Android policies

Allows the device user and apps to operate the camera.

Values

• Allow (default)
• Don't allow

Allows the device user and apps to take screenshots.

Values

• Allow (default)
• Don't allow

Allows the device user to factory reset the device.

Values

• Allow (default)
• Don't allow

Allows the device user to toggle developer mode.

Values

• Allow (default)
• Don't allow

Android 8 and higher

Allows using a mock location for development or test purposes. Applies to Samsung devices only.

Android 8 and higher

Knox 2.0 and higher

Allows limiting background processes on the device.

Allows closing all apps when the device user signs out of the device

Allows use of the Safe Mode on the device.

Android 8 and higher

Determines the schedule for firmware updates on the device.

Values

• Automatically install updates when available (default). The device will perform firmware updates as soon as they become available.
• Postpone updates for 30 days after it becomes available. For each firmware update, the device will wait 30 days before applying it.

• Set a time period. The device will perform firmware updates during a specified period in the day. If set, you must also define the start and end of the period:

  • From. Specifies the start of the update period, in 24-hour time format.
  • To. Specifies the end of the update period, in 24-hour time format.

Additionally, you can schedule one or more freeze periods, which are stretches of time where the device won't apply any firmware updates, on top of whichever update setting you select. These periods will recur every year. You can configure as many freeze periods as you need.

• Start date. Specifies the month and day to begin the firmware freeze period.
• End date. Specifies the month and day to end the firmware freeze period.

Click ADD ANOTHER PERIOD to schedule an additional freeze period.

Specifies start time and end time to install updates.

Specifies dates on which to block installation of updates.

Allows backup of device data.

Values

• Allow (default)
• Don't allow

Android 8 and higher

Allows the device user to adjust the clock and current date.

Values

• Allow (default)
• Don't allow

Android 8 and higher

Allows the device user to set a certificate.

Values

• Allow (default)
• Don't allow

Android 8 and higher

Allows the device user to change the language.

Values

• Allow (default)
• Don't allow

Android 8 and higher

Allows the device user to change the screen brightness setting.

Values

• Allow (default)
• Don't allow

Android 8 and higher

Allows the always on display feature that displays information on the lock screen.

Values

• Allow (default)
• Don't allow

Android 8 and higher

Allows the device user to run the Easter egg game on a device.

Values

• Allow (default)
• Don't allow

Android 8 and higher

Allows both the device user and apps to change the wallpaper.

Values

• Allow
• Don't allow

Applies a custom wallpaper on the device.

Values

• Set for home and lock screen (default)
• Set for home screen only
• Set for Lock screen only

Specifies a custom wallpaper to apply to the home screen. Only available if the Set custom wallpaper policy is set for both the home and lock screens.

Values

1. To add custom images, click Browse. The image file can be in BMP, GIF, ICO, JPG, JPEG, or PNG format and can't exceed 10 MB in size.
2. Select Portrait or Landscape to specify the display orientation.

Specifies a custom wallpaper to apply to the home screen. Only available if the Set custom wallpaper policy is set for both the home and lock screens.

Values

1. To add custom images, click Browse. The image file can be in BMP, GIF, ICO, JPG, JPEG, or PNG format and can't exceed 10 MB in size.
2. Select Portrait or Landscape to specify the display orientation.

Specifies a custom wallpaper to apply to the home or lock screen. Only available if the Set custom wallpaper policy is set for home screen or lock screen.

Values

1. To add custom images, click Browse. The image file can be in BMP, GIF, ICO, JPG, JPEG, or PNG format and can't exceed 10 MB in size.
2. Select Portrait or Landscape to specify the display orientation.

Allows display of notification messages on the device.

Values

• Allow (default)
• Don't allow

Allows the display of notifications related to app crashes.

Values

• Allow
• Don't allow

Allows the display of notifications when an event occurs.

Values

• User defined (default)
• Show notification
• Hide notification

Allows the display of notifications when an event is disabled.

