Password policy
Refer to the following device password management policies to enable or disable password management capabilities and set device login authentication values.
To set a unique device password policy:
- In your UEM console, open the Device Configuration Profile associated with your target devices, and then on the middle navigation menu, click Properties. The Device Configuration Policy Properties page opens.
- On the Properties page, in the Settings list, click Configure. The OEMConfig page for the Device Configuration Policy opens.
- Next to the appropriate Profile Owner or Device Owner field, click Configure.
- Navigate to one of the following Password Policy fields as needed, and then click Configure. Once the updates have been completed, click OK. Updated password settings are saved and deployed to devices based on the deployment schedule.
- Set the Enable password policy controls with KSP value to True to permit the management of password policies on a device. Enable this option before changing any of the device's password settings. If this option is not set to True, then any password or user authentication settings are ignored.
- Refer to the following Biometric authentication options to use personal traits (fingerprints, iris, and facial recognition) as device user authenticators. Consider biometric authenticators as an alternative to traditional passwords that are susceptible to human mistakes, phishing attempts and duplication.
- Enable fingerprint authentication: Set this value to True to permit the use of fingerprint recognition as a device user authenticator.
- Enable Iris authentication: Set this value to True to permit the use of an iris as a device user authenticator. Iris scanning measures the unique patterns in the human iris (the colored circles in the eye). The iris scanner then creates a digital representation of the data and stores it in a database for potential use as a user authenticator.
- Enable Face recognition: Set this value to True to utilize a digital image of a device user's face as an authenticator. An authentication request matches the user's facial image with the image stored in the database before device access is granted. If a lock is set in DO and it is using P/P/P authentication, the user should not be able to use facial authentication in PO.
- Set the Enable multifactor authentication value to True to enable multifactor authentication (2FA), enforcing a device unlock only after two successful authentication methods are provided. If enabling multifactor authentication, one authentication method must be biometric (fingerprint, iris, or face), and the other must be a lock screen method (PIN, password, or pattern). Multifactor authentication is only supported on Knox 3.2.1 and above devices. Keep in mind, the incorrect use of multifactor authentication with "One lock" and a biometric policy could result in a locked device requiring qualified support assistance to unlock.
- Refer to the following Password change options to enforce how device users set their login password and the interval at which it is changed:
- Set the Enforce Password Change value to True to force the user to change their password the next time they log in to their device. If no password has been set, use this option to force the user to create a password. Verify existing password enforcement conditions before setting this value to True to ensure password enforcement changes do not occur at an unexpected time. If unsure, set this value to False.
- Configure a Password Enforcement timeout <string> to define the maximum number of minutes a device user can wait to cancel or delay a password change.
- Refer to the following Policy Restriction settings to manage various password complexity characteristics:
- Set the Maximum Character Sequence Length <string> to define the maximum alphanumeric character sequence permitted for a device password. A value of zero (0) means there is no restriction on alphanumeric sequence length.
- Set the Maximum Numeric Sequence Length <string> to specify the maximum numeric sequence length permitted for a device password. A value of zero (0) means there is no restriction on numeric sequence length.
- Set the Minimum Password Length <string> to specify the minimum number of characters permitted for the device password. The larger the number, the greater potential strength of the device password. A value of zero (0) means there is no restriction.
- Define the Allowed Time for User Activity before Device Locks to set the maximum number of milliseconds <string> for user activity before the device will lock. A value of zero (0) means no activity restrictions are in place.
- Set the Maximum Failed Password Attempts to Wipe Data to define the number of failed password attempts <string> allowed before the data on the device is wiped and rendered unavailable. A value of zero (0) means there is no restriction on the number of failed login attempts. Keep in mind, the string provided via the API takes effect immediately, with no chance to revert the data once the defined number of password attempts is exceeded.
- Enter the Maximum Failed Password Attempts to Disable Work Profile to set the number of failed password attempts <string> before the work profile and device itself are disabled. Once disabled, the device user is unable to restore the device with the password, and an administrator must re-enable the device. A value of zero (0) means there is no restriction on the number of failed login attempts.
- Refer to the Define Password Quality value to select the level of complexity required when setting a device's work profile password. Levels range from No Password to Complex Password (letter, numeric and alphanumeric characters required). A Numeric Complex password must include numeric characters with no repeating or ordered integers. Options include:
- No Password
- Some Password
- Numeric
- Alphabet
- Alphanumeric
- Numeric Complex
- Complex
- Use the Disable Keyguard Feature to select the specific Keyguard feature to disable. Keyguard is the code utilized in a device unlock operation. Options include None and Disable Trusted Agents.
- Set the Password Visibility control to True to enable the ability to hide the password from view when entered on the device. Setting this control to False disables the ability to hide the password when entered, and provides no additional security.
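As an added example (not Samsung's code), the following Python check lints a set of password policy values against the rules stated above: the KSP control flag gating every other setting, the biometric requirement for multifactor authentication, and zero meaning "no restriction" in the <string> fields. The dictionary format is an assumption; it uses the field labels from this page as keys, not the actual KSP schema key names.

```python
# Added example: keys are this page's field labels, not KSP's real schema keys (assumption).
CONTROL = "Enable password policy controls with KSP"
MFA = "Enable multifactor authentication"
BIOMETRICS = ("Enable fingerprint authentication", "Enable Iris authentication",
              "Enable Face recognition")
# <string> fields where the page says a value of zero means "no restriction".
ZERO_MEANS_UNRESTRICTED = (
    "Maximum Character Sequence Length",
    "Maximum Numeric Sequence Length",
    "Minimum Password Length",
    "Allowed Time for User Activity before Device Locks",
    "Maximum Failed Password Attempts to Wipe Data",
    "Maximum Failed Password Attempts to Disable Work Profile",
)


def lint_password_policy(settings):
    """Return a list of (severity, field, message) findings for one profile."""
    findings = []
    others = [k for k in settings if k != CONTROL]
    if others and settings.get(CONTROL) is not True:
        findings.append(("error", CONTROL,
                         "not True: all other password settings are ignored"))
    has_biometric = any(settings.get(b) is True for b in BIOMETRICS)
    if settings.get(MFA) is True and not has_biometric:
        findings.append(("error", MFA,
                         "one of the two methods must be biometric; none is enabled"))
    for field in ZERO_MEANS_UNRESTRICTED:
        if field not in settings:
            continue
        raw = settings[field]
        if not (isinstance(raw, str) and raw.isdecimal()):
            findings.append(("error", field, "must be a non-negative integer string"))
        elif int(raw) == 0:
            findings.append(("warn", field, "0 means no restriction is applied"))
    return findings


# Constructed sample profile, for illustration only.
SAMPLE = {
    CONTROL: False,
    MFA: True,
    "Enable fingerprint authentication": False,
    "Minimum Password Length": "0",
    "Maximum Failed Password Attempts to Wipe Data": 10,
}

if __name__ == "__main__":
    for severity, field, message in lint_password_policy(SAMPLE):
        print(f"{severity.upper():5} {field}: {message}")
```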