
Device restrictions

Last updated July 26th, 2023

Device restrictions are a dedicated group of controls to allow or deny specific device access restriction operations. These controls require Knox version 2.7 or above and a Standard license.

Set the Enable device restriction controls value to True to enable the following device restriction controls on a target device. If disabled — set to False — device restriction settings are ignored.

  • Set the Allow microphone control to True to enable the device microphone without user intervention. When set to False, the microphone is disabled for recording, but does not impact the device’s phone application.

  • Set the Allow Wi-Fi control to True to permit the device to connect to Wi-Fi networks.

  • Set the Allow Wi-Fi Direct control to True to permit the device to connect to Wi-Fi Direct supported networks without an access point or router resource.

  • Set the Allow Bluetooth control to True to enable the device to make Bluetooth connections.

  • Set the Allow cellular control to True to enable the device to make cellular connections.

  • Refer to the following Tethering controls to configure tethering on a device and permit the device to share its Internet connection:

    • Set the Allow Tethering control to True to permit all tethering types on the device. This control must be enabled before any other tethering control is set, or other tethering settings will be ignored.

    • Set Allow Wi-Fi tethering to True to permit tethering over a Wi-Fi connection.

    • Set Allow Bluetooth tethering to True to permit tethering over a Bluetooth connection.

    • Set Allow USB tethering to True to permit tethering over a USB connection.

  • Set the Allow USB media player control to True to permit the use of an external USB media player on the device.

  • Set the Allow USB host player control to True to permit the use of an external USB storage device — such as an external hard disk or flash drive — on the device.

  • Use the Setup USB exception list to permit the configuration and use of one or more USB device classes. The Allow USB host storage setting must be enabled to define USB exceptions. If the Allow USB host storage setting is disabled, any USB exceptions will not be committed. Ensure you add all supported USB classes to the exception list. Options include:

    • Allow all (default setting)
    • Audio
    • CDC Data
    • Communication
    • Human Interface Device
    • Mass Storage
    • Miscellaneous
    • Still Image
    • Vendor Specific
    • Wireless Controller

  • Set the Allow USB debugging control to True to permit the device to enter USB debugging mode. Debugging mode permits new applications to be copied to a device via USB for testing prior to deployment.

  • Set the Allow developer mode control to True to permit the device to enter developer mode and configure system behaviors to improve device performance.

  • Set the Allow Share Via Option control to True to present user options to share data from one application to another.

  • Set the Allow power saving mode control to True to permit the device to enter power save mode automatically. Setting this control to False restricts the device from entering power save mode by itself.

  • Set the Allow data saver mode control to True to permit the device to enter data saver mode automatically. Data saver reduces device data usage by preventing some applications from sending or receiving data in the background.

  • Set the Allow VPN connections control to True to permit VPN connections between this device and another peer device.

  • Set the Allow user to modify Settings control to True to permit the user to change their device settings. Setting this value to False restricts device user setting updates.

  • Enforce external storage encryption — set to True — to enable external storage (SD Card) encryption. Samsung recommends using an alphanumeric password. The default setting is False.

  • Set the Allow backup on Google Server control to True to enable a data backup on the Google server. Backups are a recommended practice when device data needs to be periodically restored from a Google Server resource. If disabled — set to False — a device user is unable to use a Google Server as a data backup resource.

  • Set the Allow SD card access control to True to enable Secure Digital (SD) card access. Consider enabling this setting if intending to utilize a high capacity flash memory card with the device. If disabled — set to False — any device user attempt to transfer data to the device’s SD card fails, and the user is unable to use a SD card as a memory resource.

  • Set the Allow installation of non-Google Play Apps control to True to permit the installation of applications that are not procured from the Google Play store. If set to False, a device user cannot install non-Google Play apps, and cannot access the device UI until the administrator enables access again. While Google Play has a wide variety of applications for Android, consider enabling this setting to install those applications that may not be available on the Google Play store’s application listing.

  • Set the Allow Android Beam on device control to True to enable the device to use NFC and Bluetooth as data and video beam transfer mechanisms. If Android Beam is disabled — set to False — S Beam is also disabled on the device.

  • Set the Allow Camera control to True to enable the use of the device camera. Setting this value to False renders the device’s camera inoperable. If this policy has been applied for user 0, then the camera is disabled for user 0, as well as all the containers and users defined on the device.

  • Set the Allow Video Recording control to True to enable the device to use video recording functionality. Setting this control to False restricts video recording, but still permits the use of the device camera.

  • Set the Allow Multiple User control to False to restrict additional users from accessing the device and its potentially proprietary data.

    This setting is only available for tablet devices in Legacy DA mode to meet STIG compliance.
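Several of the controls above only take effect when a parent control is enabled. The following added example (not Samsung code) checks a profile for settings that would be silently ignored under those rules and lists a few enabled controls worth a second look. It assumes the profile is a dictionary keyed by the control labels used on this page, since the plugin's own key names are not listed here.

```python
# Keys are the control labels used on this page (assumption: a real export
# would use the plugin's own key names, which this page does not list).
MASTER = "Enable device restriction controls"
TETHER_PARENT = "Allow Tethering"
TETHER_CHILDREN = ("Allow Wi-Fi tethering", "Allow Bluetooth tethering",
                   "Allow USB tethering")
USB_STORAGE = "Allow USB host storage"
USB_EXCEPTIONS = "Setup USB exception list"
# Editor's review list, not a Samsung recommendation: controls that open
# debugging or sideloading paths when left at True.
REVIEW_IF_TRUE = ("Allow USB debugging", "Allow developer mode",
                  "Allow installation of non-Google Play Apps")


def lint_restrictions(profile):
    """Return (kind, control, reason) findings for one profile dict."""
    # Assumption: a control missing from the dict counts as not enabled.
    findings = []
    if profile.get(MASTER) is not True:
        # With the master switch off, every restriction setting is ignored.
        for key in profile:
            if key != MASTER:
                findings.append(("ignored", key, f"{MASTER} is not True"))
        return findings
    if profile.get(TETHER_PARENT) is not True:
        for child in TETHER_CHILDREN:
            if child in profile:
                findings.append(("ignored", child, f"{TETHER_PARENT} is not True"))
    if profile.get(USB_EXCEPTIONS) and profile.get(USB_STORAGE) is not True:
        findings.append(("ignored", USB_EXCEPTIONS, f"{USB_STORAGE} is not True"))
    for key in REVIEW_IF_TRUE:
        if profile.get(key) is True:
            findings.append(("review", key, "enabled; confirm it is required"))
    return findings


# Constructed sample profile, not taken from a real deployment.
SAMPLE = {
    MASTER: True,
    TETHER_PARENT: False,
    "Allow USB tethering": True,
    USB_STORAGE: False,
    USB_EXCEPTIONS: ["Mass Storage", "Human Interface Device"],
    "Allow USB debugging": True,
}

if __name__ == "__main__":
    for kind, control, reason in lint_restrictions(SAMPLE):
        print(f"{kind:8} {control}: {reason}")
```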