Values

• User defined (default)
• Show notification
• Hide notification

Set the removal of notifications from a device's Quick panel.

Values

• User defined (default). Device users can remove notifications using the settings menu of Knox Manage agent.
• Show notification. Device users can't remove notifications from the device's Quick Panel.
• Hide notification. Device users can remove notifications from the device's Quick Panel.

Allows display of custom messages on the device. A default message is displayed if you don't set a custom message.

Values

• Set custom short message. The short message shows in a dialog on the device.
• Set custom long message. The long message displays when device users view more details.

Allows the display of notification messages on locked screen of a device.

Values

• Write message. The maximum length is 65 characters.

Select a measure to take when a compromised OS is detected.

Values

• Lock device (default) --- Locks the device.
• Factory reset --- Resets the user device but not the SD card.
• Factory reset and initialize SD Card --- Factory resets the user device and the SD card.

Specifies the encryption of the device's internal storage or the external SD card.

Values

Select the storage to encrypt.

• System storage
• External SD card

Enforces the minimum complexity for the device's lock. There are three complexity levels, each pre-defined by the Android API. The device user must set a lock that meets or exceeds the minimum level.

You can enable this setting and the Set minimum strength at the same time. If you do so, this setting will apply to any assigned devices that are running Android 12 and higher, while Set minimum strength will apply to any devices running Android 8 to 11.

Only available if Screen lock policies is turned on.

Values

• Low. The lock must be a pattern or PIN. Repeating (4444) and ordered (1234, 4321, 2468) sequences are allowed.
• Medium. The lock must be A PIN without repeating (4444) or ordered (1234, 4321, 2468) sequences. Or, it must be a password with 4 or more characters.
• High. The lock must be a PIN with 8 or more characters, without repeating (4444) or ordered (1234, 4321, 2468) sequences. Or, it must be a password with 6 or more characters.

Enforces the minimum strength for the device's lock. Each strength level uses a lock type with minimum strength requirements. For PINs and passwords, you can further define the minimum length and complexity requirements across multiple parameters. The device user must set a lock that meets or exceeds the minimum strength.

The password strength increases in the following descending order of the available values, with Weak Biometric being the weakest, and Complex being the strongest.

You can enable this setting and the Set minimum complexity at the same time. If you do so, this setting will apply to any assigned devices that are running Android 8 to 11, while Set minimum complexity will apply to any devices running Android 12 and higher.

Only available if Screen lock policies is turned on.

Values

• Weak Biometric. A biometric recognition method.
• Pattern. A pattern.

• Numeric. A PIN.

• Numeric Complex. A pin with no repeating (4444) or ordered (1234, 4321, 2468) sequences.
• Alphabetic. A password with letter characters.
• Alphanumeric. A password with alphanumeric characters.
• Complex. A password with alphanumeric and special characters.

Depending on the value selected above, you must also set the parameters of the password strength:

• Minimum length (default is 4 for most strengths, and 6 for Complex). Specifies the minimum allowed length of the PIN. This value can be between 4 and 16 for most strengths, but is between 6 and 16 for Complex.

  Required if the password strength is set to Numeric, Numeric Complex, Alphabetic, Alphanumeric, or Complex.

• Minimum letters (default is 4). Specifies the minimum number of letters that the password must have.

  Required if the password strength is set to Complex.

• Minimum non-letters (default is 2). Specifies the minimum number of numbers and special characters that the password must have.

  Required if the password strength is set to Complex.

• Minimum lowercase letters (default is 3). Specifies the minimum number of lowercase letters that the password must have.

  Required if the password strength is set to Complex.

• Minimum capital letters (default is 1). Specifies the minimum number of capital letters that the password must have.

  Required if the password strength is set to Complex.

• Minimum special characters (default is 1). Specifies the minimum number of special characters that the password must have.

  Required if the password strength is set to Complex.

