Managed configuration

  • Profile name
    Add a unique profile name that highlights the policies and restrictions applicable to this profile. You can later use the name for tracking and debugging. To ensure a good user experience, we recommend using a name shorter than 50 characters.
  • KPE Premium License key
    If your UEM console supports KPE license information, enter your KPE License there. For UEM consoles not showing this information, enter your KPE License Key for your Knox Premium license in this field. This field does not apply to BlackBerry users. Applies to devices running Android P and Knox v3.2.1 or higher. To buy a Premium license, contact your Samsung Knox Reseller.
  • Debug Mode
    The informative mode shows policy results and errors on the device. We recommend enabling this mode only during the test phases and not during final deployment.
  • Device-wide policies (Device Owner)
    A global group of policies and restrictions that are applicable to all users of the device. This list includes items that impact all users on the device, whether they fall under personal or work profiles. Availability: Knox 3.0 and above.
    • Enable device policy controls
      Use this control to enable or disable device-wide policies. Enable this option before using any of the Device-wide policies. If this option is disabled, KSP does not apply any policies in the default user (User 0).
    • DeX policy
      A group of policies for Samsung DeX control and customization, including items related to enabling and disabling DeX, managing DeX restrictions, and customization of the DeX experience for the user. Availability: Knox v3.1 or higher.
      • Enable DeX policy controls
        Use this control to enable or disable DeX mode controls for the device. Enable DeX controls before using any of the DeX restriction policies. If DeX controls are not enabled, any settings for items in the DeX Policy group are ignored.
      • Manage DeX restrictions
        Use these controls to turn individual DeX restrictions on or off. Availability: Knox v3.1 or higher.
        • Allow Dex connection
          Use this control to allow the device to accept DeX connections on your phone.
        • Enforce the use of Ethernet connection
          Use this control to enforce the use of Ethernet connectivity in DeX mode. When this functionality is enabled, cellular data, Wi-Fi, and other such connections are not available in DeX mode. By default, Ethernet use is not enforced.
        • Enforce the use of virtual MAC address
          Enable this control to use a virtual MAC address for a device in DeX mode to differentiate between the different modes of the device on your network.
        • Manage list of apps disabled in DeX mode
          Use this control to list the apps that are disabled when the device is in DeX mode. Enter the values as a comma-separated list of package names. To find a package name, use a browser on a computer to open the app's page on the Play Store and take the value shown after “id=” in the app's URL.
      • Customize Dex Experience
        Use this control to enable customization of your DeX mode. Availability is for devices running Knox v3.1 or higher with a Premium license.
      • DeX customization profile
        Use this control to add a unique DeX profile name that highlights the DeX policies applicable to this profile. This profile name must match the value set as the "DeX profile name" in the DeX customization profile section.
    • VPN policy
      A group of policies for VPN setup and configuration. IT admins can enforce these policies for fully managed devices with or without a Work profile. Availability: All Knox versions with a Premium license.
      • Enable VPN controls
        Use this control to enable or disable VPN controls for the device. Enable VPN controls before changing any VPN related settings. If VPN controls are not enabled, any settings for VPN related items are ignored.
      • VPN type
        Choose the VPN type applicable to the apps on the device. For fully managed devices without a Work profile, choose between all apps or specific apps. For devices with a Work profile, choose between all three options.
      • Manage list of apps that use VPN
        Use these controls to add a list of applications at a device-wide or Work profile-specific level that can bypass VPN and connect to the network directly.
        • Select apps in the device, in the main user
          For fully managed devices with app-specific VPN, enter a comma-separated list of package names to specify apps that must use VPN to connect. For devices with a Work profile, enter the Personal profile apps that must use VPN to connect. To use VPN for all apps, do not enter any app names. Default value is all apps.
        • Select apps in the work profile
          For fully managed devices with a Work profile and the VPN type set to Selected Apps, enter the list of Work profile apps that must use VPN to connect. Enter a comma-separated list of package names to specify the apps. To use VPN for all Work profile apps, leave blank. Default value is all apps.
      • Enable on-demand VPN
        For fully managed devices with or without a Work profile, enter a comma-separated list of package names to specify apps that can bypass VPN connections. To use VPN for all apps, do not enter any app names.
