License permissions
With Knox 3.7.1, there are new permissions for the ISV APIs, which don’t need the device admin (DA) permission. Refer to the ISV permissions for more details.
Prior to Knox 3.7.1, the different Knox licenses were granted the following app permissions:
| License | SDK | Category | Permission | Description |
|---|---|---|---|---|
| Standard | Knox SDK | Accounts | com.samsung.android.knox.permission.KNOX_EMAIL | Control email app settings |
| Accounts | com.samsung.android.knox.permission.KNOX_EXCHANGE | Configure Microsoft Exchange ActiveSync accounts and settings | ||
| Accounts | com.samsung.android.knox.permission.KNOX_LDAP | Create, delete, and get Lightweight Directory Access Protocol (LDAP) account settings | ||
| Apps | com.samsung.android.knox.permission.KNOX_APP_MGMT | Manage apps inside and outside of Knox containers: install, uninstall, enable, disable, set behavior, get notifications, get state | ||
| Connections | com.samsung.android.knox.permission.KNOX_APN | Create, update, and remove Access Point Name (APN) setting | ||
| Connections | com.samsung.android.knox.permission.KNOX_BLUETOOTH | Control Bluetooth settings; enable or disable Bluetooth access | ||
| Connections | com.samsung.android.knox.permission.KNOX_BLUETOOTH_SECUREMODE | Control Bluetooth Secure Mode settings | ||
| Connections | com.samsung.android.knox.permission.KNOX_BROWSER_PROXY | Control the Samsung Internet browser's HTTP proxy settings | ||
| Connections | com.samsung.android.knox.permission.KNOX_BROWSER_SETTINGS | Control the Samsung Internet browser's settings | ||
| Connections | com.samsung.android.knox.permission.KNOX_GLOBALPROXY | Configure a proxy server for apps on the device | ||
| Connections | com.samsung.android.knox.permission.KNOX_WIFI | Configure Wi-Fi for a secure Knox container, configure Wi-Fi settings and manage Wi-Fi profiles for a device | ||
| Devices | com.samsung.android.knox.permission.KNOX_DATE_TIME | Control the device date and time settings | ||
| Devices | com.samsung.android.knox.permission.KNOX_DEX | Control DeX mode settings | ||
| Devices | com.samsung.android.knox.permission.KNOX_ENTERPRISE_DEVICE_ADMIN | Manage policies enforced on a device | ||
| Devices | com.samsung.android.knox.permission.KNOX_GEOFENCING | Create, destroy, monitor a virtual perimeter for a geographical area | ||
| Devices | com.samsung.android.knox.permission.KNOX_HW_CONTROL | Configure Near Field Communication (NFC) settings, control audio and video recordings, device power off | ||
| Devices | com.samsung.android.knox.permission.KNOX_INVENTORY | Get info about the device | ||
| Devices | com.samsung.android.knox.permission.KNOX_KIOSK_MODE | Manage a basic Kiosk mode on a device | ||
| Devices | com.samsung.android.knox.permission.KNOX_LICENSE_LOG | View data logs, such as the number of API calls for a given package on a device | ||
| Devices | com.samsung.android.knox.permission.KNOX_LOCATION | Control the settings related to location services | ||
| Devices | com.samsung.android.knox.permission.KNOX_LOCKSCREEN | Customize the device lock screen: wallpaper, image, emergency number | ||
| Devices | com.samsung.android.knox.permission.KNOX_MULTI_USER_MGMT | Manage multiple users on a device | ||
| Devices | com.samsung.android.knox.permission.KNOX_PHONE_RESTRICTION | Restrict features such as airplane mode, Android Beam, background process limit, clipboard share, data saving, developer mode, factory reset, fast encryption, firmware recovery, Google sync, killing activities, lock screen view, OTA upgrades, power saving mode, S Beam, SD card move, safe mode, screen pinning, share list, smart clip mode, stop system app, USB host storage, VPN, wallpaper change, Wi-Fi direct, wearables | ||
| Devices | com.samsung.android.knox.permission.KNOX_REMOTE_CONTROL | Remotely inject key/motion events and capture/stream the device display; remotely inject key, pointer, and trackball events into the device UI | ||
| Devices | com.samsung.android.knox.permission.KNOX_ROAMING | Control device roaming settings | ||
