Managed configuration

Configuration name

Profile name
Configured
Add a unique profile name that highlights the policies and restrictions applicable to this profile. You can later use the name for tracking and debugging. To ensure good user experience, we recommend using a name less than 50 characters in length.
Knox profile
KPE Premium or Knox Suite License key
Configured
If your UEM console supports KPE license information, enter your KPE License there. For UEM consoles not showing this information, enter your KPELicense Key for your Knox Premium license in this field. This field also supports the new Knox Suite license key or Knox Platform for Customization (KPC) licensekey. This field does not apply to Blackberry users. Applies to devices running Android P and Knox v3.2.1 or higher. To buy a KPE Premium / Knox Suite or KPC license, contact your authorized Samsung Knox Reseller.
Debug Mode
Configured
The informative mode shows policy results and errors on the device. We recommend enabling this mode only during the test phases and not during final deployment.
Separated Apps policies
A group of policies and restriction that are applicable to Separated apps.
- Enable Separated Apps
  Configured
  Turn Separated Apps policies on or off. Enable this option before using any of the Separated Apps policies. If this option is disabled, KSP will apply policy to remove Separated Apps from the device, all apps installed inside Separated Apps will be uninstalled from the device.
- Allow List Policy
  A group of policies for specifying the list of apps to be separated and whether the specified list of apps should be installed outside or inside of the separate space.Available Knox 3.7 or higher
  Location for Separate Apps installation
  Configured
  If the value is set to Outside, List of specified apps will be installed outside (i.e. in user0), apps not in the list will be installed inside. if the value is set to Inside, List of specified apps will be installed inside (i.e. inside separate space), apps not in the list will be installed outside
  Outside
  Inside
  List of Apps to Separate
  Configure
  Provide list of applications that will be separated from all the other apps not in this list. Note: If Outside is selected for Location of Separate Apps installation then existing apps installed outside in User0 that are not part of this list will be uninstalled
Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted)
A global group of policies and restrictions that are applicable to all users of the device. This list includes items that impact all users on the device, whether they fall under personal or work profiles. Availability: Knox 3.0 and above.
- Enable device policy controls
  Configured
  Use this control to enable or disable device-wide policies. Enable this option before using any of the device-wide policies. If this option is disabled, KSP does not apply any policies in default user (User 0).
- DeX policy
  A group of policies for Samsung DeX control and customization, including items related to enabling and disabling DeX, managing DeX restrictions, and customization of the DeX experience for the user. Availability: Knox v3.1 or higher.
  Enable DeX policy controls
  Configured
  Use this control to enable or disable DeX mode controls for the device. Enable DeX controls before using any of the DeX restriction policies. If DeX controls are not enabled, any settings for items in the DeX Policy group are ignored.
  Manage DeX restrictions
  Use these controls to turn individual DeX restrictions on or off. On Knox v3.1 or higher.
  Allow Dex connection
  Configured
  Use this control to allow the device to accept DeX connections on your phone.
  Enforce the use of Ethernet connection
  Configured
  Use this control to enforce the use of ethernet connectivity in DeX mode. When this functionality is enabled, cellular data, wifi, and other such connections are not available in Dex mode. By default, ethernet use is not enforced.
  Enforce the use of virtual MAC address
  Configured
  Enable this control to use a virtual MAC address for a device in DeX mode to differentiate between the different modes of the device on your network.
  Manage list of apps disabled in DeX mode
  Configured
  Use this control to list the apps that are disabled when the device is in DeX mode. Enter the values as a comma separated list of package names.To find package names, use a browser on a computer to go to app information on the Play store and find the app’s URL showing after “id=”.
  
