Knox Service Plugin (KSP) offers a subset of existing Knox Platform for Enterprise (KPE) features to our enterprise customers' devices. The following table describes KSP features in detail.
| KSP app version | Release date |
|---|---|
| 1.3.71 (22.11) | November 2022 |
| 1.3.60 (22.09) | September 2022 |
| 1.3.51 (22.07) | July 2022 |
| 1.3.42 (22.05) | May 2022 |
| 1.3.32 (22.03) | March 2022 |
| 1.3.26 (22.01) | January 2022 |
| 1.3.21 (21.11) | November 2021 |
| 1.3.12 (21.09) | September 2021 |
| 1.2.95 (21.07) | July 2021 |
| 1.2.84 (21.05) | May 2021 |
| 1.2.74 | March 2021 |
| 1.2.63 | January 2021 |
| 1.2.57 | November 2020 |
| 1.2.45 | September 2020 |
| 1.2.26 | July 2020 |
| 1.2.16 | May 2020 |
| 1.2.09 | April 2020 |
| 1.1.99 | March 2020 |
| 1.1.92 | February 2020 |
| 1.1.80 | December 2019 |
| 1.1.72 | November 2019 |
| 1.1.67 | October 2019 |
| 1.1.60 | September 2019 |
| 1.1.50 | August 2019 |
| 1.1.42 | July 2019 |
| 1.1.26 | June 2019 |
| 1.1.19 | May 2019 |
| 1.1.01 | April 2019 |
Features
Category
Feature
License Type
Supported Deployment
KPE version required
Additional notes
New policies for setting device names
IT admins can now remotely edit the device name that is displayed in connections — for example Bluetooth or Wi-Fi.
IT admins can also specify whether users are allowed to edit the setting (available through Settings > About phone > Edit).
Standard
DO (WP-C device side is not supported)
Set Device Name — no version requirements
Allow Device Name Change by End User — Knox 3.9+
Set Device Name — no version requirements.
Allow Device Name Change by End User — Minimum supported OS version is Android 13.
These policies belong to the Device and Settings customization profile > Enable Device Name in Settings policy group.
New policies for controlling 3rd-party apps on the Samsung keyboard toolbar.
IT admins can now control whether these 3rd-party apps are available on the Samsung keyboard toolbar:
- Search
- Spotify
- YouTube
- AdjustSize
- ARemoji
- Bitmoji
- Expression
- Mojitok
- SamsungPass
- Translation
Premium
Work profile on a company-owned device (WP-C), DO
Knox 3.9+
Minimum supported OS version is Android 13.
These policies belong to the Device and Settings customization profile > Samsung keyboard controls > Samsung Keyboard Toolbar Controls policy group.
Policies to control device power-on state
IT admins can control the behavior of devices when they are connected or disconnected from the power source. For details, see Device power setting based on power source connection.
Standard
DO, WP-C (device side)
Knox 3.7+
Minimum supported OS version is Android 11.
These policies belong to the Device-wide policies > Device Settings policy group.
To enable these policies, you need to also enable Enable device-wide policies.
Policy updated to change default value
The Allow moving files from personal space to work profile policy is now disabled by default. This policy is used to control whether users can move files from a personal profile to a work profile.
Premium
PO, WP-C (PO)
Knox 3.9+
This change affects only devices using Android 13 and later.
This policy belongs to the Work profile policies > RCP Policy policy group.
To enable this policy, you need to also enable the Enable work profile policies policy.
New policy to allow setting a device's screen brightness
As an IT admin, you can set a device's screen brightness to a specific value between 0 and 255. For details, see Setting screen brightness to a specific value.
Premium
DO, WP-C (device side)
Knox 3.8+
Minimum supported OS version is Android 12.
Supported devices: Samsung Galaxy Tab S8+.
Kiosk Browser mode is required in your UEM.
This policy belongs to the Device and Settings customization profile > Configure values in settings menu > Configure a setting menu item > Display > Adaptive brightness policy group.
To enable these policies, you need to also enable the following:
- Under Device-wide policies, enable Enable device-wide policies.
- Under Device-wide policies > Device customization controls, enable Enable device customization.
New policy to block specific phone numbers for calls and text messages
IT admins can now create blocklists and allowlists of phone numbers on configured devices. Both incoming and outgoing calls and text messages are blocked.
Premium
DO
Knox 3.4.1+
Minimum supported OS version is Android 10.
This policy belongs to the Device-wide policies > Call and Messaging control policy group.
To enable this policy, you need to also enable the Enable device-wide policies policy.
New policy to block users from clearing app data or cache
IT admins can now create blocklists that restrict device users from clearing the data and cache of specific apps in App info > Storage.
Premium
DO, PO, and WP-C (PO)
Knox 3.2.1+
Minimum supported OS version is Android 9.
This policy belongs to the Device-wide policies > Application management policies policy group.
To enable this policy, you need to also turn on the Enable device-wide policies policy.
Device eSIM menu no longer hidden
When the Enable Advanced Restrictions controls policy is enabled, the device eSIM menu is no longer hidden, except when the Allow dual SIM operation policy is disabled.
Premium
DO, WP-C (device side)
Knox 3.4+
Minimum supported OS version is Android 10.
This policy belongs to the Device-wide policies > Advanced Restriction policies policy group.
To enable this policy, you need to also enable the Enable device-wide policies policy.
Screenshot storage location policy
On Android 13 and higher devices, IT admins can apply the Configure the screen capture file storage path policy to specify the screenshot storage location in the work profile.
Premium
PO and WP-C (PO)
Knox 3.9+
Minimum supported OS version is Android 13.
