Back to top
Home / Knox Manage / Configure / Profile / Configure profile policies /

Knox Manage 25.04 admin guide (original console)

Last updated March 25th, 2025

Android Enterprise policies

Lock Screen

Policy Description Supported system
Screen Lock Policies

Configures a device lock screen and relevant settings. Camera use is prohibited while the screen is locked. The following screen lock policy sets are available:

  • Device Controls --- Lock screen settings for the personal area of the device. You can choose either of the following:
    • Set Custom Screen Lock --- Lets you set a custom screen lock on devices.
    • Set Default Screen Lock --- Lets you set a default screen lock (Fully Managed devices only).
  • Work Profile Controls --- Lock screen settings for a device's Work Profile. After the Work Profile is set up, the device user is directed to set a lock screen.

If the device user creates a lock screen for the Work Profile that does not comply with your Screen Lock Policies configuration, all apps on the Work Profile --- except essential apps like Knox Manage --- are suspended, preventing unauthorized users from accessing Work Profile data.

Important: If the device is using a One Lock password and the policy for the personal area and Work Profile are configured differently, the stronger Lock Screen policy is applied.

During enrollment of company-owned devices with a Work Profile, the Knox Manage agent prompts the device user to set locks for the personal profile and Work Profile. If the device is rebooted before locks are set, it could inhibit Managed Google Play functionality, or result in the device getting bricked. For more details and remedies, seeHow to enforce a password policy during enrollment for company-owned devices with a Work Profile.

> Set Default Password Enforce a specific password upon applying Set Default Screen Lock. The password can be comprised of 4-10 alphanumeric characters. We recommend using this policy on kiosk devices instead of setting a screen lock using the multi-kiosk wizard. Important: You will need to communicate the password to device users. Even if a device user changes the screen lock password, it will revert to the default password set by this policy every time the profile gets re-applied. Android 8 and higher
> Set Minimum Strength

Set a minimum strength level for the lock screen. The following options are available, in ascending order of strength:

  • Weak Biometric --- A biometric recognition method
  • Pattern --- A pattern
  • Numeric --- A PIN
  • Numeric Complex --- A pin with no repeating (4444) or ordered (1234, 4321, 2468) sequences
  • Alphabetic --- A password comprised only of letters
  • Alphanumeric --- A password with alphanumeric characters
  • Complex --- A password with alphanumeric and special characters

Note: For Fully Managed and Fully Managed with Work Profile devices, if the strength of the lock screen is lower than the Screen Lock Policies requirements, the device is locked using Lock Task mode. The device user can't use any other functions until they set a lock screen.

Fully Managed --- Android 6 to 11 Work Profile --- Android 6 to 11 Personal area --- Android 7 to 11

APN

Policy Description Supported system
Access Point Type

Specifies which connection types to allow for the APN.

Values

  • Default (allows all services)
  • MMS (Multimedia Messaging Service)
  • Supl (Secure User Plane Location)
  • DUN (Dial-Up Networking)
  • HIPRI (High Priority)
  • FOTA (Firmware Over-The-Air)
  • IMS (IP Multimedia Subsystem)
  • CBS (Cell Broadcast Service)
  • IA (Internet Access)
  • EMERGENCY (Emergency Access)
  • MCX (Mission-Critical Services)
  • XCAP (XML Configuration Access Protocol)
  • BIP (Binary Object Store Access)
  • VSIM (Virtual SIM)
  • ENTERPRISE (Enterprise Access)
  • RCS (Rich Communication Services)
Fully Managed --- Android 9 and higher Samsung device --- Android 9 and higher Android 11 and higher (for XCAP) Android 12 and higher (for BIP and VSIM) Android 13 and higher (for ENTERPRISE) Android 15 and higher (for RCS)

Phone

Policy Description Supported system
Contact Management

Allows uploading contacts to your devices in bulk.

Values

  • Apply
Android 8 and higher
> Contact List Opens the Bulk Upload Contact dialog when selected, allowing you to download an Excel template ( addContactTemplate_Android.xlsx ) and upload contact lists. Tip: You can upload a file to add new contacts, and/or delete existing ones. Refer to the Guide sheet in the template file for details. Android 8 and higher

Wear OS policies

System

Policy Description Supported system
Always On Display

Enables or restricts the Always On Display feature, which keeps the device screen active ("awake") at all times.

