Profile name(version)

Add a unique profile name(version) that highlights the policies and restrictions applicable to this profile. You can later use the name(version) for tracking and debugging. If use the profile name and version together, can manage it by version. To ensure good user experience, we recommend using a name less than 50 characters in length.

12 of 5000 characters entered

Knox License key(Knox Suite, DualDAR, etc)

If your UEM console supports Knox license information, enter your Knox License there. For UEM consoles not showing this information, enter your Knox License Key in this field. This field does not apply to Blackberry users. Applies to devices running Android P and Knox v3.2.1 or higher. To buy a Knox license, contact your Samsung Knox Reseller.

0 of 5000 characters entered

Debug Mode

The informative mode shows policy results and errors on the device. We recommend enabling this mode only during the test phases and not during final deployment.

Separated Apps policies

A group of policies and restriction that are applicable to Separated apps.

Enable Separated Apps
Configured
Turn Separated Apps policies on or off. Enable this option before using any of the Separated Apps policies. If this option is disabled, KSP will apply policy to remove Separated Apps from the device, all apps installed inside Separated Apps will be uninstalled from the device.
Allow List Policy
A group of policies for specifying the list of apps to be separated and whether the specified list of apps should be installed outside or inside of the separate space.Available Knox 3.7 or higher
- Location for Separate Apps installation
  Configured
  If the value is set to Outside, List of specified apps will be installed outside (i.e. in user0), apps not in the list will be installed inside. if the value is set to Inside, List of specified apps will be installed inside (i.e. inside separate space), apps not in the list will be installed outside
  Outside
  Inside
- List of Apps to Separate
  Configured
  Provide list of applications that will be separated from all the other apps not in this list. *Note: If Outside is selected for Location of Separate Apps installation then existing apps installed outside in User0 that are not part of this list will be uninstalled
  0 of 5000 characters entered

Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted)

A global group of policies and restrictions that are applicable to all users of the device. This list includes items that impact all users on the device, whether they fall under personal or work profiles. Availability: Knox 3.0 and above.