This policy is belongs to the Work profile policies > Work profile configuration policy group.
To enable this policy, you need to also enable the Enable work profile policies policy.
Policy status on KAI console
IT admins can now get visibility into a KSP policy deployment status. Several valuable data points, such as KSP installation status and KSP policy status (success or failure), are now visible on a new widget on the Knox Asset Intelligence dashboard. For more information, see the Knox Asset Intelligence release notes.
Knox Suite license
Work profile on a company-owned device, DO
Knox 3.7.1+
Minimum supported OS version is Android 11.
This functionality will be available with the Knox cloud services 22.08 release.
Allow/disallow factory reset
IT admins can now apply the Allow Factory Reset policy. This policy enables or disables the factory reset button in the device settings, and enables the factory reset entry in the recovery options.
Premium
DO
Knox 3.7.1+
Minimum supported OS version is Android 11.
Policy descriptions (tooltips) explain why eSIM menu is hidden.
When the Enable Advanced Restrictions controls or Enable APN settings policy control policies are enabled, the device eSIM menu is hidden to prevent conflicts between functions. The policy descriptions, which display as tooltips in your UEM, explain this behavior.
Premium
DO
Knox 3.7.1+
Minimum supported OS version is Android 11.
Side key customization
IT admins can now customize the function of the side key (power key) on non-ruggedized devices.
Premium
N/A
Knox 3.7.1+
Minimum supported OS version is Android 11.
Advanced Access Control enhancement
IT admins can now enable or disable continuous authentication by analyzing the user's typing pattern, in addition to the existing face recognition function.
Premium
N/A
Knox 3.8+
Minimum supported OS version is Android 12.
Knox Manage reapplies KSP policies
Knox Manage now always applies the Knox Service Plugin policy to Galaxy devices, even if there's no change in the Wi-Fi configuration of the devices. For example, if an IT admin creates a profile with Wi-Fi settings, and pushes it to a Galaxy device, but the device user later connects to a different Wi-Fi access point, then the profile reapplies to the device.
Premium
DO
Knox 3.8+
Minimum supported OS version is Android 12.
Deprecation of the Client Certificate Management (CCM) policies
The Client Certificate Management (CCM) policies are deprecated in KSP 22.05. You should no longer use these these policies with Android 12 (Knox 3.8) and higher devices.
Premium
N/A
Knox 3.8+
Minimum supported OS version is Android 12.
DualDAR - DO Mode
The latest version of DualDAR will now support fully managed DO configurations without needing the work profile to encrypt all the users and app data.
KPE DualDAR
DO
Knox 3.8+
Minimum supported OS version is Android 12. This feature is available on the S22 and Tab S8. Dual DAR in WP-C PO mode is already supported.
Removed Home Key long press function
As of version 22.03, the Home Key long press function will be removed.
Bluetooth scanner support
IT admins can now manage and configure Bluetooth scanners through a single SDK.
Standard
DO
Knox 3.8+
Minimum supported OS version is Android 12.
Control keyboard menu
IT admins can apply a policy to disable the Third-party content menu on Samsung keyboards. Any changes made to the Samsung keyboard will be grayed out once this policy is applied.
Standard
DO
Knox 3.8+
Minimum supported OS version is Android 12.
Control Wi-fi proxy setting
IT admins can apply a policy to disable the proxy setting in the Wi-Fi settings. The policy ensures that blocklisted domains remain unaccessable for the duration of the policy. If there is a previous proxy set, that proxy should be removed when the proxy setting is disabled by the policy. This policy is reversable.
Standard
DO
Knox 3.8+
Minimum supported OS version is Android 12.
Modified KSP to launch KAI reliably
IT admins can enroll devices to Knox Asset Intelligence through background enrollment for devices that are unable to enroll through manual enrollment. For unenrolled devices, background enrollment should be used to re-enroll the device.
Standard
WP-C, DO
Knox 3.7.1+
Minimum supported OS version is Android 11.
Disable Wi-Fi sharing via QR code
IT admins can apply a policy to lock down devices and prevent users from sharing the Wi-Fi credentials. The QR code icon to share the Wi-Fi credentials can either be blocked or be hidden all together.
Standard
DO
Knox 3.8+
Minimum supported OS version is Android 12.
Toggle on-screen keyboard
From Knox 3.7.1, IT admins could enable the on-screen keyboard after a physical keyboard has been plugged in. For devices with Knox 3.8, the on-screen keyboard can be toggled ON/OFF or greyed out.
Standard
DO, KIOSK
Knox 3.8+
Minimum supported OS version is Android 12.
Control the device safe mode
IT admins can apply a new policy which controls the device safe mode when running DeX on a fully managed device. After agreeing to make this change, the temperature at which apps shut down when running in DeX mode will increase from 45C to 53C. Please read the agreement carefully before enabling this setting.
Standard
DO, WP-C
Knox 3.8+ (AUS model only)
Minimum supported OS version is Android 12.
Control the Network Mode
IT admins can configure and control the Mobile Network menu in DO mode. Once an IT Admin changes the Network mode through an API, the customer will not be able to change the network settings. This feature can be operated in each Network mode (3G/LTE/5G).
Standard
DO, WP-C(device side)
Knox 3.7+ for S21+
Minimum supported OS version is Android 11.
Deprecating E-billing and UCM functions
The E-billing feature has been deprecated from Knox version 3.7. The UCM function will be deprecated from Knox 3.7.1 and onwards.
Premium
DO, WP-C (device side)
Knox 3.7+ for S21+
Minimum supported OS version is Android 11.
