Managed configuration

Profile name
Add a unique profile name that highlights the policies and restrictions applicable to this profile. You can later use the name for tracking and debugging. To ensure good user experience, we recommend using a name less than 50 characters in length.
KPE Premium or Knox Suite License key
If your UEM console supports KPE license information, enter your KPE License there. For UEM consoles not showing this information, enter your KPELicense Key for your Knox Premium license in this field. This field also supports the new Knox Suite license key or Knox Platform for Customization (KPC) licensekey. This field does not apply to Blackberry users. Applies to devices running Android P and Knox v3.2.1 or higher. To buy a KPE Premium / Knox Suite or KPC license, contact your authorized Samsung Knox Reseller.
Debug Mode
The informative mode shows policy results and errors on the device. We recommend enabling this mode only during the test phases and not during final deployment.
Separated Apps policies
A group of policies and restriction that are applicable to Separated apps.
- Enable Separated Apps
  Turn Separated Apps policies on or off. Enable this option before using any of the Separated Apps policies. If this option is disabled, KSP will apply policy to remove Separated Apps from the device, all apps installed inside Separated Apps will be uninstalled from the device.
- Allow List Policy
  A group of policies for specifying the list of apps to be separated and whether the specified list of apps should be installed outside or inside of the separate space.Available Knox 3.7 or higher
  Location for Separate Apps installation
  If the value is set to Outside, List of specified apps will be installed outside (i.e. in user0), apps not in the list will be installed inside. if the value is set to Inside, List of specified apps will be installed inside (i.e. inside separate space), apps not in the list will be installed outside
  Outside
  Inside
  List of Apps to Separate
  Provide list of applications that will be separated from all the other apps not in this list. Note: If Outside is selected for Location of Separate Apps installation then existing apps installed outside in User0 that are not part of this list will be uninstalled
Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted)
A global group of policies and restrictions that are applicable to all users of the device. This list includes items that impact all users on the device, whether they fall under personal or work profiles. Availability: Knox 3.0 and above.
- Enable device policy controls
  Use this control to enable or disable device-wide policies. Enable this option before using any of the device-wide policies. If this option is disabled, KSP does not apply any policies in default user (User 0).
- DeX policy
  A group of policies for Samsung DeX control and customization, including items related to enabling and disabling DeX, managing DeX restrictions, and customization of the DeX experience for the user. Availability: Knox v3.1 or higher.
  Enable DeX policy controls
  Use this control to enable or disable DeX mode controls for the device. Enable DeX controls before using any of the DeX restriction policies. If DeX controls are not enabled, any settings for items in the DeX Policy group are ignored.
  Manage DeX restrictions
  Use these controls to turn individual DeX restrictions on or off. On Knox v3.1 or higher.
  Allow Dex connection
  Use this control to allow the device to accept DeX connections on your phone.
  Enforce the use of Ethernet connection
  Use this control to enforce the use of ethernet connectivity in DeX mode. When this functionality is enabled, cellular data, wifi, and other such connections are not available in Dex mode. By default, ethernet use is not enforced.
  Enforce the use of virtual MAC address
  Enable this control to use a virtual MAC address for a device in DeX mode to differentiate between the different modes of the device on your network.
  Manage list of apps disabled in DeX mode
  Use this control to list the apps that are disabled when the device is in DeX mode. Enter the values as a comma separated list of package names.To find package names, use a browser on a computer to go to app information on the Play store and find the app’s URL showing after “id=”.
  Customize Dex Experience (Premium)
  Use this control to enable customization of your DeX mode. (Configure DeX customization profile below)
- VPN policy (Premium)
  A group of policies for VPN setup and configuration. IT admins can enforce these policies for fully managed devices with or without a Work profile. Availability: All Knox versions with a Premium license.
  Enable VPN controls
  Use this control to enable or disable VPN controls for the device. Enable VPN controls before changing any VPN related settings. If VPN controls are not enabled, any settings for VPN related items are ignored.
  VPN type
  Choose the VPN type applicable to the apps on the device. For fully managed devices without a Work profile/Separated Apps, choose between all apps or specific apps. For devices with a Work profile, choose between all three options.
  Device-wide
  Work profile/Separated Apps only
  Selected Apps(Per-app)
  Manage list of apps that use VPN
  Use these controls to add a list of applications at a device-wide or Work profile/Separated Apps specific level that can use VPN and connect to the network directly.
  Select apps in the device, in the main user
  For fully managed devices with app-specific VPN, enter a comma-separated list of package names to specify apps that must use VPN to connect. For devices with a Work profile, enter the Personal profile apps that must use VPN to connect. To use VPN for all apps, do not enter any app names. Default value is all apps.
  Select apps in the Work profile/Separated Apps
  For fully managed devices with a Work profile/Separated Apps and the VPN type set to Selected Apps, enter the list of Work profile/Separated Apps apps that must use VPN to connect. Enter a comma-separated list of package names to specify the apps. To use VPN for all Work profile/Separated Apps, leave blank. Default value is all apps.
  Enable on-demand VPN
  For fully managed device with or without a Work profile/Separated Apps, enter a comma-separated list of package names to specify apps that can use VPN connections. To use VPN for all apps, do not enter any app names.
  Manage list of apps that can bypass VPN
  Use these controls to add a list of applications at a device-wide or Work profile/Separated Apps specific level that can bypass VPN and connect to the network directly.
  Apps in main user
  For fully managed device with or without a Work profile/Separated Apps, enter a comma-separated list of package names to specify apps that can bypass VPN connections. To use VPN for all apps, do not enter any app names.
  Apps in work profile/Separated Apps
  For fully managed devices with a Work profile/Separated Apps, enter a comma-separated list of package names to specify apps that can bypass VPN connections. To use VPN for all apps, do not enter any app names.
  Name of VPN profile to use
  Enter the name of the primary VPN configuration profile that apps can use for network connections. This profile name must match the "Profile name" value set in one of the "VPN profiles" below.
  Enable VPN chaining
  Use this control to enable the use of two VPNs to double encrypt the data-traffic from apps added to the VPN profile.
  Name of secondary VPN profile to use
  For devices with multiple VPN profiles, enter the name of the outer VPN configuration profile. This VPN server decrypts all data before passing it to the VPN client. This profile name must match the value set in the VPN profiles section.
- Firewall and Proxy policy
  A group of policies for firewall setup and configuration. IT admins can enforce these policies for fully managed devices with or without a Work profile. Availability: Knox v2.7 or higher with a Premium license.
  Enable firewall controls
  Use this control to enable or disable the firewall controls for fully managed devices with or without a Work profile.
  Name of firewall configuration to use
  Enter the name of the primary firewall configuration profile that apps can use for network connections. This profile name must match the value set in the Firewall profiles section.
  Enable Proxy on device
  Use this control to enable or disable a global proxy on a device that routes all internet traffic through a proxy server of your choice. This works for both WiFi and data connections. You can use either a fixed proxy server address or a proxy auto-config (PAC) file. According to your selection here, the settings provided in either the "Manual proxy configuration" or "Proxy auto configuration" section below will be used.
  None
  Use manual proxy configuration
  Use proxy auto-config (PAC)
- Call and Messaging control
  A group of policies to manage device-wide call and messaging restrictions.
  Enable call and messaging controls
  Use this control to enable or disable the phone call and text messaging functionality on the device.
  Manage RCS messaging
  Use this control to block RCS on the device. RCS (Rich Communication Services) is an advanced messaging system that aims at making SMS messages more interactive. For example, letting users transmit in-call multimedia. By default, RCS messaging is allowed.
  Set disclaimer text for messages
  Use this control to set a disclaimer text with all the outgoing SMS and MMS from the device. The disclaimer text should be limited to 30 characters.
- Device Restrictions
  A group of controls to allow or block specific operations on the user's device.
  Enable device restriction controls
  Use this control to enable or disable restriction controls for the device. Enable these controls before changing any device restriction settings. If these controls are not enabled, any device restriction settings are ignored.
  Allow microphone
  Use this setting to disable the microphone without user interaction. Disabling this control restricts the use of the microphone for recording purposes, but does not impact the use of the phone application on the device.
  Allow WiFi
  Use this control to allow or restrict the device's ability to connect to Wi-Fi networks.
  Allow WiFi Direct
  Use this control to allow or restrict the device's ability to connect to Wi-Fi Direct networks.
  Allow Bluetooth
  Use this control to allow or restrict the device's ability to make Bluetooth connections.
  Allow cellular data
  Use this control to allow or restrict the device's ability to use the cellular data connection.
  Tethering controls
  A group of controls to configure the use of tethering technologies on the device.
  Allow tethering
  Use this control to allow or block all types of tethering on the device. Enable this control before changing any other tethering settings. If this control is not enabled, any changes to other tethering settings are ignored.
  Allow WiFi tethering
  Use this control to allow or block tethering on Wi-Fi. If the use of all tethering is disabled, changing these settings has no impact.
  Allow Bluetooth tethering
  Use this control to allow or block tethering on Bluetooth. If the use of all tethering is disabled, changing these settings has no impact.
  Allow USB tethering
  Use this control to allow or block tethering on USB. If the use of all tethering is disabled, changing these settings has no impact.
  Allow USB media player
  Use this control to enable or disable the use of an external USB media player on the device.
  Allow USB host storage
  Use this control to enable or disable the use of an external USB storage device, such as an external hard disk or a flash drive.
  Setup USB exception list
  If the Allow USB host storage setting is enabled, use this control to configure the use of one or more classes of USB devices or USB composite device on the mobile device. If the Allow USB host storage setting is disabled, any settings in this section have no impact. A USB Composite Device is a peripheral device that supports more than one device class. If you use this policy to control a USB Composite Device, ensure that you add all supported classes in the exception list.
  Allow all
  Audio
  CDC Data
  Communication
  Human Interface Device
  Mass Storage
  Miscellaneous
  Still Image
  Vendor Specific
  Wireless Controller
  Allow USB debugging
  Use this control to enable or disable the device to enter into a USB debugging mode.
  Allow developer mode
  Use this control to enable or disable the device to enter into a developer mode.
  Allow Share Via option
  Use this control to enable or disable the Share Via option that presents User options to share data from one application to another application using one of the many available options.
  Allow power saving mode
  Use this control to enable or disable the device from entering the Power Saver mode automatically.
