Application management policies

Last updated October 28th, 2024

As part of your mobile application management strategy, you can employ app management policies to control the installation, access, and permissions of apps in the work profile. You can push these policies to an unlimited number of apps in your EMM.

In your Knox Service Plugin managed configuration, set Application management policies > Enable application management controls to True to enable the following application management settings. If set to False, these settings have no effect.

  • Battery optimization allowlist — Exempt a list of apps from battery usage optimizations. Add application package names as a comma separated list.

  • Notifications allowlist — All apps except for those added to this allowlist are prevented from displaying notifications on the console status bar. Add package names as a comma separated list, and you can also use a wildcard (com.abc*) to target multiple apps.

  • Install app from personal to work profile — Install an existing app from the default personal space to the work profile without device user interaction. Provide a comma separated list of application package names to install apps.

  • Allow USB devices for application configuration — Enable this setting to allow select apps to use specified USB devices.

    To select an app and allow it to use a USB device, go to Allowed USB devices for Applications Configurations and add a new configuration. Enter the following for each configuration:

    • Application Name — Provide the package name of the app you would like to allow for USB configuration.

    • USB Devices Configuration — Define the following values to allow USB device access for the app above:

      • Product ID — Hex value of the USB device Product ID.

      • Vendor ID — Hex value of the USB device Vendor ID.

  • Application Allowlist by Pkg Name — Allow apps intended for installation on the work profile. Specified third-party apps not part of the device system image can be installed on the work profile if they’re on the allow list. Add apps as a comma separated list, or use a wildcard (com.abc*) to target multiple apps. If an app is in both the allow list and block list, then the allow list takes precedence and the app is installed.

  • Application Blocklist by Pkg Name — Block apps by package name and prevent them from being installed on the work profile. Specified third-party app names not part of the device system image can’t be installed if they’re on the block list. Add apps as a comma separated list, or use a wildcard (com.abc*) to target multiple apps. If an app was already installed before it was added to this block list, then this block list has no effect on the app.

  • Application Allowlist by Signature used — Allow third-party apps intended for installation on the work profile based on the app’s signature. Enter application signatures as a comma separated list, or use a wildcard (com.abc*) to target multiple apps. If an app is in both the allow list and block list, then the allow list takes precedence and the app is installed.

  • Application Blocklist by Signature used — Block apps by their signature and prevent them from being installed on the work profile. Specified third-party application signatures that are not part of the device system image can’t be installed if they’re on the block list. Enter application signatures as a comma separated list, or use a wildcard (com.abc*) to target multiple apps. If an app was already installed before it was added to this block list, then this block list has no effect on the app.

  • Disable application without user interaction — Disable specific apps without device user interaction. A disabled app is not uninstalled, but it can’t be launched by the device user. This control doesn’t affect the app state. Add package names as a comma separated list.

  • Force Stop Blocklist — Prevent the user from stopping specified apps. Stop actions include a force stop in the Settings app, stopping through third-party apps, stopping any background process, and stopping any process from the app. Enter the values as a comma separated list, or use a wildcard (com.abc*) to target multiple apps.

  • Widget Allowed List and Widget Blocked List — Allow or block a set of widgets. If an allowlist is implemented, all other widgets not matching the list are blocked. If a block list is implemented, only the widgets in the list are blocked and any existing widgets are removed. If a widget package name exists in both allow and block lists, then the allow list takes precedence and the widget is allowed to run. This feature requires Android 11 or higher.

  • Package Name for Auto-Launch — Set an app to auto launch after installation. Additionally, specify a component name along with the app package name in the PackageName/ComponentName format to launch a specific screen. If no component name is provided, the launch screen of the app is displayed.

  • Enable permission controls — Enable special access permission grants for select apps. This feature means that apps requiring special access permissions can run without prompting the device user with a permission request.

    To select an app and grant it special permissions, go to Permission Controls and add a new configuration for each app you want to grant special access permissions. For each configuration:

    • Permission Policy — Select which permissions to grant:

      • All files access
      • Appear on top
      • Change system settings
      • Notification access
      • Alarms & Reminders
      • Usage data access
      • ALL
    • Package or Component Name — Enter the package name of the app to receive the above permissions. If you’ve selected Notification access or ALL permissions above, then you must enter both the package name and the component name of the app in the format: PackageName/ComponentName.
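
Because the allow list takes precedence over the block list and both accept wildcards, a broad allow entry such as com.abc* can silently cancel a specific block entry. The following check is an added example, not Knox Service Plugin code; it assumes `*` matches any run of characters (the page shows only the trailing form), and all package names are constructed.

```python
import re

def parse_list(value):
    """Split a comma separated policy value into trimmed, non-empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]

def matches(pattern, package):
    """Match a package name against one entry ('*' assumed to match any characters)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, package) is not None

def decide(package, allowlist, blocklist):
    """Return (decision, allow_hits, block_hits) for one package name."""
    allow_hits = [p for p in allowlist if matches(p, package)]
    block_hits = [p for p in blocklist if matches(p, package)]
    if allow_hits:
        decision = "allowed"    # allow list takes precedence over the block list
    elif block_hits:
        decision = "blocked"
    else:
        decision = "unlisted"   # the page does not define this case for apps
    return decision, allow_hits, block_hits

def overridden_blocks(packages, allowlist, blocklist):
    """Packages that a block entry names but an allow entry still lets through."""
    found = {}
    for pkg in packages:
        decision, allow_hits, block_hits = decide(pkg, allowlist, blocklist)
        if decision == "allowed" and block_hits:
            found[pkg] = (allow_hits, block_hits)
    return found

# Constructed sample values, not real policy content
ALLOW = parse_list("com.abc*, com.example.mail")
BLOCK = parse_list("com.abc.games, com.example.chat*, ")
PACKAGES = ["com.abc.games", "com.abc.docs", "com.example.chat.lite", "org.sample.notes"]

if __name__ == "__main__":
    for pkg in PACKAGES:
        print(pkg, "->", decide(pkg, ALLOW, BLOCK)[0])
    print("ineffective block entries:", overridden_blocks(PACKAGES, ALLOW, BLOCK))
```

Run it against the package names you intend to block before pushing the policy; any package it reports is still installable despite its block entry.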
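
Permission Controls and Allowed USB devices entries grant access without a prompt, so malformed values are worth catching before deployment. This added example (not Knox Service Plugin code) checks the two format rules stated above: Notification access or ALL requires PackageName/ComponentName, and USB IDs are hex values. The function names, the name patterns and the optional 0x prefix are assumptions, and the sample entries are constructed.

```python
import re

# Permission names as listed on this page; these two need a component name.
PERMISSIONS = {"All files access", "Appear on top", "Change system settings",
               "Notification access", "Alarms & Reminders", "Usage data access", "ALL"}
NEEDS_COMPONENT = {"Notification access", "ALL"}

# Assumption: package names are dot-separated identifiers with at least two segments.
NAME = r"[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+"
COMPONENT = NAME + r"/\.?[A-Za-z][A-Za-z0-9_.$]*"
# USB vendor and product IDs are 16-bit; accepting a 0x prefix is an assumption.
HEX_ID = r"(?:0[xX])?[0-9A-Fa-f]{1,4}"

def check_permission_entry(policies, target):
    """Return a list of problems for one Permission Controls configuration."""
    problems = [f"unknown permission: {p}" for p in policies if p not in PERMISSIONS]
    if NEEDS_COMPONENT & set(policies):
        if not re.fullmatch(COMPONENT, target):
            problems.append("Notification access or ALL needs PackageName/ComponentName")
    elif not re.fullmatch(f"{NAME}|{COMPONENT}", target):
        problems.append("target is not a package or component name")
    return problems

def check_usb_entry(package, vendor_id, product_id):
    """Return a list of problems for one allowed-USB-device configuration."""
    problems = []
    if not re.fullmatch(NAME, package):
        problems.append("Application Name is not a package name")
    for label, value in (("Vendor ID", vendor_id), ("Product ID", product_id)):
        if not re.fullmatch(HEX_ID, value.strip()):
            problems.append(f"{label} is not a 16-bit hex value: {value!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample entries
    print(check_permission_entry(["Notification access"], "com.example.app"))
    print(check_permission_entry(["ALL"], "com.example.app/.NotifyListener"))
    print(check_usb_entry("com.example.scanner", "0x1234", "ABCDE"))
```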