Back to top
Home / Knox Platform for Enterprise / Knox Platform for Enterprise knowledge base articles /

How to block Google and Samsung Accounts using KSP

Last updated February 8th, 2024

Categories:

Profile

Environment

  • Android Enterprise
  • Knox Service Plugin (KSP)
  • Google Accounts
  • Samsung Accounts

Overview

A user can add accounts to a device, such as a Google and Samsung account, in Settings > Account and backup > Manage accounts. You can restrict the accounts types and specify accounts of an account type to be blocked by using the Knox Service Plugin (KSP).

How can I block the addition of a Google or Samsung account on a device?

You can prevent accounts from being added to a device by using KSP to set an Account Device Policy. In your EMM, set the following KSP configurations:

For Fully Managed devices:

  1. Set Device-Wide policies > Enable work profile policies to True.

  2. Under Device-Wide policies > Device Account Policy, set the following to True:

    1. Enable Device Account Policy controls.

    2. Enable Device Account policies (Configure profiles below).

For Work Profile or Fully Manged with Work Profile or Work Profile on Company-Owned Devices (WP-C):

  1. Set Work profile policies > Enable device policy controls to True.

  2. Under Work profile policies > Device Account Policy (Premium), set the following to True:

    1. Enable Device Account Policy controls.

    2. Enable Device Account policies (Configure profiles below).

Set the Device Account policy profile:

  1. Go to Device Account Policy Configurations > Device Account Policy Configuration and add a configuration for each account type to be blocked:

    1. Add Account Type to Addition Blocklist:

      • “com.google” for Google accounts.
      • “com.osp.app.signin” for Samsung accounts.

    2. Add Accounts to Addition Blocklist: Enter the list of accounts to be blocked as a comma-separated list. For example, “abc@google.com, xyz@google.com”. You can use a wildcard to specify multiple accounts to blocklisted, for example, “*@google.com” or “.*” for all accounts.

  2. Save and publish the configuration.

When a restricted account is attempted to be added to the device, the message “Security policy prevents addition of this account” will be presented to the user.

On this page

Is this page helpful?