  Allow data saver mode
  Use this control to enable or disable the device from entering the Data Saver mode automatically.
  Allow VPN connections
  Use this control to enable or disable VPN connections on the device.
  Allow user to modify Settings
  Use this control to allow or restrict the user from changing the device settings.
  Enforce external storage encryption
  Use this control to enable external storage (SD Card) encryption. Enabling this option prompts the user to start encryption. For security reasons, we recommend setting the policy to use an alphanumeric password.
  Allow SD card access
  Use this control to enable or disable Secure Digital (SD) card access.
  Allow backup on Google Server
  Use this control to enable or disable backup of data on the Google Server.
  Allow installation of Non-Google Play Apps
  Use this control to allow or disallow installation of Non-Google Play Applications.
  Allow Video Recording
  Use this control to enable or disable video recording.
  Allow Android Beam on device
  Use this control to allow or disallow Android Beam on device.
  Allow Camera
  Use this control to enable or disable camera.
  Allow Clipboard
  Use this control to enable or disable clipboard.
  Allow Smart Switch
  Use this control to allow or disallow smart switch to seamlessly transfer contacts, photos, music, videos, messages, notes, calendars and more to virtually any Samsung Galaxy device
  Allow UWB
  Use this control to allow or disallow UWB on the device
- Advanced Restriction policies (Premium)
  A group of controls to manage advanced restriction policies. A KPE Premium license is required for all policies in this group.
  Enable Advanced Restrictions controls
  Use this control to enable advanced controls on the device.
  Allow wi-fi scanning
  Use this control to block the device from scanning for Wi-Fi networks in range to improve the accuracy of location detection. Availability with Knox 3.2 or higher.
  Allow bluetooth scanning
  Use this control to block the device from scanning for bluetooth devices in range to improve the accuracy of location detection. Availability with Knox 3.2 or higher. Note: If disabled, all Bluetooth functionality is disabled. If Bluetooth scanning is disabled, the device declines location accuracy and does not allow apps and services to scan for and connect to nearby devices automatically via Bluetooth.
  Allow remote control
  Use this control to block connections to the device, using third-party remote control apps. Availability with Knox 3.0 or higher.
  Enable Common Criteria (CC) mode
  Use this control to enable services to bring the device into the Common Criteria-evaluated configuration, called CC Mode. For devices enrolled in a UEM, these settings are set at the UEM level.
  Allow dual SIM operation
  Use this control to enable or disable the secondary SIM card slot on a dual SIM device. Disabling this policy blocks functions on the second SIM, preventing calls, SMS / MMS and data. Enabling the policy returns all ordinary functions to the previously blocked SIM. This policy is ignored by devices that only have one SIM.
  WiFi Advanced Detect suspicious network
  A group of controls to configure WIPS to prevents unauthorized network access to local area networks and other information assets by wireless devices.
  Enable WIPS Control
  Use this control to enable or disable WIPS options. If this control is disabled, any changes to other WIPS related settings have no impact.
  Allow WIPS Enforcement
  Select this option to enforce the feature, Disallow end user to bypass WIPS
  0 off
  1 on
  Allow WIPS Advance Protection
  Select this option to Disallow end user to change WIPS
  0 off
  1 on
  Set USB Device Connection Type
  Use this control to select the usb connection type
  DEFAULT
  MTP
  PTP
  MIDI
  CHARGING
- Firmware update (FOTA) policy
  A group of controls to configure firmware updates settings.
  Enable firmware controls
  Use this control to enable or disable advanced firmware update options. If this control is disabled, any changes to other firmware update related settings have no impact.
  Allow firmware update over-the-air
  Use this control to enable or disable firmware updates using Firmware-Over-The-Air (FOTA) technology. When this policy controls is set to false, all possible OTA upgrade requests (user initiated, server initiated, and system initiated) are blocked; the user may see server messages related to new firmware updates but any attempt to upgrade fails. This does not block user from updating firmware using recovery mode.
  Allow firmware update in recovery mode
  Use this control to enable or disable firmware updates when the device is in recovery mode. Recovery Mode is a device mode which allows users to factory reset, fix some problems or apply software updates on the device. If the firmware controls are disabled, any changes to this setting have no impact.
  Enforce firmware auto update on Wi-Fi (Premium)
  Use this control to enable or disable automatic firmware updates when the device is connected to Wi-Fi network. Enabling this control will turn-on the device setting to auto-update on W-Fi and block the user from modifying it. Disabling this control will reset the setting and allow user to freely modify the setting on the device. If the firmware controls are disabled, any changes to this setting have no impact.
  Enable E-FOTA client installation & launch
  Use this control to enable or disable installation and launch of E-FOTA client
- Device Settings (Premium)
  A group of controls for device settings. A KPE Premium license is required for all policies in this group.
  Enable device settings controls
  Use this control to enable device settings
  Hide Settings Backup and Reset
  Use this control to hide backup and reset settings
  Hide Settings Airplane Mode
  Use this control to hide airplane mode settings
  Hide Settings Language
  Use this control to hide language settings
  Hide Settings Lock Screen
  Use this control to hide lock screen settings
  Hide Settings Bluetooth
  Use this control to hide bluetooth settings
  Hide Settings Developer
  Use this control to hide developer settings
  Hide Settings WiFi
  Use this control to hide WiFi settings
  Set System Language & Country
  A group of controls to set the system locale with default language & country on the device
  Set Language
  Use this control to set the default device language; Two character lower case language code as defined in ISO 639-1.
  Set Country
  Use this control to set the default device country; Two character upper case country code as defined in ISO 3166-1. This can be optionally followed by a hash (#) and a four character script code as defined in ISO 15924.
  Enable Mobile Data
  Use this control to turn on mobile data
  Enable Auto Start Up
  Use this control to Auto Boot the device when connected to Power Source
  Set input method
  A group of controls to set the input method on the device
  Set input method package name
  Enter the specified package name for input method. Default package name is for XCover/TabActive Pro devices
  Enable No Battery Mode
  Use this control to enable or disable No Battery Mode
  Set Power Saving Mode
  Set the power saving mode of the device
  Enable power saving mode controls
  Use this control to allow power saving mode policy on the device
  Set Limit CPU
  Use this control to turn on the limit CPU
  Set Reduce Brightness
  Use this control to turn on the Reduce Brightness
- Password Policy
  A group of policies to manage password policies on the device, including enabling or disabling the ability to manage passwords and other authentication methods to log in to the device.
  Enable password policy controls with KSP
  Use this control to allow management of password policies on the device. Enable this option before changing any password related settings. If this option is not enabled, any settings for password and other authentication related items are ignored.
  Biometric authentication
  A group of policies to manage the biometric authentication option without user interaction.
  Enable fingerprint authentication
  Use this control to allow or stop the use of fingerprint recognition for authentication.
  Enable Iris authentication
  Use this control to allow or stop the use of iris recognition for authentication.
  Enable Face recognition
  Use this control to allow or stop the use of facial recognition for authentication.
  Enable multifactor authentication (Premium)
  Use this control to enable or disable multifactor authentication (2FA). Once enabled, a device is only unlocked after two authentication methods are provided, including one biometric input (face / iris / fingerprint) and one lock screen method (PIN / password / pattern).This feature is available only on Knox 3.2.1 and above. Caution: Incorrect use of this policy together with “One Lock” and “Biometric policy” can lock your device.
  Password Change (Premium)
  A group of policies to manage password change.
  Enforce Password Change
  Use this control to enforce password change. if no password set, enforce to set. Caution: Verify password enforcement condition before saving any new policy otherwise it will enforce password at unexpected time
  Password Enforcement timeout
  Enter the value in mins up to which user can cancel/delay the password change
  Password Restriction
  A group of policies to manage password restriction.
  Maximum Character Sequence Length
  Use this policy to specify the maximum length of an alphabetic sequence that is allowed for a device password.
  Maximum Numeric Sequence Length
  Use this policy to specify the maximum length of numeric sequence that is allowed for a device password.
  Minimum Password Length
  Use this policy to specify minimum length password allowed for device.
  Allowed Time for User Activity before Device Locks
  Enter the maximum number of time in seconds for user activity until the device will lock. A Value of 0 means there is no restriction; Caution: The API takes into effect immediately
  Maximum Failed Password Attempt to Wipe Data
  Enter the maximum number of failed password allowed until the data in the device is wiped. Caution: The API takes into effect immediately with the # of failed attempts and data will be wiped completely and no possible way to revert
  Maximum Failed Password Attempt to Disable Device
  Set the maximum permitted failed password attempts before the device is rendered inoperable. When the set value is exceeded, the device container is disabled and a blocking page displays to the user. The impacted device can be re-enabled using API by setting set this value to zero (0). However, KSP cannot be used to unlock just the impacted device, and each device within the impacted device group will have this feature disabled. Additionally, when the disabled device is rebooted it remains in a file-based encrypted state, and is unable to receive any KSP policies.
  Define Password Quality
  Select level of complexity you would like to define for the device password; From No Password to Complex Password (letter, numeric, alphanumeric); Numeric Complex Password must include numeric character with no repeating or ordered
  No Password
  Some Password
  Numeric
  Alphabet
  Alphanumeric
  Numeric Complex
  Complex
  Disable Keyguard Feature
  Select the Keyguard feature to disable
  None
  Disable Trusted Agents
  Enable password visibility
  Use this policy to control the visibility of Password while Typing
- Application management policies
  A group of policies to configure and manage applications on the device.
  Enable application management controls
  Use this control to enable or disable advanced application management settings.
  Battery optimization allowlist
  Use this control to exempt applications from battery usage optimizations such as Android Doze mode. For a fully managed device with a Work profile, enter the list of application on the personal profile to allowlist. To specify Work profile-only apps, go to Work Profile Policies > App Management section. Enter a comma-separated list of package names to specify the apps to allowlist.
  Notifications allowlist
  Use this control to stop applications from showing notifications on the status bar. When this policy is enabled, notifications from all applications are blocked except for the apps specified in this allowlist. Enter the values as a comma separated list or wildcard to specify multiple apps to the allowlist, if you want to use advanced query, please use correct regular expression syntax.
  App update controls
  Application update policy
  Use this control in combination with the following List of apps control to allow or restrict updates to specific apps. The default value is set to ‘None’, meaning apps on your device update per the policies you’ve specified in your Device Settings and in app settings on Managed Google Play Store.