| Security | com.samsung.android.knox.permission.KNOX_CERT_PROVISIONING | Manage certificates: install, list, configure app usage; manage credential storage: reset, unlock | ||
| Security | com.samsung.android.knox.permission.KNOX_CLIPBOARD | Add, read, and clear clipboard data | ||
| Security | com.samsung.android.knox.permission.KNOX_FIREWALL | Configure firewall rules to restrict Internet access to IP addresses or domains | ||
| Security | com.samsung.android.knox.permission.KNOX_REMOTE_ATTESTATION | Verify that a device has authorized firmware | ||
| Security | com.samsung.android.knox.permission.KNOX_RESTRICTION_MGMT | Restrict features such as airplane mode, Android Beam, background process limit, clipboard share, data saving, developer mode, factory reset, fast encryption, firmware recovery, Google sync, killing activities, lock | ||
| Security | com.samsung.android.knox.permission.KNOX_SECURITY | Control device accounts such as those supported by the native e-mail app and Google account; control password policies for a secure Knox container; control security features like data encryption; control password policies for a device; customize the font on a device; manage certificates and keystores; customize the device lock screen: wallpaper, image, emergency number; control the global proxy used by a device; customize the banner message shown during a device reboot | ||
| Security | com.samsung.android.knox.permission.KNOX_SENSITIVE_DATA_PROTECTION | Manipulate files as sensitive: set, create, remove from sensitive database | ||
| Security | com.samsung.android.knox.permission.KNOX_SPDCONTROL | Enable, disable automatic security policy updates | ||
| VPN | com.samsung.android.knox.permission.KNOX_VPN | Create, configure, update, and delete Android VPN profiles | ||
| Knox POS SDK | Security | com.samsung.android.knox.permission.KNOX_ENHANCED_ATTESTATION | Verify that a device has authorized firmware using the EnhancedAttestationPolicy | |
| Knox Tizen SDK | Apps | http://developer.samsung.com/tizen/privilege/mdm.application | Manage apps: install, uninstall, enable, disable, set behavior, get notifications, get state | |
| Connections | http://developer.samsung.com/tizen/privilege/mdm.bluetooth | Control Bluetooth settings, enable or disable Bluetooth access | ||
| Connections | http://developer.samsung.com/tizen/privilege/mdm.wifi | Control Wi-Fi settings, enable or disable Wi-Fi access | ||
| Devices | http://developer.samsung.com/tizen/privilege/mdm.datetime | Control the device date and time settings | ||
| Devices | http://developer.samsung.com/tizen/privilege/mdm.device | Control device settings | ||
| Devices | http://developer.samsung.com/tizen/privilege/mdm.kiosk | Manage a basic Kiosk mode on a device | ||
| Devices | http://developer.samsung.com/tizen/privilege/mdm.location | Control location services settings | ||
| Devices | http://developer.samsung.com/tizen/privilege/mdm.misc | Control miscellaneous device policies | ||
| Devices | http://developer.samsung.com/tizen/privilege/mdm.phonerestriction | Control phone settings and restrictions, limit incoming or outgoing SMS and phone call | ||
| Devices | http://developer.samsung.com/tizen/privilege/mdm.restriction | Control device settings and restrictions | ||
| Devices | http://developer.samsung.com/tizen/privilege/mdm.roaming | Control data roaming settings | ||
| Security | http://developer.samsung.com/tizen/privilege/knox.attestation | Verify that a device has authorized firmware | ||
| Security | http://developer.samsung.com/tizen/privilege/mdm.firewall | Configure firewall rules to restrict Internet access to IP addresses or domains | ||
| Security | http://developer.samsung.com/tizen/privilege/mdm.password | Control password settings | ||
| Security | http://developer.samsung.com/tizen/privilege/mdm.security | Control device security settings and restrictions, configure lockscreen settings, and install security certificates | ||
| Premium | Knox SDK | Apps | com.samsung.android.knox.permission.KNOX_ADVANCED_APP_MGMT | Access external SD card |
| Connections | com.samsung.android.knox.permission.KNOX_EBILLING | Separate the bills for personal and enterprise data usage | ||