Enable device policy controls
Configured
Use this control to enable or disable device-wide policies. Enable this option before using any of the device-wide policies. If this option is disabled, KSP does not apply any policies in default user (User 0). *Note: Privacy-related functions are not supported in WPC mode. (ex : APN Policy, Certificate Management Policy and so on)
Advanced Restriction policies (Premium)
A group of controls to manage advanced restriction policies. A KPE Premium license is required for all policies in this group.
- Enable Advanced Restrictions controls
  Configured
  Use this control to enable advanced controls on the device.
- Allow Wi-Fi scanning
  Configured
  Use this control to block the device from scanning for Wi-Fi networks in range to improve the accuracy of location detection. Availability with Knox 3.2 or higher.
- Allow bluetooth scanning
  Configured
  Use this control to block the device from scanning for bluetooth devices in range to improve the accuracy of location detection. Availability with Knox 3.2 or higher. *Note: If disabled, all Bluetooth functionality is disabled. If Bluetooth scanning is disabled, the device declines location accuracy and does not allow apps and services to scan for and connect to nearby devices automatically via Bluetooth.
- Allow remote control
  Configured
  Use this control to block connections to the device, using third-party remote control apps. Availability with Knox 3.0 or higher.
- Allow process data only on device
  Configured
  Select the process data only on device menu to enable. *Note: When you activate the Samsung Account, the menu appears on device. Supported from some flagship models and OneUI 6.1 and later.
- Enable Common Criteria (CC) mode
  Configured
  Use this control to enable services to bring the device into the Common Criteria-evaluated configuration, called CC Mode. For devices enrolled in a UEM, these settings are set at the UEM level.
- Allow dual SIM operation
  Configured
  Due to a change with the way that Google has implemented SIM management, KSP can no longer support this policy on devices running One UI 6.1. See Release Notes for details.
- Allow eSIM operation
  Configured
  Use this control to enable or disable the eSIM operation. *Note: Supported from OneUI 6.0 only.
- Wi-Fi Advanced Detect suspicious network
  A group of controls to configure WIPS to prevents unauthorized network access to local area networks and other information assets by wireless devices.
  Enable WIPS Control
  Configured
  Use this control to enable or disable WIPS options. If this control is disabled, any changes to other WIPS related settings have no impact.
  Allow WIPS Enforcement
  Configured
  Select this option to enforce the feature, Disallow end user to bypass WIPS
  0 off
  1 on
  Allow WIPS Advance Protection
  Configured
  Select this option to Disallow end user to change WIPS
  0 off
  1 on
- Set USB Device Connection Type
  Configured
  Use this control to select the usb connection type
  DEFAULT
  MTP
  PTP
  MIDI
  CHARGING
- Allow copy contact to SIM operation
  Configured
  Use this control to enable or disable copy contact from device to SIM Card
Application management policies
A group of policies to configure and manage applications on the device.
- Enable application management controls
  Configured
  Use this control to enable or disable advanced application management settings.
- Battery optimization allowlist
  Configured
  Use this control to exempt applications from battery usage optimizations such as Android Doze mode. For a fully managed device with a Work profile, enter the list of application on the personal profile to allowlist. To specify Work profile-only apps, go to Work Profile Policies > App Management section. Enter a comma-separated list of package names to specify the apps to allowlist.
  0 of 5000 characters entered
- Notifications allowlist
  Configured
  Use this control to stop applications from showing notifications on the status bar. When this policy is enabled, notifications from all applications are blocked except for the apps specified in this allowlist. Enter the values as a comma separated list or wildcard to specify multiple apps to the allowlist, if you want to use advanced query, please use correct regular expression syntax.
  0 of 5000 characters entered
- Notifications blocklist
  Configured
  Use this control to add a list of package names to notification blocklist. Enter the values as a comma separated list or wildcard to specify multiple apps to the blocklist, if you want to use advanced query, please use correct regular expression syntax.
  0 of 5000 characters entered
- App update controls
  Application update policy
  Configured
  Use this control in combination with the following List of apps control to allow or restrict updates to specific apps. The default value is set to ‘None’, meaning apps on your device update per the policies you’ve specified in your Device Settings and in app settings on Managed Google Play Store.
  None
  Allow update for specified apps only
  Block updates for specified apps only
  List of apps
  Configured
  Use this field to allow or restrict app updates for specific apps. Enter the values as a comma separated list or wildcard to specify multiple apps, if you want to use advanced query, please use correct regular expression syntax.
  0 of 5000 characters entered
- Allow USB Devices for default access by Application (Configure profiles below)
  Configured
  Use this setting to grant user permission for one or more usb devices to be used by a particular package. Use the Allowed USB devices for Applications section for Configurations.
- Application Allowlist by Pkg Name
  Configured
  Use this control to allowlist applications to be installed on the DO. When this policy is enabled, third-party application (application that is not part of system image) based on the application package name will be allowlisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the allowlist, if you want to use advanced query, please use correct regular expression syntax. If the package name of an application currently being installed matches a package name pattern in both the blocklist and allowlist, the allowlist takes priority and the application is installed.
  0 of 5000 characters entered
- Application Blocklist by Pkg Name
  Configured
  Use this control to blocklist applications to be installed on the DO. When this policy is enabled, third-party application (application that is not part of system image) based on the application package name will be blocklisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the blocklist, if you want to use advanced query, please use correct regular expression syntax. If the application package is already installed, the API does not affect the existing installation.
  0 of 5000 characters entered
- Application Allowlist by Signature used
  Configured
  Use this control to allowlist applications to be installed on the DO. When this policy is enabled, third-party application (application that is not part of system image) based on the signature used by the application will be allowlisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the allowlist. If the signature of an application currently being installed matches the signature in both the blocklist and allowlist, the allowlist takes priority and the application is installed.
  0 of 5000 characters entered
- Application Blocklist by Signature used
  Configured
  Use this control to blocklist applications to be installed on the DO. When this policy is enabled, third-party application (application that is not part of system image) based on the signature used by the application will be blocklisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the blocklist. If the application package is already installed, the API does not affect the existing installation.
  0 of 5000 characters entered
- Disable Application without user interaction
  Configured
  Use this control to disable application without user interaction. The disabled application package is not uninstalled but the device user cannot use it. The API does not affect the future application package state. Enter the values as a comma separated list, for example, "com.xyz, com.abc".
  0 of 5000 characters entered
- Force Stop Blocklist
  Configured
  Use this control to prevent the user from stopping certain applications. The stop actions include force stop in Settings app, stopping through third-party applications, stopping any background process by system and stopping any service from the application. Enter the values as a comma separated list or wildcard to specify multiple apps to the blocklist, if you want to use advanced query, please use correct regular expression syntax.
  0 of 5000 characters entered
- Widget Allowed List
  Configured
  Use this control to allow widget to be installed on the DO. When this policy is enabled, widget matching the list will be allowed to installed and rest all the other widgets will be blocked. Enter the values as a comma separated list or wildcard to specify multiple widget to the allow. If the package name matches the pattern in both the blocklist and allowlist, the allowlist will takes priority.
  0 of 5000 characters entered
- Widget Blocked List
  Configured
  Use this control to block widget to be installed on the DO. When this policy is enabled, a user cannot add widgets with package names that match the list, and existent widgets are removed from the launcher home screen. Enter the values as a comma separated list or wildcard to specify multiple widget to the block. If the package name matches the pattern in both the blocklist and allowlist, the allowlist will takes priority.
  0 of 5000 characters entered
- Package Name for Auto-Launch
  Configured
  Enter the package name of the application that needs to be launched after it is installed along with the Component name. Example: PackageName/ComponentName
  0 of 5000 characters entered
- Clear Cache Block List
  Configured
  Use this control to prevent the user from clearing cache for certain applications. The actions include clear cache in Settings app, clearing cache through third-party applications, and clearing service cache from the application. Also, wildcard characters like "com.xyz.*" can be used to specify multiple application package names.
  0 of 5000 characters entered
- Clear Data Block List
  Configured
  Use this control to prevent the user from clearing data for certain applications. The actions include clear data in Settings app, clearing data through third-party applications, and clearing service data from the application. Also, wildcard characters like "com.xyz.*" can be used to specify multiple application package names.
  0 of 5000 characters entered
- Disable Heat Management
  Configured
  Use this control to enable/disable the enhanced battery heat management algorithm. It aims to provide better battery performance by limiting resource consumption of background apps.
- Enable permission controls
  Configured
  Use this control to pre-grant permissions for specific application
Audit Log (Premium)
A group of controls to enable audit log on the device. Available with a KPE Premium license
- Enable Audit Log
  Configured
  Use this control to enable audit log to capture events such as Password policies set for devices; App installation and removal; Certificate failure and key generation; Account creation and removal; File exchange attempts over Wi-Fi etc
- Audit Log Policy Configuration
  A group of controls to configure audit log on the device. Available with a KPE Premium license
  Audit Log Policies
  Configured
  Use this control to select granular audit log on the device
  All Group
  Application Group
  Events Group
  Network Group
  Security Group
  System Group
  Audit Log Outcome
  Configured
  Use this control to select audit log outcome on the device
  All
  Failures
  Successes
  Audit Log Severity Level
  Configured
  Use this control to select severity level of Audit Log
