Home / Knox Platform for Enterprise / Knox Service Plugin / Configure advanced policies /

Advanced restrictions in work profile

Last updated May 7th, 2026

Refer to the following to manage advanced restriction policies for personal devices with a work profile.

Create an advanced restriction configuration

  1. On your EMM console, add an assignment for the Knox Service Plugin app intended for your target devices, or edit it if one already exists.

  2. On the Knox Service Plugin managed configuration, set the following to enable Advanced Restriction policies in the work profile:

    Setting Value
    Work profile policies > Enable work profile policies True
    Work profile policies > Advanced Restriction in work profile (Premium) > Enable Advanced restrictions in work profile True

    Now you can proceed to set the Advanced Restriction policies below.

Advanced restrictions in work profile

  • Allow process data only on device — Enable to process data only on the device. This setting appears on the device when you activate your Samsung Account. Supported on some flagship models running OneUI 6.1 and higher. Learn more about controlling Galaxy AI.

  • Block all galaxy AI — Set True to disable all Galaxy AI features. Only supported on devices running Knox 3.11 and higher. Learn more about controlling Galaxy AI.

  • Block individual galaxy AI operations — Disable select Galaxy AI features. Only supported on devices running Knox 3.11 and higher. Learn more about controlling Galaxy AI. Selecting All here only disables the following menu items:

    • Call Assist
    • Writing Assist
    • Interpreter
    • Note Assist
    • Transcript Assist
    • Browsing Assist
    • Photo Assist
    • Creative Studio (previously Drawing Assist)
    • All

  • Privacy Display operation — Control the privacy display on Galaxy S26 Ultra devices.

    This feature is only supported on Galaxy S26 Ultra devices running Android 16 (One UI 8.5) with Knox 3.13 or higher. Additionally, devices must have updated to at least the first maintenance release of One UI 8.5 to use this feature.

    • Add package names — Specify package names to apply privacy display only to specific applications.

    • Allow user to change work tab — Set False to prevent device users from modifying which apps have privacy display enabled.

  • Allow remote control — Set False to block device connections using third-party remote control apps.

On this page

Is this page helpful?