Managed configuration

Profile name(version)

Add a unique profile name(version) that highlights the policies and restrictions applicable to this profile. You can later use the name(version) for tracking and debugging. If you use the profile name and version together, you can manage the profile by version. To ensure a good user experience, we recommend using a name less than 50 characters in length.

Knox License key(Knox Suite, DualDAR, etc)

If your UEM console supports Knox license information, enter your Knox License there. For UEM consoles not showing this information, enter your Knox License Key in this field. This field does not apply to BlackBerry users. Applies to devices running Android P and Knox v3.2.1 or higher. To buy a Knox license, contact your Samsung Knox Reseller.

Debug Mode

The informative mode shows policy results and errors on the device. We recommend enabling this mode only during the test phases and not during final deployment.

Separated Apps policies

A group of policies and restrictions that are applicable to Separated Apps.

Enable Separated Apps

Turn Separated Apps policies on or off. Enable this option before using any of the Separated Apps policies. If this option is disabled, KSP applies a policy to remove Separated Apps from the device, and all apps installed inside Separated Apps are uninstalled from the device.

Allow List Policy

A group of policies for specifying the list of apps to be separated and whether the specified list of apps should be installed outside or inside of the separate space. Available with Knox 3.7 or higher.

Location for Separate Apps installation

If the value is set to Outside, the specified apps are installed outside (i.e., in user0), and apps not in the list are installed inside. If the value is set to Inside, the specified apps are installed inside (i.e., inside the separate space), and apps not in the list are installed outside.

List of Apps to Separate

Provide the list of applications that will be separated from all the other apps not in this list. *Note: If Outside is selected for Location for Separate Apps installation, existing apps installed outside in User0 that are not part of this list will be uninstalled.

Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted)

A global group of policies and restrictions that are applicable to all users of the device. This list includes items that impact all users on the device, whether they fall under personal or work profiles. Availability: Knox 3.0 and above.

Enable device policy controls

Use this control to enable or disable device-wide policies. Enable this option before using any of the device-wide policies. If this option is disabled, KSP does not apply any policies in the default user (User 0). *Note: Privacy-related functions are not supported in WP-C mode (for example, APN Policy, Certificate Management Policy, and so on).

Advanced Restriction policies (Premium)

A group of controls to manage advanced restriction policies. A KPE Premium license is required for all policies in this group.

Enable Advanced Restrictions controls

Use this control to enable advanced controls on the device.

Allow Wi-Fi scanning

Use this control to block the device from scanning for Wi-Fi networks in range; the device uses this scanning to improve the accuracy of location detection. Available with Knox 3.2 or higher.

Allow bluetooth scanning

Use this control to block the device from scanning for Bluetooth devices in range; the device uses this scanning to improve the accuracy of location detection. Available with Knox 3.2 or higher. *Note: If disabled, all Bluetooth functionality is disabled. If Bluetooth scanning is disabled, location accuracy decreases and the device does not allow apps and services to scan for and connect to nearby devices automatically via Bluetooth.

Allow remote control

Use this control to block connections to the device from third-party remote control apps. Available with Knox 3.0 or higher.

Allow process data only on device

Select this option to enable the "process data only on device" menu. *Note: The menu appears on the device when you activate the Samsung Account. Supported on some flagship models and on OneUI 6.1 and later.

Enable Common Criteria (CC) mode

Use this control to enable services to bring the device into the Common Criteria-evaluated configuration, called CC Mode.

Allow dual SIM operation

Use this control to enable or disable the secondary SIM card slot on a dual SIM device. Disabling this policy blocks functions on the second SIM, preventing calls, SMS / MMS and data. Enabling the policy returns all ordinary functions to the previously blocked SIM. This policy is ignored by devices that only have one SIM.

Allow eSIM operation

Use this control to enable or disable eSIM operation. Available with OneUI 6.0 and higher.

Allow SOS call with side key pressing

Use this control to enable or disable the SOS call triggered by pressing the side key. Available with Knox 3.11 and higher.

Wi-Fi Advanced Detect suspicious network

A group of controls to configure WIPS, which prevents unauthorized network access to local area networks and other information assets by wireless devices.

Enable WIPS Control

Use this control to enable or disable WIPS options. If this control is disabled, any changes to other WIPS related settings have no impact.

Allow WIPS Enforcement

Select this option to enforce the feature so that the end user cannot bypass WIPS.

Allow WIPS Advance Protection

Select this option to disallow the end user from changing WIPS.

Set USB Device Connection Type

Use this control to select the USB connection type.

Allow copy contact to SIM operation

Use this control to enable or disable copying contacts from the device to the SIM card.

Application management policies

A group of policies to configure and manage applications on the device.

Enable application management controls

Use this control to enable or disable advanced application management settings.

Battery optimization allowlist

Use this control to exempt applications from battery usage optimizations such as Android Doze mode. For a fully managed device with a Work profile, enter the list of applications on the personal profile to allowlist. To specify Work profile-only apps, go to the Work Profile Policies > App Management section. Enter a comma-separated list of package names to specify the apps to allowlist.

Notifications allowlist

Use this control to stop applications from showing notifications on the status bar. When this policy is enabled, notifications from all applications are blocked except for the apps specified in this allowlist. Enter the values as a comma-separated list, or use a wildcard to add multiple apps to the allowlist. To use an advanced query, use correct regular expression syntax.

Notifications blocklist

Use this control to add a list of package names to the notification blocklist. Enter the values as a comma-separated list, or use a wildcard to add multiple apps to the blocklist. To use an advanced query, use correct regular expression syntax.

App update controls

Application update policy

Use this control in combination with the following List of apps control to allow or restrict updates to specific apps. The default value is set to 'None', meaning apps on your device update per the policies you've specified in your Device Settings and in app settings on Managed Google Play Store.

List of apps

Use this field to allow or restrict app updates for specific apps. Enter the values as a comma-separated list, or use a wildcard to specify multiple apps. To use an advanced query, use correct regular expression syntax.

Allow USB Devices for default access by Application (Configure profiles below)

Use this setting to grant user permission for one or more USB devices to be used by a particular package. Use the Allowed USB devices for Applications section for configuration.

Application Allowlist by Pkg Name

Use this control to allowlist applications to be installed on the DO. When this policy is enabled, third-party applications (applications that are not part of the system image) are allowlisted based on the application package name. Enter the values as a comma-separated list, or use a wildcard to add multiple apps to the allowlist. To use an advanced query, use correct regular expression syntax. If the package name of an application currently being installed matches a package name pattern in both the blocklist and allowlist, the allowlist takes priority and the application is installed.

Application Blocklist by Pkg Name

Use this control to blocklist applications to be installed on the DO. When this policy is enabled, third-party applications (applications that are not part of the system image) are blocklisted based on the application package name. Enter the values as a comma-separated list, or use a wildcard to add multiple apps to the blocklist. To use an advanced query, use correct regular expression syntax. If the application package is already installed, the API does not affect the existing installation.
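The following is an added example, not Samsung's or KSP's code: a small Python model of the install-time decision described by the two package-name controls above, plus a check that finds blocklist entries an allowlist pattern silently overrides. It assumes that '*' behaves as a glob-style wildcard, that matching is case-sensitive, and that a package matching neither list may be installed; the package names are constructed sample values.

```python
"""Model of the allowlist/blocklist install decision (added example).

Assumptions, not taken from KSP itself: '*' is a glob-style wildcard,
matching is case-sensitive, and a package in neither list is allowed.
"""
from __future__ import annotations

from fnmatch import fnmatchcase


def parse_list(value: str) -> list[str]:
    """Split a comma-separated field such as "com.xyz, com.abc" into entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def matches(package: str, patterns: list[str]) -> str | None:
    """Return the first pattern that matches the package name, else None."""
    for pattern in patterns:
        if fnmatchcase(package, pattern):
            return pattern
    return None


def install_decision(package: str, allowlist: list[str], blocklist: list[str],
                     *, system_app: bool = False) -> tuple[bool, str]:
    """Decide whether an install proceeds, and say which rule decided it."""
    if system_app:
        # The lists cover third-party apps only (not part of the system image).
        return True, "system-image app: not covered by the lists"
    allow_hit = matches(package, allowlist)
    if allow_hit:
        # A match in both lists resolves in favour of the allowlist.
        return True, f"allowlist entry {allow_hit!r} takes priority"
    block_hit = matches(package, blocklist)
    if block_hit:
        return False, f"blocklist entry {block_hit!r}"
    return True, "no list entry matches (assumed default: allowed)"


def shadowed_block_entries(allowlist: list[str],
                           blocklist: list[str]) -> dict[str, str]:
    """Literal blocklist entries that never take effect.

    Because the allowlist wins, a blocked package name that also matches an
    allowlist pattern is installable. Wildcard blocklist entries are skipped:
    only literal names can be checked exactly.
    """
    shadowed = {}
    for entry in blocklist:
        if "*" in entry:
            continue
        hit = matches(entry, allowlist)
        if hit:
            shadowed[entry] = hit
    return shadowed


# Constructed sample values: block everything, then allow selected packages.
ALLOW = parse_list("com.example.mail, com.example.tools.*")
BLOCK = parse_list("*, com.example.tools.debugger")

if __name__ == "__main__":
    for pkg in ("com.example.mail", "com.example.tools.debugger",
                "com.other.game"):
        allowed, reason = install_decision(pkg, ALLOW, BLOCK)
        print(f"{pkg}: {'install' if allowed else 'blocked'} ({reason})")
    for entry, pattern in shadowed_block_entries(ALLOW, BLOCK).items():
        print(f"warning: blocklist entry {entry} is overridden by {pattern}")
```

Running the shadowing check before pushing a profile shows where a broad allowlist wildcard defeats a specific blocklist entry.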

Application Allowlist by Signature used

Use this control to allowlist applications to be installed on the DO. When this policy is enabled, third-party applications (applications that are not part of the system image) are allowlisted based on the signature used by the application. Enter the values as a comma-separated list, or use a wildcard to add multiple apps to the allowlist. If the signature of an application currently being installed matches the signature in both the blocklist and allowlist, the allowlist takes priority and the application is installed.

Application Blocklist by Signature used

Use this control to blocklist applications to be installed on the DO. When this policy is enabled, third-party applications (applications that are not part of the system image) are blocklisted based on the signature used by the application. Enter the values as a comma-separated list, or use a wildcard to add multiple apps to the blocklist. If the application package is already installed, the API does not affect the existing installation.

Disable Application without user interaction

Use this control to disable applications without user interaction. The disabled application package is not uninstalled, but the device user cannot use it. The API does not affect the future application package state. Enter the values as a comma-separated list, for example, "com.xyz, com.abc".

Force Stop Blocklist

Use this control to prevent the user from stopping certain applications. The stop actions include force stop in the Settings app, stopping through third-party applications, stopping any background process by the system, and stopping any service from the application. Enter the values as a comma-separated list, or use a wildcard to add multiple apps to the blocklist. To use an advanced query, use correct regular expression syntax.

Widget Allowed List

Use this control to allow widgets to be installed on the DO. When this policy is enabled, widgets matching the list are allowed to be installed and all other widgets are blocked. Enter the values as a comma-separated list, or use a wildcard to add multiple widgets to the allowlist. If the package name matches the pattern in both the blocklist and allowlist, the allowlist takes priority.

Widget Blocked List

Use this control to block widgets from being installed on the DO. When this policy is enabled, a user cannot add widgets with package names that match the list, and existing widgets are removed from the launcher home screen. Enter the values as a comma-separated list, or use a wildcard to add multiple widgets to the blocklist. If the package name matches the pattern in both the blocklist and allowlist, the allowlist takes priority.

Package Name for Auto-Launch

Enter the package name of the application to launch after it is installed, along with the component name. Example: PackageName/ComponentName

Clear Cache Block List

Use this control to prevent the user from clearing cache for certain applications. The actions include clear cache in Settings app, clearing cache through third-party applications, and clearing service cache from the application. Also, wildcard characters like "com.xyz.*" can be used to specify multiple application package names.

Clear Data Block List

Use this control to prevent the user from clearing data for certain applications. The actions include clear data in Settings app, clearing data through third-party applications, and clearing service data from the application. Also, wildcard characters like "com.xyz.*" can be used to specify multiple application package names.

Disable Heat Management

Use this control to enable/disable the enhanced battery heat management algorithm. It aims to provide better battery performance by limiting resource consumption of background apps.

Enable permission controls

Use this control to pre-grant permissions for specific applications.

Audit Log (Premium)

A group of controls to enable audit log on the device. Available with a KPE Premium license. *Note: Audit Log policies have been deprecated and will no longer work in Android 12 or higher.

Enable Audit Log

Use this control to enable audit log to capture events such as Password policies set for devices; App installation and removal; Certificate failure and key generation; Account creation and removal; File exchange attempts over Wi-Fi etc. *Note: Audit Log policies have been deprecated and will no longer work in Android 12 or higher.

Audit Log Policy Configuration

A group of controls to configure audit log on the device. Available with a KPE Premium license

Audit Log Policies

Use this control to select granular audit log on the device

Audit Log Outcome

Use this control to select audit log outcome on the device

Audit Log Severity Level

Use this control to select severity level of Audit Log

Audit Log Frequency

Use this control to select the Audit log frequency

Call and Messaging control

A group of policies to manage device-wide call and messaging restrictions.

Enable call and messaging controls

Use this control to enable or disable the phone call and text messaging functionality on the device.

Manage RCS messaging

Use this control to block RCS on the device. RCS (Rich Communication Services) is an advanced messaging system that aims at making SMS messages more interactive, for example by letting users transmit in-call multimedia. By default, RCS messaging is allowed. This policy is only for the Samsung Native messages app (Samsung Message, Google Message).

Set disclaimer text for messages

Use this control to add disclaimer text to all outgoing SMS and MMS messages from the device. The disclaimer text should be limited to 30 characters.

Call Controls

A group of policies to manage call controls and restrictions

Blocklist Incoming Call restriction

Use this list to block incoming calls from certain numbers. Enter the values as a comma-separated list, or use a wildcard to add multiple numbers to the blocklist. To use an advanced query, use correct regular expression syntax.

Blocklist Incoming Call exception

Use this list to add exceptions to the blocklist for incoming calls from certain numbers. Enter the values as a comma-separated list, or use a wildcard to add multiple numbers to the blocklist. To use an advanced query, use correct regular expression syntax.

Blocklist Outgoing Call restriction

Use this list to block outgoing calls from certain numbers. Enter the values as a comma-separated list, or use a wildcard to add multiple numbers to the blocklist. To use an advanced query, use correct regular expression syntax.

Blocklist Outgoing Call exception

Use this list to add exceptions to the blocklist for outgoing calls from certain numbers. Enter the values as a comma-separated list, or use a wildcard to add multiple numbers to the blocklist. To use an advanced query, use correct regular expression syntax.

SMS Controls

A group of policies to manage SMS controls and restrictions

Blocklist Incoming SMS restriction

Use this list to block incoming SMS from certain numbers. Enter the values as a comma-separated list, or use a wildcard to add multiple numbers to the blocklist. To use an advanced query, use correct regular expression syntax.

Blocklist Incoming SMS exception

Use this list to add exceptions to the blocklist for incoming SMS from certain numbers. Enter the values as a comma-separated list, or use a wildcard to add multiple numbers to the blocklist. To use an advanced query, use correct regular expression syntax.

Blocklist Outgoing SMS restriction

Use this list to block outgoing SMS from certain numbers. Enter the values as a comma-separated list, or use a wildcard to add multiple numbers to the blocklist. To use an advanced query, use correct regular expression syntax.

Blocklist Outgoing SMS exception

Use this list to add exceptions to the blocklist for outgoing SMS from certain numbers. Enter the values as a comma-separated list, or use a wildcard to add multiple numbers to the blocklist. To use an advanced query, use correct regular expression syntax.

Certificate management policies (Premium)

A group of policies to control certificate management settings. For example, disable certificates, restrict certificates and more.

Enable certificate management controls

Use this control to enable or disable certificate management settings for the device. Enable this control before changing any certificate management settings. If this control is not enabled, any Enterprise certificate management policy is ignored.

Certificate revocation

Choose the Certificate revocation method most appropriate for your devices.

Enable revocation check

Use this to check certificate validation. For example, if you list "com.samsung.email" in an allowlist, any certificates used by this app for S/MIME encryption or signing are first checked against a Certificate Revocation List (CRL) to verify that they are still valid. Enter the application package names to check as a comma-separated list, for example, "com.xyz, com.abc".

Enable OCSP check before CRL

Use this to perform certificate validation using OCSP before checking a CRL. If the OCSP response is inconclusive, the device performs a CRL check.

List of apps to enable for verification

Use this to perform certificate revocation on a list of applications. Enter the values as a comma separated list of the application packages, for example, "com.xyz, com.abc".

Add trusted CA certificate

Enter the name of a Trusted CA Alias which was already defined in Certificate Alias. Enter the values as a comma separated list of the Trusted CA Alias

Block User from removing Certificate

Use this control to block the user from removing certificates from the keystore. By default, users are allowed to remove certificates from the keystore.

Allow applications to read private keys without alerting user (Configure profiles below)

Use this setting to allow applications to read private keys without alerting the user. To specify the application package name, host, port, alias, and storage name that are matched against what applications provide, use the Allowed apps for reading private keys section.

Install Certificate in keystore(s) silently

Enter the name of a CA Alias which will be installed silently in the device keystore(s). Enter the values as a comma separated list of the CA Alias

Client Certificate management (CCM) policies (Premium)

A group of policies to control client certificate management settings. *Note: CCM Policies are deprecated in the KSP release (22.05). Due to their deprecation, we strongly suggest that you no longer use these policies from Android 12 (Knox 3.8.0). See KSP Release Notes for details.

Enable client certificate management controls

Use this control to enable or disable client certificate management settings for the device. Enable this control before changing any client certificate management settings. If this control is not enabled, any Enterprise client certificate management policy is ignored. *Note: CCM Policies are deprecated in the KSP release (22.05). Due to their deprecation, we strongly suggest that you no longer use these policies from Android 12 (Knox 3.8.0). See KSP Release Notes for details.

Add packages to be exempted from access control

Enter the names of the packages to be exempted from access control. Enter the values as a comma-separated list of the package names.

Date Time Change

A group of controls to enable date and time change.

Enable Date Time Policy controls

Use this control to enable Date and Time Change

Allow Date Time change

Use this setting to allow or disallow date time change

Set NTP server info

Use specified NTP server to set date and time. Supported from Android 14 and later.

Server URL

Server URL

Timeout

Time in seconds

Max. no. of attempts to reach server

Max. no. of attempts to reach server

Poll interval for server

Time in seconds

Retry interval after failure

Time in seconds

Device Account Policy

A group of controls for Device Account Policy

Enable Device Account Policy controls

A group of controls to Enable Device Account Policy

Enable Device Account policies (Configure profiles below)

Use this setting to enable device account addition policies

Device Admin allowlisting

A group of policies to manage Device Administrator (DA) privileges to specific apps when KSP is launched on the device. By default, DA level access is blocked for all apps. KSP cannot deactivate DA level access for an app that is already activated before KSP is launched.

Enable device admin controls

Use this control to enable or disable Device Admin allowlisting control for applications on a device where KSP is launched.

Allowlisted DAs

By default, KSP will block activation of any application as device admin, except those specified in this allowlist. Enter a comma-separated list of packages to specify the list of apps to allowlist.

Device Controls

A group of policies to manage device controls, such as APN settings, NFC policies, certificate management, and more.

APN Setting Policy

A group of policies to create, update and remove Access Point Name (APN) settings on the device.

Enable APN settings policy control

Use this control to enable or disable APN settings for the device. Enable this control before changing any APN settings. If this control is not enabled, any APN settings are ignored. *Note: When the APN Setting Policy is enabled, the eSIM menu disappears to prevent conflicts between functions.

Name of APN Configuration to add or update

Enter the name of the APN configuration profile that needs to be added or updated. Ensure that the name used here matches at least one name in the APN configuration > name field. For example, "samsungAPN3"

Allow user to change APN Settings

Use this control to allow or prevent user from changing the APN settings.

Data Roaming Policy

A group of policies to control the data roaming settings on the device.

Enable data roaming policy control

Use this control to enable or disable data roaming settings for the device. Enable this control before changing any data roaming settings. If this control is not enabled, any data roaming settings are ignored.

Turn on data roaming

Use this control to set the data roaming status on device. Supported from Knox 3.10 and OneUI 6.1. *Note: To set data roaming to on/off, turn on the Allow data roaming function first.

Allow data roaming

Use this setting to allow or prevent users from changing the current data roaming state (on or off).

Allow voice call

Use this setting to allow or prevent users from changing the current voice call state (on or off).

Network Mode Policy

A group of policies to control the Network mode settings on the device.

Enable network mode policy control

Use this control to set the network mode type for the device. Enable this control before changing any network mode settings. If this control is not enabled, any data roaming settings are ignored.

Set Network mode

Use this control to set the network mode. *Note: Supported from S OS, US OPEN, TMO and S21 only.

NFC Policy

A group of policies to control Near Field Communications (NFC) settings. For example turning NFC on or off.

Enable NFC policy controls

Use this control to enable or disable NFC settings for the device. Enable this control before changing any NFC settings. If this control is not enabled, any NFC settings are ignored.

Turn on NFC

Use this control to turn NFC on or off. If this setting is disabled, all NFC related functions will not work such as NFC based payment systems or NFC tags.

Allow user to change NFC state

Use this setting to allow or prevent users from changing the current NFC state (on or off).

Wi-Fi Policy

A group of policies to control Wi-Fi settings. For example setting Wi-Fi hotspots, allowlisting specific connections etc.

Enable Wi-Fi policy controls

Use this control to enable or disable Wi-Fi policies on a device. If this control is not enabled, any Wi-Fi settings you change are ignored.

Set Wi-Fi hotspot SSID

Use this control to name the Wi-Fi hotspot saved on a device. For example, you can set a custom name, such as "MyMobileWifi", instead of using the default SSID.

Set Wi-Fi hotspot password

Use this control to enforce a password when a Wi-Fi mobile hotspot is enabled. If this field is empty, users can create an unsecured hotspot network. Passwords should be eight or more characters long.

Allow user to change hotspot setting

Use this control to allow users to change Wi-Fi hotspot settings on the device. If this setting is off, users cannot make modifications to the hotspot settings on their device

Allow open Wi-Fi connection

Use this control to allow devices to start an open (non-secured) Wi-Fi hotspot or connect to open and unprotected Wi-Fi access points. If this control is off, users cannot connect to unsecured Wi-Fi networks or start an open (non-secured) Wi-Fi hotspot.

Allow Minimum Wi-Fi Security Requirement

Use this option to allow user to select the minimum security requirement for Wi-Fi Connection. *Note: This policy can be applied only if open Wi-Fi connection is disabled

Block Wi-Fi Network Connection

Add an SSID to the list of blocked networks to prevent the user from connecting to it.

Allow Automatic Wi-Fi Connection to saved SSIDs

Use this control to allow or deny automatic connections of saved SSIDs

Allow Control for Wi-Fi Password to be Visible

Use this control to make the password hidden or visible in the network edit dialog

Allow Wi-Fi State Change

Use this control to allow or deny user access to make Wi-Fi state change

Allow to configure Wi-Fi (Configure details below)

Use this control to allow configuration of Wi-Fi

Block open Wi-Fi hotspot

Use this control to prevent users from creating an open Wi-Fi hotspot that does not require a password.

Advanced Wi-Fi Policy (Premium)

A group of policies to control Advanced Wi-Fi settings. For example setting roam trigger, roam delta, roam scan period etc.

Enable Advanced Wi-Fi Policy Controls(Configure profiles below)

Use this control to enable or disable Advanced Wi-Fi policies on a device. If this control is not enabled, any Advanced Wi-Fi settings you change are ignored.

Bluetooth Policy

A group of policies to control Bluetooth settings. For example, you can block certain Bluetooth profiles or services. *Note: These controls have no impact if "Allow BT" is disabled in the "device restrictions" section.

Enable bluetooth policy controls

Use this control to enable or disable Bluetooth settings. If this control is not enabled, any changes you make to Bluetooth settings are ignored.

Enable bluetooth profiles

Use this control to allow or block peripherals from connecting based on their Bluetooth profiles.

Allowlist Bluetooth Service by UUID

Use this control to allow peripherals to connect based on their Bluetooth service UUID. When enabled, all peripherals except those with UUIDs specified here are blocked from operating with the device. The UUIDs should be as per BT SIG specifications. See the KSP Admin guide for a list of frequently used UUIDs.

Blocklist Bluetooth Service by UUID

Use this control to block peripherals from connecting based on their Bluetooth service UUID. When enabled, all peripherals except those with UUIDs specified here are allowed to operate with the device. The UUIDs should be as per BT SIG specifications. See the KSP Admin guide for a list of frequently used UUIDs.

Allow Device discoverable Mode

Use this control to enable or disable Bluetooth discoverable mode.

Boot banner

A group of controls to add, change, or show a banner upon device restart. Available with a KPE Premium license.

Enable banner on device reboot

Use this control to show a banner on the device display when the device restarts. Default value is set to not show a banner upon device reboot.

Custom Banner Message

If you want to show custom text to the user when the device restarts, enter the text in this field.

Battery Optimization (Premium)

A group of controls to optimize battery usage. Available with a KPE Premium license.

Enable battery optimization

Use this control to optimize battery usage and enable the device to shut down if the user is inactive for the set user inactivity timeout.

Set User Inactivity Timeout

Enter the user inactivity timeout in seconds (10 minutes as minimum) after which the device shuts down in order to optimize battery usage.

Device customization controls (Premium)

A group of policies to customize the device user interface. Configure the "Device customization profile" that the device user must use in this section. Availability: Premium license with Customization permissions.

Enable device customization

Use this control to enable or disable device customization. (Configure Device customization profile below)

Device Key Mapping

A group of controls to map key up. Available with a KPE Premium license.

Enable Key Mapping

Use this control to enable key mapping. Enable this control before changing any Device Key Mapping settings. If this control is not enabled, any Device Key Mapping settings are ignored.

Enable XCover/Active Key Mapping for Microsoft Teams

Use this control to enable key mapping for passing intent for Microsoft Teams package.

XCover/Active key Mapping for specific application

A group of controls to enable XCover/Active key mapping for a specific application

Package Name

Enter the name of the package (application) that will receive the XCover key mapping action

Use Samsung Intent

If this option is enabled, the intent definitions below will be ignored. Supported from Knox 3.7.1

Intent for Key press

Enter the intent name provided by the Application Vendor for XCover Key Press

Intent for Key release

Enter the intent name provided by the Application Vendor for XCover Key Release

Top Key Mapping for specific application

A group of controls to enable Top key mapping for a specific application

Package Name

Enter the name of the package (application) that will receive the Top key mapping action

Use Samsung Intent

If this option is enabled, the intent definitions below will be ignored. Supported from Knox 3.7.1

Intent for Key press

Enter the intent name provided by the Application Vendor for Top Key Press

Intent for Key release

Enter the intent name provided by the Application Vendor for Top Key Release

Side Key Mapping for specific application

A group of controls to enable Side key mapping for a specific application

Package Name

Enter the name of the package (application) that will receive the Side key mapping action

Use Samsung Intent

If this option is enabled, the intent definitions below will be ignored. Supported from Knox 3.7.1

Intent for Key press

Enter the intent name provided by the Application Vendor for Side Key Press

Intent for Key release

Enter the intent name provided by the Application Vendor for Side Key Release

Enable Key Mapping to Launch applications (Configure profiles below)

Use this control to enable key mapping for a specific action for a defined package.

Device Restrictions

A group of controls to allow or block specific operations on the user's device.

Enable device restriction controls

Use this control to enable or disable restriction controls for the device. Enable these controls before changing any device restriction settings. If these controls are not enabled, any device restriction settings are ignored.

Allow microphone

Use this setting to disable the microphone without user interaction. Disabling this control restricts the use of the microphone for recording purposes, but does not impact the use of the phone application on the device.

Allow Wi-Fi

Use this control to allow or restrict the device's ability to connect to Wi-Fi networks.

Allow Wi-Fi Direct

Use this control to allow or restrict the device's ability to connect to Wi-Fi Direct networks.

Allow Bluetooth

Use this control to allow or restrict the device's ability to make Bluetooth connections.

Allow cellular data

Use this control to allow or restrict the device's ability to use the cellular data connection.

Tethering controls

A group of controls to configure the use of tethering technologies on the device.

Allow tethering

Use this control to allow or block all types of tethering on the device. Enable this control before changing any other tethering settings. If this control is not enabled, any changes to other tethering settings are ignored.

Allow Wi-Fi tethering

Use this control to allow or block tethering on Wi-Fi. If the use of all tethering is disabled, changing these settings has no impact.

Allow Bluetooth tethering

Use this control to allow or block tethering on Bluetooth. If the use of all tethering is disabled, changing these settings has no impact.

Allow USB tethering

Use this control to allow or block tethering on USB. If the use of all tethering is disabled, changing these settings has no impact.

Allow USB media player

Use this control to enable or disable the use of an external USB media player on the device.

Allow USB host storage

Use this control to enable or disable the use of an external USB storage device, such as an external hard disk or a flash drive.

Setup USB exception list

If the Allow USB host storage setting is enabled, use this control to configure the use of one or more classes of USB devices or USB composite device on the mobile device. If the Allow USB host storage setting is disabled, any settings in this section have no impact. A USB Composite Device is a peripheral device that supports more than one device class. If you use this policy to control a USB Composite Device, ensure that you add all supported classes in the exception list.
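The gating rules in this group (the group toggle, Allow tethering, and Allow USB host storage) can be checked before a profile is pushed. The following is an added example, not Samsung's code: the setting labels are copied from this page, while the flat dict layout, the treatment of a missing gate as "not enabled", and the grouping of the tethering and USB settings under the device restriction controls are assumptions.

```python
"""Find settings that a profile sets but the device would ignore.

Labels come from this page. The dict layout is an assumption and is not a
KSP or UEM export format.
"""

GROUP = "Enable device restriction controls"

# setting -> gates that must all be enabled, outermost first.
# Assumption: tethering and USB settings sit under the group toggle,
# following the order in which the page lists them.
GATES = {
    "Allow microphone": [GROUP],
    "Allow USB debugging": [GROUP],
    "Allow developer mode": [GROUP],
    "Allow USB host storage": [GROUP],
    "Setup USB exception list": [GROUP, "Allow USB host storage"],
    "Allow tethering": [GROUP],
    "Allow Wi-Fi tethering": [GROUP, "Allow tethering"],
    "Allow Bluetooth tethering": [GROUP, "Allow tethering"],
    "Allow USB tethering": [GROUP, "Allow tethering"],
}


def first_disabled_gate(profile, setting):
    """Return the outermost gate that is off for this setting, or None."""
    for gate in GATES.get(setting, []):
        # Assumption: a gate absent from the profile counts as not enabled.
        if not profile.get(gate, False):
            return gate
    return None


def lint(profile):
    """Return (setting, gate, kind) for every setting that has no effect.

    kind is "restriction-not-applied" when the admin set a block (False)
    but the group toggle is off, so the setting is ignored. Every other
    ignored setting is reported as "no-effect".
    """
    findings = []
    for setting, value in profile.items():
        gate = first_disabled_gate(profile, setting)
        if gate is None:
            continue
        if gate == GROUP and value is False:
            kind = "restriction-not-applied"
        else:
            kind = "no-effect"
        findings.append((setting, gate, kind))
    return findings


# Constructed sample: restrictions are set, but the group toggle is off.
SAMPLE_GROUP_OFF = {
    "Enable device restriction controls": False,
    "Allow USB debugging": False,
    "Allow developer mode": False,
    "Allow tethering": False,
    "Allow USB tethering": True,
}

# Constructed sample: group toggle on, child settings under disabled parents.
SAMPLE_GROUP_ON = {
    "Enable device restriction controls": True,
    "Allow tethering": False,
    "Allow Wi-Fi tethering": True,
    "Allow USB host storage": False,
    "Setup USB exception list": ["HID"],
}

if __name__ == "__main__":
    for name, sample in (("group off", SAMPLE_GROUP_OFF),
                         ("group on", SAMPLE_GROUP_ON)):
        for setting, gate, kind in lint(sample):
            print(f"[{name}] {setting!r} ignored: {gate!r} is off ({kind})")
```
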

Allow USB debugging

Use this control to enable or disable the device to enter into a USB debugging mode.

Allow developer mode

Use this control to enable or disable the device to enter into a developer mode.

Allow Share Via option

Use this control to enable or disable the Share Via option, which presents the user with options to share data from one application to another.

Allow power saving mode

Use this control to enable or disable the device from entering the Power Saver mode automatically.

Allow data saver mode

Use this control to enable or disable the device from entering the Data Saver mode automatically.

Allow VPN connections

Use this control to enable or disable VPN connections on the device.

Allow user to modify Settings

Use this control to allow or restrict the user from changing the device settings.

Enforce external storage encryption

Use this control to enable external storage (SD Card) encryption. Enabling this option prompts the user to start encryption. For security reasons, we recommend setting the policy to use an alphanumeric password.

Allow SD card access

Use this control to enable or disable Secure Digital (SD) card access.

Allow backup on Google Server

Use this control to enable or disable backup of data on the Google Server.

Allow installation of Non-Google Play Apps

Use this control to allow or disallow installation of Non-Google Play Applications.

Allow Video Recording

Use this control to enable or disable video recording.

Allow Android Beam on device

Use this control to allow or disallow Android Beam on device. *Note: The "Allow Android Beam on device" function is not supported from Knox 3.8.0

Allow Camera

Use this control to enable or disable camera.

Allow Clipboard

Use this control to enable or disable clipboard.

Allow Smart Switch

Use this control to allow or disallow Smart Switch, which transfers contacts, photos, music, videos, messages, notes, calendars and more to virtually any Samsung Galaxy device.

Allow UWB

Use this control to allow or disallow UWB on the device. *Note: Allow UWB policies are deprecated in the KSP release (23.06). Because of this deprecation, we strongly suggest that you no longer use these policies as of Android 13 (Knox 3.9.0). See KSP Release Notes for details.

Allow Factory Reset

Use this control to allow or restrict the device factory reset

Allow Edge Screen

Use this control to allow or restrict the Edge Screen on the device.

Device Settings (Premium)

A group of controls for device settings. A KPE Premium license is required for all policies in this group.

Enable device settings controls

Use this control to enable device settings

Hide Settings Backup and Reset

Use this control to hide backup and reset settings

Hide Settings Airplane Mode

Use this control to hide airplane mode settings

Hide Settings Language

Use this control to hide language settings

Hide Settings Lock Screen

Use this control to hide lock screen settings

Hide Settings Bluetooth

Use this control to hide Bluetooth settings

Hide Settings Developer

Use this control to hide developer settings

Hide Settings Wi-Fi

Use this control to hide Wi-Fi settings

Set System Language & Location

A group of controls to set the system locale with default language & location on the device

Set Language

Use this control to set the default device language, given as a two-character lowercase language code as defined in ISO 639-1.

Set Location

Use this control to set the default device location, given as a two-character uppercase country code as defined in ISO 3166-1. This can be optionally followed by a hash (#) and a four-character script code as defined in ISO 15924.

Enable Mobile Data

Use this control to turn on mobile data

Set Power ON when connected to power source

Use this control to power the device ON when connected to power source. *Note: For Android 12 and lower, this feature is compatible with Qualcomm & LSI chipset only. For Android 13 and higher, it works on all devices (with any chipset).

Set Power OFF when disconnected from power source

Use this control to power the device OFF when disconnected from power source.

Set input method

A group of controls to set the input method on the device

Set input method package name

Enter the specified package name for input method. Default package name is for XCover/TabActive Pro devices

Enable No Battery Mode

Use this control to enable or disable No Battery Mode

Set Power Saving Mode

Set the power saving mode of the device

Enable power saving mode controls

Use this control to allow power saving mode policy on the device

Set Limit CPU

Use this control to limit CPU usage on Power Saving Mode

Set Reduce Brightness

Use this control to reduce brightness on Power Saving Mode

DeX policy

A group of policies for Samsung DeX control and customization, including items related to enabling and disabling DeX, managing DeX restrictions, and customization of the DeX experience for the user. Availability: Knox v3.1 or higher.

Enable DeX policy controls

Use this control to enable or disable DeX mode controls for the device. Enable DeX controls before using any of the DeX restriction policies. If DeX controls are not enabled, any settings for items in the DeX Policy group are ignored.

Manage DeX restrictions

Use these controls to turn individual DeX restrictions on or off. On Knox v3.1 or higher.

Allow Dex connection

Use this control to allow the device to accept DeX connections on your phone.

Enforce the use of Ethernet connection

Use this control to enforce the use of Ethernet connectivity in DeX mode. When this functionality is enabled, cellular data, Wi-Fi, and other such connections are not available in DeX mode. By default, Ethernet use is not enforced.

Enforce the use of virtual MAC address

Enable this control to use a virtual MAC address for a device in DeX mode to differentiate between the different modes of the device on your network.

Manage list of apps disabled in DeX mode

Use this control to list the apps that are disabled when the device is in DeX mode. Enter the values as a comma-separated list of package names. To find package names, use a browser on a computer to go to the app information on the Play Store and find the value shown after "id=" in the app's URL.

Customize Dex Experience (Premium)

Use this control to enable customization of your DeX mode. (Configure DeX customization profile below)

Dual Data-at-rest (DAR) Encryption

These controls will work on devices with Dual DAR version 1.4.1 or above and only when Dual DAR has already been setup for the Workspace using either supported UEM or via Knox Mobile Enrollment (KME) portal. *Note: You need a KPE Premium license with Dual DAR add-on to use this feature. Supported from Android 12 and S22 only.

Enable Dual DAR controls

Use this control to enable Dual DAR settings for the Workspace. If this control is not enabled, any Dual DAR policy settings you change are ignored and the device may use Dual DAR with default values.

Data lock timeout type

Use this control to set a data lock type. This locks the credential encrypted (CE) storage and flushes the key from memory. Once locked, apps can't use the CE storage until the user provides the credential again.

Data lock timeout value (in minutes)

Use this control to specify the data lock timeout value in minutes. To use this feature, you must set the data lock timeout type to "specified value."

Restrict access to device encrypted (DE) storage

Use this control to enable or disable access restrictions to the DE storage. By default, apps in the DualDAR area are allowed to access the DE storage. Enabling this control prevents apps, other than those allowlisted by the admin, from accessing DE storage.

List of apps allowed to access DE storage and to run in data locked state

Use this control to specify the list of apps that are allowed to access DE storage and to run in data locked state.

Set password minimum length for inner

Use this control to set the password minimum length for inner layer password at DualDAR for fully managed devices use case.

Set a new password for inner layer

Use this control to set a new password for the inner layer at DualDAR for the fully managed devices use case. Note that the password must be stronger than the requested quality, for example, a password containing alphanumeric characters when the requested quality is only numeric.

Firewall and Proxy policy

A group of policies for firewall setup and configuration. IT admins can enforce these policies for fully managed devices with or without a Work profile. Availability: Knox v2.7 or higher with a Premium license.

Enable firewall controls

Use this control to enable or disable the firewall controls for fully managed devices with or without a Work profile.

Name of firewall configuration to use

Enter the name of the primary firewall configuration profile that apps can use for network connections. This profile name must match the value set in the Firewall profiles section.

Enable Proxy on device

Use this control to enable or disable a global proxy on a device that routes all internet traffic through a proxy server of your choice. This works for both Wi-Fi and data connections. You can use either a fixed proxy server address or a proxy auto-config (PAC) file. According to your selection here, the settings provided in either the "Manual proxy configuration" or "Proxy auto configuration" section below will be used.

Firmware update (FOTA) policy

A group of controls to configure firmware updates settings.

Enable firmware controls

Use this control to enable or disable advanced firmware update options. If this control is disabled, any changes to other firmware update related settings have no impact.

Allow firmware update over-the-air

Use this control to enable or disable firmware updates using Firmware-Over-The-Air (FOTA) technology. When this policy control is set to false, all possible OTA upgrade requests (user initiated, server initiated, and system initiated) are blocked; the user may see server messages related to new firmware updates, but any attempt to upgrade fails. This does not block the user from updating firmware using recovery mode.

Allow firmware update in recovery mode

Use this control to enable or disable firmware updates when the device is in recovery mode. Recovery Mode is a device mode which allows users to factory reset, fix some problems or apply software updates on the device. If the firmware controls are disabled, any changes to this setting have no impact.

Enforce firmware auto update on Wi-Fi (Premium)

Use this control to enable or disable automatic firmware updates when the device is connected to a Wi-Fi network. Enabling this control turns on the device setting to auto-update on Wi-Fi and blocks the user from modifying it. Disabling this control resets the setting and allows the user to freely modify the setting on the device. If the firmware controls are disabled, any changes to this setting have no impact.

Enable E-FOTA client installation & launch

Use this control to enable or disable installation and launch of E-FOTA client

Network Platform Analytics (NPA) (Premium)

A group of controls to enable and configure NPA clients to collect network activity data on the device. Available with a KPE Premium license.

Enable NPA Controls

Use this control to allow your NPA client to collect network activity data on the device. Enable this option before you specify any other options for your NPA client.

NPA Client

Select the NPA Client that can collect network activity data on the device.

NPA Profile for Data Points

Enter the name of the profile that specifies the data points you want the NPA Client to collect. This profile name must match the 'Profile Name' value set in the NPA Data Points Profile section.

Password Policy

A group of policies to manage password policies on the device, including enabling or disabling the ability to manage passwords and other authentication methods to log in to the device.

Enable password policy controls with KSP

Use this control to allow management of password policies on the device. Enable this option before changing any password related settings. If this option is not enabled, any settings for password and other authentication related items are ignored.

Biometric authentication

A group of policies to manage the biometric authentication option without user interaction.

Enable fingerprint authentication

Use this control to allow or stop the use of fingerprint recognition for authentication.

Enable Iris authentication

Use this control to allow or stop the use of iris recognition for authentication.

Enable Face recognition

Use this control to allow or stop the use of facial recognition for authentication.

Enable multifactor authentication (Premium)

Use this control to enable or disable multifactor authentication (2FA). Once enabled, a device is only unlocked after two authentication methods are provided, including one biometric input (iris / fingerprint) and one lock screen method (PIN / password / pattern). This feature is available only on Knox 3.2.1 and above. *Note: Incorrect use of this policy together with "One Lock" and "Biometric policy" can lock your device.

Password Change (Premium)

A group of policies to manage password change.

Enforce Password Change

Use this control to enforce a password change. If no password is set, the user is forced to set one. Caution: Verify the password enforcement condition before saving any new policy; otherwise the password is enforced at an unexpected time.

Password Enforcement timeout

Enter the time, in minutes, for which the user can cancel or delay the password change.

Password Restriction

A group of policies to manage password restriction.

Maximum Character Sequence Length

Use this policy to specify the maximum length of an alphabetic sequence that is allowed for a device password.

Maximum Numeric Sequence Length

Use this policy to specify the maximum length of numeric sequence that is allowed for a device password.

Minimum Password Length

Use this policy to specify the minimum password length allowed for the device.

Allowed Time for User Activity before Device Locks

Enter the maximum time, in seconds, for user activity before the device locks. A value of 0 means there is no restriction. *Note: The API takes effect immediately.

Maximum Failed Password Attempt to Wipe Data

Enter the maximum number of failed password attempts allowed before the data on the device is wiped. *Note: The API takes effect immediately with the number of failed attempts; the data is wiped completely and cannot be recovered.

Maximum Failed Password Attempt to Disable Device

Set the maximum permitted failed password attempts before the device is rendered inoperable. When the set value is exceeded, the device container is disabled and a blocking page displays to the user. The impacted device can be re-enabled using the API by setting this value to zero (0). However, KSP cannot be used to unlock just the impacted device, and each device within the impacted device group will have this feature disabled. Additionally, when the disabled device is rebooted it remains in a file-based encrypted state, and is unable to receive any KSP policies.

Define Password Quality

Select level of complexity you would like to define for the device password; From No Password to Complex Password (letter, numeric, alphanumeric); Numeric Complex Password must include numeric character with no repeating or ordered

Disable Keyguard Feature

Select the Keyguard feature to disable

Enable password visibility

Use this policy to control the visibility of Password while Typing

Peripheral Configuration Policy

A group of controls for Peripheral Configuration Policy

Enable Peripheral Configuration controls

Use this setting to enable peripheral configurations. Use the "Peripheral Configuration" section to configure various peripheral devices. *Note: Peripheral Configuration Policies are deprecated in the KSP release (23.12). Because of this deprecation, we strongly suggest that you no longer use these policies as of Android 14 (Knox 3.10.0). See KSP Release Notes for details.

Universal Credential Manager policy (Premium)

A group of policies to manage credentials in both external and internal device storage, for example, a smartcard, micro SD card, or embedded Secure Element. A KPE Premium license is required for all policies in this group.

Enable UCM policy controls

Use this control to enable or disable UCM policies. Enable this option before using any of the UCM policies. If this option is disabled, any UCM settings and policies are ignored.

UCM plugin for device lock

A group of policies to specify how to use a UCM plugin for device unlock.

Enable UCM plugin for device lock

Use this control to enable or disable device unlock through a UCM plugin. Enable this option to allow the specified plugin app to use stored credentials to unlock a device. Once enabled, device users cannot change the lock type. Disable to let device users control the lock type.

Name of UCM plugin configuration to use

Enter the name of a UCM plugin configuration, which specifies how credential storage is used. Ensure that the name used here matches at least one name in the UCM Plugin Configurations > Name field.

General purpose UCM plugin

A group of policies to control a credential storage and UCM plugin that manages the credential storage.

Enable a general purpose UCM plugin

Use this control to enable or disable a general purpose UCM plugin. Enable this option to manage a credential storage and the UCM Plugin used to access the storage. Disable to prohibit general access to the storage space.

Name of UCM plugin configuration to use

Enter the name of a UCM plugin configuration, which specifies how credential storage is used. Ensure that the name used here matches at least one name in the UCM Plugin Configurations > Name field.

VPN policy (Premium)

A group of policies for VPN setup and configuration. IT admins can enforce these policies for fully managed devices with or without a Work profile. Availability: All Knox versions with a Premium license.

Enable VPN controls

Use this control to enable or disable VPN controls for the device. Enable VPN controls before changing any VPN related settings. If VPN controls are not enabled, any settings for VPN related items are ignored.

VPN type

Choose the VPN type applicable to the apps on the device. For fully managed devices without a Work profile/Separated Apps, choose between all apps or specific apps. For devices with a Work profile, choose between all three options.

Manage list of apps that use VPN

Use these controls to add a list of applications at a device-wide or Work profile/Separated Apps specific level that can use VPN and connect to the network directly.

Select apps in the device, in the main user

For fully managed devices with app-specific VPN, enter a comma-separated list of package names to specify apps that must use VPN to connect. For devices with a Work profile, enter the Personal profile apps that must use VPN to connect. To use VPN for all apps, do not enter any app names. Default value is all apps.

Select apps in the Work profile/Separated Apps

For fully managed devices with a Work profile/Separated Apps and the VPN type set to Selected Apps, enter the list of Work profile/Separated Apps apps that must use VPN to connect. Enter a comma-separated list of package names to specify the apps. To use VPN for all Work profile/Separated Apps, leave blank. Default value is all apps.

Manage list of apps that can bypass VPN

Use these controls to add a list of applications at a device-wide or Work profile/Separated Apps specific level that can bypass VPN and connect to the network directly.

Apps in main user

For fully managed device with or without a Work profile/Separated Apps, enter a comma-separated list of package names to specify apps that can bypass VPN connections. To use VPN for all apps, do not enter any app names.

Apps in work profile/Separated Apps

For fully managed devices with a Work profile/Separated Apps, enter a comma-separated list of package names to specify apps that can bypass VPN connections. To use VPN for all apps, do not enter any app names.

Enable on-demand VPN

For fully managed device with or without a Work profile/Separated Apps, enter a comma-separated list of package names to specify apps that can use VPN connections. To use VPN for all apps, do not enter any app names.

Name of VPN profile to use

Enter the name of the primary VPN configuration profile that apps can use for network connections. This profile name must match the "Profile name" value set in one of the "VPN profiles" below.

Enable VPN chaining

Use this control to enable the use of two VPNs to double encrypt the data-traffic from apps added to the VPN profile.

Name of secondary VPN profile to use

For devices with multiple VPN profiles, enter the name of the outer VPN configuration profile. This VPN server decrypts all data before passing it to the VPN client. This profile name must match the value set in the VPN profiles section.

ZTNA Policy

A group of controls for Zero Trust Network Access (ZTNA). *Note: You need a KPE Premium license to use this feature which is supported from Android 14 and later only.

Enable ZTNA controls

Use this control to enable ZTNA. *Note: You need a KPE Premium license to use this feature which is supported from Android 14 and later only.

Package Name

Package name of the authorized network filter client application

Package Signature

Public key of the authorized network filter client application (optional)

Work profile policies (Profile Owner)

A group of policies and restrictions that are applicable to the Work profile user of the device. Starting Knox 3.0, a KPE Premium license activation is required for using any policy in the work profile.

Enable work profile policies

Enable this setting before using any of the Work Profile policies. If this setting is disabled, KSP does not apply any policy changes inside the Work Profile.

Advanced restrictions in work profile (Premium)

A group of controls to manage advanced restriction policies on the Work Profile. Availability: Premium license.

Enable advanced restrictions in work profile

Use this control to enable advanced controls in the Work Profile, such as Wi-Fi or Bluetooth scanning.

Allow process data only on device

Select the process data only on device menu to enable. *Note: When you activate the Samsung Account, the menu appears on device. Supported from some flagship models and OneUI 6.1 and later.

Allow remote control

Use this control to block connections to the device, using third-party remote control apps.

Application management policies (Premium)

A group of policies to configure and manage applications inside the Work Profile on the device.

Enable application management controls

Use this control to enable or disable advanced application management settings.

Battery optimization allowlist

Use this control to exempt applications from battery usage optimizations such as Android Doze mode. Enter a comma-separated list of package names to specify the apps to allowlist.

Notifications allowlist

Use this control to stop applications from showing notifications on the status bar. When this policy is enabled, notifications from all applications in the workspace are blocked except for the apps specified in this allowlist. Enter the values as a comma-separated list, or use a wildcard to specify multiple apps for the allowlist. For advanced queries, use correct regular expression syntax.

Install app from personal to work profile

Use this control to install an existing application from the personal (default) space into the Work Profile, without requiring user interaction.

Allow USB Devices for default access by Application (Configure profiles below)

Use this setting to grant user permission for one or more USB devices to be used by a particular package. Use the Allowed USB devices for Applications section to configure them.

Application Allowlist by Pkg Name

Use this control to allowlist applications to be installed on the PO. When this policy is enabled, third-party applications (applications that are not part of the system image) are allowlisted based on the application package name. Enter the values as a comma-separated list, or use a wildcard to specify multiple apps for the allowlist. For advanced queries, use correct regular expression syntax. If the package name of an application currently being installed matches a package name pattern in both the blocklist and allowlist, the allowlist takes priority and the application is installed.

Application Blocklist by Pkg Name

Use this control to blocklist applications to be installed on the PO. When this policy is enabled, third-party applications (applications that are not part of the system image) are blocklisted based on the application package name. Enter the values as a comma-separated list, or use a wildcard to specify multiple apps for the blocklist. For advanced queries, use correct regular expression syntax. If the application package is already installed, the API does not affect the existing installation.
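The precedence between the package-name allowlist and blocklist can be modelled before deployment to see what a pair of lists admits. This is an added example, not KSP code: it assumes each comma-separated entry is evaluated as a regular expression against the whole package name and that a package matching neither list is not restricted; package names other than com.xyz and com.abc are constructed.

```python
import re

# Assumption: entries are regular expressions matched against the full
# package name. This is a model for review, not the device implementation.


def parse_entries(value):
    """Split a comma-separated policy value into trimmed, non-empty entries.

    Note: a regex that itself contains a comma, such as a{1,3}, cannot be
    expressed in a comma-separated field and would be split here.
    """
    return [e.strip() for e in value.split(",") if e.strip()]


def compile_entries(value):
    """Return (compiled patterns, entries that are not valid regex)."""
    compiled, invalid = [], []
    for entry in parse_entries(value):
        try:
            compiled.append(re.compile(entry))
        except re.error:
            invalid.append(entry)
    return compiled, invalid


def matches(value, package):
    """True if any valid entry matches the whole package name."""
    compiled, _ = compile_entries(value)
    return any(p.fullmatch(package) for p in compiled)


def install_decision(package, allowlist, blocklist, already_installed=False):
    """Model the rules stated above for one package."""
    if already_installed:
        return "unchanged"      # the lists do not affect existing installs
    if matches(allowlist, package):
        return "install"        # allowlist takes priority over blocklist
    if matches(blocklist, package):
        return "block"
    return "install"            # assumption: no match means no restriction


def loose_entries(value):
    """Entries where an unescaped '.' stands for a literal dot.

    In regex syntax that dot matches any character, so "com.xyz.*" admits
    more names than "com.xyz" followed by a dot and a suffix.
    """
    flagged = []
    for entry in parse_entries(value):
        in_class = False
        i = 0
        while i < len(entry):
            ch = entry[i]
            if ch == "\\":          # skip the escaped character
                i += 2
                continue
            if ch == "[":
                in_class = True
            elif ch == "]":
                in_class = False
            elif ch == "." and not in_class:
                if entry[i + 1:i + 2] not in ("*", "+", "?", "{"):
                    flagged.append(entry)
                    break
            i += 1
    return flagged


if __name__ == "__main__":
    allow, block = "com.xyz.*", ".*"
    for pkg in ("com.xyz.mail", "org.other.game", "com.xyzevil.app"):
        print(pkg, "->", install_decision(pkg, allow, block))
    print("review these entries:", loose_entries(allow))
```

Escaping the dots (`com\.xyz\..*`) narrows the allowlist entry to names that start with `com.xyz.`.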

Application Allowlist by Signature used

Use this control to allowlist applications to be installed on the PO. When this policy is enabled, third-party application (application that is not part of system image) based on the signature used by the application will be allowlisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the allowlist. If the signature of an application currently being installed matches the signature in both the blocklist and allowlist, the allowlist takes priority and the application is installed.

Application Blocklist by Signature used

Use this control to blocklist applications to be installed on the PO. When this policy is enabled, third-party application (application that is not part of system image) based on the signature used by the application will be blocklisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the blocklist. If the application package is already installed, the API does not affect the existing installation.

Disable Application without user interaction

Use this control to disable application without user interaction. The disabled application package is not uninstalled but the device user cannot use it. The API does not affect the future application package state. Enter the values as a comma separated list, for example, "com.xyz, com.abc".

Force Stop Blocklist

Use this control to prevent the user from stopping certain applications. The stop actions include force stop in the Settings app, stopping through third-party applications, stopping any background process by the system, and stopping any service from the application. Enter the values as a comma-separated list, or use a wildcard to specify multiple apps for the blocklist. For advanced queries, use correct regular expression syntax.

Package Name for Auto-Launch

Enter the package name of the application that needs to be launched after it is installed along with the Component name. Example: PackageName/ComponentName

Clear Cache Block List

Use this control to prevent the user from clearing cache for certain applications. The actions include clear cache in Settings app, clearing cache through third-party applications, and clearing service cache from the application. Also, wildcard characters like "com.xyz.*" can be used to specify multiple application package names.

Clear Data Block List

Use this control to prevent the user from clearing data for certain applications. The actions include clear data in Settings app, clearing data through third-party applications, and clearing service data from the application. Also, wildcard characters like "com.xyz.*" can be used to specify multiple application package names.

Audit Log (Premium)

A group of controls to enable audit log on the device. Available with a KPE Premium license.

Enable Audit Log

Use this control to enable audit log to capture events such as Password policies set for devices; App installation and removal; Certificate failure and key generation; Account creation and removal; File exchange attempts over Wi-Fi etc

Audit Log Policy Configuration

A group of controls to configure audit log on the device. Available with a KPE Premium license

Audit Log Policies

Use this control to select granular audit log on the device

Audit Log Outcome

Use this control to select audit log outcome on the device

Audit Log Severity Level

Use this control to select severity level of Audit Log

Audit Log Frequency

Use this control to select the Audit log frequency

Certificate management policies (Premium)

A group of policies to control certificate management settings. For example, disable certificates, restrict certificates and more.

Enable certificate management controls

Use this control to enable or disable certificate management settings for the workspace. Enable this control before changing any certificate management settings. If this control is not enabled, any Enterprise certificate management policy is ignored.

Certificate revocation

Choose the Certificate revocation method most appropriate for your workspace.

Enable revocation check

Use this to check certificate validation. For example, if you list "com.samsung.email" in an allowlist, any certificates used by this app for S/MIME encryption or signing are first checked against a Certificate Revocation List (CRL) to verify that they are still valid. Enter the application package names to check as a comma-separated list, for example "com.xyz, com.abc".

Enable OCSP check before CRL

Use this to perform certificate validation using OCSP before checking a CRL. If the OCSP response is inconclusive, the device performs a CRL check.

List of apps to enable for verification

Use this to perform certificate revocation on a list of applications. Enter the values as a comma separated list of the application packages, for example, "com.xyz, com.abc".

Add trusted CA certificate

Enter the name of a Trusted CA Alias that was already defined in Certificate Alias. Enter the values as a comma-separated list of Trusted CA Aliases.

Block User from removing Certificate

Use this control to block the user from removing certificates from the keystore. By default, users are allowed to remove certificates from the keystore.

Allow applications to read private keys without alerting user (Configure profiles below)

Use this setting to allow applications to read private keys without alerting the user. To specify the application package name, host, port, alias and storage name that will be matched against what applications provide, use the Allowed apps for reading private keys section.

Install Certificate in keystore(s) silently

Enter the name of a CA Alias which will be installed silently in the device keystore(s). Enter the values as a comma separated list of the CA Alias

Client Certificate management (CCM) policies

A group of policies to control client certificate management settings. *Note: CCM policies are deprecated in the KSP release (22.05). Because of this deprecation, we strongly suggest that you no longer use these policies from Android 12 (Knox 3.8.0) onward. See KSP Release Notes for details.

Enable client certificate management controls

Use this control to enable or disable client certificate management settings for the device. Enable this control before changing any client certificate management settings. If this control is not enabled, any Enterprise client certificate management policy is ignored. *Note: CCM policies are deprecated in the KSP release (22.05). Because of this deprecation, we strongly suggest that you no longer use these policies from Android 12 (Knox 3.8.0) onward. See KSP Release Notes for details.

Add packages to be exempted from access control

Enter the names of the packages to be exempted from access control. Enter the values as a comma-separated list of package names.

Device Account Policy (Premium)

A group of controls for Device Account Policy

Enable Device Account Policy controls

A group of controls to Enable Device Account Policy

Enable Device Account policies (Configure profiles below)

Use this setting to enable device account addition policies

Device Admin allowlisting (Premium)

A group of policies to manage Device Administrator (DA) privileges to specific apps when KSP is launched on the device. By default, DA level access is blocked for all apps. KSP cannot deactivate DA level access for an app that is already activated before KSP is launched.

Enable device admin controls

Use this control to enable or disable Device Admin allowlisting control for applications on a device where KSP is launched.

Allowlisted DAs

By default, KSP will block activation of any application as device admin, except those specified in this allowlist. Enter a comma-separated list of packages to specify the list of apps to allowlist.

Device Key Mapping

A group of controls to map hardware keys. Available with a KPE Premium license and Knox 3.7.1.

Enable Key Mapping

Use this control to enable key mapping. Enable this control before changing any Device Key Mapping settings. If this control is not enabled, any Device Key Mapping settings are ignored.

Enable XCover/Active Key Mapping for Microsoft Teams

Use this control to enable key mapping for passing intent for Microsoft Teams package.

XCover/Active key Mapping for specific application

A group of controls to enable XCover/Active key mapping for a specific application

Package Name

Enter the name of the package (application) that will receive the XCover key mapping action

Use Samsung Intent

If this option is enabled, the intent definitions below will be ignored. Supported from Knox 3.7.1

Intent for Key press

Enter the intent name provided by the Application Vendor for XCover Key Press

Intent for Key release

Enter the intent name provided by the Application Vendor for XCover Key Release

Top Key Mapping for specific application

A group of controls to enable Top key mapping for a specific application

Package Name

Enter the name of the package (application) that will receive the Top key mapping action

Use Samsung Intent

If this option is enabled, the intent definitions below will be ignored. Supported from Knox 3.7.1

Intent for Key press

Enter the intent name provided by the Application Vendor for Top Key Press

Intent for Key release

Enter the intent name provided by the Application Vendor for Top Key Release

Side Key Mapping for specific application

A group of controls to enable Side key mapping for a specific application

Package Name

Enter the name of the package (application) that will receive the Side key mapping action

Use Samsung Intent

If this option is enabled, the intent definitions below will be ignored. Supported from Knox 3.7.1

Intent for Key press

Enter the intent name provided by the Application Vendor for Side Key Press

Intent for Key release

Enter the intent name provided by the Application Vendor for Side Key Release

Dual Data-at-rest (DAR) Encryption (Premium)

These controls work on devices with Dual DAR version 1.1 or above, and only when Dual DAR has already been set up for the Workspace using either a supported UEM or the Knox Mobile Enrollment (KME) portal. *Note: You need a KPE Premium license with the Dual DAR add-on to use this feature.

Enable Dual DAR controls

Use this control to enable Dual DAR settings for the Workspace. If this control is not enabled, any Dual DAR policy settings you change are ignored and the device may use Dual DAR with default values.

Data lock timeout type

Use this control to set a data lock type. This locks the credential encrypted (CE) storage and flushes the key from memory. Once locked, apps can't use the CE storage until the user provides the credential again.

Data lock timeout value (in minutes)

Use this control to specify the data lock timeout value in minutes. To use this feature, you must set the data lock timeout type to "specified value."

Restrict access to device encrypted (DE) storage

Use this control to enable or disable access restrictions to the DE storage. By default, apps in the DualDAR area are allowed to access the DE storage. Enabling this control prevents apps, other than those allowlisted by the admin, from accessing DE storage.

List of apps allowed to access DE storage and to run in data locked state

Use this control to specify the list of apps that are allowed to access DE storage and to run in data locked state.

Firewall policy (Premium)

A group of policies for firewall setup and configuration. IT admins can enforce these policies for devices with a Work profile.

Enable firewall controls

Use this control to enable or disable the firewall controls for the Work profile.

Name of firewall configuration to use

Enter the name of the primary firewall configuration profile that apps can use for network connections. This profile name must match the value set in the Firewall profiles section.

Network Platform Analytics (NPA) (Premium)

A group of controls to enable and configure NPA clients to collect network activity data on the device. Available with a KPE Premium license.

Enable NPA Controls

Use this control to allow your NPA client to collect network activity data on the device. Enable this option before you specify any other options for your NPA client.

NPA Client

Select the NPA Client that can collect network activity data on the device.

NPA Profile for Data Points

Enter the name of the profile that specifies the data points you want the NPA Client to collect. This profile name must match the 'Profile Name' value set in the NPA Data Points Profile section.

Password Policy (Premium)

A group of policies to manage password policies on the device, including enabling or disabling the ability to manage passwords and other authentication methods to log in to the Work profile. These policies apply to all devices with a Work profile.

Enable password policy controls with KSP

For devices with a Work profile, use this control to allow management of password policies on the Work profile. Enable this option before changing any related settings. If this option is not enabled, any settings for password and authentication related items are ignored.

Biometric authentication

A group of policies to manage the biometric authentication options without user interaction. Knox Workspace does not use facial recognition as an authentication method.

Enable fingerprint authentication

Use this control to allow or stop the use of fingerprint recognition for authentication.

Enable Iris authentication

Use this control to allow or stop the use of iris recognition for authentication.

Enable Face recognition

Use this control to allow or stop the use of facial recognition for authentication.

Enable multifactor authentication

Use this control to enable or disable multifactor authentication (2FA). Once enabled, the workspace is only unlocked after two authentication methods are provided, including one biometric input (iris / fingerprint) and one lock screen method (PIN / password / pattern). This feature is available only on Knox 3.2.1 and above. *Note: Incorrect use of this policy together with "One Lock" and "Biometric policy" can lock your device.

Password Change (Premium)

A group of policies to manage password change.

Enforce Password Change

Use this control to enforce a password change. If no password is set, the user is required to set one. Caution: Verify the password enforcement condition before saving any new policy; otherwise it will enforce the password at an unexpected time.

Password Enforcement timeout

Enter the time, in minutes, for which the user can cancel or delay the password change.

Password Restriction

A group of policies to manage password restriction.

Maximum Character Sequence Length

Use this policy to specify the maximum length of an alphabetic sequence that is allowed for the work profile.

Maximum Numeric Sequence Length

Use this policy to specify the maximum length of numeric sequence that is allowed for the work profile.

Minimum Password Length

Use this policy to specify the minimum password length allowed for the profile.

Allowed Time for User Activity before Work Profile Locks

Enter the maximum amount of time, in seconds, for user activity until the work profile locks. A value of 0 means there is no restriction. *Note: The API takes effect immediately.

Maximum Failed Password Attempt to Wipe Data

Enter the maximum number of failed password attempts allowed before the data in the work profile is wiped. *Note: The API takes effect immediately with the number of failed attempts; the data will be wiped completely, with no possible way to revert. *Note: Not supported in WPC mode.

Maximum Failed Password Attempt to Disable Work Profile

Set the maximum permitted failed password attempts before the device is rendered inoperable. When the set value is exceeded, the device container is disabled and a blocking page displays to the user. The impacted device can be re-enabled using the API by setting this value to zero (0). However, KSP cannot be used to unlock just the impacted device, and each device within the impacted device group will have this feature disabled. Additionally, when the disabled device is rebooted it remains in a file-based encrypted state, and is unable to receive any KSP policies.

Define Password Quality

Select the level of complexity you would like to define for the work profile password, from No Password to Complex Password (letter, numeric and alphanumeric). Numeric Complex Password must include numeric character with no repeating or ordered

Disable Keyguard Feature

Select the Keyguard feature to disable

Enable password visibility

Use this policy to control the visibility of Password while Typing

RCP policy (Premium)

A group of policies to control Data sync on specific applications

Enable RCP Policy Controls

Use this control to enable RCP settings for the Applications. If this control is not enabled, any RCP policy settings you change are ignored and the device may use RCP with default values.

Allow moving files from personal space to work profile

Use this setting to allow or restrict the user from moving files from personal workspace to the Work Profile. *Note: From Android 13, the default value is changed from "TRUE" to "FALSE". Please configure it carefully if device is upgraded to Android 13 or above.

Allow moving files from work profile to personal space

Use this setting to allow or restrict the user from moving files from Work Profile to personal workspace.

Enable RCP data sync policy (Configure profiles below)

Use this setting to enable RCP data sync policy. To apply specific data sync policies, use the RCP data sync config section. *Note: The "Enable RCP data sync policy (Configure profiles below)" function is not supported from Knox 3.8.0.

Enable Sharing of Clipboard Data to Owner

Use this setting to set the policy value of sharing clipboard to owner from container.

Restrictions in work profile (Premium)

A group of controls to allow or block specific operations in the work profile user.

Enable work profile restriction controls

Enable this before using any of the Work Profile Restrictions below. If this is disabled, KSP will ignore any value set below and will not enforce any restrictions.

Allow microphone

Use this setting to disable the microphone without user interaction. Disabling this control restricts the use of the microphone for recording purposes, but does not impact the use of the phone application on the device.

Allow Share Via option

Use this control to enable or disable the Share Via option that presents User options to share data from one application to another application using one of the many available options.

Allow Bluetooth

Use this control to enable or disable Bluetooth inside container. (supported from Android 10 and above only)

Allow Camera

Use this control to enable or disable camera.

Allow Clipboard

Use this control to enable or disable clipboard.

Allow Video Recording

Use this control to enable or disable video recording.

Universal Credential Manager policy (Premium)

A group of policies to manage credentials in both external and internal device storage, for example, a smartcard, micro SD card, or embedded Secure Element. A KPE Premium license is required for all policies in this group.

Enable UCM policy controls

Use this control to enable or disable UCM policies in the workspace. Enable this option before using any of the UCM policies. If this option is disabled, any UCM settings and policies are ignored.

UCM plugin for workspace lock

A group of policies to specify how to use a UCM plugin for device unlock.

Enable UCM plugin for workspace lock

Use this control to enable or disable device unlock through a UCM plugin. Enable this option to allow the specified plugin app to use stored credentials to unlock the workspace. Once enabled, device users cannot change the lock type. Disable to let device users control the lock type.

Name of UCM plugin configuration to use

Enter the name of a UCM plugin configuration, which specifies how credential storage is used. Ensure that the name used here matches at least one name in the UCM Plugin Configurations > Name field.

General purpose UCM plugin

A group of policies to control a credential storage and UCM plugin that manages the credential storage.

Enable a general purpose UCM plugin

Use this control to enable or disable a general purpose UCM plugin. Enable this option to manage a credential storage and the UCM Plugin used to access the storage. Disable to prohibit general access to the storage space.

Name of UCM plugin configuration to use

Enter the name of a UCM plugin configuration, which specifies how credential storage is used. Ensure that the name used here matches at least one name in the UCM Plugin Configurations > Name field.

VPN policy (Premium)

A group of policies for Knox VPN setup and customization. Availability: All Knox versions with a Premium license.

Enable VPN controls

Use this control to enable or disable VPN controls for the device. Enable VPN controls before changing any VPN related settings. If VPN is not enabled, any settings for VPN related items are ignored. *Note: In the work area, the Knox built-in vendor is supported from Q OS (Knox 3.6.0) to R OS (Knox 3.7.1) and is not supported from S OS.

VPN type

For devices with a Work profile, choose the VPN type applicable to the apps in the work profile. Choose between all apps in the Work profile or specific apps within the Work profile.

Manage list of apps that can use VPN

For devices with a Work profile and where the VPN type is set to Selected Apps, enter a comma-separated list of package names to specify apps that must use VPN to connect. To use VPN for all apps within the Work profile, do not enter any app names.

Manage list of apps that can bypass VPN

For devices with a Work profile, enter a comma-separated list of package names to specify apps that can bypass VPN connections. To use VPN for all apps, do not enter any app names.

Enable on-demand VPN

For devices with a Work profile and where the VPN type is set to Selected Apps, use this control to start VPN on-demand when one of the specified apps connects to the network. When no apps are in use, VPN is terminated. By default, all apps use VPN on-demand.

Name of VPN profile to use

Enter the name of the primary VPN configuration profile that apps can use for network connections. This name must match the "profile name" of one of the profiles in "VPN profiles" section.

Enable VPN chaining

Use this control to enable the use of two VPNs to double encrypt the data-traffic from apps added to the VPN profile. By default, this value is set to disallow VPN chaining.

Name of secondary VPN profile

For devices with multiple VPN profiles, enter the name of the outer VPN configuration profile. This VPN server decrypts all data before passing it to the VPN client. This name must match the "profile name" of one of the profiles in "VPN profiles" section.

Work profile configuration (Premium)

A group of policies that control the configuration of the Work Profile on the device, for example rename the tab and allow moving apps in and out of the Workspace.

Enable work profile configuration controls

Use this setting to enable or disable configuration controls for the Work Profile on the device. Enable this setting before using any of the Work profile configuration controls. If this setting is disabled, KSP does not apply any changes to the Work profile.

Allow adding apps from personal space to work profile

Use this setting to allow or restrict the user from installing any personal workspace apps to the Work Profile. *Note: The "Allow adding apps from personal space to work profile" policy is deprecated in the KSP release (23.12). Because of this deprecation, we strongly suggest that you no longer use this policy from P OS (Knox 3.4.0) onward. See KSP Release Notes for details.

Customize work profile tab name

Use this field to specify a custom name for the Work Profile tab on the home screen and device settings. *Note: The "Customize work profile tab name" function is not supported from Knox 3.9.0.

Customize personal tab name

Use this field to specify a custom name for the personal workspace tab on the home screen and device settings. *Note: The "Customize personal tab name" function is not supported from Knox 3.9.0.

Configure the screen capture file storage path

Use this field to specify the storage path of screen capture file in the workspace. If it is set to "False", the storage path is the Work Area. If it is set to "True", it is saved in the Owner Area. *Note: "Configure the screen capture file storage path" function is not supported from Knox 3.11.

ZTNA Policy

A group of controls for Zero Trust Network Access (ZTNA). *Note: You need a KPE Premium license to use this feature which is supported from Android 14 and later only.

Enable ZTNA controls

Use this control to enable ZTNA. *Note: You need a KPE Premium license to use this feature which is supported from Android 14 and later only.

Package Name

Package name of the authorized network filter client application

Package Signature

Public key of the authorized network filter client application (optional)

Advanced Wi-Fi Configurations (Premium)

A group of controls for Advanced Wi-Fi configurations

Allowed apps for reading private keys Configurations (Premium)

A group of controls that drive Allowed Apps for reading private keys configurations

Allowed USB devices for Applications Configurations

A group of controls that drive Access for USB Devices for Applications

APN configurations

A group of policies to specify one or more Access Point Name configurations. For example, APN name, APN type, authentication type and more.

Certificates (Premium)

A group of policies to specify one or more Certificate configurations.

Certificate provisioning configurations

A group of policies to configure one or more certificate provisionings.

Device Account Policy Configurations

A group of controls to Enable Device Accounts policies

Device and Settings customization profile (Premium)

A group of controls to configure and customize the device user's experience. These features are available only with a KPE Premium license with customization permissions.

Enable Device Name in Settings

Use this group of controls to enable the device name in settings

Set Device Name

Use this setting to specify device name

Allow Device Name Change by End User

Use this control to allow device name change by user

Samsung keyboard controls

Use this control to enable and configure Samsung's built-in keyboard.

Disable Predictive text

Use this control to enable or disable the use of predictive text to facilitate typing on the device by suggesting words the device user may want to use in a text field. Predictions are based on the context of other words in the message and the first few letters typed.

Disable Keyboard settings

Use this control to enable or disable the settings that let the user switch between different Samsung Keyboard options.

Samsung Keyboard Toolbar Controls

Use this control to enable or disable toolbar configuration of Samsung Keyboard

Disable Emoticon

Use this control to enable or disable Emoticons on Keyboard Toolbar

Disable Grammarly

Use this control to enable or disable Grammarly on Keyboard Toolbar. Only supported on Android 14 / OneUI 6.1.1 and higher.

Disable Sticker

Use this control to enable or disable Sticker on Keyboard Toolbar

Disable Gif Keyboard

Use this control to enable or disable Gif Keyboard on Keyboard Toolbar

Disable Voice Input

Use this control to enable or disable Voice Input on Keyboard Toolbar

Disable Live Message

Use this control to enable or disable Live Message on Keyboard Toolbar

Disable Handwriting Input

Use this control to enable or disable Handwriting Input on Keyboard Toolbar

Disable Clipboard

Use this control to enable or disable Clipboard on Keyboard Toolbar

Disable Modes

Use this control to enable or disable Modes on Keyboard Toolbar

Disable Text Edit Panel

Use this control to enable or disable Text Edit Panel on Keyboard Toolbar

Disable Search

Use this control to enable or disable Search on Keyboard Toolbar

Disable Spotify

Use this control to enable or disable Spotify on Keyboard Toolbar

Disable YouTube

Use this control to enable or disable YouTube on Keyboard Toolbar

Disable AdjustSize

Use this control to enable or disable AdjustSize on Keyboard Toolbar

Disable AR emoji

Use this control to enable or disable AR emoji on Keyboard Toolbar

Disable Bitmoji

Use this control to enable or disable Bitmoji on Keyboard Toolbar

Disable Expression

Use this control to enable or disable Expression on Keyboard Toolbar

Disable Mojitok

Use this control to enable or disable Mojitok on Keyboard Toolbar

Disable SamsungPass

Use this control to enable or disable Samsung Pass on Keyboard Toolbar

Disable Translation

Use this control to enable or disable Translation on Keyboard Toolbar

Quick Panel configuration

A group of policies to customize the access to the Quick Settings Panel on the device.

Items on Quick Panel

Use these controls to hide or show one or more items from the list of shortcuts available in the Quick Settings Panel. Other shortcuts not listed here will be shown by default.

Show airplane mode control

Use this control to show or hide shortcut to the airplane mode control on quick settings panel.

Show screen rotation control

Use this control to show or hide shortcut to the screen rotation control on quick settings panel.

Show always-on screen control

Use this control to show or hide shortcut to the always-on screen control on quick settings panel.

Show bluetooth control

Use this control to show or hide shortcut to the bluetooth control on quick settings panel.

Show Samsung DeX control

Use this control to show or hide shortcut to the Samsung DeX control on quick settings panel.

Show mobile hotspot control

Use this control to show or hide shortcut to the mobile hotspot control on quick settings panel.

Show NFC control

Use this control to show or hide shortcut to the NFC control on quick settings panel.

Show background sync control

Use this control to show or hide shortcut to the background data sync control on quick settings panel.

Show Wi-Fi control

Use this control to show or hide shortcut to the Wi-Fi control on quick settings panel.

Show Location control

Use this control to show or hide shortcut to the Location control on quick settings panel.

Show Screen Mirroring control

Use this control to show or hide shortcut to the Screen Mirroring control on quick settings panel.

Show Do Not Disturb control

Use this control to show or hide shortcut to the Do Not Disturb control on quick settings panel.

Show Dolby control

Use this control to show or hide shortcut to the Dolby control on quick settings panel.

Allow user to edit Quick Panel

Use this control to allow or block the device user from editing the configuration of the Quick Settings Panel.

Disable app suggestions

Use this control to disable application suggestions in the task manager and other places on the device. Availability: Knox 3.4 and above.

Enable battery protection setting

Use this control to enable the "protect battery" device setting. This stops your device from charging before it reaches 100%. *Note: The setting does not take effect until the next device reboot. Availability: This feature works on tablets and Galaxy XCover Pro/XCover5 from Android 11, and on mobile devices from Android 12. Select devices support this setting. This policy has no effect on unsupported devices.

Lockscreen customization

A group of controls to allow customization of UI shortcuts available on the device's lockscreen. Available with a KPE Premium license.

Lockscreen shortcuts

Use this control to enable the use of lockscreen shortcuts on the device. Enable this option before customizing app shortcuts.

App for left shortcut

Enter a package name to specify the app that opens when the user uses the left shortcut on the lockscreen.

App for right shortcut

Enter a package name to specify the app that opens when the user uses the right shortcut on the lockscreen.

Configure values in settings menu

A group of policies to customize the device settings menu. These settings are part of the Deep Settings Customization feature that is available on device with KPE Premium licenses on Knox v3.4 and higher. Support for individual settings varies based on the device's model and OS.

Audio Volume Controls

Use this control to configure the Audio Stream & Volume Controls

Device Key Mapping to Launch application Configurations

A group of controls for device key mapping configurations

DeX customization profile (Premium)

A group of settings that help customize Samsung DeX experience for the user. These features are available only with a KPE Premium license.

Set Home alignment

Select the alignment of apps and icons for the homescreen when the device is in DeX mode. Available options are sort items by type, by item name in alphabetical order, or in a custom grid arrangement. Default value is custom grid.

Set screen timeout

Enter the duration for which the device must be inactive in DeX mode before the screen times out. Default duration of inactivity is 30 seconds.

Allow screen timeout change

Change this setting to allow or block device users to modify the screen timeout settings when the device is in DeX mode. Default value is set to allow device users to modify the timeout settings.

Set DeX wallpaper

Use these controls to add the wallpaper image to show on the display when the device is in DeX mode. This feature will work only on devices with Knox 3.3, API level 28 and above.

Wallpaper image

Select the appropriate source type for the location of your image file. To use the Base64 string option, convert the source PNG image file to a Base64 encoded string and copy the data to the wallpaper image file field. Some UEM consoles may set size limits. To provide a Web URL type image, use a public URL that KSP can access. To provide the image as a local file path, ensure that the image file is available and accessible before KSP launches. *Note: The local file path option has been deprecated and will no longer work in Android 11 or higher.

Image content or location

Depending upon the source type you selected, enter the file's location path or URL in this field. For the base 64 string source type, add the converted image data in this field.

Which wallpaper to setup?

Use this control to indicate which wallpaper(s) to configure with the new imagery.

Skip DeX welcome screen

Change this setting to skip the DeX welcome screen containing the Terms and Conditions that shows when the device first connects to DeX mode.

Skip overscan detection screen

Change this setting to skip automatic detection of overscan boundaries and size adjustment overlay screen on the monitor.

App allowlist to auto-launch on DeX connection

Specify the list of applications you want to auto-launch in DeX mode. Apps listed here are auto-launched in DeX mode only if they were in use right before DeX mode. Provide the app package names in a comma-separated list. Leave the field empty to allow the user to control the setting.

Auto-start DeX on HDMI connection

Change this setting to start DeX mode automatically when HDMI cable is connected to the device. This feature is available on Knox v3.4 or higher.

Hide apps in App Drawer

For devices in DeX mode, enter the list of apps whose icons must be hidden from the App Drawer. These applications will not be disabled. Enter a comma-separated list of package names for the list of applications to hide.

Enable mouse cursor flow

Change this setting to allow the mouse cursor to extend from the monitor to the host device when using Dual view mode.

Add application shortcuts on DeX

Use these controls to add shortcuts to one or more apps on the device when the device is in DeX mode. Shortcuts work only when the DeX homescreen uses the custom grid.

Add URL shortcuts on DeX

Use these controls to add shortcuts to one or more URLs on the device when the device is in DeX mode. Shortcuts work only when the DeX homescreen uses the custom grid.

Disable buttons on the DeX panel

Use this control to disable one or more specific buttons that show up on the DeX panel.

Configure file transfer settings

A group of controls to enable or disable file copy, drag and drop, and copy and paste.

Control file copy from PC to DeX

Use this control to disable file copy from PC to DeX.

Control file copy from DeX to PC

Use this control to disable file copy from DeX to PC.

Configure values in DeX settings menu

A group of policies to customize the DeX settings menu. These settings are part of the Deep Settings Customization feature that is available on devices with KPE Premium licenses on Knox v3.4 and higher.

Configure the number of apps open limit on DeX

Use this control to configure the limit on the number of apps that can be open on DeX (5-15).

Configure DeX Stabilizer Mode

A group of controls to enable or disable DeX Stabilizer mode. Supported from Android 12, on Australia models only. *Note: The "Configure DeX Stabilizer Mode" function is no longer supported as of Knox 3.9.0.

Firewall configuration profile

A group of controls that drive the firewall configuration on the device.

Firewall configuration name

Enter the name of the firewall configuration profile in this field. Use a unique and descriptive name, including the name of the firewall provider and other identifying descriptions. For example, FirewallProvider1. Use the value in this field as a reference for the value in the Firewall profile name in the firewall policy section.

Allow rules

A group of controls to specify the network connections allowed on the device. Firewall allow rules take precedence over deny rules.

Deny rules

A group of controls to specify the network connections denied access on the device. CAUTION: Adding a DENY ALL rule disconnects the device completely from the network. To retain control of the device, always add ALLOW rules that guarantee UEM Agent connectivity before adding a DENY ALL rule.
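
The following pre-deployment check is an added example, not part of KSP or of the original page. It applies the allow-over-deny precedence described above to a constructed rule set and reports the UEM endpoints that a DENY ALL rule would cut off. The rule field names, the addresses, and the UEM_ENDPOINTS list are assumptions for illustration and do not reflect KSP's actual rule format.

```python
import ipaddress

# Constructed sample profile. Field names are hypothetical, not KSP's schema.
ALLOW_RULES = [
    {"host": "203.0.113.0/24", "port": "443"},  # constructed UEM server range
]
DENY_RULES = [
    {"host": "*", "port": "*"},                 # DENY ALL
]
# Endpoints the UEM agent must reach (constructed documentation addresses).
UEM_ENDPOINTS = [("203.0.113.10", 443), ("198.51.100.7", 443)]


def _host_matches(rule_host, ip):
    if rule_host == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_host, strict=False)


def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    low, _, high = rule_port.partition("-")     # "443" or "8000-8100"
    return int(low) <= port <= int(high or low)


def _matches(rule, ip, port):
    return _host_matches(rule["host"], ip) and _port_matches(rule["port"], port)


def verdict(ip, port, allow_rules, deny_rules):
    """Allow rules take precedence over deny rules, as the page states."""
    if any(_matches(r, ip, port) for r in allow_rules):
        return "allow"
    if any(_matches(r, ip, port) for r in deny_rules):
        return "deny"
    return "default"  # no rule matched; the firewall's default applies


def has_deny_all(deny_rules):
    return any(r["host"] == "*" and r["port"] == "*" for r in deny_rules)


def lockout_risks(endpoints, allow_rules, deny_rules):
    """Return the UEM endpoints that a DENY ALL rule would cut off."""
    if not has_deny_all(deny_rules):
        return []
    return [(ip, port) for ip, port in endpoints
            if verdict(ip, port, allow_rules, deny_rules) != "allow"]


if __name__ == "__main__":
    for ip, port in lockout_risks(UEM_ENDPOINTS, ALLOW_RULES, DENY_RULES):
        print(f"LOCKOUT RISK: no allow rule covers {ip}:{port}")
```

Run the check against the rule set before pushing the profile; any endpoint it reports needs an ALLOW rule before the DENY ALL rule is added.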

Redirect rules

A group of controls to specify when and how firewall access requests are redirected.

Redirect exceptions

A group of controls to specify which data connections are not redirected.

Domain filters

A group of controls to specify how traffic to and from specific domains is handled.

Prioritize Domain filters over allow and deny rules

Enable this flag to process Domain Filters before other firewall rules. Once enabled, the next time an application tries to send a domain name resolution request, the Domain rules are analyzed before the Firewall rules to decide whether to allow or block the request. Note that this allows data packets if the Domain Filter contains a specific allowlist rule for that domain. Data packets to non-allowlisted domains may still be blocked if a Firewall deny rule applies to them.

Manual Proxy configuration

A group of policies to specify the global proxy setting using a specified server host and port. Contact your network administrator for this information.

Server

Enter the proxy server information in this field. Contact your Network or IT Administrator for this information.

Port

Enter the port number of the proxy server host in this field. Contact your Network or IT Administrator for this information.

Username

If your proxy uses authentication, then use this field. If you want to use admin-provided credentials, enter the username for use with the proxy server. Leave this field empty if you do not use authentication or if the proxy requires the user's corporate credentials to authenticate.

Password

If your proxy uses authentication, then use this field. If you want to use admin-provided credentials, enter the password for use with the proxy server. Leave this field empty if you do not use authentication or if the proxy requires the user's corporate credentials to authenticate.

Host IP addresses to exclude from Proxy

Specify any IP addresses you want to bypass the proxy. Enter the values as a comma-separated list of IP addresses, for example, "123.123.55.0, 123.123.50.0".

Domain to exclude from Proxy

Specify the domains that can bypass the proxy you have set. For example, you can specify "samsung.com" as a domain, and any DNS query to that domain and the resulting data traffic will bypass the proxy.

NPA Data Points profile (Premium)

A group of controls that drive the Network Platform Analytics (NPA) data points configuration at a device-wide or Work profile level. Availability: Knox v3.3 or higher.

Profile name

Use this field to create a new NPA Data Points configuration profile. Enter a unique and descriptive name for this new configuration profile, for example, NPADataPoints1. Use the value in this field as a reference for the NPA profile name value in the NPA Data Points section.

NPA Data Points

A group of controls to specify the data points for collection. Available with a KPE Premium license.

Select all Data Points

Set this option to True to automatically set all the data points in the following section to True and collect them. Set this option to False if you want to configure collection of specific data points only.

Identification number of the application

Identification number of the application from where the network flow originated

Identification number of the process

Identification number of the process from where the network flow originated

Identification number of the parent application

Identification number of the parent to the application from where the network flow originated

Identification number of the parent process

Identification number of the parent to the process from where the network flow originated

Identification number of the application DNS request

Identification number of the application from where the DNS request originated

IP address of the host

IP address of the host which originated the network flow

IP address of the receiving host

IP address of the host that is receiving the network flow

Source port number

Source port number from where the network flow originated

Destination port number

Destination port number that is receiving the network flow

Fully Qualified Domain Name (FQDN) of the destination IP address

Fully Qualified Domain Name (FQDN) of the destination IP address

Transport layer protocol

Transport layer protocol used by the network flow

Name of the process

Name of the process from where the network flow originated

Name of the parent of the process

Name of the parent of the process from where the network flow originated

SHA 256 encryption hash of the application

SHA-256 hash of the application from where the network flow originated

SHA 256 encryption hash of the parent of the application

SHA-256 hash of the parent of the application which originated the network flow

Number of L4 bytes sent

Number of L4 bytes (Network Flow payload size) sent during the network flow

Number of L4 bytes received

Number of L4 bytes (Network Flow payload size) received during the network flow

Network interface

Network interface (wlan0, tun0, rmnet0) which originated the network flow

Start time

Start time of the network flow

End time

End time of the network flow

Peripheral Configuration

A group of controls for peripheral configuration profiles. *Note: Peripheral Configuration Policies are deprecated in the KSP release (23.12). Because they are deprecated, we strongly suggest that you no longer use these policies from Android 14 (Knox 3.10.0). See the KSP Release Notes for details.

Proxy auto-config (PAC)

A group of policies to specify the Proxy auto-config (PAC) based proxy setting, for example, the server, port details, and more.

PAC (Proxy auto config) URL

Specify the URL from which a device fetches your Proxy Auto Configuration (PAC) file. This file determines the appropriate proxy server to use for each URL accessed. Contact your Network or IT Administrator for this information.

Authentication configurations

A group of controls to specify one or more authentication configurations. Note that a different username and password can be used for each individual proxy listed in a PAC file.

Permission Controls

A group of controls for permission configuration profiles.

RCP Data Sync profile Configurations (Premium)

A group of controls that drive RCP Policy data sync configurations at a Work profile level.

UCM plugin configurations (Premium)

A group of controls to specify the configuration of one or more UCM plugins that access credential storage.

VPN profiles (Premium)

A group of configuration settings for the VPN profiles used to drive the primary and secondary VPN clients on the device. You can define up to two VPN profiles that are used for VPN Chaining.

Wi-Fi Configurations

A group of controls for Wi-Fi configurations.