      • Manage list of apps that can bypass VPN
        Use these controls to add a list of applications at a device-wide or Work profile-specific level that can bypass VPN and connect to the network directly.
        • Apps in main user
          For fully managed devices with or without a Work profile, enter a comma-separated list of package names to specify apps that can bypass VPN connections. To use VPN for all apps, do not enter any app names.
        • Apps in work profile
          For fully managed devices with a Work profile, enter a comma-separated list of package names to specify apps that can bypass VPN connections. To use VPN for all apps, do not enter any app names.
      • Name of VPN profile to use
        Enter the name of the primary VPN configuration profile that apps can use for network connections. This profile name must match the "Profile name" value set in one of the "VPN profiles" below.
      • Enable VPN chaining
        Use this control to enable the use of two VPNs to double-encrypt the data traffic from apps added to the VPN profile.
      • Name of secondary VPN profile to use
        For devices with multiple VPN profiles, enter the name of the outer VPN configuration profile. This VPN server decrypts all data before passing it to the VPN client. This profile name must match the value set in the VPN profiles section.
    • Firewall and Proxy policy
      A group of policies for firewall setup and configuration. IT admins can enforce these policies for fully managed devices with or without a Work profile. Availability: All Knox versions.
      • Enable firewall controls
        Use this control to enable or disable the firewall controls for fully managed devices with or without a Work profile.
      • Name of firewall configuration to use
        Enter the name of the primary firewall configuration profile that apps can use for network connections. This profile name must match the value set in the Firewall profiles section.
      • Enable Proxy on device
        Use this control to enable or disable a global proxy on a device that routes all internet traffic through a proxy server of your choice. This works for both Wi-Fi and data connections. You can use either a fixed proxy server address or a proxy auto-config (PAC) file. Depending on your selection here, the settings provided in either the "Manual proxy configuration" or the "Proxy auto configuration" section below are used.
    • Call and Messaging control
      A group of policies to manage device-wide call and messaging restrictions.
      • Enable call and messaging controls
        Use this control to enable or disable the phone call and text messaging functionality on the device.
      • Manage RCS messaging
        Use this control to block RCS on the device. RCS (Rich Communication Services) is an advanced messaging system that aims to make SMS messages more interactive, for example by letting users transmit in-call multimedia. By default, RCS messaging is allowed.
    • Device Restrictions
      A group of controls to allow or block specific operations on the user's device. Availability: Knox v2.7 or higher with a Standard license.
      • Enable device restriction controls
        Use this control to enable or disable restriction controls for the device. Enable these controls before changing any device restriction settings. If these controls are not enabled, any device restriction settings are ignored.
      • Allow microphone
        Use this setting to disable the microphone without user interaction. Disabling this control restricts the use of the microphone for recording purposes, but does not impact the use of the phone application on the device.
      • Allow WiFi
        Use this control to allow or restrict the device's ability to connect to Wi-Fi networks.
      • Allow WiFi Direct
        Use this control to allow or restrict the device's ability to connect to Wi-Fi Direct networks.
      • Allow Bluetooth
        Use this control to allow or restrict the device's ability to make Bluetooth connections.
      • Allow cellular data
        Use this control to allow or restrict the device's ability to use the cellular data connection.
      • Tethering controls
        A group of controls to configure the use of tethering technologies on the device.
        • Allow tethering
          Use this control to allow or block all types of tethering on the device. Enable this control before changing any other tethering settings. If this control is not enabled, any changes to other tethering settings are ignored.
        • Allow WiFi tethering
          Use this control to allow or block tethering on Wi-Fi. If the use of all tethering is disabled, changing these settings has no impact.
        • Allow Bluetooth tethering
          Use this control to allow or block tethering on Bluetooth. If the use of all tethering is disabled, changing these settings has no impact.
        • Allow USB tethering
          Use this control to allow or block tethering on USB. If the use of all tethering is disabled, changing these settings has no impact.
      • Allow USB media player
        Use this control to enable or disable the use of an external USB media player on the device.
      • Allow USB host storage
        Use this control to enable or disable the use of an external USB storage device, such as an external hard disk or a flash drive.