Values

  • Turn On – Turns on Always On Display
  • Turn Off – Turns off Always On Display
Wear OS 4.0 and higher Android 14 and higher Enterprise Wear OS Framework version 1
> Raise Wrist To Wake

Allows you to enforce or restrict the Raise Wrist To Wake feature, which lets the device user wake up the device by raising their wrist.

Values

  • Force On – Raise Wrist To Wake is always enabled
  • Force Off – Raise Wrist To Wake is always disabled

Wear OS 7 and higher: Always set to Force On if Always On Display is enabled Lower than Wear OS 7: Can be set to Force On or Force Off regardless of Always On Display setting Enterprise Wear OS Framework version 3
> Touch Screen To Wake

Allows you to enforce or restrict the Touch Screen To Wake feature, which lets the device user wake up the device by touching the screen.

Values

  • Force On – Touch Screen To Wake is always enabled
  • Force Off – Touch Screen To Wake is always disabled

Wear OS 7 and higher: Always set to Force On if Always On Display is enabled Lower than Wear OS 7: Can be set to Force On or Force Off regardless of Always On Display setting Enterprise Wear OS Framework version 3
Key Remapping

Allows remapping the device's home key to launch a specific application.

Values

  • Apply – Disables the key remapping settings on the smartwatch to prevent the device user from changing them
Wear OS 3.5 and higher Android 11 and higher
> Remapping List

Configure key remapping behavior for the home key.

Values

  • Key and Press Type – Allows you to specify the key press type (long press or double press)
  • Application Type (for long press only) – Lets you specify what kind of apps the remapping will apply to.
    • For general apps – Supports general apps, including pre-loaded apps such as Calculator. If this option is set, long-pressing the home key launches the general app specified by Package Name. Any pre-loaded or newly loaded apps can be assigned to use the remapping
    • For custom apps – An "intent" is sent to the app specified by Package Name. Developers can programmatically implement the intent according to the intended business logic for the custom app (such as trigger an emergency call). Please contact Support to request a developer guide for this feature
  • Long Press Duration (for long press) – Allows setting the minimum long press duration (allowed range is from 500 ms to10,000 ms)
  • Package Name – Lets you specify one or more apps the key remapping will apply to. You can use Add System application to add one app at a type, or Bulk Add apps using the linked addSystemAppTemplate_WearOS.xlsx for Wear OS. For either approach, you will need to specify the Package Name andApplication Name
Wear OS 3.5 and higher Android 11 and higher

Lock Screen

Policy Description Supported system
Screen Lock Policies

Allows setting a screen lock.

Values

  • Apply
Wear OS 4.0 and higher Android 13 and higher
> Set Minimum Complexity

Lets you specify a minimum complexity level for the screen lock.

Values

  • Medium – The device user can set an alphanumeric pattern or PIN consisting of at least four characters or digits. Repeating patterns (such as 4444) and ordered sequences (such as 1234, 4321, and 2468) are not allowed.
  • High – The device user can set an alphanumeric pattern consisting of a minimum of six characters and digits, or an alphabetic pattern with a minimum of eight characters. Repeating patterns and ordered sequences are not allowed.
Wear OS 4.0 and higher Android 13 and higher

Knox Browser

Policy Description Supported system
Add URLs to Allowlist or Blocklist

Configure whether to restrict access to URLs. The restriction list is defined by the URLs policy. Only available if the Knox Browser App policy is set to Use.

Values

  • Allowlist – Knox Browser uses an allowlist to restrict access to specified sites.
  • Blocklist – Knox Browser uses a blocklist to restrict access to specified sites.

Unless this policy is set to Allowlist or Blocklist , URLs aren't restricted.

Knox Platform for Enterprise Premium
URLs Enter the URLs to allow or block, as determined by the Add URLs to Allowlist or Blocklist policy. Only available if the Knox Browser App policy is set to Use , and Add URLs to Allowlist or Blocklist is set to Allowlist or Blocklist. To add URLs, enter them one at a time using the plus and trashcan icons. Alternatively, use the Bulk Add to add up to 100 URLs at a time by uploading a bulk template, or Delete All to delete all URLs in your current list. Tip: You can include wildcards (*) to include multiple sub-domains and paths. For example, https://*.example.com and https://corp.example.com/* . Knox Platform for Enterprise Premium

iOS policies

System

Policy Description Supported system
iPhone Mirroring

Allows the device user to mirror their iPhone screen on a Mac.

Values

  • Allow
  • Disallow
iOS 18 and higher Supervised
Personalized Handwriting

Allows text generation in the user's handwriting.