  None
  Allow update for specified apps only
  Block updates for specified apps only
  List of apps
  Use this field to allow or restrict app updates for specific apps. Enter the values as a comma separated list or wildcard to specify multiple apps, if you want to use advanced query, please use correct regular expression syntax.
  Allow USB Devices for default access by Application (Configure profiles below)
  Use this setting to grant user permission for one or more usb devices to be used by a particular package. Use the Allowed USB devices for Applications section for Configurations.
  Application Allowlist by Pkg Name
  Use this control to allowlist applications to be installed on the DO. When this policy is enabled, third-party application (application that is not part of system image) based on the application package name will be allowlisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the allowlist, if you want to use advanced query, please use correct regular expression syntax. If the package name of an application currently being installed matches a package name pattern in both the blocklist and allowlist, the allowlist takes priority and the application is installed.
  Application Blocklist by Pkg Name
  Use this control to blocklist applications to be installed on the DO. When this policy is enabled, third-party application (application that is not part of system image) based on the application package name will be blocklisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the blocklist, if you want to use advanced query, please use correct regular expression syntax. If the application package is already installed, the API does not affect the existing installation.
  Application Allowlist by Signature used
  Use this control to allowlist applications to be installed on the DO. When this policy is enabled, third-party application (application that is not part of system image) based on the signature used by the application will be allowlisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the allowlist. If the signature of an application currently being installed matches the signature in both the blocklist and allowlist, the allowlist takes priority and the application is installed.
  Application Blocklist by Signature used
  Use this control to blocklist applications to be installed on the DO. When this policy is enabled, third-party application (application that is not part of system image) based on the signature used by the application will be blocklisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the blocklist. If the application package is already installed, the API does not affect the existing installation.
  Disable Application without user interaction
  Use this control to disable application without user interaction. The disabled application package is not uninstalled but the device user cannot use it. The API does not affect the future application package state. Enter the values as a comma separated list, for example, "com.xyz, com.abc".
  Force Stop Blocklist
  Use this control to prevent the user from stopping certain applications. The stop actions include force stop in Settings app, stopping through third-party applications, stopping any background process by system and stopping any service from the application. Enter the values as a comma separated list or wildcard to specify multiple apps to the blocklist, if you want to use advanced query, please use correct regular expression syntax.
  Widget Allowed List
  Use this control to allow widget to be installed on the DO. When this policy is enabled, widget matching the list will be allowed to installed and rest all the other widgets will be blocked. Enter the values as a comma separated list or wildcard to specify multiple widget to the allow. If the package name matches the pattern in both the blacklist and whitelist, the whitelist will takes priority.
  Widget Blocked List
  Use this control to block widget to be installed on the DO. When this policy is enabled, a user cannot add widgets with package names that match the list, and existent widgets are removed from the launcher home screen. Enter the values as a comma separated list or wildcard to specify multiple widget to the block. If the package name matches the pattern in both the blacklist and whitelist, the whitelist will takes priority.
  Package Name for Auto-Launch
  Enter the package name of the application that needs to be launched after it is installed along with the Component name. Example: PackageName/ComponentName
- Device Admin allowlisting
  A group of policies to manage Device Administrator (DA) privileges to specific apps when KSP is launched on the device. By default, DA level access is blocked for all apps. KSP cannot deactivate DA level access for an app that is already activated before KSP is launched.
  Enable device admin controls
  Use this control to enable or disable Device Admin allowlisting control for applications on a device where KSP is launched.
  Allowlisted DAs
  By default, KSP will block activation of any application as device admin, except those specified in this allowlist. Enter a comma-separated list of packages to specify the list of apps to allowlist.
- Device customization controls (Premium)
  A group of policies to customize the device user interface. Configure the "Device customization profile" that the device user must use in this section. Availability: Premium license with Customization permissions.
  Enable device customization
  Use this control to enable or disable device customization. (Configure Device customization profile below)
- Device Controls
  A group of policies to manage device controls, such as APN settings, NFC policies, certificate management, and more.
  APN Setting Policy
  A group of policies to create, update and remove Access Point Name (APN) settings on the device.
  Enable APN settings policy control
  Use this control to enable or disable APN settings for the device. Enable this control before changing any APN settings. If this control is not enabled, any APN settings are ignored.
  Name of APN Configuration to add or update
  Enter the name of the APN configuration profile that needs to be added or updated. Ensure that the name used here matches at least one name in the APN configuration > name field. For example, “samsungAPN3”
  Allow user to change APN Settings
  Use this control to allow or prevent user from changing the APN settings.
  NFC Policy
  A group of policies to control Near Field Communications (NFC) settings. For example turning NFC on or off.
  Enable NFC policy controls
  Use this control to enable or disable NFC settings for the device. Enable this control before changing any NFC settings. If this control not enabled, any NFC settings are ignored.
  Turn on NFC
  Use this control to turn NFC on or off. If this setting is disabled, all NFC related functions will not work such as NFC based payment systems or NFC tags.
  Allow user to change NFC state
  Use this setting to allow or prevent users from changing the current NFC state (on or off).
  Wi-Fi Policy
  A group of policies to control Wi-Fi settings. For example setting Wi-Fi hotspots, allowing specific connections etc.
  Enable Wi-Fi policy controls
  Use this control to enable or disable Wi-Fi polices on a device. If this control not enabled, any Wi-Fi settings you change are ignored.
  Set Wi-Fi hotspot SSID
  Use this control to name the Wi-Fi hotspot saved on a device. For example, you can set a custom name, such as “MyMobileWifi”, instead of using the default SSID.
  Set Wi-Fi hotspot password
  Use this control to enforce a password when a Wi-Fi mobile hotspot is enabled. If this field is empty, users can create unsecured hotspot network. Passwords should be eight or more characters long.
  Allow user to change hotspot setting
  Use this control to allow users to change Wi-Fi hotspot settings on the device. If this setting is off, users cannot make modifications to the hotspot settings on their device
  Allow open Wi-Fi connection
  Use this control to allow devices to start an open (non-secured) Wi-Fi hotspot or connect to open and unprotected Wi-Fi access points. If this control is off, users cannot connect to unsecured Wi-Fi networks or start an open (non-secured) Wi-Fi hotspot.
  Allow Minimum Wi-Fi Security Requirement
  Use this option to allow user to select the minimum security requirement for Wifi Connection. Note: This policy can be applied only if open wifi connection is disabled
  WEP
  WPA
  LEAP, PWD
  FAST, PEAP
  TLS, TTLS, SIM, AKA, AKA'
  Block Wi-Fi N/W Connection
  Add SSID to the list of blocked network to prevent user to connect
  Allow Automatic Wi-Fi Connection to saved SSIDs
  Use this control to allow or deny automatic connections of saved SSIDs
  Allow Control for Wi-Fi Password to be Visible
  Use this control to make the password hidden or visible in the network edit diaglog
  Allow Wi-Fi State Change
  Use this control to allow or deny user access to make Wi-Fi state change
  Allow to configure Wi-Fi (Configure details below)
  Use this control to allow configuration of WiFi
  Advanced Wi-Fi Policy (Premium)
  A group of policies to control Advanced Wi-Fi settings. For example setting roam trigger, roam delta, roam scan period etc.
  Enable Advanced Wi-Fi Policy Controls(Configure profiles below)
  Use this control to enable or disable Advanced Wi-Fi polices on a device. If this control not enabled, any Advanced Wi-Fi settings you change are ignored.
  Bluetooth Policy
  A group of policies to control bluetooth settings. For example you can block certain bluetooth profiles or services. Note: These controls have no impact if “Allow BT” is disabled in the “device restrictions” section.
  Enable bluetooth policy controls
  Use this control to enable or disable bluetooth settings. If this control is not enabled, any changes you make to bluetooth settings are ignored.
  Enable bluetooth profiles
  Use this control to allow or block peripherals from connecting based on their bluetooth profiles.
  None
  Bluetooth Advanced Audio Distribution (A2DP)
  Bluetooth Audio/Video Remote Control (AVRCP)
  Bluetooth HandsFree (HFP)
  Bluetooth Headset (HSP)
  Bluetooth Phone Book Access (PBAP)
  Bluetooth Serial Port (SPP)
  Allowlist Bluetooth Service by UUID
  Use this control to allow peripherals from connecting based on their Bluetooth service UUID. When enabled, all peripherals except those with UUIDs specified here are blocked from operating with the device. The UUIDs should be as per BT SIG specifications. See the KSP Admin guide for a list of frequently used UUIDs.
  NONE
  ALL
  A2DP_ADVAUDIODIST_UUID
  A2DP_AUDIOSINK_UUID
  A2DP_AUDIOSOURCE_UUID
  AVRCP_CONTROLLER_UUID
  AVRCP_TARGET_UUID
  BNEP_UUID
  BPP_UUID
  DUN_UUID
  HFP_AG_UUID
  HFP_UUID
  HID_UUID
  HSP_AG_UUID
  HSP_UUID
  NAP_UUID
  OBEXOBJECTPUSH_UUID
  PANU_UUID
  PBAP_PSE_UUID
  PBAP_UUID
  SPP_UUID
  Blocklist Bluetooth Service by UUID
  Use this control to block peripherals from connecting based on their Bluetooth service UUID. When enabled, all peripherals except those with UUIDs specified here are allowed from operating with the device. The UUIDs should be as per BT SIG specifications. See the KSP Admin guide for a list of frequently used UUIDs.
  NONE
  ALL
  A2DP_ADVAUDIODIST_UUID
  A2DP_AUDIOSINK_UUID
  A2DP_AUDIOSOURCE_UUID
  AVRCP_CONTROLLER_UUID
  AVRCP_TARGET_UUID
  BNEP_UUID
  BPP_UUID
  DUN_UUID
  HFP_AG_UUID
  HFP_UUID
  HID_UUID
  HSP_AG_UUID
  HSP_UUID
  NAP_UUID
  OBEXOBJECTPUSH_UUID
  PANU_UUID
  PBAP_PSE_UUID
  PBAP_UUID
  SPP_UUID
  Allow Device discoverable Mode
  Use this control to enable or disable Bluetooth discoverable mode.
  Boot banner
  A group of controls to add, change, or show a banner upon device restart. Available with a KPE Premium license.
  Enable banner on device reboot
  Use this control to show a banner on the device display when the device restarts. Default value is set to not show a banner upon device reboot.