      • Setup USB exception list
        If the Allow USB host storage setting is enabled, use this control to configure the use of one or more classes of USB devices or USB composite devices on the mobile device. If the Allow USB host storage setting is disabled, any settings in this section have no impact. A USB composite device is a peripheral device that supports more than one device class. If you use this policy to control a USB composite device, ensure that you add all supported classes to the exception list.
      • Allow USB debugging
        Use this control to allow or prevent the device from entering USB debugging mode.
      • Allow developer mode
        Use this control to allow or prevent the device from entering developer mode.
      • Allow Share Via option
        Use this control to enable or disable the Share Via option, which presents the user with options to share data from one application to another.
      • Allow power saving mode
        Use this control to allow or prevent the device from entering Power Saver mode automatically.
      • Allow data saver mode
        Use this control to allow or prevent the device from entering Data Saver mode automatically.
      • Allow VPN connections
        Use this control to enable or disable VPN connections on the device.
      • Allow user to modify Settings
        Use this control to allow or restrict the user from changing the device settings.
      • Enforce external storage encryption
        Use this control to enable external storage (SD Card) encryption. Enabling this option prompts the user to start encryption. For security reasons, we recommend setting the policy to use an alphanumeric password.
    • Advanced Restriction policies
      A group of controls to manage advanced restriction policies. A KPE Premium license is required for all policies in this group.
      • Enable Advanced Restrictions controls
        Use this control to enable advanced controls on the device.
      • Allow wi-fi scanning
        Use this control to block the device from scanning for Wi-Fi networks in range, which it does to improve the accuracy of location detection. Availability: Knox 3.2 or higher.
      • Allow bluetooth scanning
        Use this control to block the device from scanning for Bluetooth devices in range, which it does to improve the accuracy of location detection. Availability: Knox 3.2 or higher.
      • Allow remote control
        Use this control to block connections to the device made with third-party remote control apps. Availability: Knox 3.0 or higher.
      • Enable Common Criteria (CC) mode
        Use this control to enable services to bring the device into the Common Criteria-evaluated configuration, called CC Mode. For devices enrolled in a UEM, these settings are set at the UEM level.
      • Allow dual SIM operation
        Use this control to enable or disable the secondary SIM card slot on a dual SIM device. Disabling this policy blocks functions on the second SIM, preventing calls, SMS / MMS and data. Enabling the policy returns all ordinary functions to the previously blocked SIM. This policy is ignored by devices that only have one SIM.
    • Firmware update (FOTA) policy
      A group of controls to configure firmware updates settings. Availability: Knox v2.0 or higher.
      • Enable firmware controls
        Use this control to enable or disable advanced firmware update options. If this control is disabled, any changes to other firmware update related settings have no impact.
      • Allow firmware update over-the-air
        Use this control to enable or disable firmware updates using Firmware-Over-The-Air (FOTA) technology. When this policy control is set to false, all possible OTA upgrade requests (user initiated, server initiated, and system initiated) are blocked; the user may see server messages related to new firmware updates, but any attempt to upgrade fails. This does not block the user from updating firmware using recovery mode.
      • Allow firmware update in recovery mode
        Use this control to enable or disable firmware updates when the device is in recovery mode. Recovery Mode is a device mode which allows users to factory reset, fix some problems or apply software updates on the device. If the firmware controls are disabled, any changes to this setting have no impact.
      • Enforce firmware auto update on Wi-Fi
        Use this control to enable or disable automatic firmware updates when the device is connected to a Wi-Fi network. Enabling this control turns on the device setting to auto-update on Wi-Fi and blocks the user from modifying it. Disabling this control resets the setting and allows the user to freely modify it on the device. If the firmware controls are disabled, any changes to this setting have no impact. Availability: Premium license.
    • Password Policy
      A group of policies to manage password policies on the device, including enabling or disabling the ability to manage passwords and other authentication methods to log in to the device.
      • Enable password policy controls with KSP
        Use this control to allow management of password policies on the device. Enable this option before changing any password related settings. If this option is not enabled, any settings for password and other authentication related items are ignored.
      • Biometric authentication
        A group of policies to manage the biometric authentication option without user interaction. Availability: Knox v2.3 or higher.
        • Enable fingerprint authentication
          Use this control to allow or stop the use of fingerprint recognition for authentication.
        • Enable Iris authentication
          Use this control to allow or stop the use of iris recognition for authentication.