Roaming configuration
IT admins can configure the roaming settings of a device. The roaming configuration can be changed and locked by the IT admin and the settings can only be configured in DO mode.
Standard
DO
Knox 3.7.1+ for XCover Pro / Knox 3.7+ for S20
Minimum supported OS version is Android 11.
Enable onscreen keyboard
Customers can manually provision their setting to allow an onscreen keyboard to display after plugging in a physical keyboard. For devices with Knox version 3.7.1 and older, the onscreen keyboard setting can be toggled ON/OFF. If this policy is disabled by IT admins, the on-screen keyboard will not be displayed after a physical keyboard has been plugged in.
Standard
DO, KIOSK
Knox 3.7.1+ for Tab Active Pro / Tab Active 3. Knox 3.7+ for S21
Minimum supported OS version is Android 11.
Removal of insecure VPN types
In Android S, Google is removing the ability to create the following VPN types directly from the Settings app:
- L2TP
- PPTP
- IPSec Xauth PSK
- IPSec Xauth RSA
- IPSec Hybrid RSA
Standard
DO, WP-C(device side)
Knox 3.7+ for S21+.
Minimum supported OS version is Android 12.
Prevent users from dismissing KPE T&C popup permanently
IT admins can promt end-users to agree to the KPE terms and conditions by displaying it through a popup every two minutes. If accepted, the popup will stop. If the popup is skipped, policies won't be applied to the managed device and the popup will continue to display every two minutes.
Standard
DO, WP-C(device side)
Knox 3.7+.
Minimum supported OS version is Android 10.
Multi-time configuration via QR scanning
IT admins can change the settings of a device that has already been distributed and running. A device with existing KSP policies can scan a QR code generated by KME Direct to upload and apply new policies to the device.
Standard
DO, WP-C(device side)
Knox 3.7.1+ for XCover Pro. Knox 3.7.1+ for Tab Active Pro / Tab Active 3.
Minimum supported OS version is Android 11.
E-Billing schema updates
In order to simplify the user experience, we are constantly reviewing policies within the KSP Schema that are seeing minimal adoption. Based on this review, we will soon be removing the E-Billing policies in the next KSP release (21.09). Due to this upcoming deprecation, refrain from using these policies.
Peripheral plug and play
This release introduces peripheral devices such as barcode readers, to help enterprises collect inventory data, track delivery status, and identify Point-of-Sale (POS) transactions. This improvement helps lower operational costs, improve customer experience, and maximize profits in manufacturing and retail sectors.
Using KSP, IT admins can configure these devices with a plugin and package name, register the device, and set the USB connection type. When the device user plugs in the peripheral device after the profile is deployed to the device, the peripheral device is automatically configured and ready to go.
Standard
DO
Knox 3.7.1+ for XCover Pro
Minimum supported OS version is Android 11. Knox peripheral plugin APK needs to be installed for the policies to be applied. For more information see Peripheral Configuration.
Peripheral Configuration— Barcode Scanner
The IT admin can configure the following options while setting up a barcode scanner:
- Input Prefix
- Input Suffix
- Input timestamp
- Enable Beep sound
- Barcode data process mode
- WEDGE
- STORE
- Check duplicated barcode
Standard
DO
Knox 3.7.1 + for XCover Pro
Minimum supported OS version is Android 11. Knox peripheral plugin APK needs to be installed for the policies to be applied.
Deep Settings Customization— Side key long press
The IT admin can configure the side key to perform multiple actions, such as, wake Bixby or power off the device on long press. The Wake Bixby functionality is currently supported only in WP-C work profile and is grayed out or unavailable in other modes.
Premium
DO, WP-C
Knox 3.7+ for all devices. Knox 3.7 for Note20 / Knox 3.7.1+ for XCover Pro or XCover 5
Minimum supported OS version is Android 11. For general information on how to configure deep settings, see Deep Settings Customization.
Device key mapping— Samsung Intent
IT admins can now enable or disable a Samsung intent for the Push-To-Talk (PTT) and Top keys for PO as well as DO. When this is enabled, any custom intent definitions for key press and key release will be ignored.
Premium
DO, PO and WP-C (work profile only)
Knox 3.7.1+ for XCover Pro, XCover 5 and Tab Active 3
Minimum supported OS version is Android 11. Top key Samsung Intent is supported only in XCover Pro. For more information on Device key mapping controls, see Device key mapping.
Device key mapping— application auto launch
A specific application can be set to launch automatically after installation. Additionally, if a component name is set along with the application package name, this setting launches the respective component screen on launch, otherwise the application launcher screen is displayed.
Premium
DO, PO and WP-C work profile only
N/A
For more information on application management, see Application management policies.
Device settings— power saving mode
The IT admin can now save power in power saving mode by two new ways:
- Configure CPU usage limit
- Reduce brightness level
Premium
DO
Knox 3.7+
Minimum supported OS version is Android 11.
MacID Randomization
KSP now allows IT admins to disable MAC address randomization for WPA2 and WPA3 enterprise devices that use EAP PEAP, TLS, or TTLS.
Premium
DO, WP-C (device-side)
N/A
Minimum supported OS version is Android 10.
New VPN client
Sectra Mobile VPN was added to the list of VPN vendors. The features and specifications for this vendor allow the IT admin to set Base URL to download client certificate, Differentiated Services value to have a varying ‘Quality of Service’, option to send application data over TLS or DTLS, and ‘keep alive’ feature to keep the tunnel always active.
Premium
N/A
Knox 3.7.1+
Minimum supported OS version is Android 11.
