How is the Knox container affected by VPN On-Premise Bypass?

The Knox container is not affected by VPN profiles provisioned outside of the container, no matter what type of VPN profile it is. For VPN On-Premise Bypass to apply to container apps, the profile must be provisioned inside the container.

Apps affected by VPN On-Premise Bypass need to be configured on a “per-app” basis. If "device wide*" behavior is desired, this can be achieved by associating all applications the VPN profile. Container applications need to be separately associated to VPN profiles.

You can use Knox to manage VPN connections, but only for user accounts that you control. This typically includes the default user and any Knox Workspaces that you activate. VPN connections for apps installed in user accounts that you don’t control, such as those created for Android for Work managed profiles, must be managed separately.