Back to top
Home / Knox Platform for Enterprise / Knox Service Plugin / Configure advanced policies /

Device controls

Last updated July 26th, 2023

Device Controls are a specific group of advanced policies designed to manage APN, NFC, Wi-Fi, Bluetooth, boot banner, battery optimization, device hardware key mapping, and multiple-user policies, to name just a few of a growing list.

  1. In your UEM console, open the Device Configuration Profile associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.

  2. On the Properties page, in the Settings list, click Configure. The OEMConfig page for the Device Configuration Policy opens.

  3. Next to the appropriate Profile Owner or Device Owner field, click Configure.

  4. Navigate to one of the following Device Control Policy fields as needed. Click Configure. Once the updates have been completed Click OK. Updated device control settings are saved and deployed to devices based on the deployment schedule.

APN setting policy

Set the following APN Setting Policy values to create, update, and remove Access Point Name (APN) settings on a device. The following APN settings are configurable as device controls:

  • Set the Enable APN settings policy control to True to change APN configuration settings. If set to False, updated APN settings are ignored.

  • Enter the Name of APN Configuration to add or update <string> for the APN configuration that is added or updated. The name provided must match at least one of the names within the APN configuration > name field.

NFC policy

Refer to the following Near Field Communications NFC Policy settings to define how devices transmit and receive information with on another — via NFC — in close proximity.

  • Set the Enable NFC policy controls value to True to change existing NFC settings. If set to False, NFC setting updates are ignored.

  • Turn on NFC — set to True — to enable NFC functions such as NFC payment systems or NFC tags, etc. If set to False, NFC setting updates will not be implemented.

  • Optionally Allow user to change NFC state — set to True — to permit users to change NFC settings. Click False to restrict users from changing NFC settings on their device.

Wi-Fi policy

Refer to the following Wi-Fi Policy control values to configure a device’s hotspot settings, and manage Wi-Fi profile, connection, and security settings:

  • Set the Enable Wi-Fi policy controls value to True to enable Wi-Fi policy control settings on the device. If set to False, Wi-Fi policy configuration updates are ignored.

  • Set Wi-Fi hotspot SSID <string> to name the Wi-Fi hotspot resource saved on the device. Consider a customized name such as MyMobileWifi as opposed to the default SSID.

  • Refer to the Set Wi-Fi hotspot password parameter and enter a password <string> to enforce password protection when the hotspot is enabled. If this parameter is undefined, users can configure an unsecured hotspot with no password requirement. Ensure the password is at least eight characters long.

  • Set the Allow user to change hotspot setting to True to permit users to change hotspot settings on their device. If set to False, hotspot configuration updates and modifications are not permitted.

  • Set the Allow open Wi-Fi connection value to True to permit devices to connect to an open and unsecured Wi-Fi access point resource. If set to False, non-secure access point connections are not permitted.

  • Set the Allow Wi-Fi User Profile Change value to True to allow the device to connect to available Wi-Fi networks. If set to False, Wi-Fi network connections are not permitted.

  • Set the Allow Wi-Fi User Policy Change value to True to allow the user to modify the device’s Wi-Fi user profile. If set to False, user Wi-Fi profile updates are not permitted.

  • Enter the Block Wi-Fi Network Connection SSIDs <string> to configure a list of blocked network locations to prevent a device user from connecting to them.

  • Ensure the Allow Automatic Wi-Fi Connection to saved SSIDs value is set to True to allow automatic connections to saved SSIDs. Click False to disable automatic connections to saved SSIDs.

  • Refer to the Allow Minimum Wi-Fi Security Requirement option to permit the user to select the minimum security requirement utilized for a Wi-Fi connection. This option is only configurable if the device is restricted from connecting to open Wi-Fi connections. Options include:

    • WEP
    • WPA
    • LEAP, PWD
    • FAST, PEAP
    • TLS, TTLS, SIM, AKA, AKA'

  • Set the Allow Control for Wi-Fi Password to be Visible value to True to display the password within the network edit dialogue. Click False to hide the password.

  • Refer to Allow to configure Wi-Fi (Configure details below) to configure a Wi-Fi network using raw MAC ID. This policy allows devices to automatically connect to the given corporate network without user action. You can add configurations for multiple Wi-Fi networks.

    This Wi-Fi configuration will not be applied on One UI Core devices if Skip MAC Randomization is set to True.

    MAC randomization support depends on the chipset and OS.

    This feature is not supported on certain models. For more information, contact B2B customer support.

    • Wi-Fi Network Name — Specify the SSID (service set identifier) of the Wi-Fi network to be configured and managed.
    • Security Type — Select the security type for the Wi-Fi network.
    • Password — Set the password for the Wi-Fi network.
    • Skip MAC Randomization — Set this to True if you want to disable MAC randomization.