Device key mapping in PO
IT admins can now remap Profile Owner (PO) rugged device keys, using KSP, to custom intent actions. Similar to the DO feature, IT admins can map PTT and side-keys to Microsoft teams, and configure top and side keys for key press and key release intents to specific application.
Premium
DO, WP-C
Knox 3.7.1+
Minimum supported OS version is Android 11. For more information on Device key mapping controls, see Device key mapping.
Device volume
- IT admins can set device volume for the following items:
- Voice Call
- System Sounds
- Ringer
- Media Playback
- Notifications
Premium
DO
Knox 3.7.1 +
For more information on device controls, see Device settings policies.
Widget access control
IT admins can either allow or block a set of widgets using an allowlist or a blocklist. If an allowlist is implemented, all other widgets not matching the list are blocked. If a blocklist is implemented, only the widgets from the list are blocked and any existing widgets are removed.
Premium
DO
Knox 3.7.1 +
Minimum supported OS version is Android 11. If a widget package name exists in both allow and block lists, it is set to be allowed. For more information on application management, see Application management policies.
Device key mapping—Home key long press
Home key long press is added to the button options for application launch.
Premium
DO
Knox 3.7.1 +
For more information on Device key mapping controls, see Device key mapping.
Samsung Keyboard
Samsung Keyboard settings can be configured for the following features:
- Emoticons
- Stickers
- GIF Keyboard
- Voice Input
- Live Message
- Handwriting Input
- Clipboard
- Modes
- Text Edit Panel
Premium
DO, WP-C
Knox 3.4.1 +
For more information on device controls, see Samsung Keyboard controls.
Device key mapping—application auto launch
A specific application can be set to launch automatically after installation. Additionally, if a component name is set along with the application package name, it launches the respective component screen on launch, otherwise the application launcher screen is shown.
Premium
PO
N/A
For more information on application management, see Application management policies.
Smart Switch control
Allows an admin to enable or disable the Smart Switch app used to transfer media and files.
Standard
DO
Knox 3.2.1 +
Disabled by default, IT admin can enable Smart Switch to allow data transfer. The source device can be in the DO or COMP mode.
UWB (ultra-wideband) Control
Allows an admin to allow or disallow UWB feature, allowing makes the feature ready to use (no user menu) from Quick Share. Admin can disallow other communication channels like BlueTooth and Wi-Fi.
Standard
DO, WP-C
Knox 3.7 +
Available with Galaxy Note 20 Ultra, Galaxy Z Fold 2, Galaxy S21+, and Galaxy S21 Ultra.
Device key mapping
Allows an admin to set Push to Talk (PTT) key and top key for short and long press, as well as side key for a double press to launch an app.
Premium
DO
- Note 20 → Knox 3.6 +
- XCover Pro → Knox 3.5 +
For more information on Device key mapping controls, see Device key mapping.
Continuous Multi Factor Authentication
Allows an admin to allow/disallow CMFA using face recognition. Continous authentication is applicable using face only to lock the profile, it cannot be used to unlock the profile. When an un-registered face is detected, profile will be locked.
Premium
PO, WP-C
Knox 3.7 +
Applicable only on work profile only not on device. User should be registered to use face as authentication for work profile.
Deep Setting: Display > Touch Senstivity
Allows an admin to turn on or off the Display > Touch Sensitivity menu which can be toggled by the end user depending upon gloved or glove-less use.
Premium
DO
Knox 3.7.1 +
For general information on how to configure deep settings, see Deep Settings Customization.
Disable MAC address randomization
Allows an admin to set a Wi-Fi network with MAC address randomization disabled.
Standard
DO, WP-C
Knox 3.4.1 +
Not supported on One UI Core devices. For more information, see Wi-Fi policy.
Top key support with custom intent
Allows an admin to set a custom intent for the top key of an XCover Pro devices.
Premium
DO
Knox 3.4 +
For more information, see Device key mapping.
No battery mode
Allows an admin to enable or disable "No Battery Mode" in the Quick Panel of a device.
Standard
DO, WP-C
NA
Available only on Samsung Galaxy Tab Active 3 series (T577, T575, and T570). For more information, see Device settings policies.
VPN with separated apps
The descriptions and choices in the schema were modified to support the Separated Apps mode.
Premium
DO
Knox 3.7 +
Minimum OS version is Android 11. For more information on VPN policies, see VPN.
Deep setting: WiFi > Disable internet connectivity
Allows an admin to disable Internet connectivity checking on devices. This is useful for customers that only access the internal network without Internet connection.
Premium
DO, WP-C
Knox 3.4 +
For general information on how to configure deep settings, see Deep Settings Customization.
Audit log
Allows an admin to configure audit log on the device.
Premium
DO, PO, WP-C
Knox 3.0 +
For more information, see Audit log.
DeX file transfer settings in the DeX customization profile
Allows an admin to enable or disable the ability to copy content from a PC to DeX.
Premium
DO, WP-C
Knox 3.6 +
For more information on configuring the DeX customization profile, see Enable DeX with basic customization.
DeX file transfer settings in the DeX customization profile
Allows an admin to enable or disable the ability to copy content from DeX to a PC.
Premium
DO, WP-C
Knox 3.6 +
For more information on configuring the DeX customization profile, see Enable DeX with basic customization.
Enterprise billing
Starting Android R, enterprise billing is not supported in PO mode.
Premium
DO
Knox 3.0 +
This feature is deprecated.
Work profile on company owned device support
- Enables admins to provide Android 11 devices additional privacy benefits to the device user.
Premium
WP-C
Knox 3.7 +
For more information, go to: Work profile on company owned device.
