Knox Workspace (Android Legacy) Policies

Create a profile and register policies for Knox Workspace devices.

You can configure the policies below for Knox Workspace devices. The availability of each policy varies depending on the OS version.

System

Allows various features, such as screen capture, clipboard, and share via apps.

Interface

Allows adding a new Wi-Fi network or using a microphone and other features.

Security

Configures the security settings, such as passwords and lock screen.

Application

Configures options for application controls such as installation, blacklist/whitelist, and execution prevention.

Browser

Allows the use of the Android browser and configuring the settings for it.

Firewall

Configures the IP or a domain firewall policy for each application.

Container Data

Allows data transfers between the Knox Workspace area and the general area.

Exchange ActiveSync

Configures the settings of Microsoft Exchange ActiveSync accounts to synchronize data with it.

Email Account

Configures the settings of a POP or IMAP email account.

Bookmark

Configures the bookmark settings such as the configuration ID and bookmark name.

Knox VPN

Configures the VPN (Virtual Private Network) on a Knox Workspace.

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

System

Policy
Description
Supported devices
Screen capture
Allows using the screen capture function in the Knox Workspace.
Note
Even if this policy is disallowed, you can still use the screen capture function through the Remote Support Viewer in Remote Support.
Samsung Knox 1.0 or higher
Clipboard
Allows the clipboard feature.
  • Allow within the same app: The clipboard function can only be used within the same application.
Samsung Knox 1.0 or higher
Share via apps
Allows the share app function in the Knox Workspace.
Samsung Knox 1.0 or higher
Google account synchronization
Allows Google account synchronization in the Knox Workspace.
Samsung Knox 2.0 or higher
App crash report to Google
Report application error occurrence information to Google in the Knox Workspace.
Samsung Knox 1.0 or higher
System app close
Allows forceful system application shutdowns in the Knox Workspace.
Samsung Knox 1.0 or higher
Trusted Boot Verification
Allows Trusted Boot.
Samsung Knox 2.0 or higher
Third Party Keyboard
Allows the use of third-party keyboards.
Samsung Knox 2.0 - 2.9
Add Email Account
Allows adding accounts from the default email application on the device.
Samsung Knox 1.0 or higher
Domain whitelist setting
Set to use the email domain whitelist setting.
NOTE
  • The Add email account policy has a higher priority than the Domain whitelist setting policy.
  • The Domain whitelist setting policy does not apply if the Add email account policy is set to Disallow.
> Domain Whitelist
Enter the email domain whitelist to add.
  • To add a domain, enter the domain name in the field, and click the add icon.
  • To delete a domain, click next to the added domain name.
Samsung Knox 1.0 or higher
Allow Remote Control
Allows remote control within the Knox Workspace via Remote Support.
Remote Support should be installed in the general area.

Note
Policy changes using Remote Support in the Knox Workspace do not apply to the Remote Support Viewer immediately. In this case, reload the Knox Workspace area.

Samsung Knox 2.2 or higher

Interface

Policy
Description
Supported devices
Add a new Wi-Fi network
Allows adding a new Wi-Fi network connection in the Knox Workspace.
Samsung Knox 1.0 - 2.4.1
Microphone
Allows the controls for Microphone use in the Knox Workspace.
Note
If this policy is disallowed, video recording is also disallowed.
Samsung Knox 1.0 or higher
> Recording
Allows using microphone recording in the Knox Workspace.
Samsung Knox 1.0 or higher
Camera
Allows using the camera in the Knox Workspace.

NOTE

  • If the camera policy in the General area is disallowed, camera use in the Knox Workspace is also prohibited.
  • This policy allows taking pictures but disallows video recording.
Samsung Knox 1.0 or higher
Allow USB access
Allows using USB devices, such as printers and scanners, via OTG in the Knox Workspace.
  • Disallow is the default value.
Note
  • This policy is only allowed for non-storage USB devices in USB accessory mode.
  • Devices from Verizon, the United States telecommunications provider, are not supported.
Samsung Knox 2.5 or higher
> Allow access of USB devices
Set USB products to use in a specific application.
  1. Enter the Package Name.
  2. Select the Vendor ID.
  3. Enter the Product ID.
  • Only 4-digit, hexadecimal characters can be entered.
  • Multiple inputs should be separated by commas.
  • Only the product ID for the selected vendor can be entered.
  4. Click to add, or click to delete.
Samsung Knox 2.1 or higher
Bluetooth Low Energy
Allows use of the Bluetooth Low Energy feature in the Knox Workspace. To use this policy, set the Bluetooth connections in the general area to Allow.
Samsung Knox 2.4 or higher
Phone Book Access Profile (PBAP) via Bluetooth
Allows use of the Phone Book Access Profile (PBAP). Contacts on the Knox Workspace are sent to the connected device if this policy is allowed.
Samsung Knox 2.7 or higher
NFC control
Allows control of the NFC (Near Field Communication).
Samsung Knox 2.4 or higher

Security

Policy
Description
Supported devices
Knox Container Password
Use a password to lock Knox Workspace.
Use of the camera is prohibited when the device is screen locked.
Note
  • For devices with a One Lock password, the password policy that is stronger between Android Legacy and the Knox Workspace area will be applied.
  • When a user has forgotten their Knox Workspace password, the administrator needs to send the Reset screen password device command, and then the user needs to enter a temporary password. For more information, see the Knox password in View the device details.
  • If the Prohibited words policy has been set, then the password cannot be reset with a temporary password containing the specified prohibited words. If this happens, you will need to disable the Prohibited words policy, save the relevant profile again, and then apply it.
> Enterprise identity Authentication
Controls Knox Workspace unlock with an enterprise ID.
  • Use: Allows the choice to use an enterprise ID to log in.
  • Forced use: Forces the use of an enterprise ID to log in.
Samsung Knox 2.4 or higher
>> Domain Address
Enter the domain address of the enterprise identity server. The http(s) prefix can be omitted.
Samsung Knox 2.4 or higher
>> Setup file
Select a file to install inside the Knox Workspace for enterprise ID authentication.
Note
You can select an application such as Samsung SSO Authenticator (com.sec.android.service.singlesignon), from the application list. Applications must be pre-enrolled either on Application > Internal application or Application > Public application.
Samsung Knox 2.4 or higher
>> Enable FIDO
Use FIDO (Fast ID Online) authentication in a Knox Workspace when using an enterprise ID.
Samsung Knox 2.7 or higher
>>> Request URL
Set the URL to request for FIDO authentication.
Samsung Knox 2.7 or higher
>>> Response URL
Set the URL to respond to FIDO authentication.
Samsung Knox 2.7 or higher
>>> FIDO App Installed List
Manage the applications to use for FIDO authentication.
Note
The essential applications required for FIDO authentication are automatically added to the list. You can add an additional application if needed.
Samsung Knox 2.7 or higher
> Minimum strength
Set the minimum password strength on the screen.
  • Pattern: Set the password using a pattern or any other password with a higher degree of complexity, such as Numeric, Alphanumeric, or Complex options.
  • Numeric: The password must consist of a 4 digit number or be more complex. The screen can be locked using the Numeric, Alphanumeric, and Complex types of passwords.
  • Alphanumeric: Both letters and numbers must be included. The screen can be locked using the Alphanumeric and Complex types of passwords.
  • Complex: Set so that the passwords must include alphanumeric and special characters.
Samsung Knox 2.0 or higher
>> Maximum Failed Login Attempts
Set the maximum number of incorrect password attempts before access is restricted.
The value can be between 0 - 10 times.
Samsung Knox 2.0 or higher
>>> Action for failing allowed count to retry password
Select the action to be taken when the maximum number of failed attempts is reached.
A Workspace control command must be sent to unlock the Knox Workspace.
  • Lock Knox Workspace: When the set number of password attempts has been reached, the Knox Workspace is locked.
  • Wipe Knox Workspace: When the set number of password attempts has been reached, the Knox Workspace is deleted.
Samsung Knox 1.0 or higher
>> Expiration after (days)
Set the maximum number of days before the password must be reset.
The value can be between 0 - 365 days.
Samsung Knox 2.0 or higher
>> Manage password history (times)
Set the minimum number of new passwords that must be used before a user can reuse the previous password.
The value can be between 0 - 10 times.
Samsung Knox 2.0 or higher
>> Minimum length
Set the minimum length of the password.
If the Minimum strength is set to Pattern, at least more than one stroke is required.
In the case of Complex, it must be equal to or greater than the sum of the Minimum number of letters and Minimum number of non-letters.
The value can be between 4 - 16 characters for Numeric or Alphanumeric.
The value can be between 6 - 16 characters for Complex.
Note
The minimum length of the pattern password refers to the number of lines connecting each dot. For example, if the policy value is 4, at least four lines connecting five dots must be entered.
Samsung Knox 2.0 or higher
>> Minimum number of letters
Set the minimum password length.
If the Minimum strength is set to Must be alphanumeric, the number 1 must be entered.
In the case of Must include special characters, the default value is the number 3. If you want to enter another number, the number must be equal to or greater than the sum of the Minimum number of lowercase letters and the Minimum number of capital letters.
The value can be between 1 – 10 characters.
The default value is 1 character for Alphanumeric.
The default value is 3 characters for Complex.
Samsung Knox 2.0 or higher
>> Minimum number of lowercase letters
Set the minimum number of lowercase letters required in the password.
The value can be between 1 - 10 characters.
Samsung Knox 2.0 or higher
>> Minimum number of capital letters
Set the minimum number of uppercase letters required in the password.
The value can be between 1 - 10 characters.
Samsung Knox 2.0 or higher
>> Minimum number of non-letters
Set the minimum number of numbers and special characters required in the password.
If Minimum strength is set to Must include special characters, the default value is the number 2. If you want to enter another number, the number must be equal to or greater than the sum of the Minimum number of numeric characters and the Minimum number of special characters.
The value can be between 1 - 10 characters.
The default value is 2 characters for Must include special characters.
Samsung Knox 2.0 or higher
>> Minimum number of numeric characters
Set the minimum number of numeric characters required in the password.
The value can be between 1 - 10 characters.
The default value is 2 characters for Must include special characters.
Samsung Knox 2.0 or higher
>> Minimum number of special characters
Set the minimum number of special characters required in the password.
The value can be between 1 - 10 characters.
The default value is 1 character for Must include special characters.
Samsung Knox 2.0 or higher
>> Maximum length of repeated characters
Set the maximum number of repeated characters allowed in a password.
The value can be between 1 - 10 characters.
Samsung Knox 1.0 or higher
>> Maximum length of sequential numbers
Set the maximum number of consecutive numeric characters allowed in a password.
The value can be between 1 - 10 words.
Samsung Knox 1.0 or higher
>> Maximum length of sequential characters
Set the maximum number of consecutive letters allowed in a password.
The value can be between 1 - 10 words.
Samsung Knox 1.0 or higher
>> Minimum length of character change
Set the minimum length of letters that users must change from the previous password. If the Minimum strength is set to Number, Must be alphanumeric, or Must include special characters, it must be less than the Minimum length.
The value can be between 1 - 10 words.
Samsung Knox 1.0 or higher
>> Prohibited words
Allows the use of prohibited words in a password.
>>> Set prohibited words
Set prohibited words in a password.
  • To add a word, enter the word in the field and click the add icon.
  • To delete a word, click next to the added word.
Samsung Knox 1.0 or higher
Maximum screen timeout
Set the maximum idle time allowed before the screen times out.
Samsung Knox 2.0 or higher
Password visibility settings
Shows the password when entering it.
Samsung Knox 1.0 or higher
Pattern lock visibility settings
Shows the password when entering it.
Samsung Knox 1.0 or higher
Smartcard Browser Authentication
Allows Smartcard Browser Authentication within the internet browser.
When the policy is allowed, the Bluetooth security mode is applied while the device is connected to the smart card reader and will not accept other Bluetooth connections.
Note
  • To use this policy, Bluetooth smart card-related applications must be installed on the device and the smartcard must be registered in the Settings menu of the device.
  • Android 10 (Q) or higher devices are not supported.
Samsung Knox 1.0 or higher
Unlock with fingerprint
Allows the use of the fingerprint unlock control.
Samsung Knox 2.1 or higher
Unlock with iris
Allows the use of the iris unlock control.
Samsung Knox 2.2 or higher
Enforce Multi factor Authentication
Allows the use of two-step authentication.
  • Use: Forces the screen lock to release via fingerprint or iris recognition.
  • Do not use: Disables the two-step authentication settings via your fingerprint or iris recognition.
Note
When the Knox Workspace is created, it is set to select only two-factor authentication at the password setup stage. Even when the manager chooses to disable ‘Unlock with fingerprint’ or ‘Unlock with iris’, you can still use your fingerprint or iris for two-step verification.
Samsung Knox 2.0 or higher
Block function setting on lock screen
Blocks the function set in the lock screen.
> Block functions on lock screen
Set the lock screen function options.
  • Trust Agent: Set whether to use the Knox Quick Access on the lock screen.
Samsung Knox 2.4 - 2.9
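
The Knox Container Password sub-policies above constrain one another (value ranges, and sums that the parent minimum must cover), so a profile can be checked for consistency before it is saved. The following is an added example, not Knox Manage code; the field names are hypothetical, and an unset sub-minimum is assumed to count as 0.

```python
# Added example; field names are hypothetical, not Knox Manage identifiers.
# Ranges and cross-field rules are the ones stated in the Security table.
RANGES = {
    "max_failed_attempts": (0, 10),
    "expiration_days": (0, 365),
    "history": (0, 10),
    "min_letters": (1, 10),
    "min_lowercase": (1, 10),
    "min_capital": (1, 10),
    "min_non_letters": (1, 10),
    "min_numeric": (1, 10),
    "min_special": (1, 10),
    "max_repeated": (1, 10),
    "max_sequential_numbers": (1, 10),
    "max_sequential_chars": (1, 10),
    "min_char_change": (1, 10),
}
# Minimum length range depends on the selected Minimum strength.
MIN_LENGTH_RANGE = {"Numeric": (4, 16), "Alphanumeric": (4, 16), "Complex": (6, 16)}
STRENGTHS = ("Pattern", "Numeric", "Alphanumeric", "Complex")


def _value(policy, key, default):
    """Return policy[key], or default when the key is missing or None."""
    value = policy.get(key)
    return default if value is None else value


def validate_password_policy(policy):
    """Return a list of violations; an empty list means the values are consistent."""
    strength = policy.get("min_strength")
    if strength not in STRENGTHS:
        return [f"min_strength must be one of {', '.join(STRENGTHS)}"]

    errors = []
    # 1. Per-field value ranges.
    for field, (low, high) in RANGES.items():
        value = policy.get(field)
        if value is not None and not low <= value <= high:
            errors.append(f"{field}={value} is outside {low}-{high}")

    min_length = policy.get("min_length")
    if min_length is not None and strength in MIN_LENGTH_RANGE:
        low, high = MIN_LENGTH_RANGE[strength]
        if not low <= min_length <= high:
            errors.append(f"min_length={min_length} is outside {low}-{high} for {strength}")

    # 2. Sums that the parent minimum must cover (Complex only).
    if strength == "Complex":
        letters = _value(policy, "min_letters", 3)          # page default for Complex
        non_letters = _value(policy, "min_non_letters", 2)  # page default for Complex
        lower = _value(policy, "min_lowercase", 0)          # assumption: unset counts as 0
        upper = _value(policy, "min_capital", 0)
        numeric = _value(policy, "min_numeric", 0)
        special = _value(policy, "min_special", 0)
        if min_length is not None and min_length < letters + non_letters:
            errors.append(f"min_length={min_length} < letters+non_letters={letters + non_letters}")
        if letters < lower + upper:
            errors.append(f"min_letters={letters} < lowercase+capital={lower + upper}")
        if non_letters < numeric + special:
            errors.append(f"min_non_letters={non_letters} < numeric+special={numeric + special}")

    # 3. Character change must be less than the minimum length (not for Pattern).
    change = policy.get("min_char_change")
    if strength != "Pattern" and change is not None and min_length is not None:
        if change >= min_length:
            errors.append(f"min_char_change={change} must be less than min_length={min_length}")
    return errors


# Constructed sample profiles.
INCONSISTENT = {
    "min_strength": "Complex", "min_length": 6, "expiration_days": 400,
    "min_letters": 4, "min_lowercase": 3, "min_capital": 2,
    "min_non_letters": 3, "min_numeric": 1, "min_special": 1,
    "min_char_change": 6,
}
CONSISTENT = dict(INCONSISTENT, min_length=8, min_letters=5,
                  min_char_change=3, expiration_days=90)

if __name__ == "__main__":
    for name, profile in (("inconsistent", INCONSISTENT), ("consistent", CONSISTENT)):
        print(name, validate_password_policy(profile))
```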

Application

Policy
Description
Supported devices
Installation of application from untrusted sources
Allows the installation of applications from untrusted sources instead of just the Google Play Store.
Android 8.0 or higher
App Installation Black/Whitelist Setting
Set to control the application installation policies on the Knox Workspace.
> Application installation blacklist
Add applications to prohibit their installation on the Knox Workspace.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To add all applications, click Add all.
  • To delete an application, click next to the added application.
Note
  • If a control application registered with a wildcard (*) in the package name is added to this policy, the specific package will not be installed.
e.g.) com.*.emm / com.sds.* / com.*.emm.*
  • Previously installed blacklisted applications will also be removed.
  • An application that has been added on the Application installation whitelist policy cannot be added.
Samsung Knox 1.0 or higher
> Application installation whitelist
Add applications to allow their installation on the Knox Workspace.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To add all applications, click Add all.
  • To delete an application, click next to the added application.
Note
  • If a control application registered with a wildcard (*) in the package name is added to this policy, the specific package will not be installed.
e.g.) com.*.emm / com.sds.* / com.*.emm.*
  • Any applications not on the whitelist are deleted, even if they are not on the blacklist.
  • An application that has been added to the Application installation blacklist policy cannot be added.
Samsung Knox 2.0 or higher
App Execution Blacklist Setting
Set to control the execution blacklist on the Knox Workspace.
> Application execution blacklist
Add applications to prevent their execution in Knox Workspace. The icon of a blacklisted application disappears and users cannot run the application.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
An application that has been added to the Application installation whitelist policy cannot be added.
Samsung Knox 1.0 or higher
Application execution prevention list setting
Allows application installation but prevents application execution.
> Application execution prevention list
Add applications to be displayed but not executable on the Knox Workspace. Listed applications can be installed and the icons will be displayed, but they will not be executable.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 2.0 or higher
Application uninstallation prevention list Setting
Set to control the application uninstallation policies.
> Application uninstallation prevention list
Add applications to prevent their uninstallation on Knox Workspace.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 1.0 or higher
App installation authority whitelisting settings
Set the applications with installation permissions on Knox Workspace.
> Application installation whitelist
Add applications to allow installation on the Knox Workspace. Selected applications will be added to the View list with the package name of the applications.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 1.0 or higher
GMS application
Allows Google Mobile Service (GMS) application installation. If the GMS application policy is disallowed, the basic applications provided by Google do not appear.
Samsung Knox 2.0 or higher
TIMA CCM profile whitelist
Allows the use of the TIMA Client Certificate Manager (CCM) profile on Knox Workspace.
  • Entire application: Applications in the Knox Workspace can access TIMA CCM.
  • Whitelist Application: Only the added applications on the whitelist can access TIMA CCM.
> TIMA CCM profile application whitelist
Add applications to access the TIMA CCM on the Knox Workspace.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 2.1 or higher
TIMA CCM profile app access restriction exception list settings
Allows only the set applications to access the TIMA CCM profile even when the Knox Workspace is locked.
> TIMA CCM profile app access restriction exception list
Add applications to access the TIMA CCM profile even when the Knox Workspace is locked.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
  • If Whitelist Application is selected in the TIMA CCM profile whitelist policy, only the whitelisted applications can access TIMA CCM.
  • If Entire application is selected in the TIMA CCM profile whitelist policy, the access restrictions of the applied applications are excluded.
Samsung Knox 2.1 or higher
Settings for whitelisting apps allowing external SD card
Allows the use of an external SD card in Knox Workspace. The external SD card cannot be used by default in the Knox Workspace.
> Whitelisted apps for external SD card
Add applications that can use an external SD card.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 2.2 or higher
Battery optimization exceptions
Set to exempt applications from the battery optimization function. This policy may cause battery loss.
> Apps excluded from battery optimization
Add applications to exempt from the battery optimization function on Knox Workspace.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 2.7 or higher
Set General area app installation
Allows the applications installed in the general area to be installed in the Knox Workspace area.
> General area app installation list
Add the applications in the general area to be installed in the Knox Workspace area.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Note
A list of Android platform applications is displayed in Profile > Manage Control App.
Samsung Knox 2.1 or higher
App Data deletion control setting
Allows control of the deletion of the internal application data inside Knox Workspace.
> App Data deletion prevention list
Add applications to protect the internal application data from being deleted. The internal data delete button is disabled to block users from arbitrarily deleting application data.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To add all applications, click Add all.
  • To delete an application, click next to the added application.
Note
Add the registered application to the App Data deletion protection list policy with a wildcard character in the package name. Then the application data for the specific registered package cannot be deleted.
e.g.) com.*.Knox Manage / com.sds.* / com.*.Knox Manage.*
Samsung Knox 1.0 or higher
> App Data deletion protection exception list
Add applications to delete the internal application data.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To add all applications, click Add all.
  • To delete an application, click next to the added application.
Samsung Knox 1.0 or higher
Application force stop prohibition list setting
Set to prohibit applications from being force stopped.
> Force stop blacklist
Add applications that must not be force stopped.
  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.
Samsung Knox 1.0 or higher
Show ProgressBar when installing apps
Set to display the ProgressBar, which displays the progress of the application downloads made in Knox Manage.
Samsung Knox 1.0 or higher
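
The installation blacklist and whitelist notes above mean that applying a profile can remove apps already in the Knox Workspace, and that an app cannot sit on both lists. The following added example (not Knox Manage code) previews that effect for a set of installed packages; it assumes `*` in a blacklist entry matches any run of characters, that whitelist entries are exact package names, and that an empty whitelist means no whitelist is in force. All package names except the page's `com.*.emm` pattern are constructed.

```python
import re


def pattern_to_regex(pattern):
    # Assumption: '*' matches any run of characters (dots included);
    # every other character is matched literally.
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def matches_any(package, patterns):
    """True if the package name fully matches at least one pattern."""
    return any(pattern_to_regex(p).fullmatch(package) for p in patterns)


def preview_install_lists(installed, blacklist, whitelist):
    """Preview the effect of the installation blacklist/whitelist.

    Returns a dict with:
      conflicts: whitelist entries that a blacklist pattern also covers
      removed:   installed package -> reason it would be removed
    """
    conflicts = sorted(w for w in whitelist if matches_any(w, blacklist))
    removed = {}
    for package in installed:
        if matches_any(package, blacklist):
            # "Previously installed blacklisted applications will also be removed."
            removed[package] = "blacklisted"
        elif whitelist and package not in whitelist:
            # "Any applications not on the whitelist are deleted,
            #  even if they are not on the blacklist."
            removed[package] = "not on whitelist"
    return {"conflicts": conflicts, "removed": removed}


# Constructed sample data.
INSTALLED = [
    "com.sds.emm",
    "com.sds.mail",
    "com.example.emm",
    "com.example.notes",
    "org.example.chat",
]
BLACKLIST = ["com.*.emm", "org.example.chat"]
WHITELIST = ["com.sds.mail", "com.sds.emm"]

if __name__ == "__main__":
    result = preview_install_lists(INSTALLED, BLACKLIST, WHITELIST)
    print("conflicting entries:", result["conflicts"])
    for package, reason in result["removed"].items():
        print(f"would remove {package}: {reason}")
```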

Browser

Browsers must be closed and opened again to apply the changes.

Policy
Description
Supported devices
Android browser
Allows using the Android browser in the Knox Workspace.
Samsung Knox 1.0 or higher
> Cookies
Allows cookies in the Android browser of the Knox Workspace.
Samsung Knox 1.0 or higher
> JavaScript
Allows JavaScript in the Android browser of the Knox Workspace.
Samsung Knox 1.0 or higher
> Autofill
Allows auto-completion of information that you enter on websites in the Android browser of the Knox Workspace.
Samsung Knox 1.0 or higher
> Pop-up block
Allows blocking pop-ups in the Android browser of the Knox Workspace.
Samsung Knox 1.0 or higher
Browser proxy URL
Set the proxy server address for the Android browser in the Knox Workspace.
Enter the value in the form of IP:port or domain:port in the fields.
Note
  • The Chrome browser and Samsung S browser are supported.
  • The supported version for Chrome is Knox 1.0.1 - 2.6.
Samsung Knox 1.0 or higher

Firewall

The firewall supports IPv6 for SDK 2.6 or above. Even if the IPv4 and the IPv6 indicate the same address, a separate configuration is required.

Policy
Description
Supported devices
Firewall
Set to use the firewall to set target IP addresses. The firewall policy is enabled by default.
Samsung Knox 1.0 - 2.4.1
> Firewall type
Select and configure the firewall type to use in Knox Workspace.
  • All Packages: Input values for Permission policy and Prohibition policy.
Note
Android 10 (Q) or higher devices are not supported.
  • By Application: Input values for Permission policy (IP), Prohibition policy (IP), Permitted policy (Domain), Prohibited policy (Domain), and DNS setting.
>> Permission policy
Input values to permit access through the firewall.
  1. Enter a Host Pattern and Port.
  2. Select a Network Type:
  • All
  • Data: Only mobile network access is enabled.
  • Wi-Fi: Only Wi-Fi network access is enabled.
  3. Select Port Range:
  • All
  • Local: Port access from the device is enabled.
  • Remote: Port access from the target server is enabled.
  4. Click to add.
Note
Before setting this policy, disable all IPs and ports by entering a wildcard character (*) in the Prohibited policy (IP) ranges.
Samsung Knox 1.0 - 2.4.1
>> Prohibition policy
Input values to prohibit access through the firewall.
  1. Enter a Host Pattern and Port.
  2. Select Network Type:
  • All
  • Data: Only mobile network access is disabled.
  • Wi-Fi: Only Wi-Fi network access is disabled.
  3. Select Port Range:
  • All
  • Local: Port access from the device is disabled.
  • Remote: Port access from the target server is disabled.
  4. Click to add.
Samsung Knox 1.0 - 2.4.1
>> Permitted policy (IP)
Input values to permit the target IP and port address. Configure the following:
  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
  3. Select the Network Type:
  • All
  • Data: Only mobile network access is enabled.
  • Wi-Fi: Only Wi-Fi network access is enabled.
  4. Select Port Range:
  • All
  • Local: Port access from the device is enabled.
  • Remote: Port access from the target server is enabled.
  5. Click to add.
Note
Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited policy (IP) ranges.
Samsung Knox 2.5 or higher
>> Prohibited policy (IP)
Input values to prohibit the target IP and port address. Configure the following:
  1. Enter or click Add to search the Package Name of the application.
  2. Enter the IP Address (range) and Port (range).
  • Enter a wildcard character (*) as an IP Address to prohibit the use of the bandwidth.
  3. Select Network Type:
  • All
  • Data: Mobile network access is disabled.
  • Wi-Fi: Wi-Fi network access is disabled.
  4. Select Port Range:
  • All
  • Local: Port access from the device is disabled.
  • Remote: Port access from the target server is disabled.
  5. Click to add.
Note
When entering the IP address, you can use a wildcard character (*) to disable the bandwidth usage.
Samsung Knox 2.5 or higher
>> Permitted policy (Domain)
Input values to permit the target domain address.
  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
Note
  • Before setting this policy, disable all domains by entering a wildcard character (*) to the Prohibited policy (Domain) ranges.
  • Use a wildcard character (*) to allow the use of a specific domain. The character must be placed before or after the domain name.
e.g.) *android.com / www.samsung*
Samsung Knox 2.6 or higher
>> Prohibited policy (Domain)
Input values to prohibit the target domain address.
  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
Note
Use a wildcard character (*) to disable a specific domain.
Samsung Knox 2.6 or higher
>> DNS setting
Input values to specify the domain server address of all applications or registered applications.
  1. Enter or click Add to search the Package Name of the application.
  2. Input DNS values.
  • DNS1: Primary DNS.
  • DNS2: Secondary DNS.
Note
Only one DNS per application can be set and it is effective only when there are no VPN or Proxy policies assigned to the application.
Samsung Knox 2.7 or higher

Container Data

Policy
Description
Supported devices
Moving an application to container
Allows moving applications from the general area to the Knox Workspace.
Note
Android 10 (Q) or higher devices are not supported.
Samsung Knox 2.0 or higher
Moving a file to Knox area
Allows moving files from the general area to the Knox Workspace.
Samsung Knox 2.0 or higher
Moving a file to General area
Allows moving files from the Knox Workspace to the general area.
Samsung Knox 2.0 or higher
Calendar sync setting
Allows syncing calendar data between the general area and the Knox Workspace.
Android 8.0 or lower
> Calendar data sync
Set how the calendar data is synced between the general area and the Knox Workspace:
  • Allow Import: Allows importing the calendar data of the general area to the Knox Workspace.
  • Allow Export: Allows exporting the calendar data of the Knox Workspace to the general area.
Samsung Knox 2.0 or higher
Contacts sync setting
Allows syncing contact data between the general area and the Knox Workspace.
> Contacts data sync
Sets Data Loss Protection (DLP):
  • Allow Import: Allows importing the calendar data of the general area to the Knox Workspace.
  • Allow Export: Allows exporting the calendar data of the Knox Workspace to the general area.
Samsung Knox 2.0 or higher
Copy and Paste Clipboard per Profile
Allows copying and pasting with the clipboard between the personal and work areas.

Exchange ActiveSync

You can add more Exchange ActiveSync policy sets by clicking the add icon.

Policy
Description
Configuration ID
Assign a unique ID for each Exchange setting.
Description
Enter a description for each Exchange setting.
Remove available
Allows users to delete the Exchange settings in Knox Workspace.
Office 365
Allows configuring the Exchange settings.
Note
This policy will automatically fill out the Exchange server address and the SSL option as ‘Use’.
User information input method
Select an input method for entering user information.
> Manual Input
Select to manually enter the email address, account ID, and password of a user.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
> Connector interworking
Select to choose a connector from the User Information Connector list.
Note
All the connectors are listed in Advanced > System Integration > Directory Connector.
> User Information
Select to access the exchange server using the registered Knox Manage email and ID. The password must be entered from the user’s device.
Domain
Enter a domain address for the Exchange server.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
Exchange server address
Enter the Exchange server information such as IP address, host name or URL.
Sync measure for the early data
Select the interval period to sync the past emails. The sync interval and synchronization are in accordance with the email application settings.
Email sync Interval
Select the interval period to sync the past emails.
Note
The sync interval and synchronization are in accordance with the email application settings.
User certificate input method
Select an input method for entering certificate information.
> EMM Management Certificate
Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.
Note
Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Certificate: Select a certificate to use from the User Certificate list.
> Connector interworking
Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Add sync services.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • User certificate Connector: Select a connector to use from the User certificate Connector list.
> Issuing External CA
Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
  • Issuing external CA: Select an external CA to use from the Issuing external CA list.
Sync calendar
Syncs schedules on a calendar from a server to a device.
Sync contacts
Syncs contact information in a phone book from a server to a device.
Sync task
Syncs task items from a server to a device.
Sync notes
Syncs notes from a server to a device.
SSL
Set to use SSL for email encryption.
Note
If the Office 365 setting is used, the SSL option is automatically set to ‘Use’.
Signature
Enter the email signature to use.
Notification
Notifies the user of new emails.
Always vibrate on notification
Notifies the user of new emails with a vibration.
Silent notification
Mutes email notifications.
Note
Always vibrate on notification and Silent notification cannot be used at the same time.
Attachments capacity (byte)
Enter the email attachment file size limit in bytes.
The input value ranges from 1 to 52428800 (50 MB).
Maximum Size of Email Body (Kbyte)
Select a maximum value for the email body size. This is only set once during the initial Exchange ActiveSync setup.
> Default Size of Email Body (Kbyte)
Select the default value of the email body size.
Note
Select this setting after the Maximum Size of Email Body (Kbyte) setting.

Email Account

You can add more email account policy sets by clicking .

Policy
Description
Configuration ID
Assign a unique ID for each email account setting.
Description
Enter a description for each email account setting.
Remove available
Allows users to delete the email account settings in Knox Workspace.
Default Account
Specifies the usage of the default account.
User Information input method
Select an input method for entering user information.
> Manual Input
Select this to enter the email address manually. You can also enter the incoming server ID, incoming server password, outgoing server ID, and outgoing server password for the email connection.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
> Connector interworking
Select a connector from the user information connector.
Note
The connectors are listed in Advanced > System Integration > Directory Connector.
> User Information
Select to access the relevant mail server using the registered Knox Manage email, ID, and password. The password must be entered from the user’s device.
Incoming Server Protocol
Select between the POP3 (pop3) and IMAP (imap) protocol.
Outgoing Server Protocol
Entered automatically as SMTP.
Incoming Server Address/port
Enter the incoming server address and port in the provided format.
Outgoing Server Address/port
Enter the outgoing server address in the provided format.
Incoming Server ID
Enter an incoming server ID to log in to the incoming mail server manually. This field is only available when Manual Input is selected.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
Outgoing Server ID
Enter an outgoing server ID to log in to the outgoing mail server manually. This field is only available when Manual Input is selected.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
Incoming Server Password
Enter an incoming server password to log in to the incoming mail server manually. This field is only available when Manual Input is selected.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
Outgoing Server Password
Enter an outgoing server password to log in to the outgoing mail server manually. This field is only available when Manual Input is selected.
You can also click Lookup to open the reference items list and select an item from it. The reference value will be entered automatically.
Incoming SSL
Select this to use SSL encryption.
Outgoing SSL
Select this to use SSL encryption.
Notification
Select an email notification method.
  • Enable Notification: Activates email notification.
  • Enable ‘Always notify by vibrate mode’: Notifies the user of new emails with a vibration.
  • Disable Notification: Deactivates email notification.
All incoming certificates
Allows receiving certificates.
All outgoing certificates
Allows sending certificates.
Signature
Enter an email signature to use.
Account Name
Assign an account name.
Sender Name
Assign a sender name.

Bookmark

You can add, modify, or delete the bookmarks in the Samsung S browser, the default browser on Samsung Galaxy devices. You can add more bookmark policy sets by clicking .
Note
  • Browsers must be closed and opened again to apply the changes.
  • Even if a user modifies a registered bookmark or registers a bookmark with the same URL and name, it will not be deleted when the bookmark setting is deleted.
  • Even if a user manually deletes the set bookmark, due to the limitations of Samsung devices, the application may still appear to be installed. In this case, you have to delete the bookmark in the profile, and then recreate the bookmark.
Policy
Description
Name
Assign a unique ID for each bookmark setting.
Description
Enter a description for each bookmark setting.
Bookmark page URL
Enter a website address to go to when a bookmark is selected.
Bookmark name
Enter a bookmark name to be displayed as the title in a bookmark.

Knox VPN

Knox VPN settings are provided to help you set up a VPN on a Knox Workspace more easily. You can add more Knox VPN policy sets by clicking .
Note
Only one Knox VPN can be set on a device, regardless of whether it is in the Knox Workspace area or the General area.
Policy
Description
Configuration ID
Assign a unique ID for the Knox VPN setting.
VPN name
Enter a VPN name to display on the user device.
Description
Enter a description for the Knox VPN setting.
Remove available
Allows users to delete the Knox VPN setting.
VPN vendor name
Select a VPN vendor among F5, Juniper, Cisco, and User defined. Input fields vary depending on the selected VPN vendor name.
Note
Select User defined to set up a different vendor’s VPN service, such as Sectra mobile VPN. For more information, see Entering a VPN vendor manually.
VPN client vendor package name
Entered automatically according to the selected VPN vendor name. If User defined is selected, you must enter this value manually.
VPN type
Entered automatically when you select F5 or Juniper. If another vendor is selected, you must select this value manually.
Entering methods for Knox VPN
Select an entering method for Knox VPN information.
Note
Input fields vary depending on the selected VPN vendor and the entering method.
Upload Knox VPN profile
Allows uploading a Knox VPN profile when Entering methods for Knox VPN is set to Upload profile.
You can upload a text file in the JSON format. JSON varies depending on the VPN vendor and VPN type.
For more information about sample files, see the sample file of a Sectra Mobile VPN configuration in Configuring a Knox VPN profile manually and see the sample file of Cisco VPN configuration in Sample file for uploading a Knox VPN profile.
User certificate input method
Select an input method for entering certificate information.
  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate.
Note
All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Add sync services.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
Authentication Method
Select an authentication method.
  • Not Applicable: Disables authentication.
  • Certificate-based Authentication: Uses certificates for authentication in the Knox VPN setting.
  • CAC-based Authentication: Uses two-factor authentication provided by CAC (Common Access Card).
CA Certificate
Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Knox VPN and the Type set as Root will appear on the list.
Server certificate
Select a certificate to use from the certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as Knox VPN and the Type set as User will appear on the list.
FIPS mode
Allows the use of FIPS mode.
FIPS (US Federal Information Processing Standards) mode encrypts all data between the server and client with FIPS 140-2 authentication modules.
Auto Re-connection
Allows connecting automatically when an error occurs.
VPN route type by application
Select to use a VPN for selected applications or for all applications in the General area.
  • By Application: Click Add next to The VPN applied package name per app and select applications, and then click Save.
  • All Packages: All applications in the General area are subject to a VPN.

Configuring a Knox VPN profile manually

You can manually enter a profile when Manual Input is selected in the Entering methods for Knox VPN field. Set the options as below:

  1. Enter the IP address, host name, or URL of the VPN server in the Server address field.

    The VPN route type, which enables the use of VPN tunneling, is automatically entered.

  2. Select to use user authentication.

  3. Enter the user information for authentication depending on the selected method of entering user information:

    If the VPN vendor is set to F5 or Juniper, configure the following:

    Method
    Description
    Manual Input
    Enter the user ID and Password for the VPN connection.
    You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.
    Connector interworking
    Choose a connector from the User information Connector.
    All the connectors are listed in Advanced > System Integration > Directory Connector.
    User Information
    Use the user information registered in Knox Manage to access a VPN.
  4. Select a VPN type and enter the parameters. Required parameters vary depending on the selected VPN type.

    If the VPN type is set to SSL, enter the SSL algorithm that the server requires in the SSL algorithm section.

  5. Select a VPN connection type.

    • KEEP ON: Keep the VPN connection.

    • On Demand: Connect to the VPN upon request.

  6. Select the chaining type.

  7. Select to use the UID PID.

  8. Select to use the Logon mode.

    Logon mode is used when the VPN vendor name is set to F5.

Certificate

You can add more certificate policy sets by clicking .

Policy
Description
Configuration ID
Assign a unique ID for each certificate setting.
Description
Enter a description for each certificate setting.
User certificate input method
Select an input method for entering certificate information.
  • EMM Management Certificate: Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate.
Note
All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking: Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Add sync services.
When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • Issuing external CA: Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
Certificate category
Select a certificate category when EMM Management Certificate is selected in User certificate input method.
  • CA certificate: Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root will appear on the list.
  • User certificate: Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User will appear on the list.