• Maximum sequential numbers (default is 10). Specifies the maximum length that any sequence of repeated numbers (such as 4444) can be in the PIN. Leave as 1 to disallow repeated sequences entirely.

  Required if the password strength is set to Numeric, Numeric Complex, Alphabetic, Alphanumeric, or Complex.

  Only takes effect on Samsung devices secured by Knox.

• Maximum sequential characters (default is 10). Specifies the maximum length that any sequence of repeated letters (such as aaaa) can be in the PIN. Leave as 1 to disallow repeated sequences entirely.

  Required if the password strength is set to Alphabetic, Alphanumeric, or Complex.

  Only takes effect on Samsung devices secured by Knox.

Specifies how long the lock will remain active before the device user must change it.

Only available if Set minimum complexity is turned on, or Set minimum strength is set to Pattern, Numeric, Numeric Complex, Alphabetic, Alphanumeric, or Complex.

Values

Enter the number of days, between 1 and 365. Default is 30.

You can also set:

• Notify users about expiring passwords (default off). Pushes a notification to the device that alerts the device user that the password will expire soon. Additionally, select how soon before expiration to send the notification:

  • 1 day before (default)
  • 3 day before
  • 5 day before
  • 7 day before

Specifies how many times how many times someone can fail to unlock the device in a row before the device takes action to protect itself.

Only available if Set minimum complexity is turned on, or Set minimum strength is set to Pattern, Numeric, Numeric Complex, Alphabetic, Alphanumeric, or Complex.

Values

Enter the number of failed unlock attempts are tolerated, between 1 and 10. Default is 1.

You can also set:

• Take action if attempts are exceeded (default off). Controls which action the device takes when the unlock attempt limit is reached. You can select from the following actions:

  • Lock device (default)
  • Factory reset + initialize SD card
  • Factory reset

If the lock complexity is low or its strength is weak, specifies how long after the device is unlocked that it relocks.

Values

Enter the number of hours, between 1 and 72. Default is 1.

Specifies the minimum number of new locks that must be registered before a user can reuse a previous lock.

Values

Enter the minimum number of locks, between 1 and 10. Default is 1.

Specifies what happens if the device user sets a lock that violates the minimum complexity or strength requirements.

Values

• Lock device
• Do nothing (default)

Choose which features to block when the screen is locked.

Values

• Trust agent
• Fingerprint (default)
• Iris (default)
• Face (default)
• Camera (default)
• Previews in pop-ups (default)
• Notification (default)

Specify whether to allow a device user to control the screen lock time setting.

Values

• Allow
• Don't allow

Specifies the longest duration that the device user can set for automatic screen timeout and lock.

Values

• 15 sec
• 30 sec
• 1 min
• 2 min
• 5 min
• 10 min (default)

Controls Wi-Fi availability.

Values

• Allow (default). The device user can turn Wi-Fi on and off.
• Force on
• Force off

Android 8 and higher

Controls the use of Wi-Fi Direct connection for Samsung devices.

Values

• Allow (default)
• Don't allow

Android 8 and higher

Knox 1.0 and higher

Controls Bluetooth availability.

Values

• Allow (default). The device user can turn Bluetooth on and off.
• Force off

Allows desktop's to connect with the user's device using Bluetooth.

Values

• Allow (default)
• Don't allow

Allows device search mode.

Values

• Allow (default)
• Don't allow

Allows device users to control Bluetooth settings on their device.

Values

• Allow (default)
• Don't allow

Allows the use of VPN on a device.

Values

• Allow (default)
• Don't allow

Allows the device user to transfer files between the device and other devices through USB. Charging through the USB connector isn't affected.

Values

• Allow (default)
• Don't allow

Allows transfer of data using NFC.

Values

• Allow (default)
• Don't allow

Allows the device user to mount storage media connected through the SD card slot.

Values

• Allow (default)
• Don't allow

Allows writing to an external SD card.

Values

• Allow (default)
• Don't allow

Determines the name of the policy.

