Samsung Knox running Android Enterprise policies
Last updated September 19th, 2024
This topic describes the policies you can configure for Samsung devices enrolled under Android Enterprise.
To configure Samsung Knox policies for devices with work profiles, make sure you have the right licenses in the console. You must have a Knox Suite, Knox Platform for Enterprise, or Knox Manage (with KLM12 prefix) license. For more information, see license overview.
- To apply these policies, devices require the Knox Service Plugin agent 19.12 or higher.
- One UI Core devices do not support Premium features with a KPE license. Applying KPE policies on such a device will cause unexpected errors that require a factory reset.
System
Provides data sharing or save settings, developer options, and other features.
Policy | Description | Supported system |
---|---|---|
Domain Blocklist Settings | Allow using the domain blocklist. | |
> Domain Blocklist | Enter a domain blocklist that should not be used when registering an Exchange or email account. | Fully Managed — Samsung Knox 1.0 and higher |
Network Time Protocol Settings | Enables the device to sync system time with an external server through the Network Time Protocol (NTP). Values | Samsung Knox 2.5 and higher |
Server Address | Specifies the URL of the NTP server. Only available if the Network Time Protocol Settings policy is set to Apply. Values: Enter a URL. | Samsung Knox 2.5 and higher |
Maximum Number of Attempts | Specifies the maximum number of attempts allowed to connect to the NTP server during a polling cycle. Only available if the Network Time Protocol Settings policy is set to Apply. Values: Enter the maximum number of connection attempts. The value can be 1–100. | Samsung Knox 2.5 and higher |
Polling Cycles (hr) | Specifies the duration to wait before the device attempts to resync with the NTP server after the previous synchronization succeeds. When syncing begins, the device attempts to connect to the server a maximum number of times defined by the Maximum Number of Attempts policy. Only available if the Network Time Protocol Settings policy is set to Apply. Values: Enter a delay between polling cycles, in hours. The value can be between 1–8760. | Samsung Knox 2.5 and higher |
Short Polling Cycle (sec) | Specifies the duration to wait before the device attempts to resync with the NTP server after the previous synchronization fails. Only available if the Network Time Protocol Settings policy is set to Apply. Values: Enter a delay between short polling cycles, in seconds. The value can be between 1–1000. | Samsung Knox 2.5 and higher |
Timeout (sec) | Specifies the duration to wait after a connection attempt during a polling cycle times out. Only available if the Network Time Protocol Settings policy is set to Apply. Values: Enter a value, in seconds. The value can be between 0–1000 seconds. | Samsung Knox 2.5 and higher |
Power off | Allows powering off the device. | Fully Managed — Samsung Knox 1.0 and higher |
OTA Upgrade | Allows an OTA upgrade for the device. | Fully Managed — Samsung Knox 1.0 and higher |
Settings | Allows the configuration changes within the System Settings. | Fully Managed — Samsung Knox 1.0 and higher |
Expand status bar | Allows the expansion of the status bar. | Fully Managed — Samsung Knox 1.0 and higher |
Clipboard | Allows using the clipboard feature and sets the range. | Samsung Knox 1.0 and higher |
Share via apps | Allows the share app feature. | Samsung Knox 1.0 and higher |
Smart Select | Allows using Smart Select, a Samsung device feature that lets users clip content by drawing a circle with the S pen. Clipped content can be used in notes or anywhere else. | Fully Managed — Samsung Knox 2.3 and higher |
Reboot banner | Allows using the reboot banner which appears on the user's device when the device reboots. | Fully Managed — Samsung Knox 1.0 and higher |
> Reboot banners stationery | Enter the text for the reboot banner. You can enter up to 1000 bytes. You can customize banners for Samsung Knox 2.2+ devices. For Samsung Knox 1.0 devices, only the message or banner registered by the manufacturer is displayed. | Fully Managed — Samsung Knox 2.2 and higher |
Power Saving Mode Control | Allows power saving controls on the device. | Fully Managed — Samsung Knox 2.8 and higher |
Firmware download mode control | Allows using the hardware key on the device to update firmware. | Fully Managed — Samsung Knox 2.0 and higher |
Samsung Keyboard settings control | Allows accessing the settings key from the Samsung keyboard. | Fully Managed — Samsung Knox 2.0 and higher |
Connectivity
Controls the network settings, such as Wi-Fi Hotspot and Bluetooth tethering, and controls the USB media player settings.
Policy | Description | Supported system |
---|---|---|
USB debugging | Specify whether to allow corporate devices to communicate with computers through USB. | Fully Managed — Samsung Knox 1.0 and higher Work Profile — Android 5 and higher |
NFC Control | Allows NFC (Near Field Communication) control. Android 10 and higher devices are not supported. | Fully Managed — Samsung Knox 1.0 and higher Work Profile — Samsung Knox 2.4 and higher |
USB host storage (OTG) | Allows a device connection via OTG (On the Go). OTG controls only the storage items and not the non-storage items, such as a keyboard or mouse. To use DeX, configure the policy to allow DeX mode. If the configuration value is set as either allow or disallow, make the USB exception list as follows: | Fully Managed — Samsung Knox 1.0 and higher |
> Set usb exception allowed list | Select a USB interface to use if the USB host storage (OTG) policy is disallowed. | |
>> USB exception allowed list | Select the USB interface to use from the USB exception allowed list. For more information, see https://www.usb.org/defined-class-codes. | Fully Managed — Samsung Knox 3.0 and higher |
Wi-Fi Hotspot | Specify using mobile Wi-Fi hotspot on the device. | Fully Managed — Samsung Knox 1.0 and higher |
Wi-Fi SSID Allowlist Setting | Allows using the Wi-Fi SSID allowlist. Devices can only connect to the Wi-Fi APs on the allowlist. For non-Samsung devices with Android 8 or a higher version, this policy can only be applied when it has been agreed to grant access to location information. | |
> Wi-Fi SSID Allowlist | Add Wi-Fi APs to the allowlist. This policy is irrelevant to adding or deleting the Wi-Fi setting profile. | Fully Managed — Samsung Knox 1.0 and higher |
Wi-Fi SSID Blocklist Setting | Allows using the Wi-Fi SSID blocklist. Devices cannot connect to Wi-Fi APs on the blocklist. For non-Samsung devices with Android 8 or a higher version, this policy can only be applied when it has been agreed to grant access to location information. | |
> Wi-Fi SSID Blocklist | Add Wi-Fi APs to the blocklist. This policy is irrelevant to adding or deleting the Wi-Fi setting profile. | Fully Managed — Samsung Knox 1.0 and higher |
Wi-Fi Auto Connection | Allows automatic connection to the Wi-Fi SSID already stored in the device. | Fully Managed — Samsung Knox 1.0 and higher |
Wi-Fi Minimum Security Level Setting | Set a minimum security level for Wi-Fi. The security level increases in the following ascending order: OPEN < WEP < WPA < LEAP, PWD < FAST, PEAP < TLS, TTLS, SIM, AKA, AKA'. | Fully Managed — Samsung Knox 1.0 and higher |
USB Tethering | Allows USB tethering. | Fully Managed — Android 4.3 and higher, Samsung Knox 1.0 and higher |
Bluetooth Tethering | Allows Bluetooth tethering to share the internet connection from one device to another. | Fully Managed — Samsung Knox 1.0 and higher |
Bluetooth UUID Allowlist Setting | Allows connecting Bluetooth devices based on their Universal Unique Identifier (UUID). | Android 13 and lower |
> Bluetooth UUID allowlist | Select devices to allow Bluetooth connections with. Click the check boxes for Audio, File transfer, Phonebook, Headsets, or Hands-free. When the policy is updated, the current Bluetooth connection is disconnected. Users must reconnect. | Fully Managed — Samsung Knox 1.0 and higher |
Bluetooth UUID Blocklist Setting | Allows disconnecting Bluetooth devices based on their Universal Unique Identifier (UUID). | Android 13 and lower |
> Bluetooth UUID Blocklist | Select devices to allow Bluetooth connections with. Click the check boxes for Audio, File transfer, Phonebook, Headsets, or Hands-free. When the policy is updated, the current Bluetooth connection is disconnected. Users must reconnect. | Fully Managed — Samsung Knox 1.0 and higher |
Allow USB devices for default access by app | See the policy description for Application management policies > Allow USB Devices for default access by Application in the Knox Service Plugin admin guide. | |
Allow USB devices for default access by app | See the policy description for Application management policies (Premium) > Allow USB Devices for default access by Application in the Knox Service Plugin admin guide. | |
Bluetooth | Specify whether to allow devices to connect through Bluetooth. | Work Profile — Samsung Knox 2.4 and higher |
Security
Configures security settings, such as the Google Android security update policy.
Policy | Description | Supported system |
---|---|---|
Google Android security update policy | Allows the user to select whether to receive updates on the device. | Fully Managed — Samsung Knox 2.6 and higher |
Kiosk
Configures the Kiosk device settings.
Policy | Description | Supported system |
---|---|---|
Task manage | Allow the use of the Task Manager. | Fully Managed — Samsung Knox 1.0 - 2.4 |
System bar | Use the System bar which refers to the Status bar in the Notifications area at the top of the device and the Navigation bar in the Buttons area at the bottom. For non-Samsung devices, even if you selected either Allow status bar only, or Allow navigation bar only, both the status bar and the navigation bar will be disabled. | Fully Managed — Samsung Knox 1.0 and higher |
Multiple windows | Allows the use of multiple windows. This is available for devices that provide the functionality of multiple windows. | Fully Managed — Samsung Knox 1.0 and higher |
Air command | Allows the use of Air command. Air command is a function provided on Samsung devices. Menu items appear when the user brings an S pen close to the screen. Air command is not available on Kiosk mode devices with Android Pie (9.0) and higher. | Fully Managed — Samsung Knox 2.2 and higher |
Air view | Allows the use of Air view. Air view is a function provided on Samsung devices. Users can preview a picture or email when they bring the S pen or finger close to the picture or other content. | Fully Managed — Samsung Knox 2.2 and higher |
Edge screen | Allows the use of the Edge screen of the device. The Edge screen allows users to create shortcuts on the edges of the screen panel to frequently used applications, favorite contacts, or the camera. | Fully Managed — Samsung Knox 2.5 and higher |
App Restrictions
Configures the battery optimization exceptions setting.
Policy | Description | Supported system |
---|---|---|
Battery optimization exceptions | Set to exempt applications from the battery optimization mode. This policy may cause battery loss. | Samsung Knox 2.7 and higher |
> Apps excluded from battery optimization | Add applications to be exempted from battery optimization mode. | |
App Component Blocklist | Specify whether to block an app component, such as activity, receiver, or service. Values | Samsung Knox 2.0 and higher |
> App Component Blocklist | Select an app and specify the component to block. | |
Browser
Configures the settings for the default web browser and Chrome browser.
Policy | Description | Supported system |
---|---|---|
Cookies | Allows cookies in the Android browser. If cookies are not allowed, you cannot access websites that authenticate users with cookies. | Fully Managed — Samsung Knox 1.0 and higher |
JavaScript | Allows JavaScript in the Android browser. | Fully Managed — Samsung Knox 1.0 and higher |
Autofill | Allows auto-completion of information that you enter on websites in the Android browser. | Fully Managed — Samsung Knox 1.0 and higher |
Pop-up block | Allows blocking pop-ups in the Android browser. | Fully Managed — Samsung Knox 1.0 and higher |
Browser proxy URL | Set the proxy server address for the Android browser. Enter the value in the form of IP:port or domain:port in the fields. | Fully Managed — Samsung Knox 1.0.1 and higher |
Phone
Configures the phone settings, such as the cellular network settings.
Policy | Description | Supported system |
---|---|---|
Prohibit voice call | Prohibits incoming and outgoing voice calls. | |
> Voice call | Specifies the types of voice calls to block: If both are selected, only emergency calls can be made or received. | Fully Managed — Samsung Knox 1.0 and higher |
Disallow SMS/MMS | Allows sending and receiving SMS/MMS messages. | |
> Disallow Incoming/Outgoing SMS/MMS | Select the types of SMS/MMS messages to disable. You must select at least one type of message. | Fully Managed — Samsung Knox 1.0 and higher |
WAP push during roaming | Allows WAP push communications while roaming. | Fully Managed — Samsung Knox 1.0 and higher |
Data sync during roaming | Allows data synchronization while roaming. | Fully Managed — Samsung Knox 1.0 and higher |
Voice calls during roaming | Allows voice calls while roaming. | Fully Managed — Samsung Knox 1.0 and higher |
Use SIM card locking | This policy is no longer supported through profiles. You can control SIM card locking through device commands. In cases where this setting was already applied, it is retained. However, you cannot modify it. | |
Custom Animation
Set up the boot/shutdown animation and sound.
Policy | Description | Supported system |
---|---|---|
Booting Animation | This method configures device boot animation. | Fully Managed — Samsung Knox 2.5 and higher |
> Boot Animation File | The animation file to be played while the device boots. | |
> Boot Loop File | The loop file to be played while the device boots. | |
> Boot Sound File | The sound file to be played while the device boots. | |
Shutdown Animation | This method configures device shutdown animation. | Fully Managed — Samsung Knox 2.5 and higher |
> Shutdown Animation File | The animation file to be played while the device shuts down. | |
> Shutdown Sound File | The sound file to be played while the device shuts down. | |
Refer to Knox SDK developer guide for instructions on how to create and request QMG file. This policy takes effect after reboot.
Firewall
Configures the IP or a domain firewall policy for each application.
Policy | Description | Supported system |
---|---|---|
Firewall | Set to use the firewall to set target IP addresses. The firewall policy is enabled by default. | Samsung Knox 1.0 - 2.4.1 |
> Permitted policy (IP) | Input values to permit the target IP and port address. Configure the following: Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited Policy (IP), ranges. | Samsung Knox 2.5 and higher |
> Prohibited policy (IP) | Input values to prohibit the target IP and port address. Configure the following: Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited Policy (IP), ranges. | Samsung Knox 2.5 and higher |
> Permitted policy (Domain) | Input values to permit the target domain address. | Samsung Knox 2.6 and higher |
> Prohibited policy (Domain) | Input values to prohibit the target domain address. Use a wildcard character (*) to prohibit a specific domain. | Samsung Knox 2.6 and higher |
> DNS setting | Input values to specify the domain server address of all applications or registered applications. Only one DNS per application can be set and it is effective only when there are no VPN or Proxy policies assigned to the application. | Samsung Knox 2.7 and higher |
DeX
Allows the use of DeX mode, an interface to use a mobile device like a desktop.
Samsung DeX is an accessory that extends the functionalities of a mobile device. By connecting a monitor, keyboard, and mouse to a DeX docking station, the mobile device can function as a desktop computer.
In Knox Manage, you can allow the use of DeX mode and control applications according to the Application execution blocklist setting.
Policy | Description | Supported system |
---|---|---|
DeX Mode | Allows the use of DeX mode. | Fully Managed — Samsung Knox 3.0 and higher |
> Ethernet Only | Allows ethernet only for DeX. Mobile data, Wi-Fi, and tethering are blocked. | Fully Managed — Samsung Knox 3.0 and higher |
> App execution blocklist (Android) | Use the blocklist for running DeX applications. | |
>> App execution blocklist | Prohibits launching the specified applications. When this policy is enabled and applied, the icons of the blocked applications will disappear so that users cannot launch them. However, the applications are not deleted. The icons will reappear once the policy is changed or Knox Manage is disabled. Any applications that already have been added to the Application allowlist cannot be added to the Application blocklist. | Fully Managed — Samsung Knox 3.0 and higher |
Knox Service Plugin
Provides various policies through Knox Service Plugin.
The Knox Service Plugin (KSP) is Samsung’s OEMConfig-based solution that enables IT administrators to use a wide range of Knox management features on their EMM consoles as soon as they are available on the market.
These policies require the Knox Service Plugin app from Google Play. You must meet the following requirements to use the Knox Service Plugin with your managed devices:
- A device enrolled with Android Enterprise.
- A valid Knox Platform for Enterprise license for the device. For more information about Knox licenses, see Knox Platform for Enterprise licenses.
Knox Manage supports a multi-profile structure only for Android Enterprise, iOS, Windows, and macOS. If you assign multiple profiles to Knox Service Plugin, only the highest-priority profile gets applied.
To view and edit Knox Service Plugin policies for a device:
- On the Knox Manage console, begin modifying the target profile. Then, expand the Samsung Knox > Knox Service Plugin policy group.
- Set Debug Mode to True.
- Specify policy values as required. To use a default value, view it in the tooltip and enter it as the value.
- Click Save & Assign to push the values to the device.
Knox Service Plugin policies do not apply to the Fully Managed with Work Profile management mode. However, if a Fully Managed device has Knox Service Plugin policies applied, those policies may remain in effect even after the device’s management mode is changed to Fully Managed with Work Profile. In such cases, remove Knox Service Plugin policies manually.
During installation, if the package name of an application matches a package name pattern in both the blocklist and allowlist, the allowlist takes priority and the application gets installed. To ensure Knox Manage works as expected, add the Knox Manage agent package (com.sds.emm.cloud.knox.samsung) to the Application Allowlist by Pkg Name policy.
For more information on Knox Service Plugin policies, see advanced examples and policy descriptions.
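The allowlist-over-blocklist precedence described above can be checked against a package inventory before a profile is assigned. The following Python is an added example, not code from Knox Manage or the Knox Service Plugin; the `*` wildcard syntax, the handling of packages that match neither list, and the sample lists are assumptions.

```python
import re

# Knox Manage agent package name, as given on this page.
KM_AGENT = "com.sds.emm.cloud.knox.samsung"


def _compile(pattern):
    # Assumption: '*' is the only wildcard and matches any run of characters.
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def _hits(package, patterns):
    """Return the patterns that match the full package name."""
    return [p for p in patterns if _compile(p).fullmatch(package)]


def install_decision(package, allowlist, blocklist):
    """Apply the documented precedence: an allowlist match beats a blocklist match."""
    allowed, blocked = _hits(package, allowlist), _hits(package, blocklist)
    if allowed and blocked:
        return ("install", "allowlist overrides blocklist")
    if allowed:
        return ("install", "allowlist")
    if blocked:
        return ("block", "blocklist")
    # Assumption: a package that matches neither list is not blocked.
    return ("install", "no match")


def audit(allowlist, blocklist, packages):
    """Return review findings for a profile before it is assigned."""
    findings = []
    if install_decision(KM_AGENT, allowlist, blocklist)[0] == "block":
        findings.append(f"agent {KM_AGENT} is blocked; add it to the allowlist")
    for pkg in packages:
        if install_decision(pkg, allowlist, blocklist)[1] != "allowlist overrides blocklist":
            continue
        # A catch-all '*' block is the deny-by-default case; report only
        # specific blocklist entries that a broader allowlist entry defeats.
        shadowed = [p for p in _hits(pkg, blocklist) if p != "*"]
        if shadowed:
            findings.append(f"{pkg} installs although blocklist has: {', '.join(shadowed)}")
    return findings


# Constructed sample profile and package inventory (not real policy data).
SAMPLE_ALLOW = ["com.example.*"]
SAMPLE_BLOCK = ["*", "com.example.games.*"]
SAMPLE_PACKAGES = ["com.example.mail", "com.example.games.puzzle", "org.sample.notes"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ALLOW, SAMPLE_BLOCK, SAMPLE_PACKAGES):
        print(finding)
```

With the sample lists, the audit reports that the agent package is blocked by the catch-all entry and that the broad `com.example.*` allowlist entry defeats the more specific `com.example.games.*` block.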
APN
Configures the device’s Access Point Name (APN) settings for cellular data connectivity.
Click to add a configuration.
You can add or edit up to 20 configurations when you save the profile.
If you’re configuring an APN for a Samsung device running Android 11 and lower, don’t configure an APN for both the Android Enterprise profile and Samsung Knox profile types. Configure it for only one.
Policy | Description | Supported system |
---|---|---|
Configuration ID | Specifies the name of the APN configuration. Each configuration name must be unique. Values: Enter a name. | Android 6–11 |
Description | Specifies the description of the APN configuration. Values: Enter a description. | Android 6–11 |
Remove available | Toggles whether the device user can delete the APN. Values | Android 6–11 |
Access Point Name (APN) | Specifies the name of the APN, which is comprised of the network identifier and optional operator identifier. Values: Enter a name. | Android 6–11 |
Access Point Type | Specifies which connection services to allow for this APN. Values | Android 6–11 |
Mobile Country Code (MCC) | Specifies the MCC of the APN. Values: Enter a 3-digit MCC. | Android 6–11 |
Mobile Network Code (MNC) | Specifies the carrier's MNC for the APN. Values: Enter a 2- or 3-digit MNC. | Android 6–11 |
MMS Server (MMSC) | Specifies the address of the carrier's MMS server. Values: Enter a URL. | Android 6–11 |
MMS Proxy Server | Specifies the address of the carrier's MMS proxy server. Values: Enter an IP or domain. | Android 6–11 |
MMS Proxy Server Port | Specifies the port of the carrier's MMS proxy server. Values: Enter a port. | Android 6–11 |
Server | Specifies the address of the carrier's wide area network (WAN) server. Values: Enter a URL. | Android 6–11 |
Proxy Server | Specifies the address of the carrier's WAN proxy server. Values: Enter a URL. | Android 6–11 |
Proxy Server Port | Specifies the port of the carrier's WAN proxy server. Values: Enter a port. | Android 6–11 |
Access Point Username | Specifies the account username to use when connecting to the APN. Values: Enter a username. By default, the field contains the ${UserName} lookup item, which substitutes for the username associated with the device in Knox Manage. | Android 6–11 |
Access Point Password | Specifies the account password to use when connecting to the APN. Values: Enter a password. | Android 6–11 |
Authentication Method | Specifies the protocol to use when authenticating with the APN. Values | Android 6–11 |
Set as Preferred APN | Makes this the priority APN configuration on the device. Values: Select to enable. | Android 6–11 |