  Customize Dex Experience (Premium)
  Configured
  Use this control to enable customization of your DeX mode. (Configure DeX customization profile below)
- VPN policy (Premium)
  A group of policies for VPN setup and configuration. IT admins can enforce these policies for fully managed devices with or without a Work profile. Availability: All Knox versions with a Premium license.
  Enable VPN controls
  Configured
  Use this control to enable or disable VPN controls for the device. Enable VPN controls before changing any VPN related settings. If VPN controls are not enabled, any settings for VPN related items are ignored.
  VPN type
  Configured
  Choose the VPN type applicable to the apps on the device. For fully managed devices without a Work profile/Separated Apps, choose between all apps or specific apps. For devices with a Work profile, choose between all three options.
  Device-wide
  Work profile/Separated Apps only
  Selected Apps(Per-app)
  Manage list of apps that use VPN
  Use these controls to add a list of applications at a device-wide or Work profile/Separated Apps specific level that can use VPN and connect to the network directly.
  Select apps in the device, in the main user
  Configure
  For fully managed devices with app-specific VPN, enter a comma-separated list of package names to specify apps that must use VPN to connect. For devices with a Work profile, enter the Personal profile apps that must use VPN to connect. To use VPN for all apps, do not enter any app names. Default value is all apps.
  Select apps in the Work profile/Separated Apps
  Configure
  For fully managed devices with a Work profile/Separated Apps and the VPN type set to Selected Apps, enter the list of Work profile/Separated Apps apps that must use VPN to connect. Enter a comma-separated list of package names to specify the apps. To use VPN for all Work profile/Separated Apps, leave blank. Default value is all apps.
  Enable on-demand VPN
  Configured
  For fully managed device with or without a Work profile/Separated Apps, enter a comma-separated list of package names to specify apps that can use VPN connections. To use VPN for all apps, do not enter any app names.
  Manage list of apps that can bypass VPN
  Use these controls to add a list of applications at a device-wide or Work profile/Separated Apps specific level that can bypass VPN and connect to the network directly.
  Apps in main user
  Configure
  For fully managed device with or without a Work profile/Separated Apps, enter a comma-separated list of package names to specify apps that can bypass VPN connections. To use VPN for all apps, do not enter any app names.
  Apps in work profile/Separated Apps
  Configure
  For fully managed devices with a Work profile/Separated Apps, enter a comma-separated list of package names to specify apps that can bypass VPN connections. To use VPN for all apps, do not enter any app names.
  Name of VPN profile to use
  Configured
  Enter the name of the primary VPN configuration profile that apps can use for network connections. This profile name must match the "Profile name" value set in one of the "VPN profiles" below.
  VPN profile 1
  Enable VPN chaining
  Configured
  Use this control to enable the use of two VPNs to double encrypt the data-traffic from apps added to the VPN profile.
  Name of secondary VPN profile to use
  Configure
  For devices with multiple VPN profiles, enter the name of the outer VPN configuration profile. This VPN server decrypts all data before passing it to the VPN client. This profile name must match the value set in the VPN profiles section.
- Firewall and Proxy policy
  A group of policies for firewall setup and configuration. IT admins can enforce these policies for fully managed devices with or without a Work profile. Availability: Knox v2.7 or higher with a Premium license.
  Enable firewall controls
  Configured
  Use this control to enable or disable the firewall controls for fully managed devices with or without a Work profile.
  Name of firewall configuration to use
  Configured
  Enter the name of the primary firewall configuration profile that apps can use for network connections. This profile name must match the value set in the Firewall profiles section.
  Firewall config 1
  Enable Proxy on device
  Configured
  Use this control to enable or disable a global proxy on a device that routes all internet traffic through a proxy server of your choice. This works for both WiFi and data connections. You can use either a fixed proxy server address or a proxy auto-config (PAC) file. According to your selection here, the settings provided in either the "Manual proxy configuration" or "Proxy auto configuration" section below will be used.
  None
  Use manual proxy configuration
  Use proxy auto-config (PAC)
- Call and Messaging control
  A group of policies to manage device-wide call and messaging restrictions.
  Enable call and messaging controls
  Configured
  Use this control to enable or disable the phone call and text messaging functionality on the device.
  Manage RCS messaging
  Configured
  Use this control to block RCS on the device. RCS (Rich Communication Services) is an advanced messaging system that aims at making SMS messages more interactive. For example, letting users transmit in-call multimedia. By default, RCS messaging is allowed.
  Set disclaimer text for messages