Values

Enter a unique name for the policy. The name must:

• Be at least 3 characters long
• Contain only ASCII alphanumeric characters, and underscores (_)
• Not contain a space at the start or the end

Determines the name of the policy.

Values

Enter a name.

So that Knox Manage can correctly process and store the name, it must:

• Be between 3 and 50 characters long
• Contain only ASCII alphanumeric characters, and underscores (_)
• Not contain a space at the start or the end

Specifies a description for the policy that is displayed on the Knox Manage console.

Values

Enter a description up to 1,000 characters long.

The security protocol of the Wi-Fi network. This value must match the actual security protocol that the network uses.

Values

• None
• WPA/WPA2-PSK (default)

The password of the Wi-Fi network. This value must match the actual password that the network uses.

Only available if Security type is set to WPA/WPA2-PSK.

Values

Enter the password.

So that Knox Manage can correctly process and store the password, it must:

• Be between 8 and 30 characters long
• Contain at least one ASCII letter
• Not contain spaces

The Wi-Fi network's proxy. This value must match the actual proxy settings that the network uses.

Values

• None (default).

• Manual. The proxy settings are determined individually.

  • Proxy host name. The name of the proxy server.

    So that Knox Manage can correctly process and store the host name, it must:

    • Contain ASCII alphanumeric characters, colons (:), periods (.), dashes (-), underscores (_), and forward slashes (/).
  • Proxy port. The port of the proxy server. Must be a number between 1 and 5 digits long.

  • Proxy exception. A URL that isn't routed through the proxy.

    So that Knox Manage can correctly process and store the host name, it must:

    • Contain ASCII alphanumeric characters, colons (:), periods (.), dashes (-), and forward slashes (/).

    Click ADD ANOTHER EXCEPTION to create extra exceptions.

• Proxy automatic configuration. The proxy settings are loaded by an external file.

  • PAC Web address. The URL where the proxy auto-config (PAC) file is stored.

Assigns extra settings that control how the device interacts with the Wi-Fi network.

Values

• Automatically connect to Wi-Fi (default off). If in range of the network, the device will connect to it.
• Allow user to remove network from Knox Manage agent configuration (default on). Allows the user to remove the Wi-Fi policy from the Knox Manage agent. This setting has no effect on the network's entry Android Wi-Fi manager.
• Hide Wi-Fi (SSID) (default off). Hides the the network from the Android Wi-Fi manager. This setting has no effect on the Wi-Fi policy in the Knox Manage agent.

Controls the services that track the device's physical location.

Values

• Allow user to configure (default). Allows the device user to toggle location services.

• Allow user to configure and prompt for location accuracy. Turns on high-precision tracking for location services.

  When turned on, every app that requires location permissions asks the device user to choose a preferred precision.

• Force on. Requires Android 9 and higher.
• Force off

Specifies if collection of data requires user consent.

Values

• Automatic (default)
• Upon user consent

Specifies the time period after which location data must be collected.

Values

• 30 minutes (default)
• 1 hour
• 2 hour
• 4 hour
• 12 hour
• 24 hour

Allows the device user to install apps.

Values

• Allow (default)
• Don't allow

Allows the device user to uninstall apps.

Values

• Allow (default)
• Don't allow

Allows the device user to install Android apps from untrusted sources. This setting doesn't apply to apps on Google Play.

Values

• Allow (default)
• Don't allow

Allows device users to skip the tutorials available for apps.

Values

• Allow (default)
• Don't allow

Determines if device users can modify app settings.

Values

• Allow (default)
• Don't allow

Specify apps with delegation scope enabled. Click Set App Delegation to select the apps.

Values

• Select the apps and system apps

Specify whether to allow the setting of app runtime permissions in all areas.

The admin can grant or deny app runtime permissions without a user's intervention.

Values

• Grant(default). Allows all apps to run on a device.
• Deny. Blocks all apps from running on a device.
• Prompt. Device users are required to grant permission to apps to run.

Specifies the apps that do not need runtime permissions.

