Samsung Knox running Android Enterprise policies

This section describes the policies you can configure that are specific to Samsung devices enrolled under Android Enterprise.

IMPORTANT
  • To apply these policies, devices require the Knox Service Plugin agent 19.12 or higher.
  • One UI Core devices do not support Premium features with a KPE license. Applying KPE policies on such a device will cause unexpected errors that require a factory reset.

System

Provides data sharing or save settings, developer options, and other features.

Policy Description Supported system
Domain Blocklist Settings Allow using the domain blocklist.
> Domain Blocklist

Enter a domain blocklist that should not be used when registering an Exchange or email account.

  • To add a domain, enter the domain name in the field, and click add.
  • To delete a domain, click delete next to the added domain name.
Fully Managed — Samsung Knox 1.0 and higher
Network Time Protocol Settings

Enables the device to sync system time with an external server through the Network Time Protocol (NTP).

Values

  • Apply — Enables NTP syncing.
Samsung Knox 2.5 and higher
Server Address

Specifies the URL of the NTP server. Only available if the Network Time Protocol Settings policy is set to Apply.

Values

Enter a URL.

Samsung Knox 2.5 and higher
Maximum Number of Attempts

Specifies the maximum number of attempts allowed to connect to the NTP server during a polling cycle. Only available if the Network Time Protocol Settings policy is set to Apply.

Values

Enter the maximum number of connection attempts. The value can be 1–100.

Samsung Knox 2.5 and higher
Polling Cycles (hr)

Specifies the duration to wait before the device attempts to resync with the NTP server after the previous synchronization succeeds. When syncing begins, the device attempts to connect to the server a maximum number of times defined by the Maximum Number of Attempts policy. Only available if the Network Time Protocol Settings policy is set to Apply.

Values

Enter a delay between polling cycles, in hours. The value can be between 1–8760.

Samsung Knox 2.5 and higher
Short Polling Cycle (sec)

Specifies the duration to wait before the device attempts to resync with the NTP server after the previous synchronization fails. Only available if the Network Time Protocol Settings policy is set to Apply.

Values

Enter a delay between short polling cycles, in seconds. The value can be between 1–1000.

Samsung Knox 2.5 and higher
Timeout (sec)

Specifies the duration to wait after a connection attempt during a polling cycle times out. Only available if the Network Time Protocol Settings policy is set to Apply.

Values

Enter a value, in seconds. The value can be between 0–1000 seconds.

Samsung Knox 2.5 and higher
Power off

Allows powering off the device.

NOTE
  • If this policy is disallowed, the user cannot turn off the device and cannot perform a factory reset.
  • The device command from an administrator for factory reset is also blocked.
Fully Managed — Samsung Knox 1.0 and higher
OTA Upgrade Allows an OTA upgrade for the device. Fully Managed — Samsung Knox 1.0 and higher
Settings Allows the configuration changes within the System Settings. Fully Managed — Samsung Knox 1.0 and higher
Expand status bar Allows the expansion of the status bar. Fully Managed — Samsung Knox 1.0 and higher
Clipboard

Allows using the clipboard feature and sets the range.

  • Allow — Allows the clipboard feature throughout the entire system.
  • Disallow — Disallows the clipboard feature throughout the entire system.
  • Allow within the same app — Allows using the clipboard feature only within the same application.
Samsung Knox 1.0 and higher
Share via apps Allows the share app feature. Samsung Knox 1.0 and higher
Smart Select Allows using Smart Select, a Samsung device feature that lets users clip content by drawing a circle with the S pen. Clipped content can be used in notes or anywhere else. Fully Managed — Samsung Knox 2.3 and higher
Developer mode Allows using a developer mode. Fully Managed — Samsung Knox 2.0 and higher
> Mock location Allows using a mock location, which specifies an arbitrary location for development or test purposes. Use this policy if the location information from the Update Device Information in the Send Device Command seems incorrect. Fully Managed — Samsung Knox 1.0 and higher
> Background process limitation

Allows setting the number of background processes.

If this policy is disabled, the default number of background processes will be set at the maximum number.

Fully Managed — Samsung Knox 1.0 and higher
> Quit application upon killing activities

Enables closing all running applications when the user logs out of the device.

If this policy is disabled, the activation setting is disabled on the device and the user cannot control the device settings.

Fully Managed — Samsung Knox 1.0 and higher
Reboot banner Allows using the reboot banner which appears on the user's device when the device reboots. Fully Managed — Samsung Knox 1.0 and higher
> Reboot banners stationery

Enter the text for the reboot banner. You can enter up to 1000 bytes.

NOTE — You can customize banners for Samsung Knox 2.2+ devices. For Samsung Knox 1.0 devices, only the message or banner registered by the manufacturer is displayed.
Fully Managed — Samsung Knox 2.2 and higher
Power Saving Mode Control Allows power saving controls on the device. Fully Managed — Samsung Knox 2.8 and higher
Firmware download mode control

Allows using the hardware key on the device to update firmware.

  • Disallow — Disallows updating firmware with the hardware key and performing a factory reset.
Fully Managed — Samsung Knox 2.0 and higher
Samsung Keyboard settings control Allows accessing the settings key from the Samsung keyboard. Fully Managed — Samsung Knox 2.0 and higher

Interface

Controls the network settings, such as Wi-Fi Hotspot and Bluetooth tethering, and controls the USB media player settings.

Policy Description Supported system
USB debugging Specify whether to allow corporate devices to communicate with computers through USB.

Fully Managed — Samsung Knox 1.0 and higher

Work Profile — Android 5 and higher

NFC Control

Allows NFC (Near Field Communication) control.

NOTE — Android 10 and higher devices are not supported.

Fully Managed — Samsung Knox 1.0 and higher

Work Profile — Samsung Knox 2.4 and higher

USB host storage (OTG)

Allows a device connection via OTG (On the Go). OTG controls only the storage items and not the non-storage items, such as a keyboard or mouse.

NOTE — To use DeX, configure the policy to allow DeX mode. If the configuration value is set to either allow or disallow, configure the USB exception list as follows:
  • Using DeX only — All block.
  • Using DeX, Keyboard, and Mouse — Hid.
  • Using DeX, Keyboard, Mouse, Ethernet — Hid, Communication, Cdc Data, Vendor Spec.
Fully Managed — Samsung Knox 1.0 and higher
> Set usb exception allowed list Select a USB interface to use if the USB host storage (OTG) policy is disallowed.
>> USB exception allowed list Select the USB interface to use from the USB exception allowed list. For more information, see https://www.usb.org/defined-class-codes. Fully Managed — Samsung Knox 3.0 and higher
Wi-Fi hotspot Specifies whether the mobile Wi-Fi hotspot can be used on the device. Fully Managed — Samsung Knox 1.0 and higher
Wi-Fi SSID allowlist setting

Allows using the Wi-Fi SSID allowlist. Devices can only connect to the Wi-Fi APs on the allowlist.

NOTE — For non-Samsung devices with Android 8 or a higher version, this policy can only be applied when access to location information has been granted.
> Wi-Fi SSID allowlist

Add Wi-Fi APs to the allowlist. This policy is unrelated to adding or deleting the Wi-Fi setting profile.

  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click add.
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click delete.
Fully Managed — Samsung Knox 1.0 and higher
Wi-Fi SSID Blocklist setting

Allows using the Wi-Fi SSID blocklist. Devices cannot connect to Wi-Fi APs on the blocklist.

NOTE — For non-Samsung devices with Android 8 or a higher version, this policy can only be applied when access to location information has been granted.
> Wi-Fi SSID Blocklist

Add Wi-Fi APs to the blocklist. This policy is unrelated to adding or deleting the Wi-Fi setting profile.

  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add.
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click delete.
Fully Managed — Samsung Knox 1.0 and higher
Wi-Fi auto connection Allows automatic connection to the Wi-Fi SSID already stored in the device. Fully Managed — Samsung Knox 1.0 and higher
Wi-Fi minimum security level setting

Set a minimum security level for Wi-Fi.

NOTE — The security level increases in the following ascending order — OPEN < WEP < WPA < LEAP, PWD < FAST, PEAP < TLS, TTLS, SIM, AKA, AKA'.
Fully Managed — Samsung Knox 1.0 and higher
USB Tethering Allows USB tethering. Fully Managed — Android 4.3 and higher, Samsung Knox 1.0 and higher
Bluetooth Tethering Allows Bluetooth tethering to share the internet connection from one device to another. Fully Managed — Samsung Knox 1.0 and higher
Bluetooth UUID Allowlist Setting Allows connecting Bluetooth devices based on their Universal Unique Identifier (UUID).
> Bluetooth UUID allowlist

Select devices to allow Bluetooth connections with. Click the check boxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.

NOTE — When the policy is updated, the current Bluetooth connection is disconnected. Users must reconnect.
Fully Managed — Samsung Knox 1.0 and higher
Bluetooth UUID Blocklist Setting Allows disconnecting Bluetooth devices based on their Universal Unique Identifier (UUID).
> Bluetooth UUID Blocklist

Select devices to allow Bluetooth connections with. Click the check boxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.

NOTE — When the policy is updated, the current Bluetooth connection is disconnected. Users must reconnect.
Fully Managed — Samsung Knox 1.0 and higher
Allow USB devices for default access by app See the policy description for Application management policies > Allow USB Devices for default access by Application in the Knox Service Plugin admin guide.
Allow USB devices for default access by app See the policy description for Application management policies (Premium) > Allow USB Devices for default access by Application in the Knox Service Plugin admin guide.
Bluetooth Specify whether to allow devices to connect through Bluetooth. Work Profile — Samsung Knox 2.4 and higher

Security

Configures security settings, such as the Google Android security update policy.

Policy Description Supported system
Google Android security update policy

Allows the user to select whether to receive updates on the device.

  • Forced use — Set to receive security updates by default.
Fully Managed — Samsung Knox 2.6 and higher

Kiosk

Configures the Kiosk device settings.

Policy Description Supported system
Task manager Allow the use of the Task Manager. Fully Managed — Samsung Knox 1.0 - 2.4
System bar

Use the System bar which refers to the Status bar in the Notifications area at the top of the device and the Navigation bar in the Buttons area at the bottom.

For non-Samsung devices, even if you selected either Allow status bar only or Allow navigation bar only, both the status bar and the navigation bar will be disabled.

Fully Managed — Samsung Knox 1.0 and higher
Multiple windows Allows the use of multiple windows. This is available for devices that provide the functionality of multiple windows. Fully Managed — Samsung Knox 1.0 and higher
Air command

Allows the use of Air command. Air command is a function provided on Samsung devices. Menu items appear when the user brings an S pen close to the screen.

NOTE — Air command is not available on Kiosk mode devices with Android Pie (9.0) and higher.
Fully Managed — Samsung Knox 2.2 and higher
Air view Allows the use of Air view. Air view is a function provided on Samsung devices. Users can preview a picture or email when they bring the S pen or finger close to the picture or other content. Fully Managed — Samsung Knox 2.2 and higher
Edge screen Allows the use of the Edge screen of the device. The Edge screen allows users to create shortcuts on the edges of the screen panel to frequently used applications, favorite contacts, or the camera. Fully Managed — Samsung Knox 2.5 and higher

Application

Configures the battery optimization exceptions setting.

Policy Description Supported system
Battery optimization exceptions

Set to exempt applications from the battery optimization mode.

NOTE — This policy may cause battery loss.
Samsung Knox 2.7 and higher
> Apps excluded from battery optimization

Add applications to be exempted from battery optimization mode.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click delete next to the added application.

Browser

Configures the settings for the default web browser and Chrome browser.

Policy Description Supported system
Cookies

Allows cookies in the Android browser.

NOTE — If cookies are not allowed, you cannot access websites that authenticate users with cookies.
Fully Managed — Samsung Knox 1.0 and higher
JavaScript Allows JavaScript in the Android browser. Fully Managed — Samsung Knox 1.0 and higher
Autofill Allows auto-completion of information that you enter on websites in the Android browser. Fully Managed — Samsung Knox 1.0 and higher
Pop-up block Allows blocking pop-ups in the Android browser. Fully Managed — Samsung Knox 1.0 and higher
Browser proxy URL

Set the proxy server address for the Android browser. Enter the value in the form of IP:port or domain:port in the fields.

NOTE
  • The Chrome browser and Samsung S browser are supported.
  • The supported version for Chrome is Knox 4.0.1 - 5.6.
Fully Managed — Samsung Knox 1.0.1 and higher

Phone

Configures the phone settings, such as the cellular network settings.

Policy Description Supported system
Prohibit voice call Prohibits incoming and outgoing voice calls.
> Voice call

Specifies the types of voice calls to block:

  • Incoming — Blocks incoming voice calls only.
  • Outgoing — Blocks outgoing voice calls only.

If both are selected, only emergency calls can be made or received.

Fully Managed — Samsung Knox 1.0 and higher
Disallow SMS/MMS Allows sending and receiving SMS/MMS messages.
> Disallow Incoming/Outgoing SMS/MMS

Select the types of SMS/MMS messages to disable.

NOTE — You must select at least one type of message.
Fully Managed — Samsung Knox 1.0 and higher
WAP push during roaming Allows WAP push communications while roaming. Fully Managed — Samsung Knox 1.0 and higher
Data sync during roaming Allows data synchronization while roaming. Fully Managed — Samsung Knox 1.0 and higher
Voice calls during roaming Allows voice calls while roaming. Fully Managed — Samsung Knox 1.0 and higher
Use SIM card locking

This policy is no longer supported through profiles. You can control SIM card locking through device commands.

NOTE — In cases where this setting was already applied, it is retained. However, you cannot modify it.

Custom Animation

Set up the boot/shutdown animation and sound.

Policy Description Supported system
Booting Animation This method configures device boot animation. Fully Managed — Samsung Knox 2.5 and higher
> Boot Animation File The animation file to be played while the device boots.
> Boot Loop File The loop file to be played while the device boots.
> Boot Sound File The sound file to be played while the device boots.
Shutdown Animation This method configures device shutdown animation. Fully Managed — Samsung Knox 2.5 and higher
> Shutdown Animation File The animation file to be played while the device shuts down.
> Shutdown Sound File The sound file to be played while the device shuts down.
NOTE — Refer to the Knox SDK developer guide for instructions on how to create and request a QMG file. This policy takes effect after reboot.

Firewall

Configures the IP or a domain firewall policy for each application.

Policy Description Supported system
Firewall Set to use the firewall to set target IP addresses. The firewall policy is enabled by default. Samsung Knox 1.0 - 2.4.1
> Permitted policy (IP)

Input values to permit the target IP and port address. Configure the following:

  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
  3. Select the Network Type:
    • All
    • Data — Only mobile network access is enabled.
    • Wi-Fi — Only Wi-Fi network access is enabled.
  4. Select Port Range:
    • All
    • Local — Port access from the device is enabled.
    • Remote — Port access from the target server is enabled.
  5. Click add to add.
NOTE — Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited Policy (IP) ranges.
Samsung Knox 2.5 and higher
> Prohibited policy (IP)

Input values to prohibit the target IP and port address. Configure the following:

  1. Enter or click Add to search the Package Name of the application.
  2. Enter the IP Address (range) and Port (range).
    • Enter a wildcard character (*) as an IP Address to prohibit the use of the bandwidth.
  3. Select Network Type:
    • All
    • Data — Mobile network access is disabled.
    • Wi-Fi — Wi-Fi network access is disabled.
  4. Select Port Range:
    • All
    • Local — Port access from the device is disabled.
    • Remote — Port access from the target server is disabled.
  5. Click add to add.
NOTE — Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited Policy (IP) ranges.
Samsung Knox 2.5 and higher
> Permitted policy (Domain)

Input values to permit the target domain address.

  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
NOTE
  • Before setting this policy, disable all domains by entering a wildcard character (*) to the Prohibited policy (Domain) ranges.
  • Use a wildcard character (*) to allow the use of a specific domain. The character must be placed before or after the domain name. For example, *android.com / www.samsung*
Samsung Knox 2.6 and higher
> Prohibited policy (Domain)

Input values to prohibit the target domain address.

  1. Enter or click Add to search the Package Name of the application.
  2. Input the IP Address (range) and Port (range).
NOTE — Use a wildcard character (*) to prohibit a specific domain.
Samsung Knox 2.6 and higher
> DNS setting

Input values to specify the domain server address of all applications or registered applications.

  1. Enter or click Add to search the Package Name of the application.
  2. Input DNS values.
    • DNS1 — Primary DNS.
    • DNS2 — Secondary DNS.
NOTE — Only one DNS per application can be set and it is effective only when there are no VPN or Proxy policies assigned to the application.
Samsung Knox 2.7 and higher
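
The wildcard rule and the prohibit-everything-then-permit workflow described in the domain policy notes above can be checked before a profile is saved. The following Python is an added example, not Knox Manage or Knox SDK code. It assumes patterns match by plain prefix/suffix string comparison and that a permitted entry overrides a prohibited one; the DomainPolicy class, the function names and the sample package name are hypothetical.

```python
from dataclasses import dataclass, field


def check_pattern(pattern: str) -> list[str]:
    """Lint one domain pattern against the wildcard rule stated above."""
    if pattern == "*":
        return []  # bare wildcard: every domain
    core = pattern.strip("*")
    if not core:
        return ["error: pattern has no domain name"]
    findings = []
    if "*" in core:
        findings.append("error: wildcard must be before or after the domain name")
    if pattern.startswith("*") and not core.startswith("."):
        findings.append(f"warn: also matches look-alike hosts ending in '{core}'")
    if pattern.endswith("*"):
        findings.append(f"warn: matches any host that starts with '{core}'")
    return findings


def matches(pattern: str, host: str) -> bool:
    """Assumed semantics: '*' stands for any run of characters at that end."""
    host, p = host.lower().rstrip("."), pattern.lower()
    if p == "*":
        return True
    core = p.strip("*")
    if p.startswith("*") and p.endswith("*"):
        return core in host
    if p.startswith("*"):
        return host.endswith(core)
    if p.endswith("*"):
        return host.startswith(core)
    return host == core


@dataclass
class DomainPolicy:
    package: str
    permitted: list[str] = field(default_factory=list)
    prohibited: list[str] = field(default_factory=list)

    def decide(self, host: str) -> str:
        # Assumption: permit wins, mirroring "prohibit * first, then permit".
        if any(matches(p, host) for p in self.permitted):
            return "permit"
        if any(matches(p, host) for p in self.prohibited):
            return "prohibit"
        return "no-rule"


def lint(policy: DomainPolicy) -> list[str]:
    """Collect findings for one application's domain firewall entries."""
    findings = []
    if policy.permitted and "*" not in policy.prohibited:
        findings.append(
            "error: add '*' to Prohibited policy (Domain) before permitting domains")
    for pattern in policy.permitted + policy.prohibited:
        findings += [f"{pattern}: {msg}" for msg in check_pattern(pattern)]
    return findings


# Constructed sample: the page's two example patterns plus one invalid pattern.
SAMPLE = DomainPolicy(
    package="com.example.app",
    permitted=["*android.com", "www.samsung*", "api.*.example.com"],
    prohibited=["*"],
)

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
    for host in ("developer.android.com", "notandroid.com", "example.org"):
        print(host, "->", SAMPLE.decide(host))
```

Under the assumed matching, `*android.com` also permits `notandroid.com`, while `*.android.com` does not; the dotted form no longer matches the bare `android.com`, which then needs its own entry.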

DeX

Allows the use of DeX mode, an interface to use a mobile device like a desktop.

Samsung DeX is an accessory that extends the functionalities of a mobile device. By connecting a monitor, keyboard, and mouse to a DeX docking station, the mobile device can function as a desktop computer.

In Knox Manage, you can allow the use of DeX mode and control applications according to the Application execution blocklist setting.

Policy Description Supported system
DeX Mode

Allows the use of DeX mode.

  • Disallow — The DeX station will not function even if a mobile device is mounted on it.
Fully Managed — Samsung Knox 3.0 and higher
>Ethernet Only Allows ethernet only for DeX. Mobile data, Wi-Fi, and tethering are blocked. Fully Managed — Samsung Knox 3.0 and higher
>App execution blocklist(Android) Use the blocklist for running DeX applications.
> >App execution blocklist

Prohibits launching the specified applications.

When this policy is enabled and applied, the icons of the blocked applications will disappear so that users cannot launch them. However, the applications are not deleted. The icons will reappear once the policy is changed or Knox Manage is disabled.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click delete next to the added application.
NOTE — Any applications that already have been added to the Application allowlist cannot be added to the Application blocklist.
Fully Managed — Samsung Knox 3.0 and higher

Knox Service Plugin

Provides various policies through Knox Service Plugin.

The Knox Service Plugin (KSP) is Samsung's OEMConfig-based solution that enables IT administrators to use a wide range of Knox management features on their EMM consoles as soon as they are commercially available in the market.

These policies require the Knox Service Plugin app from Google Play.

You must meet the following requirements to use the Knox Service Plugin (KSP) with your managed devices.

What you need

  1. A device enrolled with Android Enterprise.
  2. A valid Knox Platform for Enterprise (KPE) license for the device. For more information about Knox licenses, see KPE Admin Guide - About licenses.

For KSP policies that have their default values defined using KSP, the Knox Service Plugin screen pre-populates fields with recommended default values. These values for each field are shown on the Knox Service Plugin screen.

To view and edit these values, complete the following steps:

  1. On the KM admin portal, go to Profile > Modify policy > Set policy page > Samsung Knox policies > Knox Service Plugin page.
  2. Click drop down to populate fields with the default values. If you want to reset these values, click delete next to the appropriate heading, and then change the values as necessary.
NOTE — KSP policies are not applicable to the Fully Managed with Work Profile type. For devices that are enrolled under the Fully Managed type with KSP policies applied, these policies can remain even after the device type changes to the Fully Managed with Work Profile type. It is recommended to remove them manually.

For more detailed information on KSP policies, see the advanced examples and policy descriptions page of the Knox Service Plugin admin guide.

NOTE — If the package name of an application currently being installed matches a package name pattern in both the blocklist and allowlist, the allowlist takes priority and the application is installed. If there are packages on the Application Blocklist by Pkg Name policy, we recommend adding the Knox Manage agent package (com.sds.emm.cloud.knox.samsung) to the Application Allowlist by Pkg Name policy to ensure that Knox Manage works well on the device. You can access this option by going to Profile > Samsung Knox > Knox Service Plugin > Separated Apps policies > Device-wide policies > Application management policies > Application Allowlist by Pkg Name, Application Blocklist by Pkg Name.

APN

Configures the device's Access Point Name (APN) settings for cellular data connectivity.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

IMPORTANT — If you're configuring an APN for a Samsung device running Android 11 and lower, don't configure an APN for both the Android Enterprise profile and Samsung Knox profile types. Configure it for only one.
Policy Description Supported system
Configuration ID

Specifies the name of the APN configuration. Each configuration name must be unique.

Values

Enter a name.

Android 6–11
Description

Specifies the description of the APN configuration.

Values

Enter a description.

Android 6–11
Remove available

Toggles whether the device user can delete the APN.

Values

  • Allow (default)
  • Disallow
Android 6–11
Access Point Name (APN)

Specifies the name of the APN, which is comprised of the network identifier and optional operator identifier.

Values

Enter a name.

Android 6–11
Access Point Type

Specifies which connection services to allow for this APN.

Values

  • Default — Allows all services. Also known as unspecified.
  • MMS — Allows only the Multimedia Messaging Service (MMS).
  • Supl — Allows only the Secure User Plane Location (SUPL) service, which is an IP-based protocol that uses GPS for device geolocation.
Android 6–11
Mobile Country Code (MCC)

Specifies the MCC of the APN.

Values

Enter a 3-digit MCC.

Android 6–11
Mobile Network Code (MNC)

Specifies the carrier's MNC for the APN.

Values

Enter a 2- or 3-digit MNC.

Android 6–11
MMS Server (MMSC)

Specifies the address of the carrier's MMS server.

Values

Enter a URL.

Android 6–11
MMS Proxy Server

Specifies the address of the carrier's MMS proxy server.

Values

Enter an IP or domain.

Android 6–11
MMS Proxy Server Port

Specifies the port of the carrier's MMS proxy server.

Values

Enter a port.

Android 6–11
Server

Specifies the address of the carrier's wide area network (WAN) server.

Values

Enter a URL.

Android 6–11
Proxy Server

Specifies the address of the carrier's WAN proxy server.

Values

Enter a URL.

Android 6–11
Proxy Server Port

Specifies the port of the carrier's WAN proxy server.

Values

Enter a port.

Android 6–11
Access Point Username

Specifies the account username to use when connecting to the APN.

Values

Enter a username. By default, the field contains the ${UserName} lookup item, which substitutes for the username associated with the device in KM.

Android 6–11
Access Point Password

Specifies the account password to use when connecting to the APN.

Values

Enter a password.

Android 6–11
Authentication Method

Specifies the protocol to use when authenticating with the APN.

Values

  • None — Disables authentication.
  • PAP — Uses the Password Authentication Protocol (PAP), which requires a username and password.
  • CHAP — Uses the Challenge-Handshake Authentication Protocol (CHAP), which implements challenge messages to validate identities.
  • PAP or CHAP — Uses either the PAP or CHAP method, depending on which is available.
Android 6–11
Set as Preferred APN

Makes this the priority APN configuration on the device.

Values

Select to enable.

Android 6–11