
Knox policies in the personal side

As described in device management modes, Android 11:

  • deprecates the fully managed device with a work profile, to protect user privacy on company devices that enable personal usage
  • provides a new work profile on company-owned device, which offers greater privacy to the end user while still offering the IT admin a sufficient level of control to protect corporate assets

This page summarizes the Knox policies that can and can't be applied to the personal side of company-owned devices with Android 11.

For similar lists of the Android policies that can and can't be applied to the personal side, see Google's EMM migration guidelines > Appendix A and B (requires partner login) or Android policies in the personal side.

Knox policies allowed

For a more granular list of the atomic actions allowed, see the developer version of the list.

  1. Account management (Google account, Samsung account, and so on)
  2. App installation or update restrictions (allow and block lists for apps by package name/permission/signature)
  3. App start/stop
  4. AuditLog
  5. Bluetooth advanced settings (via BluetoothPolicy, except for BluetoothLog)
  6. Camera, microphone, screen capture, video recording
  7. Common Criteria (CC) mode
  8. Connectivity (Call/Emergency Call/SMS/MMS/Roaming/Wi-Fi/Wi-Fi Scanning/Bluetooth/BLE/Tethering/USB debugging/USB MTP/USB host/Mock Location/Cellular Data/Wi-Fi Direct/airplane mode/data saving/RCS) restrictions
  9. Customization features (via SystemManager, SettingsManager, ProKioskManager)
  10. DeX management
  11. Device inventory (for asset management)
  12. Email/EAS/LDAP management and restrictions
  13. Firmware/FOTA auto-update restrictions
  14. Font/date time configuration
  15. GPS change restriction (via setGPSStateChangeAllowed)
  16. Google crash report restriction
  17. Hypervisor Device Manager (HDM)
  18. Kiosk mode
  19. Lockscreen customization
  20. Multi-user mode restrictions (via allowMultipleUsers)
  21. NFC controls (for example, turn on/off) and restrictions
  22. On-device firewall management
  23. Password complexity management
  24. Power off/power saving restrictions
  25. Reboot banner customization (US DoD requirement)
  26. Remote control (screen sharing/remote input injection) restriction
  27. SDCard access restrictions
  28. SIM PIN Lock
  29. System app force stop restriction (via allowStopSystemApp)
  30. Wallpaper change restriction
  31. Wi-Fi advanced settings (via WifiPolicy)
  32. Widget installation (allow and block lists)

Knox policies not allowed

If you must use one of these prohibited policies, consider using Separated apps instead of work profile on company-owned device.

  1. Access Point Name (APN) settings
  2. App configuration (via setApplicationRestrictions)
  3. App data/cache deletion restriction
  4. App default settings
  5. App silent installation/uninstallation/update
  6. App status/usage/focus monitoring
  7. App uninstallation/force stop/prevent start restriction
  8. Bluetooth Log
  9. Browser settings (popup blocker, cookie setting, auto-fill, HTTP proxy, etc.)
  10. Client Certificate Management (via ClientCertificateManager, CertificateProvisioning, CertificatePolicy)
  11. Clipboard access/sharing restrictions (including per-app clipboard disabling)
  12. Clipboard data add/get/clear
  13. Device admin (DA) controls
  14. Device wipe
  15. Enterprise billing
  16. Factory reset
  17. Global Proxy
  18. Google Account auto-sync restriction
  19. Google backup restriction
  20. Knox Platform for Critical Communication (KPCC) PS-LTE features such as DRX value settings and allowing access to restricted network capabilities
  21. Location services, including geo-fencing (except for GPS state change restriction via setGPSStateChangeAllowed)
  22. Network Platform Analytics (NPA)
  23. Rich Communication Services (RCS) message monitoring
  24. TIMA KeyStore
  25. Universal Credential Management (UCM)
  26. User/multi-user granular restriction/management like allowUserCreation (except for the multi-user mode restriction via allowMultipleUsers)
  27. VPN