  All
  Alert
  Critical
  Error
  Warning
  Audit Log Frequency
  Configured
  Use this control to select the Audit log frequency
  2 Hours
  6 Hours
  12 Hours
  24 Hours
Call and Messaging control
A group of policies to manage device-wide call and messaging restrictions.
- Enable call and messaging controls
  Configured
  Use this control to enable or disable the phone call and text messaging functionality on the device.
- Manage RCS messaging
  Configure
  Use this control to block RCS on the device. RCS (Rich Communication Services) is an advanced messaging system that aims at making SMS messages more interactive. For example, letting users transmit in-call multimedia. By default, RCS messaging is allowed. This policy is only for the Samsung Native messages app(Samsung Message, Google Message).
- Set disclaimer text for messages
  Configure
  Use this control to set a disclaimer text with all the outgoing SMS and MMS from the device. The disclaimer text should be limited to 30 characters.
- Call Controls
  A group of policies to manage call controls and restrictions
  Blocklist Incoming Call restriction
  Configured
  Use this list to block incoming calls from certain numbers. Enter the values as a comma separated list or wildcard to specify multiple numbers to the blocklist, if you want to use advanced query, please use correct regular expression syntax.
  0 of 5000 characters entered
  Blocklist Incoming Call exception
  Configured
  Use this list to add exceptions to the blocklist for incoming calls from certain numbers. Enter the values as a comma separated list or wildcard to specify multiple numbers to the blocklist, if you want to use advanced query, please use correct regular expression syntax.
  0 of 5000 characters entered
  Blocklist Outgoing Call restriction
  Configured
  Use this list to block outgoing calls from certain numbers. Enter the values as a comma separated list or wildcard to specify multiple numbers to the blocklist, if you want to use advanced query, please use correct regular expression syntax.
  0 of 5000 characters entered
  Blocklist Outgoing Call exception
  Configured
  Use this list to add exceptions to the blocklist for outgoing calls from certain numbers. Enter the values as a comma separated list or wildcard to specify multiple numbers to the blocklist, if you want to use advanced query, please use correct regular expression syntax.
  0 of 5000 characters entered
- SMS Controls
  A group of policies to manage SMS controls and restrictions
  Blocklist Incoming SMS restriction
  Configured
  Use this list to block incoming SMS from certain numbers. Enter the values as a comma separated list or wildcard to specify multiple numbers to the blocklist, if you want to use advanced query, please use correct regular expression syntax.
  0 of 5000 characters entered
  Blocklist Incoming SMS exception
  Configured
  Use this list to add exceptions to the blocklist for incoming SMS from certain numbers. Enter the values as a comma separated list or wildcard to specify multiple numbers to the blocklist, if you want to use advanced query, please use correct regular expression syntax.
  0 of 5000 characters entered
  Blocklist Outgoing SMS restriction
  Configured
  Use this list to block outgoing SMS from certain numbers. Enter the values as a comma separated list or wildcard to specify multiple numbers to the blocklist, if you want to use advanced query, please use correct regular expression syntax.
  0 of 5000 characters entered
  Blocklist Outgoing SMS exception
  Configured
  Use this list to add exceptions to the blocklist for outgoing SMS from certain numbers. Enter the values as a comma separated list or wildcard to specify multiple numbers to the blocklist, if you want to use advanced query, please use correct regular expression syntax.
  0 of 5000 characters entered
Certificate management policies (Premium)
A group of policies to control certificate management settings. For example, disable certificates, restrict certificates and more.
- Enable certificate management controls
  Configured
  Use this control to enable or disable certificate management settings for the device. Enable this control before changing any certificate management settings. If this control is not enabled, any Enterprise certificate management policy is ignored.
- Certificate revocation
  Choose the Certificate revocation method most appropriate for your devices.
  Enable revocation check
  Configured
  Use this to check certificate validation. For example if you list “com.samsung.email” in a allowlist, any certificates used by this app for SMIME encryption or signing is first checked against a list of Certificate Revocation List (CRL) to verify that they are still valid. Enter the application package names to check as a comma separated list, for example (“com.xyz, com.abc”)
  Not enabled
  Enable for all apps
  Enable for specified apps only
  Enable OCSP check before CRL
  Configured
  Use this to perform certificate validation using OSCP before checking a CRL. If the OCSP response is inconclusive the device performs a CRL check.
  List of apps to enable for verification
  Configured
  Use this to perform certificate revocation on a list of applications. Enter the values as a comma separated list of the application packages, for example, “com.xyz, com.abc”.
  0 of 5000 characters entered
- Add trusted CA certificate
  Configured
  Enter the name of a Trusted CA Alias which was already defined in Certificate Alias. Enter the values as a comma separated list of the Trusted CA Alias
  0 of 5000 characters entered
- Block User from removing Certificate
  Configured
  Use this control to block the user from removing certificates from the keystore. By default, users are allowed to remove certificates from the keystore.
- Allow applications to read private keys without alerting user (Configure profiles below)
  Configured
  Use this setting to Allow application to read private keys without alerting user. To specify application package name, host, port, alias & storage name that will be matched with what applications provided. Use the Allowed apps for reading private keys section.
- Install Certificate in keystore(s) silently
  Configured
  Enter the name of a CA Alias which will be installed silently in the device keystore(s). Enter the values as a comma separated list of the CA Alias
  0 of 5000 characters entered
Client Certificate management (CCM) policies (Premium)
A group of policies to control client certificate management settings. *Note: CCM Policies are deprecated in the KSP release (22.05). Due to their deprecation, we strongly suggest that you no longer use these policies since Android 12(Knox 3.8.0). See KSP Release Notes for details.
- Enable client certificate management controls
  Configured
  Use this control to enable or disable client certificate management settings for the device. Enable this control before changing any client certificate management settings. If this control is not enabled, any Enterprise client certificate management policy is ignored. *Note: CCM Policies are deprecated in the KSP release (22.05). Due to their deprecation, we strongly suggest that you no longer use these policies since Android 12(Knox 3.8.0). See KSP Release Notes for details.
- Add packages to be exempted from access control
  Configured
  Enter Name of the packages to be exempted from access control.Enter the values as a comma separated list of the package names.
  0 of 5000 characters entered
Date Time Change
A Group of control to enable Date and Time Change
- Enable Date Time Policy controls
  Configured
  Use this control to enable Date and Time Change
- Allow Date Time change
  Configured
  Use this setting to allow or disallow date time change
Device Account Policy
A group of controls for Device Account Policy
- Enable Device Account Policy controls
  Configured
  A group of controls to Enable Device Account Policy
- Enable Device Account policies (Configure profiles below)
  Configured
  Use this setting to enable device account addition policies
Device Admin allowlisting
A group of policies to manage Device Administrator (DA) privileges to specific apps when KSP is launched on the device. By default, DA level access is blocked for all apps. KSP cannot deactivate DA level access for an app that is already activated before KSP is launched.
- Enable device admin controls
  Configured
  Use this control to enable or disable Device Admin allowlisting control for applications on a device where KSP is launched.
- Allowlisted DAs
  Configured
  By default, KSP will block activation of any application as device admin, except those specified in this allowlist. Enter a comma-separated list of packages to specify the list of apps to allowlist.
  0 of 5000 characters entered
Device Controls
A group of policies to manage device controls, such as APN settings, NFC policies, certificate management, and more.
- APN Setting Policy
  A group of policies to create, update and remove Access Point Name (APN) settings on the device.
  Enable APN settings policy control
  Configured
  Use this control to enable or disable APN settings for the device. Enable this control before changing any APN settings. If this control is not enabled, any APN settings are ignored. *Note: When the APN Setting Policy is enabled, the eSIM menu disappears to prevent conflicts between functions.
  Name of APN Configuration to add or update
  Configured
  Enter the name of the APN configuration profile that needs to be added or updated. Ensure that the name used here matches at least one name in the APN configuration > name field. For example, “samsungAPN3”
  APN_1
  5 of 5000 characters entered
  Allow user to change APN Settings
  Configured
  Use this control to allow or prevent user from changing the APN settings.
- Data Roaming Policy
  A group of policies to control the data roaming settings on the device.
  Enable data roaming policy control
  Configured
  Use this control to enable or disable data roaming settings for the device. Enable this control before changing any data roaming settings. If this control is not enabled, any data roaming settings are ignored.
  Allow data roaming
  Configured
  Use this setting to allow or prevent users from changing the current data roaming state (on or off).
  Allow voice call
  Configured
  Use this setting to allow or prevent users from changing the current voice call state (on or off).
- Network Mode Policy
  A group of policies to control the Network mode settings on the device.
  Enable network mode policy control
  Configured
  Use this control to set the network mode type for the device. Enable this control before changing any network mode settings. If this control is not enabled, any data roaming settings are ignored.
  Set Network mode
  Configured
  Use this control to set the network mode. *Note: Supported from S OS, US OPEN, TMO and S21 only.
  5G/LTE/3G/2G(auto connect)
  LTE/3G/2G(auto connect)
  LTE/3G(auto connect)
- NFC Policy
  A group of policies to control Near Field Communications (NFC) settings. For example turning NFC on or off.
  Enable NFC policy controls
  Configured
  Use this control to enable or disable NFC settings for the device. Enable this control before changing any NFC settings. If this control not enabled, any NFC settings are ignored.
  Turn on NFC
  Configured
  Use this control to turn NFC on or off. If this setting is disabled, all NFC related functions will not work such as NFC based payment systems or NFC tags.
  Allow user to change NFC state
  Configured
  Use this setting to allow or prevent users from changing the current NFC state (on or off).
- Wi-Fi Policy
  A group of policies to control Wi-Fi settings. For example setting Wi-Fi hotspots, allowing specific connections etc.
  Enable Wi-Fi policy controls
  Configured
  Use this control to enable or disable Wi-Fi polices on a device. If this control not enabled, any Wi-Fi settings you change are ignored.
  Set Wi-Fi hotspot SSID