  Configure
  Use this control to set a disclaimer text with all the outgoing SMS and MMS from the device. The disclaimer text should be limited to 30 characters.
- Device Restrictions
  A group of controls to allow or block specific operations on the user's device.
  Enable device restriction controls
  Configured
  Use this control to enable or disable restriction controls for the device. Enable these controls before changing any device restriction settings. If these controls are not enabled, any device restriction settings are ignored.
  Allow microphone
  Configured
  Use this setting to disable the microphone without user interaction. Disabling this control restricts the use of the microphone for recording purposes, but does not impact the use of the phone application on the device.
  Allow WiFi
  Configured
  Use this control to allow or restrict the device's ability to connect to Wi-Fi networks.
  Allow WiFi Direct
  Configured
  Use this control to allow or restrict the device's ability to connect to Wi-Fi Direct networks.
  Allow Bluetooth
  Configured
  Use this control to allow or restrict the device's ability to make Bluetooth connections.
  Allow cellular data
  Configured
  Use this control to allow or restrict the device's ability to use the cellular data connection.
  Tethering controls
  A group of controls to configure the use of tethering technologies on the device.
  Allow tethering
  Configured
  Use this control to allow or block all types of tethering on the device. Enable this control before changing any other tethering settings. If this control is not enabled, any changes to other tethering settings are ignored.
  Allow WiFi tethering
  Configured
  Use this control to allow or block tethering on Wi-Fi. If the use of all tethering is disabled, changing these settings has no impact.
  Allow Bluetooth tethering
  Configured
  Use this control to allow or block tethering on Bluetooth. If the use of all tethering is disabled, changing these settings has no impact.
  Allow USB tethering
  Configured
  Use this control to allow or block tethering on USB. If the use of all tethering is disabled, changing these settings has no impact.
  Allow USB media player
  Configured
  Use this control to enable or disable the use of an external USB media player on the device.
  Allow USB host storage
  Configured
  Use this control to enable or disable the use of an external USB storage device, such as an external hard disk or a flash drive.
  Setup USB exception list
  Configured
  If the Allow USB host storage setting is enabled, use this control to configure the use of one or more classes of USB devices or USB composite device on the mobile device. If the Allow USB host storage setting is disabled, any settings in this section have no impact. A USB Composite Device is a peripheral device that supports more than one device class. If you use this policy to control a USB Composite Device, ensure that you add all supported classes in the exception list.
  Allow all
  Audio
  CDC Data
  Communication
  Human Interface Device
  Mass Storage
  Miscellaneous
  Still Image
  Vendor Specific
  Wireless Controller
  Allow USB debugging
  Configured
  Use this control to enable or disable the device to enter into a USB debugging mode.
  Allow developer mode
  Configured
  Use this control to enable or disable the device to enter into a developer mode.
  Allow Share Via option
  Configured
  Use this control to enable or disable the Share Via option that presents User options to share data from one application to another application using one of the many available options.
  Allow power saving mode
  Configured
  Use this control to enable or disable the device from entering the Power Saver mode automatically.
  Allow data saver mode
  Configured
  Use this control to enable or disable the device from entering the Data Saver mode automatically.
  Allow VPN connections
  Configured
  Use this control to enable or disable VPN connections on the device.
  Allow user to modify Settings
  Configured
  Use this control to allow or restrict the user from changing the device settings.
  Enforce external storage encryption
  Configured
  Use this control to enable external storage (SD Card) encryption. Enabling this option prompts the user to start encryption. For security reasons, we recommend setting the policy to use an alphanumeric password.
  Allow SD card access
  Configured
  Use this control to enable or disable Secure Digital (SD) card access.
  Allow backup on Google Server
  Configured
  Use this control to enable or disable backup of data on the Google Server.
  Allow installation of Non-Google Play Apps
  Configured
  Use this control to allow or disallow installation of Non-Google Play Applications.
  Allow Video Recording
  Configured
  Use this control to enable or disable video recording.
  Allow Android Beam on device
  Configured
  Use this control to allow or disallow Android Beam on device.
  Allow Camera
  Configured
  Use this control to enable or disable camera.
  Allow Clipboard
  Configured
  Use this control to enable or disable clipboard.
  Allow Smart Switch
  Configured
  Use this control to allow or disallow smart switch to seamlessly transfer contacts, photos, music, videos, messages, notes, calendars and more to virtually any Samsung Galaxy device
  Allow UWB
  Configured