        • Enable Face recognition
          Use this control to allow or stop the use of facial recognition for authentication.
      • Enable multifactor authentication
        Use this control to enable or disable multifactor authentication (2FA). Once enabled, a device is only unlocked after two authentication methods are provided, including one biometric input (face / iris / fingerprint) and one lock screen method (PIN / password / pattern). This feature is available only on Knox 3.2.1 and above. Caution: Incorrect use of this policy together with “One Lock” and “Biometric policy” can lock your device.
    • Application management policies
      A group of policies to configure and manage applications on the device.
      • Enable application management controls
        Use this control to enable or disable advanced application management settings.
      • Battery optimization whitelist
        Use this control to exempt applications from battery usage optimizations such as Android Doze mode. For a fully managed device with a Work profile, enter the list of applications on the personal profile to whitelist. To specify Work profile-only apps, go to the Work Profile Policies > App Management section. Enter a comma-separated list of package names to specify the apps to whitelist. Availability: Knox v2.7 or higher.
      • Notifications whitelist
        Use this control to stop applications from showing notifications on the status bar. When this policy is enabled, notifications from all applications are blocked except for the apps specified in this whitelist. Enter the values as a comma separated list, for example, "com.xyz, com.abc". You can also use a wildcard to add all apps to the whitelist, for example, "com.xyz.*".
    • Device Admin whitelisting
      A group of policies to manage Device Administrator (DA) privileges for specific apps when KSP is launched on the device. By default, DA-level access is blocked for all apps. KSP cannot deactivate DA-level access for an app that was already activated before KSP is launched.
      • Enable device admin controls
        Use this control to enable or disable Device Admin whitelisting control for applications on a device where KSP is launched.
      • Whitelisted DAs
        By default, KSP will block activation of any application as device admin, except those specified in this whitelist. Enter a comma-separated list of packages to specify the list of apps to whitelist.
    • Device customization controls
      A group of policies to customize the device user interface. Configure the "Device customization profile" that the device user must use in this section. Availability: Premium license with Customization permissions.
      • Enable device customization
        Use this control to enable or disable device customization.
      • Device customization profile to use
        When device customization control is enabled, use this field to configure the name of the "device customization profile" to use. This should match the "Device customization profile name".
    • Device Controls
      A group of policies to manage device controls, such as APN settings, NFC policies, certificate management, and more.
      • APN Setting Policy
        A group of policies to create, update and remove Access Point Name (APN) settings on the device.
        • Enable APN settings policy control
          Use this control to enable or disable APN settings for the device. Enable this control before changing any APN settings. If this control is not enabled, any APN settings are ignored.
        • Name of APN Configuration to add or update
          Enter the name of the APN configuration profile that needs to be added or updated. Ensure that the name used here matches at least one name in the APN configuration > name field, for example, “samsungAPN3”.
      • NFC Policy
        A group of policies to control Near Field Communications (NFC) settings, for example, turning NFC on or off.
        • Enable NFC policy controls
          Use this control to enable or disable NFC settings for the device. Enable this control before changing any NFC settings. If this control is not enabled, any NFC settings are ignored.
        • Turn on NFC
          Use this control to turn NFC on or off. If this setting is disabled, NFC-related functions such as NFC-based payment systems or NFC tags do not work.
        • Allow user to change NFC state
          Use this setting to allow or prevent users from changing the current NFC state (on or off).
    • Enterprise Billing policy
      A group of policies to control Enterprise Billing policies. This allows separate bill generation for both personal and enterprise data usage, accomplished by routing respective traffic through 2 different APNs on a device. Before using this feature, check that it is supported by your network operator.
      • Enable enterprise billing policy
        Use this control to enable or disable Enterprise Billing settings for the device. Enable this control before changing any Enterprise Billing settings. If this control is not enabled, any Enterprise Billing settings are ignored.
      • Name of APN configuration to use for Enterprise apps
        Use this to specify the names of the APN configurations for Enterprise Billing. If you have more than one, enter the values as a comma-separated list, for example, "APN_1, APN_2".
      • List of apps to use enterprise billing
        Use this to set up the list of apps that should use Enterprise Billing. Enter the values as a comma-separated list of application packages, for example, "com.xyz, com.abc".
