Advanced Restriction policies

Last updated April 10th, 2024

These restrictions are a dedicated group of controls to manage advanced restriction policies. A free Knox Platform for Enterprise Premium license is required for advanced restriction policies. These policies include — but are not limited to — the following:

  • Wi-Fi and Bluetooth scanning
  • Remote control to block device connections using 3rd party applications
  • Common criteria
  • Dual SIM device enable/disable
  • Wireless Intrusion Prevention Support (WIPS)

Create an advanced restriction configuration

  1. On your EMM console, add an assignment for the Knox Service Plugin app intended for your target devices, or edit it if one already exists.

  2. On the Knox Service Plugin managed configuration, set the following to enable Advanced Restriction policies:

    Setting | Value
    Device-wide policies > Enable device policy controls | True
    Device-wide policies > Advanced Restriction policies (Premium) > Enable Advanced restrictions controls | True

    Now you can proceed to set the Advanced Restriction policies below.

Advanced Restriction policies

  • Allow Wi-Fi scanning — set to False to block the device from scanning for in-range Wi-Fi networks, a scan the device otherwise performs to improve location detection accuracy. This setting is only available on devices running Knox 3.2 and above.

  • Allow bluetooth scanning — set to False to block the device from scanning for in-range Bluetooth devices, a scan the device otherwise performs to improve location detection accuracy.

  • Allow remote control — set to False to block connections to the device using 3rd party control applications. This setting is only available with Knox 3.0 and above devices.

  • Enable Common Criteria (CC) mode — set to True to enable services to bring the device into a CC mode compliant evaluated configuration. If enrolled in a UEM, the CC mode setting is defined at the UEM level.

  • Allow dual SIM operation — set to False to block all mobile service (mobile data, calls, SMS) on the second SIM slot of dual-SIM devices.

    On OneUI 6.0 and higher, the Allow dual SIM operation policy can only control physical SIMs on a device. To control eSIMs, see the Allow eSIM operation policy.

    For devices below OneUI 6.0, setting Allow dual SIM operation to False can also block eSIMs.

  • Allow eSIM operation — set to False to block eSIMs on the device, restricting the device to only the physical SIM. This policy is only supported on devices running OneUI 6.0 and higher.

  • Allow SOS call with side key pressing — set to False to disable the default side key behavior of making an SOS call when the key is pressed 5 times consecutively.

    This policy is only supported on devices running Knox 3.11 and higher.

  • Enable WIPS Control — set to True to enable WIPS enforcement and protection options for the device. If disabled, changes to other WIPS settings have no impact.

    • Allow WIPS Enforcement — set to 1 to enforce this feature and disallow a device user from bypassing WIPS protection. Set this value to 0 to permit a device user to bypass WIPS.

    • Allow WIPS Advance Protection — set to 1 to disallow a device user from changing the WIPS configuration. Setting this value to 0 turns this setting off and permits a device user to change WIPS settings.

  • Set USB Device Connection Type — set to either DEFAULT, MTP, PTP, MIDI, or CHARGING to define the USB connection type utilized by the device.
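
The version limits and parent/child dependencies listed above can be checked before a profile is pushed. The following is an added example, not Samsung or Knox Service Plugin code: the dictionary layout, the device attributes `knox` and `oneui`, and the sample values are assumptions, and the keys are the display names from this page, not the plugin's managed-configuration keys.

```python
def ver(s):
    """'3.11' -> (3, 11); a float compare would rank 3.9 above 3.11."""
    return tuple(int(p) for p in s.split("."))

# Policy display name -> (device attribute, minimum version stated on the page)
MIN_VERSION = {
    "Allow Wi-Fi scanning": ("knox", "3.2"),
    "Allow remote control": ("knox", "3.0"),
    "Allow SOS call with side key pressing": ("knox", "3.11"),
    "Allow eSIM operation": ("oneui", "6.0"),
}
PARENTS = ("Enable device policy controls", "Enable Advanced restrictions controls")
WIPS_CHILDREN = ("Allow WIPS Enforcement", "Allow WIPS Advance Protection")

def lint(profile, device):
    """Return findings for settings that will not behave as the profile intends."""
    findings = []
    for parent in PARENTS:
        if profile.get(parent) is not True:
            findings.append(f"{parent} must be True to enable these policies")
    for policy, (attr, minimum) in MIN_VERSION.items():
        if policy in profile and ver(device[attr]) < ver(minimum):
            findings.append(f"{policy} needs {attr} {minimum}, device has {device[attr]}")
    if profile.get("Enable WIPS Control") is not True:
        for child in WIPS_CHILDREN:
            if child in profile:
                findings.append(f"{child} has no impact unless Enable WIPS Control is True")
    if profile.get("Allow dual SIM operation") is False:
        if ver(device["oneui"]) < ver("6.0"):
            findings.append("Allow dual SIM operation=False can also block eSIMs here")
        elif profile.get("Allow eSIM operation") is not False:
            findings.append("eSIMs are not covered: control them with Allow eSIM operation")
    return findings

# Constructed sample profile and device inventory (assumed layout, not KSP's schema)
PROFILE = {
    "Enable device policy controls": True,
    "Enable Advanced restrictions controls": True,
    "Allow SOS call with side key pressing": False,
    "Allow dual SIM operation": False,
    "Allow WIPS Enforcement": 1,
}
OLD_DEVICE = {"knox": "3.9", "oneui": "5.1"}
NEW_DEVICE = {"knox": "3.11", "oneui": "7.0"}

if __name__ == "__main__":
    for name, dev in (("old", OLD_DEVICE), ("new", NEW_DEVICE)):
        for finding in lint(PROFILE, dev):
            print(f"[{name}] {finding}")
```

Versions are compared as integer tuples because Knox 3.11 is newer than Knox 3.9, which a numeric or string comparison gets wrong.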