  Custom Banner Message
  If you want to show custom text to the user when the device restarts, enter the text in this field.
  Battery Optimization (Premium)
  A group of controls to optimize battery usage. Available with a KPE Premium license.
  Enable battery optimization
  Use this control to optimize battery and enable device to shutdown, if the user is inactive for the set user inactivity timeout
  Set User Inactivity Timeout
  Enter the user inactivity timeout in seconds(10 minutes as minimum) for device to shutdown, in order to optimize battery.
- Device Key Mapping
  A group of controls to map key up. Available with a KPE Premium license.
  Enable Key Mapping
  Use this control to enable key mapping. Enable this control before changing any Device Key Mapping settings. If this control is not enabled, any Device Key Mapping settings are ignored.
  Enable XCover/Active Key Mapping for Microsoft Teams
  Use this control to enable key mapping for passing intent for Microsoft Teams package.
  XCover/Active key Mapping for specific application
  A group of controls to enable XCover/Active key mapping for a specific application
  Package Name
  Enter the name of the package (application) that will receive the XCover key mapping action
  Use Samsung Intent
  If this option is enabled, the intent definitions below will be ignored. Supported from Knox 3.7.1
  Intent for Key press
  Enter the intent name provided by the Application Vendor for XCover Key Press
  Intent for Key release
  Enter the intent name provided by the Application Vendor for XCover Key Release
  Top Key Mapping for specific application
  A group of controls to enable Top key mapping for a specific application
  Package Name
  Enter the name of the package (application) that will receive the Top key mapping action
  Use Samsung Intent
  If this option is enabled, the intent definitions below will be ignored. Supported from Knox 3.7.1
  Intent for Key press
  Enter the intent name provided by the Application Vendor for Top Key Press
  Intent for Key release
  Enter the intent name provided by the Application Vendor for Top Key Release
  Enable Key Mapping to Launch applications (Configure profiles below)
  Use this control to enable key mapping for specific action for defined package
- Enterprise Billing policy (Premium)
  A group of policies to control Enterprise Billing policies. This allows separate bill generation for both personal and enterprise data usage, accomplished by routing respective traffic through 2 different APNs on a device. Before using this feature, check that it is supported by your network operator.
  Enable enterprise billing policy
  Use this control to enable or disable Enterprise Billing settings for the device. Enable this control before changing any Enterprise Billing settings. If this control is not enabled, any Enterprise Billing settings are ignored.
  Name of APN configuration to use for Enterprise apps
  Use this to specify the names of the APN configurations for Enterprise Billing. If you have more than one, enter the values as a comma separated list, For example, "APN_1, APN_2".
  List of apps to use enterprise billing
  Use this to setup list of apps that should use the Enterprise Billing. Enter the values as a comma separated list of the application packages, for example, "com.xyz, com.abc".
  VPN profile names to use enterprise billing
  Use this to specify the names of the VPN profiles to route over the Enterprise Billing APN. Enter the values as a comma separated list of the VPN profile name, for example "VPN profile 1, VPN profile 2"
  Allow roaming
  Use this to allow or prevent devices from using enterprise data while roaming when configured with Enterprise Billing. If enabled, enterprise data stays connected while roaming. If prevented, apps using enterprise data do not connect to the network.
- Universal Credential Manager policy (Premium)
  A group of policies to manage credentials in both external and internal device storage, for example, a smartcard, micro SD card, or embedded Secure Element. A KPE Premium license is required for all policies in this group.
  Enable UCM policy controls
  Use this control to enable or disable UCM policies. Enable this option before using any of the UCM policies. If this option is disabled, any UCM settings and policies are ignored.
  UCM plugin for device lock
  A group of policies to specify how to use a UCM plugin for device unlock.
  Enable UCM plugin for device lock
  Use this control to enable or disable device unlock through a UCM plugin. Enable this option to allow the specified plugin app to use stored credentials to unlock a device. Once enabled, device users cannot change the lock type. Disable to let device users control the lock type.
  Name of UCM plugin configuration to use
  Enter the name of a UCM plugin configuration, which specifies how credential storage is used. Ensure that the name used here matches at least one name in the UCM Plugin Configurations > Name field.
  Show lock type settings directly
  Enable this control to display a screen showing the screen lock setting when UCM plugin for device lock is turned on. Disable if device users must go to device Settings to view or change the lock type.
  General purpose UCM plugin
  A group of policies to control a credential storage and UCM plugin that manages the credential storage.
  Enable a general purpose UCM plugin
  Use this control to enable or disable a general purpose UCM plugin. Enable this option to manage a credential storage and the UCM Plugin used to access the storage. Disable to prohibit general access to the storage space.
  Name of UCM plugin configuration to use
  Enter the name of a UCM plugin configuration, which specifies how credential storage is used. Ensure that the name used here matches at least one name in the UCM Plugin Configurations > Name field.
- Certificate management policies (Premium)
  A group of policies to control certificate management settings. For example, disable certificates, restrict certificates and more.
  Enable certificate management controls
  Use this control to enable or disable certificate management settings for the device. Enable this control before changing any certificate management settings. If this control is not enabled, any Enterprise certificate management policy is ignored.
  Certificate revocation
  Choose the Certificate revocation method most appropriate for your devices.
  Enable revocation check
  Use this to check certificate validation. For example if you list “com.samsung.email” in a allowlist, any certificates used by this app for SMIME encryption or signing is first checked against a list of Certificate Revocation List (CRL) to verify that they are still valid. Enter the application package names to check as a comma separated list, for example (“com.xyz, com.abc”)
  Not enabled
  Enable for all apps
  Enable for specified apps only
  Enable OCSP check before CRL
  Use this to perform certificate validation using OSCP before checking a CRL. If the OCSP response is inconclusive the device performs a CRL check.
  List of apps to enable for verification
  Use this to perform certificate revocation on a list of applications. Enter the values as a comma separated list of the application packages, for example, “com.xyz, com.abc”.
  Add trusted CA certificate
  Enter the name of a Trusted CA Alias which was already defined in Certificate Alias. Enter the values as a comma separated list of the Trusted CA Alias
  Block User from removing Certificate
  Use this control to block the user from removing certificates from the keystore. By default, users are allowed to remove certificates from the keystore.
  Allow applications to read private keys without alerting user (Configure profiles below)
  Use this setting to Allow application to read private keys without alerting user. To specify application package name, host, port, alias & storage name that will be matched with what applications provided. Use the Allowed apps for reading private keys section.
  Install Certificate in keystore(s) silently
  Enter the name of a CA Alias which will be installed silently in the device keystore(s). Enter the values as a comma separated list of the CA Alias
- Client Certificate management (CCM) policies (Premium)
  A group of policies to control client certificate management settings.
  Enable client certificate management controls
  Use this control to enable or disable client certificate management settings for the device. Enable this control before changing any client certificate management settings. If this control is not enabled, any Enterprise client certificate management policy is ignored.
  Add packages to be exempted from access control
  Enter Name of the packages to be exempted from access control.Enter the values as a comma separated list of the package names.
- Network Platform Analytics (NPA) (Premium)
  A group of controls to enable and configure NPA clients to collect network activity data on the device. Available with a KPE Premium license.
  Enable NPA Controls
  Use this control to allow your NPA client to collect network activity data on the device. Enable this option before you specify any other options for your NPA client.
  NPA Client
  Select the NPA Client that can collect network activity data on the device.
  Cisco Connect
  NPA Profile for Data Points
  Enter the name of the profile that specifies the data points you want the NPA Client to collect. This profile name must match the ‘Profile Name’ value set in the NPA Data Points Profile section.
- Audit Log (Premium)
  A group of controls to enable audit log on the device. Available with a KPE Premium license
  Enable Audit Log
  Use this control to enable audit log to capture events such as Password policies set for devices; App installation and removal; Certificate failure and key generation; Account creation and removal; File exchange attempts over Wi-Fi etc
  Audit Log Policy Configuration
  A group of controls to configure audit log on the device. Available with a KPE Premium license
  Audit Log Policies
  Use this control to select granular audit log on the device
  All Group
  Application Group
  Events Group
  Network Group
  Security Group
  System Group
  Audit Log Outcome
  Use this control to select audit log outcome on the device
  All
  Failures
  Successes
  Audit Log Severity Level
  Use this control to select severity level of Audit Log
  All
  Alert
  Critical
  Error
  Warning
  Audit Log Frequency
  Use this control to select the Audit log frequency
  2 Hours
  6 Hours
  12 Hours
  24 Hours
- Date Time Change
  A Group of control to enable Date and Time Change
  Enable Date Time Policy controls
  Use this control to enable Date and Time Change
  Allow Date Time change
  Use this setting to allow or disallow date time change
- Device Account Policy
  A group of controls for Device Account Policy
  Enable Device Account Policy controls
  A group of controls to Enable Device Account Policy
  Enable Device Account policies (Configure profiles below)
  Use this setting to enable device account addition policies
- Peripheral Configuration Policy
  A group of controls for Peripheral Configuration Policy
  Enable Peripheral Configuration controls
  Use this setting to enable peripheral configurations. Use the Peripheral Configuration section to configure various peripheral devices.
Work profile policies (Profile Owner)
A group of policies and restrictions that are applicable to the Work profile user of the device. Starting Knox 3.0, a KPE Premium license activation is required for using any policy in the work profile.
- Enable work profile policies
  Enable this setting before using any of the Work Profile policies. If this setting is disabled, KSP does not apply any policy changes inside the Work Profile.
- Work profile configuration (Premium)
  A group of policies that control the configuration of the Work Profile on the device, for example rename the tab and allow moving apps in and out of the Workspace.
  Enable work profile configuration controls
  Use this setting to enable or disable configuration controls for the Work Profile on the device. Enable this setting before using any of the Work profile configuration controls. If this setting is disabled, KSP does not apply any changes to the Work profile.
  Allow adding apps from personal space to work profile
  Use this setting to allow or restrict the user from installing any personal workspace apps to the Work Profile.
  Customize work profile tab name
  Use this field to specify a custom name for the Work Profile tab on the home screen and device settings. Availability: KPE Premium license, Knox 3.4 and higher.
  Customize personal tab name
  Use this field to specify a custom name for the personal workspace tab on the home screen and device settings. Availability: KPE Premium license, Knox 3.4 and higher.