      • VPN profile names to use enterprise billing
        Use this to specify the names of the VPN profiles to route over the Enterprise Billing APN. Enter the values as a comma-separated list of VPN profile names, for example, "VPN profile 1, VPN profile 2".
      • Allow roaming
        Use this to allow or prevent devices from using enterprise data while roaming when configured with Enterprise Billing. If enabled, enterprise data stays connected while roaming. If prevented, apps using enterprise data do not connect to the network.
    • Universal Credential Manager policy
      A group of policies to manage credentials in both external and internal device storage, for example, a smartcard, micro SD card, or embedded Secure Element. A KPE Premium license is required for all policies in this group.
      • Enable UCM policy controls
        Use this control to enable or disable UCM policies. Enable this option before using any of the UCM policies. If this option is disabled, any UCM settings and policies are ignored.
      • UCM plugin for device lock
        A group of policies to specify how to use a UCM plugin for device unlock.
        • Enable UCM plugin for device lock
          Use this control to enable or disable device unlock through a UCM plugin. Enable this option to allow the specified plugin app to use stored credentials to unlock a device. Once enabled, device users cannot change the lock type. Disable to let device users control the lock type.
        • Name of UCM plugin configuration to use
          Enter the name of a UCM plugin configuration, which specifies how credential storage is used. Ensure that the name used here matches at least one name in the UCM Plugin Configurations > Name field.
        • Show lock type settings directly
          Enable this control to display a screen showing the screen lock setting when UCM plugin for device lock is turned on. Disable if device users must go to device Settings to view or change the lock type.
      • General purpose UCM plugin
        A group of policies to control a credential storage and UCM plugin that manages the credential storage.
        • Enable a general purpose UCM plugin
          Use this control to enable or disable a general purpose UCM plugin. Enable this option to manage a credential storage and the UCM Plugin used to access the storage. Disable to prohibit general access to the storage space.
        • Name of UCM plugin configuration to use
          Enter the name of a UCM plugin configuration, which specifies how credential storage is used. Ensure that the name used here matches at least one name in the UCM Plugin Configurations > Name field.
    • Certificate management policies
      A group of policies to control certificate management settings, for example, disabling certificates, restricting certificates, and more.
      • Enable certificate management controls
        Use this control to enable or disable certificate management settings for the device. Enable this control before changing any certificate management settings. If this control is not enabled, any Enterprise certificate management policy is ignored.
      • Certificate revocation
        Choose the Certificate revocation method most appropriate for your devices.
        • Enable revocation check
          Use this to check certificate validation. For example, if you list “com.samsung.email” in a whitelist, any certificate used by this app for S/MIME encryption or signing is first checked against a Certificate Revocation List (CRL) to verify that it is still valid. Enter the application package names to check as a comma-separated list, for example, “com.xyz, com.abc”.
        • Enable OCSP check before CRL
          Use this to perform certificate validation using OCSP before checking a CRL. If the OCSP response is inconclusive, the device performs a CRL check.
        • List of apps to enable for verification
          Use this to perform certificate revocation on a list of applications. Enter the values as a comma separated list of the application packages, for example, “com.xyz, com.abc”.
  • Work profile policies (Profile Owner)
    A group of policies and restrictions that are applicable to the Work profile user of the device.
    • Enable work profile policies
      Enable this setting before using any of the Work Profile policies. If this setting is disabled, KSP does not apply any policy changes inside the Work Profile.
    • VPN policy
      A group of policies for Knox VPN setup and customization. Availability: All Knox versions with a Premium license.
      • Enable VPN controls
        Use this control to enable or disable VPN controls for the device. Enable VPN controls before changing any VPN related settings. If VPN is not enabled, any settings for VPN related items are ignored.
      • VPN type
        For devices with a Work profile, choose the VPN type applicable to the apps in the work profile. Choose between all apps in the Work profile or specific apps within the Work profile.
      • Manage list of apps that can use VPN
        For devices with a Work profile and where the VPN type is set to Selected Apps, enter a comma-separated list of package names to specify apps that must use VPN to connect. To use VPN for all apps within the Work profile, do not enter any app names.
      • Enable on-demand VPN
        For devices with a Work profile and where the VPN type is set to Selected Apps, use this control to start VPN on-demand when one of the specified apps connects to the network. When no apps are in use, VPN is terminated. By default, all apps use VPN on-demand.