  Configured
  Use this control to name the Wi-Fi hotspot saved on a device. For example, you can set a custom name, such as “MyMobileWifi”, instead of using the default SSID.
  0 of 5000 characters entered
  Set Wi-Fi hotspot password
  Configured
  Use this control to enforce a password when a Wi-Fi mobile hotspot is enabled. If this field is empty, users can create unsecured hotspot network. Passwords should be eight or more characters long.
  0 of 5000 characters entered
  Allow user to change hotspot setting
  Configured
  Use this control to allow users to change Wi-Fi hotspot settings on the device. If this setting is off, users cannot make modifications to the hotspot settings on their device
  Allow open Wi-Fi connection
  Configured
  Use this control to allow devices to start an open (non-secured) Wi-Fi hotspot or connect to open and unprotected Wi-Fi access points. If this control is off, users cannot connect to unsecured Wi-Fi networks or start an open (non-secured) Wi-Fi hotspot.
  Allow Minimum Wi-Fi Security Requirement
  Configured
  Use this option to allow user to select the minimum security requirement for Wi-Fi Connection. *Note: This policy can be applied only if open Wi-Fi connection is disabled
  WEP
  WPA
  LEAP, PWD
  FAST, PEAP
  TLS, TTLS, SIM, AKA, AKA'
  Block Wi-Fi Network Connection
  Configured
  Add SSID to the list of blocked network to prevent user to connect
  0 of 5000 characters entered
  Allow Automatic Wi-Fi Connection to saved SSIDs
  Configured
  Use this control to allow or deny automatic connections of saved SSIDs
  Allow Control for Wi-Fi Password to be Visible
  Configured
  Use this control to make the password hidden or visible in the network edit dialog
  Allow Wi-Fi State Change
  Configured
  Use this control to allow or deny user access to make Wi-Fi state change
  Allow to configure Wi-Fi (Configure details below)
  Configured
  Use this control to allow configuration of Wi-Fi
- Advanced Wi-Fi Policy (Premium)
  A group of policies to control Advanced Wi-Fi settings. For example setting roam trigger, roam delta, roam scan period etc.
  Enable Advanced Wi-Fi Policy Controls(Configure profiles below)
  Configured
  Use this control to enable or disable Advanced Wi-Fi polices on a device. If this control not enabled, any Advanced Wi-Fi settings you change are ignored.
- Bluetooth Policy
  A group of policies to control bluetooth settings. For example you can block certain bluetooth profiles or services. *Note: These controls have no impact if “Allow BT” is disabled in the “device restrictions” section.
  Enable bluetooth policy controls
  Configure
  Use this control to enable or disable bluetooth settings. If this control is not enabled, any changes you make to bluetooth settings are ignored.
  Enable bluetooth profiles
  Configure
  Use this control to allow or block peripherals from connecting based on their bluetooth profiles.
  Allowlist Bluetooth Service by UUID
  Configured
  Use this control to allow peripherals from connecting based on their Bluetooth service UUID. When enabled, all peripherals except those with UUIDs specified here are blocked from operating with the device. The UUIDs should be as per BT SIG specifications. See the KSP Admin guide for a list of frequently used UUIDs.
  NONE
  ALL
  A2DP_ADVAUDIODIST_UUID
  A2DP_AUDIOSINK_UUID
  A2DP_AUDIOSOURCE_UUID
  AVRCP_CONTROLLER_UUID
  AVRCP_TARGET_UUID
  BNEP_UUID
  BPP_UUID
  DUN_UUID
  HFP_AG_UUID
  HFP_UUID
  HID_UUID
  HSP_AG_UUID
  HSP_UUID
  NAP_UUID
  OBEXOBJECTPUSH_UUID
  PANU_UUID
  PBAP_PSE_UUID
  PBAP_UUID
  SPP_UUID
  Blocklist Bluetooth Service by UUID
  Configured
  Use this control to block peripherals from connecting based on their Bluetooth service UUID. When enabled, all peripherals except those with UUIDs specified here are allowed from operating with the device. The UUIDs should be as per BT SIG specifications. See the KSP Admin guide for a list of frequently used UUIDs.
  NONE
  ALL
  A2DP_ADVAUDIODIST_UUID
  A2DP_AUDIOSINK_UUID
  A2DP_AUDIOSOURCE_UUID
  AVRCP_CONTROLLER_UUID
  AVRCP_TARGET_UUID
  BNEP_UUID
  BPP_UUID
  DUN_UUID
  HFP_AG_UUID
  HFP_UUID
  HID_UUID
  HSP_AG_UUID
  HSP_UUID
  NAP_UUID
  OBEXOBJECTPUSH_UUID
  PANU_UUID
  PBAP_PSE_UUID
  PBAP_UUID
  SPP_UUID
  Allow Device discoverable Mode
  Configured
  Use this control to enable or disable Bluetooth discoverable mode.
- Boot banner
  A group of controls to add, change, or show a banner upon device restart. Available with a KPE Premium license.
  Enable banner on device reboot
  Configured
  Use this control to show a banner on the device display when the device restarts. Default value is set to not show a banner upon device reboot.
  Custom Banner Message
  Configured
  If you want to show custom text to the user when the device restarts, enter the text in this field.
  0 of 5000 characters entered
- Battery Optimization (Premium)
  A group of controls to optimize battery usage. Available with a KPE Premium license.
  Enable battery optimization
  Configured
  Use this control to optimize battery and enable device to shutdown, if the user is inactive for the set user inactivity timeout
  Set User Inactivity Timeout
  Configured
  Enter the user inactivity timeout in seconds(10 minutes as minimum) for device to shutdown, in order to optimize battery.
  Set User Inactivity Timeout
  3 of 10 characters entered
Device customization controls (Premium)
A group of policies to customize the device user interface. Configure the "Device customization profile" that the device user must use in this section. Availability: Premium license with Customization permissions.
- Enable device customization
  Configured
  Use this control to enable or disable device customization. (Configure Device customization profile below)
Device Key Mapping
A group of controls to map key up. Available with a KPE Premium license.
- Enable Key Mapping
  Configured
  Use this control to enable key mapping. Enable this control before changing any Device Key Mapping settings. If this control is not enabled, any Device Key Mapping settings are ignored.
- Enable XCover/Active Key Mapping for Microsoft Teams
  Configured
  Use this control to enable key mapping for passing intent for Microsoft Teams package.
- XCover/Active key Mapping for specific application
  A group of controls to enable XCover/Active key mapping for a specific application
  Package Name
  Configured
  Enter the name of the package (application) that will receive the XCover key mapping action
  0 of 5000 characters entered
  Use Samsung Intent
  Configured
  If this option is enabled, the intent definitions below will be ignored. Supported from Knox 3.7.1
  Intent for Key press
  Configured
  Enter the intent name provided by the Application Vendor for XCover Key Press
  com.samsung.android.knox.intent.action.PTT_PRESS
  48 of 5000 characters entered
  Intent for Key release
  Configured
  Enter the intent name provided by the Application Vendor for XCover Key Release
  com.samsung.android.knox.intent.action.PTT_RELEASE
  50 of 5000 characters entered
- Top Key Mapping for specific application
  A group of controls to enable Top key mapping for a specific application
  Package Name
  Configured
  Enter the name of the package (application) that will receive the Top key mapping action
  0 of 5000 characters entered
  Use Samsung Intent
  Configured
  If this option is enabled, the intent definitions below will be ignored. Supported from Knox 3.7.1
  Intent for Key press
  Configured
  Enter the intent name provided by the Application Vendor for Top Key Press
  com.samsung.android.knox.intent.action.TOP_PRESS
  48 of 5000 characters entered
  Intent for Key release
  Configured
  Enter the intent name provided by the Application Vendor for Top Key Release
  com.samsung.android.knox.intent.action.TOP_RELEASE
  50 of 5000 characters entered
- Side Key Mapping for specific application
  A group of controls to enable Side key mapping for a specific application
  Package Name
  Configured
  Enter the name of the package (application) that will receive the Side key mapping action
  0 of 5000 characters entered
  Use Samsung Intent
  Configured
  If this option is enabled, the intent definitions below will be ignored. Supported from Knox 3.7.1
  Intent for Key press
  Configured
  Enter the intent name provided by the Application Vendor for Side Key Press
  com.samsung.android.knox.intent.action.SIDE_PRESS
  49 of 5000 characters entered
  Intent for Key release
  Configured
  Enter the intent name provided by the Application Vendor for Side Key Release
  com.samsung.android.knox.intent.action.SIDE_RELEASE
  51 of 5000 characters entered
- Enable Key Mapping to Launch applications (Configure profiles below)
  Configured
  Use this control to enable key mapping for specific action for defined package
Device Restrictions
A group of controls to allow or block specific operations on the user's device.
- Enable device restriction controls
  Configured
  Use this control to enable or disable restriction controls for the device. Enable these controls before changing any device restriction settings. If these controls are not enabled, any device restriction settings are ignored.
- Allow microphone
  Configured
  Use this setting to disable the microphone without user interaction. Disabling this control restricts the use of the microphone for recording purposes, but does not impact the use of the phone application on the device.
- Allow Wi-Fi
  Configured
  Use this control to allow or restrict the device's ability to connect to Wi-Fi networks.
- Allow Wi-Fi Direct
  Configured
  Use this control to allow or restrict the device's ability to connect to Wi-Fi Direct networks.
- Allow Bluetooth
  Configured
  Use this control to allow or restrict the device's ability to make Bluetooth connections.
- Allow cellular data
  Configured
  Use this control to allow or restrict the device's ability to use the cellular data connection.
- Tethering controls
  A group of controls to configure the use of tethering technologies on the device.
  Allow tethering
  Configured
  Use this control to allow or block all types of tethering on the device. Enable this control before changing any other tethering settings. If this control is not enabled, any changes to other tethering settings are ignored.
  Allow Wi-Fi tethering
  Configured
  Use this control to allow or block tethering on Wi-Fi. If the use of all tethering is disabled, changing these settings has no impact.
  Allow Bluetooth tethering
  Configured
  Use this control to allow or block tethering on Bluetooth. If the use of all tethering is disabled, changing these settings has no impact.
  Allow USB tethering
  Configured
  Use this control to allow or block tethering on USB. If the use of all tethering is disabled, changing these settings has no impact.
- Allow USB media player
  Configured
  Use this control to enable or disable the use of an external USB media player on the device.
- Allow USB host storage
  Configured
  Use this control to enable or disable the use of an external USB storage device, such as an external hard disk or a flash drive.
- Setup USB exception list
  Configured
  If the Allow USB host storage setting is enabled, use this control to configure the use of one or more classes of USB devices or USB composite device on the mobile device. If the Allow USB host storage setting is disabled, any settings in this section have no impact. A USB Composite Device is a peripheral device that supports more than one device class. If you use this policy to control a USB Composite Device, ensure that you add all supported classes in the exception list.
  Allow all
  Audio
  CDC Data
  Communication
  Human Interface Device
  Mass Storage
  Miscellaneous
  Still Image
  Vendor Specific
  Wireless Controller
- Allow USB debugging
  Configured
  Use this control to enable or disable the device to enter into a USB debugging mode.
- Allow developer mode
  Configured
