Device
Restrictions
Device restrictions are a dedicated group of controls to allow or deny specific device access restriction operations. These controls require Knox version 2.7 or above and a Standard license.
- Set the Allow microphone control to True to enable the device microphone without user intervention. When set to False, the microphone is disabled for recording, but does not impact the device's phone application.
- Set the Allow Wi-Fi control to True to permit the device to connect to Wi-Fi networks.
- Set the Allow Wi-Fi Direct control to True to permit the device to connect to Wi-Fi Direct supported networks without an access point or router resource.
- Set the Allow Bluetooth control to True to enable the device to make Bluetooth connections.
- Set the Allow cellular control to True to enable the device to make cellular connections.
- Refer to the following Tethering controls to configure tethering on a device and permit the device to share its Internet connection:
  - Set the Allow Tethering control to True to permit all tethering types on the device. This control must be enabled before any other tethering control is set, or other tethering settings will be ignored.
  - Set Allow Wi-Fi tethering to True to permit tethering over a Wi-Fi connection.
  - Set Allow Bluetooth tethering to True to permit tethering over a Bluetooth connection.
  - Set Allow USB tethering to True to permit tethering over a USB connection.
- Set the Allow USB media player control to True to permit the use of an external USB media player on the device.
- Set the Allow USB host storage control to True to permit the use of an external USB storage device, such as an external hard disk or flash drive, on the device.
- Use the Setup USB exception list to permit the configuration and use of one or more USB device classes. The Allow USB host storage setting must be enabled to define USB exceptions. If the Allow USB host storage setting is disabled, any USB exceptions will not be committed. Ensure you add all supported USB classes to the exception list. Options include:
  - Allow all (default setting)
  - Audio
  - CDC Data
  - Communication
  - Human Interface Device
  - Mass Storage
  - Miscellaneous
  - Still Image
  - Vendor Specific
  - Wireless Controller
- Set the Allow USB debugging control to True to permit the device to enter into USB debugging mode. Debugging mode permits new applications to be copied to a device via USB for testing prior to deployment.
- Set the Allow developer mode control to True to permit the device to enter into developer mode and configure system behaviors to improve device performance.
- Set the Allow Share Via Option control to True to present user options to share data from one application to another.
- Set the Allow power saving mode control to True to permit the device to enter power save mode automatically. Setting this control to False restricts the device from entering power save mode by itself.
- Set the Allow data saver mode control to True to permit the device to enter data saver mode automatically. Data saver reduces device data usage by preventing some applications from sending or receiving data in the background.
- Set the Allow VPN connections control to True to permit VPN connections between this device and another peer device.
- Set the Allow user to modify Settings control to True to permit the user to change their device settings. Setting this value to False restricts device user setting updates.
- Set the Enforce external storage encryption control to True to enable external storage (SD Card) encryption. Samsung recommends using an alphanumeric password. The default setting is False.
- Set the Allow backup on Google Server control to True to enable a data backup on the Google server. Backups are a recommended practice when device data needs to be periodically restored from a Google Server resource. If disabled—set to False—a device user is unable to use a Google Server as a data backup resource.
- Set the Allow SD card access control to True to enable Secure Digital (SD) card access. Consider enabling this setting if intending to utilize a high capacity flash memory card with the device. If disabled (set to False), any device user attempt to transfer data to the device's SD card fails, and the user is unable to use an SD card as a memory resource.
- Set the Allow installation of non-Google Play Apps control to True to permit the installation of applications that are not procured from the Google Play store. If set to False, a device user cannot install non-Google Play apps, and cannot access the device UI until the administrator enables access again. While Google Play has a wide variety of applications for Android, consider enabling this setting to install those applications that may not be available on the Google Play store's application listing.
- Set the Allow Android Beam on device control to True to enable the device to use NFC and Bluetooth as data and video beam transfer mechanisms. If Android Beam is disabled—set to False—S Beam is also disabled on the device.
- Set the Allow Camera control to True to enable the use of the device camera. Setting this value to False renders the device's camera inoperable. If this policy has been applied for user 0, then the camera is disabled for user 0, as well as all the containers and users defined on the device.
- Set the Allow Video Recording control to True to enable the device to use video recording functionality. Setting this control to False restricts video recording, but still permits the use of the device camera.
- Set the Allow Multiple User control to False to restrict additional users from accessing the device and its potentially proprietary data.
  NOTE: This setting is only available for tablet devices in Legacy DA mode to meet STIG compliance.
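
The tethering and USB exception controls above each depend on a parent control, and a value set under a disabled parent is ignored or not committed. The following profile check is an added example, not Samsung code; it assumes a profile is represented as a dictionary keyed by the control labels on this page, which is not the Knox Service Plugin schema.

```python
# Added example. The dict keys reuse this page's control labels as plain strings;
# that mapping is an assumption, not the Knox Service Plugin schema.
TETHER_MASTER = "Allow Tethering"
TETHER_CHILDREN = ("Allow Wi-Fi tethering", "Allow Bluetooth tethering",
                   "Allow USB tethering")
USB_HOST = "Allow USB host storage"
USB_EXCEPTIONS = "Setup USB exception list"
USB_CLASSES = {"Allow all", "Audio", "CDC Data", "Communication",
               "Human Interface Device", "Mass Storage", "Miscellaneous",
               "Still Image", "Vendor Specific", "Wireless Controller"}


def lint_profile(profile):
    """Return (setting, reason) pairs for values that would not take effect."""
    findings = []
    # Tethering: sub-controls are ignored unless the master control is True.
    # Assumption: an unset master control is treated as not enabled.
    if profile.get(TETHER_MASTER) is not True:
        for child in TETHER_CHILDREN:
            if child in profile:
                findings.append((child, f"ignored: {TETHER_MASTER} is not True"))
    # USB exceptions are not committed unless USB host storage is enabled.
    exceptions = profile.get(USB_EXCEPTIONS)
    if exceptions is not None:
        if profile.get(USB_HOST) is not True:
            findings.append((USB_EXCEPTIONS, f"not committed: {USB_HOST} is not True"))
        # Catch class names that are not among the options listed on the page.
        for name in sorted(set(exceptions) - USB_CLASSES):
            findings.append((USB_EXCEPTIONS, f"unknown USB class: {name}"))
    return findings


# Constructed sample profile, not taken from a real deployment.
SAMPLE_PROFILE = {
    "Allow Tethering": False,
    "Allow Wi-Fi tethering": True,
    "Allow USB tethering": False,
    "Allow USB host storage": False,
    "Setup USB exception list": ["Human Interface Device", "Printer"],
}

if __name__ == "__main__":
    for setting, reason in lint_profile(SAMPLE_PROFILE):
        print(f"{setting}: {reason}")
```

Running a check like this before a profile is pushed surfaces settings that an administrator believes are in force but that the device will not apply.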