  Use this control to allow or disallow UWB on the device
- Advanced Restriction policies (Premium)
  A group of controls to manage advanced restriction policies. A KPE Premium license is required for all policies in this group.
  Enable Advanced Restrictions controls
  Configured
  Use this control to enable advanced controls on the device.
  Allow wi-fi scanning
  Configured
  Use this control to block the device from scanning for Wi-Fi networks in range to improve the accuracy of location detection. Availability with Knox 3.2 or higher.
  Allow bluetooth scanning
  Configured
  Use this control to block the device from scanning for bluetooth devices in range to improve the accuracy of location detection. Availability with Knox 3.2 or higher. Note: If disabled, all Bluetooth functionality is disabled. If Bluetooth scanning is disabled, the device declines location accuracy and does not allow apps and services to scan for and connect to nearby devices automatically via Bluetooth.
  Allow remote control
  Configured
  Use this control to block connections to the device, using third-party remote control apps. Availability with Knox 3.0 or higher.
  Enable Common Criteria (CC) mode
  Configured
  Use this control to enable services to bring the device into the Common Criteria-evaluated configuration, called CC Mode. For devices enrolled in a UEM, these settings are set at the UEM level.
  Allow dual SIM operation
  Configured
  Use this control to enable or disable the secondary SIM card slot on a dual SIM device. Disabling this policy blocks functions on the second SIM, preventing calls, SMS / MMS and data. Enabling the policy returns all ordinary functions to the previously blocked SIM. This policy is ignored by devices that only have one SIM.
  WiFi Advanced Detect suspicious network
  A group of controls to configure WIPS to prevents unauthorized network access to local area networks and other information assets by wireless devices.
  Enable WIPS Control
  Configured
  Use this control to enable or disable WIPS options. If this control is disabled, any changes to other WIPS related settings have no impact.
  Allow WIPS Enforcement
  Configured
  Select this option to enforce the feature, Disallow end user to bypass WIPS
  0 off
  1 on
  Allow WIPS Advance Protection
  Configured
  Select this option to Disallow end user to change WIPS
  0 off
  1 on
  Set USB Device Connection Type
  Configured
  Use this control to select the usb connection type
  DEFAULT
  MTP
  PTP
  MIDI
  CHARGING
- Firmware update (FOTA) policy
  A group of controls to configure firmware updates settings.
  Enable firmware controls
  Configured
  Use this control to enable or disable advanced firmware update options. If this control is disabled, any changes to other firmware update related settings have no impact.
  Allow firmware update over-the-air
  Configured
  Use this control to enable or disable firmware updates using Firmware-Over-The-Air (FOTA) technology. When this policy controls is set to false, all possible OTA upgrade requests (user initiated, server initiated, and system initiated) are blocked; the user may see server messages related to new firmware updates but any attempt to upgrade fails. This does not block user from updating firmware using recovery mode.
  Allow firmware update in recovery mode
  Configured
  Use this control to enable or disable firmware updates when the device is in recovery mode. Recovery Mode is a device mode which allows users to factory reset, fix some problems or apply software updates on the device. If the firmware controls are disabled, any changes to this setting have no impact.
  Enforce firmware auto update on Wi-Fi (Premium)
  Configured
  Use this control to enable or disable automatic firmware updates when the device is connected to Wi-Fi network. Enabling this control will turn-on the device setting to auto-update on W-Fi and block the user from modifying it. Disabling this control will reset the setting and allow user to freely modify the setting on the device. If the firmware controls are disabled, any changes to this setting have no impact.
  Enable E-FOTA client installation & launch
  Configured
  Use this control to enable or disable installation and launch of E-FOTA client
- Device Settings (Premium)
  A group of controls for device settings. A KPE Premium license is required for all policies in this group.
  Enable device settings controls
  Configured
  Use this control to enable device settings
  Hide Settings Backup and Reset
  Configured
  Use this control to hide backup and reset settings
  Hide Settings Airplane Mode
  Configured
  Use this control to hide airplane mode settings
  Hide Settings Language
  Configured
  Use this control to hide language settings
  Hide Settings Lock Screen
  Configured
  Use this control to hide lock screen settings
  Hide Settings Bluetooth
  Configured
  Use this control to hide bluetooth settings
  Hide Settings Developer
  Configured
  Use this control to hide developer settings
  Hide Settings WiFi
  Configured
  Use this control to hide WiFi settings
  Set System Language & Country
  A group of controls to set the system locale with default language & country on the device
  Set Language
  Configured
  Use this control to set the default device language; Two character lower case language code as defined in ISO 639-1.
  