  Use this control to enable or disable the device to enter into a developer mode.
- Allow Share Via option
  Configured
  Use this control to enable or disable the Share Via option that presents User options to share data from one application to another application using one of the many available options.
- Allow power saving mode
  Configured
  Use this control to enable or disable the device from entering the Power Saver mode automatically.
- Allow data saver mode
  Configured
  Use this control to enable or disable the device from entering the Data Saver mode automatically.
- Allow VPN connections
  Configured
  Use this control to enable or disable VPN connections on the device.
- Allow user to modify Settings
  Configured
  Use this control to allow or restrict the user from changing the device settings.
- Enforce external storage encryption
  Configured
  Use this control to enable external storage (SD Card) encryption. Enabling this option prompts the user to start encryption. For security reasons, we recommend setting the policy to use an alphanumeric password.
- Allow SD card access
  Configured
  Use this control to enable or disable Secure Digital (SD) card access.
- Allow backup on Google Server
  Configured
  Use this control to enable or disable backup of data on the Google Server.
- Allow installation of Non-Google Play Apps
  Configured
  Use this control to allow or disallow installation of Non-Google Play Applications.
- Allow Video Recording
  Configured
  Use this control to enable or disable video recording.
- Allow Android Beam on device
  Configured
  Use this control to allow or disallow Android Beam on device.
- Allow Camera
  Configured
  Use this control to enable or disable camera.
- Allow Clipboard
  Configured
  Use this control to enable or disable clipboard.
- Allow Smart Switch
  Configured
  Use this control to allow or disallow smart switch to seamlessly transfer contacts, photos, music, videos, messages, notes, calendars and more to virtually any Samsung Galaxy device
- Allow UWB
  Configured
  Use this control to allow or disallow UWB on the device. *Note: Allow UWB policies are deprecated in the KSP release (23.06). Due to their deprecation, we strongly suggest that you no longer use these policies since Android 13(Knox 3.9.0). See KSP Release Notes for details.
- Allow Factory Reset
  Configured
  Use this control to allow or restrict the device factory reset
Device Settings (Premium)
A group of controls for device settings. A KPE Premium license is required for all policies in this group.
- Enable device settings controls
  Configured
  Use this control to enable device settings
- Hide Settings Backup and Reset
  Configured
  Use this control to hide backup and reset settings
- Hide Settings Airplane Mode
  Configured
  Use this control to hide airplane mode settings
- Hide Settings Language
  Configured
  Use this control to hide language settings
- Hide Settings Lock Screen
  Configured
  Use this control to hide lock screen settings
- Hide Settings Bluetooth
  Configured
  Use this control to hide bluetooth settings
- Hide Settings Developer
  Configured
  Use this control to hide developer settings
- Hide Settings Wi-Fi
  Configured
  Use this control to hide Wi-Fi settings
- Set System Language & Location
  A group of controls to set the system locale with default language & location on the device
  Set Language
  Configured
  Use this control to set the default device language; Two character lower case language code as defined in ISO 639-1.
  0 of 5000 characters entered
  Set Location
  Configured
  Use this control to set the default device location; Two character upper case country code as defined in ISO 3166-1. This can be optionally followed by a hash (#) and a four character script code as defined in ISO 15924.
  0 of 5000 characters entered
- Enable Mobile Data
  Configured
  Use this control to turn on mobile data
- Set Power ON when connected to power source
  Configured
  Use this control to power the device ON when connected to power source. *Note: For Android 12 and lower, this feature is compatible with Qualcomm & LSI chipset only. For Android 13 and higher, it works on all devices (with any chipset).
- Set Power OFF when disconnected from power source
  Configured
  Use this control to power the device OFF when disconnected from power source.
- Set input method
  A group of controls to set the input method on the device
  Set input method package name
  Configured
  Enter the specified package name for input method. Default package name is for XCover/TabActive Pro devices
  com.sec.android.inputmethod
  27 of 5000 characters entered
- Enable No Battery Mode
  Configured
  Use this control to enable or disable No Battery Mode
- Set Power Saving Mode
  Set the power saving mode of the device
  Enable power saving mode controls
  Configured
  Use this control to allow power saving mode policy on the device
  Set Limit CPU
  Configured
  Use this control to limit CPU usage on Power Saving Mode
  Set Reduce Brightness
  Configured
  Use this control to reduce brightness on Power Saving Mode
DeX policy
A group of policies for Samsung DeX control and customization, including items related to enabling and disabling DeX, managing DeX restrictions, and customization of the DeX experience for the user. Availability: Knox v3.1 or higher.
- Enable DeX policy controls
  Configured
  Use this control to enable or disable DeX mode controls for the device. Enable DeX controls before using any of the DeX restriction policies. If DeX controls are not enabled, any settings for items in the DeX Policy group are ignored.
- Manage DeX restrictions
  Use these controls to turn individual DeX restrictions on or off. On Knox v3.1 or higher.
  Allow Dex connection
  Configured
  Use this control to allow the device to accept DeX connections on your phone.
  Enforce the use of Ethernet connection
  Configured
  Use this control to enforce the use of ethernet connectivity in DeX mode. When this functionality is enabled, cellular data, Wi-Fi, and other such connections are not available in Dex mode. By default, ethernet use is not enforced.
  Enforce the use of virtual MAC address
  Configured
  Enable this control to use a virtual MAC address for a device in DeX mode to differentiate between the different modes of the device on your network.
  Manage list of apps disabled in DeX mode
  Configured
  Use this control to list the apps that are disabled when the device is in DeX mode. Enter the values as a comma separated list of package names.To find package names, use a browser on a computer to go to app information on the Play store and find the app’s URL showing after “id=”.
  0 of 5000 characters entered
- Customize Dex Experience (Premium)
  Configured
  Use this control to enable customization of your DeX mode. (Configure DeX customization profile below)
Dual Data-at-rest (DAR) Encryption
These controls will work on devices with Dual DAR version 1.4.1 or above and only when Dual DAR has already been setup for the Workspace using either supported UEM or via Knox Mobile Enrollment (KME) portal. *Note: You need a KPE Premium license with Dual DAR add-on to use this feature. Supported from Android 12 and S22 only.
- Enable Dual DAR controls
  Configured
  Use this control to enable Dual DAR settings for the Workspace. If this control is not enabled, any Dual DAR policy settings you change are ignored and the device may use Dual DAR with default values.
- Data lock timeout type
  Configured
  Use this control to set a data lock type. This locks the credential encrypted (CE) storage and flushes the key from memory. Once locked, apps can’t use the CE until user provides the credential again.
  No lock-out
  Specified value
- Data lock timeout value (in minutes)
  Configured
  Use this control to specify the data lock timeout value in minutes. To use this feature, you must set the data lock timeout type to specified value.
  5
  1 of 5000 characters entered
- Restrict access to device encrypted (DE) storage
  Configured
  Use this control to enable or disable access restrictions to the DE storage. By default, apps in the DualDAR area are allowed to access the DE storage. Enabling this control prevents apps, other than those allowlisted by Admin, to access DE storage.
- List of apps allowed to access DE storage and to run in data locked state
  Configured
  Use this control to specify the list of apps that are allowed to access DE storage and to run in data locked state.
  0 of 5000 characters entered
- Set password minimum length for inner
  Configured
  Use this control to set the password minimum length for inner layer password at DualDAR for fully managed devices use case.
  0 of 5000 characters entered
- Set a new password for inner layer
  Configured
  Use this controls to set a new password for inner layer at DualDAR for fully managed devices use case. Note that the password must be stronger than requested quality, for example, a password containing alphanumeric characters when the requested quality is only numeric.
  0 of 5000 characters entered
Firewall and Proxy policy
A group of policies for firewall setup and configuration. IT admins can enforce these policies for fully managed devices with or without a Work profile. Availability: Knox v2.7 or higher with a Premium license.
- Enable firewall controls
  Configured
  Use this control to enable or disable the firewall controls for fully managed devices with or without a Work profile.
- Name of firewall configuration to use
  Configured
  Enter the name of the primary firewall configuration profile that apps can use for network connections. This profile name must match the value set in the Firewall profiles section.
  Firewall config 1
  17 of 5000 characters entered
- Enable Proxy on device
  Configured
  Use this control to enable or disable a global proxy on a device that routes all internet traffic through a proxy server of your choice. This works for both Wi-Fi and data connections. You can use either a fixed proxy server address or a proxy auto-config (PAC) file. According to your selection here, the settings provided in either the "Manual proxy configuration" or "Proxy auto configuration" section below will be used.
  None
  Use manual proxy configuration
  Use proxy auto-config (PAC)
Firmware update (FOTA) policy
A group of controls to configure firmware updates settings.
- Enable firmware controls
  Configured
  Use this control to enable or disable advanced firmware update options. If this control is disabled, any changes to other firmware update related settings have no impact.
- Allow firmware update over-the-air
  Configured
  Use this control to enable or disable firmware updates using Firmware-Over-The-Air (FOTA) technology. When this policy controls is set to false, all possible OTA upgrade requests (user initiated, server initiated, and system initiated) are blocked; the user may see server messages related to new firmware updates but any attempt to upgrade fails. This does not block user from updating firmware using recovery mode.
- Allow firmware update in recovery mode
  Configured
  Use this control to enable or disable firmware updates when the device is in recovery mode. Recovery Mode is a device mode which allows users to factory reset, fix some problems or apply software updates on the device. If the firmware controls are disabled, any changes to this setting have no impact.
- Enforce firmware auto update on Wi-Fi (Premium)
  Configured
  Use this control to enable or disable automatic firmware updates when the device is connected to Wi-Fi network. Enabling this control will turn-on the device setting to auto-update on W-Fi and block the user from modifying it. Disabling this control will reset the setting and allow user to freely modify the setting on the device. If the firmware controls are disabled, any changes to this setting have no impact.
- Enable E-FOTA client installation & launch
  Configured
  Use this control to enable or disable installation and launch of E-FOTA client
