Advanced Restriction policies

Last updated April 10th, 2024

These restrictions are a dedicated group of controls to manage advanced restriction policies. A free Knox Platform for Enterprise Premium license is required for advanced restriction policies. These policies include — but are not limited to — the following:

  • Wi-Fi and Bluetooth scanning
  • Remote control to block device connections using 3rd party applications
  • Common criteria
  • Dual SIM device enable/disable
  • Wireless Intrusion Prevention Support (WIPS)

Create an advanced restriction configuration

  1. In your UEM console, open the Device Configuration Profile associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.

  2. On the Properties page, in the Settings list, click Configure. The OEMConfig page for the Device Configuration Policy opens.

  3. Next to the Work profile policies (Profile Owner) field, click Configure. The Work profile policies (Profile Owner) page opens.

  4. Next to the Advanced Restriction Policy field, click Configure.

  5. Set the following advanced restriction values as needed:

    • Set the Enable advanced restriction controls value to True to enable the following advanced restriction controls on a target device.

      • Refer to the Allow Wi-Fi scanning setting and click False to block the device from scanning for in-range Wi-Fi networks, which it otherwise does to improve location detection accuracy. This setting is only available with Knox 3.2 and above devices.

      • Refer to the Allow bluetooth scanning setting and click False to block the device from scanning for in-range Bluetooth devices, which it otherwise does to improve location detection accuracy.

      • Set the Allow remote control value to False to block connections to the device using 3rd party control applications. This setting is only available with Knox 3.0 and above devices.

      • Refer to the Enable Common Criteria (CC) mode setting and click True to enable services to bring the device into a CC mode compliant evaluated configuration. If enrolled in a UEM, the CC mode setting is defined at the UEM level.

      • Set the Allow dual SIM operation policy to False to block all mobile service (mobile data, calls, SMS) on the second SIM slot of dual-SIM devices.

        This policy is only available on devices running One UI 6.0 and lower. For One UI 6.0, the policy controls the secondary physical SIM, but eSIMs are left unmanaged. To also disable eSIMs on One UI 6.0, use the Allow eSIM operation policy.

      • Set the Enable WIPS Control value to True to enable WIPS enforcement and protection options for the device. If disabled, changes to other WIPS settings have no impact.

        • Set the Allow WIPS Enforcement value to 1 to enforce this feature and disallow a device user from bypassing WIPS protection. Set this value to 0 to permit a device user to bypass WIPS.

        • Set the Allow WIPS Advance Protection value to 1 to disallow a device user from changing the WIPS configuration. Setting this value to 0 turns this setting off and permits a device user to change WIPS settings.

      • Refer to the Set USB Device Connection Type control and set it to one of DEFAULT, MTP, PTP, MIDI, or CHARGING to define the USB connection type utilized by the device.

  6. Click OK. The updated advanced restriction settings are saved and deployed to devices based on the deployment schedule.
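
A pre-deployment check for the values chosen in step 5, as an added example that is not part of the original page or of Samsung's code: it flags settings that the page says have no effect (controls set while the master or WIPS switch is off) and values outside the documented ones. The dictionary key names and the lint_advanced_restrictions function are hypothetical stand-ins for the console labels, and the eSIM policy is assumed to sit in the same dictionary.

```python
# Key names are hypothetical stand-ins for the console labels on this page,
# not the plugin's real managed-configuration keys.
MASTER = "enable_advanced_restriction_controls"
WIPS_MASTER = "enable_wips_control"
WIPS_FLAGS = ("allow_wips_enforcement", "allow_wips_advance_protection")
USB_TYPES = {"DEFAULT", "MTP", "PTP", "MIDI", "CHARGING"}


def lint_advanced_restrictions(policy, one_ui=None):
    """Return (code, key) findings for settings that are invalid or have no effect.

    policy: dict of setting -> value; one_ui: (major, minor) tuple, None if unknown.
    """
    findings = []
    # Nothing in the group applies unless the master switch is True.
    if policy.get(MASTER) is not True:
        return [("ignored-master-off", k) for k in sorted(policy) if k != MASTER]

    # WIPS sub-settings have no impact while WIPS control is disabled.
    for key in WIPS_FLAGS:
        if key not in policy:
            continue
        value = policy[key]
        if policy.get(WIPS_MASTER) is not True:
            findings.append(("ignored-wips-off", key))
        elif type(value) is not int or value not in (0, 1):
            findings.append(("invalid-value", key))  # page documents 1 or 0 here

    usb = policy.get("usb_device_connection_type")
    if usb is not None and usb not in USB_TYPES:
        findings.append(("invalid-value", "usb_device_connection_type"))

    # Dual SIM: One UI 6.0 and lower only; on 6.0 eSIMs need their own policy.
    if policy.get("allow_dual_sim_operation") is False and one_ui is not None:
        if one_ui > (6, 0):
            findings.append(("unavailable-on-version", "allow_dual_sim_operation"))
        elif one_ui == (6, 0) and policy.get("allow_esim_operation") is not False:
            findings.append(("esim-unmanaged", "allow_esim_operation"))
    return findings


# Constructed sample profile, not exported from a real console.
SAMPLE = {MASTER: True, "allow_remote_control": False, WIPS_MASTER: False,
          "allow_wips_enforcement": 1, "usb_device_connection_type": "CHARGING",
          "allow_dual_sim_operation": False}

if __name__ == "__main__":
    for code, key in lint_advanced_restrictions(SAMPLE, one_ui=(6, 0)):
        print(f"{code}: {key}")
```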
