Menu

Samsung Knox running Android Enterprise

This section describes the policies you can configure that are specific to Samsung devices enrolled under Android Enterprise.

NOTE

Policies marked by a are Premium policies. These policies require one of the following, which you can purchase through SamsungKnox.com:

These policies also require the KSP app.

IMPORTANT—One UI Core devices do not support Premium features with a KPE license. Applying KPE policies on such a device will cause unexpected errors that require a factory reset.

System

Provides data sharing or save settings, developer options, and other features.

Interface

Controls the network settings, such as Wi-Fi Hotspot and Bluetooth tethering, and controls the USB media player settings.

Security

Configures security settings, such as the Google Android security update policy.

Kiosk

Configures the Kiosk device settings.

Application

Configures the battery optimization exceptions setting.

Browser

Configures the settings for the default web browser and Chrome browser.

Phone

Configures the phone settings, such as the cellular network settings.

Custom Animation

Set up the boot/shutdown animation and sound.

Firewall

Configures the IP or a domain firewall policy for each application.

DeX

Allows the use of DeX mode, an interface to use a mobile device like a desktop.

Knox Service Plugin

Provides various policies through Knox Service Plugin.

APN

Configures the APN (Access Point Name) settings.

System

Policy

Description

Supported devices

Domain blacklist Settings

Allow using the domain blocklist.

 

> Domain blacklist

Enter a domain blocklist that should not be used when registering an Exchange or email account.

  • To add a domain, enter the domain name in the field, and click .
  • To delete a domain, click next to the added domain name.

DO: Samsung Knox 1.0 or higher

Power off

Allows powering off the device.

NOTE—

  • If this policy is disallowed, the use cannot turn off the device and cannot perform factory rest.
  • The device command from an administrator for factory reset is also blocked.

DO: Samsung Knox 1.0 or higher

OTA Upgrade

Allows an OTA upgrade for the device.

DO: Samsung Knox 1.0 or higher

Settings

Allows the configuration changes within the System Settings.

DO: Samsung Knox 1.0 or higher

Expand status bar

Allows the expansion of the status bar.

DO: Samsung Knox 1.0 or higher

Clipboard

Allows using the clipboard feature and sets the range.

  • Allow: Allows the clipboard feature throughout the entire system.
  • Disallow: Disallows the clipboard feature throughout the entire system.
  • Allow within the same app: Allows using the clipboard feature only within the same application.

DO/PO: Samsung Knox 1.0 or higher

Share via apps

Allows the share app feature.

DO/PO: Samsung Knox 1.0 or higher

Smart Select

Allows using the Smart Select, which is one of the Samsung device features. It allows users to clip a content by drawing a circle with the S pen. Clipped contents can be used on notes or anywhere else.

DO: Samsung Knox 2.3 or higher

Developer mode

Allows using a developer mode.

DO: Samsung Knox 2.0 or higher

> Mock location

Allows using a mock location, which specifies an arbitrary location for development or test purposes. Use this policy if the location information from the Update Device Information in the Send Device Command seems incorrect.

DO: Samsung Knox 1.0 or higher

> Background process limitation

Allows setting the number of background processes.

If this policy is disabled, the default number of background processes will be set at the maximum number.

DO: Samsung Knox 1.0 or higher

> Quit application upon killing activities

Enables closing all running applications when the user logs out of the device.

If this policy is disabled, the activation setting is disabled on the device and the user cannot control the device settings.

DO: Samsung Knox 1.0 or higher

Reboot banner

Allows using the reboot banner which appears on the user’s device when the device reboots.

DO: Samsung Knox 1.0 or higher

> Reboot banners stationery

Enter the text for the reboot banner. You can enter up to 1000 bytes.

Note : You can customize banners for Samsung Knox 2.2 + devices. For Samsung Knox 1.0 devices, only the message or banner registered by the manufacturer is displayed.

DO: Samsung Knox 2.2 or higher

Control Power saving mode

Allows power saving controls on the device.

DO: Samsung Knox 2.8 or higher

Firmware download mode control

Allows using the hardware key on the device to update firmware.

  • Disallow: Disallows updating firmware with the hardware key and performing a factory reset.

DO: Samsung Knox 2.0 or higher

Samsung Keyboard settings control

Allows accessing the settings key from the Samsung keyboard.

DO: Samsung Knox 2.0 or higher

Interface

Policy

Description

Supported devices

USB debugging Specify whether to allow corporate devices to communicate with computers through USB.

DO: Samsung Knox 1.0 or higher

PO: Android 5.0 or higher

NFC Control

Allows NFC (Near Field Communication) control.

NOTE— Android 10 (Q) or higher devices are not supported.