Values

  • Allow
  • Disallow
iOS 18 and higher Supervised
Genmoji

Allows emoji generation using Genmoji.

Values

  • Allow
  • Disallow
iOS 18 and higher Supervised
Image Playground

Allows image generation using Image Playground.

Values

  • Allow
  • Disallow
iOS 18 and higher Supervised
Image Wand

Allows using the Image Wand feature.

Values

  • Allow
  • Disallow
iOS 18 and higher Supervised
Writing Tools

Allows using Apple Intelligence in Writing Tools.

Values

  • Allow
  • Disallow
iOS 18 and higher Supervised

List of environment settings

App & Support

Application

Setting Description
Manage Deletion

Configures where you can delete apps from. Available options are:

  • Console (deletes apps from the console app list)
  • Console + Device (deletes apps from the app list, and from devices in assigned groups and organizations)

Important: Regardless of your selection, Android Management API apps are always deleted using the Console + Device option. Chrome OS apps are always deleted using the Console option.

Knox Manage App Store

Setting Description
Knox Manage App Store Review

Allows device users to rate apps and write app reviews in the Knox Manage agent's app store. Options are:

  • Yes
  • No

Support

Setting Description
Email Address Allows you to enter the Support email address, which is displayed in the Knox Manage agent's Support screen.
Phone Number Allows you to enter the Support phone number, which is displayed in the Knox Manage agent's Support screen.

Kiosk Wizard menu items

This section describes menu items in the Kiosk Wizard.

Single App Mode menu items

The following menu items are available for Single App Mode:

  • Name — Enter a name for the kiosk that represents its intended use.
  • Package Name — The autogenerated kiosk package name.
  • Orientation & Grid — Sets the screen orientation for the Kiosk Launcher as Landscape, Portrait, or Auto Rotate. This setting doesn’t apply to the kiosk’s screen or the apps on the screen.
  • Allowlisted Apps Settings — Lets you whitelist specific apps so that they can be run in the kiosk device, even if they are not included in the single- or multi-app kiosk component list.
  • Device Setting — Allows selecting one or more device settings to be used in Kiosk mode, such as Wi-Fi, Hotspot, Time Zone, and so on. Each setting corresponds to a Settings menu item on the kiosk device.

Note: Device users can optionally grant or deny additional permissions, such as notification permissions for multi-kiosk devices, or the Window overlay permission for single kiosk devices. As an IT admin, you can set permission notifications to only appear when the Kiosk Launcher is running.

  • Component – Lets you browse components, and drag-and-drop them to the Preview screen. Additionally, you can use Add System Application to add a system app.

Multi Apps Mode menu items

The following menu items are available for Multi Apps Mode:

  • Name — Enter a name for the kiosk that represents its intended use.
  • Package Name — The autogenerated kiosk package name.
  • Orientation & Grid — Sets the screen orientation as Landscape, Portrait, or Auto Rotate. This setting doesn’t apply to the kiosk’s screen or on-screen apps.
  • Allowlisted Apps Settings — Lets you whitelist specific apps so that they can be run in the kiosk device, even if they are not included in the single- or multi-app kiosk component list.

Note: Device users can optionally grant or deny additional permissions, such as notification permissions for multi-kiosk devices, or the window overlay permission for single kiosk devices. As an IT admin, you can set permission notifications to only appear when the Kiosk Launcher is running.

  • Wallpaper — Lets you select up to five background wallpaper images for the kiosk. You can also specify a margin color, keep the original wallpaper size, and choose to randomly display available wallpapers.
  • Under Advance Setting:
    • Screen Composition – Lets you enable the Status Bar, Logo, or both. Furthermore, you can specify the bar and text colors for the Status Bar.
    • Icon Size – Lets you resize icons by a specific percentage to optimize how much visual space they occupy (defaults to 70% of icon size, maximum 100%). You can also choose to show or hide the icon text, specify a background color, and apply a shadow effect.

Note: If shown, the icon text might not fit on the screen due to icon size, grid, and device resolution.

  • Point Color – Lets you apply a point color for icons and page indicators.
  • Screen Lock – Allows setting a 4-digit password, or a 6-10 digit or Alphanumeric password for the kiosk device screen lock. The default value is Disabled, implying no screen lock password is applied.

Important: This setting only restricts access to the kiosk home screen. To prevent access to previously used applications, use the device screen lock feature. For enhanced security, we recommend setting the Set Default Screen Lock policy introduced in 25.04.