      • Manage list of apps that can bypass VPN
        For devices with a Work profile, enter a comma-separated list of package names to specify apps that can bypass VPN connections. To use VPN for all apps, do not enter any app names.
      • Name of VPN profile to use
        Enter the name of the primary VPN configuration profile that apps can use for network connections. This name must match the "profile name" of one of the profiles in the "VPN profiles" section.
      • Enable VPN chaining
        Use this control to enable the use of two VPNs to double-encrypt the data traffic from apps added to the VPN profile. By default, this value is set to disallow VPN chaining.
      • Name of secondary VPN profile
        For devices with multiple VPN profiles, enter the name of the outer VPN configuration profile. This VPN server decrypts all data before passing it to the VPN client. This name must match the "profile name" of one of the profiles in the "VPN profiles" section.
    • Firewall policy
      A group of policies for firewall setup and configuration. IT admins can enforce these policies for devices with a Work profile. Availability: All Knox versions.
      • Enable firewall controls
        Use this control to enable or disable the firewall controls for the Work profile.
      • Name of firewall configuration to use
        Enter the name of the primary firewall configuration profile that apps can use for network connections. This profile name must match the value set in the Firewall profiles section.
    • Restrictions in work profile
      A group of controls to allow or block specific operations in the work profile user. Availability: Knox v2.7 or higher with a Standard license.
      • Enable work profile restriction controls
        Enable this before using any of the Work Profile Restrictions below. If this is disabled, KSP will ignore any value set below and will not enforce any restrictions.
      • Allow microphone
        Use this setting to disable the microphone without user interaction. Disabling this control restricts the use of the microphone for recording purposes, but does not impact the use of the phone application on the device.
      • Allow Share Via option
        Use this control to enable or disable the Share Via option, which presents the user with options to share data from one application to another.
    • Advanced restrictions in work profile
      A group of controls to manage advanced restriction policies on the Work Profile. Availability: Premium license.
      • Enable advanced restrictions in work profile
        Use this control to enable advanced controls in the Work Profile, such as Wi-Fi or Bluetooth scanning.
      • Allow remote control
        Use this control to block connections to the device made with third-party remote control apps.
    • Password Policy
      A group of policies to manage password policies on the device, including enabling or disabling the ability to manage passwords and other authentication methods to log in to the Work profile. These policies apply to all devices with a Work profile.
      • Enable password policy controls with KSP
        For devices with a Work profile, use this control to allow management of password policies on the Work profile. Enable this option before changing any related settings. If this option is not enabled, any settings for password and authentication related items are ignored.
      • Biometric authentication
        A group of policies to manage the biometric authentication options without user interaction. Knox Workspace does not use facial recognition as an authentication method.
        • Enable fingerprint authentication
          Use this control to allow or stop the use of fingerprint recognition for authentication.
        • Enable Iris authentication
          Use this control to allow or stop the use of iris recognition for authentication.
      • Enable multifactor authentication
        Use this control to enable or disable multifactor authentication (2FA). Once enabled, the workspace is only unlocked after two authentication methods are provided, including one biometric input (face / iris / fingerprint) and one lock screen method (PIN / password / pattern). This feature is available only on Knox 3.2.1 and above. Caution: Incorrect use of this policy together with “One Lock” and “Biometric policy” can lock your device.
    • Application management policies
      A group of policies to configure and manage applications inside the Work Profile on the device.
      • Enable application management controls
        Use this control to enable or disable advanced application management settings.
      • Battery optimization whitelist
        Use this control to exempt applications from battery usage optimizations such as Android Doze mode. For a fully managed device with a Work profile, enter the list of applications on the personal profile to whitelist. To specify Work profile-only apps, go to Work Profile Policies > App Management section. Enter a comma-separated list of package names to specify the apps to whitelist. Availability: Knox v2.7 or higher.
      • Notifications whitelist
        Use this control to stop applications from showing notifications on the status bar. When this policy is enabled, notifications from all applications in the workspace are blocked except for the apps specified in this whitelist. Enter the values as a comma separated list, for example, "com.xyz, com.abc". You can also use a wildcard to add all apps to the whitelist, for example, "com.xyz.*".