- Continuous Multi Factor Authentication Policy
  A group of policies for advance access control on work profile
  Enable Continuous Multi Factor Authentication
  Use this setting to enable or disable configuration controls for the Advance Access. Enable this setting before using any of the Advance Access controls. If this setting is disabled, KSP does not apply any changes to the Advance Access.
  Continuous Multi Factor Authentication Method
  Use this settings to select continuous multi factor authentication method for work profile. If face is selected and unknown face is detected by the device then profile will be locked immediated
  None
  Access Control Using Face
- RCP policy (Premium)
  A group of policies to control Data sync on specific applications
  Enable RCP Policy Controls
  Use this control to enable RCP settings for the Applications. If this control is not enabled, any RCP policy settings you change are ignored and the device may use RCP with default values.
  Allow moving files from personal space to work profile
  Use this setting to allow or restrict the user from moving files from personal workspace to the Work Profile.
  Allow moving files from work profile to personal space
  Use this setting to allow or restrict the user from moving files from Work Profile to personal workspace.
  Enable RCP data sync policy (Configure profiles below)
  Use this setting to enable RCP data sync policy. To apply specific data sync policies, use the RCP data sync config section.
  Enable Sharing of Clipboard Data to Owner
  Use this setting to set the policy value of sharing clipboard to owner from container.
- VPN policy (Premium)
  A group of policies for Knox VPN setup and customization. Availability: All Knox versions with a Premium license.
  Enable VPN controls
  Use this control to enable or disable VPN controls for the device. Enable VPN controls before changing any VPN related settings. If VPN is not enabled, any settings for VPN related items are ignored.
  VPN type
  For devices with a Work profile, choose the VPN type applicable to the apps in the work profile. Choose between all apps in the Work profile or specific apps within the Work profile.
  Work profile
  Selected Apps (Per App)
  Manage list of apps that can use VPN
  For devices with a Work profile and where the VPN type is set to Selected Apps, enter a comma-separated list of package names to specify apps that must use VPN to connect. To use VPN for all apps within the Work profile, do not enter any app names.
  Enable on-demand VPN
  For devices with a Work profile and where the VPN type is set to Selected Apps, use this control to start VPN on-demand when one of the specified apps is connects to the network. When no apps are in use, VPN is terminated. By default, all apps use VPN on-demand.
  Manage list of apps that can bypass VPN
  For devices with a Work profile, enter a comma-separated list of package names to specify apps that can bypass VPN connections. To use VPN for all apps, do not enter any app names.
  Name of VPN profile to use
  Enter the name of the primary VPN configuration profile that apps can use for network connections. This name must match the "profile name" of one of the profiles in "VPN profiles" section.
  Enable VPN chaining
  Use this control to enable the use of two VPNs to double encrypt the data-traffic from apps added to the VPN profile. By default, this value is set to disallow VPN chaining.
  Name of secondary VPN profile
  For devices with multiple VPN profiles, enter the name of the outer VPN configuration profile. This VPN server decrypts all data before passing it to the VPN client. This name must match the "profile name" of one of the profiles in "VPN profiles" section.
- Firewall policy (Premium)
  A group of policies for firewall setup and configuration. IT admins can enforce these policies for devices with a Work profile.
  Enable firewall controls
  Use this control to enable or disable the firewall controls for the Work profile.
  Name of firewall configuration to use
  Enter the name of the primary firewall configuration profile that apps can use for network connections. This profile name must match the value set in the Firewall profiles section.
- Restrictions in work profile (Premium)
  A group of controls to allow or block specific operations in the work profile user.
  Enable work profile restriction controls
  Enable this before using any of the Work Profile Restrictions below. If this is disabled, KSP will ignore any value set below and will not enforce any restrictions.
  Allow microphone
  Use this setting to disable the microphone without user interaction. Disabling this control restricts the use of the microphone for recording purposes, but does not impact the use of the phone application on the device.
  Allow Share Via option
  Use this control to enable or disable the Share Via option that presents User options to share data from one application to another application using one of the many available options.
  Allow Bluetooth
  Use this control to enable or disable Bluetooth inside container. (supported from Android 10 and above only)
  Allow Camera
  Use this control to enable or disable camera.
  Allow Clipboard
  Use this control to enable or disable clipboard.
  Allow Video Recording
  Use this control to enable or disable video recording.
- Advanced restrictions in work profile (Premium)
  A group of controls to manage advanced restriction policies on the Work Profile. Availability: Premium license.
  Enable advanced restrictions in work profile
  Use this control to enable advanced controls in the Work Profile, such as Wi-Fi or Bluetooth scanning.
  Allow remote control
  Use this control to block connections to the device, using third-party remote control apps.
- Password Policy (Premium)
  A group of policies to manage password policies on the device, including enabling or disabling the ability to manage passwords and other authentication methods to log in to the Work profile. These policies apply to all devices with a Work profile.
  Enable password policy controls with KSP
  For devices with a Work profile, use this control to allow management of password policies on the Work profile. Enable this option before changing any related settings. If this option is not enabled, any settings for password and authentication related items are ignored.
  Biometric authentication
  A group of policies to manage the biometric authentication options without user interaction. Knox Workspace does not use facial recognition as an authentication method.
  Enable fingerprint authentication
  Use this control to allow or stop the use of fingerprint recognition for authentication.
  Enable Iris authentication
  Use this control to allow or stop the use of iris recognition for authentication.
  Enable Face recognition
  Use this control to allow or stop the use of facial recognition for authentication.
  Enable multifactor authentication
  Use this control to enable or disable multifactor authentication (2FA). Once enabled, the workspace is only unlocked after two authentication methods are provided, including one biometric input (face / iris / fingerprint) and one lock screen method (PIN / password / pattern). This feature is available only on Knox 3.2.1 and above. Caution: Incorrect use of this policy together with “One Lock” and “Biometric policy” can lock your device.
  Password Change (Premium)
  A group of policies to manage password change.
  Enforce Password Change
  Use this control to enforce password change. if no password set, enforce to set. Caution: Verify password enforcement condition before saving any new policy otherwise it will enforce password at unexpected time
  Password Enforcement timeout
  Enter the value in mins up to which user can cancel/delay the password change
  Password Restriction
  A group of policies to manage password restriction.
  Maximum Character Sequence Length
  Use this policy to specify the maximum length of an alphabetic sequence that is allowed for the work profile.
  Maximum Numeric Sequence Length
  Use this policy to specify the maximum length of numeric sequence that is allowed for the work profile.
  Minimum Password Length
  Use this policy to specify minimum length password allowed for the profile.
  Allowed Time for User Activity before Work Profile Locks
  Enter the maximum number of time in seconds for user activity until the work profile will lock. A Value of 0 means there is no restriction; Caution: The API takes into effect immediately
  Maximum Failed Password Attempt to Wipe Data
  Enter the maximum number of failed password allowed until the data in the work profile is wiped. Caution: The API takes into effect immediately with the # of failed attempts and data will be wiped completely and no possible way to revert
  Maximum Failed Password Attempt to Disable Work Profile
  Set the maximum permitted failed password attempts before the device is rendered inoperable. When the set value is exceeded, the device container is disabled and a blocking page displays to the user. The impacted device can be re-enabled using API by setting set this value to zero (0). However, KSP cannot be used to unlock just the impacted device, and each device within the impacted device group will have this feature disabled. Additionally, when the disabled device is rebooted it remains in a file-based encrypted state, and is unable to receive any KSP policies.
  Define Password Quality
  Select level of complexity you would like to define for the work profile password; From No Password to Complex Password (letter, numeric & alphanumeric); Numeric Complex Password must include numeric character with no repeating or ordered
  No Password
  Some Password
  Numeric
  Alphabet
  Alphanumeric
  Numeric Complex
  Complex
  Disable Keyguard Feature
  Select the Keyguard feature to disable
  None
  Disable Trusted Agents
  Enable password visibility
  Use this policy to control the visibility of Password while Typing
- Application management policies (Premium)
  A group of policies to configure and manage applications inside the Work Profile on the device.
  Enable application management controls
  Use this control to enable or disable advanced application management settings.
  Battery optimization allowlist
  Use this control to exempt applications from battery usage optimizations such as Android Doze mode. Enter a comma-separated list of package names to specify the apps to allowlist.
  Notifications allowlist
  Use this control to stop applications from showing notifications on the status bar. When this policy is enabled, notifications from all applications in the workspace are blocked except for the apps specified in this allowlist. Enter the values as a comma separated list or wildcard to specify multiple apps to the allowlist, if you want to use advanced query, please use correct regular expression syntax.
  Install app from personal to work profile
  Use this control to install an existing application from the personal (default) space into the Work Profile, without requiring user interaction.
  Allow USB Devices for default access by Application (Configure profiles below)
  Use this setting to grant user permission for one or more usb devices to be used by a particular package. Use the Allowed USB devices for Applications section for Configurations.
  Application Allowlist by Pkg Name
  Use this control to allowlist applications to be installed on the PO. When this policy is enabled, third-party application (application that is not part of system image) based on the application package name will be allowlisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the allowlist, if you want to use advanced query, please use correct regular expression syntax. If the package name of an application currently being installed matches a package name pattern in both the blocklist and allowlist, the allowlist takes priority and the application is installed.
  Application Blocklist by Pkg Name
  Use this control to blocklist applications to be installed on the PO. When this policy is enabled, third-party application (application that is not part of system image) based on the application package name will be blocklisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the blocklist, if you want to use advanced query, please use correct regular expression syntax. If the application package is already installed, the API does not affect the existing installation.
  Application Allowlist by Signature used
  Use this control to allowlist applications to be installed on the PO. When this policy is enabled, third-party application (application that is not part of system image) based on the signature used by the application will be allowlisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the allowlist. If the signature of an application currently being installed matches the signature in both the blocklist and allowlist, the allowlist takes priority and the application is installed.
  Application Blocklist by Signature used
  Use this control to blocklist applications to be installed on the PO. When this policy is enabled, third-party application (application that is not part of system image) based on the signature used by the application will be blocklisted. Enter the values as a comma separated list or wildcard to specify multiple apps to the blocklist. If the application package is already installed, the API does not affect the existing installation.
  Disable Application without user interaction
  Use this control to disable application without user interaction. The disabled application package is not uninstalled but the device user cannot use it. The API does not affect the future application package state. Enter the values as a comma separated list, for example, "com.xyz, com.abc".