  • Rearrange – Allows kiosk users to rearrange icons on their devices (disabled by default).

  • Device Setting — Allows selecting one or more device settings to be used in Kiosk mode, such as Wi-Fi, Hotspot, Time Zone, and so on. Each setting corresponds to a Settings menu item on the kiosk device.

  • Page Rotation – Allows kiosk users to return to the first page after viewing the last page in the kiosk (disallowed by default).

  • Effect – The screen transition effect for kiosk pages. Available effects are Slide (default), Card, Box, Bulldoze, and Corner.

  • Component – Lets you browse components, and drag-and-drop them to the Preview screen. You can also use Add System Application to add a system app.

Android Enterprise device commands

Knox Manage

Device command Description Supported system
Push Notification

Sends a push notification message to the device. The message icon appears on the devices' status bar.

On the Push Notification dialog for the command:

  • Specify how you want the message to be delivered ( Notification or Pop-up ).
  • Enter a Title for your message.
  • Enter the message content (up to 80 characters) in the Message field. URLs included in pop-up messages are automatically converted to clickable hyperlinks.

Note: If the device is locked, you must unlock it to view popup pages. Pop-up pages may not show on work profile devices running Android 10 and higher.

Android 6 and higher Fully managed Fully managed with work profile Work profile

iOS device commands

Device

Device command Description Supported system
Factory Reset
Performs a factory reset and changes the device status to Unenrolled. Additionally, you can select the Keep eSIM upon factory reset option in the Request Command dialog to retain the device's eSIM.
iOS iPadOS
Play Lost Mode Sound (Supervised) Plays lost mode sound (when the device is in Lost mode). iOS iPadOS Supervised

Video - Synchronize users and groups with Active Directory in Knox Manage

The following video describes how to sync users and groups with Active Directory.

< YouTube link for embedded video >

Note: Starting with Knox Manage 25.04, Directory group sync functionality has been optimized to only sync groups and group members that have changed.

Shared Android device quickstart

Device user check-in

When the shared device is enrolled and deployed, it shows the check-in screen if there is no active user session. A device user starts a session by checking in with their Knox Manage account credentials.

  • Samsung devices used as shared devices are automatically activated when a user first checks in.
  • For non-Samsung devices, the device user must activate the device by manually running the Knox Manage agent when they first check in to the device. The device user can launch the Knox Manage app or tap the Knox Manage notification to run the agent.

Important: Starting with 25.04, Knox Manage supports web-based IdP authentication for secondary user check-ins. Shared Android devices can have up to seven secondary users per device. However, the exact limit may vary depending on the device model and manufacturer.

If a shared device exceeds the maximum number of secondary users it can support, and an additional secondary user attempts to check in, then error code KMA_E1001 is shown and access is denied. For more information on shared Android device errors, see Shared device in the client error codes reference.

When the device user has finished their activities, they can end their session by tapping Check Out in the Knox notification.

  • If it’s a Temporary shared device, the app and user data on the device is erased.
  • On Persistent shared devices:
    • Apps common to staging users and device users are cached, and are available to device users when they check in.
    • User-specific apps are automatically downloaded and installed when the appropriate device user checks in.

(Connection name changes – slide 26)

Not posting the updated sections here as it will bloat the Word document – requirement is to update the following terminology (before → after):

  • Microsoft Entra ID (Graph API) → Microsoft Entra ID
  • Okta (SCIM) → Okta
  • Ping Identity (SCIM) → Ping Identity

Will update the following pages:

Add a report

You can create a new report using report queries, which retrieve and aggregate data from the Knox Manage database based on predefined criteria. Alternatively, you can add a report based on an existing report and tweak it as required.

Create a new report

To create a new report using report queries, complete the following steps:

  1. Navigate to Advanced > Report.

  2. On the Report page, click Add.

  3. On the Add Report screen:

    • Report Name — Enter the report name.
    • Report ID — Enter the ID for the new report.
    • Description — Enter a brief description for the report.
    • Chart — Select a chart type to visualize the report.
    • Legend — Specify where the legend should appear relative to the chart (if you selected a chart type).
    • Report Queries — Select from a list of existing queries.

Note: The App Information installed in Device query returns a maximum of 100,000 results.

