App management

This section provides information on how to manage apps using Knox Platform for Enterprise. Note that this is not an exhaustive list of all Knox features, but rather a starting point for IT Admins to use when deploying devices. Check with your MDM for a full list of supported features.

Action when apps are compromised

Knox can identify if an app on a device has been compromised. If it detects an app on the device is different than the one that was loaded through your MDM, the following actions can be taken.

  1. Stop app from running – prevents the app from being launched on the device.
  2. Uninstall – Uninstall the app from the device.
  3. Lock Device – Lock the device screen. Only IT administrators can unlock the device screen.
  4. Report Compliance – Send a message to the IT admin that a compromised app has been detected.
  5. Factory Reset + SD Card Initialization – Factory reset is performed on the device and the SD card is initialized.
  6. Factory Reset (Only) – Factory reset is performed on the device but the SD card is not initialized.

For example, there are the options you can choose if you are using Knox Manage.

Allow / block apps

Knox can control how apps work on your phone. You can prevent a user from installing or launching apps using the allowlist and blocklist.

App blocklist settings

  • Installation Blacklist – Apps on the list cannot be installed and are removed if already installed.
  • Launch Blacklist – Apps on the list can be installed but the app icon is not displayed so user cannot click it.
  • Launch Prevention List – Apps on the list can be installed but the app is not launched even when the user taps on the app icon.

App allowlist settings:

  • App Installation Whitelist – Preloaded apps and apps deployed via MDM are internally included on the allowlist. Apps not included on the allowlist are removed if already installed.
  • Launch Whitelist – Preloaded apps and apps deployed via MDM are internally included on the allowlist.
  • Uninstall Prevention List – Apps on the list cannot be removed from device.

For example, this screenshot below:

  • Automatically uninstalls Chrome (due to the inclusion on the blocklist.)
  • Prevents the S browser from being installed.

Control Android Browser

Knox can enable or disable the native Android browser. This is useful if you have an internal solution that you require employees to use.

If you allow the Android browser, you can choose to control specific assets if needed. These include the following:

  • Cookies - Restrict the use of cookies.
  • JavaScript - Control the use of JavaScript.
  • Autofill - Control the storage of form data.
  • Pop-ups - Control the pop-up blocker.

For example, in this screenshot below, the Android browser is allowed with some restrictions.

  • Cookies, autofill's are not allowed to ensure sensitive employee information is not saved accidentally.
  • The pop-up blocker is enabled. This lowers the chance an employee will click on a malicious pop-up or a phishing attempt.

Managed Google Play

Managed Google Play (formerly called Google Play for Work) lets enterprises use a customized version of the Google Play store that has only apps approved for work.

Enterprises can:

  • Enable Managed Google Play on a device or inside the Android Enterprise work profile container.
  • Silently install and uninstall apps.
  • Add apps to an allowlist or block the apps that are not allowed.
  • Allow Google Voice apps to use voice recognition in addition to the touchscreen keyboard.
  • Allow employees to download apps as needed from Google Play.
  • Manage app updates from Google Play.

Use case

  • A gaming company allows employees to download and try games on corporate issued mobile phones, but wants enterprise apps managing confidential data to be secured on the phones.
  • An enterprise IT admin uses an MDM console to push the Managed Google Play store on mobile phones, and adds to an allowlist the gaming apps that employees can freely install on their phones.
  • To secure corporate data on the phone, the IT admin creates a Work container on each phone, and allows only the apps managing confidential data.


  • Employees are more productive using a wide range of apps on a mobile device.
  • Enterprises have the flexibility to manage many apps in Google Play, controlling what apps employees can use through allowlists and blocklists

Control Google Play

Knox allows you to disable Google Play on your devices. This combined with the policy disable app installation from unknown sources helps ensure that only approved apps pushed through an MDM are installed.

In this example below, we prevent users from installing apps from unknown sources and accessing the Play Store.

App push without Google Play

Knox can push a single app form an app store without requesting the user to install Google Play. In this example below, we are searching through Google Play to push an app to a device.

Push an APK with an MDM policy

You can push any APK to a device using your MDM. In this example below, we add the Samsung messaging app to our internal application repository. This is useful if you have internal apps that you need to install on your devices.