Values

Specify the app name.

1. ClickSet Permission to open App permissions page.
2. Select app and click Next.
3. Set permissions for the app, and click Set Permission.

Specifies a list of apps to uninstall from the device and prevent the user from installing.

If you or the user have already installed an app to the device, once you hide it, it automatically uninstalls.

Values

Select one or more apps from the app library.

Specifies a list of pre-installed system apps to reactivate. Apps specified in the Hide apps list take precedence over this list.

Values

Select one or more apps from the known list of system apps.

Specifies a list of apps that must not be uninstalled using mobile data.

Values

Select one or more apps or system apps from the app library.

Specifies the single app to offer in the kiosk experience.

Values

Enter the package name.

As of Knox Manage 23.12, this value is fixed at com.sds.emm.singleweb — Knox Browser — and can't be changed.

Specifies the home page of the Kiosk Browser.

Values

Enter a fully-formed URL.

You can insert lookup codes for string substitution.

Controls settings related to core kiosk behavior.

Values

• Hide info icon (default off). Hides the info button in the interface, which normally lets the device user exit kiosk mode and view the license. If the button is hidden and the device isn't connected to a network, the device can't exit mode.
• Automatic app updates (default off). Controls whether apps can automatically update.
• File uploads (default off). Allows the device user to upload files through Kiosk Browser.
• Copy text (default off). Allows the device user to copy text in Kiosk Browser.

• Session timeout (default off). Controls if the kiosk session terminates following user inactivity for a specific number of seconds. If this setting is selected, the default timeout period is 1800 seconds. Cookies and other session information are automatically deleted, and Kiosk Browser redirects to the default URL.

  • Screen saver. Allows you to set a screen saver to display while the device is charging and upon session timeout.
  • Images (up to 10 images, max 5 MB per image). Specifies the images to use as a screen saver. PNG, JPG, JPEG, and non-animated GIF file formats are supported.
  • Video (max 50 MB). Specifies the video to use as a screen saver. MP4 and MKV file formats are supported.
• Run JavaScript (default on). Controls whether Kiosk Browser can run JavaScript on web pages.
• Exit Kiosk mode attempt limit (default off). Prevents exiting Kiosk mode following a maximum number of invalid attempts. If this setting is selected, the default maximum is five attempts.
  • Take action if attempts are exceeded (default off). Lets you prevent the user from re-entering a Kiosk mode exit code for a certain period of time upon exceeding the maximum number of invalid attempts. Options are:
    • Prevent re-entering code for 10 min (default)
    • Prevent re-entering code for 30 min

Controls settings related to OS behavior in the kiosk.

Values

• System status bar (default off). Enables the system status bar.
• Notification bar (default off). Enables notifications.
• Power off (default off). Enables the power off button.
• Home button (default off). Enables the home button.
• Recent apps (default off). Enables the recent app button, also known as the Recents button.
• Keyguard (default off). Allows the Lock screen policy to apply to the device. If turned off, the device doesn't won't be protected by a lock screen, and the device user can access the device without first unlocking it.

Controls settings related to advanced kiosk behavior.

Values

• Use HTTP Proxy (default off). Lets you specify proxy details for the kiosk. You can set:
  • IP/domain (required) — An IP address or domain
  • Port (optional) — A specific port associated with the IP/domain

Allows device users to add or delete accounts.

Values

• Allow (default)
• Don't allow

Specifies a list of apps to allow or block on devices.

Values

• Allow (default)
• Don't allow

Specifies the account types to allow or block on devices.

Values

Enter account types

Specifies the accounts to allow on devices.

Values

• Allow all (default)
• Allow only Managed Google Play account
• Allow Managed Google Play and selected accounts

Specifies the accounts to allow when you select Allow Managed Google Play and selected accounts option in the Select accounts to allow in Google Play setting.

Values

Enter account types

Specifies if deletion of users is allowed.

Values

• Allow (default)
• Don't allow