
Samsung Knox running Android Enterprise

Create a profile and register policies specific to Samsung devices enrolled under Android Enterprise.

System

Provides data sharing or save settings, developer options, and other features.

Interface

Controls the network settings, such as Wi-Fi Hotspot and Bluetooth tethering, and controls the USB media player settings.

Security

Configures security settings, such as the Google Android security update policy.

Kiosk

Configures the Kiosk device settings.

Application

Configures the battery optimization exceptions setting.

Browser

Configures the settings for the default web browser and Chrome browser.

Phone

Configures the phone settings, such as the cellular network settings.

Custom Animation

Set up the boot/shutdown animation and sound.

Work Profile

Configures Work Profile settings, such as data and file sharing.

Firewall

Configures the IP or a domain firewall policy for each application.

DeX

Allows the use of DeX mode, an interface to use a mobile device like a desktop.

APN

Configures the APN (Access Point Name) settings.

System

Policy

Description

Supported devices

Remote control

Allow or block third party remote control apps to access the device for Fully Managed (DO) or Work Profile (PO) devices.

PO: Samsung Knox 3.0 or higher

Domain blacklist Settings

Allow using the domain blacklist.

 

> Domain blacklist

Enter a domain blacklist that should not be used when registering an Exchange or email account.

  • To add a domain, enter the domain name in the field, and click .
  • To delete a domain, click next to the added domain name.

DO: Samsung Knox 1.0 or higher

Power off

Allows powering off the device.

NOTE—

  • If this policy is disallowed, the user cannot turn off the device and cannot perform a factory reset.
  • The device command from an administrator for factory reset is also blocked.

DO: Samsung Knox 1.0 or higher

OTA Upgrade

Allows an OTA upgrade for the device.

DO: Samsung Knox 1.0 or higher

Settings

Allows the configuration changes within the System Settings.

DO: Samsung Knox 1.0 or higher

Expand status bar

Allows the expansion of the status bar.

DO: Samsung Knox 1.0 or higher

Clipboard

Allows using the clipboard feature and sets the range.

  • Allow: Allows the clipboard feature throughout the entire system.
  • Disallow: Disallows the clipboard feature throughout the entire system.
  • Allow within the same app: Allows using the clipboard feature only within the same application.

DO/PO: Samsung Knox 1.0 or higher

Share via apps

Allows the share app feature.

DO/PO: Samsung Knox 1.0 or higher

Smart Select

Allows using Smart Select, a Samsung device feature that lets users clip content by drawing a circle with the S pen. Clipped content can be used in notes or anywhere else.

DO: Samsung Knox 2.3 or higher

Developer mode

Allows using a developer mode.

DO: Samsung Knox 2.0 or higher

> Mock location

Allows using a mock location, which specifies an arbitrary location for development or test purposes. Use this policy if the location information from the Update Device Information in the Send Device Command seems incorrect.

DO: Samsung Knox 1.0 or higher

> Background process limitation

Allows setting the number of background processes.

If this policy is disabled, the default number of background processes will be set at the maximum number.

DO: Samsung Knox 1.0 or higher

> Quit application upon killing activities

Enables closing all running applications when the user logs out of the device.

If this policy is disabled, the activation setting is disabled on the device and the user cannot control the device settings.

DO: Samsung Knox 1.0 or higher

Reboot banner

Allows using the reboot banner which appears on the user’s device when the device reboots.

DO: Samsung Knox 1.0 or higher

> Reboot banners stationery

Enter the text for the reboot banner. You can enter up to 1000 bytes.

NOTE— You can customize banners for Samsung Knox 2.2+ devices. For Samsung Knox 1.0 devices, only the message or banner registered by the manufacturer is displayed.

DO: Samsung Knox 2.2 or higher

Control Power saving mode

Allows power saving controls on the device.

DO: Samsung Knox 2.8 or higher

Firmware download mode control

Allows using the hardware key on the device to update firmware.

  • Disallow: Disallows updating firmware with the hardware key and performing a factory reset.

DO: Samsung Knox 2.0 or higher

Samsung Keyboard settings control

Allows accessing the settings key from the Samsung keyboard.

DO: Samsung Knox 2.0 or higher

Data Saver Mode

Allows the device to use the data saver mode automatically.

DO: Samsung Knox 3.0 or higher

Enable Common Criteria (CC) Mode

See the policy description for Enable Common Criteria (CC) mode in the Knox Service Plugin admin guide.

Device Customization Controls

See the policy description for Device and Settings customization profile (Premium) in the Knox Service Plugin admin guide.

Whitelisted Device Admin

Enables blocking activation of any applications as device admin, except those specified on the whitelist.

DO: Samsung Knox 3.0 or higher

> Whitelisted Apps

Add applications to the whitelist.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

 

Whitelisted Device Admin (Premium)

See the policy description for Device Admin whitelisting (Premium) in the Knox Service Plugin admin guide.

 

Share Via Options

See the policy description for Allow Share Via option in the Knox Service Plugin admin guide.

DO/PO: Samsung Knox 3.0 or higher

Interface

Policy

Description

Supported devices

NFC Control

Allows NFC (Near Field Communication) control.

NOTE— Android 10 (Q) or higher devices are not supported.

DO: Samsung Knox 1.0 or higher

PO: Samsung Knox 2.4 or higher

USB host storage (OTG)

Allows a device connection via OTG (On the Go). OTG controls only the storage items and not the non-storage items, such as a keyboard or mouse.

NOTE—

To use DeX, configure the policy to allow DeX mode. If the configuration value is set to either allow or disallow, configure the USB exception list as follows:

  • Using DeX only: All block.
  • Using DeX, Keyboard, and Mouse: Hid.
  • Using DeX, Keyboard, Mouse, Ethernet: Hid, Communication, Cdc Data, Vendor Spec.

DO: Samsung Knox 1.0 or higher

> Set usb exception allowed list

Select a USB interface to use if the USB host storage (OTG) policy is disallowed.

 

>> USB exception allowed list

Select the USB interface to use from the USB exception allowed list. For more information, see https://www.usb.org/defined-class-codes.

DO: Samsung Knox 3.0 or higher

Wi-Fi hotspot

Specify using mobile Wi-Fi hotspot on the device.

DO: Samsung Knox 1.0 or higher

Wi-Fi SSID whitelist setting

Allows using the Wi-Fi SSID whitelist. Devices can only connect to the Wi-Fi APs on the whitelist.

NOTE— For non-Samsung devices with Android 8.0 or a higher version, this policy can only be applied after the user agrees to grant access to location information.

 

> Wi-Fi SSID whitelist

Add Wi-Fi APs to the whitelist. This policy is irrelevant to adding or deleting the Wi-Fi setting profile.

  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click .
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click .

DO: Samsung Knox 1.0 or higher

Wi-Fi SSID Blacklist setting

Allows using the Wi-Fi SSID blacklist. Devices cannot connect to Wi-Fi APs on the blacklist.

NOTE— For non-Samsung devices with Android 8.0 or a higher version, this policy can only be applied after the user agrees to grant access to location information.

 

> Wi-Fi SSID Blacklist

Add Wi-Fi APs to the blacklist. This policy is irrelevant to adding or deleting the Wi-Fi setting profile.

  • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add.
  • To add all Wi-Fi APs, click Add all to access the Wi-Fi list.
  • To delete a Wi-Fi AP, select a Wi-Fi SSID and click .

DO: Samsung Knox 1.0 or higher

Wi-Fi auto connection

Allows automatic connection to the Wi-Fi SSID already stored in the device.

DO: Samsung Knox 1.0 or higher

Wi-Fi minimum security level setting

Set a minimum security level for Wi-Fi.

NOTE— The security level increases in the following ascending order: OPEN < WEP < WPA < LEAP, PWD < FAST, PEAP < TLS, TTLS, SIM, AKA, AKA’

DO: Samsung Knox 1.0 or higher

Open Wi-Fi Connection

Allows devices to connect to open and unprotected Wi-Fi access points. If this policy is disallowed, users cannot connect to unsecured Wi-Fi networks.

DO: Samsung Knox 3.0 or higher

Control for Wi-Fi password to be Visible

Makes the password hidden or visible in the network edit dialog.

DO: Samsung Knox 3.0 or higher

Wi-Fi Scanning

See the policy description for Allow wi-fi scanning in the Knox Service Plugin admin guide.

USB tethering

Allows USB tethering.

DO: Android 4.3 or higher, Samsung Knox 1.0 or higher

Bluetooth tethering

Allows Bluetooth tethering to share the internet connection from one device to another.

DO: Samsung Knox 1.0 or higher

Bluetooth UUID Whitelist Setting

Allows connecting Bluetooth devices based on their Universal Unique Identifier (UUID).

 

> Bluetooth UUID whitelist

Select devices to allow Bluetooth connections with. Click the checkboxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.

NOTE— When the policy is updated, the current Bluetooth connection is disconnected. Users must reconnect.

DO: Samsung Knox 1.0 or higher

Bluetooth UUID Blacklist Setting

Allows disconnecting Bluetooth devices based on their Universal Unique Identifier (UUID).

 

> Bluetooth UUID blacklist

Select devices to allow Bluetooth connections with. Click the checkboxes for Audio, File transfer, Phonebook, Headsets, or Hands-free.

NOTE— When the policy is updated, the current Bluetooth connection is disconnected. Users must reconnect.

DO: Samsung Knox 1.0 or higher

Bluetooth Scanning

See the policy description for Allow bluetooth scanning in the Knox Service Plugin admin guide.

USB Debugging

Allows USB debugging.

DO: Samsung Knox 1.0 or higher

PO: Android 5.0 or higher

USB Mediaplayer

Allows the use of an external USB media player on the device.

DO: Samsung Knox 3.0 or higher

Security

Policy

Description

Supported devices

Google Android security update policy

Allows the user to select whether to receive updates on the device.

  • Forced use: Set to receive security updates by default.

DO: Samsung Knox 2.6 or higher

Multifactor Authentication

See the policy description for Enable multifactor authentication (Premium) in the Knox Service Plugin admin guide.

Kiosk

Policy

Description

Supported devices

Task manager

Allow the use of the Task Manager.

DO: Samsung Knox 1.0 - 2.4

System bar

Use the System bar which refers to the Status bar in the Notifications area at the top of the device and the Navigation bar in the Buttons area at the bottom.

For non-Samsung devices, even if you selected either Allow status bar only or Allow navigation bar only, both the status bar and the navigation bar will be disabled.

DO: Samsung Knox 1.0 or higher

Multiple windows

Allows the use of multiple windows. This is available for devices that provide the functionality of multiple windows.

DO: Samsung Knox 1.0 or higher

Air command

Allows the use of Air command. Air command is a function provided on Samsung devices. Menu items appear when the user brings an S pen close to the screen.

NOTE— Air command is not available on Kiosk mode devices with Android Pie (9.0) or higher.

DO: Samsung Knox 2.2 or higher

Air view

Allows the use of Air view. Air view is a function provided on Samsung devices. Users can preview a picture or email when they bring the S pen or finger close to the picture or other content.

DO: Samsung Knox 2.2 or higher

Edge screen

Allows the use of the Edge screen of the device. The Edge screen allows users to create shortcuts on the edges of the screen panel to frequently used applications, favorite contacts, or the camera.

DO: Samsung Knox 2.5 or higher

Application

Policy

Description

Supported devices

Battery optimization exceptions

Set to exempt applications from the battery optimization mode.

NOTE— This policy may cause battery loss.

DO/PO: Samsung Knox 2.7 or higher

> Apps excluded from battery optimization

Add applications to be exempted from battery optimization mode.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

 

Notifications Whitelist

See the policy description for Notifications Whitelist in the Knox Service Plugin admin guide.

Update Policy for Apps in Main User Space

See the policy description for App update controls in the Knox Service Plugin admin guide.

Battery Optimization Exceptions

See the policy description for Battery optimization whitelist in the Knox Service Plugin admin guide.

Notifications Whitelist (Premium)

See the policy description for Notifications Whitelist (Premium) in the Knox Service Plugin admin guide.

Adding Apps from Personal to Work Profile

See the policy description for Allow adding apps from personal space to work profile in the Knox Service Plugin admin guide.

Install App from Personal to Work Profile

See the policy description for Install app from personal to work profile in the Knox Service Plugin admin guide.

Browser

Policy

Description

Supported devices

Cookies

Allows cookies in the Android browser.

NOTE— If cookies are not allowed, you cannot access websites that authenticate users with cookies.

DO: Samsung Knox 1.0 or higher

JavaScript

Allows JavaScript in the Android browser.

DO: Samsung Knox 1.0 or higher

Autofill

Allows auto-completion of information that you enter on websites in the Android browser.

DO: Samsung Knox 1.0 or higher

Pop-up block

Allows blocking pop-ups in the Android browser.

DO: Samsung Knox 1.0 or higher

Browser proxy URL

Set the proxy server address for the Android browser. Enter the value in the form of IP:port or domain:port in the fields.

NOTE—

  • The Chrome browser and Samsung S browser are supported.
  • The supported version for Chrome is Knox 4.0.1 - 5.6.

DO: Samsung Knox 1.0.1 or higher

Phone

Policy

Description

Supported devices

APN Configuration to use for Enterprise Apps

See the policy description for Enterprise Billing policy (Premium) in the Knox Service Plugin admin guide. There are two instances of this policy: one for Fully Managed and one for Work Profile. The latter has an additional sub-policy, Apps to use Enterprise billing (List of Apps that use Enterprise billing in the console), which allows selecting all apps in the Workspace.

Prohibit voice call

Prohibits incoming and outgoing voice calls.

 

> Voice call

Specifies the types of voice calls to block:

  • Incoming: Blocks incoming voice calls only.
  • Outgoing: Blocks outgoing voice calls only.

If both are selected, only emergency calls can be made or received.

DO: Samsung Knox 1.0 or higher

Disallow SMS/MMS

Allows sending and receiving SMS/MMS messages.

 

> Disallow Incoming/Outgoing SMS/MMS

Select the types of SMS/MMS messages to disable.

NOTE— At least one of the types should be selected.

DO: Samsung Knox 1.0 or higher

WAP push during roaming

Allows WAP push communications while roaming.

DO: Samsung Knox 1.0 or higher

Data sync during roaming

Allows data synchronization while roaming.

DO: Samsung Knox 1.0 or higher

Voice calls during roaming

Allows voice calls while roaming.

DO: Samsung Knox 1.0 or higher

Use SIM card locking

Prevents the use of the SIM card on a user device. To use this policy, the default PIN of the SIM card should be entered. Then, the new PIN number for the SIM card should be entered.

If the locked SIM card is registered to another device, the device is locked and the user must enter a valid PIN to unlock it.

DO: Samsung Knox 1.0 or higher

> Default SIM PIN

Enter the default PIN found on the SIM card.

The value must be a number of 4 to 8 digits.

NOTE— This policy is intended for use by Corporate-Owned, Personally Enabled (COPE) devices and is only applied if the PIN found on the SIM card matches the default PIN.

 

> New SIM PIN

Enter the new PIN for the SIM card. The new PIN can be found next to SIM PIN Number in the “Network” tab of the “Device Detail” page.

The value must be a number of 4 to 8 digits.

 

Dual SIM Operation

See the policy description for Allow dual SIM operation in the Knox Service Plugin admin guide.

Cellular Data

Allows the use of a cellular data connection.

DO: Samsung Knox 3.0 or higher

Manage RCS Messaging

Allows Rich Communication Services (RCS) on the device.

DO: Samsung Knox 3.0 or higher

> Set Disclaimer Text for Messages

Set a disclaimer text for all outgoing SMS and MMS messages. The disclaimer text should be limited to 30 characters.

 

Microphone

See the policy description for Allow microphone in the Knox Service Plugin admin guide. There are two instances of this policy: one for Fully Managed and one for Work Profile.

Custom Animation

Policy

Description

Supported devices

Booting Animation

Configures the device boot animation.

DO: Samsung Knox 2.5 or higher

Shutdown Animation

Configures the device shutdown animation.

DO: Samsung Knox 2.5 or higher

NOTE— Refer to the Knox SDK developer guide for instructions on how to create and request a .QMG file. This policy takes effect after a reboot.

Work Profile

Policy

Description

Supported devices

Customize Work Profile Tab Name

See the policy description for Customize work profile tab name in the Knox Service Plugin admin guide.

 
Customize Personal Tab Name

See the policy description for Customize personal tab name in the Knox Service Plugin admin guide.

 
Moving files to Work Profile

See the policy description for Allow moving files from personal space to work profile in the Knox Service Plugin admin guide.

 
Moving files to Personal Space

See the policy description for Allow moving files from work profile to personal space in the Knox Service Plugin admin guide.

 
Set up Application to Data Sync

See the policy description for RCP Data Sync profile Configurations (Premium) in the Knox Service Plugin admin guide.

 
> Display Notifications

See the policy description for Select Application to Data Sync and Select Data Sync Property in the Knox Service Plugin admin guide.

 
> Export Calendar to Personal Space

See the policy description for Select Application to Data Sync and Select Data Sync Property in the Knox Service Plugin admin guide.

 
> Export Calendar to Work Profile

See the policy description for Select Application to Data Sync and Select Data Sync Property in the Knox Service Plugin admin guide.

 

Firewall

Policy

Description

Supported devices

Firewall

Set to use the firewall to set target IP addresses. The firewall policy is enabled by default.

DO/PO: Samsung Knox 1.0 - 2.4.1

> Permitted policy (IP)

Input values to permit the target IP and port address. Configure the following:

1. Enter or click Add to search the Package Name of the application.

2. Input the IP Address (range) and Port (range).

3. Select the Network Type:

  • All
  • Data: Only mobile network access is enabled.
  • Wi-Fi: Only Wi-Fi network access is enabled.

4. Select Port Range:

  • All
  • Local: Port access from the device is enabled.
  • Remote: Port access from the target server is enabled.

5. Click to add.

NOTE— Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited Policy (IP) ranges.

DO/PO: Samsung Knox 2.5 or higher

> Prohibited policy (IP)

Input values to prohibit the target IP and port address. Configure the following:

1. Enter or click Add to search the Package Name of the application.

2. Enter the IP Address (range) and Port (range).

  • Enter a wildcard character (*) as an IP Address to prohibit the use of the bandwidth.

3. Select Network Type:

  • All
  • Data: Mobile network access is disabled.
  • Wi-Fi: Wi-Fi network access is disabled.

4. Select Port Range:

  • All
  • Local: Port access from the device is disabled.
  • Remote: Port access from the target server is disabled.

5. Click to add.

NOTE— Before setting this policy, disable all IPs by entering a wildcard character (*) to the Prohibited Policy (IP) ranges.

DO/PO: Samsung Knox 2.5 or higher

> Permitted policy (Domain)

Input values to permit the target domain address.

1. Enter or click Add to search the Package Name of the application.

2. Input the IP Address (range) and Port (range).

NOTE—

  • Before setting this policy, disable all domains by entering a wildcard character (*) to the Prohibited policy (Domain) ranges.
  • Use a wildcard character (*) to allow the use of a specific domain. The character must be placed before or after the domain name. For example: *android.com / www.samsung*

DO/PO: Samsung Knox 2.6 or higher

> Prohibited policy (Domain)

Input values to prohibit the target domain address.

1. Enter or click Add to search the Package Name of the application.

2. Input the IP Address (range) and Port (range).

NOTE— Use a wildcard character (*) to prohibit a specific domain.

DO/PO: Samsung Knox 2.6 or higher
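
The wildcard rule for Permitted policy (Domain) and Prohibited policy (Domain), modelled as an added example that is not Knox Manage or Knox SDK code. It assumes plain case-insensitive prefix/suffix string matching and that a permitted entry overrides a prohibited one; the package name and the `AppDomainPolicy`, `decide` and `audit` names are hypothetical.

```python
# Added example: a model of the domain wildcard rule described above.
# Not Knox Manage or Knox SDK code; matching semantics are an assumption.
from dataclasses import dataclass, field


def split_pattern(p: str):
    """Return (leading_wildcard, trailing_wildcard, core) for one entry."""
    lead = p.startswith("*")
    trail = len(p) > 1 and p.endswith("*")
    core = p[1 if lead else 0 : len(p) - (1 if trail else 0)]
    return lead, trail, core.lower()


def valid_pattern(p: str) -> bool:
    """'*' alone, or '*' only before and/or after the domain name."""
    if p == "*":
        return True
    _, _, core = split_pattern(p)
    return bool(core) and "*" not in core


def matches(pattern: str, host: str) -> bool:
    """Assumed semantics: plain case-insensitive prefix/suffix matching."""
    if pattern == "*":
        return True
    lead, trail, core = split_pattern(pattern)
    host = host.lower().rstrip(".")
    if lead and trail:
        return core in host
    if lead:
        return host.endswith(core)
    if trail:
        return host.startswith(core)
    return host == core


@dataclass
class AppDomainPolicy:
    package: str                       # constructed package name
    permitted: list = field(default_factory=list)
    prohibited: list = field(default_factory=list)


def decide(policy: AppDomainPolicy, host: str) -> str:
    """Assumption: a permitted entry overrides a prohibited one."""
    if any(matches(p, host) for p in policy.permitted):
        return "permit"
    if any(matches(p, host) for p in policy.prohibited):
        return "prohibit"
    return "unfiltered"


def audit(policy: AppDomainPolicy) -> list:
    """Flag entries that break the documented rules or match too broadly."""
    findings = []
    for p in policy.permitted + policy.prohibited:
        if not valid_pattern(p):
            findings.append(f"{p}: wildcard must be before or after the domain")
    if policy.permitted and "*" not in policy.prohibited:
        findings.append("permitted entries set, but '*' is not prohibited")
    for p in filter(valid_pattern, policy.permitted):
        lead, trail, core = split_pattern(p)
        if p != "*" and lead and not core.startswith("."):
            findings.append(f"{p}: also matches look-alikes such as 'x{core}'")
        if trail:
            findings.append(f"{p}: also matches '{core}.other.example'")
    return findings


if __name__ == "__main__":
    # Constructed policy using the two wildcard forms shown in the NOTE.
    demo = AppDomainPolicy("com.example.app", ["*android.com", "www.samsung*"])
    for line in audit(demo):
        print(line)
    print(decide(demo, "notandroid.com"))
```

Under these assumptions, an entry such as `*.android.com` limits the match to subdomains, whereas `*android.com` also matches any host name that merely ends in that string.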

> DNS setting

Input values to specify the domain server address of all applications or registered applications.

1. Enter or click Add to search the Package Name of the application.

2. Input DNS values.

  • DNS1: Primary DNS.
  • DNS2: Secondary DNS.

NOTE— Only one DNS per application can be set and it is effective only when there are no VPN or Proxy policies assigned to the application.

DO/PO: Samsung Knox 2.7 or higher

DeX

Samsung DeX is an accessory that extends the functionalities of a mobile device. By connecting a monitor, keyboard, and mouse to a DeX docking station, the mobile device can function as a desktop computer.

In Knox Manage, you can allow the use of DeX mode and control applications according to the Application execution blacklist setting.

Policy

Description

Supported devices

Allow DeX Mode

Allows the use of DeX mode.

  • Disallow: The DeX station will not function even if a mobile device is mounted on it.

DO: Samsung Knox 3.0 or higher

> Allow Ethernet Only

Allows ethernet only for DeX. Mobile data, Wi-Fi, and tethering are blocked.

DO: Samsung Knox 3.0 or higher

> App execution blacklist (Android)

Use the blacklist for running DeX applications.

 

>> App execution blacklist

Prohibits launching the specified applications.

When this policy is enabled and applied, the icons of the blocked applications will disappear so that users cannot launch them. However, the applications are not deleted. The icons will reappear once the policy is changed or Knox Manage is disabled.

  • To add an application, click Add, and then select applications in the “Select Application” window.
  • To delete an application, click next to the added application.

NOTE— Any applications that already have been added to the Application whitelist cannot be added to the Application blacklist.

DO: Samsung Knox 3.0 or higher

> Enforce the use of Virtual MAC Address

See the policy description for Enforce the use of virtual MAC address in the Knox Service Plugin admin guide.

Customize Dex Experience

See the policy description for Customize Dex Experience (Premium) in the Knox Service Plugin admin guide.

APN

You can add more APN policy sets by clicking .

Policy

Description

Configuration ID

Enter an ID name to be displayed on the device.

Description

Enter a description for an APN.

Remove available

Allows users to delete APN settings. If you choose Disallow, then the button used to delete APN settings is disabled.

Access Point Name (APN)

Enter the name of the access point.

Access Point Type

Select the type of the access point.

  • Default: default type.
  • MMS: Multimedia Messaging Service.
  • Supl: IP-based protocol to receive GPS satellite signals.

Mobile Country Code (MCC)

Enter the country code for the APN.

Mobile Network Code (MNC)

Enter the carrier network code for the APN.

MMS Server (MMSC)

Enter the server information for sending multimedia messages.

MMS Proxy Server

Enter the information of the proxy server for sending multimedia messages.

MMS Proxy Server Port

Enter the port number of the proxy server for sending multimedia messages.

Server

Enter the WAP gateway server name.

Proxy Server

Enter the information of the proxy server.

Proxy Server Port

Enter the port number of the proxy server.

Access Point Username

Enter the user name of the access point.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Access Point Password

Enter the password of the access point.

You can also click Lookup to open the reference items list and select an item from it. The reference value will be automatically entered.

Authentication Method

Select an authentication method.

  • None: Disables authentication.
  • PAP: Requires a user name and password for authentication.
  • CHAP: Uses encryption with a Challenge string for authentication.
  • PAP or CHAP: Uses the PAP or CHAP authentication method.

Set as Preferred APN

Applies APN settings to the device.