DO: Samsung Knox 1.0 or higher

PO: Samsung Knox 2.4 or higher

USB host storage (OTG)

Allows a device connection via OTG (On the Go). OTG controls only the storage items and not the non-storage items, such as a keyboard or mouse.

NOTE—

To use DeX, configure the policy to allow DeX mode. If the configuration value is set as either allow or disallow, make the USB exception list as below:

  • Using DeX only: All block.
  • Using DeX, Keyboard, and Mouse: Hid.
  • Using DeX, Keyboard, Mouse, Ethernet: Hid, Communication, Cdc Data, Vendor Spec.

DO: Samsung Knox 1.0 or higher

> Set usb exception allowed list

Select a USB interface to use if the USB host storage (OTG) policy is disallowed.

 

>> USB exception allowed list

Select the USB interface to use from the USB exception allowed list. For more information, see https://www.usb.org/defined-class-codes.

DO: Samsung Knox 3.0 or higher

Wi-Fi hotspot

Specify using mobile Wi-Fi hotspot on the device.

DO: Samsung Knox 1.0 or higher

Wi-Fi SSID whitelist setting

Allows using the Wi-Fi SSID allowlist. Devices can only connect to the Wi-Fi APs on the allowlist.

NOTE— For non-Samsung devices with Android 8.0 or a higher version, this policy can only be applied when it has been agreed to grant access to location information.

 

> Wi-Fi SSID whitelist

Add Wi-Fi APs to the allowlist. This policy is irrelevant to adding or deleting the Wi-Fi setting profile.

  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click .
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click .

DO: Samsung Knox 1.0 or higher

Wi-Fi SSID Blacklist setting

Allows using the Wi-Fi SSID blocklist. Devices cannot connect to Wi-Fi APs on the blocklist.

NOTE— For non-Samsung devices with Android 8.0 or a higher version, this policy can only be applied when it has been agreed to grant access to location information.

 

> Wi-Fi SSID Blacklist

Add Wi-Fi APs to the blocklist. This policy is irrelevant to adding or deleting the Wi-Fi setting profile.

  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add.
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click .

DO: Samsung Knox 1.0 or higher

Wi-Fi auto connection

Allows automatic connection to the Wi-Fi SSID already stored in the device.

DO: Samsung Knox 1.0 or higher

Wi-Fi minimum security level setting

Set a minimum security level for Wi-Fi.

NOTE— The security level increases in the following ascending order: OPEN < WEP < WPA < LEAP, PWD < FAST, PEAP < TSL, TTLS, SIM, AKA, AKA’

DO: Samsung Knox 1.0 or higher

USB Tethering

Allows USB tethering.

DO: Android 4.3 or higher, Samsung Knox 1.0 or higher

Bluetooth Tethering

Allows Bluetooth tethering to share the internet connection from one device to another.

DO: Samsung Knox 1.0 or higher

Bluetooth UUID Whitelist Setting

Allows connecting Bluetooth devices based on their Universal Unique Identifier (UUID).

 

> Bluetooth UUID whitelist

Select devices to allow Bluetooth connections with. Click the checkboxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.

NOTE— When updating the policy, current Bluetooth connection gets disconnected. Users must reconnect.

DO: Samsung Knox 1.0 or higher

Bluetooth UUID Blacklist Setting

Allows disconnecting Bluetooth devices based on their Universal Unique Identifier (UUID).

 

> Bluetooth UUID blacklist

Select devices to allow Bluetooth connections with. Click the checkboxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.

NOTE— When updating the policy, current Bluetooth connection gets disconnected. Users must reconnect.

DO: Samsung Knox 1.0 or higher

Allow USB devices for default access by app See the policy description for Application management policies > Allow USB Devices for default access by Application in the Knox Service Plugin admin guide.
Allow USB devices for default access by app See the policy description for Application management policies (Premium) > Allow USB Devices for default access by Application in the Knox Service Plugin admin guide.

Bluetooth

Specify whether to allow devices to connect through Bluetooth.

PO: Samsung Knox 2.4 or higher

Security

Policy

Description

Supported devices

Google Android security update policy

Allows the user to select whether to receive updates on the device.

  • Forced use: Set to receive security updates by default.

DO: Samsung Knox 2.6 or higher

Kiosk

Policy

Description

Supported devices

Task manager

Allow the use of the Task Manager.

DO: Samsung Knox 1.0 - 2.4

System bar

Use the System bar which refers to the Status bar in the Notifications area at the top of the device and the Navigation bar in the Buttons area at the bottom.

For non-Samsung devices, even if you selected either Allow status bar only or Allow navigation bar only, both the status bar and the navigation bar will be disabled.

DO: Samsung Knox 1.0 or higher

Multiple windows

Allows the use of multiple windows. This is available for devices that provide the functionality of multiple windows.

