
Cannot allow Camera policy only in work container on fully managed with work profile device

Last updated July 26th, 2023

Environment

  • Knox Manage (KM)
  • Android Enterprise (AE)
  • Fully managed with work profile enrollment type

Overview

In Knox Manage (KM), you may want to enable the camera only in a device’s work profile and not in the personal container. However, under Android Enterprise > System, setting the Camera policy to Fully Managed > Disallow all and Work Profile > Allow disables the camera on both sides of the device.

Cause

This behavior is by Android design. Disabling the Camera policy for the Device Owner user applies the restriction to all users on the device, so devices enrolled as fully managed with work profile have the camera disabled in both the work and personal profiles.

Resolution

As a workaround, you can add the camera to your Control Applications list.

  1. In your KM console, in the left sidebar, click Profile.
  2. Click Push Manage Control App > Add.
  3. Enter the Camera app package name for your device (e.g. com.sec.android.app.camera).
  4. For the Application Name, enter Camera.
  5. Click Save.

Verify that the Camera app is enabled in your work profile. If it is not, modify your profile and apply the System App Activation Setting policy under Android Enterprise > Application, then add Camera to the list.

  1. In your KM profile, under Android Enterprise > Application, set App Execution Blacklist Setting to Apply.
  2. Next to Application execution blacklist, click Add.
  3. Select Camera, then click OK.
  4. Save your profile and apply the changes.

The steps above restrict only one package name (e.g. the default camera app for Samsung devices). To restrict third-party camera applications, add their package names to the application execution blacklist as well.