  Set Country
  Configured
  Use this control to set the default device country; Two character upper case country code as defined in ISO 3166-1. This can be optionally followed by a hash (#) and a four character script code as defined in ISO 15924.
  
  Enable Mobile Data
  Configured
  Use this control to turn on mobile data
  Enable Auto Start Up
  Configured
  Use this control to Auto Boot the device when connected to Power Source
  Set input method
  A group of controls to set the input method on the device
  Set input method package name
  Configured
  Enter the specified package name for input method. Default package name is for XCover/TabActive Pro devices
  com.sec.android.inputmethod
  Enable No Battery Mode
  Configured
  Use this control to enable or disable No Battery Mode
  Set Power Saving Mode
  Set the power saving mode of the device
  Enable power saving mode controls
  Configured
  Use this control to allow power saving mode policy on the device
  Set Limit CPU
  Configured
  Use this control to limit CPU usage on Power Saving Mode
  Set Reduce Brightness
  Configured
  Use this control to reduce brightness on Power Saving Mode
- Password Policy
  A group of policies to manage password policies on the device, including enabling or disabling the ability to manage passwords and other authentication methods to log in to the device.
  Enable password policy controls with KSP
  Configured
  Use this control to allow management of password policies on the device. Enable this option before changing any password related settings. If this option is not enabled, any settings for password and other authentication related items are ignored.
  Biometric authentication
  A group of policies to manage the biometric authentication option without user interaction.
  Enable fingerprint authentication
  Configured
  Use this control to allow or stop the use of fingerprint recognition for authentication.
  Enable Iris authentication
  Configured
  Use this control to allow or stop the use of iris recognition for authentication.
  Enable Face recognition
  Configured
  Use this control to allow or stop the use of facial recognition for authentication.
  Enable multifactor authentication (Premium)
  Configured
  Use this control to enable or disable multifactor authentication (2FA). Once enabled, a device is only unlocked after two authentication methods are provided, including one biometric input (face / iris / fingerprint) and one lock screen method (PIN / password / pattern).This feature is available only on Knox 3.2.1 and above. Caution: Incorrect use of this policy together with “One Lock” and “Biometric policy” can lock your device.
  Password Change (Premium)
  A group of policies to manage password change.
  Enforce Password Change
  Configured
  Use this control to enforce password change. if no password set, enforce to set. Caution: Verify password enforcement condition before saving any new policy otherwise it will enforce password at unexpected time
  Password Enforcement timeout
  Configured
  Enter the value in mins up to which user can cancel/delay the password change
  Password Enforcement timeout
  Password Restriction
  A group of policies to manage password restriction.
  Maximum Character Sequence Length
  Configured
  Use this policy to specify the maximum length of an alphabetic sequence that is allowed for a device password.
  Maximum Character Sequence Length
  Maximum Numeric Sequence Length
  Configured
  Use this policy to specify the maximum length of numeric sequence that is allowed for a device password.
  Maximum Numeric Sequence Length
  Minimum Password Length
  Configured
  Use this policy to specify minimum length password allowed for device.
  Minimum Password Length
  Allowed Time for User Activity before Device Locks
  Configured
  Enter the maximum number of time in seconds for user activity until the device will lock. A Value of 0 means there is no restriction; Caution: The API takes into effect immediately
  Allowed Time for User Activity before Device Locks
  Maximum Failed Password Attempt to Wipe Data
  Configured
  Enter the maximum number of failed password allowed until the data in the device is wiped. Caution: The API takes into effect immediately with the # of failed attempts and data will be wiped completely and no possible way to revert
  Maximum Failed Password Attempt to Wipe Data
  Maximum Failed Password Attempt to Disable Device
  Configured
  Set the maximum permitted failed password attempts before the device is rendered inoperable. When the set value is exceeded, the device container is disabled and a blocking page displays to the user. The impacted device can be re-enabled using API by setting set this value to zero (0). However, KSP cannot be used to unlock just the impacted device, and each device within the impacted device group will have this feature disabled. Additionally, when the disabled device is rebooted it remains in a file-based encrypted state, and is unable to receive any KSP policies.
  Maximum Failed Password Attempt to Disable Device
  Define Password Quality
  Configured
  Select level of complexity you would like to define for the device password; From No Password to Complex Password (letter, numeric, alphanumeric); Numeric Complex Password must include numeric character with no repeating or ordered
  No Password
  Some Password
  Numeric
  Alphabet
  Alphanumeric
  Numeric Complex
  Complex
  Disable Keyguard Feature
  Configured
  Select the Keyguard feature to disable
  None
  Disable Trusted Agents
  Enable password visibility
  Configured
  Use this policy to control the visibility of Password while Typing
- Application management policies
  A group of policies to configure and manage applications on the device.
  Enable application management controls
  Configured
  Use this control to enable or disable advanced application management settings.
  Battery optimization allowlist
  Configured
  Use this control to exempt applications from battery usage optimizations such as Android Doze mode. For a fully managed device with a Work profile, enter the list of application on the personal profile to allowlist. To specify Work profile-only apps, go to Work Profile Policies > App Management section. Enter a comma-separated list of package names to specify the apps to allowlist.
  