  Force Stop Blocklist
  Use this control to prevent the user from stopping certain applications. The stop actions include force stop in Settings app, stopping through third-party applications, stopping any background process by system and stopping any service from the application. Enter the values as a comma separated list or wildcard to specify multiple apps to the blocklist, if you want to use advanced query, please use correct regular expression syntax.
  Package Name for Auto-Launch
  Enter the package name of the application that needs to be launched after it is installed along with the Component name. Example: PackageName/ComponentName
- Device Admin allowlisting (Premium)
  A group of policies to manage Device Administrator (DA) privileges to specific apps when KSP is launched on the device. By default, DA level access is blocked for all apps. KSP cannot deactivate DA level access for an app that is already activated before KSP is launched.
  Enable device admin controls
  Use this control to enable or disable Device Admin allowlisting control for applications on a device where KSP is launched.
  Allowlisted DAs
  By default, KSP will block activation of any application as device admin, except those specified in this allowlist. Enter a comma-separated list of packages to specify the list of apps to allowlist.
- Device Key Mapping
  A group of controls to map hardware key. Available with a KPE Premium license and Knox 3.7.1
  Enable Key Mapping
  Use this control to enable key mapping. Enable this control before changing any Device Key Mapping settings. If this control is not enabled, any Device Key Mapping settings are ignored.
  Enable XCover/Active Key Mapping for Microsoft Teams
  Use this control to enable key mapping for passing intent for Microsoft Teams package.
  XCover/Active key Mapping for specific application
  A group of controls to enable XCover/Active key mapping for a specific application
  Package Name
  Enter the name of the package (application) that will receive the XCover key mapping action
  Use Samsung Intent
  If this option is enabled, the intent definitions below will be ignored. Supported from Knox 3.7.1
  Intent for Key press
  Enter the intent name provided by the Application Vendor for XCover Key Press
  Intent for Key release
  Enter the intent name provided by the Application Vendor for XCover Key Release
  Top Key Mapping for specific application
  A group of controls to enable Top key mapping for a specific application
  Package Name
  Enter the name of the package (application) that will receive the Top key mapping action
  Use Samsung Intent
  If this option is enabled, the intent definitions below will be ignored. Supported from Knox 3.7.1
  Intent for Key press
  Enter the intent name provided by the Application Vendor for Top Key Press
  Intent for Key release
  Enter the intent name provided by the Application Vendor for Top Key Release
- Enterprise Billing policy (Premium)
  A group of policies to control Enterprise Billing policies. This allows separate bill generation for both personal and enterprise data usage, accomplished by routing respective traffic through 2 different APNs on a device. Before using this feature, check that it is supported by your network operator. E-Billing will not be supported in PO starting in R-OS and above.
  Enable enterprise billing policy
  Use this control to enable or disable Enterprise Billing settings for the device. Enable this control before changing any Enterprise Billing settings. If this control is not enabled, any Enterprise Billing settings are ignored.
  Name of APN configuration to use for Enterprise apps
  Use this to specify the names of the APN configurations for Enterprise Billing. If you have more than one, enter the values as a comma separated list, For example, "APN_1, APN_2".
  Apps to use Enterprise billing
  Use this to specify whether you would like to setup all apps in the workspace or specific apps only to use the Enterprise Billing.
  All apps in Workspace
  Selected apps only
  List of apps to use enterprise billing
  Use this to setup list of apps within the workspace that should use the Enterprise Billing. Enter the values as a comma separated list of the application packages, for example, "com.xyz, com.abc".
  VPN profile names to use enterprise billing
  Use this to specify the names of the VPN profiles to route over the Enterprise Billing APN. Enter the values as a comma separated list of the VPN profile name, for example "VPN profile 1, VPN profile 2"
  Allow roaming
  Use this to allow or prevent devices from using enterprise data while roaming when configured with Enterprise Billing. If enabled, enterprise data stays connected while roaming. If prevented, apps using enterprise data do not connect to the network.
- Universal Credential Manager policy (Premium)
  A group of policies to manage credentials in both external and internal device storage, for example, a smartcard, micro SD card, or embedded Secure Element. A KPE Premium license is required for all policies in this group.
  Enable UCM policy controls
  Use this control to enable or disable UCM policies in the workspace. Enable this option before using any of the UCM policies. If this option is disabled, any UCM settings and policies are ignored.
  UCM plugin for workspace lock
  A group of policies to specify how to use a UCM plugin for device unlock.
  Enable UCM plugin for workspace lock
  Use this control to enable or disable device unlock through a UCM plugin. Enable this option to allow the specified plugin app to use stored credentials to unlock the workspace. Once enabled, device users cannot change the lock type. Disable to let device users control the lock type.
  Name of UCM plugin configuration to use
  Enter the name of a UCM plugin configuration, which specifies how credential storage is used. Ensure that the name used here matches at least one name in the UCM Plugin Configurations > Name field.
  Show lock type settings directly
  Enable this control to display a screen showing the screen-lock setting when UCM plugin for workspace lock is turned on. Disable if device users must go to workspace Settings to view or change the lock type.
  General purpose UCM plugin
  A group of policies to control a credential storage and UCM plugin that manages the credential storage.
  Enable a general purpose UCM plugin
  Use this control to enable or disable a general purpose UCM plugin. Enable this option to manage a credential storage and the UCM Plugin used to access the storage. Disable to prohibit general access to the storage space.
  Name of UCM plugin configuration to use
  Enter the name of a UCM plugin configuration, which specifies how credential storage is used. Ensure that the name used here matches at least one name in the UCM Plugin Configurations > Name field.
- Dual Data-at-rest (DAR) Encryption (Premium)
  These controls will work on devices with Dual DAR version 1.1 or above and only when Dual DAR has already been setup for the Workspace using either supported UEM or via Knox Mobile Enrollment (KME) portal. Note: You need a KPE Premium license with Dual DAR add-on to use this feature.
  Enable Dual DAR controls
  Use this control to enable Dual DAR settings for the Workspace. If this control is not enabled, any Dual DAR policy settings you change are ignored and the device may use Dual DAR with default values.
  Data lock timeout type
  Use this control to set a data lock type. This locks the credential encrypted (CE) storage and flushes the key from memory. Once locked, apps can’t use the CE until user provides the credential again.
  No lock-out
  Specified value
  Data lock timeout value (in minutes)
  Use this control to specify the data lock timeout value in minutes. To use this feature, you must set the data lock timeout type to specified value.
  Restrict access to device encrypted (DE) storage
  Use this control to enable or disable access restrictions to the DE storage. By default, apps in the Workspace are allowed to access the DE storage. Enabling this control prevents apps, other than those allowlisted by Admin, to access DE storage.
  List of apps allowed to access DE storage
- Certificate management policies (Premium)
  A group of policies to control certificate management settings. For example, disable certificates, restrict certificates and more.
  Enable certificate management controls
  Use this control to enable or disable certificate management settings for the workspace. Enable this control before changing any certificate management settings. If this control is not enabled, any Enterprise certificate management policy is ignored.
  Certificate revocation
  Choose the Certificate revocation method most appropriate for your workspace.
  Enable revocation check
  Use this to check certificate validation. For example if you list “com.samsung.email” in a allowlist, any certificates used by this app for SMIME encryption or signing is first checked against a list of Certificate Revocation List (CRL) to verify that they are still valid. Enter the application package names to check as a comma separated list, for example (“com.xyz, com.abc”)
  Not enabled
  Enable for all apps
  Enable for specified apps only
  Enable OCSP check before CRL
  Use this to perform certificate validation using OSCP before checking a CRL. If the OCSP response is inconclusive the device performs a CRL check.
  List of apps to enable for verification
  Use this to perform certificate revocation on a list of applications. Enter the values as a comma separated list of the application packages, for example, “com.xyz, com.abc”.
  Add trusted CA certificate
  Enter the name of a Trusted CA Alias which was already defined in Certificate Alias. Enter the values as a comma separated list of the Trusted CA Alias
  Block User from removing Certificate
  Use this control to block the user from removing certificates from the keystore. By default, users are allowed to remove certificates from the keystore.
  Allow applications to read private keys without alerting user (Configure profiles below)
  Use this setting to Allow application to read private keys without alerting user. To specify application package name, host, port, alias & storage name that will be matched with what applications provided. Use the Allowed apps for reading private keys section.
  Install Certificate in keystore(s) silently
  Enter the name of a CA Alias which will be installed silently in the device keystore(s). Enter the values as a comma separated list of the CA Alias
- Client Certificate management (CCM) policies
  A group of policies to control client certificate management settings.
  Enable client certificate management controls
  Use this control to enable or disable client certificate management settings for the device. Enable this control before changing any client certificate management settings. If this control is not enabled, any Enterprise client certificate management policy is ignored.
  Add packages to be exempted from access control
  Enter Name of the packages to be exempted from access control.Enter the values as a comma separated list of the package names.
- Network Platform Analytics (NPA) (Premium)
  A group of controls to enable and configure NPA clients to collect network activity data on the device. Available with a KPE Premium license.
  Enable NPA Controls
  Use this control to allow your NPA client to collect network activity data on the device. Enable this option before you specify any other options for your NPA client.
  NPA Client
  Select the NPA Client that can collect network activity data on the device.
  Cisco Connect
  NPA Profile for Data Points
  Enter the name of the profile that specifies the data points you want the NPA Client to collect. This profile name must match the ‘Profile Name’ value set in the NPA Data Points Profile section.
- Audit Log (Premium)
  A group of controls to enable audit log on the device. Available with a KPE Premium license.
  Enable Audit Log
  Use this control to enable audit log to capture events such as Password policies set for devices; App installation and removal; Certificate failure and key generation; Account creation and removal; File exchange attempts over Wi-Fi etc
  Audit Log Policy Configuration
  A group of controls to configure audit log on the device. Available with a KPE Premium license
  Audit Log Policies
  Use this control to select granular audit log on the device
  All Group
  Application Group
  Events Group
  Network Group
  Security Group
  System Group
  Audit Log Outcome
  Use this control to select audit log outcome on the device
  All
  Failures
  Successes
  Audit Log Severity Level
  Use this control to select severity level of Audit Log
  All
  Alert
  Critical
  Error
  Warning
  Audit Log Frequency
  Use this control to select the Audit log frequency
  2 Hours
  6 Hours
  12 Hours
  24 Hours
- Device Account Policy (Premium)
  A group of controls for Device Account Policy
  Enable Device Account Policy controls
  A group of controls to Enable Device Account Policy
  Enable Device Account policies (Configure profiles below)
  Use this setting to enable device account addition policies
DeX customization profile (Premium)
A group of settings that help customize Samsung DeX experience for the user. These features are available only with a KPE Premium license.