  1. Click Add next to Output Fields. The Add Output Field dialog appears, showing available fields based on your report query selection. For a list of output fields in each report query, see Default reports and report queries.
  2. Configure output fields as needed. The Data Type value of the field dictates what properties you can modify.
    • String fields let you update values for Output Name (display name of the field) and Chart Setting (whether or not the field will appear as a chart category) values.
    • Number fields let you update values for Output Name (display name of the field), Output Format (the number display format), Summary Type (the numeric value to display on the chart – sum, average, maximum or minimum), and Chart Setting (whether or not the field will appear as a chart category).
    • Date fields let you update values for Output Name (display name of the field), Output Format (the date display format), and Chart Setting (whether or not the field will appear as a chart category).

Tip: You can reorder selected output fields using the up and down arrows.

  1. Based on your report query selection, relevant input fields are listed in the Input Value table. Proceed to enter input values under the Input Value column.
  2. Click View to preview your report before saving.
  3. Click Save, then in the Save Report dialog click OK.

Add a report based on an existing report

To copy an existing report to create a new report:

  1. Navigate to Advanced > Report.
  2. On the Report page, select the report you want to copy and click Copy.
  3. On the Copy Report page, enter a new Report Name and Report ID.
  4. Modify other fields and settings as needed.
  5. Click Save, then in the Save Report dialog click OK.

View details of a device

Network tab

The Network tab displays network status details, such as the device’s current Wi-Fi status and SIM information.

Note: SIM Status, SIM Country & Carrier, ICCID Information, Roaming, and IP Address (Mobile) fields are only displayed for devices that have a SIM. (ICCID Information isn’t supported for devices managed by Android Management API.)

The Wi-Fi Transfer Data and Network Transfer Data fields aren’t available on devices running Android 10 or higher.

Default reports and report queries

Report queries

You can make your own reports using the following queries included in Knox Manage.

Report query Output fields
Device Basic Information
  • Tenant ID
  • Device ID
  • Device Name
  • User ID
  • User Name
  • Organization Code
  • Organization Name
  • Platform Code
  • Platform
  • Network Service Provider Code
  • SIM Carrier
  • Device Version
  • Device Version Code
  • Mobile Number
  • Model
  • Device OS
  • Device Status Code
  • Device Status
  • Status
  • Modem Firmware
  • Build Number
  • Build Type
  • Product Name
  • Device Kind
  • Manufacturer
  • Device Organization
  • Device Name
  • Creation Date
  • Current Device Management Profile Pushed Date
  • Last Connection Date
  • Whether is compromised
  • App Count
  • Compromised App Count
  • Official App Count
  • Whether the app is compromised
  • Battery Level (%)
  • Memory Size (GB)
  • Memory Usage (GB)
  • RAM Memory Size (GB)
  • RAM Memory Usage (GB)
  • AP Type
  • AP Speed (GHz)
  • Network Transfer Data (in) (MB)
  • Network Transfer Data (out) (MB)
  • Wi-Fi Transfer Data (in) (MB)
  • Wi-Fi Transfer Data (out) (MB)
  • IMEI
  • Serial Number
  • Activation Type
  • IP Address (Wi-Fi)
  • Wi-Fi Status
  • Device Count
  • Management Type
  • Organization Path
  • Initial Enrollment Date
  • Latest Enrollment Date
  • Latest Unenrollment Date
  • Device Alias
  • Pushed Profile
  • Device Tag
  • Display Name
  • IP Address (Mobile)

Device Details Information

  • Device Name
  • User ID
  • User Name
  • Email
  • Organization Name
  • Device Status Code
  • Device Status
  • Platform Code
  • Platform
  • Device Version
  • Mobile Number
  • MAC Address
  • Model
  • Firmware
  • IMEI
  • Serial Number
  • ICCID
  • SIM Status
  • SIM Country
  • SIM Carrier
  • Roaming Status
  • Current Country
  • Current Carrier
  • Voice Roaming
  • Data Roaming
  • IMSI
  • Device OS
  • Device ID
  • Telephone Type
  • Network Type
  • Modem Firmware
  • Manufacturer
  • Device Type
  • Activation Type
  • Battery Level (%)
  • Memory Size (GB)
  • Memory Usage (GB)
  • RAM Memory Size (GB)
  • RAM Memory Usage (GB)
  • AP Type
  • AP Speed (GHz)
  • Network Transfer Data (in) (MB)
  • Network Transfer Data (out) (MB)
  • Wi-Fi Transfer Data (in) (MB)
  • Wi-Fi Transfer Data (out) (MB)
  • IP Address (Wi-Fi)
  • Wi-Fi Status
  • AP Name
  • AP MAC Address
  • Hidden SSID
  • External SD Card Size (GB)
  • External SD Card Usage (GB)
  • External SD Card Installed
  • Device Count
  • Unenrollment Code
  • Last Connection Date
  • Management Type
  • Organization Path
  • Device Alias
  • Pushed Profile
  • Device Tag
  • Time Zone
  • Time Formation
  • Date Format
  • Daylight Saving Time
  • Automatic Day/Time Use
  • Kiosk Mode Status
  • Display Name
  • IP Address (Mobile)

