Apply basic policies

Before setting any policies, ensure you have met the following prerequisites. Refer to your UEM documentation for instructions on how to complete these steps.

1. Your devices are set up in either a DO or PO deployment mode.

2. You have set up a Managed Google Play store.

3. You have added KSP as an approved app.

Set a standard policy

Device Owner (DO)

This example demonstrates how to use a device-wide (DO) policy that requires a fingerprint as the minimum password strength. This configuration is applied to the entire device. You can repeat this sequence of steps for any policy that falls under the Device-wide policies (Device Owner) category.

1. In your supported UEM, under the Device-wide policies (Device Owner) category, turn on Device Wide Policy Controls.

2. Under Password policy turn on Enable password policy controls with KSP.

3. Under Biometric authentication turn on Enable fingerprint authentication.

4. In your UEM, save the profile and push it to a device.

5. Your policies are now applied.

   

Profile Owner (PO)

This example demonstrates how to use a profile-wide policy that disables the Android Allow Share Via feature. The particular policies used in this section require a free Knox Platform for Enterprise Premium license key. You can repeat this step sequence for any policy under the Work profile policies (Profile Owner) category.

1. In your supported UEM, under the Work profile policies (Profile Owner) category, turn on Enable work profile policy controls.

2. Under Device Restrictions turn on Enable device restriction controls.

3. If required, enter your Knox Platform for Enterprise Premium License Key. If your UEM natively supports Knox Platform for Enterprise Premium license activation, you don’t need to fill out this field. Check with your UEM for more information.

4. Disable Allow Share Via option.

5. In your UEM, save the profile and push it to a device.

6. Your policies are now applied.

Here is an example of a success message and an error message. The error message occurs if you try to apply a Premium policy to a device without first activating a Knox Platform for Enterprise Premium license key.

Set multiple policy parameters

Some policies allow you to select more than one option as a parameter. With these policies, you can individually select which parameters to enable or disable. In some cases, you may need to deselect policy parameters that you do not want to apply. For example, we set the USB exception list to allow only Audio and Human Interface Device. The following image shows a policy with multiple options applied.

To revoke multiple polices, simply deselect the polices you want to change and push the updated configuration profile to your devices.

Set group policies

Some policies are actually a subset of a larger group policy. With these policies, you must enable the group policy before you can modify any individual parameters. For example, we must first turn on Tethering controls before we can access the Allow Wi-Fi tethering and Allow Bluetooth tethering settings. The following image illustrates these settings.

Target a specific app

To target a specific app, you need to use the app package name in conjunction with a KSP policy.

1. In your supported UEM, under the Device-wide policies (Device Owner) category, turn on Enable application management controls.

2. Under Application Management policies, enable Enable application management controls with KSP.

3. Under Battery optimization insert the app package name you want to target, for example, com.samsung.email.provider.

   • If you want to add more than one app, enter a comma separated list of package names, for example com.samsung.email.provider, com.samsung.android.app.notes, com.sec.android.app.voicenote.

   • If you need to remove an app from a previously applied policy, simply remove the app package from your comma separated list and re-apply the configuration.

     

One way to find an app’s package is to search for it on Google Play in a browser. You see the app package appended to the URL in the browser, as seen in the following image.

Enforce a password policy

The first line of defense on a device is a strong device password. KSP offers granular controls for IT admins to enforce the use of a strong password as well as allow or block other authentication methods on a device. For example, let’s turn off biometric authentication methods for devices as well as enforce a specific password policy.

1. In your supported UEM, under the Device-wide policies (Device Owner) category, next to Password Policy, click Configure.

2. On the Password Policy page that opens, set the Enable password policy controls with KSP field to True.

3. Next to the Biometric authentication field, click Configure.

4. On the Biometric authentication page that opens, set all fields to False. Doing so turns off all biometric authentication methods for these devices. Return to the Password policy page.

5. Next to the Password Change field, click Configure.

6. On the page that opens, set the Enforce password change field to True. When you set the Enforce password change field to True, the device user is forced to set up a password — if one was not already set up — or change the password, if a password was previously set on the device.

7. In the Password enforcement timeout field, set a value for the number of minutes up to which the user can cancel or delay the password change. We recommend setting a low value to enforce a password change in a timely fashion. Return to the Password policy page.

8. Next to the Password Restrictions field, click Configure.

9. In the Maximum character sequence length field, set the maximum length of an alphabetic sequence that is allowed for a password.

10. In your UEM, save the profile and push it to a device. Your policy is now updated.

Revoke a policy

Revoking a policy is simple. All you need to do is find the policy you previously enabled and toggle it back off. For example, let’s turn Wi-Fi back on from our previous example.

1. In your supported UEM, under the Device-wide policies (Device Owner) category, turn on Device Wide Policy Controls.

2. Find the previous policy you disabled, for example Allow Wi-Fi.

3. Turn Allow Wi-Fi back on.

4. In your UEM, save the profile and push it to a device.

5. Your policy is now updated.

   

Revoke a group of policies

You can also revoke an entire group of polices if you turn off the respective group control flag. For example, if you turn off Enable device restriction controls, then all device restrictions are revoked.

In addition, if a policy that is related to a configuration is disabled, all the configuration is revoked. For example, if Customize DeX Experience is turned off , then all settings applied from the DeX customization profile are revoked.

Test and debug policies

To test your polices, you use a feature called Debug mode.

1. Turn on Debug mode.

   

2. Set or update the policies you need.

3. Push the policies to a device.

4. Check the KSP app for debug information.

Tips on successful KSP deployments

1. Deploy payloads gradually.

2. Add only a small number of policy changes at a time.

   • Push
   • Test
   • Ensure success

3. Disable debug mode in production after testing.

4. Assign unique profile names in KSP.

Settings can be configured in 2 main areas — the Device wide policies (DO and WP-C) and the Work profile policies (PO).

The sections below these DO and PO configurations are sub sections of the policy, and usually need to be enabled in the DO or PO prior to being configured in the policy.

Inside of each section of the policy, there are typically switches that turn on individual settings.