- Set Home alignment
  Select the alignment of apps and icons for the homescreen when the device is in DeX mode. Available options are sort items by type, by item name in alphabetical order, or in a custom grid arrangement. Default value is custom grid.
  Custom Grid
  Alphabetic Grid
  Type Grid
- Set screen timeout
  Enter the duration for which the device must be inactive in Dex mode before the screen times out. Default duration of inactivity is 30 seconds.
- Allow screen timeout change
  Change this setting to allow or block device users to modify the screen timeout settings when the device is in DeX mode. Default value is set to allow device users to modify the timeout settings.
- Set loading logo
  Use these controls to add the logo or image to show on the display when the device is starting DeX mode.
  Logo image location type
  Select the appropriate source type for the location of your image file. To use Base64 string option, convert the source PNG image file to a Base64 encoded string and copy the data to the “Logo image file” field. Please be aware that some UEM console may set size limits. To provide the logo as Web URL type, use a public URL that KSP can access. To provide the logo as local file path, ensure that the image file is available in that path before KSP is launched and ensure that the path is accessible to KSP application.
  None
  Base 64 string
  Web URL
  Local file path
  Logo image content or location
  Depending upon the source type you selected, enter the file's location path or URL in this field. For the base 64 string source type, add the converted image data in this field.
- Set DeX wallpaper
  Use these controls to add the wallpaper image to show on the display when the device is in DeX mode. This feature will work only on devices with Knox 3.3, API level 28 and above.
  Wallpaper image
  Select the appropriate source type for the location of your image file. To use Base64 string option, convert the source PNG image file to a Base64 encoded string and copy the data to the "wallpaper image file" field. Please be aware that some UEM console may set size limits. To provide the logo as Web URL type, use a public URL that KSP can access. To provide the logo as local file path, ensure that the image file is available in that path before KSP is launched and ensure that the path is accessible to KSP application.
  None
  Base 64 string
  Web URL
  Local file path
  Image content or location
  Depending upon the source type you selected, enter the file's location path or URL in this field. For the base 64 string source type, add the converted image data in this field.
  Which wallpaper to setup?
  Use this control to indicate which wallpaper(s) to configure with the new imagery.
  All
  On lock screen
  On system
- Skip DeX welcome screen
  Change this setting to skip the DeX welcome screen containing the Terms and Conditions that shows when the device first connects to DeX mode.
- Skip overscan detection screen
  Change this setting to skip automatic detection of overscan boundaries and size adjustment overlay screen on the monitor.
- App allowlist to auto-launch on DeX connection
  Specify the list of applications you want to auto-launch in DeX mode. Apps here will be auto-launched in the DeX mode only if it is in-use right before DeX mode. Provide the app package names in a comma separated list. Leave the field empty to allow User to control the setting.
- Auto-start DeX on HDMI connection
  Change this setting to start DeX mode automatically when HDMI cable is connected to the device. This feature is available on Knox v3.4 or higher.
- Hide apps in App Drawer
  For devices in DeX mode, enter the list of apps whose icons must be hidden from the App Drawer. These applications will not be disabled. Enter a comma-separated list of package names for the list of applications to hide.
- Enable mouse cursor flow
  Change this setting to allow extending of the mouse cursor from the monitor to the host device when using a Dual view mode.
- Add application shortcuts on DeX
  Use these controls to add shortcuts to one or more apps on the device when the device is in DeX mode. Shortcuts work only when the DeX homescreen uses the custom grid.
  App package name
  The package name of the application that is launched using the app shortcut. You can find the package names on the Play store, under the app’s URL as the information after “id=”.
  Class name
  If required, enter the class name within the application component to launch. Leave this value empty to launch the application in default view.
  Position X
  If required, enter the X coordinates of the app shortcut position starting from zero when the device is in DeX mode.
  Position Y
  If required, enter the Y coordinates of the shortcut position starting from zero when the device is in DeX mode.
- Add URL shortcuts on DeX
  Use these controls to add shortcuts to one or more URLs on the device when the device is in DeX mode. Shortcuts work only when the DeX homescreen uses the custom grid.
  URL
  URL of the website to launch.
  Title
  Title to use for the URL shortcut
  Position X
  If required, enter the X coordinates of the URL shortcut position starting from zero when the device is in DeX mode.
  Position Y
  If required, enter the Y coordinates of the URL shortcut position starting from zero position when the device is on DeX mode.
  Browser to launch the URL
  Select the browser to use to navigate to the URL specified in the shortcut. The choices are Samsung Internet and Google Chrome browsers.
  Samsung Internet
  Chrome
- Disable buttons on the DeX panel
  Use this control to disable one or more specific buttons that show up on the DeX panel.
  Exit DeX button
  DeX labs buttons
  Context menu
- Configure file transfer settings
  A group of controls to enable/disable file copy, drag/drop, copy/paste
  Control file copy from PC to DeX
  Use this control to disable file copy from PC to DeX
  Control file copy from DeX to PC
  Use this control to disable file copy from DeX to PC
- Configure values in DeX settings menu
  A group of policies to customize the DeX settings menu. These settings are part of the Deep Settings Customization feature that is available on device with KPE Premium licenses on Knox v3.4 and higher.
  Name of the Setting item
  Select the menu item in the DeX settings that you want to control. Use this control in combination with the next control.
  DeX Settings > Resolution
  Set value for the setting
  Use this control to turn a DeX setting on or off. For items that support values other than a simple on or off, select Use Specified Value and use the next control to specify the value. Refer to the KSP Admin Guide for detailed information.
  On
  Off
  Use specified value
  Specify value
  If you selected Use Specified Value in the previous control, enter the actual value you want to set in this field. Refer to the KSP Admin Guide for detailed information.
  Allow end-user modification of this setting
  Use this control to allow or restrict (Grayout) the device user from changing these configuration settings. When this setting is disabled for a specific device setting item, the corresponding menu item on the UI is grayed out disabled for the device user.
  Configure to hide settings
  Use this control to hide settings.
Device and Settings customization profile (Premium)
A group of controls to configure and customize the device user's experience. These features are available only with a KPE Premium license with customization permissions.
- Samsung keyboard controls
  Use this control to enable and configure Samsung's built-in keyboard.
  Disable Predictive text
  Use this control to enable or disable the use of predictive text to facilitate typing on the device by suggesting words the device user may want to use in a text field. Predictions are based on the context of other words in the message and the first few letters typed.
  Disable Keyboard settings
  Use this control to enable or disable the settings that let the user switch between different Samsung Keyboard options.
  Samsung Keyboard Toolbar Controls
  Use this control to enable or disable toolbar configuration of Samsung Keyboard
  Disable Emoticon
  Use this control to enable or disable Emoticons on Keyboard Toolbar
  Disable Sticker
  Use this control to enable or disable Sticker on Keyboard Toolbar
  Disable Gif Keyboard
  Use this control to enable or disable Gif Keyboard on Keyboard Toolbar
  Disable Voice Input
  Use this control to enable or disable Gif Keyboard on Keyboard Toolbar
  Disable Live Message
  Use this control to enable or disable Live Message on Keyboard Toolbar
  Disable Handwriting Input
  Use this control to enable or disable Handwriting Input on Keyboard Toolbar
  Disable Clipboard
  Use this control to enable or disable Clipboard on Keyboard Toolbar
  Disable Modes
  Use this control to enable or disable Modes on Keyboard Toolbar
  Disable Text Edit Panel
  Use this control to enable or disable Text Panel Edit on Keyboard Toolbar
- Quick Panel configuration
  A group of policies to customize the access to the Quick Settings Panel on the device.
  Items on Quick Panel
  Use these controls to hide or show one or more items from the list of shortcuts available in the Quick Settings Panel. Other shortcuts not listed here will be shown by default.
  Show airplane mode control
  Use this control to show or hide shortcut to the airplane mode control on quick settings panel.
  Show screen rotatation control
  Use this control to show or hide shortcut to the screen rotation control on quick settings panel.
  Show always-on screen control
  Use this control to show or hide shortcut to the always-on screen control on quick settings panel.
  Show bluetooth control
  Use this control to show or hide shortcut to the bluetooth control on quick settings panel.
  Show Samsung DeX control
  Use this control to show or hide shortcut to the Samsung DeX control on quick settings panel.
  Show mobile hotspot control
  Use this control to show or hide shortcut to the mobile hotspot control on quick settings panel.
  Show NFC control
  Use this control to show or hide shortcut to the NFC control on quick settings panel.
  Show background sync control
  Use this control to show or hide shortcut to the background data sync control on quick settings panel.
  Show Wi-Fi control
  Use this control to show or hide shortcut to the Wi-Fi control on quick settings panel.
  Show Location control
  Use this control to show or hide shortcut to the Location control on quick settings panel.
  Show Screen Mirroring control
  Use this control to show or hide shortcut to the Screen Mirroring control on quick settings panel.
  Show Do Not Disturb control
  Use this control to show or hide shortcut to the Do Not Disturb control on quick settings panel.
  Show Dolby control
  Use this control to show or hide shortcut to the Dolby control on quick settings panel.
  Allow user to edit Quick Panel
  Use this control to allow or block the device user from editing the configuration of the Quick Settings Panel.
- Disable app suggestions
  Use this control to disable application suggestions in the task manager and other places on the device. Availability: Knox 3.4 and above.
- Enable battery protection setting
  Use this control to enable the "protect battery" device setting that stops charging before 100%. NOTE that this setting will not take effect until the next device reboot. Availability: Knox 3.4 and above. Select devices support this setting. This policy has no effect on unsupported device.
- Lockscreen customization
  A group of controls to allow customization of UI shortcuts available on the device’s lockscreen. Available with a KPE Premium license.
  Lockscreen shortcuts
  Use this control to enable the use of lockscreen shortcuts on the device. Enable this option before customizing app shortcuts.
  App for left shortcut
  Enter a package name to specify the app that opens when the user uses the left shortcut on the lockscreen.
