Knox policies in the personal profile

As described in Device management modes, Android 11:

• deprecates the fully managed device with a work profile, to protect user privacy on company devices that enable personal usage

• provides a new Work profile on company-owned devices, which offers greater privacy to the end user and at the same time offer sufficient level of control to the IT admin to protect corporate assets

This page summarizes the Knox policies that can and can’t be applied to the personal side of company-owned devices with Android 11.

For similar lists of the Android policies that can and can’t be applied to the personal side, see Google’s EMM migration guidelines > Appendix A and B (requires partner login) or Android policies in the personal profile.

Knox policies allowed

For a more granular list of the atomic actions allowed, see the developer version of the list.

1. Account management (Google account, Samsung account, and so on)
2. App installation or update restrictions (allow and block lists for apps by package name/permission/signature)
3. App start/stop
4. AuditLog
5. Bluetooth advanced settings (via BluetoothPolicy, except for BluetoothLog)
6. Camera, microphone, screen capture, video recording
7. Common Criteria (CC) mode
8. Connectivity (Call/Emergency Call/SMS/MMS/Roaming/Wifi/Wifi Scanning/Bluetooth/BLE/Tethering/USB debugging/USB MTP/USB host/Mock Location/Cellular Data/WifiDirect/airplane mode/data saving/RCS) restrictions
9. Customization features (via SystemManager, SettingsManager)
10. DeX management
11. Device inventory (for asset management)
12. Email/EAS/LDAP management and restrictions
13. Firmware/FOTA auto-update restrictions
14. Font/date time configuration
15. GPS change restriction (via setGPSStateChangeAllowed)
16. Google crash report restriction
17. Hypervisor Device Manager (HDM)
18. Kiosk mode
19. Lockscreen customization
20. Multi-user mode restrictions (via allowMultipleUsers)
21. NFC controls (for example, turn on/off) and restrictions
22. On-device firewall management
23. Password complexity management
24. Power off/power saving restrictions
25. Reboot banner customization (US DoD requirement)
26. Remote control (screen sharing/remote input injection) restriction
27. SDCard access restrictions
28. SIM PIN Lock
29. System app force stop restriction (via allowStopSystemApp)
30. Wallpaper change restriction
31. Wi-fi advanced settings (via WifiPolicy)
32. Widget installation (allow and block lists)

Knox policies not allowed

If you must use one of these prohibited policies, consider using Separated Apps instead of Work profile on company-owned devices.

1. Access Point Name (APN) settings
2. App configuration (via setApplicationRestrictions)
3. App data/cache deletion restriction
4. App default settings
5. App silent installation/uninstallation/update
6. App status/usage/focus monitoring
7. App uninstallation/force stop/prevent start restriction
8. Bluetooth Log
9. Browser settings (popup blocker, cookie setting, auto-fill, HTTP proxy, etc.)
10. Client Certificate Management (via ClientCertificateManager, CertificateProvisioning, CertificatePolicy)
11. Clipboard access/sharing restrictions (including per-app clipboard disabling)
12. Clipboard data add/get/clear
13. Device admin (DA) controls
14. Device wipe
15. Enterprise billing
16. Factory reset
17. Global Proxy
18. Google Account auto-sync restriction
19. Google backup restriction
20. Knox Platform for Critical Communication (KPCC) PS-LTE features such as DRX value settings and allowing access to restricted network capabilities
21. Location services, including geo-fencing (except for GPS state change restriction via setGPSStateChangeAllowed)
22. Network Platform Analytics (NPA)
23. Rich Communication Services (RCS) message monitoring
24. TIMA KeyStore
25. Universal Credential Management (UCM)
26. User/multi-user granular restriction/management like allowUserCreation (except for the multi-user mode restriction via allowMultipleUsers)
27. VPN