| Container | com.samsung.android.knox.permission.KNOX_CONTAINER | Configure a secure Knox container | ||
| Container | com.samsung.android.knox.permission.KNOX_CONTAINER_RCP | Manage data import to and export from the container | ||
| Customization | com.samsung.android.knox.permission.KNOX_CUSTOM_DEX | Customize the UI and UX of DeX mode | ||
| Customization | com.samsung.android.knox.permission.KNOX_CUSTOM_PROKIOSK | Manage the premium ProKiosk mode on a customized device | ||
| Customization | com.samsung.android.knox.permission.KNOX_CUSTOM_SETTING | Configure settings on a customized device | ||
| Customization | com.samsung.android.knox.permission.KNOX_CUSTOM_SYSTEM | Configure system behavior on a customized device | ||
| Security | com.samsung.android.knox.permission.KNOX_ADVANCED_RESTRICTION | Control firmware updates, ODE trusted boot verification, Common Criteria mode | ||
| Security | com.samsung.android.knox.permission.KNOX_ADVANCED_SECURITY | Enable/disable multi-factor authentication, lock/unlock a user | ||
| Security | com.samsung.android.knox.permission.KNOX_AUDIT_LOG | Enable/disable the log used for forensic analysis of the device | ||
| Security | com.samsung.android.knox.permission.KNOX_CCM_KEYSTORE | Manage certificates in the TIMA Client Certificate Manager (CCM) | ||
| Security | com.samsung.android.knox.permission.KNOX_CERTIFICATE | Manage certificates: disable, restrict install, get notifications, enable revocation status check | ||
| Security | com.samsung.android.knox.permission.KNOX_CERTIFICATE_ENROLLMENT | Enroll, renew, delete certificates using SCEP, EST-CMC and CMP | ||
| Security | com.samsung.android.knox.permission.KNOX_DLP_MGMT | Configure Data Loss Prevention (DLP) | ||
| Security | com.samsung.android.knox.permission.KNOX_ENHANCED_ATTESTATION | Verify that a device has authorized firmware, using the EnhancedAttestationPolicy | ||
| Security | com.samsung.android.knox.permission.KNOX_NPA | Manage Network Platform Analytics: register/unregister/list network monitor profiles, get platform version | ||
| Security | com.samsung.android.knox.permission.KNOX_SEAMS_MGMT | Create secure containers using SE for Android Management Service (SEAMS) | ||
| Security | com.samsung.android.knox.permission.KNOX_TIMA_KEYSTORE | Enable, disable the TIMA Keystore | ||
| Security | com.samsung.android.knox.permission.KNOX_TIMA_KEYSTORE_PER_APP | Enable, disable the TIMA Keystore per application | ||
| VPN | com.samsung.android.knox.permission.KNOX_VPN_CONTAINER | Configure SSL/IPSEC VPN profiles in a secure Knox container | ||
| VPN | com.samsung.android.knox.permission.KNOX_VPN_GENERIC | Configure SSL/IPSEC VPN profiles on a device | ||
| Knox Tizen SDK | Customization | http://developer.samsung.com/tizen/privilege/knoxcustom.admin | Register or enroll a Knox Custom client application that can manage a device | |
| Customization | http://developer.samsung.com/tizen/privilege/knoxcustom.prokiosk | Manage Prokiosk mode (premium version of Kiosk mode) on a device | ||
| Customization | http://developer.samsung.com/tizen/privilege/knoxcustom.setting | Control system settings and manage device features; enable or disable airplane mode; set Wi-Fi, mobile data, bluetooth, and data roaming states; set watch face; set power-saving mode | ||
| Customization | http://developer.samsung.com/tizen/privilege/knoxcustom.system | Manage system functionality, enable or disable automatic call answering mode | ||
| DualDAR | Knox SDK | Security | com.samsung.android.knox.permission.KNOX_DUAL_DAR | Provide two separate layers of data encryption and key generation for stronger security |
| UCM | Knox SDK | Security | com.samsung.android.knox.permission.KNOX_UCM_MGMT | Manage third-party credential storage (enable or disable the storage, install certificates and manage the access control), register with the UCM framework as an external credential storage agent, enforce the credential storage as a Lock Type or device encryption so that other admins cannot override it |
See also:
Is this page helpful?