DO: Samsung Knox 1.0 or higher

Air command

Allows the use of Air command. Air command is a function provided on Samsung devices. Menu items appear when the user brings an S pen close to the screen.

NOTE— Air command is not available on Kiosk mode devices with Android Pie (9.0) or higher.

DO: Samsung Knox 2.2 or higher

Air view

Allows the use of Air view. Air view is a function provided on Samsung devices. Users can preview a picture or email when they bring the S pen or finger close to the picture or other content.

DO: Samsung Knox 2.2 or higher

Edge screen

Allows the use of the Edge screen of the device. The Edge screen allows users to create shortcuts on the edges of the screen panel to frequently used applications, favorite contacts, or the camera.

DO: Samsung Knox 2.5 or higher

Application

Policy

Description

Supported devices

Battery optimization exceptions

Set to exempt applications from the battery optimization mode.

NOTE— This policy may cause battery loss.

DO/PO: Samsung Knox 2.7 or higher

> Apps excluded from battery optimization

Add applications to be exempted from battery optimization mode.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

 

Browser

Policy

Description

Supported devices

Cookies

Allows cookies in the Android browser.

NOTE— If cookies are not allowed, you cannot access websites that authenticate users with cookies.

DO: Samsung Knox 1.0 or higher

JavaScript

Allows JavaScript in the Android browser.

DO: Samsung Knox 1.0 or higher

Autofill

Allows auto-completion of information that you enter on websites in the Android browser.

DO: Samsung Knox 1.0 or higher

Pop-up block

Allows blocking pop-ups in the Android browser.

DO: Samsung Knox 1.0 or higher

Browser proxy URL

Set the proxy server address for the Android browser. Enter the value in the form of IP:port or domain:port in the fields.

NOTE—

  • The Chrome browser and Samsung S browser are supported.
  • The supported version for Chrome is Knox 4.0.1 - 5.6.

DO: Samsung Knox 1.0.1 or higher

Phone

Policy

Description

Supported devices

Prohibit voice call

Prohibits incoming and outgoing voice calls.

 

> Voice call

Specifies the types of voice calls to block:

  • Incoming: Blocks incoming voice calls only.
  • Outgoing: Blocks outgoing voice calls only.

If both are selected, only emergency calls can be made or received.

DO: Samsung Knox 1.0 or higher

Disallow SMS/MMS

Allows sending and receiving SMS/MMS messages.

 

> Disallow Incoming/Outgoing SMS/MMS

Select the types of SMS/MMS messages to disable.

NOTE—At least one of the types should be selected.

DO: Samsung Knox 1.0 or higher

WAP push during roaming

Allows WAP push communications while roaming.

DO: Samsung Knox 1.0 or higher

Data sync during roaming

Allows data synchronization while roaming.

DO: Samsung Knox 1.0 or higher

Voice calls during roaming

Allows voice calls while roaming.

DO: Samsung Knox 1.0 or higher

Use SIM card locking

This policy is no longer supported through profiles. You can control SIM card locking through device commands.

NOTE—In cases where this setting has already been applied, it is retained. However, it cannot be modified.

 

Custom Animation

Policy

Description

Supported devices

Booting Animation This method configures device boot animation. DO: Samsung Knox 2.5 or higher
> Boot Animation File The animation file to be played while the device boots.  
> Boot Loop File The loop file to be played while the device boots.  
> Boot Sound File The sound file to be played while the device boots.  
Shutdown Animation This method configures device shutdown animation. DO: Samsung Knox 2.5 or higher
> Shutdown Animation File The animation file to be played while the device shuts down.  
> Shutdown Sound File The sound file to be played while the device shuts down.  

NOTE—Refer to Knox SDK developer guide for instructions on how to create and request .QMG file. This policy will have effect after reboot.

Firewall

Policy

Description

Supported devices

Firewall

Set to use the firewall to set target IP addresses. The firewall policy is enabled by default.

DO/PO: Samsung Knox 1.0 - 2.4.1

> Permitted policy (IP)

Input values to permit the target IP and port address. Configure the following:

1. Enter or click Add to search the Package Name of the application.

2. Input the IP Address (range) and Port (range).

3. Select the Network Type:

  • All
  • Data: Only mobile network access is enabled.
  • Wi-Fi: Only Wi-Fi network access is enabled.

4. Select Port Range:

  • All
  • Local: Port access from the device is enabled.
  • Remote: Port access from the target server is enabled.

5. Click to add.

NOTE— Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited Policy (IP) ranges.

DO/PO: Samsung Knox 2.5 or higher

> Prohibited policy (IP)

Input values to prohibit the target IP and port address. Configure the following:

1. Enter or click Add to search the Package Name of the application.

2. Enter the IP Address (range) and Port (range).

  • Enter a wildcard character (*) as an IP Address to prohibit the use of the bandwidth.