Network Platform Analytics (NPA) (Premium)
A group of controls to enable and configure NPA clients to collect network activity data on the device. Available with a KPE Premium license.
- Enable NPA Controls
  Configured
  Use this control to allow your NPA client to collect network activity data on the device. Enable this option before you specify any other options for your NPA client.
- NPA Client
  Configured
  Select the NPA Client that can collect network activity data on the device.
  Cisco Connect
- NPA Profile for Data Points
  Configured
  Enter the name of the profile that specifies the data points you want the NPA Client to collect. This profile name must match the ‘Profile Name’ value set in the NPA Data Points Profile section.
  NPA profile 1
  13 of 5000 characters entered
Password Policy
A group of policies to manage password policies on the device, including enabling or disabling the ability to manage passwords and other authentication methods to log in to the device.
- Enable password policy controls with KSP
  Configured
  Use this control to allow management of password policies on the device. Enable this option before changing any password related settings. If this option is not enabled, any settings for password and other authentication related items are ignored.
- Biometric authentication
  A group of policies to manage the biometric authentication option without user interaction.
  Enable fingerprint authentication
  Configured
  Use this control to allow or stop the use of fingerprint recognition for authentication.
  Enable Iris authentication
  Configured
  Use this control to allow or stop the use of iris recognition for authentication.
  Enable Face recognition
  Configured
  Use this control to allow or stop the use of facial recognition for authentication.
- Enable multifactor authentication (Premium)
  Configured
  Use this control to enable or disable multifactor authentication (2FA). Once enabled, a device is only unlocked after two authentication methods are provided, including one biometric input (iris / fingerprint) and one lock screen method (PIN / password / pattern).This feature is available only on Knox 3.2.1 and above. Caution: Incorrect use of this policy together with “One Lock” and “Biometric policy” can lock your device.
- Password Change (Premium)
  A group of policies to manage password change.
  Enforce Password Change
  Configured
  Use this control to enforce password change. if no password set, enforce to set. Caution: Verify password enforcement condition before saving any new policy otherwise it will enforce password at unexpected time
  Password Enforcement timeout
  Configured
  Enter the value in mins up to which user can cancel/delay the password change
  Password Enforcement timeout
  1 of 10 characters entered
- Password Restriction
  A group of policies to manage password restriction.
  Maximum Character Sequence Length
  Configured
  Use this policy to specify the maximum length of an alphabetic sequence that is allowed for a device password.
  Maximum Character Sequence Length
  1 of 10 characters entered
  Maximum Numeric Sequence Length
  Configured
  Use this policy to specify the maximum length of numeric sequence that is allowed for a device password.
  Maximum Numeric Sequence Length
  1 of 10 characters entered
  Minimum Password Length
  Configured
  Use this policy to specify minimum length password allowed for device.
  Minimum Password Length
  1 of 10 characters entered
- Allowed Time for User Activity before Device Locks
  Configured
  Enter the maximum number of time in seconds for user activity until the device will lock. A Value of 0 means there is no restriction; Caution: The API takes into effect immediately.
  Allowed Time for User Activity before Device Locks
  1 of 10 characters entered
- Maximum Failed Password Attempt to Wipe Data
  Configured
  Enter the maximum number of failed password allowed until the data in the device is wiped. Caution: The API takes into effect immediately with the # of failed attempts and data will be wiped completely and no possible way to revert.
  Maximum Failed Password Attempt to Wipe Data
  1 of 10 characters entered
- Maximum Failed Password Attempt to Disable Device
  Configured
  Set the maximum permitted failed password attempts before the device is rendered inoperable. When the set value is exceeded, the device container is disabled and a blocking page displays to the user. The impacted device can be re-enabled using API by setting set this value to zero (0). However, KSP cannot be used to unlock just the impacted device, and each device within the impacted device group will have this feature disabled. Additionally, when the disabled device is rebooted it remains in a file-based encrypted state, and is unable to receive any KSP policies.
  Maximum Failed Password Attempt to Disable Device
  1 of 10 characters entered
- Define Password Quality
  Configured
  Select level of complexity you would like to define for the device password; From No Password to Complex Password (letter, numeric, alphanumeric); Numeric Complex Password must include numeric character with no repeating or ordered
  No Password
  Some Password
  Numeric
  Alphabet
  Alphanumeric
  Numeric Complex
  Complex
- Disable Keyguard Feature
  Configured
  Select the Keyguard feature to disable
  None
  Disable Trusted Agents
- Enable password visibility
  Configured
  Use this policy to control the visibility of Password while Typing
Peripheral Configuration Policy
A group of controls for Peripheral Configuration Policy
- Enable Peripheral Configuration controls
  Configured
  Use this setting to enable peripheral configurations. Use the Peripheral Configuration section to configure various peripheral devices. *Note: Peripheral Configuration Policies are deprecated in the KSP release (23.12). Due to their deprecation, we strongly suggest that you no longer use these policies since android 14(Knox 3.10.0). See KSP Release Notes for details.
ZTNA Policy
A group of controls for Zero Trust Network Access (ZTNA). *Note: You need a KPE Premium license to use this feature which is supported from Android 14 and later only.
- Enable ZTNA controls
  Configured
  Use this control to enable ZTNA. *Note: You need a KPE Premium license to use this feature which is supported from Android 14 and later only.
- Package Name
  Configured
  Package name of the authorized network filter client application
  0 of 5000 characters entered
- Package Signature
  Configured
  Public key of the authorized network filter client application (optional)
  0 of 5000 characters entered
Universal Credential Manager policy (Premium)
A group of policies to manage credentials in both external and internal device storage, for example, a smartcard, micro SD card, or embedded Secure Element. A KPE Premium license is required for all policies in this group.
- Enable UCM policy controls
  Configured
  Use this control to enable or disable UCM policies. Enable this option before using any of the UCM policies. If this option is disabled, any UCM settings and policies are ignored.
- UCM plugin for device lock
  A group of policies to specify how to use a UCM plugin for device unlock.
  Enable UCM plugin for device lock
  Configured
  Use this control to enable or disable device unlock through a UCM plugin. Enable this option to allow the specified plugin app to use stored credentials to unlock a device. Once enabled, device users cannot change the lock type. Disable to let device users control the lock type.
  Name of UCM plugin configuration to use
  Configured
  Enter the name of a UCM plugin configuration, which specifies how credential storage is used. Ensure that the name used here matches at least one name in the UCM Plugin Configurations > Name field.
  UCM Config 1
  12 of 5000 characters entered
- General purpose UCM plugin
  A group of policies to control a credential storage and UCM plugin that manages the credential storage.
  Enable a general purpose UCM plugin
  Configured
  Use this control to enable or disable a general purpose UCM plugin. Enable this option to manage a credential storage and the UCM Plugin used to access the storage. Disable to prohibit general access to the storage space.
  Name of UCM plugin configuration to use
  Configured
  Enter the name of a UCM plugin configuration, which specifies how credential storage is used. Ensure that the name used here matches at least one name in the UCM Plugin Configurations > Name field.
  UCM Config 2
  12 of 5000 characters entered
VPN policy (Premium)
A group of policies for VPN setup and configuration. IT admins can enforce these policies for fully managed devices with or without a Work profile. Availability: All Knox versions with a Premium license.
- Enable VPN controls
  Configured
  Use this control to enable or disable VPN controls for the device. Enable VPN controls before changing any VPN related settings. If VPN controls are not enabled, any settings for VPN related items are ignored.
- VPN type
  Configure
  Choose the VPN type applicable to the apps on the device. For fully managed devices without a Work profile/Separated Apps, choose between all apps or specific apps. For devices with a Work profile, choose between all three options.
- Manage list of apps that use VPN
  Use these controls to add a list of applications at a device-wide or Work profile/Separated Apps specific level that can use VPN and connect to the network directly.
  Select apps in the device, in the main user
  Configured
  For fully managed devices with app-specific VPN, enter a comma-separated list of package names to specify apps that must use VPN to connect. For devices with a Work profile, enter the Personal profile apps that must use VPN to connect. To use VPN for all apps, do not enter any app names. Default value is all apps.
  0 of 5000 characters entered
  Select apps in the Work profile/Separated Apps
  Configure
  For fully managed devices with a Work profile/Separated Apps and the VPN type set to Selected Apps, enter the list of Work profile/Separated Apps apps that must use VPN to connect. Enter a comma-separated list of package names to specify the apps. To use VPN for all Work profile/Separated Apps, leave blank. Default value is all apps.
- Enable on-demand VPN
  Configure
  For fully managed device with or without a Work profile/Separated Apps, enter a comma-separated list of package names to specify apps that can use VPN connections. To use VPN for all apps, do not enter any app names.
- Manage list of apps that can bypass VPN
  Use these controls to add a list of applications at a device-wide or Work profile/Separated Apps specific level that can bypass VPN and connect to the network directly.
  Apps in main user
  Configured
  For fully managed device with or without a Work profile/Separated Apps, enter a comma-separated list of package names to specify apps that can bypass VPN connections. To use VPN for all apps, do not enter any app names.
  0 of 5000 characters entered
  Apps in work profile/Separated Apps
  Configure
  For fully managed devices with a Work profile/Separated Apps, enter a comma-separated list of package names to specify apps that can bypass VPN connections. To use VPN for all apps, do not enter any app names.
- Name of VPN profile to use
  Configured
  Enter the name of the primary VPN configuration profile that apps can use for network connections. This profile name must match the "Profile name" value set in one of the "VPN profiles" below.
  VPN profile 1
  13 of 5000 characters entered
- Enable VPN chaining
  Configure
  Use this control to enable the use of two VPNs to double encrypt the data-traffic from apps added to the VPN profile.
- Name of secondary VPN profile to use
  Configure
  For devices with multiple VPN profiles, enter the name of the outer VPN configuration profile. This VPN server decrypts all data before passing it to the VPN client. This profile name must match the value set in the VPN profiles section.