Separated Apps
- Enables admins to securely separate non-work approved apps from work apps on a fully managed device.
Premium
DO
Knox 3.7 +
For more information, go to: Separated Apps. For information on Separated Apps controls, go to: Advanced policies and navigate to the Separated Apps policies section.
Deep settings special access
- Enables an admin to control the device video display when using other apps at the same time.
Premium
DO
Knox 3.0 +
For information on setting the Picture-in-Picture control for video permissions when using other apps, go to: Advanced policies and navigate to the Deep settings for Lockscreen policies section.
VPN over tethering
- Enables admins to ensure there is security-based certification available, so only a certified user can use VPN tethering with allow listed devices.
Premium
DO and PO
Knox 3.6 +
For information on configuring VPN tethering, go to: Advanced policies and navigate to the VPN > Enable VPN policy section.
Android VPN Management for Knox settings for PO
- Enables an admin to set a Knox VPN configuration using the Android VPN Management for Knox client in PO mode, as well as the certificate for VPN installed in PO.
Premium
PO
Knox 3.6 +
For information on configuring VPN, go to: Advanced policies and navigate to the VPN policy section.
Device key mapping
- Ensures an admin cannot enable XCover PTT key re-mapping when TEAMS key re-mapping is enabled. Alternatively, an admin cannot select TEAMS PTT key re-mapping if XCover PTT key re-mapping is enabled.
Premium, Knox Suite, or Knox Platform for Customization (KPC) license
DO
Knox 3.0 +
For information on Device key mapping controls, go to: Advanced policies and navigate to the Device key mapping policies section.
- Enables an admin to control deep settings for DeX monitor display resolution.
Premium
DO
Knox 3.1 +
For information on configuring Samsung DeX controls, go to: Advanced policies and navigate to the DeX section.
Removal of potentially offensive language from Admin Guide
- With this release potentially offensive terms such as "whitelist" and "blacklist" have been removed from the KSP Admin Guide in favor of "allowlist" and "blocklist".
NA
NA
NA
NA
Quick panel configuration
- Enables IT admins to display or hide specific setting shortcuts on the device quick panel display.
Premium
DO
Knox 3.0 +
For information on setting the quick panel configuration, go to: Advanced policies and navigate to the Quick panel configuration section.
Lockscreen - Deep settings configuration
- Enables IT admins to set unique deep settings for the device lockscreen roaming clock, face widget, and notification configuration.
Premium
DO
Knox 3.0 +
For information on deep setting roaming clock, face widget an notification controls for the lockscreen, go to: Advanced policies and navigate to the Lockscreen customization policies > Deep settings for Lockscreen policies section.
Lockscreen - Deep settings configuration
- Enables IT admins to set unique deep settings for device language and input controls, including text-to-speech and on-screen keyboard controls.
Premium
DO
Knox 3.0 +
For information on deep setting language and input controls for the lockscreen, go to: Advanced policies and navigate to the Lockscreen customization policies > Deep settings for Lockscreen policies section.
Lockscreen - Deep settings configuration
- Enables IT admins to set unique deep settings for sound and vibration controls, including notification sounds, charging, keyboard, and orther device sounds.
Premium
DO
Knox 3.0 +
For information on deep setting sound and vibration controls for the lockscreen, go to: Advanced policies and navigate to the Lockscreen customization policies > Deep settings for Lockscreen policies section.
Lockscreen - Deep settings configuration
- Enables IT admins to set unique deep setting display controls for the lockscreen, including brightness, blue light filter settings, navigation bar, and font utilization.
Premium
DO
Knox 3.0 +
For information on deep setting display controls for the lockscreen, go to: Advanced policies and navigate to the Lockscreen customization policies > Deep settings for Lockscreen policies section.
Client certificate management (CCM)
- Enables IT admins to utilize a group of client specific certificate management controls.
Premium
DO
Knox 3.0 +
For information on setting the client-side certificate management configuration, go to: Advanced policies and navigate to Client certificate management (CCM) policies.
Device key mapping
- Enables IT admins to configure the PTT key used to launch a specific enterprise application package by name. The admin can define the button press intent and override default as applicable.
Premium, Knox Suite, or Knox Platform for Customization (KPC) license
DO
Knox 3.0 +
For information on Device key mapping controls, go to: Advanced policies and navigate to the Device key mapping policies section.
Device settings
- Enables IT admins to control the language usage shortcut, including hiding language settings within the Settings menu, and setting or greying out specific values.
Premium
DO
Knox 3.0 +
For information on language utilization and shortcut controls, go to: Advanced policies and navigate to Deep settings customization > Configure unique deep settings, or refer to the Device setting policies section.
Deep settings and Lockscreen
- Enables IT admins to control the numeric font size setting (0-7), font style (SamsungOne or Gothic Bold), and specific notification settings when employees log into their device.
Premium
DO
Knox 3.0 +
For information on font size and style controls, go to: Advanced policies and navigate to Deep settings customization > Configure unique deep settings, or refer to Lockscreen customization policies.
APN setting policy
- Enables an admin to define the preferred APN resource, and prevent the change or deletion of pushed APN settings.
Premium
PO
Knox 3.0 +
For information on APN settings, go to: Advanced policies and navigate to the Device controls > APN setting policy section.
Device settings
- Enables IT admins to hide Wi-Fi settings, set device language country usage, enable auto start when connected to power, and mobile data management.
Premium
DO
Knox 3.0 +
For information on hiding Wi-Fi settings, language and country usage, connected power consumption, and mobile data management go to: Advanced policies and navigate to Device setting policies.