  Notifications allowlist
  Configured
  Use this control to stop applications from showing notifications on the status bar. When this policy is enabled, notifications from all applications are blocked except for the apps specified in this allowlist. Enter the values as a comma separated list or wildcard to specify multiple apps to the allowlist, if you want to use advanced query, please use correct regular expression syntax.
  
  App update controls
  Application update policy
  Configured
  Use this control in combination with the following List of apps control to allow or restrict updates to specific apps. The default value is set to ‘None’, meaning apps on your device update per the policies you’ve specified in your Device Settings and in app settings on Managed Google Play Store.
  None
  Allow update for specified apps only
  Block updates for specified apps only
  List of apps
  Configured
  Use this field to allow or restrict app updates for specific apps. Enter the values as a comma separated list or wildcard to specify multiple apps, if you want to use advanced query, please use correct regular expression syntax.
  
  Allow USB Devices for default access by Application (Configure profiles below)
  Configured
  Use this setting to grant user permission for one or more usb devices to be used by a particular package. Use the Allowed USB devices for Applications section for Configurations.
  Application Allowlist by Pkg Name
  Configured
  Use this control to allowlist applications to be installed on the DO. When this policy is enabled, third-party application (application that is not part of system image) based on the application package name will be allowlisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the allowlist, if you want to use advanced query, please use correct regular expression syntax. If the package name of an application currently being installed matches a package name pattern in both the blocklist and allowlist, the allowlist takes priority and the application is installed.
  
  Application Blocklist by Pkg Name
  Configured
  Use this control to blocklist applications to be installed on the DO. When this policy is enabled, third-party application (application that is not part of system image) based on the application package name will be blocklisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the blocklist, if you want to use advanced query, please use correct regular expression syntax. If the application package is already installed, the API does not affect the existing installation.
  
  Application Allowlist by Signature used
  Configured
  Use this control to allowlist applications to be installed on the DO. When this policy is enabled, third-party application (application that is not part of system image) based on the signature used by the application will be allowlisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the allowlist. If the signature of an application currently being installed matches the signature in both the blocklist and allowlist, the allowlist takes priority and the application is installed.
  
  Application Blocklist by Signature used
  Configured
  Use this control to blocklist applications to be installed on the DO. When this policy is enabled, third-party application (application that is not part of system image) based on the signature used by the application will be blocklisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the blocklist. If the application package is already installed, the API does not affect the existing installation.
  
  Disable Application without user interaction
  Configured
  Use this control to disable application without user interaction. The disabled application package is not uninstalled but the device user cannot use it. The API does not affect the future application package state. Enter the values as a comma separated list, for example, "com.xyz, com.abc".
  
  Force Stop Blocklist
  Configured
  Use this control to prevent the user from stopping certain applications. The stop actions include force stop in Settings app, stopping through third-party applications, stopping any background process by system and stopping any service from the application. Enter the values as a comma separated list or wildcard to specify multiple apps to the blocklist, if you want to use advanced query, please use correct regular expression syntax.
  