  App for right shortcut
  Enter a package name to specify the app that opens when the user uses the right shortcut on the lockscreen.
- Configure values in settings menu
  A group of policies to customize the device settings menu. These settings are part of the Deep Settings Customization feature that is available on device with KPE Premium licenses on Knox v3.4 and higher. Support for individual settings varies based on the device’s model and OS.
  Name of the Setting item
  Select the menu item in the device settings that you want to control. Use this control in combination with the next control. Refer https://docs.samsungknox.com/admin/knox-service-plugin/advanced-policies.htm#mag_6 for additional configuration details.
  Accessibility > Advanced Settings
  Accessibility > Advanced Settings > Power and Volume up keys
  Accessibility > Advanced Settings > Flash Notification
  Accessibility > Installed Services
  Apps > Special access > Picture-in-Picture
  Display > Adaptive brightness
  Display > Accidental touch protection
  Display > Eye comfort shield (Blue light filter)
  Display > Eye comfort shield (Blue light filter) > Color temperature (Opacity)
  Display > Blue light filter > Turn on now
  Display > Eye comfort shield (Blue light filter) > Custom (Turn on as scheduled)
  Display > Eye comfort shield (Blue light filter) > Set schedule (Turn on as scheduled) > Sunset to sunrise / Custom
  Display > Eye comfort shield (Blue light filter) > Set schedule (Turn on as scheduled) > Custom > Start time
  Display > Eye comfort shield (Blue light filter) > Set schedule (Turn on as scheduled) > Custom > End time
  Display > Screen timeout
  Display > Screen zoom
  Display > Navigation bar
  Display > Navigation bar > Button order
  Display > Touch sensitivity
  Font size and style > Font Size (Accessibility / Display)
  Font size and style > Font Style (Accessibility / Display)
  General Management > Language and Input > Text-to-speech > PreferredEngine
  General Management > Language and Input > Text-to-speech > Pitch
  General Management > Language and Input > Text-to-speech > Speech rate
  General Management > Language and Input > Physical keyboard > Change language shortcut
  General Management > Language and Input > On-screen keyboard > Show Keyboard Button
  General Management > Language and Input > On-screen keyboard > Default keyboard
  Location > Improve accuracy with Wi-Fi
  Location > Improve accuracy with BT
  Lock Screen > Notifications
  Lock Screen > Notifications > Auto-reverse text color
  Lock Screen > Notifications > Transparency
  Lock Screen > Notifications > View style
  Lock Screen > Notifications > Hide content
  Lock Screen > Roaming clock
  Lock Screen > Roaming clock > Home time zone
  Lock Screen > Roaming clock > Show on Always On Display
  Notifications > Status bar > Display battery percentage
  Notifications > Status bar > Show icons
  Sounds and Vibration > Notification sounds
  Sounds and Vibration > Notification sounds > SIM1
  Sounds and Vibration > Notification sounds > SIM2
  Sounds and Vibration > System Sounds and vibration > Charging sound
  Sounds and Vibration > System Sounds and vibration > Dialing keypad tone
  Sounds and Vibration > System Sounds and vibration > Keyboard sound
  Sounds and Vibration > System Sounds and vibration > Keyboard vibration
  Sounds and Vibration > System Sounds and vibration > Screen lock sound
  Sounds and Vibration > System Sounds and vibration > Touch sound
  Sounds and Vibration > System Sounds and vibration > Touch vibration
  Sounds and Vibration > Use volume key for media
  Sounds and Vibration > Vibration pattern
  Sounds and Vibration > Vibration while ringing
  WiFi > Advanced > Switch to mobile data
  WiFi > Advanced > Switch to mobile data > Allow individual apps to switch
  WiFi > Advanced > Turn on WiFi automatically
  WiFi > Advanced > WiFi power saving mode
  WiFi > Advanced > Hotspot 2.0
  WiFi > Disable internet connectivity
  Side key > Press and hold
  Set value for the setting
  Use this control to turn a device setting on or off. For items that support values other than a simple on or off, select Use Specified Value and use the next control to specify the value. Note: For Font Style, only 2 options are available (SamsungOneUI-Regular.xml or Foundation.xml) and input has to be typed exactly as shown. Refer to the KSP Admin Guide for detailed information.
  On
  Off
  Use specified value
  Specify value
  If you selected Use Specified Value in the previous control, enter the actual value you want to set in this field. Refer to the KSP Admin Guide for detailed information.
  Allow end-user modification of this setting
  Use this control to allow or restrict the device user from changing these configuration settings. When this setting is disabled for a specific device setting item, the corresponding menu item on the UI is grayed out disabled for the device user.
  Configure to hide settings
  Use this control to hide settings
- Audio Volume Controls
  Use this control to configure the Audio Stream & Volume Controls
  Audio Stream
  Select the audio stream from the given choice
  Ringer
  Voice Call
  System Sounds
  Media Playback
  Notifications
  Volume Level
  Set the volume level of the selected audio stream; Max value is 15. For Voice Call, the control range is from 1 to 8.
VPN profiles (Premium)
A group of configuration settings for the VPN profiles used to drive the primary and secondary VPN clients on the device. You can define up to two VPN profiles that are used for VPN Chaining.
- Profile name
  Enter the name of the VPN profile in this field. Use a unique and descriptive name, including the name of the VPN server and other identifying descriptions. For example, KnoxOuterVPN or CIscoInnerVPN. This field should be used as reference in the "Name of VPN profile to use" or "Name of secondary VPN profile" section at device-wide or work profile level VPN policy controls.
  Vendor
  Select the VPN Vendor that manufactured your VPN client. To use Strong Swan VPN that is part of the Knox framework, select Knox built-in. To use another VPN client that is not the default Knox built-in client, ensure that the appropriate VPN client is installed before KSP is launched. KSP does not automatically install the VPN client.
  Knox built-in
  Cisco Any Connect
  Pulse Secure
  Net Motion
  Sectra Mobile
  STEE
  Host
  Enter a server host IP or domain name format. Refer to your VPN provider's documentation for the formats applicable to your VPN client. For Sectra, at least one server must be specified, and no more than six using the following format [address1:port1,address2:port2].
  VPN connection type
  Select the type of security protocol that the VPN client uses to connect to the server. Some VPN Vendors may not support some of the connection types. Refer to your VPN provider's documentation for this information.
  IPSEC
  SSL
  Include UID/PID meta data
  Use this control to enable the inclusion of metadata about the unique identifier of the device's user (UID) and the processes running on the device (PID).
  Proxy
  Use these controls to add information about the proxy server and other configurations used with this VPN profile.
  Enable Proxy with VPN
  If required, use this control to use proxy servers with your VPN connection.
  Server
  If your configuration uses proxy servers, enter the VPN proxy server information in this field. Contact your Network or IT Administrator for this information.
  Port
  Enter the port number on the device that the proxy uses for communication. Contact your Network or IT Administrator for this information.
  PAC (Proxy auto config)
  Specify the URL for your proxy's automatic configuration file that determines the appropriate proxy server to use for each URL accessed. Contact your Network or IT Administrator for this information.
  Proxy authentication type
  Proxy use is possible without authentication or with basic or NTLM authentication using admin provided credential or user credentials. Contact your Network or IT Administrator for more information.
  No Auth
  Basic Auth
  NTLMv2
  Username
  If you want to use admin provided credentials, enter the username for use with the proxy server. Leave this field empty to let the device user use their own credentials for the device.
  Password
  For proxies that use the IT admin provided credentials, enter the password used with the proxy username. Leave this field empty if you didn't provide a proxy username earlier and to let the device user use their own credentials for the device.
  Parameters for Knox built-in VPN (for Strong Swan)
  Use these controls to specify vendor-specific attributes for your Knox built-in VPN client.
  Authentication type
  Select the type of authentication that your Knox built-in VPN client uses.
  ipsec_xauth_rsa
  ipsec_xauth_psk
  ipsec_hybrid_rsa
  ipsec_ike2_rsa
  ipsec_ike2_psk
  Auto retry in minutes
  When the VPN client is unable to connect or drops an active connection to the server, it automatically tries to reconnect. Enter the time interval, in minutes, after which the VPN client tries to reconnect. Default interval is two minutes
  Identifier
  Enter the built-in unique VPN identifier that applies to your VPN provider. This information applies to the ipsec_ike2_psk authentication type. Your IT admin provides this information when setting up the VPN client profile.
  Pre-shared key
  Enter your VPN client's pre-shared key, that is a form of password, that applies to your VPN client profile. This information applies to the ipsec_ike2_psk authentication type. Your IT admin provides this information when setting up the VPN client profile.
  User certificate alias
  Enter the alias that identifies the user certificate used for the your VPN client. Your IT admin provides this information when setting up the VPN client profile.
  CA certificate alias
  Enter the alias that identifies the CA certificate used in your VPN cilent for ipsec_hybrid_rsa and ipsec_ike2_rsa authentication types. Your IT admin provides this information when setting up the VPN client profile.
  Server certificate alias
  If your client uses ipsec_hybrid_rsa and ipsec_ike2_rsa, enter the name of the server certificate to use for authenticating connections. Your IT admin provides this information when setting up the VPN client profile.
  OCSP URL
  If your client uses ocsp_url for ipsec_ike2_rsa, enter the URL to use for connections. Your IT admin provides this information when setting up the VPN client profile.
  Cisco AnyConnect VPN client settings
  Use these controls to specify values for the vendor-specific attributes for your Cisco AnyConnect VPN client. Contact your Network or IT Administrator for more information.
  authentication
  Select the type of authentication that your VPN client uses. Your IT admin provides this information when setting up the Cisco AnyConnect profile.
  EAP-AnyConnect
  EAP-GTC
  EAP-MD5
  EAP-MSCHAPv2
  IKE-RSA
  IKE-ECDSA
  ike-identity
  If you selected the EAP-GTC, EAP-MD5, EAP-MSCHAPv2, or IKE-RSA authentication type for your VPN profile, enter the IKE Identity information to use. Your IT admin provides this information when setting up the Cisco AnyConnect profile.
  usergroup
  Enter the name of the usergroup that is authorized to use the VPN client profile.
  certalias
  If your configuration uses certificates to establish a connection, enter the certificate alias here. KSP checks whether the certificate is installed and will wait for up to 5 minutes before retrying if it is not found. Your IT admin provides this information when setting up the Cisco AnyConnect profile.