Work profile policies (Profile Owner)

A group of policies and restrictions that are applicable to the Work profile user of the device. Starting Knox 3.0, a KPE Premium license activation is required for using any policy in the work profile.

Advanced Wi-Fi Configurations (Premium)

A group of controls for Advanced Wi-Fi configurations

Allowed apps for reading private keys Configurations (Premium)

A group of controls that drive Allowed Apps for reading private keys configurations

Allowed USB devices for Applications Configurations

A group of controls that drive Access for USB Devices for Applications

APN configurations

A group of policies to specify one or more Access Point Name configurations. For example, APN name, APN type, authentication type and more.

Certificates (Premium)

A group of policies to specify one or more Certificate configurations.

Device Account Policy Configurations

A group of controls to Enable Device Accounts policies

Device and Settings customization profile (Premium)

A group of controls to configure and customize the device user's experience. These features are available only with a KPE Premium license with customization permissions.

Enable Device Name in Settings
Use these group of controls to enable device name in settings
- Set Device Name
  Configured
  Use this setting to specify device name
  0 of 5000 characters entered
- Allow Device Name Change by End User
  Configured
  Use this control to allow device name change by user
Samsung keyboard controls
Use this control to enable and configure Samsung's built-in keyboard.
- Disable Predictive text
  Configured
  Use this control to enable or disable the use of predictive text to facilitate typing on the device by suggesting words the device user may want to use in a text field. Predictions are based on the context of other words in the message and the first few letters typed.
- Disable Keyboard settings
  Configured
  Use this control to enable or disable the settings that let the user switch between different Samsung Keyboard options.
- Samsung Keyboard Toolbar Controls
  Use this control to enable or disable toolbar configuration of Samsung Keyboard
  Disable Emoticon
  Configured
  Use this control to enable or disable Emoticons on Keyboard Toolbar
  Disable Sticker
  Configured
  Use this control to enable or disable Sticker on Keyboard Toolbar
  Disable Gif Keyboard
  Configured
  Use this control to enable or disable Gif Keyboard on Keyboard Toolbar
  Disable Voice Input
  Configured
  Use this control to enable or disable Gif Keyboard on Keyboard Toolbar
  Disable Live Message
  Configured
  Use this control to enable or disable Live Message on Keyboard Toolbar
  Disable Handwriting Input
  Configured
  Use this control to enable or disable Handwriting Input on Keyboard Toolbar
  Disable Clipboard
  Configured
  Use this control to enable or disable Clipboard on Keyboard Toolbar
  Disable Modes
  Configured
  Use this control to enable or disable Modes on Keyboard Toolbar
  Disable Text Edit Panel
  Configured
  Use this control to enable or disable Text Panel Edit on Keyboard Toolbar
  Disable Search
  Configured
  Use this control to enable or disable Search Keyboard Toolbar
  Disable Spotify
  Configured
  Use this control to enable or disable Spotify on Keyboard Toolbar
  Disable YouTube
  Configured
  Use this control to enable or disable YouTube on Keyboard Toolbar
  Disable AdjustSize
  Configured
  Use this control to enable or disable AdjustSize on Keyboard Toolbar
  Disable ARemoji
  Configured
  Use this control to enable or disable AR emoji on Keyboard Toolbar
  Disable Bitmoji
  Configured
  Use this control to enable or disable Bitmoji on Keyboard Toolbar
  Disable Expression
  Configured
  Use this control to enable or disable Expression on Keyboard Toolbar
  Disable Mojitok
  Configured
  Use this control to enable or disable Mojitok on Keyboard Toolbar
  Disable SamsungPass
  Configured
  Use this control to enable or disable Samsung Pass on Keyboard Toolbar
  Disable Translation
  Configured
  Use this control to enable or disable Translation on Keyboard Toolbar
Quick Panel configuration
A group of policies to customize the access to the Quick Settings Panel on the device.
- Items on Quick Panel
  Use these controls to hide or show one or more items from the list of shortcuts available in the Quick Settings Panel. Other shortcuts not listed here will be shown by default.
  Show airplane mode control
  Configured
  Use this control to show or hide shortcut to the airplane mode control on quick settings panel.
  Show screen rotation control
  Configured
  Use this control to show or hide shortcut to the screen rotation control on quick settings panel.
  Show always-on screen control
  Configured
  Use this control to show or hide shortcut to the always-on screen control on quick settings panel.
  Show bluetooth control
  Configured
  Use this control to show or hide shortcut to the bluetooth control on quick settings panel.
  Show Samsung DeX control
  Configured
  Use this control to show or hide shortcut to the Samsung DeX control on quick settings panel.
  Show mobile hotspot control
  Configured
  Use this control to show or hide shortcut to the mobile hotspot control on quick settings panel.
  Show NFC control
  Configured
  Use this control to show or hide shortcut to the NFC control on quick settings panel.
  Show background sync control
  Configured
  Use this control to show or hide shortcut to the background data sync control on quick settings panel.
  Show Wi-Fi control
  Configured
  Use this control to show or hide shortcut to the Wi-Fi control on quick settings panel.
  Show Location control
  Configured
  Use this control to show or hide shortcut to the Location control on quick settings panel.
  Show Screen Mirroring control
  Configured
  Use this control to show or hide shortcut to the Screen Mirroring control on quick settings panel.
  Show Do Not Disturb control
  Configured
  Use this control to show or hide shortcut to the Do Not Disturb control on quick settings panel.
  Show Dolby control
  Configured
  Use this control to show or hide shortcut to the Dolby control on quick settings panel.
- Allow user to edit Quick Panel
  Configured
  Use this control to allow or block the device user from editing the configuration of the Quick Settings Panel.
Disable app suggestions
Configured
Use this control to disable application suggestions in the task manager and other places on the device. Availability: Knox 3.4 and above.
Enable battery protection setting
Configured
Use this control to enable the "protect battery" device setting. This stops your device from charging before it reaches 100%. *Note: that setting does not take effect until the next device reboot. Availability : This feature will work for tablets, galaxy xcover pro/xcover5 from Android 11, and mobile device from Android 12. Select devices support this setting. This policy has no effect on unsupported device.
Lockscreen customization
A group of controls to allow customization of UI shortcuts available on the device’s lockscreen. Available with a KPE Premium license.
- Lockscreen shortcuts
  Use this control to enable the use of lockscreen shortcuts on the device. Enable this option before customizing app shortcuts.
  App for left shortcut
  Configured
  Enter a package name to specify the app that opens when the user uses the left shortcut on the lockscreen.
  0 of 5000 characters entered
  App for right shortcut
  Configure
  Enter a package name to specify the app that opens when the user uses the right shortcut on the lockscreen.
Configure values in settings menu
Configure
A group of policies to customize the device settings menu. These settings are part of the Deep Settings Customization feature that is available on device with KPE Premium licenses on Knox v3.4 and higher. Support for individual settings varies based on the device’s model and OS.
Audio Volume Controls
Configure
Use this control to configure the Audio Stream & Volume Controls

