Certificate management policies
Use the following certificate management policies to control certificate settings, and to disable or restrict certificates as needed for specific device deployments:
- Set the Enable certificate management controls to True to enable specific certificate management controls for the workspace. Ensure this control is enabled before setting any certificate management settings. If disabled, certificate management policy updates are ignored.
- Refer to the Certificate revocation value to set the revocation method best suited to your devices and deployment strategy. Options include:
  - Set the Enable revocation check value. For example, if you list com.samsung.email within an allow list, certificates used by this app for encryption or signing are first checked against a Certificate Revocation List (CRL) to verify they are still valid. Enter application package names as a comma separated list of values. For example, com.xyz, com.abc, etc. Options include:
    - Not enabled
    - Enabled for all apps
    - Enabled for specific apps only
  - Set the Enable OCSP check before CRL value to True to conduct a certificate revocation status validation using Online Certificate Status Protocol (OCSP) before checking a CRL. If the OCSP response is inconclusive, the device performs a CRL check.
  - Refer to the List of Apps to enable for validation setting and enter comma separated values <string> of application packages targeted for certificate revocation. For example, com.xyz, com.abc, etc.
- Refer to the Add trusted CA certificate setting and add the name of a Trusted CA Alias <string> already defined in the Certificate Alias. Enter values as a comma separated list of trusted CA aliases.
- Set the Block User from removing certificate control to False to restrict the user from removing certificates from the keystore. By default, users are allowed to remove certificates from the keystore.
- Refer to the Allow apps to read private keys without alerting user value to define a group of controls specifying which applications are allowed to read private key configurations without device user knowledge or intervention. Enter the following values:
  - Enter the Package Name <string> of the application receiving this private key read permission.
  - Enter the Host <string> of the server host receiving this private key read permission.
  - Enter the Port <string> of the server port receiving this private key read permission.
  - Enter the Alias <string> of the private key alias granted to an application.
  - Enter the StorageName <string> of the credential storage private key name allowing an application to read private keys.
- Refer to the Install Certificate in keystore(s) silently value and enter the name of the CA Alias <string> installed silently within the device keystore. Enter values as a comma separated list of trusted CA aliases.
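A pre-deployment lint for the settings described above, as an added example that is not Samsung's or any UEM's own code. It flags settings that would be ignored because the master control is off, a specific-apps revocation mode with no app list, malformed package names, and incomplete silent private-key read grants. The dict layout keyed by the on-page labels and the function names are assumptions of this example.

```python
import re

# Keys are the setting labels shown on this page; holding them in a dict is an
# assumption of this example, not the UEM's or Knox Service Plugin's own schema.
MASTER = "Enable certificate management controls"
REVOCATION = "Enable revocation check"
APP_LIST = "List of Apps to enable for validation"
SILENT_KEYS = "Allow apps to read private keys without alerting user"
GRANT_FIELDS = ("Package Name", "Host", "Port", "Alias", "StorageName")
# Android package name: two or more dot-separated parts, each starting with a letter.
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")


def split_csv(value):
    """Split a comma separated setting into trimmed, non-empty items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def lint_certificate_policy(policy):
    """Return review findings for a certificate management policy dict."""
    findings = []
    others = [k for k in policy if k != MASTER]
    if others and policy.get(MASTER) is not True:
        findings.append(f"'{MASTER}' is not True: {len(others)} other setting(s) are ignored")
    apps = split_csv(policy.get(APP_LIST))
    if policy.get(REVOCATION) == "Enabled for specific apps only" and not apps:
        findings.append(f"'{REVOCATION}' targets specific apps but '{APP_LIST}' is empty")
    for pkg in apps:
        if not PACKAGE_RE.fullmatch(pkg):
            findings.append(f"'{pkg}' is not a valid package name")
    for grant in policy.get(SILENT_KEYS, []):
        missing = [f for f in GRANT_FIELDS if not str(grant.get(f, "")).strip()]
        if missing:
            findings.append(f"silent key grant is missing: {', '.join(missing)}")
        port = str(grant.get("Port", "")).strip()
        if port and not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(f"silent key grant has invalid port '{port}'")
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE_POLICY = {
    MASTER: False,
    REVOCATION: "Enabled for specific apps only",
    APP_LIST: "com.samsung.email, com xyz",
    SILENT_KEYS: [{"Package Name": "com.abc", "Host": "vpn.example.com",
                   "Port": "70000", "Alias": "", "StorageName": "store1"}],
}
```

Calling `lint_certificate_policy(SAMPLE_POLICY)` returns one finding per problem; an empty list means none of these checks fired.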