Advanced Restriction policies
Last updated February 26th, 2025
These restrictions are a dedicated group of controls to manage advanced restriction policies. A free Knox Platform for Enterprise Premium license is required for advanced restriction policies. These policies include — but are not limited to — the following:
- Wi-Fi and Bluetooth scanning
- Remote control to block device connections using 3rd party applications
- Common criteria
- Dual SIM device enable/disable
- Wireless Intrusion Prevention Support (WIPS)
Create an advanced restriction configuration
- On your EMM console, add an assignment for the Knox Service Plugin app intended for your target devices, or edit it if one already exists.
- On the Knox Service Plugin managed configuration, set the following to enable Advanced Restriction policies in the primary profile:

  | Setting | Value |
  | --- | --- |
  | Device-wide policies > Enable device policy controls | True |
  | Device-wide policies > Advanced Restriction policies (Premium) > Enable Advanced restrictions controls | True |

Now you can proceed to set the Advanced Restriction policies below.
Advanced Restriction policies
- Allow Wi-Fi scanning — Set False to block the device from scanning for in-range Wi-Fi networks, a scan the device otherwise uses to improve location detection accuracy. This setting is only available with Knox 3.2 and above devices.
- Allow bluetooth scanning — Set False to block the device from scanning for in-range Bluetooth devices, a scan the device otherwise uses to improve location detection accuracy.
- Allow remote control — Set False to block connections to the device using 3rd party control applications. Only supported on devices running Knox 3.0 and higher.
- Allow process data only on device — Enable to process data only on the device. This setting appears on the device when you activate your Samsung Account. Supported on some flagship models running OneUI 6.1 and higher. Learn more about controlling Galaxy AI.
- Block all galaxy AI — Set True to disable all Galaxy AI features. Only supported on devices running Knox 3.11 and higher. Learn more about controlling Galaxy AI.
- Block individual galaxy AI operations — Disable select Galaxy AI features. Selecting All here only disables the eight items listed in the menu. Only supported on devices running Knox 3.11 and higher. Learn more about controlling Galaxy AI.
- Enable Common Criteria (CC) mode — Set True to enable services to bring the device into a CC mode compliant evaluated configuration. If enrolled in a UEM, the CC mode setting is defined at the UEM level.
- Allow dual SIM operation — Set False to block all mobile service (mobile data, calls, SMS) on the second SIM slot of dual-SIM devices.

  To control dual-SIMs and eSIMs on devices running OneUI 7.0 and higher, please use Sim management operation policies instead.

  On OneUI 6.0 and 6.1.1, the Allow dual SIM operation policy can only control physical SIMs on a device. To control eSIMs, see the Allow eSIM operation policy.

  For devices below OneUI 6.0, setting Allow dual SIM operation to False can also block eSIMs.
- Allow eSIM operation — Set False to block eSIMs on the device, restricting the device to only the physical SIM. Only supported on devices running OneUI 6.0 and higher.
- Sim management operation — Policies to manage physical SIMs and eSIMs. Only supported on devices with OneUI 7.0 running Knox 3.11 and higher.
  - Physical SIM control — Configure the number of physical SIMs allowed on the device.
  - eSIM control — Configure the number of eSIMs allowed on the device.
  - SIM Lock Control with PLMN — Only allow SIMs with the specified PLMN (MCC and MNC combination) to function on the device. You can use a regular expression to target specific groups of PLMNs.
- Allow SOS call with side key pressing — Set False to disable the default side key behavior of making an SOS call when the key is pressed 5 times consecutively. This policy is only supported on devices running Knox 3.11 and higher.
- Enable WIPS Control — Set True to enable WIPS enforcement and protection options for the device. If disabled, changes to other WIPS settings have no impact.
- Allow WIPS Enforcement — Set to 1 to enforce this feature and disallow a device user from bypassing WIPS protection. Set this value to 0 to permit a device user to bypass WIPS.
- Allow WIPS Advance Protection — Set to 1 to disallow a device user from changing the WIPS configuration. Setting this value to 0 turns this setting off and permits a device user to change WIPS settings.
- Set USB Device Connection Type — Set to either DEFAULT, MTP, PTP, MIDI, or CHARGING to define the USB connection type utilized by the device.
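
A pre-deployment check for a SIM Lock Control with PLMN pattern, as an added example that is not Samsung's code. It assumes a PLMN is written as the 3-digit MCC followed by a 2- or 3-digit MNC with no separator, and because this page does not say whether the pattern must match the whole PLMN or any part of it, it reports both; the function name `audit` and the sample PLMNs are constructed.

```python
import re

# Constructed sample PLMNs (assumed format: MCC + MNC, digits only).
# The 5- and 6-digit values deliberately share prefixes, which is where
# a loosely written pattern admits more operators than intended.
UNIVERSE = {"00101", "00102", "001010", "001011", "99901", "999010"}


def audit(pattern, intended, universe=UNIVERSE):
    """Compare what a PLMN pattern admits with what the admin intended.

    Returns a dict of sorted lists:
      missed        - intended PLMNs the pattern rejects as a full match
      extra_full    - unintended PLMNs admitted when the whole PLMN must match
      extra_partial - further unintended PLMNs admitted only if a match
                      anywhere inside the PLMN is accepted
    """
    intended = set(intended)
    for plmn in universe | intended:
        if not re.fullmatch(r"\d{5,6}", plmn):
            raise ValueError(f"not a 5- or 6-digit PLMN: {plmn!r}")
    rx = re.compile(pattern)
    full = {p for p in universe if rx.fullmatch(p)}
    partial = {p for p in universe if rx.search(p)}
    return {
        "missed": sorted(intended - full),
        "extra_full": sorted(full - intended),
        "extra_partial": sorted(partial - full - intended),
    }


if __name__ == "__main__":
    wanted = {"00101", "00102"}
    for pattern in ("0010[12]", "^0010[12]$", r"001\d{2}", "001.*"):
        print(f"{pattern!r:14} {audit(pattern, wanted)}")
```

An empty `extra_full` with a non-empty `extra_partial` means the pattern is only safe under whole-string matching; anchoring it with `^` and `$` removes that dependency.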