Device Key Mapping to Launch application Configurations

A group of controls for device key mapping configurations

DeX customization profile (Premium)

A group of settings that help customize Samsung DeX experience for the user. These features are available only with a KPE Premium license.

Firewall configuration profile

A group of controls that drive the firewall configuration on the device

Firewall configuration name
Configure
Enter the name of the firewall configuration profile in this field. Use a unique and descriptive name, including the name of the firewall provider and other identifying descriptions. For example, FirewallProvider1. Use the value in this field as a reference for the value in the Firewall profile name in the firewall policy section.
Allow rules
Configure
A group of controls to specify the network connections allowed on the device. The firewall allow rule takes precedence over the deny rules.
Deny rules
Configure
A group of controls to specify the network connections denied access on the device. CAUTION: Adding a DENY ALL rule disconnects the device completely from Network. To retain control on the device, always add ALLOW rules that guarantee UEM Agent connectivity before adding a DENY ALL rule.
Redirect rules
Configure
A group of controls to specify when and how firewall access requests are redirected.
Redirect exceptions
Configure
A group of controls to specify which data connections are not redirected.
Domain filters
Configure
A group of controls to specify how traffic to and from specific domains are handled.
Prioritize Domain filters over allow and deny rules
Configured
Enable this flag to process Domain Filters before other firewall rules. Once enabled, next time an application tries to send a domain name resolution request, the Domain rules will be analyzed before Firewall rules, deciding to allow or block the request. Note that this would allow data packets if there is a specific allowlist rule for that domain in Domain Filter. Data packets to non-allowlisted domains may still be blocked if there is a Firewall deny rule for it.

Manual Proxy configuration

A group of policies to specify the global proxy setting using a specified server host and port. Contact your network administrator for this information.

Server
Configured
Enter the proxy server information in this field. Contact your Network or IT Administrator for this information.
0 of 5000 characters entered
Port
Configured
Enter the port number of the proxy server host in this field. Contact your Network or IT Administrator for this information.
0 of 5000 characters entered
Username
Configured
If your proxy uses authentication, then use this field. If you want to use admin provided credentials, enter the username for use with the proxy server. Leave this field empty if you do not use authentication or if the proxy requires users corporate credentials to authenticate.
0 of 5000 characters entered
Password
Configured
If your proxy uses authentication, then use this field. If you want to use admin provided credentials, enter the password for use with the proxy server. Leave this field empty if you do not use authentication or if the proxy requires users corporate credentials to authenticate.
0 of 5000 characters entered
Host IP addresses to exclude from Proxy
Configured
Specify any IP addresses you want to bypass the proxy. Enter the values as a comma separated list of the IP addresses, for example, “123.123.55.0, 123.123.50.0”.
0 of 5000 characters entered
Domain to exclude from Proxy
Configured
Specify the domains that can bypass the proxy you have set. For example, you can specify that “samsung.com” as a domain and any DNS query to that domain and resulting data traffic will bypass the proxy.
0 of 5000 characters entered

NPA Data Points profile (Premium)

A group of controls that drive the Network Platform Analytics (NPA) data points configuration at a device-wide or Work profile level. Availability: Knox v3.3 or higher.

Profile name
Configured
Use this field to create a new NPA Data Points configuration profile. Enter a unique and descriptive name for this new configuration profile, for example, NPADataPoints1. Use the value in this field as a reference for the NPA profile name value in the NPA Data Points section.
NPA profile 1
13 of 5000 characters entered
NPA Data Points
A group of controls to specify the data points for collection. Available with a KPE Premium license.
- Select all Data Points
  Configured
  Set this option to True, to automatically set all the data points in the following section to True and collect them. Set this option to False, if you want to configure collection of specific data points only.
- Identification number of the application
  Configured
  Identification number of the application from where the network flow originated
- Identification number of the process
  Configured
  Identification number of the process from where the network flow originated
- Identification number of the parent application
  Configured
  Identification number of the parent to the application from where the network flow originated
- Identification number of the parent process
  Configured
  Identification number of the parent to the process from where the network flow originated
- Identification number of the application DNS request
  Configured
  Identification number of the application from where the DNS request originated
- IP address of the host
  Configured
  IP address of the host which originated the network flow
- IP address of the receiving host
  Configured
  IP address of the host that is receiving the network flow
- Source port number
  Configured
  Source port number from where the network flow originated
- Destination port number
  Configured
  Destination port number that is receiving the network flow
- Fully Qualified Domain Name (FQDN) of the destination IP address
  Configured
  Fully Qualified Domain Name (FQDN) of the destination IP address
- Transport layer protocol
  Configured
  Transport layer protocol used by the network flow
- Name of the process
  Configured
  Name of the process from where the network flow originated
- Name of the parent of the process
  Configured
  Name of the parent of the process from where the network flow originated
- SHA 256 encryption hash of the application
  Configured
  SHA 256 encryption hash of the application from where the network flow originated
- SHA 256 encryption hash of the parent of the application
  Configured
  SHA 256 encryption hash of the parent of the application which originated the network flow
- Number of L4 bytes sent
  Configured
  Number of L4 bytes (Network Flow payload size) sent during the network flow
- Number of L4 bytes received
  Configured
  Number of L4 bytes (Network Flow payload size) received during the network flow
- Network interface
  Configured
  Network interface (wlan0, tun0, rmnet0) which originated the network flow
- Start time
  Configured
  Start time of the network flow
- End time
  Configure
  End time of the network flow

Peripheral Configuration

A group of controls for peripheral configuration profiles. *Note: Peripheral Configuration Policies are deprecated in the KSP release (23.12). Due to their deprecation, we strongly suggest that you no longer use these policies since android 14(Knox 3.10.0). See KSP Release Notes for details.

Proxy auto-config (PAC)

A group of policies to specify the Proxy auto-config (PAC) based proxy setting, for example, the server, port details and more

PAC (Proxy auto config) URL
Configure
Specify the URL where a device fetches your Proxy Auto Configuration (PAC) file from. This file that determines the appropriate proxy server to use for each URL accessed. Contact your Network or IT Administrator for this information.
Authentication configurations
Configure
A group of controls to specify one or more authentication configurations. Note that a different username and password can be used for each individual proxy listed in a PAC file.

Permission Controls

A group of controls for permission configuration profiles

RCP Data Sync profile Configurations (Premium)

A group of controls that drive RCP Policy data sync configurations at a Work profile level.

UCM plugin configurations (Premium)

A group of controls to specify the configuration of one or more UCM plugins that access credential storage.

VPN profiles (Premium)

A group of configuration settings for the VPN profiles used to drive the primary and secondary VPN clients on the device. You can define up to two VPN profiles that are used for VPN Chaining.

Wi-Fi Configurations

A group of controls for Wi-Fi configurations