Advanced restrictions
- Enables IT admins to set the USB connection type utilized by the device.
Premium
DO
Knox 3.0 +
For information on setting the device USB connection type, go to: Advanced policies and navigate to the Advanced restriction policies section.
Device restrictions
- Enables IT admins to enable or disable device user access to clipboard data. Also enables admins to either enable or disable multiple user access to the device and its potentially sensitive data.
Standard
DO and PO
Knox 3.0 +
For information on enabling clipboard data access and multiple user device restrictions, go to: Advanced policies and navigate to the Device restriction policies section.
Password policies
- Enables IT admins to hide password visibility while device users type the password to better secure the device.
Standard
DO and PO
Knox 3.0 +
For information on password controls, go to: Advanced policies and navigate to the Password policies section.
Firmware update (FOTA)
- Enables IT admins to install and launch an EFOTA client on an employee device automatically.
Standard
DO
Knox 3.0 +
For information on FOTA controls, go to: Advanced policies and navigate to the Firmware update (FOTA) policies section.
Deep settings: Access Manageability
- Enables IT admins to control the accessibility of configuration settings when designated special needs employees attempt to log into their device.
Premium
DO and PO
Knox 3.0 +
For information on setting accessibility controls, go to: Advanced policies and navigate to the Lockscreen policies section.
Delay configuration
- This feature permits an admin to delay applying configurations for applications not yet installed. Specifically, this feature assists admins by automatically validating whether an application is installed before applying related policies.
Standard
DO
Knox 3.0 +
Restrictions in work profile policy
- This control permits bluetooth functionality within the device container.
Premium
PO
Knox 3.0 +
For information on managing Bluetooth within the device container, go to: Advanced policies and navigate to the Restrictions in work profile policy section.
Device settings
- This feature permits an admin to hide selected settings from the device user. Specifically, backup and reset, airplane mode, language, lockscreen, Bluetooth, and developer settings can be individually hidden as device deployment considerations warrant.
Premium
DO
Knox 3.0 +
For information on managing and hiding settings on a device, go to: Advanced policies and navigate to the Device settings policy section.
Application management policy
- This setting enables admins to set application restrictions so specific applications cannot be stopped by the device user. This setting also removes all packages from the force stop blocklist and allowlist.
Premium
DO and PO
Knox 3.0 +
For information on preventing a device user from stopping a specified application, go to: Advanced policies and navigate to the Application management policy section.
Application management policy
- This setting enables admins to set application restrictions so specific applications cannot be stopped by the device user. This setting also removes all packages from the force stop blocklist and allowlist.
Premium
DO and PO
Knox 3.0 +
For information on preventing a device user from stopping a specified application, go to: Advanced policies and navigate to the Application management policy section.
Restrictions in work profile policy
- This setting permits admins to restrict the device user from making a video recording with their device. The device camera remains functional when video recording is disabled.
Standard
DO and PO
Knox 3.0 +
For information on restricting device video recording capabilities, go to: Advanced policies and navigate to the Restrictions in work profile policy section.
Lockscreen
- This setting permits admins to hide specific Settings menu items from the user's device display. Thus permits the admin to set specific settings as appropriate for an intended deployment, then hiding the setting to avoid the user changing it.
Standard
DO and PO
Knox 3.0 +
For information on hiding Settings menu items from the device user, go to: Advanced policies and navigate to the Lockscreen customization policies section.
KSP versioning
- This functionality lets an admin determine which KSP version is being deployed to better ensure the latest version is deployed to the enterprise.
Standard
DO and PO
Knox 3.0 +
This KSP versioning enhancement helps admins validate the date the current KSP version was published to the Play Store and ensure they are supporting the latest available feature set.
Application management policy
- Enables an admin to allowlist or blocklist an application signature allowing it to be installed (allowlisted) or blocked (blocklisted) in either DO or PO. The installed package is not be part of the system image.
Premium
DO and PO
Knox 3.0 +
For information on setting application management controls, go to: Advanced policies and navigate to the Application management policies section.
Application management policy
-This policy enables an IT admin to disable an application in either DO or PO without uninstalling it, preventing the device user from launching the application.
Premium
DO and PO
Knox 3.0 +
For information on setting application management controls, go to: Advanced policies and navigate to the Application management policies section.
Password policy
- Enables an IT admin to specify the maximum numeric sequence length permitted in a device (and container) password.
Standard
PO
Knox 3.0 +
For information on password controls, go to: Advanced policies and navigate to the Password policies section.
Password policy
- Enables an IT admin to specify the maximum alphanumeric sequence length permitted in a work profile (PO) password.
Standard
PO
Knox 3.0 +
For information on password controls, go to: Advanced policies and navigate to the Password policies section.
Password policy
- Enables an IT admin to set the maximum length of time to lock a device and container.
Standard
DO and PO
Knox 3.0 +
For information on password controls, go to: Advanced policies and navigate to the Password policies section.
Password policy
- Enables an IT admin to set a minimum password length for a device (and container).
Standard
DO and PO
Knox 3.0 +
For information on password controls, go to: Advanced policies and navigate to the Password policies section.
Password policy
- Enables an IT admin to set the maximum number of device user failed password attempts before the device (and container) wipes its data.
Standard
DO and PO
Knox 3.0 +
For information on password controls, go to: Advanced policies and navigate to the Password policies section.
Password policy
- Enables an IT admin to set the maximum number of device user failed password attempts before the device (and container) no longer permit password entry and device access.
Standard
DO and PO
Knox 3.0 +
For information on password controls, go to: Advanced policies and navigate to the Password policies section.
