Knox Manage 25.11 release notes (original console)
Last updated November 6th, 2025
This document is new for the Knox cloud services 25.11 UAT.
On this tab
- New
- New View Only permissions for groups and applications
- Windows 11 multi-app kiosk support
- New policies
- Support for iOS 26 and macOS 26
- New statuses for device location
- New device commands for Android Management API devices
- New Microsoft Excel file limit
- Updates
- Enable work profile to troubleshoot non-compliant devices
- Identity and directory enhancements
- Sync between nested groups
- Maximum number of directory sync targets increased
- New condition in the Wi-fi event profile
- Deprecated
- Notice of deprecation for admin invitations
- Notice of deprecation of policies
- Notice of deprecation of device command
New
New View Only permissions for groups and applications
Previously, admins with the access to groups and applications could only have the Manage permission. In the 25.11 release, the View Only permission is added for admins with access to groups and applications. This permission allows admins to view your groups and applications, but not manage them.
Windows 11 multi-app kiosk support
Previously, you could create a multi-app Kiosk only for Windows 10 devices. Now, you can select between Windows 10 or Windows 11 when creating a multi-app kiosk. See Manage Windows kiosks to learn more.
New policies
The following policies have been added in 25.11. You can configure policies from Profile > profile name > Modify Policy. To find a specific policy, start typing the policy name in Search Policy.
| Platform | Setting | Description |
|---|---|---|
| Android Enterprise | Expand status bar | Allows the expansion of the status bar. |
| Wear OS | Prevent Waterlock to be activated | The Waterlock feature cannot be turned on. |
| Wear OS | Always On Display | Allows you to make a device’s screen active (“awake”) at all times. |
| Wear OS | Wrist Orientation | Allows you to change the orientation of the device to support left-handed use cases. |
| Wear OS | Button Position | Allows you to change the orientation of the device buttons to support left-handed use cases. |
| Wear OS | Apps Excluded from Battery Optimization Lock Screen | Specify the apps to exclude from battery optimization. |
| Wear OS | Set Default Screen Lock | Users must use the password you set to unlock their device. |
| iOS | Apple Intelligence report | Set whether to enable Apple Intelligence reports. |
| iOS | Mail Smart Reply | Set whether to enable smart replies by Apple Intelligence in Mail. |
| iOS | Mail Summary | Sets whether to enable the ability to create summaries of email messages manually. |
| iOS | Hide Apps | Sets whether to enable the ability for the users to hide apps. |
| iOS | Lock Apps | Sets whether to enable the ability for the users to lock apps. |
| iOS | Call Recording | Sets whether to enable call recording. |
| iOS | Default Calling App Modification | Sets whether to allow users to modify default calling app preference |
| iOS | Default Messaging App Modification | Sets whether to allow users to modify default messaging app preference. |
| iOS | Default Browser Modification | Sets whether to allow users to modify default browser preference. |
Support for iOS 26 and macOS 26
With this release, iOS 26 and macOS 26 are officially supported by Knox Manage. See Minimum requirements and supported languages to learn more.
New statuses for device location
There are new location statuses available for Android Enterprise devices: Location, KM App Permission, and Location Accuracy.
- Location indicates whether a device is able to share its location with the Knox Manage console.
- KM App Permission indicates whether the Knox Manage agent is allowed to locate the device.
- Location Accuracy displays whether Google location accuracy is enabled.
To view these statuses, go to Device > select a device name > Device Information.
New device commands for Android Management API devices
With this release, new device commands are available for company-owned devices with a work profile. When you go to Device > select a device > Device Command > Unenroll Device, you can now select Deactivate Factory Reset Protection and Initialize SD card during factory reset. For more information, see Android Management API device commands.
New Microsoft Excel file limit
The upload size of Microsoft Excel files to the Knox Manage console is now limited to 10 MB. These files are commonly used to upload or manage devices, users, and content in bulk.
Updates
Enable work profile to troubleshoot non-compliant devices
Previously, if an Android Management API device failed to pass a Play Integrity validation, the only action you could take was to unenroll and factory reset the impacted, or non-compliant, device.
Now, you can enable the work profile on a non-compliant device. With this feature, you can continue to troubleshoot devices which may have failed the integrity validation because of temporary problems, such as a network issue.
To check if a device is non-compliant, navigate to Device > select a device name. The Device Details page opens. Non-compliant devices display the Violated status beside Play Integrity.
To enable work profiles on non-compliant devices, navigate to Profile > select a profile > Modify Policy > Check Devices through Play Integrity. For both the Verification Failed During Enrollment and Verification Failed After Enrollment settings, select Allow Enrollment under Device Controls and Work Profile Controls.
If you don’t enable work profiles, non-compliant devices will display a warning that This device isn’t active. Device users can dismiss the warning by tapping the home button, but they won’t have access to work profiles.
Identity and directory enhancements
Sync between nested groups
For on-premise AD and Entra ID directory servers, the nested groups in your identity server now sync with the applicable groups in Knox Manage. For instance, if you remove a child group from your identity directory server, the equivalent child group is also removed from Knox Manage.
Maximum number of directory sync targets increased
Previously, the maximum number of directory sync targets you could set was 40,000. In Knox Manage 25.11, you can now set between 10,000 and 70,000 sync targets. The default remains at 40,000, but you can submit a request to change it by going to Submit a support ticket.
New condition in the Wi-fi event profile
When you create a new event profile with the Wi-Fi event type, you can now select MAC Address as a condition.
Deprecated
Notice of deprecation for admin invitations
You can no longer invite admins through the Knox Manage console. Now, you must invite admins through the Knox Admin Portal, then update their permissions in the Knox Manage console. See Add an administrator to learn more.
Notice of deprecation of policies
With the 25.11 release, the following policies and settings are removed:
Notice of deprecation of device command
With the 25.11 release, the following device command is removed:
- iOS > OS Update (Supervised)
Is this page helpful?