Knox Workspace (Android Legacy) policies

Last updated March 21st, 2023

With 23.03, Knox Manage no longer supports the Android Legacy (also known as Device Admin) platform. The Knox Manage team strongly recommends that you migrate to the Android Enterprise platform.

This section describes the policies you can configure for Knox Workspace devices.

The availability of each policy varies depending on the OS version.

System

Allows various features, such as screen capture, clipboard, and share via apps.

Policy Description Supported system
Screen capture

Allows using the screen capture function in the Knox Workspace.

Even if this policy is disallowed, you can still use the screen capture function through the Remote Support Viewer in Remote Support.

Samsung Knox 1.0 and higher
Clipboard Allows the clipboard feature.
  • Allow within the same app — The clipboard function can only be used within the same application.
Samsung Knox 1.0 and higher
Share via apps Allows the share app function in the Knox Workspace. Samsung Knox 1.0 and higher
Google account synchronization Allows Google account synchronization in the Knox Workspace. Samsung Knox 2.0 and higher
App crash report to Google Report application error occurrence information to Google in the Knox Workspace. Samsung Knox 1.0 and higher
System app close Allows forceful system application shutdowns in the Knox Workspace. Samsung Knox 1.0 and higher
Trusted Boot Verification Allows Trusted Boot. Samsung Knox 2.0 and higher
Third Party Keyboard Allows the use of third-party keyboards. Samsung Knox 2.0 - 2.9
Email Account Addition Allows adding accounts from the default email application on the device. Samsung Knox 1.0 and higher
Domain allowlist setting

Set to use the email domain allowlist setting.

  • The Add email account policy has a higher priority than the Domain allowlist setting policy.
  • The Domain allowlist setting policy does not apply if the Add email account policy is set to Disallow.
> Domain Allowlist Enter the email domain allowlist to add.
  • To add a domain, enter the domain name in the field, and click add.
  • To delete a domain, click delete next to the added domain name.
Samsung Knox 1.0 and higher
Remote Control

Allows remote control within the Knox Workspace using Remote Support. Remote Support should be installed in the general area.

Policy changes using Remote Support in the Knox Workspace do not apply to the Remote Support Viewer immediately. In this case, reload the Knox Workspace area.

Samsung Knox 2.2 and higher

Connectivity

Allows adding a new Wi-Fi network or using a microphone and other features.

Policy Description Supported system
New Wi-Fi Network Addition Allows adding a new Wi-Fi network connection in the Knox Workspace. Samsung Knox 1.0 - 2.4.1
Microphone

Allows the controls for Microphone use in the Knox Workspace.

If this policy is disallowed, video recording is also disallowed.

Samsung Knox 1.0 and higher
> Recording Allows using microphone recording in the Knox Workspace. Samsung Knox 1.0 and higher
Camera

Allows using the camera in the Knox Workspace.

Consider the following items:

  • If the camera policy in the General area is disallowed, camera use in the Knox Workspace is also prohibited.
  • This policy allows taking pictures but disallows video recording.
Samsung Knox 1.0 and higher
Allow USB access Allows using USB devices, such as printers and scanners, via OTG in the Knox Workspace.
  • Disallow is the default value.

Consider the following:

  • This policy is only allowed for non-storage USB devices in USB accessory mode.
  • Devices from Verizon, the United States telecommunications provider, are not supported.
Samsung Knox 2.5 and higher
> Allow access of USB devices Set USB products to use in a specific application.
  1. Enter the Package Name.
  2. Select the Vendor ID.

    • Only 4-digit, hexadecimal characters can be entered.
    • Multiple inputs should be separated by commas.
    • Only the product ID for the selected vendor can be entered.
  3. Enter the Product ID.
  4. Click add to add, or click delete to delete.
Samsung Knox 2.1 and higher
Bluetooth Allows use of the Bluetooth feature in the Knox Workspace. To use this policy, set the Bluetooth connections in the general area to Allow. Samsung Knox 2.4 and higher
Phone Book Access Profile (PBAP) via Bluetooth Allows use of the Phone Book Access Profile (PBAP). Contacts on the Knox Workspace are sent to the connected device if this policy is allowed. Samsung Knox 2.7 and higher
NFC control Allows control of the NFC (Near Field Communication). Samsung Knox 2.4 and higher

Security

Configures the security settings, such as passwords and lock screen.

Policy Description Supported system
Knox Container Password Use a password to lock Knox Workspace. Use of the camera is prohibited when the device is screen locked.

Consider the following:

  • For devices with a One Lock password, the password policy that is stronger between Android Legacy and the Knox Workspace area is applied.
  • When a user has forgotten their Knox Workspace password, the administrator needs to send the Reset screen password device command, and then the user needs to enter a temporary password. For more information, see the Knox password in View the details of a device.
  • If the Prohibited words policy has been set, then the password cannot be reset with a temporary password containing the specified prohibited words. If this happens, you will need to disable the Prohibited words policy, save the relevant profile again, and then apply it.
> Enterprise identity Authentication Controls Knox Workspace unlock with an enterprise ID.
  • Use — Allows the choice to use an enterprise ID to sign in.
  • Forced use — Forces the use of an enterprise ID to sign in.
Samsung Knox 2.4 and higher
>> Domain Address Enter the domain address of the enterprise identity server. The http or https prefix can be omitted. Samsung Knox 2.4 and higher
>> Setup file

Select a file to install inside the Knox Workspace for enterprise ID authentication.

You can select an application, such as Samsung SSO Authenticator (com.sec.android.service.singlesignon), from the application list. Applications must be pre-enrolled either on Application > Internal application or Application > Public application.

Samsung Knox 2.4 and higher
>> Enable FIDO Use FIDO (Fast ID Online) authentication in a Knox Workspace when using an enterprise ID. Samsung Knox 2.7 and higher
>>> Request URL Set the URL to request for FIDO authentication. Samsung Knox 2.7 and higher
>>> Response URL Set the URL to respond to FIDO authentication. Samsung Knox 2.7 and higher
>>> FIDO App Installed List

Manage the applications to use for FIDO authentication.

The essential applications required for FIDO authentication are automatically added to the list. You can add an additional application if needed.

Samsung Knox 2.7 and higher
> Minimum strength Set the minimum password strength on the screen.
  • Pattern — Set the password using a pattern or any other password with a higher degree of complexity, such as Numeric, Alphanumeric, or Complex options.
  • Numeric — The password must consist of a 4-digit number or be more complex. The screen can be locked using the Numeric, Alphanumeric, and Complex types of passwords.
  • Alphanumeric — Both letters and numbers must be included. The screen can be locked using the Alphanumeric and Complex types of passwords.
  • Complex — Set so that the passwords must include alphanumeric and special characters.
Samsung Knox 2.0 and higher
>> Maximum Failed Login Attempts Set the maximum number of incorrect password attempts before access is restricted. The value can be between 0 - 10 times. Samsung Knox 2.0 and higher
>>> Action for failing allowed count to retry password Select the action to be taken when the maximum number of failed attempts is reached. A Workspace control command must be sent to unlock the Knox Workspace.
  • Lock Knox Workspace — When the set number of password attempts has been reached, the Knox Workspace is locked.
  • Wipe Knox Workspace — When the set number of password attempts has been reached, the Knox Workspace is deleted.
Samsung Knox 1.0 and higher
>> Expiration after (days) Set the maximum number of days before the password must be reset. The value can be between 0 - 365 days. Samsung Knox 2.0 and higher
>> Manage password history (times) Set the minimum number of new passwords that must be used before a user can reuse the previous password. The value can be between 0 - 10 times. Samsung Knox 2.0 and higher
>> Minimum length

Set the minimum length of the password. If the Minimum strength is set to Pattern, at least more than one stroke is required. In the case of Complex, it must be equal to or greater than the sum of the Minimum number of letters and Minimum number of non-letters. The value can be between 4 - 16 characters for Numeric or Alphanumeric. The value can be between 6 - 16 characters for Complex.

The minimum length of the pattern password refers to the number of lines connecting each dot. For example, if the policy value is 4, at least four lines connecting five dots must be entered.

Samsung Knox 2.0 and higher
>> Minimum number of letters Set the minimum password length. If the Minimum strength is set to Must be alphanumeric, the number 1 must be entered. In the case of Must include special characters, the default value is the number 3. If you want to enter another number, the number must be equal to or greater than the sum of the Minimum number of lowercase letters and the Minimum number of capital letters — the value can be between 1–10 characters. The default value is 1 character for Alphanumeric. The default value is 3 characters for Complex. Samsung Knox 2.0 and higher
>> Minimum number of lowercase letters Set the minimum number of lowercase letters required in the password. The value can be between 1 - 10 characters. Samsung Knox 2.0 and higher
>> Minimum number of capital letters Set the minimum number of uppercase letters required in the password. The value can be between 1 - 10 characters. Samsung Knox 2.0 and higher
>> Minimum number of non-letters Set the minimum number of numbers and special characters required in the password. If Minimum strength is set to Must include special characters, the default value is the number 2. If you want to enter another number, the number must be equal to or greater than the sum of Minimum number of numeric characters and the Minimum number of special characters. The value can be between 1 - 10 characters. The default value is 2 characters for Must include special characters. Samsung Knox 2.0 and higher
>> Minimum number of numeric characters Set the minimum number of numeric characters allowed in the password. The value can be between 1 - 10 characters. The default value is 2 characters for Must include special characters. Samsung Knox 2.0 and higher
>> Minimum number of special characters Set the minimum number of special characters required in the password. The value can be between 1 - 10 characters. The default value is 1 character for Must include special characters. Samsung Knox 2.0 and higher
>> Maximum length of repeated characters Set the maximum number of duplicated characters. The value can be between 1 - 10 characters. Samsung Knox 1.0 and higher
>> Maximum length of sequential numbers Set the maximum number of consecutive numeric characters allowed in a password. The value can be between 1 - 10 words. Samsung Knox 1.0 and higher
>> Maximum length of sequential characters Set the number of consecutive letters allowed in a password. The value can be between 1 - 10 words. Samsung Knox 1.0 and higher
>> Minimum length of character change Set the minimum length of letters that users must change from the previous password. If the Minimum strength is set to Number, Must be alphanumeric, or Must include special characters, it must be less than the Minimum length. The value can be between 1 - 10 words. Samsung Knox 1.0 and higher
>> Prohibited words Allows the use of prohibited words in a password.
>>> Set prohibited words Set prohibited words in a password.
  • To add a word, enter the word in the field and click add.
  • To delete a word, click delete next to the added word.
Samsung Knox 1.0 and higher
Maximum screen timeout Set the maximum time limit that a user can linger before screen timeout. Samsung Knox 2.0 and higher
Password visibility settings Shows the password when entering it. Samsung Knox 1.0 and higher
Pattern lock visibility settings Shows the password when entering it. Samsung Knox 1.0 and higher
Smartcard Browser Authentication

Allows Smartcard Browser Authentication within the internet browser. When the policy is allowed, the Bluetooth security mode is applied while the device is connected to the smart card reader and will not accept other Bluetooth connections.

Consider the following:

  • To use this policy, Bluetooth smart card-related applications must be installed on the device and the smartcard must be registered in the Settings menu of the device.
  • Android 10 and higher devices are not supported.
Samsung Knox 1.0 and higher
Unlock with fingerprint Allows the use of the fingerprint unlock control. Samsung Knox 2.1 and higher
Unlock with iris Allows the use of the iris unlock control. Samsung Knox 2.2 and higher
Enforce Multi factor Authentication

Allows the use of two-step authentication.

  • Use — Forces the screen lock to release via fingerprint or iris recognition.
  • Do not use — Disables the two-step authentication settings via your fingerprint or iris recognition.

When the Knox Workspace is created, it is set to select only two factor authentication on the password setup stage. Even when the manager chooses to disable Unlock with fingerprint or Unlock with Iris, you can still use your fingerprint or iris for two-step verification.

Samsung Knox 2.0 and higher
KeyGuard (Block function on lock screen) Blocks the function set in the lock screen.
> Select function to block Set the lock screen function options.
  • Trust Agent — Set whether to use the Knox Quick Access on the lock screen.
Samsung Knox 2.4 - 2.9
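
The Knox Container Password settings above constrain one another (value ranges, sums of minimums, and the character-change limit), so a profile can be checked for consistency before it is saved. The following is an added example, not Knox Manage code; the dictionary keys and the two sample profiles are hypothetical, and only the limits come from the table.

```python
# Added example, not Knox Manage code. Keys are hypothetical names for the
# Knox Container Password settings; the limits are those stated in the table.

STRENGTHS = ("Pattern", "Numeric", "Alphanumeric", "Complex")

RANGES = {
    "max_failed_attempts": (0, 10),
    "expiration_days": (0, 365),
    "history": (0, 10),
    "min_letters": (1, 10),
    "min_lowercase": (1, 10),
    "min_uppercase": (1, 10),
    "min_non_letters": (1, 10),
    "min_numeric": (1, 10),
    "min_special": (1, 10),
    "max_repeated": (1, 10),
    "max_sequential_numbers": (1, 10),
    "max_sequential_chars": (1, 10),
    "min_char_change": (1, 10),
}
MIN_LENGTH_RANGE = {"Numeric": (4, 16), "Alphanumeric": (4, 16), "Complex": (6, 16)}


def validate_password_policy(policy):
    """Return a list of problems; an empty list means the profile is consistent."""
    strength = policy.get("min_strength")
    if strength not in STRENGTHS:
        return [f"min_strength must be one of {', '.join(STRENGTHS)}"]

    problems = []
    for key, (low, high) in RANGES.items():
        if key in policy and not low <= policy[key] <= high:
            problems.append(f"{key}={policy[key]} is outside {low}-{high}")

    length = policy.get("min_length")
    if length is not None and strength in MIN_LENGTH_RANGE:
        low, high = MIN_LENGTH_RANGE[strength]
        if not low <= length <= high:
            problems.append(f"min_length={length} is outside {low}-{high} for {strength}")

    letters = policy.get("min_letters")
    non_letters = policy.get("min_non_letters")

    if strength == "Alphanumeric" and letters not in (None, 1):
        problems.append("min_letters must be 1 for Alphanumeric")

    # Minimum letters must cover the lowercase and capital minimums.
    if letters is not None:
        needed = policy.get("min_lowercase", 0) + policy.get("min_uppercase", 0)
        if letters < needed:
            problems.append(f"min_letters={letters} is below lowercase + capital ({needed})")

    # Minimum non-letters must cover the numeric and special minimums.
    if non_letters is not None:
        needed = policy.get("min_numeric", 0) + policy.get("min_special", 0)
        if non_letters < needed:
            problems.append(f"min_non_letters={non_letters} is below numeric + special ({needed})")

    # For Complex, the minimum length must cover letters plus non-letters.
    if strength == "Complex" and None not in (length, letters, non_letters):
        if length < letters + non_letters:
            problems.append(
                f"min_length={length} is below letters + non-letters ({letters + non_letters})")

    # For every strength except Pattern, the change length must be below the minimum length.
    change = policy.get("min_char_change")
    if strength != "Pattern" and None not in (change, length) and change >= length:
        problems.append(f"min_char_change={change} must be less than min_length={length}")

    return problems


# Constructed sample profiles (not taken from a real tenant).
CONSISTENT = {
    "min_strength": "Complex", "min_length": 8, "min_letters": 3,
    "min_lowercase": 1, "min_uppercase": 1, "min_non_letters": 2,
    "min_numeric": 1, "min_special": 1, "min_char_change": 3,
    "max_failed_attempts": 5, "expiration_days": 90, "history": 5,
}
INCONSISTENT = {
    "min_strength": "Complex", "min_length": 6, "min_letters": 4,
    "min_lowercase": 3, "min_uppercase": 2, "min_non_letters": 3,
    "min_numeric": 2, "min_special": 1, "min_char_change": 6,
    "expiration_days": 400,
}

if __name__ == "__main__":
    for problem in validate_password_policy(INCONSISTENT):
        print(problem)
```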

App Restrictions

Configures options for application controls such as installation, blocklist/allowlist, and execution prevention.

Policy Description Supported system
Installation of App from Untrusted Sources Allows the installation of apps from untrusted sources instead of just the Google Play Store. Android 8 and higher
App Installation Block/Allowlist Setting Set to control the app installation policies on the Knox Workspace.
> Application installation blocklist Add applications to prohibit their installation on the Knox Workspace.
  • To add an application, click Add, and then select applications in the Select Application window.
  • To add all applications, click Add all.
  • To delete an application, click delete next to the added application.
  • If a control application registered with a wildcard (*) in the package name is added to this policy, the specific package will not be installed.

    For example, com.*.emm / com.sds.* / com.*.emm.*

  • Previously installed blocked applications will also be removed.
  • An application that has been added on the Application Installation allowlist policy cannot be added.
Samsung Knox 1.0 and higher
> Application installation allowlist Add applications to allow their installation on the Knox Workspace.
  • To add an application, click Add, and then select applications in the Select Application window.
  • To add all applications, click Add all.
  • To delete an application, click delete next to the added application.

  • If a control application registered with a wildcard (*) in the package name is added to this policy, the specific package will not be installed.

    For example, com.*.emm / com.sds.* / com.*.emm.*

  • Any applications not on the allowlist are deleted, even if they are not on the blocklist.
  • An application that has been added to the Application Installation Blocklist policy cannot be added.

Samsung Knox 2.0 and higher
App Execution Blocklist Setting Set to control the execution blocklist on the Knox Workspace.
> Application execution blocklist Add applications to prevent their execution in Knox Workspace. The icon of the blocked application disappears and users cannot run the application.
  • To add an application, click Add, and then select applications in the Select Application window.
  • To delete an application, click delete next to the added application.

An application that was added to the Application Installation allowlist policy cannot be added.

Samsung Knox 1.0 and higher
App execution prevention list setting Allows app installation but prevents app execution.
> App execution prevention list Add apps to be displayed but not executable on the Knox Workspace. Listed apps can be installed and the icons are displayed, but they are not executable.
  • To add an app, click Add, and then select apps on the Select Application screen.
  • To delete an app, click delete next to the added app.
Samsung Knox 2.0 and higher
App uninstallation prevention list Setting Set to control the app uninstallation policies.
> App uninstallation prevention list Add apps to prevent their uninstallation on Knox Workspace.
  • To add an app, click Add, and then select apps in the Select Application screen.
  • To delete an app, click delete next to the added app.
Samsung Knox 1.0 and higher
App installation authority allowlisting settings Set the applications with installation permissions on Knox Workspace.
> Application installation allowlist Add applications to allow installation on the Knox Workspace. Selected applications are added to the View list with the package name of the applications.
  • To add an application, click Add, and then select applications on the Select Application screen.
  • To delete an application, click delete next to the added application.
Samsung Knox 1.0 and higher
Google Mobile Service App Allows Google Mobile Service (GMS) app installation. If the GMS app policy is disallowed, the basic apps provided by Google do not show. Samsung Knox 2.0 and higher
TIMA CCM profile allowlist Allows the use of the TIMA Client Certificate Manager (CCM) profile on Knox Workspace.
  • Entire application — Applications in the Knox Workspace can access TIMA CCM.
  • Allowlist Application — Only the added applications on the allowlist can access TIMA CCM.
> TIMA CCM profile application allowlist Add applications to access the TIMA CCM on the Knox Workspace.
  • To add an application, click Add, and then select applications on the Select Application screen.
  • To delete an application, click delete next to the added application.
Samsung Knox 2.1 and higher
TIMA CCM profile app access restriction exception list settings Allows only the set applications to access the TIMA CCM profile even when the Knox Workspace is locked.
> TIMA CCM profile app access restriction exception list Add applications to access the TIMA CCM profile even when the Knox Workspace is locked.
  • To add an application, click Add, and then select applications in the Select Application window.
  • To delete an application, click delete next to the added application.
Samsung Knox 2.1 and higher
Allowlisting Apps Allowing External SD Card Setting Allows the use of an external SD card in Knox Workspace. The external SD card cannot be used by default in the Knox Workspace.
> Allowlisted apps for external SD card Add applications that can use an external SD card.
  • To add an application, click Add, and then select applications in the Select Application window.
  • To delete an application, click delete next to the added application.
Samsung Knox 2.2 and higher
Battery optimization exceptions Set to exempt applications from the battery optimization function. This policy may cause battery loss.
> Apps excluded from battery optimization Add applications to exempt from the battery optimization function on Knox Workspace.
  • To add an application, click Add, and then select applications in the Select Application window.
  • To delete an application, click delete next to the added application.
Samsung Knox 2.7 and higher
General Area App Installation List Setting Allows the apps installed in the general area to be installed in the Knox Workspace area.
> General area app installation list Add the applications in the general area to be installed in the Knox Workspace area.
  • To add an application, click Add, and then select applications in the Select Application window.
  • To delete an application, click delete next to the added application.

A list of Android platform applications is displayed in Profile > Manage Control App.

Samsung Knox 2.1 and higher
App Data deletion control setting Allows control of the deletion of the internal application data inside Knox Workspace.
> App Data deletion prevention list Add applications to protect the internal application data from being deleted. The internal data delete button is disabled to block users from arbitrarily deleting application data.
  • To add an application, click Add, and then select applications in the Select Application window.
  • To add all applications, click Add all.
  • To delete an application, click delete next to the added application.

Add the registered application to the App Data deletion protection list policy with a wildcard character in the package name. Then the application data for the specific registered package cannot be deleted. For example, com.*.Knox Manage / com.sds.* / com.*.Knox Manage.*

Samsung Knox 1.0 and higher
> App Data deletion protection exception list Add applications to delete the internal application data.
  • To add an application, click Add, and then select applications in the Select Application window.
  • To add all applications, click Add all.
  • To delete an application, click delete next to the added application.
Samsung Knox 1.0 and higher
App force stop prohibition list setting Set to prohibit app from force stop.
> App Force Stop Prohibition List Add apps to prohibit force stop.
  • To add an app, click Add, and then select apps in the Select Application window.
  • To delete an app, click delete next to the added app.
Samsung Knox 1.0 and higher
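
Because installed applications that match the installation blocklist are removed, and applications missing from the installation allowlist are deleted, it helps to preview the effect of both lists on a device inventory before applying the profile. This is an added example, not Knox Manage code: it assumes `*` matches any run of characters and that the allowlist is enforced only when it is non-empty, and the inventory and lists are constructed.

```python
import re

# Added example, not Knox Manage code.
# Assumption: '*' in a package pattern matches any run of characters and
# every other character is literal.


def _compile(pattern):
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def first_match(package, patterns):
    """Return the first pattern that matches the package name, or None."""
    return next((p for p in patterns if _compile(p).fullmatch(package)), None)


def list_conflicts(blocklist, allowlist):
    """Pairs (allow entry, block entry) where one entry covers the other.

    The page states that an application on one list cannot be added to the
    other, so any such pair needs to be resolved before saving the profile.
    """
    return sorted(
        (a, b)
        for a in allowlist
        for b in blocklist
        if _compile(b).fullmatch(a) or _compile(a).fullmatch(b)
    )


def removal_preview(installed, blocklist, allowlist):
    """Map each package that would be removed to the reason."""
    removed = {}
    for package in installed:
        hit = first_match(package, blocklist)
        if hit:
            # Previously installed blocked applications are removed.
            removed[package] = f"blocklist entry {hit}"
        elif allowlist and not first_match(package, allowlist):
            # Applications not on the allowlist are deleted.
            removed[package] = "not on allowlist"
    return removed


# Constructed sample data. The two blocklist patterns are the page's own
# examples; package names are made up.
BLOCKLIST = ["com.*.emm", "com.sds.*"]
ALLOWLIST = ["com.example.*", "com.example.emm"]
INSTALLED = ["com.sds.sample", "com.example.emm", "com.example.mail", "net.example.vpn"]

if __name__ == "__main__":
    print(list_conflicts(BLOCKLIST, ALLOWLIST))
    for package, reason in removal_preview(INSTALLED, BLOCKLIST, ALLOWLIST).items():
        print(package, "->", reason)
```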

Browser

Allows the use of the Android browser and configuring the settings for it.

Browsers must be closed and opened again to apply the changes.

Policy Description Supported system
Android browser Allows using the Android browser in the Knox Workspace. Samsung Knox 1.0 and higher
> Cookies Allows cookies in the Android browser of the Knox Workspace. Samsung Knox 1.0 and higher
> JavaScript Allows JavaScript in the Android browser of the Knox Workspace. Samsung Knox 1.0 and higher
> Autofill Allows auto-completion of information that you enter on websites in the Android browser of the Knox Workspace. Samsung Knox 1.0 and higher
> Pop-up block Allows blocking pop-ups in the Android browser of the Knox Workspace. Samsung Knox 1.0 and higher
Browser proxy URL

Set the proxy server address for the Android browser in the Knox Workspace. Enter the value in the form of IP:port or domain:port in the fields.

  • The Chrome browser and Samsung S browser are supported.
  • The supported version for Chrome is Knox 1.0.1 - 2.6.
Samsung Knox 1.0 and higher

Firewall

Configures the IP or a domain firewall policy for each application.

The firewall supports IPv6 for SDK 2.6 or above. Even if the IPv4 and the IPv6 indicate the same address, a separate configuration is required.

Policy Description Supported system
Firewall Set to use the firewall to set target IP addresses. The firewall policy is enabled by default. Samsung Knox 1.0 - 2.4.1
> Firewall type

Select and configure the firewall type to use in Knox Workspace.

  • All Packages — Input values for Permission policy and Prohibition policy.

    Android 10 and higher devices are not supported.

  • By Application — Input values for Permission policy (IP), Prohibition policy (IP), Permitted policy (Domain), Prohibited policy (Domain), and DNS setting.
>> Permission policy

Input values to permit access through the firewall.

  1. Enter a Host Pattern and Port.
  2. Select a Network Type:

    • All
    • Data — Only mobile network access is enabled.
    • Wi-Fi — Only Wi-Fi network access is enabled.
  3. Select Port Range:

    • All
    • Local — Port access from the device is enabled.
    • Remote — Port access from the target server is enabled.
  4. Click add to add.

Before setting this policy, disable all IPs and ports by entering a wildcard character (*) to the Prohibited policy (IP) ranges.

Samsung Knox 1.0 - 2.4.1
>> Prohibition policy Input values to prohibit access through the firewall.
  1. Enter a Host Pattern and Port.
  2. Select Network Type:
    • All
    • Data — Only mobile network access is disabled.
    • Wi-Fi — Only Wi-Fi network access is disabled.
  3. Select Port Range:
    • All
    • Local — Port access from the device is disabled.
    • Remote — Port access from the target server is disabled.
  4. Click add to add.
Samsung Knox 1.0 - 2.4.1
>> Permitted policy (IP)

Input values to permit the target IP and port address. Configure the following:

  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
  3. Select the Network Type:
    • All
    • Data — Only mobile network access is enabled.
    • Wi-Fi — Only Wi-Fi network access is enabled.
  4. Select Port Range:

    • All
    • Local — Port access from the device is enabled.
    • Remote — Port access from the target server is enabled.
  5. Click add to add.

Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited policy (IP) ranges.

Samsung Knox 2.5 and higher
>> Prohibited policy (IP)

Input values to prohibit the target IP and port address. Configure the following:

  1. Enter or click Add to search the Package Name of the application.
  2. Enter the IP Address (range) and Port (range).

    • Enter a wildcard character (*) as an IP Address to prohibit the use of the bandwidth.
  3. Select Network Type:

    • All
    • Data — Mobile network access is disabled.
    • Wi-Fi — Wi-Fi network access is disabled.
  4. Select Port Range:

    • All
    • Local — Port access from the device is disabled.
    • Remote — Port access from the target server is disabled.
  5. Click add to add.

When entering the IP address, you can use a wildcard character (*) to disable the bandwidth usage.

Samsung Knox 2.5 and higher
>> Permitted policy (Domain)

Input values to permit the target domain address.

  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
  3. Consider the following:

    • Before setting this policy, disable all domains by entering a wildcard character (*) to the Prohibited policy (Domain) ranges.
    • Use a wildcard character (*) to allow the use of a specific domain. The character must be placed before or after the domain name. For example, *android.com / www.samsung*
Samsung Knox 2.6 and higher
>> Prohibited policy (Domain)

Input values to prohibit the target domain address.

  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).

Use a wildcard character (*) to disable a specific domain.

Samsung Knox 2.6 and higher
>> DNS setting

Input values to specify the domain server address of all applications or registered applications.

  1. Enter or click Add to search the Package Name of the application.
  2. Input DNS values.

    • DNS1 — Primary DNS.
    • DNS2 — Secondary DNS.

Only one DNS per application can be set and it is effective only when there are no VPN or Proxy policies assigned to the application.

Samsung Knox 2.7 and higher
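
Two of the notes above are easy to miss when building per-application rules: a Permitted policy needs a wildcard (*) entry in the matching Prohibited policy first, and IPv4 and IPv6 need separate entries. The following added example, which is not Knox Manage code, audits a rule list for both; the rule dictionaries (keys `package`, `policy`, `target`), the `start-end` range notation and the sample rules are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Added example, not Knox Manage code. The rule format is hypothetical:
# {"package": ..., "policy": "permitted_ip" | "prohibited_ip" |
#  "permitted_domain" | "prohibited_domain", "target": ...}

WILDCARD = "*"


def _family(target):
    """Return 4 or 6 for an IP literal or 'start-end' range, else None."""
    first = target.split("-")[0].strip()
    try:
        return ipaddress.ip_address(first).version
    except ValueError:
        return None


def audit_firewall(rules):
    """Return (package, finding) tuples, ordered by package name."""
    by_package = defaultdict(lambda: defaultdict(list))
    for rule in rules:
        by_package[rule["package"]][rule["policy"]].append(rule["target"])

    findings = []
    for package in sorted(by_package):
        policies = by_package[package]

        # A Permitted policy is meant to sit on top of a wildcard prohibition.
        for scope in ("ip", "domain"):
            permitted = policies[f"permitted_{scope}"]
            prohibited = policies[f"prohibited_{scope}"]
            if permitted and WILDCARD not in prohibited:
                findings.append(
                    (package, f"permitted_{scope} without wildcard prohibited_{scope}"))

        # IPv4 and IPv6 are configured separately, even for the same host.
        for name in ("permitted_ip", "prohibited_ip"):
            families = {_family(target) for target in policies[name]}
            if 4 in families and 6 not in families:
                findings.append((package, f"{name} has IPv4 entries only"))
    return findings


# Constructed sample rules using documentation address ranges.
SAMPLE_RULES = [
    {"package": "com.example.mail", "policy": "prohibited_ip", "target": "*"},
    {"package": "com.example.mail", "policy": "permitted_ip", "target": "192.0.2.10"},
    {"package": "com.example.mail", "policy": "permitted_ip", "target": "2001:db8::10"},
    {"package": "com.example.crm", "policy": "permitted_ip",
     "target": "198.51.100.7-198.51.100.20"},
    {"package": "com.example.chat", "policy": "prohibited_domain", "target": "*"},
    {"package": "com.example.chat", "policy": "permitted_domain", "target": "*example.com"},
    {"package": "com.example.news", "policy": "permitted_domain", "target": "www.example*"},
]

if __name__ == "__main__":
    for package, finding in audit_firewall(SAMPLE_RULES):
        print(f"{package}: {finding}")
```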

Container Data

Allows data transfers between the Knox Workspace area and the general area.

Policy Description Supported system
Moving an application to container

Allows moving applications from the general area to the Knox Workspace.

Android 10(Q) and higher devices are not supported.

Samsung Knox 2.0 and higher
Moving a file to Knox area Allows moving files from the general area to the Knox Workspace. Samsung Knox 2.0 and higher
Moving a file to General area Allows moving files from the Knox Workspace to the general area. Samsung Knox 2.0 and higher
Calendar sync setting Allows syncing calendar data between the general area and the Knox Workspace. Android 8 and lower
> Calendar data sync Set how the calendar data is synced between the general area and the Knox Workspace:
  • Allow Import — Allows importing the calendar data of the general area to the Knox Workspace.
  • Allow Export — Allows exporting the calendar data of the Knox Workspace to the general area.
Samsung Knox 2.0 and higher
Contacts sync setting Allows syncing contact data between the general area and the Knox Workspace.
> Contacts data sync Sets Data Loss Protection (DLP):
  • Allow Import — Allows importing the calendar data of the general area to the Knox Workspace.
  • Allow Export — Allows exporting the calendar data of the Knox Workspace to the general area.
Samsung Knox 2.0 and higher
Copy and Paste Clipboard per Profile Allows copying and pasting with the clipboard between the personal and work areas.

Exchange ActiveSync

Configures the settings of Microsoft Exchange ActiveSync accounts to synchronize data with it.

Add configurations by clicking add.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each Exchange setting.
Description Enter a description for each Exchange setting.
Remove available Allows users to delete the Exchange settings in Knox Workspace.
Office 365

Allows configuring the Exchange settings.

This policy will automatically fill out the Exchange server address and the SSL option as Use.

User information input method Select an input method for entering user information.
> Manual Input Select to manually enter the email address, account ID, and password of a user. You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
> Connector interworking

Select to choose a connector from the User Information Connector list.

All the connectors are listed in Advanced > System Integration > Directory Connector.

> User Information Select to access the exchange server using the registered Knox Manage email and ID. The password must be entered from the user's device.
Domain Enter a domain address for the Exchange server. You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Exchange server address Enter the Exchange server information such as IP address, host name or URL.
Sync measure for the early data Select the interval period to sync the past emails. The sync interval and synchronization are in accordance with the email application settings.
Email sync Interval

Select the interval period to sync the past emails.

The sync interval and synchronization are in accordance with the mail application settings.

User certificate input method Select an input method for entering certificate information.
> EMM Management Certificate

Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • Certificate — Select a certificate to use from the User Certificate list.
> Connector interworking Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced> System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP. When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • User certificate Connector — Select a connector to use from the User certificate Connector list.
> Issuing External CA Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
  • Issuing external CA — Select an external CA to use from the Issuing external CA list.
Sync calendar Syncs schedules on a calendar from a server to a device.
Sync contacts Syncs contact information in a phone book from a server to a device.
Sync task Syncs task items from a server to a device.
Sync notes Syncs notes from a server to a device.
SSL

Set to use SSL for email encryption.

If Office365 setting is used, the SSL option is automatically set to Use.

Signature Enter the email signature to use.
Notification Notifies the user of new emails.
Always vibrate on notification Notifies the user of new emails with a vibration.
Silent notification

Mutes email notifications.

Always vibrate on notification and Silent notification cannot be used at the same time.

Attachments capacity (byte) Enter the email attachment file size limit in bytes. The input value ranges from 1 to 52428800 (50 MB).
Maximum Size of Email Body (Kbyte) Select a maximum value for the email body size. This is only set once during the initial Exchange ActiveSync setup.
> Default Size of Email Body (Kbyte)

Select the default value of the email body size.

Select the setting after the Maximum Size of Email Body (Kbyte) setting.

Email Account

Configures the settings of a POP or IMAP email account.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each email account setting.
Description Enter a description for each email account setting.
Remove available Allows users to delete the email account settings in Knox Workspace.
Default Account Specifies usage of the default account.
User Information input method Select an input method for entering user information.
> Manual Input Select this to enter the email address manually. You can also enter the incoming server ID, incoming server password, outgoing server ID, and outgoing server password for the email connection. You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
> Connector interworking

Select a connector from the user information connector.

The connectors are listed in Advanced > System Integration > Directory Connector.

> User Information Select to access the relevant mail server using the registered Knox Manage email, ID, and password. The password must be entered from the user's device.
Incoming Server Protocol Select between the POP3 (pop3) and IMAP (imap) protocol.
Outgoing Server Protocol Entered automatically as SMTP.
Incoming Server Address/port Enter the Incoming Server address/port in a provided format.
Outgoing Server Address/port Enter the outgoing server address in a provided format.
Incoming Server ID Enter an incoming server ID to sign in to the incoming mail server manually. This protocol is only available when Manual Input is selected. You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
Outgoing Server ID Enter an outgoing server ID to sign in to the outgoing mail server manually. This protocol is only available when Manual Input is selected. You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
Incoming Server Password Enter an incoming server password to sign in to the incoming mail server manually. This protocol is only available when Manual Input is selected. You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
Outgoing Server Password Enter an outgoing server password to manually sign in to the outgoing mail server. This protocol is only available when Manual Input is selected. You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
Incoming SSL Select this to use SSL encryption.
Outgoing SSL Select this to use SSL encryption.
Notification Select an email notification method.
  • Enable Notification — Activates email notification.
  • Enable "Always notify by vibrate mode" — Notifies the user of new emails with a vibration.
  • Disable Notification — Deactivates email notification.
All incoming certificates Allows receiving certificates.
All outgoing certificates Allows sending certificates.
Signature Enter an email signature to use.
Account Name Assign an account name.
Sender Name Assign a sender name.
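
The constraints in the Exchange ActiveSync and Email Account tables above can be checked mechanically before a profile is saved. The following is an added example, not Knox Manage code: the dictionary key names and the sample data are assumptions, since the page does not show an export format.

```python
# Added example. Key names are hypothetical; the page shows no export format.
MAX_ATTACHMENT_BYTES = 52428800  # upper bound from "Attachments capacity (byte)"
MAX_EMAIL_ACCOUNTS = 20          # per-profile limit for Email Account
MANUAL_ONLY = [f"{s}_server_{f}" for s in ("incoming", "outgoing") for f in ("id", "password")]

def audit_exchange(cfg):
    """Check one Exchange ActiveSync configuration against the table's rules."""
    cid, out = cfg.get("configuration_id", "?"), []
    size = cfg.get("attachments_capacity")
    if size is not None and not 1 <= size <= MAX_ATTACHMENT_BYTES:
        out.append(f"{cid}: attachments capacity {size} outside 1..{MAX_ATTACHMENT_BYTES}")
    if cfg.get("always_vibrate") and cfg.get("silent_notification"):
        out.append(f"{cid}: Always vibrate and Silent notification are both set")
    if not cfg.get("ssl"):
        why = ("Office365 setting in use but SSL is not set to Use"
               if cfg.get("office365") else "SSL not in use for email encryption")
        out.append(f"{cid}: {why}")
    return out

def audit_email_accounts(accounts):
    """Check the POP/IMAP Email Account list as a whole and entry by entry."""
    out, seen = [], set()
    if len(accounts) > MAX_EMAIL_ACCOUNTS:
        out.append(f"{len(accounts)} configurations exceed the limit of {MAX_EMAIL_ACCOUNTS}")
    for acc in accounts:
        cid = acc.get("configuration_id", "?")
        if cid in seen:
            out.append(f"{cid}: duplicate Configuration ID")
        seen.add(cid)
        if acc.get("incoming_protocol") not in ("pop3", "imap"):
            out.append(f"{cid}: incoming protocol must be pop3 or imap")
        for side in ("incoming", "outgoing"):
            if not acc.get(f"{side}_ssl"):
                out.append(f"{cid}: {side} SSL disabled")
        # Server ID and password fields apply only when Manual Input is selected.
        stray = [k for k in MANUAL_ONLY if acc.get(k)]
        if acc.get("input_method") != "manual" and stray:
            out.append(f"{cid}: {', '.join(stray)} set without Manual Input")
    return out

# Constructed sample data, not taken from a real tenant.
SAMPLE_EXCHANGE = {"configuration_id": "eas-1", "attachments_capacity": 60000000,
                   "always_vibrate": True, "silent_notification": True,
                   "office365": True, "ssl": False}
SAMPLE_ACCOUNTS = [
    {"configuration_id": "mail-1", "incoming_protocol": "imap", "input_method": "manual",
     "incoming_ssl": True, "outgoing_ssl": True, "incoming_server_id": "svc"},
    {"configuration_id": "mail-1", "incoming_protocol": "pop3", "input_method": "connector",
     "incoming_ssl": False, "outgoing_ssl": True, "incoming_server_password": "x"},
]
```

Running both functions on the sample data returns three findings each; a configuration that satisfies every rule returns an empty list.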

Bookmark

Configures the bookmark settings such as the configuration ID and bookmark name.

You can add, modify, or delete the bookmarks in the Samsung S browser, the default browser on Samsung Galaxy devices. Click add to add a configuration.

You can add or edit up to 100 configurations when you save the profile.

  • Browsers must be closed and opened again to apply the changes.
  • Even if a user modifies a registered bookmark or registers a bookmark with the same URL and name, it will not be deleted when the bookmark setting is deleted.
  • Even if a user manually deletes the set bookmark, due to the limitations of Samsung devices, the application may still appear to be installed. In this case, you have to delete the bookmark in the profile, and then recreate the bookmark.
Policy Description
Name Assign a unique ID for each bookmark setting.
Description Enter a description for each bookmark setting.
Bookmark page URL Enter a website address to go to when a bookmark is selected.
Bookmark name Enter a bookmark name to be displayed as the title in a bookmark.

Knox VPN

Configures the VPN (Virtual Private Network) on a Knox Workspace.

Knox VPN settings are provided to help you set up a VPN on a Knox Workspace more easily. Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Only one Knox VPN can be set on a device regardless of the Knox Workspace area or General area.

Policy Description
Configuration ID Assign a unique ID for the Knox VPN setting.
VPN name Enter a VPN name to display on the user device.
Description Enter a description for the Knox VPN setting.
Remove available Allows users to delete the Knox VPN setting.
VPN vendor name

Select a VPN vendor among F5, Juniper, Cisco, and User defined. Input fields vary depending on the selected VPN vendor name.

Select User defined to set up a different vendor's VPN service, such as Sectra mobile VPN. For more information, see Entering a VPN vendor manually.

VPN client vendor package name Entered automatically according to the selected VPN vendor name. If User defined is selected, you must manually enter this protocol.
VPN type Entered automatically when you select F5 or Juniper. If other vendors are selected, you must manually select this protocol.
Entering methods for Knox VPN

Select an entering method for Knox VPN information.

Input fields vary depending on the selected VPN vendor and the entering method.

Upload Knox VPN profile Allows uploading a Knox VPN profile when you set Entering methods for Knox VPNs to Upload profile. You can upload a text file in the JSON format. JSON varies depending on the VPN vendor and VPN type. For more information about sample files, see the sample file of a Sectra Mobile VPN configuration in Configuring a Knox VPN profile manually and see the sample file of Cisco VPN configuration in Sample file for uploading a Knox VPN profile.
User certificate input method

Select an input method for entering certificate information.

All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate.
  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP.

When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
Authentication Method Select an authentication method.
  • Not Applicable — Disables authentication.
  • Certificate-based Authentication — Uses certificates for authentication in the Knox VPN setting.
  • CAC-based Authentication — Uses two-factor authentication provided by CAC (Common Access Card).
CA Certificate Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Knox VPN and the Type set as Root will appear on the list.
Server certificate Select a certificate to use from the certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Knox VPN and the Type set as Use will appear on the list.
FIPS mode Allows the use of FIPS mode. FIPS (US Federal Information Processing Standards) encrypts all data with FIPS-140-2 authentication modules between the server and client.
Auto Re-connection Allows connecting automatically when an error occurs.
VPN route type by application Select to use a VPN for selected applications or for all applications in the General area.
  • By Application — Click Add next to The VPN applied package name per app and select applications, and then click Save.
  • All Packages — All applications in the General area are subject to a VPN.

Configuring a Knox VPN profile manually

You can manually enter a profile when Manual Input is selected in the Entering methods for Knox VPN field. Set the options as below:

  1. Enter the IP address, host name, or URL of the VPN server in the Server address.

    The VPN route type, which enables the use of VPN tunneling, is automatically entered.

  2. Select to use user authentication.

  3. Enter the user information for authentication depending on the selected method of entering user information:

    If the VPN vendor is set to F5 or Juniper, configure the following:

    Method Policy
    Manual Input Enter the user ID and Password for the VPN connection. You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
    Connector interworking Choose a connector from the User information Connector. All the connectors are listed in Advanced > System Integration > Directory Connector.
    User Information Use the user information registered in Knox Manage to access a VPN.
  4. Select a VPN type and enter the parameters. Required parameters vary depending on the selected VPN type.

    If the VPN type is set to SSL, enter the SSL algorithm that the server requires for the SSL algorithm section.

  5. Select a VPN connection type.

    • KEEP ON — Keep the VPN connection.

    • On Demand — Connect to the VPN upon request.

  6. Select the chaining type.

  7. Select to use the UID PID.

  8. Select to use the Logon mode.

    Logon mode is used when the VPN vendor name is set to F5.

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each certificate setting.
Description Enter a description for each certificate setting.
User certificate input method

Select an input method for entering certificate information.

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate.

    All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP.

When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
Certificate category Select a certification category when EMM Management Certificate is selected in User certificate input method.
  • CA certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root will appear on the list.
  • User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User will appear on the list.