Password policy
- Enables an IT admin to set criteria for password strength (minimum number of digits and special characters, etc.) for a device and its container
Standard
DO and PO
Knox 3.0 +
For information on password controls, go to: Advanced policies and navigate to the Password policies section.
Password policy
- Provides an IT admin the ability to control facial authentication within the work profile.
Standard
DO and PO
Knox 3.0 +
For information on password controls, go to: Advanced policies and navigate to the Password policies section.
Device restrictions
- Provides an IT admin the ability to enable or disable a user's ability to backup their device deta on a Google Server.
Standard
DO
Knox 3.0 +
For information on device restriction controls, go to: Advanced policies and navigate to the Device restriction section.
Device restrictions
- Provides an IT admin the ability to enable or disable user access to the device's Secure Digitial (SD) memory card.
Standard
DO
Knox 3.0 +
For information on device restriction controls, go to: Advanced policies and navigate to the Device restriction section.
Device restrictions
- Provides an IT admin the ability to either enable or disable the installation of non-Google Play apps on a device.
Standard
DO
Knox 3.0 +
For information on device restriction controls, go to: Advanced policies and navigate to the Device restriction section.
Device restrictions
- Provides an IT admin the ability to enable or disable Android Beam (NFC and Bluetooth functionality) on a device. Once disabled, a device user cannot send information (contacts, emails, etc.) using Android Beam.
Standard
DO
Knox 3.0 +
For information on device restriction controls, go to: Advanced policies and navigate to the Device restriction section.
Device restrictions
- Provides an IT admin the ability to enable or disable the device camera. Third party applications cannot enable the device camera once disabled using this function.
Standard
DO and PO
Knox 3.0 +
For information on device restriction controls, go to: Advanced policies and navigate to the Device restriction section.
Device controls
- Controls Bluetooth allowlist and blocklist UUID restrictions. When enabled, all peripherals except those with specified UUIDs are allowed or blocked from operating with a device.
Premium
DO
Knox 3.0 +
For information on Bluetooth device controls, go to: Advanced policies and navigate to the Device controls > Bluetooth policy section.
Device controls
- Enables an IT admin to configure a device so 3rd party applications can pass an intent based on the specific device key pressed. This in turn helps a device user invoke an application's functionality faster.
Premium
DO
Knox 3.0 +
N/A
Certificate management
- Enables an admin to install a certificate into the keystore silently, without user intervention.
Standard
DO and PO
Knox 3.0 +
For information on certificate controls, go to: Advanced policies and navigate to the Certificate management policies section.
- Configures a device user inactivity timeout to periodically shutdown the device to conserve battery power and extend battery life between charges
Premium
DO and PO
Knox 3.0 +
There is a 10 minute minimum timeout if setting a user inactivity period.
- Enables hard key mapping for specific device and application actions
Premium, Knox Suite, or Knox Platform for Customization (KPC) license
DO and PO
Knox 3.0 +
If the application receiving the key mapping configuration is already launched and in the background, pressing a hardware key a second time does not bring it to the foreground and kills the application.
Advanced Wi-Fi policy
- Once enrolled, this setting configures a roam trigger, roam duration period, and roam delta to improve device connectivity in an Enterprise environment
Premium
DO, WP-C (device-side)
Knox 3.0 +
N/A
Advanced Wi-Fi policy
- Disables the blocklisting of a device SSID resulting from an authentication failure, so the impacted device does not need to wait before attempting to reauthenticate
Premium
DO, WP-C (device-side)
Knox 3.0 +
N/A
Advanced Wi-Fi policy
- Enables or disables a DHCP check with each device roam to prevent the device from being dropped on the network. Turning off DHCP renewal allows the device to keep its current IP address.
Premium
DO, WP-C (device-side)
Knox 3.0 +
N/A
- Enables Wireless Intrusion Prevention System (WIPS) configuration options to both detect and prevent network access by an unauthorized Wi-Fi access point
Premium
DO and PO
Knox 3.0 +
For WIPS to succssfully function, ensure either one of the following three conditions is set WIPSEnforement - true/WIPSAdvanceProtection - true OR WIPSEnforement - true/WIPSAdvanceProtection - false OR WIPSEnforement - false/WIPSAdvanceProtection - true
- Allow VPN over a tethered connection so a allowlisted USB device can access and share resources with a peer device
Premium
DO and PO
Knox 3.0 +
N/A
Application management
- Allows USB device supported profiles to utilize specific configurations
Premium
DO and PO
Knox 3.0 +
N/A
Certificates
- Allow applications to read private keys without alerting the device user
Premium
DO and PO
Knox 3.0 +
N/A
- Wi-Fi and Bluetooth scanning
- Common Criteria (CC) mode
Premium
DO
Knox 3.0 +
N/A
- Wi-Fi and Bluetooth scanning
- Common Criteria (CC) mode
Premium
DO
Knox 3.0 +
- Allow or restrict the use of the secondary SIM card slot on a dual SIM device
Premium
DO
Knox 3.0 +
- Remote control of a device
Premium
DO and PO
Knox 3.0 +
- Manage battery optimization allowlist
- Manage allowlisted device admins
Standard
DO and PO
Knox 3.0 +
N/A
Application management
- Create and apply app update policies on the device
- Customize app update policies to override the app update policies specified in Device Settings
Standard
DO and PO
Knox 3.0 +
Application management
- Allow or block updates to specific apps
Standard
DO
Knox 3.0 +
- Allow or restrict the ability to move applications to a container.