  Widget Allowed List
  Configured
  Use this control to allow widget to be installed on the DO. When this policy is enabled, widget matching the list will be allowed to installed and rest all the other widgets will be blocked. Enter the values as a comma separated list or wildcard to specify multiple widget to the allow. If the package name matches the pattern in both the blacklist and whitelist, the whitelist will takes priority.
  
  Widget Blocked List
  Configured
  Use this control to block widget to be installed on the DO. When this policy is enabled, a user cannot add widgets with package names that match the list, and existent widgets are removed from the launcher home screen. Enter the values as a comma separated list or wildcard to specify multiple widget to the block. If the package name matches the pattern in both the blacklist and whitelist, the whitelist will takes priority.
  
  Package Name for Auto-Launch
  Configured
  Enter the package name of the application that needs to be launched after it is installed along with the Component name. Example: PackageName/ComponentName
- Device Admin allowlisting
  A group of policies to manage Device Administrator (DA) privileges to specific apps when KSP is launched on the device. By default, DA level access is blocked for all apps. KSP cannot deactivate DA level access for an app that is already activated before KSP is launched.
  Enable device admin controls
  Configured
  Use this control to enable or disable Device Admin allowlisting control for applications on a device where KSP is launched.
  Allowlisted DAs
  Configured
  By default, KSP will block activation of any application as device admin, except those specified in this allowlist. Enter a comma-separated list of packages to specify the list of apps to allowlist.
- Device customization controls (Premium)
  A group of policies to customize the device user interface. Configure the "Device customization profile" that the device user must use in this section. Availability: Premium license with Customization permissions.
  Enable device customization
  Configured
  Use this control to enable or disable device customization. (Configure Device customization profile below)
- Device Controls
  A group of policies to manage device controls, such as APN settings, NFC policies, certificate management, and more.
  APN Setting Policy
  A group of policies to create, update and remove Access Point Name (APN) settings on the device.
  Enable APN settings policy control
  Configured
  Use this control to enable or disable APN settings for the device. Enable this control before changing any APN settings. If this control is not enabled, any APN settings are ignored.
  Name of APN Configuration to add or update
  Configured
  Enter the name of the APN configuration profile that needs to be added or updated. Ensure that the name used here matches at least one name in the APN configuration > name field. For example, “samsungAPN3”
  APN_1
  Allow user to change APN Settings
  Configured
  Use this control to allow or prevent user from changing the APN settings.
  Data Roaming Policy
  A group of policies to control the data roaming settings on the device.
  Enable data roaming policy control
  Configured
  Use this control to enable or disable data roaming settings for the device. Enable this control before changing any data roaming settings. If this control is not enabled, any data roaming settings are ignored.
  Allow user to change data roaming state
  Configured
  Use this setting to allow or prevent users from changing the current data roaming state (on or off).
  Allow user to change voice call state
  Configured
  Use this setting to allow or prevent users from changing the current voice call state (on or off).
  Network Mode Policy
  A group of policies to control the Network mode settings on the device.
  Enable network mode policy control
  Configured
  Use this control to set the network mode type for the device. Enable this control before changing any network mode settings. If this control is not enabled, any data roaming settings are ignored.
  Set Network mode
  Configured
  Use this control to set the network mode.
  5G/LTE/3G/2G(auto connect)
  LTE/3G/2G(auto connect)
  LTE/3G(auto connect)
  NFC Policy
  A group of policies to control Near Field Communications (NFC) settings. For example turning NFC on or off.
  Enable NFC policy controls
  Configured
  Use this control to enable or disable NFC settings for the device. Enable this control before changing any NFC settings. If this control not enabled, any NFC settings are ignored.
  Turn on NFC
  Configured
  Use this control to turn NFC on or off. If this setting is disabled, all NFC related functions will not work such as NFC based payment systems or NFC tags.
  Allow user to change NFC state
  Configured
  Use this setting to allow or prevent users from changing the current NFC state (on or off).
  Wi-Fi Policy
  A group of policies to control Wi-Fi settings. For example setting Wi-Fi hotspots, allowing specific connections etc.
  Enable Wi-Fi policy controls
  Configured
  Use this control to enable or disable Wi-Fi polices on a device. If this control not enabled, any Wi-Fi settings you change are ignored.
  Set Wi-Fi hotspot SSID
  Configured
  Use this control to name the Wi-Fi hotspot saved on a device. For example, you can set a custom name, such as “MyMobileWifi”, instead of using the default SSID.
  