Register user accounts in bulk

Registration template spreadsheet

The spreadsheet is an XLSX file and contains three sheets:

  • The Guide sheet describes the requirements of each editable cell in detail.
  • The User sheet defines the user account and details you want to add.
  • The UserTag sheet defines any tags you want to attach to existing accounts. If you enter tags for the same user in both the User and UserTag sheets, the UserTag sheet’s entry takes precedence.
  • The AdditionalInfo sheet lets you register users using additional details, such as User ID, Department, Site, user defined fields, and so on.

Unenroll devices

Unenroll connected devices

To unenroll devices that are connected to the server:

  1. Go to Device on the Knox Manage console.
  2. On the Device page, select the device you want to unenroll.
  3. Click Unenroll.
  4. (Optional) Select one or more of the following actions to be performed during unenrollment:
    • Unassign KME profiles — Unassigns any Knox Mobile Enrollment profiles on the device.
    • Delete devices from KME — Deletes the device from Knox Mobile Enrollment, if applicable. For information about unenrolling devices from Knox Mobile Enrollment, see Use Samsung Knox Mobile Enrollment (KME).
    • Unenroll devices from KAI — Unenrolls the device from Knox Asset Intelligence. For information about Knox Asset Intelligence license management, see Manage licenses.
    • Remove eSIM upon factory reset (Preview) — Removes eSIM information from the device (even if the eSIM wasn’t installed using Knox Manage). You will need to activate the eSIM through the carrier if you want to reuse it.
  5. On the Unenroll dialog, click OK to confirm. Alternatively, click Force Unenroll to unenroll the device both from the server and the Knox Manage agent on the device, and factory reset the device.

Note:eSIM removal only works for devices that have neither been factory reset nor unenrolled from Knox Manage since the eSIM was installed. The option will be read-only if the device doesn’t support eSIM.

For iOS devices that were reset or unenrolled from the Knox Manage console, device users can disable the activation lock by entering the code in the Password field and leaving the ID field empty in the Setup Assistant.

(Policy name changes – slide 39)

_Not posting the updated tables here as it will bloat the Word document – just have to update the following _AE policy terminology (before → after):

  • Microphone → Use Microphone
  • Recording → Record with Microphone
  • S Voice → Use S Voice
  • Volume Adjustment → Adjust Volume
  • Voice Call (except Samsung Device) → Make Voice Calls on Non-Samsung Devices
  • SMS (except Samsung Device) → Send Text Messages on Non-Samsung Devices
  • Cell Broadcast Setting → Emergency Alerts
  • Airplane mode → Turn on Airplane Mode
  • Tethering Setting → Share Internet Connection Using Tethering
  • Bluetooth Share → Send and Receive Files through Bluetooth
  • Printing → Use Printer
  • Network Reset → Reset Mobile Data Usage
  • Mobile Network Setting → Configure Mobile Network Settings
  • Autofill Service → Auto-Completion in Browser
  • Play Integrity (SafetyNet Attestation) → Check Devices through Play Integrity
  • Verification Interval (days) → Set Time Period Between Checks
  • Verification Failure Policy (During Enrollment) → Take Action if Device Fails Check during Enrollment
  • Verification Failure Policy (After Enrollment) → Take Action if Device Fails Check after Enrollment
  • Verify Apps Using Google Play Protect → App Verification Using Google Play Protect
  • App Auto Update → Automatic App Updates
  • URL Control Type → Add URLs to Allowlist or Blocklist
  • URL Control List → URLs
  • Hide URL → Hide URL Address Bar
  • Link URL to Other Apps → Web Intents
  • File Download → Download Files
  • Bookmark → Add Bookmarks
  • File Upload → Upload Files
  • Cookies → Store Cookies
  • Text Copy → Copy Text
  • Force Enable Zoom → Force Page Zoom
  • Ratio → Default Ratio
  • Screen on when Plugged in → Turn Screen on when Plugged in

Configure alerts

Configure emails for audit alerts

Knox Manage can send emails to your admins whenever an audit alert is triggered. This feature enables admins to conveniently monitor device status changes outside of the Knox Manage console.