    • Device Admin whitelisting
      A group of policies to manage Device Administrator (DA) privileges to specific apps when KSP is launched on the device. By default, DA level access is blocked for all apps. KSP cannot deactivate DA level access for an app that is already activated before KSP is launched.
      • Enable device admin controls
        Use this control to enable or disable Device Admin whitelisting control for applications on a device where KSP is launched.
      • Whitelisted DAs
        By default, KSP will block activation of any application as device admin, except those specified in this whitelist. Enter a comma-separated list of packages to specify the list of apps to whitelist.
    • Enterprise Billing policy
      A group of policies to control Enterprise Billing policies. This allows separate bill generation for both personal and enterprise data usage, accomplished by routing respective traffic through 2 different APNs on a device. Before using this feature, check that it is supported by your network operator.
      • Enable enterprise billing policy
        Use this control to enable or disable Enterprise Billing settings for the device. Enable this control before changing any Enterprise Billing settings. If this control is not enabled, any Enterprise Billing settings are ignored.
      • Name of APN configuration to use for Enterprise apps
        Use this to specify the names of the APN configurations for Enterprise Billing. If you have more than one, enter the values as a comma-separated list, for example, "APN_1, APN_2".
      • Apps to use Enterprise billing
        Use this to specify whether you would like to set up all apps in the workspace or specific apps only to use Enterprise Billing.
      • List of apps to use enterprise billing
        Use this to set up the list of apps within the workspace that should use Enterprise Billing. Enter the values as a comma-separated list of the application packages, for example, "com.xyz, com.abc".
      • VPN profile names to use enterprise billing
        Use this to specify the names of the VPN profiles to route over the Enterprise Billing APN. Enter the values as a comma-separated list of the VPN profile names, for example, "VPN profile 1, VPN profile 2".
      • Allow roaming
        Use this to allow or prevent devices from using enterprise data while roaming when configured with Enterprise Billing. If enabled, enterprise data stays connected while roaming. If prevented, apps using enterprise data do not connect to the network.
    • Universal Credential Manager policy
      A group of policies to manage credentials in both external and internal device storage, for example, a smartcard, micro SD card, or embedded Secure Element. A KPE Premium license is required for all policies in this group.
      • Enable UCM policy controls
        Use this control to enable or disable UCM policies in the workspace. Enable this option before using any of the UCM policies. If this option is disabled, any UCM settings and policies are ignored.
      • UCM plugin for workspace lock
        A group of policies to specify how to use a UCM plugin for device unlock.
        • Enable UCM plugin for workspace lock
          Use this control to enable or disable device unlock through a UCM plugin. Enable this option to allow the specified plugin app to use stored credentials to unlock the workspace. Once enabled, device users cannot change the lock type. Disable to let device users control the lock type.
        • Name of UCM plugin configuration to use
          Enter the name of a UCM plugin configuration, which specifies how credential storage is used. Ensure that the name used here matches at least one name in the UCM Plugin Configurations > Name field.
        • Show lock type settings directly
          Enable this control to display a screen showing the screen-lock setting when UCM plugin for workspace lock is turned on. Disable if device users must go to workspace Settings to view or change the lock type.
      • General purpose UCM plugin
        A group of policies to control a credential storage and UCM plugin that manages the credential storage.
        • Enable a general purpose UCM plugin
          Use this control to enable or disable a general purpose UCM plugin. Enable this option to manage a credential storage and the UCM Plugin used to access the storage. Disable to prohibit general access to the storage space.
        • Name of UCM plugin configuration to use
          Enter the name of a UCM plugin configuration, which specifies how credential storage is used. Ensure that the name used here matches at least one name in the UCM Plugin Configurations > Name field.
    • Certificate management policies
      A group of policies to control certificate management settings. For example, disable certificates, restrict certificates and more.
      • Enable certificate management controls
        Use this control to enable or disable certificate management settings for the workspace. Enable this control before changing any certificate management settings. If this control is not enabled, any Enterprise certificate management policy is ignored.
      • Certificate revocation
        Choose the Certificate revocation method most appropriate for your workspace.
        • Enable revocation check
          Use this to check certificate validation. For example, if you list “com.samsung.email” in a whitelist, any certificates used by this app for S/MIME encryption or signing are first checked against a Certificate Revocation List (CRL) to verify that they are still valid. Enter the application package names to check as a comma-separated list, for example, “com.xyz, com.abc”.
