- Basics
- The Knox Ecosystem
- White Paper
- Samsung Knox Portal
- Knox Cloud Services
- General Knox Support
- Knox Licenses
- For IT admins
- Knox Admin Portal
- Knox Suite
- Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
- Get started with UEMs
- Introduction
- Blackberry UEM
- Citrix Endpoint Management
- FAMOC
- IBM MaaS360
- Microsoft Intune
- MobileIron Cloud
- MobileIron Core
- Samsung Knox Manage
- SOTI MobiControl
- VMware Workspace ONE UEM
- Knox Service Plugin
- Release notes
- Migrate to Android 11
- FAQs
- Troubleshoot
- KBAs
- Knox Mobile Enrollment
- Knox Configure
- Mobile
- Wearables
- Shared Device
- FAQ
- KBAs
- Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- Getting started with Knox Capture
- Step 1: Launch Knox Capture
- Step 2: Create a scanning profile
- Step 3: Select apps and activities
- Step 4: Configure the scanner
- Step 5: Set keystroke output rules
- Step 6: Test apps in your configuration
- Step 7: Share your configuration
- Step 8: Deploy Knox Capture in Managed mode
- End users: Get started
- Features
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox Asset Intelligence
- Knox Manage
- Introduction
- How-to videos
- Get started
- Video: Getting started with Knox Manage
- Integration with Managed Service Provider
- Access Knox Manage
- Configure basic environments
- Create user accounts
- Create groups
- Create organization
- Set up devices and profiles
- Set up Knox Manage deployment with a Knox Suite license
- Manage Chromebooks
- Manage Android devices with the Android Management API
- Manage Shared iPads
- Configure
- Licenses
- Organization
- Users
- Sync user information
- Groups
- Devices
- Content
- Applications
- Profile
- Knox E-FOTA
- Certificates
- Advanced settings
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQ
- KBAs
- Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
- Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Dashboard
- Manage devices
- Introduction
- Accept or reject devices
- Upload devices
- Delete devices
- Complete payment
- Send payment overdue notification
- Enable or disable SIM control
- Download devices as CSV
- View device log
- View device deletion log
- Start and stop blinking reminder
- Lock and unlock devices
- Update lock message
- Send relock timestamp
- Turn on/off relock reminder
- Manage policies
- Manage licenses
- Manage resellers
- Manage admins and roles
- Activity log
- Knox Deployment App
- Release notes
- FAQ
- KBAs
- Support
- Samsung Care+ for Business
- For Knox Partners
- Knox Deployment Program
- Knox MSP Program
Refer to the following to device password management policies to enable or disable password management capabilities and set device login authentication values.
To set a unique device password policy:
- In your UEM console, open the Device Configuration Profile associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.
- On the Properties page, in the Settings list, click Configure. The OEMConfig page for the Device Configuration Policy opens.
- Next to the appropriate Profile Owner or Device Owner field, click Configure.
- Navigate to one of the following Password Policy fields as needed. Click Configure. Once the updates have been completed Click OK. Updated password settings are saved and deployed to devices based on the deployment schedule.
- Set the Enable password policy controls with KSP value to True to permit the management of password policies on a device. Enable this option before changing any of the device's password settings. If this option is not set to True, then any password or user authentication settings are ignored.
-
Refer to the following Biometric authentication options to use
personal traits (fingerprints, iris, and facial recognition) as device
user authenticators. Consider biometric authenticators as an alternative
to traditional passwords that are susceptible to human mistakes,
phishing attempts and duplication.
- Enable fingerprint authentication— Set this value to True to permit the use of fingerprint recognition as a device user authenticator.
- Enable Iris authentication— Set this value to True to permit the use of an iris as a device user authenticator. Iris scanning measures the unique patterns in the human iris (the colored circles in the eye). The iris scanner then creates a digital representation of the data and store it in a database for potential use as a user authenticator.
- Enable Face recognition— Set this value to True to utilize a digital image of a device user's face as an authenticator. An authentication request matches the user's facial image with the image stored in the database before device access is granted. If a lock is set in DO and it is using P/P/P authentication, the user should not be able to use facial authentication in PO.
- Set the Enable multifactor authentication value to True to enable multifactor authentication (2FA), enforcing a device unlock only after two successful authentication methods are provided. If enabling multifactor authentication, one authentication method must be biometric (fingerprint, iris, or face), and the other must be a lock screen method (PIN, password, or pattern). Multifactor authentication is only supported on Knox 3.2.1 and above devices. Keep in mind, the incorrect use of multifactor authentication with "One lock" and a biometric policy could result in a locked device requiring qualified support assistance to unlock.
-
Refer to the following Password change options to enforce how
device users set their login password and the interval it is changed:
- Set the Enforce Password Change value to True to force the user to change their password the next time they login to their device. If no password has been set, use this option to force the user to create a password. Verify existing password enforcement conditions before setting this value to True to ensure password enforcement changes do not occur at an unexpected time. If unsure, set this value to False.
- Configure a Password Enforcement timeout<string> to define the maximum number of minutes a device user can wait to cancel or delay a password change.
-
Refer to the following Policy Restriction settings to manage
various password complexity characteristics:
- Set the Maximum Character Sequence Length <string> to define the maximum alphanumeric character sequence permitted for a device password. A value of zero (0) means there is no restriction on alphanumeric sequence length.
- Set the Maximum Numeric Sequence Length<string> to specify the maximum numeric sequence length permitted for a device password. A value of zero (0) means there is no restriction on numeric sequence length.
- Set the Minimum Password Length<string> to specify the minimum number of characters permitted for the device password. The larger the number, the greater potential strength of the device password. A value of zero (0) means there is no restriction.
- Define the Allowed Time for User Activity before Device Locks to set the maximum number of milliseconds <string> for user activity before the device will lock. A value of zero (0) means no activity restrictions are in place.
- Set the Maximum Failed Password Attempts to Wipe Data to define the number of failed password attempts <string> allowed before the data on the device is wiped and rendered unavailable. A value of zero (0) means there is no restriction on the number of failed login attempts. Keep in mind, the string provided via the API takes effect immediately, with no chance to revert the data once the defined number of password attempts is exceeded.
- Enter the Maximum Failed Password Attempts to Disable Work Profile to set the number of failed password attempts <string> before the work profile and device itself are disabled. Once disabled, the device user is unable to restore the device with the password, and an administrator must re-enable the device. A value of zero (0) means there is no restriction on the number of failed login attempts.
-
Refer to the Define Password Quality value to select the level of
complexity required when setting a device's work profile password. From
No Password to Complex Password (letter, numeric and alphanumeric
characters required). A Numeric Complex password must include numeric
characters with no repeating or ordered integers. Options include:
- No Password
- Some Password
- Numeric
- Alphabet
- Alphanumeric
- Numeric Complex
- Complex
- Use the Disable Keyguard Feature to select the specific Keyguard feature to disable. Keyguard is the code utilized in a device unlock operation. Options include None and Disable Trusted Agents.
- Set the Password Visibility control to True to enable the ability to hide the password from view when entered on the device. Setting this control to False disables the ability to hide the password when entered, and provides no additional security.