  • Set the Allow Wi-Fi State Change value to True to permit the user to change the device’s Wi-Fi state. Click False to restrict the user from making a Wi-Fi state change.

Advanced Wi-Fi policy

Advanced Wi-Fi settings are configurable in Device Owner (DO) and Work Profile on Company-owned device (WP-C) mode.

Advanced Wi-Fi settings are a group of controls to refine client behavior and improve enterprise network connectivity, including — but not limited to — SSID assignment and management controls, roam scan configuration settings, DHCP settings and SSID block list functions. Advanced Wi-Fi policy controls include the following:

  • Enable Advance Wi-Fi Policy Controls — set to True — to enable advanced Wi-Fi policy controls, making them available for unique configuration updates based on projected usage. If set to False, updates are ignored.

  • Specify the Wi-Fi Network Name (SSID) whose settings require configuration and network management using advanced Wi-Fi controls.

  • Enter the Wi-Fi Roam Trigger threshold used to trigger a roam scan for other potential AP resources within range of the specific client SSID. The scan can only be initiated when the relative signal strength (RSSI) of the current AP is weaker then the specified Wi-Fi Roam Trigger value. The range for this value is -50 ~ -100.

  • Provide the Wi-Fi Roam Delta to define a threshold for a target client to disassociate from its current AP and associate with another. AP re-association will occur only when the RSSI of the other AP is at least the Wi-Fi Roam Delta, or stronger, of the current AP. The range for this value is 0 ~ 100.

  • Enter the Wi-Fi Roam Scan Period that determines how often a target client scans for roam candidate APs. The range for this value is 0 ~ 60.

  • Refer to the Allow DHCP Renewal setting and click True to allow the device to keep (renew) its current IP address assignment, even after the device roams to another AP.

  • Refer to the Allow Network Blocklisting setting and click True to enable the list of blocked SSIDs.

Bluetooth policy

Configure the following Bluetooth Policy controls to define bluetooth data exchange settings over short distances. The following settings have no impact when Allow BT is disabled within the Device restrictions configuration page.

  • Enable bluetooth policy controls — set to True — to enable bluetooth policy configuration updates using the controls described below. If set to False, bluetooth setting updates are ignored.

  • Set the Allow Device discovery mode to True to permit the device to enter Bluetooth discovery mode and search for other Bluetooth supported devices to connect and transfer data. Set this control to False to restrict a Bluetooth device from searching, connecting and transferring data with other Bluetooth devices.

  • Use the Enable bluetooth profiles control to permit or restrict the following peripherals from connecting based on their bluetooth profiles. Options include:

    • None
    • Bluetooth Advanced Audio Distribution (A2DP)
    • Bluetooth Audio/Video Remote Control (AVRCP)
    • Bluetooth Hands Free (HFP)
    • Bluetooth Headset (HSP)
    • Bluetooth Phone Book Access (PBAP)
    • Bluetooth Serial Port (SPP)

  • Use the Allowlist Bluetooth Service by UUID and Blocklist Bluetooth Service by UUID controls to select specific peripherals to either allow or block connections based on their bluetooth service UUID. When enabled, all peripherals except those specified are allowed or blocked from operating with the device. A wildcard character (*) is used to allow all UUID except those in the block list. Alternatively, a wildcard character is used to block all UUIDs except those in the allow list. If the same UUID is present in both the allow and block list, then the allow list takes precedent when updated by the same administrator. Ensure UUIDs are defined properly per SIG specification.

Boot banner

Refer to the following Boot banner options to add, change, or display a customizable banner when the device is restarted. The following boot banner settings are configurable with a free Knox Platform for Enterprise Premium license:

  • Set the Enable banner on device reboot value to True to display a banner on the device when restarted. Keep this setting False — the default value — to hide the banner when the device is restarted.

  • Provide a Custom banner message to display a custom text <string> to the device user when the device is restarted.

Battery optimization

Use the following Battery Optimization settings to improve battery consumption efficiency based on projected device activity. The following battery optimization settings are configurable:

  • Set the Enable battery optimization value to True to set an inactivity timeout to shutdown the device when the defined inactivity period is exceeded.

  • Use the Set user inactivity timeout value to set the number of seconds <integer> device inactivity results in a device shutdown to conserve battery power and extend device battery life between charges.

There is a 10 minute minimum timeout if setting a user inactivity period.

Allow multiple users

Set the Allow Multiple User value to True to grant additional (multiple) users access to a device. Return this value to False to restrict multiple users from a device.

On this page

Is this page helpful?