Advanced Examples

Before setting a policy, ensure that you meet the following prerequisites. Refer to your UEM documentation for instructions on how to complete these steps.

  1. Your devices are set up in Device Owner (DO) or Profile Owner (PO) mode, or as a fully managed device with a work profile.
  2. You have set up a Managed Google Play store.
  3. You have added KSP as an approved app.

The following section describes the various policies available to configure using KSP.

NOTE—The layout and visual appearance of these policies may vary depending on your UEM's implementation. However, the policy names, descriptions, and functionality remain the same.

DeX

The available DeX policies include:

  • Basic policy controls—These standard controls allow you to perform simple actions, such as enable or disable DeX. These policies are free and do not require an additional license. They are listed under DO > DeX policy > Manage DeX restrictions.
  • Customization controls—These additional customization options allow you to change the DeX setup and user experience. Use of these policies requires a KPE Premium license.
NOTE—See DeX policy descriptions for a full list of the DeX policies available.

Enable DeX

The process to enable DeX is simple and only requires you to turn on a few policies as follows:

  1. In your supported UEM, under the Device-wide policies (Device Owner) category turn on Enable device policy controls.
  2. Enable DeX policy.
  3. Under Manage DeX Restrictions, enable Allow DeX connection.
  4. In your UEM, save the profile and push it to a device.

To disable DeX, simply turn off Allow DeX connection, as shown in the previous example.

Enable DeX with basic customization

This example shows you how to enable DeX so it auto launches and sets a specific screen timeout. Note that all DeX customization policies require a KPE Premium license.

  1. In your supported UEM, under the Device-wide policies (Device Owner) category turn on Enable device policy controls.
  2. Enable DeX policy.
  3. Under Manage DeX Restrictions, enable Allow DeX connection.
  4. Under DeX customization profile, enable Auto-start DeX on HDMI connection.
  5. Under DeX customization profile, find Set screen timeout and input your desired value.
  6. Under DeX customization profile, disable Allow screen timeout change.
  7. The device now launches DeX automatically when it is plugged into an HDMI cable.

Industry example

This example configures a tablet in DeX mode so a bank employee can use it to help customers with day-to-day operations, for example, opening a new account or checking account balances. In this use case, DeX serves as a dedicated employee workstation, and the bank can gradually phase out older, single-purpose computer terminals. Note that all DeX customization policies require a KPE Premium license.

NOTE—These instructions do not apply to any specific UEM. Refer to your UEM documentation for specific instructions on menu structure and navigation.
  1. In your supported UEM, under the Device-wide policies (Device Owner) category turn on Enable device policy controls.
  2. Under DeX Policy, turn on Enable DeX policy controls.
  3. Under Manage DeX Restrictions, enable Allow DeX connection.
  4. Under Manage DeX Restrictions, enable Customize DeX Experience.
  5. Set DeX profile name to a value that makes sense to you, for example, Bank Terminal.
  6. Under DeX customization profile, type the name of the DeX profile you set in the previous step. In this example, it is Bank Terminal.
  7. Under DeX customization profile, enable DeX Auto Start on HDMI connection. This setting minimizes potential troubleshooting for employees and can reduce IT overhead. If a device is unplugged, setting up the bank terminal again is as simple as plugging the device back into an HDMI cable.
  8. Under DeX customization profile, enable Disable buttons on the DeX panel. Select the buttons you want to disable. For example, selecting Exit DeX button prevents users from exiting the bank terminal and using the device for other purposes.
  9. Under DeX customization profile, turn on Skip overscan detection screen. The overscan screen is a setting that automatically tries to optimize the UI according to the monitor you are using. This setting is unnecessary for this use-case.
  10. Under DeX customization profile, enable Add application shortcuts on DeX. You can now add the bank services that employees need to the DeX home screen. To add apps, list the app packages in the App package name dialog.
  11. In your UEM, save the profile and push it to a device.
  12. Once configured and pushed to a device, DeX auto launches with your company profile and policies applied.
NOTE—DeX customization features do not always return errors in debug mode. This can happen if your device does not have the correct OS or DeX version installed. If the framework on your device does not support your policies, they are not applied.

VPN

Configuring and applying VPN policies using KSP is a two step process.

NOTE—All VPN policies require a KPE Premium license.
  1. Set up the VPN configuration profile—Choose the VPN settings and policies to suit your organization. These settings are saved as a profile you can reuse in later configurations, such as setting up a DO or PO profile.
  2. Create the VPN policy—The VPN Policy uses settings from the VPN configuration profile created in the previous step. This VPN policy allows you to specify other rules such as which apps should use this VPN.
NOTE—See VPN policy descriptions for a full list of the VPN policies available.

The following example shows you how to configure a per app VPN on a Device Owner (DO) device. It uses an on-demand connection.

Configure VPN profile

  1. Under VPN profiles, VPN Profile, enter a profile name. For example, VPN_StrongSwan.
  2. Under VPN profiles, Vendor, choose the type of VPN you want to use. For this example, we select Knox built-in, which uses the StrongSwan VPN.
  3. Under Host, list your server host IP, for example, 52.3.256.0.
  4. Leave all other values as default.
  5. In your UEM, save the profile.
NOTE—Knox built-in VPN (StrongSwan) cannot support certificate-based authentication when used at the DO level.

Configure VPN Vendor parameters

Now that you have created a VPN profile, you can set up the parameters such as the identifier and pre-shared key. Following the previous example, we continue to configure our StrongSwan VPN.

  1. Under Parameters for Knox built-in VPN (for Strong Swan), Authentication type, select ipsec_ike2_rsa.
  2. Under User certificate alias, enter your certificate name. For example: md_user.pfx.
  3. Under CA certificate alias, enter your certificate name. For example: vpn_cal.pfx.
  4. Leave all other values as default.
  5. In your UEM, save the profile.

If you are using a different VPN, such as Pulse Secure or Cisco AnyConnect, these values may differ. The mandatory parameters you need to set depend on your network configuration. Contact your Network Administrator to find out which fields to use and with what values.

Enable VPN policy

Now that you have created and configured a profile, configure a policy and push it to a target device.

  1. In your supported UEM, under the Device-wide policies (Device Owner) category, turn on Enable device policy controls.
  2. Under VPN policy, turn on Enable VPN controls.
  3. Under VPN type, choose Selected Apps (Per-App).
  4. NOTE—Currently, KSP does not support per-app VPN mode for NetMotion VPN.
  5. Under Manage list of apps that use VPN, add the package names of the apps you want to route through the VPN. For example, com.samsung.email.provider. If you do not enter any app packages, the VPN applies to all apps by default.
  6. Enter the Name of VPN profile to use, for this example we use our StrongSwan profile VPN_StrongSwan.
  7. Leave all the other VPN values as set by default.
  8. In your UEM, save the profile and push it to a device.
NOTE—Within the VPN policy, you can optionally enable USB tethering over VPN so a whitelisted USB device can access and share resources with a peer device. However, VPN tethering only works when the following three conditions are met:
  • An IT admin must allow this feature from their UEM console for a target device to receive the tethering feature.
  • A user must enable VPN tethering on their device.
  • The laptop or tablet being connected must have been previously whitelisted by the IT admin.

USB tethering over VPN is only supported on Knox 3.5 and above devices.

NOTE—A wrong VPN configuration can disconnect your device or work profile from the network and in some cases may make it unrecoverable. To avoid this issue, Samsung recommends keeping the following applications out of the VPN configuration:
  • UEM Agent package—Check with your UEM for details.
  • KSP package—com.samsung.android.knox.kpu
  • Google services—com.android.vending, com.google.android.gms

Use the Manage list of apps that can bypass VPN setting to list these packages.

Firewall

NOTE—See Firewall policy descriptions for a full list of the Firewall policies available.

Set up basic firewall

  1. Under Firewall configuration profiles, enter a profile name. For example Firewall_config1.
  2. Under Allow rules > Allow rule, fill out the required information for the data you want to allow through the firewall, for example, any connection originating from your enterprise intranet.
  3. Under Deny rules > Deny rule, fill out the required information for the data you want to block through the firewall, for example, popular social media sites.
    NOTE—To ensure devices are not locked out of your network, give the following apps explicit allow rules. You must always set these allow rule exceptions if you are using DENY ALL rules.
    1. UEM Agent package—Contact your UEM for details.
    2. KSP package—com.samsung.android.knox.kpu
    3. Google services—com.android.vending, com.google.android.gms
  4. In your UEM, save the configuration.
  5. Under Firewall policy, turn on Enable Firewall controls.
  6. Under Name of firewall configuration to use, enter the name of the profile you want to use. In this example, we use the profile created previously, Firewall_config1.
  7. In your UEM, save the profile and push it to a device.

Industry example

This example shows you how to configure a firewall that only allows traffic through for your UEM agent and internal intranet.

  1. Under Firewall configuration profiles, enter a profile name. For example, Firewall_internalOnly.
  2. Under Allow rules > Allow rule, fill out the required information to allow traffic for your UEM agent.
  3. Under Allow rules > Allow rule, fill out the required information to allow traffic for intranet.
  4. Test to make sure the previous configurations are working before you proceed to the next step.
  5. Under Deny rules > Deny rule, under Hostname (IP or IP range), type * as a wildcard to block all other incoming traffic.
  6. In your UEM, save the profile and push it to a device.
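The two notes above (keep the UEM agent, KSP and Google services out of the VPN app list, and give them explicit allow rules whenever a DENY ALL rule exists) are easy to forget when a configuration is edited by hand. The following Python script is an added example, not KSP's or any UEM's code: it audits a planned configuration for exactly those two mistakes before it is pushed. The dict layout and key names (apps_using_vpn, apps_bypassing_vpn, allow_rules, deny_rules, package, host) and the agent package com.example.uemagent are hypothetical stand-ins for your console's actual fields; the mandatory package names are the ones the notes list.

```python
"""Pre-push sanity check for a planned KSP VPN and firewall configuration.

Added example, not KSP code. The dict layout and key names below
(apps_using_vpn, apps_bypassing_vpn, allow_rules, deny_rules, package, host)
are hypothetical stand-ins for the corresponding UEM fields; map them to your
console's actual field names.
"""
import re
from typing import Iterable, List, Set

# Android package-name syntax: dot-separated identifiers, at least two segments.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")

KSP_PACKAGE = "com.samsung.android.knox.kpu"
GOOGLE_PACKAGES = ("com.android.vending", "com.google.android.gms")


def management_packages(uem_agent: str) -> Set[str]:
    """Packages that must keep network access or the device may become unmanageable.

    The UEM agent package differs per vendor, so the caller supplies it.
    """
    return {uem_agent, KSP_PACKAGE, *GOOGLE_PACKAGES}


def invalid_package_names(packages: Iterable[str]) -> List[str]:
    return [p for p in packages if not PACKAGE_RE.match(p)]


def check_vpn(vpn: dict, uem_agent: str) -> List[str]:
    """Findings for a per-app VPN policy (an empty list means nothing was found)."""
    findings = []
    required = management_packages(uem_agent)
    routed = set(vpn.get("apps_using_vpn", []))
    bypass = set(vpn.get("apps_bypassing_vpn", []))
    for bad in invalid_package_names(routed | bypass):
        findings.append(f"VPN: '{bad}' is not a valid Android package name")
    for pkg in sorted(required & routed):
        findings.append(f"VPN: management package {pkg} is routed through the VPN")
    # An empty app list means the VPN applies to every app, so the
    # management packages must then appear in the bypass list instead.
    if not routed:
        for pkg in sorted(required - bypass):
            findings.append(f"VPN: applies to all apps but {pkg} is not in the bypass list")
    return findings


def check_firewall(firewall: dict, uem_agent: str) -> List[str]:
    """Findings for a firewall configuration that may contain a DENY ALL rule."""
    findings = []
    deny_all = any(rule.get("host") == "*" for rule in firewall.get("deny_rules", []))
    if not deny_all:
        return findings
    # Only an allow rule that names the package explicitly counts; a rule for
    # "*" with a narrow host range does not keep the agent reachable.
    explicitly_allowed = {rule.get("package") for rule in firewall.get("allow_rules", [])}
    for pkg in sorted(management_packages(uem_agent) - explicitly_allowed):
        findings.append(f"Firewall: DENY ALL is set but there is no allow rule for {pkg}")
    return findings


def audit(config: dict, uem_agent: str) -> List[str]:
    return check_vpn(config.get("vpn", {}), uem_agent) + check_firewall(
        config.get("firewall", {}), uem_agent
    )


# Constructed sample: a per-app VPN that accidentally routes Google Play
# services, plus the "internal only" firewall from the industry example, which
# allows the UEM agent and the intranet but has no rules for KSP or Google.
SAMPLE_UEM_AGENT = "com.example.uemagent"  # hypothetical vendor agent package
SAMPLE_CONFIG = {
    "vpn": {
        "apps_using_vpn": ["com.samsung.email.provider", "com.google.android.gms"],
        "apps_bypassing_vpn": [],
    },
    "firewall": {
        "allow_rules": [
            {"package": "com.example.uemagent", "host": "*"},
            {"package": "*", "host": "10.0.0.0/8"},  # intranet, hypothetical range
        ],
        "deny_rules": [{"package": "*", "host": "*"}],
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_UEM_AGENT):
        print(finding)
```

Run against the constructed sample, the script reports four findings: Google Play services routed through the VPN, and three missing firewall allow rules (KSP, com.android.vending, com.google.android.gms). Adding those three packages to the allow rules and dropping com.google.android.gms from the VPN app list brings the audit to an empty result.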

Dual DAR

NOTE—See Dual DAR policy descriptions for a full list of the Dual DAR policies available.

This example enables Dual DAR encryption for your Workspace. With it, we set a 5 minute lockout time.

  1. In your supported UEM, under the Work profile policies (Profile Owner) category turn on Enable work profile policies.
  2. Enable Dual DAR controls.
  3. Set Data lock timeout type to specified value, and enter the data lock timeout value as 5 (minutes).

Enterprise Billing

NOTE—See Enterprise Billing policy descriptions for a full list of the Enterprise Billing policies available.

KPE and KSP offer the use of dual Access Point Name (APN) settings in the following ways:

  • For Bring Your Own Device (BYOD) deployments, enterprise billing allows employees to be properly compensated for data costs generated from work-related app usage.
  • In Corporately Owned, Personally Enabled deployments, enterprise billing allows employers to pay for data usage incurred only for work purposes.

Depending on your device deployment, set up various APN configurations for devices deployed in your network.

Create a new APN configuration

The following example illustrates how to create a new APN configuration called Company billing, for devices set up with a Workspace or work profile.

  1. In your UEM console, open the Device Configuration Profile that is associated with your target devices, and then click the appropriate option to edit the profile.
  2. On the policy settings homepage, click APN configurations. The page refreshes to show the APN configurations menu item on the left hand navigation menu.
  3. On the refreshed navigation menu, click APN configurations > Add setting. The APN configuration page opens to show a set of fields that help you create and customize your APN configuration.
  4. On the APN configurations page, do as follows:
    1. In the Name field, enter Company billing.
    2. Enter appropriate values for the rest of the fields on this page. Contact your mobile service provider for these values.
  5. After you've entered all relevant information, click OK to save this new APN configuration.

Configure Enterprise billing

Once you've created the new APN configuration, you can now configure your devices—whether they are DO or PO device deployments—to use the new APN configuration and apply Enterprise billing settings to applicable apps.

The following example uses the Company billing APN configuration for devices using the PO deployment model.

  1. After you've created the Company billing APN configuration in your chosen Device Configuration Policy, go to Device Configuration Policy > click Properties > click Settings. The Device Configuration Policy OEM config page opens.
  2. On the new navigation menu that opens, click Work profile policies. The Work profile policies (PO) page opens.
  3. On this page, next to Enterprise billing policy, click Configure. The Enterprise billing policy page opens.
  4. For the Enable enterprise billing policy field, click True to enable the use of enterprise billing.
  5. In the Name of the APN configuration to use for Enterprise apps field, enter Company billing.
  6. Depending upon your network and IT usage guidelines, specify values for the rest of the fields on this page, and then click OK.
  7. Depending upon the settings you've chosen for deploying Device Configuration Policy changes, the new Enterprise billing policy is deployed on all the devices that use this Device Configuration Policy.

Set up an MVNO configuration

A Mobile Virtual Network Operator (MVNO) is a mobile device reseller that uses another carrier's mobile network. An apt example is Consumer Cellular, whose devices use the mobile networks of AT&T and T-Mobile.

On devices running Knox v3.4 or higher, you can set up multiple APN configurations on a device to:

  • Support different MVNOs that access the same network.
  • Set up different subscriber accounts within the same network or reseller. For example, you could switch to a SIM card for a different subscriber or reseller but on the same mobile network.

To set up an MVNO configuration, do as follows.

NOTE—Before you set up MVNO configuration, you must get the values that apply to your device from your mobile network provider. Refer to your mobile network provider’s documentation for more information.
  1. In your UEM console, open the Device Configuration Profile that is associated with your target devices > click the appropriate option to edit the profile.
  2. On the policy settings homepage, next to Device-wide Settings, click Configure to open the Device-wide policies (Device Owner) page.
  3. On this page, next to Device Controls, click Configure to open the Device Controls page.
  4. On this page, next to APN Setting Policy, click Configure to open the APN Setting Policy page.
  5. Next to the Enable APN settings policy control, click True.
  6. Navigate back to the policy settings homepage, and next to APN configuration, click Configure. The middle menu refreshes to show a new menu item called APN configurations.
  7. On the refreshed navigation menu, click APN configurations > Add setting. The APN configuration page opens to show a set of fields. Enter the appropriate information for these fields based on the details provided by your mobile network provider.
  8. Scroll down to find the Mobile Virtual Network Operator (MVNO) configuration setting.
  9. Next to the Mobile Virtual Network Operator (MVNO) configuration setting, click Configure.
  10. On the page that opens, in the MVNO type list, select the appropriate value from the following:
    • Group identifier level 1 (GID)
    • Service provider name (SPN)
    • International mobile subscriber identity (IMSI)
  11. In the MVNO value field, enter the appropriate value.
  12. Click OK. The new MVNO configuration is saved and sent to your devices depending upon your deployment policies.

Universal Credential Management (UCM)

NOTE—See UCM policy descriptions for a full list of the UCM policy settings available.

KSP provides a group of policies to manage universal authentication credentials in both external and internal device storage, for example, a smartcard, micro SD card, or embedded Secure Element. Depending upon your network and security needs, you can enable or disable UCM policies as well as configure advanced settings for your UCM plugins.

Before you can enable UCM plugins for your devices, you must create and configure at least one UCM configuration policy.

1. Create UCM configuration policy

The following example describes the process to create a new UCM configuration policy, called Screen lock, that dictates how the UCM plugin restricts access to specific apps on the target device when the device is locked.

  1. In your UEM console, open the Device Configuration Profile that is associated with your target devices > click the appropriate option to edit the profile.
  2. On the policy settings homepage, next to UCM plugin configurations, click Configure. The page refreshes to show the UCM plugin configurations menu item on the left hand navigation menu.
  3. On the refreshed navigation menu, click UCM plugin configurations > Add setting. The UCM plugin configuration page opens to show a set of fields that help you create and customize your UCM plugin.
  4. On the UCM plugin configuration page, do as follows:
    1. In the Name of UCM plugin configuration field, enter Screen lock.
    2. NOTE—Always choose a name that highlights the main feature or use of the UCM plugin configuration that you are setting up. You can then reference this name in KSP to apply these settings to the target device.
    3. In the Package name of UCM plugin application field, enter the package name for your UCM vendor's application. The sample format is com.mycompany.ucm.plugin. Refer to the UCM vendor application's Google Play Store page for the correct package name.
    4. In the Credential usage list, select Screen lock.
    5. If your UCM vendor's plugin supports PIN caching, in the Pin properties area > PIN timeout type list, select Same as screen lock. The UCM plugin now requires re-authentication whenever the screen locks.
    6. In the Application access controls area > Type of access restrictions list, select Unrestricted access.
    7. In the Access control when device or workspace is locked area > Lock credential storage when device or workspace is locked list, click True.
    8. In the List of apps allowed to access credential storage when locked field, enter the package names, as a comma-separated list, of the apps allowed to access UCM credential storage when the device is locked.
    9. In the List of certificates to install on this credential storage after configuration field, list any certificates to install.

  5. Click OK to save this new UCM configuration. This UCM configuration restricts all apps' access to UCM credential storage, with the exception of specific apps, when the device is locked.
  6. NOTE—Repeat steps 1 to 5 for each type of UCM configuration policy you want to create in your Device Configuration Profile.

2. Use an existing UCM configuration policy

The following example shows you how to use the Screen lock UCM configuration policy that you created earlier to automatically secure target devices in the High security devices device group when the screen is locked.

  1. After you've created the Screen lock UCM configuration policy in your chosen Device Configuration Policy, go to Groups > All groups.
  2. On the All groups page, confirm that the High security devices device group exists. Refer to your UEM console's help documentation for information on creating a new or editing an existing device group.
  3. Go to the Device Configuration Policy that contains the Screen lock UCM configuration policy > click Assignments > Include tab.
  4. On the Include page, in the Assign to list, select High security devices > click Save.
  5. Depending upon the settings you've chosen for deploying Device Configuration Policy changes, the new UCM Configuration Policy is deployed on the devices in the High security devices group.

Deep Settings Customization

The Deep Settings Customization feature is available on devices running Knox v3.4 and higher with a KPE Premium license.

1. Create and configure deep settings

The following example describes the process to create and configure a new policy that hides all notifications on the screen when the device is locked.

  1. In your UEM console, open the Device Configuration Profile that is associated with your target devices. On the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.
  2. On the Properties page, in the Settings list, click Configured. The OEMConfig page for the Device Configuration Policy opens.
  3. On the OEMConfig page, next to Device and Settings customization profile, click Configure. The Device and Settings customization profile page opens.
  4. On the customization profile page, next to the Configure values in settings menu title, click Configure. The Configure values in settings menu page opens to show a refreshed navigation menu to its immediate left.
  5. On the refreshed navigation menu, click Configure values in settings menu > Add setting. The Configure values in settings menu page opens to show fields and controls that help you customize your device settings.
  6. Do as follows:
    1. In the Name of the setting item list, select Lock screen > Notifications > Hide content.
    2. In the Set value for setting list, select On.
    3. If you want to allow the device user to change this setting, in the Allow end-user modification of this setting field, click True.
  7. Click OK. The new setting is created and you can now deploy it to your target devices. For information, go to: Deploy deep settings.
NOTE—Repeat steps 5 to 7 for each type of deep setting you want to configure in your Device Configuration Profile.
NOTE—To configure deep settings that require specific values be set beyond simply enabling or disabling a specific control, go to Configure unique deep settings.

2. Configure unique deep settings

The following describes how to set specific deep settings that require configuration beyond simply enabling or disabling a specific control. This section will be periodically updated as unique deep settings requiring specific configuration values are added.

  • Set the Font Size from 0-7, with zero (0) being the smallest font size displayed on the device, and seven (7) the largest. Font Size adjustments are made within the Lockscreen customization policies section.
  • Configure the Font Style as either SamsungOneUI-Regular.xml (sets the font as SamsungOne), or Foundation.xml (sets the font as Gothic bold). Font Style adjustments are made within the Lockscreen customization policies section.
  • Refer to the Show notification icons controls to define whether all or some notifications display on the device. Notification setting, (battery percentage, icon display, etc.) adjustments are made within the Lockscreen customization policies section. Enter the notification icon display setting as one of the following numeric values:
    • 0 - All notifications are received.
    • 1 - Only the three most recent notifications are received.
    • 2 - Notifications are turned off and none are received.
    • 3 - Notifications are enabled, but only a defined number are received.
  • Set one of the following Language Shortcut values to configure how language shortcuts are utilized on the device. Language settings are configured within the Device settings policies section, while other language settings such as preferred speech engine, pitch and speech rate can be set within the Lockscreen customization policies section. Enter the Language shortcut setting as one of the following numeric values:
    • 1 - shift+space
    • 2 - ctrl+space
    • 3 - shift+space & ctrl+space
    • 4 - left alt+shift
    • 5 - shift+space & left alt+shift
    • 6 - ctrl+space & left alt+shift
    • 7 - All
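The numeric values above are easy to mistype, and a wrong value silently changes what the device does. The language shortcut values in particular combine like bit flags (1, 2 and 4 for the three shortcuts, with 3, 5, 6 and 7 as their sums), which the table shows but does not state. The following Python helpers are an added example, not part of KSP: they encode a set of shortcuts into the policy value, decode a stored value back for review, and range-check the other unique deep settings before a profile is pushed. The function names and the settings dict layout are hypothetical; the value tables are copied from this section.

```python
"""Encode, decode and range-check the numeric deep-setting values above.

Added example, not KSP code. The value tables are copied from the page; the
observation that the language-shortcut values combine like bit flags
(1, 2, 4 and their sums 3, 5, 6, 7) follows from that table. Function names
and the settings dict layout are hypothetical.
"""
from typing import Dict, Iterable, List

LANGUAGE_SHORTCUT_FLAGS: Dict[str, int] = {
    "shift+space": 1,
    "ctrl+space": 2,
    "left alt+shift": 4,
}
NOTIFICATION_ICON_MODES: Dict[int, str] = {
    0: "all notifications",
    1: "three most recent notifications",
    2: "notifications off",
    3: "a defined number of notifications",
}
FONT_STYLES: Dict[str, str] = {
    "SamsungOneUI-Regular.xml": "SamsungOne",
    "Foundation.xml": "Gothic bold",
}
FONT_SIZE_RANGE = range(0, 8)  # 0 = smallest, 7 = largest


def encode_language_shortcut(shortcuts: Iterable[str]) -> int:
    """Combine shortcut names into the numeric value (1-7) the policy expects."""
    value = 0
    for name in shortcuts:
        if name not in LANGUAGE_SHORTCUT_FLAGS:
            raise ValueError(f"unknown language shortcut: {name!r}")
        value |= LANGUAGE_SHORTCUT_FLAGS[name]
    if value == 0:
        raise ValueError("at least one shortcut is required (valid values are 1-7)")
    return value


def decode_language_shortcut(value: int) -> List[str]:
    """Expand a stored value back into the shortcuts it enables, for review."""
    if value not in range(1, 8):
        raise ValueError(f"language shortcut value out of range: {value}")
    return [name for name, bit in LANGUAGE_SHORTCUT_FLAGS.items() if value & bit]


def validate_deep_setting(name: str, value) -> str:
    """Return a description of the setting's effect, or raise ValueError."""
    if name == "font_size":
        if value not in FONT_SIZE_RANGE:
            raise ValueError("font size must be 0 (smallest) to 7 (largest)")
        return f"font size {value} of 7"
    if name == "font_style":
        if value not in FONT_STYLES:
            raise ValueError(f"font style must be one of {sorted(FONT_STYLES)}")
        return f"font {FONT_STYLES[value]}"
    if name == "notification_icons":
        if value not in NOTIFICATION_ICON_MODES:
            raise ValueError("notification icon setting must be 0-3")
        return NOTIFICATION_ICON_MODES[value]
    if name == "language_shortcut":
        return " & ".join(decode_language_shortcut(value))
    raise ValueError(f"unknown deep setting: {name}")


def describe_profile(settings: Dict[str, object]) -> Dict[str, str]:
    """Describe every setting in a planned profile, failing on the first bad value."""
    return {name: validate_deep_setting(name, value) for name, value in settings.items()}


# Constructed sample profile (hypothetical setting names).
SAMPLE_PROFILE = {
    "font_size": 3,
    "font_style": "Foundation.xml",
    "notification_icons": 1,
    "language_shortcut": encode_language_shortcut(["shift+space", "left alt+shift"]),
}

if __name__ == "__main__":
    for setting, effect in describe_profile(SAMPLE_PROFILE).items():
        print(f"{setting}: {effect}")
```

Decoding before deployment is the useful direction: a value of 5 reads back as shift+space and left alt+shift, matching the table, while an out-of-range value such as 8 or a font size of 9 is rejected instead of being pushed to devices.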

3. Deploy deep settings

The following example describes how to use the policy that hides all notifications on the locked device screen to automatically secure target devices in a group called High security devices.

  1. After you have created a deep settings policy in your chosen Device Configuration Policy, go to Groups > All groups.
  2. Within the All groups page, confirm the High security devices device group exists. Refer to your UEM console's help documentation for information on creating a new, or editing an existing, device group.
  3. Go to the Device Configuration Policy that contains the appropriate deep settings configuration > click Assignments > Include tab.
  4. On the Include page, in the Assign to list, select High security devices > click Save.
  5. Depending upon the settings chosen for deploying Device Configuration Policy changes, the new settings are deployed on the devices in the High security devices group.

Lockscreen customization policies

Lockscreen customization policies are a group of controls allowing the customization of UI shortcuts available on the device lockscreen. These lockscreen controls are available with a Knox Premium license.

Refer to the following lockscreen policies:

  • Use the Lockscreen shortcuts control to enable the utilization of device lockscreen shortcuts. This control must be enabled before app shortcut customizations are permitted.
    • Enter an App for left shortcut (package name string) to specify the app that opens when the device user uses the left shortcut on the device lockscreen.
    • Enter an App for right shortcut (package name string) to specify the app that opens when the device user uses the right shortcut on the device lockscreen.
  • Refer to the Configure values in settings menu controls to configure policies to customize the device settings menu. These settings are part of the Deep settings customization feature available with a KPE Premium license on devices running Knox version 3.4 or above. Support for individual settings varies based on the device model and operating system.
    • Use the Configure a settings menu item controls to set the value for a specified device setting and restrict the device user from modifying these values.
    • Use the Name of the Setting item control to select the device Setting menu item—including Accessibility, Wi-Fi, Language, Fonts (size and style), Sound and Vibration, and Notification setting options—you would like to control, hide, or gray out. Use this control along with the Select value for the setting control to turn a device setting on or off once it is selected with the Name of the Setting item control.
    • Refer to the Set value for the setting control to turn a selected device setting on or off. For those settings that are not simply turned on or off, select the Specify Value control and set the actual value for a particular setting.
      • Use the Specify Value control when a device setting requires a value other than an on or off definition.
    • Set the Allow end-user modification of this setting control to True to allow the device user to change a configuration setting. If set to False, the impacted setting is grayed out and not available for selection by the device user.
    • Set the Configure to hide settings control to True to hide settings from the device user.

Workspace configuration

IT admins—and device users, if granted the requisite rights at the policy level—can customize the Workspace configuration on target devices. This feature lets IT admins grant or revoke device users' rights to rename the Workspace and Personal tabs, and to install apps from the Personal space to the Workspace.

The following sections provide detailed examples for these tasks.

1. Rename Workspace and Personal tabs

In certain cases, device users may prefer to customize the Work and Personal tabs on their device to better represent their use and available features. The following example describes the process to change the device configuration policy to allow changing tab names.

  1. In your UEM console, open the Device Configuration Profile that is associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.
  2. On the Properties page, in the Settings list, click Configured. The OEMConfig page for the Device Configuration Policy opens.
  3. On the OEMConfig page, next to Work profile policies, click Configure. The Work profile policies (Profile Owner) page opens.
  4. On this page, next to the Work profile configuration title, click Configure. The Work profile configuration page opens.
  5. On this page, next to the Enable work profile configuration controls title, click True to enable work profile configuration controls and apply these changes to your target devices.
  6. In the Customize work profile tab name field, enter CorporateTasks.
  7. Click OK. The new tab name is deployed to target devices based on your deployment settings.

2. Install apps from the Personal space to the Workspace

Depending upon your IT security policies, IT admins may want to restrict device users from installing personal—or more specifically, non-work related apps—in the Workspace. Installing apps that are not specific to your organization or that are not approved for use within your network may compromise the security of the apps and data in the Workspace on the device. The following example describes the process to restrict users from installing personal apps in the Work profile.

  1. In your UEM console, open the Device Configuration Profile that is associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.
  2. On the Properties page, in the Settings list, click Configured. The OEMConfig page for the Device Configuration Policy opens.
  3. On the OEMConfig page, next to Work profile policies, click Configure. The Work profile policies (Profile Owner) page opens.
  4. On this page, next to the Allow adding apps from personal space to work profile title, click False.
  5. Click OK. The new installation restriction is deployed to target devices based on your deployment settings.

Network Platform Analytics

NOTE—Currently, you can use KSP to configure the NPA data points policy for Cisco AnyConnect clients only.

Network Platform Analytics (NPA) clients are the IT admin's primary method of monitoring and sorting through the traffic on the devices in their network. NPA clients can monitor and collect a wide variety of details about network traffic, including—but not limited to—the following information:

  • Application from where the request originated
  • Origin and target IP address information
  • Encryption level and protocol details
  • Amount of data packets sent and received

The process to enable and configure the NPA client to collect information is in two stages:

  1. Create an NPA Data Points profile
  2. Deploy selected NPA Data Points profile to devices

Create an NPA Data Points profile

KSP uses an NPA Data Points profile to configure data collection on NPA clients. You can set up an NPA Data Points profile at the DO and PO level as follows:

  1. In your UEM console, open the Device Configuration Profile that is associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.
  2. On the Properties page, in the Settings list, click Configured. The OEMConfig page for the Device Configuration Policy opens.
  3. On the OEMConfig page, next to NPA Data Points policy, click Configure. The NPA Data Points profile page opens.
  4. In the Profile name field, enter an appropriate name for your new Data Points profile.
  NOTE—Always choose a name that highlights the main feature or use of the Data Points policy that you are creating. You can then reference this name in KSP to apply these settings to the target device.
  5. Next to NPA Data Points, click Configure. The NPA Data Points page opens.
  6. Depending upon your needs, use the fields on this page to enable collection of various data points. Refer to your NPA client's documentation for more details on each of these values.
  7. Click OK to save this new NPA Data Points profile.

The next step is to apply this profile to your target devices.

Deploy selected NPA Data Points profile to devices

To apply this new NPA Data Points profile to your managed devices, do as follows:

  1. In your UEM console, open the Device Configuration Profile that is associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.
  2. On the Properties page, in the Settings list, click Configured. The OEMConfig page for the Device Configuration Policy opens.
  3. Associate the NPA Data Points policy with your devices as follows:
    • For DO devices, next to the Device-wide policies (Device Owner) field, click Configure. Continue to the next step.
    • For PO devices, next to the Work profile policies (Profile Owner) field, click Configure.
  4. On the page that opens, next to the Network Platform Analytics (NPA) field, click Configure. The Network Platform Analytics (NPA) page opens.
  5. In the Enable NPA controls field, click True.
  6. In the NPA client list, select your NPA client.
  7. In the NPA Profile for Data Points field, enter the name of the NPA Data Points profile you created earlier.
  8. Click OK.
  9. Depending upon the settings you've chosen for deploying Device Configuration Policy changes, these changes are deployed on all the devices that use this Device Configuration Policy.

RCP data sync profile configuration

RCP data sync profiles help you configure application-level policies for syncing data within a Work profile container. You can then use these profiles to The process to create and configure RCP data sync profiles has two distinct parts:

  1. Create RCP data sync configuration profile
  2. Configure and use RCP policies

The following two sections provide in-depth examples for this process.

Create RCP data sync configuration profile

To create a new RCP data sync configuration, do as follows:

  1. In your UEM console, open the Device Configuration Profile that is associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.
  2. On the Properties page, in the Settings list, click Configured. The OEMConfig page for the Device Configuration Policy opens.
  3. Next to the RCP Data Sync profile Configurations (Premium) field, click Configure. The Configure values in settings menu page opens to show a refreshed navigation menu to its immediate left.
  4. On the middle navigation menu, click ... > Add setting. The Configure values in settings menu page opens to show fields and controls that help you customize your device settings.
  5. Do as follows:
    1. Next to Select Application to Data Sync field, click Configure. On the page that opens, in the Name of the Application field, select Calendar.
    2. In the middle menu, click RCP Data Sync profile Configuration to return to the RCP Data Sync profile Configuration page.
    3. Next to Select Data Sync Property field, click Configure. On the page that opens, use this configuration profile's controls to add one action or data sync property that you want to allow or block for the calendar application.
    NOTE—You can only add and configure one data sync property per profile. If you want to configure another data sync property, you need to add a data sync profile for each property you want to manage.
    4. In the middle menu, click RCP Data Sync profile Configuration to return to the RCP Data Sync profile Configuration page.
    5. To enable user data sync on selective applications, set the Enable user to data sync on selective applications field to True.
  6. Click OK. The configuration profile you just created is saved and deployed to devices based on your deployment schedule. The next step is to enable the use of this configuration profile on your devices.

Configure and use RCP policies

To configure and use the RCP data sync configuration policy for the calendar app you just created, do as follows:

  1. In your UEM console, open the Device Configuration Profile associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.
  2. On the Properties page, in the Settings list, click Configure. The OEMConfig page for the Device Configuration Policy opens.
  3. Next to the Work profile policies (Profile Owner) field, click Configure. The Work profile policies (Profile Owner) page opens.
  4. Next to the RCP policy (Premium) field, click Configure. The RCP policy (Premium) page opens.
  5. On this page, do as follows:
    1. Set the Enable RCP Policy Controls field to True.
    2. Set values for the Allow moving files from personal space to work profile and Allow moving files from Work profile to personal space fields as needed.
    3. Set the value for the Enable RCP data sync policy field to True. The RCP data sync policy you created earlier is now applicable to appropriate devices with a PO.
  6. Click OK. The settings you changed are saved and deployed to devices based on your deployment schedule.

Device restrictions

Device restrictions are a dedicated group of controls to allow or deny specific device access restriction operations. These controls require Knox version 2.7 or above and a Standard license.

  • Set the Enable device restriction controls value to True to enable the following device restriction controls on a target device. If disabled—set to False—device restriction settings are ignored.
    • Set the Allow microphone control to True to enable the device microphone without user intervention. When set to False, the microphone is disabled for recording, but this does not affect the device's phone application.
    • Set the Allow Wi-Fi control to True to permit the device to connect to Wi-Fi networks.
    • Set the Allow Wi-Fi Direct control to True to permit the device to connect to Wi-Fi Direct supported networks without an access point or router resource.
    • Set the Allow Bluetooth control to True to enable the device to make Bluetooth connections.
    • Set the Allow cellular control to True to enable the device to make cellular connections.
    • Refer to the following Tethering controls to configure tethering on a device and permit the device to share its Internet connection:
      • Set the Allow Tethering control to True to permit all tethering types on the device. This control must be enabled before any other tethering control is set, or other tethering settings will be ignored.
        • Set Allow Wi-Fi tethering to True to permit tethering over a Wi-Fi connection.
        • Set Allow Bluetooth tethering to True to permit tethering over a Bluetooth connection.
        • Set Allow USB tethering to True to permit tethering over a USB connection.
    • Set the Allow USB media player control to True to permit the use of an external USB media player on the device.
    • Set the Allow USB host storage control to True to permit the use of an external USB storage device—such as an external hard disk or flash drive—on the device.
    • Use the Setup USB exception list to permit the configuration and use of one or more USB device classes. The Allow USB host storage setting must be enabled to define USB exceptions; if it is disabled, any USB exceptions are not committed. Ensure you add every USB class you need to support to the exception list. Options include:
      • Allow all (default setting)
      • Audio
      • CDC Data
      • Communication
      • Human Interface Device
      • Mass Storage
      • Miscellaneous
      • Still Image
      • Vendor Specific
      • Wireless Controller
    • Set the Allow USB debugging control to True to permit the device to enter into USB debugging mode. Debugging mode permits new applications to be copied to a device via USB for testing prior to deployment.
    • Set the Allow developer mode control to True to permit the device to enter into developer mode and configure system behaviors to improve device performance.
    • Set the Allow Share Via Option control to True to present user options to share data from one application to another.
    • Set the Allow power saving mode control to True to permit the device to enter power save mode automatically. Setting this control to False restricts the device from entering power save mode by itself.
    • Set the Allow data saver mode control to True to permit the device to enter data saver mode automatically. Data saver reduces device data usage by preventing some applications from sending or receiving data in the background.
    • Set the Allow VPN connections control to True to permit VPN connections between this device and another peer device.
    • Set the Allow user to modify Settings control to True to permit the user to change their device settings. Setting this value to False restricts device user setting updates.
    • Enforce external storage encryption—set to True—to enable external storage (SD Card) encryption. Samsung recommends using an alphanumeric password. The default setting is False.
    • Set the Allow backup on Google Server control to True to enable a data backup on the Google server. Backups are a recommended practice when device data needs to be periodically restored from a Google Server resource. If disabled—set to False—a device user is unable to use a Google Server as a data backup resource.
    • Set the Allow SD card access control to True to enable Secure Digital (SD) card access. Consider enabling this setting if intending to utilize a high capacity flash memory card with the device. If disabled—set to False—any device user attempt to transfer data to the device's SD card fails, and the user is unable to use a SD card as a memory resource.
    • Set the Allow installation of non-Google Play Apps control to True to permit the installation of applications that are not procured from the Google Play store. If set to False, a device user cannot install non-Google Play apps, and cannot access the device UI until the administrator enables access again. While Google Play has a wide variety of applications for Android, consider enabling this setting to install applications that may not be available in the Google Play store's application listing.
    • Set the Allow Android Beam on device control to True to enable the device to use NFC and Bluetooth as data and video beam transfer mechanisms. If Android Beam is disabled—set to False—S Beam is also disabled on the device.
    • Set the Allow Camera control to True to enable the use of the device camera. Setting this value to False renders the device's camera inoperable. If this policy is applied for user 0, the camera is disabled for user 0 as well as for all containers and users defined on the device.
    • Set the Allow Video Recording control to True to enable the device to use video recording functionality. Setting this control to False restricts video recording, but still permits the use of the device camera.
    • Set the Allow Multiple User control to True to enable multiple users to access the device and its data. Set this control to False to restrict additional users from accessing the device and its potentially proprietary data.
  • Advanced restrictions

    These restrictions are a dedicated group of controls to manage advanced restriction policies. A KPE premium license is required for advanced restriction policies. These policies include—but are not limited to—the following:

    • Wi-Fi and Bluetooth scanning
    • Remote control to block device connections using 3rd party applications
    • Common criteria
    • Dual SIM device enable/disable
    • Wireless Intrusion Prevention Support (WIPS)
    NOTE—To review additional advanced restriction configuration examples, go to: Policy Descriptions.

    Create an advanced restriction configuration

    1. In your UEM console, open the Device Configuration Profile associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.
    2. On the Properties page, in the Settings list, click Configure. The OEMConfig page for the Device Configuration Policy opens.
    3. Next to the Work profile policies (Profile Owner) field, click Configure. The Work profile policies (Profile Owner) page opens.
    4. Next to the Advanced Restriction Policy field, click Configure.
    5. Set the following advanced restriction values as needed:
      • Set the Enable advanced restriction controls value to True to enable the following advanced restriction controls on a target device.
        • Refer to the Allow Wi-Fi scanning setting and click True to block the device from scanning for in-range Wi-Fi networks in order to improve location detection accuracy. This setting is only available with Knox 3.2 and above devices.
        • Refer to the Allow bluetooth scanning setting and click True to block the device from scanning for in-range Bluetooth devices in order to improve location detection accuracy.
        • Set the Allow remote control value to True to block connections to the device using 3rd party control applications. This setting is only available with Knox 3.0 and above devices.
        • Refer to the Enable Common Criteria (CC) mode setting and click True to enable services to bring the device into a CC mode compliant evaluated configuration. If enrolled in a UEM, the CC mode setting is defined at the UEM level.
        • Set the Allow dual SIM operation value to True to enable device second SIM slot functionality on a dual SIM device. Disable this setting to restrict functions (calls, SMS/MMS operations, etc.) on the second SIM. Enabling this setting returns functionality to the previously blocked second SIM. This policy is ignored by single SIM devices.
        • Set the Enable WIPS Control value to True to enable WIPS enforcement and protection options for the device. If disabled, changes to other WIPS settings have no impact.
          • Set the Allow WIPS Enforcement value to 1 to enforce this feature and disallow a device user from bypassing WIPS protection. Set this value to 0 to permit a device user to bypass WIPS.
          • Set the Allow WIPS Advance Protection value to 1 to disallow a device user from changing the WIPS configuration. Setting this value to 0 turns this setting off and permits a device user to change WIPS settings.
        • Refer to the Set USB Device Connection Type control and set to either DEFAULT, MTP, PTP, MIDI, or CHARGING to define the USB connection type utilized by the device.
    6. Click OK. The updated advanced restriction settings are saved and deployed to devices based on the deployment schedule.
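Several of the restriction controls above only take effect behind a master switch (Enable device restriction controls, Allow Tethering, Allow USB host storage, Enable advanced restriction controls, Enable WIPS Control), and the page states that dependent settings are silently ignored when that switch is off. The following Python script, added here as an example and not part of KSP, Knox or any UEM console, lints a restriction payload for exactly those silently-ignored combinations before it is pushed. The snake_case keys are hypothetical stand-ins for the field names above, and the policy is modelled as a plain dict of the values an admin has set.

```python
"""Lint a KSP-style restriction payload for settings the page says are silently ignored.

Added example for this page; not KSP, Knox, or UEM code. Keys are hypothetical
snake_case stand-ins for the UEM field names, and a policy is a plain dict.
"""
from typing import Any, Dict, List, Set, Tuple

# Controls that only take effect when "Enable device restriction controls" is True.
DEVICE_RESTRICTION_KEYS: Set[str] = {
    "allow_microphone", "allow_wifi", "allow_wifi_direct", "allow_bluetooth",
    "allow_cellular", "allow_tethering", "allow_wifi_tethering",
    "allow_bluetooth_tethering", "allow_usb_tethering", "allow_usb_media_player",
    "allow_usb_host_storage", "usb_exception_list", "allow_usb_debugging",
    "allow_developer_mode", "allow_vpn_connections", "allow_camera",
    "allow_video_recording", "allow_multiple_users",
}

# Controls that only take effect when "Enable advanced restriction controls" is True.
ADVANCED_RESTRICTION_KEYS: Set[str] = {
    "allow_wifi_scanning", "allow_bluetooth_scanning", "allow_remote_control",
    "enable_common_criteria_mode", "allow_dual_sim", "enable_wips_control",
    "allow_wips_enforcement", "allow_wips_advance_protection",
    "usb_device_connection_type",
}

# USB device classes the exception list accepts (the options listed on the page).
USB_CLASSES: Set[str] = {
    "Allow all", "Audio", "CDC Data", "Communication", "Human Interface Device",
    "Mass Storage", "Miscellaneous", "Still Image", "Vendor Specific",
    "Wireless Controller",
}

# (gate key, keys ignored unless the gate is True, consequence stated on the page)
GATES: List[Tuple[str, Set[str], str]] = [
    ("enable_device_restriction_controls", DEVICE_RESTRICTION_KEYS,
     "device restriction settings are ignored"),
    ("allow_tethering",
     {"allow_wifi_tethering", "allow_bluetooth_tethering", "allow_usb_tethering"},
     "other tethering settings will be ignored"),
    ("allow_usb_host_storage", {"usb_exception_list"},
     "USB exceptions will not be committed"),
    ("enable_advanced_restriction_controls", ADVANCED_RESTRICTION_KEYS,
     "advanced restriction controls are not enabled"),
    ("enable_wips_control", {"allow_wips_enforcement", "allow_wips_advance_protection"},
     "changes to other WIPS settings have no impact"),
]


def lint_restrictions(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per setting that is present but cannot take effect."""
    findings: List[str] = []
    reported: Set[str] = set()
    for gate, dependents, consequence in GATES:
        if policy.get(gate) is True:
            continue  # gate open: everything behind it can take effect
        for key in sorted(dependents):
            if key in policy and key not in reported:
                reported.add(key)
                findings.append(f"{key} is set but {gate} is not True: {consequence}")
    # The exception list is a fixed menu; an unknown class is a configuration error.
    for cls in policy.get("usb_exception_list", []):
        if cls not in USB_CLASSES:
            findings.append(f"usb_exception_list entry {cls!r} is not a known USB class")
    return findings


# Constructed payload that mixes valid settings with the traps described above.
SAMPLE_POLICY: Dict[str, Any] = {
    "enable_device_restriction_controls": True,
    "allow_tethering": False,
    "allow_usb_tethering": True,           # ignored: Allow Tethering is off
    "allow_usb_host_storage": False,
    "usb_exception_list": ["Human Interface Device", "Printer"],  # not committed; "Printer" unknown
    "allow_usb_debugging": False,
    "enable_advanced_restriction_controls": True,
    "enable_wips_control": False,
    "allow_wips_enforcement": 1,           # no impact while Enable WIPS Control is off
}

if __name__ == "__main__":
    for line in lint_restrictions(SAMPLE_POLICY):
        print(line)
```

Run against the constructed payload, the linter reports four findings: the USB tethering flag behind a disabled Allow Tethering, the exception list behind a disabled Allow USB host storage, the WIPS enforcement value behind a disabled Enable WIPS Control, and the unknown "Printer" class. An empty result means every setting in the payload can actually take effect.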

    Device controls

    Device controls are a specific group of advanced policies designed to manage APN, NFC, Wi-Fi, Bluetooth, boot banner, battery optimization, device hardware key mapping, and multiple-user policies, to name just a few of a growing list.

    NOTE—To review additional device control configuration examples, go to: Policy Descriptions.
    1. In your UEM console, open the Device Configuration Profile associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.
    2. On the Properties page, in the Settings list, click Configure. The OEMConfig page for the Device Configuration Policy opens.
    3. Next to the appropriate Profile Owner or Device Owner field, click Configure.
    4. Navigate to one of the following Device Control Policy fields as needed and click Configure. Once the updates are complete, click OK. Updated device control settings are saved and deployed to devices based on the deployment schedule.

    APN setting policy

    Set the following APN Setting Policy values to create, update, and remove Access Point Name (APN) settings on a device. The following APN settings are configurable as device controls:

    • Set the Enable APN settings policy control to True to change APN configuration settings. If set to False, updated APN settings are ignored.
    • In the Name of APN Configuration to add or update field, enter the <string> name of the APN configuration being added or updated. The name provided must match at least one of the names in the APN configuration > name field.

    NFC policy

    Refer to the following Near Field Communication (NFC) Policy settings to define how devices in close proximity transmit and receive information with one another via NFC.

    • Set the Enable NFC policy controls value to True to change existing NFC settings. If set to False, NFC setting updates are ignored.
    • Turn on NFC—set to True—to enable NFC functions such as NFC payment systems or NFC tags, etc. If set to False, NFC setting updates will not be implemented.
    • Optionally Allow user to change NFC state—set to True—to permit users to change NFC settings. Click False to restrict users from changing NFC settings on their device.

    Wi-Fi policy

    Refer to the following Wi-Fi Policy control values to configure a device's hotspot settings, and manage Wi-Fi profile, connection, and security settings:

    • Set the Enable Wi-Fi policy controls value to True to enable Wi-Fi policy control settings on the device. If set to False, Wi-Fi policy configuration updates are ignored.
    • Set Wi-Fi hotspot SSID <string> to name the Wi-Fi hotspot resource saved on the device. Consider a customized name such as MyMobileWifi as opposed to the default SSID.
    • Refer to the Set Wi-Fi hotspot password parameter and enter a password <string> to enforce password protection when the hotspot is enabled. If this parameter is undefined, users can configure an unsecured hotspot with no password requirement. Ensure the password is at least eight characters long.
    • Set the Allow user to change hotspot setting to True to permit users to change hotspot settings on their device. If set to False, hotspot configuration updates and modifications are not permitted.
    • Set the Allow open Wi-Fi connection value to True to permit devices to connect to an open and unsecured Wi-Fi access point resource. If set to False, non-secure access point connections are not permitted.
    • Set the Allow Wi-Fi User Profile Change value to True to allow the device to connect to available Wi-Fi networks. If set to False, Wi-Fi network connections are not permitted.
    • Set the Allow Wi-Fi User Policy Change value to True to allow the user to modify the device's Wi-Fi user profile. If set to False, user Wi-Fi profile updates are not permitted.
    • Enter the Block Wi-Fi Network Connection SSIDs <string> to configure a list of blocked network locations to prevent a device user from connecting to them.
    • Ensure the Allow Automatic Wi-Fi Connection to saved SSIDs value is set to True to allow automatic connections to saved SSIDs. Click False to disable automatic connections to saved SSIDs.
    • Refer to the Allow Minimum Wi-Fi Security Requirement option to permit the user to select the minimum security requirement utilized for a Wi-Fi connection. This option is only configurable if the device is restricted from connecting to open Wi-Fi connections. Options include:
      • WEP
      • WPA
      • LEAP, PWD
      • FAST, PEAP
      • TLS, TTLS, SIM, AKA, AKA'
    • Set the Allow Control for Wi-Fi Password to be Visible value to True to display the password within the network edit dialogue. Click False to hide the password.
    • Set the Allow Wi-Fi State Change value to True to permit the user to change the device's Wi-Fi state. Click False to restrict the user from making a Wi-Fi state change.

    Advanced Wi-Fi policy

    NOTE—Advanced Wi-Fi settings are configurable in Device Owner (DO) mode only.

    Advanced Wi-Fi settings are a group of controls to refine client behavior and improve enterprise network connectivity, including—but not limited to—SSID assignment and management controls, roam scan configuration settings, DHCP settings and SSID blacklist functions. Advanced Wi-Fi policy controls include the following:

    •  Enable Advance Wi-Fi Policy Controls—set to True—to enable advanced Wi-Fi policy controls, making them available for unique configuration updates based on projected usage. If set to False, updates are ignored.
      • Specify the Wi-Fi Network Name (SSID) whose settings require configuration and network management using advanced Wi-Fi controls.
      • Enter the Wi-Fi Roam Trigger threshold used to trigger a roam scan for other potential AP resources within range of the specific client SSID. The scan is only initiated when the received signal strength (RSSI) of the current AP is weaker than the specified Wi-Fi Roam Trigger value.
      • Provide the Wi-Fi Roam Delta to define the threshold for a target client to disassociate from its current AP and associate with another. Re-association occurs only when the RSSI of the other AP is at least Wi-Fi Roam Delta stronger than that of the current AP.
      • Enter the Wi-Fi Roam Scan Period that determines how often a target client scans for roam candidate APs.
      • Refer to the Allow DHCP Renewal setting and click True to allow the device to keep (renew) its current IP address assignment, even after the device roams to another AP.
      • Refer to the Disable Wi-Fi Network Blacklisting setting and click True to disable network blacklisting for a specified SSID.
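The three roam values above are easy to misread because RSSI is a negative dBm figure (-60 dBm is stronger than -80 dBm). The following Python model, added here as an example and not KSP, Knox or UEM code, walks a constructed series of scan samples and applies the Roam Trigger, Roam Delta and Roam Scan Period as the text describes them. It assumes the scan period simply rate-limits how often the client re-evaluates candidates once the trigger is met; the actual client firmware may schedule scans differently.

```python
"""Model the Advanced Wi-Fi roam thresholds as a roam decision.

Added example for this page, not KSP or Knox code. RSSI values are dBm (negative,
closer to 0 is stronger); Roam Delta is a dB difference. The scan period is
assumed to rate-limit re-evaluation once the trigger condition holds.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    rssi_dbm: int  # received signal strength; closer to 0 means stronger


@dataclass(frozen=True)
class RoamPolicy:
    roam_trigger_dbm: int    # Wi-Fi Roam Trigger: scan only when current RSSI is weaker than this
    roam_delta_db: int       # Wi-Fi Roam Delta: candidate must beat the current AP by at least this
    roam_scan_period_s: int  # Wi-Fi Roam Scan Period: minimum seconds between roam scans


def scan_needed(current: AccessPoint, policy: RoamPolicy) -> bool:
    """A roam scan starts only when the current AP is weaker than the trigger."""
    return current.rssi_dbm < policy.roam_trigger_dbm


def choose_roam_target(current: AccessPoint, candidates: Sequence[AccessPoint],
                       policy: RoamPolicy) -> Optional[AccessPoint]:
    """Pick the strongest candidate that is at least Roam Delta dB stronger than the current AP."""
    eligible = [
        ap for ap in candidates
        if ap.bssid != current.bssid
        and ap.rssi_dbm >= current.rssi_dbm + policy.roam_delta_db
    ]
    if not eligible:
        return None
    return max(eligible, key=lambda ap: ap.rssi_dbm)


def roam_decisions(timeline: Sequence[Tuple[int, AccessPoint, Sequence[AccessPoint]]],
                   policy: RoamPolicy) -> List[Tuple[int, str]]:
    """Walk (seconds, current AP, scan results) samples and return (time, target BSSID) roams."""
    decisions: List[Tuple[int, str]] = []
    last_scan: Optional[int] = None
    for t, current, candidates in timeline:
        if not scan_needed(current, policy):
            continue
        if last_scan is not None and t - last_scan < policy.roam_scan_period_s:
            continue  # trigger met, but the scan period has not elapsed yet
        last_scan = t
        target = choose_roam_target(current, candidates, policy)
        if target is not None:
            decisions.append((t, target.bssid))
    return decisions


# Constructed example: trigger at -75 dBm, require a 10 dB improvement, scan at most every 10 s.
POLICY = RoamPolicy(roam_trigger_dbm=-75, roam_delta_db=10, roam_scan_period_s=10)
TIMELINE = [
    (0,  AccessPoint("ap-1", -60), [AccessPoint("ap-2", -50)]),                           # healthy, no scan
    (10, AccessPoint("ap-1", -80), [AccessPoint("ap-2", -75), AccessPoint("ap-3", -65)]),  # scan: ap-3 wins
    (15, AccessPoint("ap-1", -80), [AccessPoint("ap-2", -60)]),                           # too soon to rescan
    (20, AccessPoint("ap-1", -82), [AccessPoint("ap-2", -74)]),                           # only 8 dB better
]

if __name__ == "__main__":
    print(roam_decisions(TIMELINE, POLICY))  # [(10, 'ap-3')]
```

The only roam in the constructed timeline happens at t=10: the current AP has dropped below the trigger, and ap-3 at -65 dBm clears the 10 dB delta while ap-2 at -75 dBm does not. The sample at t=15 is skipped by the scan period, and at t=20 the candidate is only 8 dB better, so the client stays put.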

    Bluetooth policy

    Configure the following Bluetooth Policy controls to define bluetooth data exchange settings over short distances. The following settings have no impact when Allow BT is disabled within the Device restrictions configuration page.

    • Enable bluetooth policy controls—set to True—to enable bluetooth policy configuration updates using the controls described below. If set to False, bluetooth setting updates are ignored.
    • Set the Allow Device discovery mode to True to permit the device to enter Bluetooth discovery mode and search for other Bluetooth supported devices to connect and transfer data. Set this control to False to restrict a Bluetooth device from searching, connecting and transferring data with other Bluetooth devices.
    • Use the Enable bluetooth profiles control to permit or restrict the following peripherals from connecting based on their bluetooth profiles. Options include:
      • None
      • Bluetooth Advanced Audio Distribution (A2DP) 
      • Bluetooth Audio/Video Remote Control (AVRCP) 
      • Bluetooth Hands Free (HFP)
      • Bluetooth Headset (HSP) 
      • Bluetooth Phone Book Access (PBAP)
      • Bluetooth Serial Port (SPP)
    • Use the Whitelist Service by UUID and Blacklist Service by UUID controls to select specific peripherals to either allow (whitelist) or block (blacklist) connections based on their bluetooth service UUID. When enabled, all peripherals except those specified are allowed or blocked from operating with the device. A wildcard character (*) is used to whitelist all UUIDs except those in the blacklist. Alternatively, a wildcard character is used to blacklist all UUIDs except those in the whitelist. If the same UUID is present in both the whitelist and the blacklist, then the whitelist takes precedence when updated by the same administrator. Ensure UUIDs are defined properly per SIG specification.
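The whitelist/blacklist precedence just described is worth checking offline before a profile is deployed, because a wildcard on the wrong list silently inverts the intent. The following Python class, added here as an example and not KSP, Knox or UEM code, applies the stated rules (a UUID on both lists is allowed; "*" on one list covers everything not named on the other) and expands SIG short-form UUIDs with the Bluetooth base UUID so that "0x1101" and its 128-bit spelling compare equal. Treating a UUID that matches no rule as allowed is an assumption of this example, not a statement from the page.

```python
"""Evaluate KSP-style Bluetooth service UUID whitelist/blacklist rules.

Added example for this page; not KSP, Knox, or UEM code. Encodes the precedence
the page states; the default for a UUID matching no rule (allowed) is an assumption.
"""
import re
from typing import Iterable, Set

BT_BASE_UUID_SUFFIX = "-0000-1000-8000-00805F9B34FB"  # Bluetooth SIG base UUID, minus the first field
FULL_UUID_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$")
SHORT_UUID_RE = re.compile(r"^(?:0X)?([0-9A-F]{4}|[0-9A-F]{8})$")
WILDCARD = "*"


def normalize_uuid(value: str) -> str:
    """Return the canonical 128-bit form (upper case) or the wildcard; reject anything else."""
    v = value.strip().upper()
    if v == WILDCARD:
        return v
    short = SHORT_UUID_RE.match(v)
    if short:
        # 16-bit and 32-bit SIG UUIDs sit in the first field of the base UUID.
        return short.group(1).rjust(8, "0") + BT_BASE_UUID_SUFFIX
    if FULL_UUID_RE.match(v):
        return v
    raise ValueError(f"malformed Bluetooth service UUID: {value!r}")


def is_valid_uuid(value: str) -> bool:
    """True when the value is a wildcard or a UUID the SIG format rules accept."""
    try:
        normalize_uuid(value)
        return True
    except ValueError:
        return False


class ServiceUuidPolicy:
    def __init__(self, whitelist: Iterable[str], blacklist: Iterable[str]) -> None:
        self.whitelist: Set[str] = {normalize_uuid(u) for u in whitelist}
        self.blacklist: Set[str] = {normalize_uuid(u) for u in blacklist}

    def is_allowed(self, uuid: str) -> bool:
        u = normalize_uuid(uuid)
        if u in self.whitelist:
            return True    # explicit whitelist entry wins, even if the same UUID is blacklisted
        if u in self.blacklist:
            return False   # explicit block
        if WILDCARD in self.whitelist:
            return True    # "*" whitelists everything except the blacklisted UUIDs above
        if WILDCARD in self.blacklist:
            return False   # "*" blacklists everything except the whitelisted UUIDs above
        return True        # assumption: no matching rule means the peripheral is allowed


# Constructed policies. 0x1101 (SPP), 0x110B (A2DP sink) and 0x111E (HFP) are SIG 16-bit UUIDs.
DENY_SERIAL_PORT = ServiceUuidPolicy(whitelist=["*"], blacklist=["0x1101"])
HANDS_FREE_ONLY = ServiceUuidPolicy(whitelist=["0x111E"], blacklist=["*"])

if __name__ == "__main__":
    print(DENY_SERIAL_PORT.is_allowed("00001101-0000-1000-8000-00805f9b34fb"))  # False
    print(HANDS_FREE_ONLY.is_allowed("110B"))                                    # False
```

The two constructed policies show the two wildcard shapes: DENY_SERIAL_PORT allows every service except the Serial Port Profile, while HANDS_FREE_ONLY blocks everything except the hands-free service. Malformed entries raise at policy construction time, which is the moment an admin wants to find out.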

    Boot banner

    Refer to the following Boot banner options to add, change, or display a customizable banner when the device is restarted. The following boot banner settings are configurable with a KPE Premium license:

    • Set the Enable banner on device reboot value to True to display a banner on the device when restarted. Keep this setting False—the default value—to hide the banner when the device is restarted.
    • Provide a Custom banner message to display a custom text <string> to the device user when the device is restarted.

    Battery optimization

    Use the following Battery Optimization settings to improve battery consumption efficiency based on projected device activity. The following battery optimization settings are configurable:

    • Set the Enable battery optimization value to True to set an inactivity timeout that shuts down the device when the defined inactivity period is exceeded.
    • Use the Set user inactivity timeout value to set the number of seconds <integer> of device inactivity after which the device shuts down to conserve battery power and extend battery life between charges.
    NOTE—There is a 10 minute minimum timeout if setting a user inactivity period.

    Allow multiple users

    Set the Allow Multiple User value to True to grant additional (multiple) users access to a device. Return this value to False to restrict multiple users from a device.

    Device key mapping

    Refer to the following Device key mapping options to map applications functions to a device's hardware keys. The following key mapping settings are configurable with a KPE Premium license:

    NOTE—Keep in mind, there is a precedence amongst key mapping settings that can make using them together problematic. For tips on setting key mapping controls collectively, go to: Key mapping considerations.
    NOTE—For information on integrating a hardware key re-mapping configuration directly with the Samsung Knox SDK, go to: Hardware key re-mapping.
    • Set the Enable Key Mapping value to True to utilize a group of controls to map device key configurations for a specified application. This setting must be set to True to utilize the options and controls in this key mapping section. Setting this value to False restricts hardware key mapping capabilities. The following hardware key mapping options are available:
      • Provide the Package Name <string> of the application receiving the customized key mapping configuration. Once the package name is defined, refer to the following key mapping options:
        • Top_Key_Short_Press
        • Top_Key_Long_Press
        • XCover_Key_Short_Press
        • XCover_Key_Long_Press
    • Set the Enable PTT Key Mapping for Microsoft TEAMS value to True to enable key mapping support to pass an intent for a Microsoft Teams application package.
    • Set the Enable Key Mapping for specific apps value to True to enable key mapping for a specific hardware press action and application package.
    • Set the Enable Key Mapping to Launch and Exit applications control <bundle> to launch a specific enterprise application package <name> and configure the button press intent and override default intent if applicable. Once the package is defined, refer to the following key mapping options:
      • Top_Key_Short_Press
      • Top_Key_Long_Press
      • XCover_Key_Short_Press
      • XCover_Key_Long_Press
    NOTE—If the application receiving the key mapping configuration has already been launched and is in the background, pressing a hardware key a second time will not bring it to the foreground and will kill the application.

    Key mapping considerations

    When enabling key mapping controls, control options should not all be used collectively, as there is a precedence amongst settings that can make using them together problematic.

    Using the above for reference, an admin should not use B+C+D together, and just B, C, or D should be used.

    Keep the following usage scenarios in mind when planning your key mapping configuration:

    • Amongst B, C, and D, the precedence order is B>C>D for XCover Key. D is supported on both XCover Key and Top Key, with Top Key settings applied.
    • If just B and C are checked, B is applied.
    • If just B and D are checked, B is applied for XCover Pro. D is supported on both XCover Key and Top Key, with Top Key settings applied.
    • If just C and D are checked, C is applied for XCover Key. D is supported on both XCover Key and Top Key, with Top Key settings applied.
    • If B, C, and D are all checked, B is applied for XCover Pro. D is supported on both XCover Key and Top Key, with Top Key settings applied.

    Device settings policies

    Refer to the following to utilize a group of controls for device setting management. A KPE Premium license is required for this device settings group.

    1. In your UEM console, open the Device Configuration Profile associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.
    2. On the Properties page, in the Settings list, click Configure. The OEMConfig page for the Device Configuration Policy opens.
    3. Next to the appropriate Device Owner field, click Configure.
    4. Navigate to one of the following Device settings fields as needed and click Configure. Once the updates are complete, click OK. Updated device settings are saved and deployed based on the deployment schedule.
    • Set the Enable device settings controls control to True to enable the configuration of the following device settings. If set to False, the following device setting controls are not configurable:
      • Set the Hide Settings Backup and Reset control to True to hide device backup and device restore functions on the device, effectively restricting the user from backup and restore operations. If set to False, the device user can make device backup and restore operations as they need.
      • Set the Hide Settings Airplane Mode control to True to hide airplane mode functions on the device, effectively restricting the user from putting their device in airplane mode. If set to False, the device user can put their device in airplane mode as required when traveling.
      • Set the Hide Settings Language control to True to hide language settings from the device display, effectively restricting the user from changing the device language. If set to False, the user can change their device's language settings.
      • Set the Hide Settings Lock Screen & Security control to True to hide device lock screen settings. Set this control to False to display device lock screen settings with no restrictions.
      • Set the Hide Settings Bluetooth control to True to hide Bluetooth settings on the device. Set this control to False to display Bluetooth settings with no restrictions.
      • Set the Hide Settings Developer control to True to hide developer settings (USB debugging, etc.) on the device. Set this control to False to display developer settings with no restrictions.
      • Set the Hide Settings WiFi control to True to hide WiFi settings on the device. Set this control to False to display WiFi settings with no restrictions.
      • Refer to the following Set System Language & Country controls to set the system and default language and country on the device.
        • Use the Set Language control to set the default language <string> displayed on the device. Enter a two character, lower case, language code as defined in ISO 639-1.
        • Use the Set Country control to set the default country <string> displayed on the device. Enter a two character, upper case, country code as defined in ISO 3166-1. This can optionally be followed by a hash (#) and a four character script code as defined in ISO 15924.
      • Set the Enable Mobile Data control to True to display mobile data settings on the device. Set this control to False to prevent mobile device data from displaying on the device.
      • Set the Enable Auto Startup control to True to permit the auto boot of the device when connected to a power source.

    Firmware update (FOTA) policies

    Refer to the following to enable or disable device firmware update settings:

    1. In your UEM console, open the Device Configuration Profile associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.
    2. On the Properties page, in the Settings list, click Configure. The OEMConfig page for the Device Configuration Policy opens.
    3. Next to the appropriate Device Owner field, click Configure.
    4. Navigate to one of the following Firmware update (FOTA) fields as needed. Click Configure. Once the updates are complete, click OK. Updated firmware settings are saved and deployed to devices based on the deployment schedule.
    • Set the Enable firmware controls control to True to enable advanced firmware management options. If this control is set to False, other firmware management related settings have no effect.
    • Set the Allow firmware update over-the-air control to True to enable FOTA updates. Set this value to False to block all OTA update requests (user, server, or system initiated). The user may still periodically see messages about available updates, but any attempt to upgrade will fail. Setting this value to False does not block firmware updates in recovery mode.
    • Set the Allow firmware update in recovery mode control to True to enable the ability to do an update when in recovery mode. Recovery mode permits the device user to factory reset, fix certain problems, or apply device software updates.
    • Set the Enforce firmware auto update on Wi-Fi control to True to enable an automatic firmware update when the device connects to a Wi-Fi network. Setting this control to True enables auto-update on Wi-Fi and blocks the device user from modifying it. Set this value to False to permit the device user to modify this setting on the device.
    • Set the Enable E-FOTA client installation & launch control to True to permit the installation and launch of the E-FOTA client on a device. Set this value to False to restrict an E-FOTA client install on the device.

    Restrictions in work profile policy

    Refer to the following controls to allow or block specific operations in a user's work profile. These controls require Knox version 2.7 or higher and a Standard license.

    • Set the Enable work profile restriction controls to True before using any of the work profile restrictions described in this policy group. If set to False, KSP ignores any value set below and enforces no restrictions.
      • Set the Allow microphone control to True to permit device microphone utilization without user interaction. If set to False, the device microphone is disabled for recording, but does not impact the device's phone application.
      • Set the Allow Share Via option control to True to permit the utilization of Share Via functionality and share data from one application to another application using one of many options. If set to False, applications are restricted from sharing data with one another.
      • Set the Allow Bluetooth control to True to permit Bluetooth functionality within the device container. If set to False, Bluetooth cannot be enabled inside the container.
      • Set the Allow Video Recording control to True to permit the device to record videos. If set to False, video recording capability is rendered inoperable. However, the device camera remains functional when video recording is disabled.

    Advanced restrictions in work profile policy

    Refer to the following to manage advanced restriction policies on a work profile. The following require a Premium license.

    To set unique advanced restrictions on work profiles:

    • Set the Enable advanced restrictions in work profile control to True to enable advanced controls within a work profile, such as Wi-Fi or Bluetooth scanning.
    • Set the Allow remote control to True to block device connections using third-party remote control apps.

    Password policy

    Refer to the following device password management policies to enable or disable password management capabilities and to set device login authentication values.

    To set a unique device password policy:

    1. In your UEM console, open the Device Configuration Profile associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.
    2. On the Properties page, in the Settings list, click Configure. The OEMConfig page for the Device Configuration Policy opens.
    3. Next to the appropriate Profile Owner or Device Owner field, click Configure.
    4. Navigate to one of the following Password Policy fields as needed. Click Configure. Once the updates are complete, click OK. Updated password settings are saved and deployed to devices based on the deployment schedule.
    • Set the Enable password policy controls with KSP value to True to permit the management of password policies on a device. Enable this option before changing any of the device's password settings. If this option is not set to True, then any password or user authentication settings are ignored.
    • Refer to the following Biometric authentication options to use personal traits (fingerprints, iris, and facial recognition) as device user authenticators. Consider biometric authenticators as an alternative to traditional passwords that are susceptible to human mistakes, phishing attempts and duplication.
      • Enable fingerprint authentication - Set this value to True to permit the use of fingerprint recognition as a device user authenticator.
      • Enable Iris authentication - Set this value to True to permit the use of an iris as a device user authenticator. Iris scanning measures the unique patterns in the human iris (the colored circle in the eye). The iris scanner then creates a digital representation of the data and stores it in a database for potential use as a user authenticator.
      • Enable Face recognition - Set this value to True to utilize a digital image of a device user's face as an authenticator. An authentication request matches the user's facial image with the image stored in the database before device access is granted. If a lock is set in DO and it is using P/P/P authentication, the user should not be able to use facial authentication in PO.
    • Set the Enable multifactor authentication value to True to enable multifactor authentication (2FA), enforcing a device unlock only after two successful authentication methods are provided. If enabling multifactor authentication, one authentication method must be biometric (fingerprint, iris, or face), and the other must be a lock screen method (PIN, password, or pattern). Multifactor authentication is only supported on Knox 3.2.1 and above devices. Keep in mind, the incorrect use of multifactor authentication with "One lock" and a biometric policy could result in a locked device requiring qualified support assistance to unlock.
    • Refer to the following Password change options to enforce how device users set their login password and the interval it is changed:
      • Set the Enforce Password Change value to True to force the user to change their password the next time they login to their device. If no password has been set, use this option to force the user to create a password. Verify existing password enforcement conditions before setting this value to True to ensure password enforcement changes do not occur at an unexpected time. If unsure, set this value to False.
      • Configure a Password Enforcement timeout <string> to define the maximum number of minutes a device user can wait to cancel or delay a password change.
    • Refer to the following Policy Restriction settings to manage various password complexity characteristics:
      • Set the Maximum Character Sequence Length <string> to define the maximum alphanumeric character sequence permitted for a device password. A value of zero (0) means there is no restriction on alphanumeric sequence length.
      • Set the Maximum Numeric Sequence Length <string> to specify the maximum numeric sequence length permitted for a device password. A value of zero (0) means there is no restriction on numeric sequence length.
      • Set the Minimum Password Length <string> to specify the minimum number of characters permitted for the device password. The larger the number, the greater potential strength of the device password. A value of zero (0) means there is no restriction.
    • Define the Allowed Time for User Activity before Device Locks to set the maximum number of milliseconds <string> for user activity before the device will lock. A value of zero (0) means no activity restrictions are in place.
    • Set the Maximum Failed Password Attempts to Wipe Data to define the number of failed password attempts <string> allowed before the data on the device is wiped and rendered unavailable. A value of zero (0) means there is no restriction on the number of failed login attempts. Keep in mind, the string provided via the API takes effect immediately, with no chance to revert the data once the defined number of password attempts is exceeded.
    • Enter the Maximum Failed Password Attempts to Disable Work Profile to set the number of failed password attempts <string> before the work profile and device itself are disabled. Once disabled, the device user is unable to restore the device with the password, and an administrator must re-enable the device. A value of zero (0) means there is no restriction on the number of failed login attempts.
    • Refer to the Define Password Quality value to select the level of complexity required when setting a device's work profile password. The options range from No Password to Complex (letter, numeric and alphanumeric characters required). A Numeric Complex password must include numeric characters with no repeating or ordered integers. Options include:
      • No Password
      • Some Password
      • Numeric
      • Alphabet
      • Alphanumeric
      • Numeric Complex
      • Complex
    • Use the Disable Keyguard Feature to select the specific Keyguard feature to disable. Keyguard is the code utilized in a device unlock operation. Options include None and Disable Trusted Agents.
    • Set the Password Visibility control to True to enable the ability to hide the password from view when entered on the device. Setting this control to False disables the ability to hide the password when entered, and provides no additional security.
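    The following is an added example (not KSP or Samsung code) that models how the complexity controls above combine, so that an administrator can see which candidate passwords a given set of values rejects before the profile is pushed. It assumes that a "sequence" is a run of characters stepping by exactly +1 or -1 (abcd, 4321), that Numeric Complex rejects four or more digits with a constant step (4444, 1234, 2468), and that Complex requires a letter, a digit and a symbol.

```python
"""Model of the KSP password-complexity controls (added example, not KSP
or Samsung code). Reports which policy controls reject a candidate password.
Assumptions: 0 means no restriction, as the page says; a "sequence" is a run
of characters stepping by exactly +1 or -1 ('abcd', '4321'); Numeric Complex
rejects four or more digits with a constant step ('4444', '1234', '2468');
Complex needs a letter, a digit and a symbol."""
from dataclasses import dataclass
import re


@dataclass
class PasswordPolicy:
    min_length: int = 0            # Minimum Password Length
    max_char_sequence: int = 0     # Maximum Character Sequence Length
    max_numeric_sequence: int = 0  # Maximum Numeric Sequence Length
    quality: str = "No Password"   # one of the Define Password Quality options


def longest_run(text: str, steps=(1, -1)) -> int:
    """Longest run in which each code point differs from the previous one by
    the same value drawn from `steps`. steps=(1, -1) finds ordered sequences;
    steps=range(-9, 10) (Numeric Complex) also catches repeated digits."""
    best = run = 1 if text else 0
    step = None
    for a, b in zip(text, text[1:]):
        d = ord(b) - ord(a)
        if d in steps and d == step:
            run += 1
        elif d in steps:
            run, step = 2, d
        else:
            run, step = 1, None
        best = max(best, run)
    return best


def quality_ok(quality: str, pw: str) -> bool:
    """Does `pw` satisfy the selected Define Password Quality option?"""
    digits_only = pw.isdigit()
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    return {
        "No Password": True,
        "Some Password": len(pw) > 0,
        "Numeric": digits_only,
        "Numeric Complex": digits_only and longest_run(pw, range(-9, 10)) < 4,
        "Alphabet": has_letter,
        "Alphanumeric": has_letter and has_digit,
        "Complex": has_letter and has_digit and has_symbol,
    }[quality]


def violations(policy: PasswordPolicy, pw: str) -> list:
    """Names of the controls the candidate password fails (empty = accepted)."""
    failed = []
    if policy.min_length and len(pw) < policy.min_length:
        failed.append("Minimum Password Length")
    if policy.max_char_sequence and longest_run(pw) > policy.max_char_sequence:
        failed.append("Maximum Character Sequence Length")
    # numeric limit: examine each maximal all-digit substring on its own
    numeric_run = max((longest_run(m) for m in re.findall(r"\d+", pw)), default=0)
    if policy.max_numeric_sequence and numeric_run > policy.max_numeric_sequence:
        failed.append("Maximum Numeric Sequence Length")
    if not quality_ok(policy.quality, pw):
        failed.append("Define Password Quality")
    return failed
```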

    Application management policies

    Refer to the following application management policies to configure and manage applications inside a device's work profile:

    • Set the Enable application management controls to True to enable the following application management settings. If set to False, these management settings will not be configurable.
      • Refer to the Battery optimization whitelist to enter a comma separated list of application package names <string> to include in the whitelist for battery optimization exemption.
      • Use the Notifications whitelist to stop applications from displaying notifications on the console status bar. All application notifications are blocked except those specified in the whitelist. Enter values as a comma separated list, for example, com.xyz, or com.abc, etc. You can also use a wildcard (com.abc*) for multiple applications.
      • Refer to the Install app from personal to work profile setting to install an existing application <string> from the default personal space into the work profile without device user intervention. Provide a comma separated list of package names if specifying more than one application.
      • Set the following Allow USB devices for application configuration controls to set application configuration access for USB supported devices. Set the following options for USB devices:
        • Provide the Application Name <string> for the package name you would like to allow for USB configuration.
        • Refer to the USB Devices Configuration setting to define the following values that identify the USB devices allowed access for configuration updates:
          • Set the hex Product ID <string> of the USB devices allowed to perform application updates.
          • Set the hex Vendor ID <string> of the USB devices allowed to perform application updates.
      • Use the Application Whitelist by Pkg Name control to whitelist applications intended for installation on the PO. Specified third party applications not part of the device system image will be whitelisted when included in a comma separated list. Include a wildcard (com.abc*) for multiple apps. When a currently installed app matches a package name <string> in both the whitelist and blacklist, then the whitelist has precedence and the package is installed.
      • Use the Application Blacklist by Pkg Name control to blacklist applications <string> by package name and prevent them from being installed on the PO. Specified third party application names not part of the device system image will be blacklisted when included in a comma separated list. Include a wildcard (com.abc*) for multiple apps. If the package is already installed, the API does not impact the existing package installation.
      • Refer to the Application Whitelist by Signature used control to whitelist third-party applications intended for installation on the PO based on the application's signature. Enter values as a comma-separated list. Include a wildcard (com.abc*) for multiple apps. When a currently installed app matches a package signature <string> in both the whitelist and blacklist, then the whitelist has precedence and the package is installed.
      • Use the Application Blacklist by Signature used control to blacklist applications by signature <string> and prevent them from being installed on the PO. Specified third party application signatures not part of the device system image will be blacklisted when included in a comma separated list. Include a wildcard (com.abc*) for multiple apps. If the package is already installed, the API does not impact the existing package installation.
      • Refer to the Disable application without user interaction control to disable specific applications <string> without device user interaction. A disabled application is not uninstalled, but it cannot be launched by the device user. The API does not affect the application state. Enter values as a comma separated list, for example, com.xyz, or com.abc, etc. You can also use a wildcard (com.abc*) for multiple applications.
      • Refer to the Force Stop Blacklist control to prevent the user from stopping specified applications <string>. Stop actions include a force stop in Settings app, stopping through third-party applications, stopping any background process, and stopping any process from the application. Enter the values as a comma separated list. Include a wildcard (com.abc*) for multiple apps in the blacklist.
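    The following is an added example (not KSP or Samsung code) that models the install decision the whitelist and blacklist controls above describe, using the same comma separated input and com.abc* wildcard, and reuses the matcher for the Notifications whitelist. It assumes that a trailing * is a prefix match, that a package matching neither list is allowed (the page states only the whitelist-over-blacklist precedence), and that a signature is compared as the string entered in the console.

```python
"""Install-decision model for the KSP application whitelist/blacklist
controls (added example, not KSP or Samsung code). Assumptions: a trailing
'*' is a prefix wildcard, as in the page's com.abc*; a package matching
neither list is allowed; a whitelist hit of either kind (package name or
signature) takes precedence over a blacklist hit of either kind."""
from dataclasses import dataclass


def parse_list(value: str) -> list:
    """Split 'com.xyz, com.abc*' style console input; blank entries are dropped."""
    return [v.strip() for v in value.split(",") if v.strip()]


def matches(entry: str, name: str) -> bool:
    """'com.abc*' matches com.abc.mail; a plain entry must match exactly."""
    if entry.endswith("*"):
        return name.startswith(entry[:-1])
    return entry == name


def listed(entries: str, value: str) -> bool:
    """True if any entry of the comma separated list matches `value`."""
    return any(matches(e, value) for e in parse_list(entries))


@dataclass
class AppPolicy:
    whitelist_pkg: str = ""   # Application Whitelist by Pkg Name
    blacklist_pkg: str = ""   # Application Blacklist by Pkg Name
    whitelist_sig: str = ""   # Application Whitelist by Signature used
    blacklist_sig: str = ""   # Application Blacklist by Signature used
    notif_whitelist: str = "" # Notifications whitelist


def install_decision(policy: AppPolicy, package: str, signature: str,
                     already_installed: bool = False) -> tuple:
    """(allowed, reason) for an install of `package` signed with `signature`."""
    if already_installed:  # page: the API does not impact an existing installation
        return True, "already installed; list changes do not affect it"
    if listed(policy.whitelist_pkg, package):
        return True, "package name whitelisted (precedence over blacklist)"
    if listed(policy.whitelist_sig, signature):
        return True, "signature whitelisted (precedence over blacklist)"
    if listed(policy.blacklist_pkg, package):
        return False, "package name blacklisted"
    if listed(policy.blacklist_sig, signature):
        return False, "signature blacklisted"
    return True, "not listed; allowed (assumption)"


def notification_allowed(policy: AppPolicy, package: str) -> bool:
    """Page rule: all notifications are blocked except whitelisted packages."""
    return listed(policy.notif_whitelist, package)
```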

    Certificate management policies

    Refer to the following certificate management policies to control certificate settings and to disable or restrict certificates as needed for specific device deployments:

    • Set the Enable certificate management controls to True to enable specific certificate management controls for the workspace. Ensure this control is enabled before setting any certificate management settings. If disabled, certificate management policy updates are ignored.
    • Refer to the Certificate revocation value to set the revocation method best suited to your devices and deployment strategy. Options include:
      • Set the Enable revocation check value to choose which apps have their certificates checked. For example, if you list com.samsung.email in the whitelist, certificates used by this app for encryption or signing are first checked against a Certificate Revocation List (CRL) to verify they are still valid. Enter application package names as a comma separated list of values, for example, com.xyz, or com.abc, etc. Options include:
        • Not enabled
        • Enabled for all apps
        • Enabled for specific apps only
      • Set the Enable OCSP check before CRL value to True to conduct a certificate revocation status validation using Online Certificate Status Protocol (OCSP) before checking a CRL. If the OCSP response is inconclusive, the device performs a CRL check.
      • Refer to the List of Apps to enable for validation setting and enter comma separated values <string> of application packages targeted for certificate revocation checks. For example, com.xyz, or com.abc, etc.
    • Refer to the Add trusted CA certificate setting and add the name of a Trusted CA Alias <string> already defined in the Certificate Alias. Enter values as a comma separated list of trusted CA aliases.
    • Set the Block User from removing certificate control to False to restrict the user from removing certificates from the keystore. By default, users are allowed to remove certificates from the keystore.
    • Refer to the Allow apps to read private keys without alerting user setting to define which applications may read private keys without device user knowledge or intervention. Enter the following values:
      • Enter the Package Name <string> of the application receiving this private key read permission.
      • Enter the Host <string>, the server host for which this private key read permission applies.
      • Enter the Port <string>, the server port for which this private key read permission applies.
      • Enter the Alias <string> of the private key alias granted to the application.
      • Enter the StorageName <string>, the credential storage holding the private key the application is allowed to read.
    • Refer to the Install Certificate in keystore(s) silently value and enter the name of the CA Alias <string> installed silently within the device keystore. Enter values as a comma separated list of trusted CA aliases.