3. Select Network Type:

  • All
  • Data: Mobile network access is disabled.
  • Wi-Fi: Wi-Fi network access is disabled.

4. Select Port Range:

  • All
  • Local: Port access from the device is disabled.
  • Remote: Port access from the target server is disabled.

5. Click to add.

NOTE— Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited Policy (IP) ranges.

DO/PO: Samsung Knox 2.5 or higher

> Permitted policy (Domain)

Input values to permit the target domain address.

1. Enter or click Add to search the Package Name of the application.

2. Input the IP Address (range) and Port (range).

NOTE—

  • Before setting this policy, disable all domains by entering a wildcard character (*) to the Prohibited policy (Domain) ranges.
  • Use a wildcard character (*) to allow the use of a specific domain. The character must be placed before or after the domain name. e.g.) *android.com / www.samsung*

DO/PO: Samsung Knox 2.6 or higher

> Prohibited policy (Domain)

Input values to prohibit the target domain address.

1. Enter or click Add to search the Package Name of the application.

2. Input the IP Address (range) and Port (range).

NOTE— Use a wildcard character (*) to prohibit a specific domain.

DO/PO: Samsung Knox 2.6 or higher

> DNS setting

Input values to specify the domain server address of all applications or registered applications.

1. Enter or click Add to search the Package Name of the application.

2. Input DNS values.

  • DNS1: Primary DNS.
  • DNS2: Secondary DNS.

NOTE— Only one DNS per application can be set and it is effective only when there are no VPN or Proxy policies assigned to the application.

DO/PO: Samsung Knox 2.7 or higher

DeX

Samsung DeX is an accessory that extends the functionalities of a mobile device. By connecting a monitor, keyboard, and mouse to a Dex docking station, the mobile device can function as a desktop computer

In Knox Manage, you can allow the use of DeX mode and control applications according to the Application execution blacklist setting.

Policy

Description

Supported devices

Allow DeX Mode

Allows the use of DeX mode.

  • Disallow: The DeX station will not function even if a mobile device is mounted on it.

DO: Samsung Knox 3.0 or higher

>Allow Ethernet Only

Allows ethernet only for DeX. Mobile data, Wi-Fi, and tethering are blocked.

DO: Samsung Knox 3.0 or higher

>App execution blacklist(Android)

Use the blocklist for running DeX applications.

 

> >App execution blacklist

Prohibits launching the specified applications.

When this policy is enabled and applied, the icons of the blocked applications will disappear so that users cannot launch them. However, the applications are not deleted. The icons will reappear once the policy is changed or Knox Manage is disabled.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

NOTE— Any applications that already have been added to the Application allowlist cannot be added to the Application blocklist.

DO: Samsung Knox 3.0 or higher

Knox Service Plugin

These policies require the Knox Service Plugin (KSP) app. In order to configure these policies, you must approve the KSP app in the Android Enterprise settings.

NOTE—KSP policies are not applicable to the Fully Managed with Work Profile type. For devices that are enrolled under the Fully Managed type with KSP policies applied, these policies can remain even after the device type changes to the Fully Managed with Work Profile type. It is recommended to remove them manually.

For more detailed information on KSP policies, see the Policy Descriptions page of the Knox Service Plugin Admin Guide.

APN

You can add more APN policy sets by clicking .

Policy

Description

Configuration ID

Enter an ID name to be displayed on the device.

Description

Enter a description for an APN.

Remove available

Allows users to delete APN settings. If you choose Disallow, then the button used to delete APN settings is disabled.

Access Point Name (APN)

Enter the name of the access point.

Access Point Type

Select the type of the access point.

  • Default: default type.
  • MMS: Multimedia Messaging Service.
  • Supl: IP-based protocol to receive GPS satellite signals.

Mobile Country Code (MCC)

Enter the country code for the APN.

Mobile Network Code (MNC)

Enter the carrier network code for the APN.

MMS Server (MMSC)

Enter the server information for sending multimedia messages.

MMS Proxy Server

Enter the information of the proxy server for sending multimedia messages.

MMS Proxy Server Port

Enter the port number of the proxy server for sending multimedia messages.

Server

Enter the WAP gateway server name.

Proxy Server

Enter the information of the proxy server.

Proxy Server Port

Enter the port number of the proxy server.

Access Point Username

Enter the user name of the access point.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Access Point Password

Enter the password of the access point.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Authentication Method

Select an authentication method.

  • None: Disables authentication.
  • PAP: Requires a user name and password for authentication.
  • CHAP: Uses encryption with a Challenge string for authentication.
  • PAP or CHAP: Uses the PAP or CHAP authentication method.

Set as Preferred APN

Applies APN settings to the device.