Important: Audit alerts are only triggered when actions are initiated by device commands in Knox Manage. For example, if an IT administrator sends a Reboot Device command through the console, an email alert is sent. In contrast, no alert is sent if a device user manually initiates a reboot. For more information on sending device commands, see Send commands to devices.

To configure emails for audit alerts:

  1. Go to History > Alert. The Alert page opens.
  2. Click Alert Mailing Settings, then configure the parameters of the emails for alerts:
    • Alert Mailing Settings — Enable sending emails for alerts.
    • Period — Define a start and end date during which emails for alerts are enabled.
    • Frequency — Specify how often to send the emails. After you select a frequency, choose when to send the emails:
      • Hourly — Select the number of hours after which to send the alert. Available values are 1, 2, 3, 4, 6, 8, and 12 hours. The email delivery time for a tenant is calculated from midnight.
      • Daily — Select which hour in the day.
      • Weekly — Select which days of the week and at which hour in a day.
      • Monthly — Select which days in the month and at which hour in a day.
    • Knox Manage Admin — Click Select to pick the admins who will receive the emails.
    • Email Address — If you need to send emails to recipients who aren’t attached to accounts in your tenant, click Add and enter their addresses.
    • Target Events — Select one or more event types to trigger emails:
      • New enrolled devices
      • Unenrolled devices
      • Disconnected devices
      • Devices within geofencing area
      • Devices outside the geofencing area
      • Devices with the day & time event profiles applied (in)
      • Devices with the day & time event profiles unapplied (out)
      • Devices with the SIM change event profiles applied (in)
      • Devices with the SIM change event profiles unapplied (out)
      • Devices with the Wi-Fi SSID event profiles applied (in)
      • Devices with the Wi-Fi SSID event profiles unapplied (out)
      • Devices with the roaming event profiles applied (in)
      • Devices with the roaming event profiles unapplied (out)
      • Devices re-enrolled after Factory Reset
      • Factory reset devices
      • Devices with policy violation
      • Devices with profile pushed
      • Current location collected devices
      • Powered off devices
      • Rebooted devices
      • Devices whose apps has been installed or updated
      • Devices whose apps have been run
      • Devices whose apps have been uninstalled
      • Devices whose app data have been deleted
      • Devices receiving push notifications
      • Devices with changed licenses
      • Devices with updated licenses
      • Devices with the Knox Manage agent updated
      • Devices that have exited Kiosk mode
  3. (Optional) Click Select more events to select and add other audit events. All audit events are available for use as target events.
  4. Click Save to save the configuration.

Download the audit log

Follow the steps below to download the audit log (all rows currently showing in the Audit Log page) as an Excel file.

  1. Navigate to History > Audit Log.
  2. The Audit Log page opens. To filter audit log entries, selecting or entering values in the following fields, then click Search. You can reset filters by clicking Reset.
    • User ID
    • Device Name
    • Result
    • Log Date & Time
    • Audit Type
    • Event Category
    • Event
  3. Click Download.
  4. Click OK in the Export to Excel window. You can select the following issues to include additional process information or log data in the download file – however, this will increase both the download file size and the file generation time – so we recommend leaving these options unchecked unless the additional information or log data is really needed.
    • Includes additional process information: Request History, Result Code, Result History
    • Includes additional log data

Important: If the default country is set to South Korea, you also need to provide a reason for downloading data. Downloaded logs are stored on the Knox Manage server for two years.

  1. The Download dialog appears. The zipped audit log file is listed under My Download.
  2. Click the Download button to download the zipped file to your default download directory.

Register a group

You can add a manual group (which is static) or a dynamic group (which auto-updates group memberships and assignments based on pre-set criteria).

Add a manual group

  1. Go to Group on the navigation pane.
  2. On the Group page, click Add.
  3. On the Add Group page, enter the following user information:
    • Name — Enter a group name.
    • Type — Select one of the following group types.
      • User — A group of user accounts.
      • Device — A group of enrolled devices.
    • Membership Type — Select Manual.
    • Sub-Administrator — Click Select, then select a sub-administrator for the group in the Select Sub-Administrator dialog, and click OK.

Tip: For an overview of administrator roles, see Administrator account overview. To add a sub-administrator for Knox Manage, see Add an administrator. Alternatively, to add a sub-administrator for all Knox services, see Manage admins and roles for Knox services in Knox Admin Portal documentation.