Premium
DO
Knox 3.0 +
- Certificate revocation
- Enable revocation check
- OCSP
Premium
DO and PO
Knox 3.0 +
N/A
Certificate management
- Add a Trusted CA alias
- Stop the user from removing certificates from the keystore
Premium
DO and PO
Knox 3.0 +
- Manage Wi-Fi hotspot settings
- Allow or block open Wi-Fi connections
Standard
DO
Knox 3.0 +
N/A
Device controls
- Show a custom banner on the device display on device restart
Premium
DO
Knox 3.0 +
- Manage Wi-Fi user profile and policy changes
- Allow or block specific network connections
- Allow or block automatic Wi-Fi connections
- Set minimum security requirements for a Wi-Fi connection
- Show or hide a Wi-Fi password in the network settings dialog
- Allow or restrict the user from changing the Wi-Fi connection state
Standard
DO
Knox 3.0 +
N/A
- Wi-Fi
- Bluetooth
- Cellular data
- Tethering (USB, Wi-Fi, and Bluetooth)
- USB devices
- Developer mode
- Power and data saver mode
- VPN connections
- Enforce external storage encryption
Standard
DO
Knox 3.0 +
- Microphone
- Sharing options
Standard
DO and PO
Knox 3.0 +
- Use Bluetooth profiles to manage connections from peripheral devices
Standard
DO
Knox 3.0 +
- Setup Samsung keyboard settings
- Show or hide items on Quick Panel
Standard
DO
Knox 3.0 +
N/A
- Disable app suggestions
- Enable battery protection settings
Premium
DO
Knox 3.4 +
N/A
- Customize the device settings menu using the Deep Settings Customization feature
Premium
DO
Knox 3.4 +
N/A
- Set data lock timeout type (minutes)
- Restrict access to device encrypted (DE) storage
Premium + (KPE Premium license with DDAR add-on)
DO and PO
Knox 3.3 +
- Manage data sync restrictions, including app- and property-level restrictions
- Enable use of RCP data sync policy controls
- Allow or block movement of apps between personal and Work profiles
- Enable and configure RCP data sync policies
Premium + (KPE Premium license with DDAR add-on)
PO
Knox 3.3 +
Device UI customization
- Customize the lockscreen and add shortcuts to open apps from the lockscreen
Premium
DO
Knox 3.0 +
- Add, update and manage APN settings
- Manage NFC
Standard
DO
Knox 3.0 +
- Dual APN based enterprise billing
- Modify APN settings
Premium
DO and PO
Knox 3.0 +
N/A
Firewall and Proxy
- Manage global proxy with static configuration
- Manage global proxy with PAC file
Standard
DO
Knox 3.0 +
N/A
-
Allow firmware update
over-the-air
- Allow firmware update in
recovery mode
Standard
DO
Knox 3.0 +
N/A
Mobile Virtual Network Operator (MVNO) configuration
- Customize the MVNO configuration on the device, including the type of configuration and the value
Standard
DO
Knox 3.2.1 +
Knox v3.4 or higher
Network Platform Analytics (NPA) data configuration
- Create NPA data configuration profiles
- Select specific data points to collect information
Standard
DO and PO
Knox 3.3 +
- Enable or disable authentication methods such as password and biometric authentication such as fingerprint, iris, or face recognition
Standard
DO
Knox 3.0 +
Passwords
- Enforce password change
- Specify the number of minutes up to which the user can cancel or delay the password change
Premium
DO and PO
Knox 3.3 +
Passwords
- Set the maximum length of an alphabetic sequence that is allowed for a device password
Standard
DO
Knox 3.3 +
RCP profile configuration for application data sync
- Configure the RCP profile to specify rules for syncing application data
Feature is Standard, but the Policies enforced by the configuration profile may be Premium
PO
Knox 3.3 +
- Enable and disable DeX
- Enforce Ethernet connection or virtual MAC address
- Set apps available in DeX mode
Standard
DO
Knox 3.1 +
- Set home alignment
- Set screen timeout
- Set loading logo
- Set DeX wallpaper
- Skip DeX welcome screen
- Skip overscan detection screen
- Auto-start DeX on HDMI connection
- Hide apps in app drawer
- Add application shortcuts on DeX
- Add URL shortcuts on DeX
Premium
DO
Knox 3.1 +
- Disable buttons on the DeX panel
Premium
DO
Knox 3.3 +
- Configure app launch behavior
Premium
DO
Knox 3.3 +
- Manage Universal storage credentials for all types of storage on the device; external and internal
- Set up and manage a UCM plugin for device lock and unlock
Premium
DO and PO
Knox 3.2 +
N/A
- Supported VPNs—Cisco AnyConnect, PulseSecure, Knox built in client (Android VPN Management for Knox)
- VPN types—device-wide, per-app, or workspace-wide
- Manage list of apps that can use or bypass VPN
- Enable on-demand VPN
Premium
DO and PO
Knox 3.0 +
- VPN chaining with two profiles
- Proxy over VPN
- Include UID/PID meta-data in VPN
Premium
DO and PO
Knox 3.0 +
- Silent authentication mode is supported for Pulse Secure VPN
Premium
DO and PO
Knox 3.0 +
Silent authentication for Pulse Secure VPN is currently available only on DO or COMP devices
- Support for Net Motion VPN on DO or PO deployments
Premium
DO and PO
Knox 3.0 +
Net Motion VPN supports the following:
- profile-wide VPN
- device-wide VPN
- on-demand VPN
- certificate based authentication
- NTLM authentication with username & password
- Device users can rename Workspace and personal tabs
- IT admins can allow or restrict the installation of apps from the Personal tab to the Workspace
Premium
DO and PO
Knox 3.0 +
N/A