  Set Wi-Fi hotspot password
  Configured
  Use this control to enforce a password when a Wi-Fi mobile hotspot is enabled. If this field is empty, users can create unsecured hotspot network. Passwords should be eight or more characters long.
  
  Allow user to change hotspot setting
  Configured
  Use this control to allow users to change Wi-Fi hotspot settings on the device. If this setting is off, users cannot make modifications to the hotspot settings on their device
  Allow open Wi-Fi connection
  Configured
  Use this control to allow devices to start an open (non-secured) Wi-Fi hotspot or connect to open and unprotected Wi-Fi access points. If this control is off, users cannot connect to unsecured Wi-Fi networks or start an open (non-secured) Wi-Fi hotspot.
  Allow Minimum Wi-Fi Security Requirement
  Configured
  Use this option to allow user to select the minimum security requirement for Wifi Connection. Note: This policy can be applied only if open wifi connection is disabled
  WEP
  WPA
  LEAP, PWD
  FAST, PEAP
  TLS, TTLS, SIM, AKA, AKA'
  Block Wi-Fi N/W Connection
  Configured
  Add SSID to the list of blocked network to prevent user to connect
  
  Allow Automatic Wi-Fi Connection to saved SSIDs
  Configured
  Use this control to allow or deny automatic connections of saved SSIDs
  Allow Control for Wi-Fi Password to be Visible
  Configured
  Use this control to make the password hidden or visible in the network edit diaglog
  Allow Wi-Fi State Change
  Configured
  Use this control to allow or deny user access to make Wi-Fi state change
  Allow to configure Wi-Fi (Configure details below)
  Configured
  Use this control to allow configuration of WiFi
  Advanced Wi-Fi Policy (Premium)
  A group of policies to control Advanced Wi-Fi settings. For example setting roam trigger, roam delta, roam scan period etc.
  Enable Advanced Wi-Fi Policy Controls(Configure profiles below)
  Configured
  Use this control to enable or disable Advanced Wi-Fi polices on a device. If this control not enabled, any Advanced Wi-Fi settings you change are ignored.
  Bluetooth Policy
  A group of policies to control bluetooth settings. For example you can block certain bluetooth profiles or services. Note: These controls have no impact if “Allow BT” is disabled in the “device restrictions” section.
  Enable bluetooth policy controls
  Configured
  Use this control to enable or disable bluetooth settings. If this control is not enabled, any changes you make to bluetooth settings are ignored.
  Enable bluetooth profiles
  Configure
  Use this control to allow or block peripherals from connecting based on their bluetooth profiles.
  Allowlist Bluetooth Service by UUID
  Configured
  Use this control to allow peripherals from connecting based on their Bluetooth service UUID. When enabled, all peripherals except those with UUIDs specified here are blocked from operating with the device. The UUIDs should be as per BT SIG specifications. See the KSP Admin guide for a list of frequently used UUIDs.
  NONE
  ALL
  A2DP_ADVAUDIODIST_UUID
  A2DP_AUDIOSINK_UUID
  A2DP_AUDIOSOURCE_UUID
  AVRCP_CONTROLLER_UUID
  AVRCP_TARGET_UUID
  BNEP_UUID
  BPP_UUID
  DUN_UUID
  HFP_AG_UUID
  HFP_UUID
  HID_UUID
  HSP_AG_UUID
  HSP_UUID
  NAP_UUID
  OBEXOBJECTPUSH_UUID
  PANU_UUID
  PBAP_PSE_UUID
  PBAP_UUID
  SPP_UUID
  Blocklist Bluetooth Service by UUID
  Configured
  Use this control to block peripherals from connecting based on their Bluetooth service UUID. When enabled, all peripherals except those with UUIDs specified here are allowed from operating with the device. The UUIDs should be as per BT SIG specifications. See the KSP Admin guide for a list of frequently used UUIDs.
  NONE
  ALL
  A2DP_ADVAUDIODIST_UUID
  A2DP_AUDIOSINK_UUID
  A2DP_AUDIOSOURCE_UUID
  AVRCP_CONTROLLER_UUID
  AVRCP_TARGET_UUID
  BNEP_UUID
  BPP_UUID
  DUN_UUID