  1. On the All Users or All Devices list (depending on your selected Type), select user IDs or device names to include them in the group. Selected users or devices appear under Selected User or Selected Device, correspondingly.
    • You can use the search bar in the All Users or All Devices area to find records matching your search criteria.
    • You can further refine your device selections in the Selected Device area: Click Select via Filter, select filters that you want to apply, then click OK.
  2. Save your new group by doing one of the following:
    • If you want to save the group without assigning anything to it, click Save, then in the Save Group dialog click OK.
    • Alternatively, click Save & Assign, then in the Save & Assign dialog select Application (to assign apps), Profile (to assign profiles), or Content (to assign content files). Click Next to proceed with assignment flow.

Tip: You can select an existing group on the Group page, then click on the Application, Profile, or Content button to assign apps, profiles, or content files, in that order.

Add a dynamic group

Note: Dynamic group features are currently in public preview. Certain aspects are expected to be finalized in a future release. A single tenant can have a maximum of 100 dynamic groups.

  1. Go to Group on the navigation pane.
  2. On the Group page, click Add.
  3. On the Add Group page, enter the following user information:

a) Name — Enter a group name.

b) Type — Select one of the following group types.

  • User — A group of user accounts.
  • Device — A group of enrolled devices.

c) Membership Type — Select Dynamic (Preview).

d) Sub-Administrator — Click Select, then select a sub-administrator for the group in the Select Sub-Administrator dialog, and click OK.

Tip: For an overview of administrator roles, see Administrator account overview. To add a sub-administrator for Knox Manage, see Add an administrator. Alternatively, to add a sub-administrator for all Knox services, see Manage admins and roles for Knox services in Knox Admin Portal documentation.

  1. Under Group Rules (Preview):

a) For Group Assignment:

  • If you want profiles and apps to be dynamically assigned to new group members, select When a user or device is added, the profiles and applications assigned to the group will be pushed to the user or device.
  • If you want profiles and apps to be dynamically removed from departing group members, select When a user or device is removed, the profiles and applications of the group will be unassigned from the user or device.

b) In the Rule Builder, you can create rules to dynamically add users or devices (based on your selected Type) to your group. You can create rules using one of the following options: Make rules via Filter, Rule Configuration, or Rule Syntax.

  • The Make rules via Filter button brings up the Make rules via Filter dialog. You can use user or device attribute fields at the top of the dialog to search for matching users or devices. Click Apply rules to create corresponding rule syntax (which appears in the Rule Syntax field).
  • Rule Configuration lets you select attributes, operators, and values to create rules. To use this option, Rule Builder Type must be set to Configuration. Click the + icon to add more rules (up to a maximum of five), and use the And/Or selector to create complex rules.

Tip: Click the Rule Configuration tooltip to see a rule configuration guide for common user and device attributes.

  1. Once you’ve added at least one rule, you can use the Validation area to inspect which users or devices fulfill rule criteria.

a) Click Select to bring up the Select User or Select device dialog, select from existing records, and click Add.

  • You can use the search bar to find specific user or device records.
  • To further refine your device selections, click Select via Filter, select filters that you want to apply, then click OK.

b) The Validate button becomes active, and selected records appear below it. Click the button.

c) Status values appear, indicating the rule evaluation status for each row. Click on the corresponding View Details link for further information.

d) If needed, proceed to tweak your rules (step 4b), then revalidate against selected records (steps 5a and 5b).

  1. To save your new dynamic group, click Save, then in the Save Group dialog click OK.

View group details

Tab: Application

The Application tab shows the apps assigned to the group. The following function buttons are available:

Function button

Description
Unassign Unassigns selected apps from the group.
Modify Setting Opens the Modify Setting page, which lets you change app settings for selected apps. You can modify settings per-app, as well as use Bulk Configure Settings to update common settings across your app selection.
Export to CSV Exports the group's app list as a CSV file.

Minimum requirements and supported languages

Minimum requirements

The following table describes minimum requirements for using Knox Manage.

Note: As an Android Enterprise Recommended (AER) certified solution, Knox Manage is compatible with all AER devices.

Not posting the updated tables here as it will bloat the Word document – just have to update the supported versions in a table (before → after):

  • Android 10 and higher → Android 11 and higher
  • iOS 15 and higher → iOS 16 and higher
  • iPadOS 15 and higher → iPadOS 16 and higher

On this page

Is this page helpful?