        • Enable OCSP check before CRL
          Use this to perform certificate validation using OCSP before checking a CRL. If the OCSP response is inconclusive, the device performs a CRL check.
        • List of apps to enable for verification
          Use this to perform certificate revocation on a list of applications. Enter the values as a comma separated list of the application packages, for example, “com.xyz, com.abc”.
  • DeX customization profile
    A group of settings that help customize Samsung DeX experience for the user. These features are available only with a KPE Premium license.
    • DeX profile name
      Use this control to add a unique DeX profile name that highlights the DeX policies applicable to this profile. This name must be used as reference in the “DeX customization profile” of the “DeX policy” section at the device-wide group.
    • Set Home alignment
      Select the alignment of apps and icons for the homescreen when the device is in DeX mode. Available options are sort items by type, by item name in alphabetical order, or in a custom grid arrangement. Default value is custom grid.
    • Set screen timeout
      Enter the duration for which the device must be inactive in DeX mode before the screen times out. Default duration of inactivity is 30 seconds.
    • Allow screen timeout change
      Change this setting to allow or block device users to modify the screen timeout settings when the device is in DeX mode. Default value is set to allow device users to modify the timeout settings.
    • Set loading logo
      Use these controls to add the logo or image to show on the display when the device is starting DeX mode.
      • Logo image location type
        Select the appropriate source type for the location of your image file. To use the Base64 string option, convert the source PNG image file to a Base64 encoded string and copy the data to the “Logo image file” field. Be aware that some UEM consoles may set size limits. To provide the logo as Web URL type, use a public URL that KSP can access. To provide the logo as a local file path, ensure that the image file is available in that path before KSP is launched and that the path is accessible to the KSP application.
      • Logo image content or location
        Depending upon the source type you selected, enter the file's location path or URL in this field. For the base 64 string source type, add the converted image data in this field.
    • Set DeX wallpaper
      Use these controls to add the wallpaper image to show on the display when the device is in DeX mode. This feature will work only on devices with Knox 3.3, API level 28 and above.
      • Wallpaper image
        Select the appropriate source type for the location of your image file. To use the Base64 string option, convert the source PNG image file to a Base64 encoded string and copy the data to the "wallpaper image file" field. Be aware that some UEM consoles may set size limits. To provide the image as Web URL type, use a public URL that KSP can access. To provide the image as a local file path, ensure that the image file is available in that path before KSP is launched and that the path is accessible to the KSP application.
      • Image content or location
        Depending upon the source type you selected, enter the file's location path or URL in this field. For the base 64 string source type, add the converted image data in this field.
      • Which wallpaper to setup?
        Use this control to indicate which wallpaper(s) to configure with the new imagery.
    • Skip DeX welcome screen
      Change this setting to skip the DeX welcome screen containing the Terms and Conditions that shows when the device first connects to DeX mode.
    • Skip overscan detection screen
      Change this setting to skip automatic detection of overscan boundaries and size adjustment overlay screen on the monitor.
    • Auto-start DeX on HDMI connection
      Change this setting to start DeX mode automatically when HDMI cable is connected to the device. This feature is available on Knox v3.4 or higher.
    • Hide apps in App Drawer
      For devices in DeX mode, enter the list of apps whose icons must be hidden from the App Drawer. These applications will not be disabled. Enter a comma-separated list of package names for the list of applications to hide.
    • Enable mouse cursor flow
      Change this setting to allow extending of the mouse cursor from the monitor to the host device when using a Dual view mode.
    • Add application shortcuts on DeX
      Use these controls to add shortcuts to one or more apps on the device when the device is in DeX mode. Shortcuts work only when the DeX homescreen uses the custom grid.
        • App package name
          The package name of the application that is launched using the app shortcut. You can find the package names on the Play store, under the app’s URL as the information after “id=”.
        • Class name
          If required, enter the class name within the application component to launch. Leave this value empty to launch the application in default view.
        • Position X
          If required, enter the X coordinates of the app shortcut position starting from zero when the device is in DeX mode.
        • Position Y
          If required, enter the Y coordinates of the shortcut position starting from zero when the device is in DeX mode.
    • Add URL shortcuts on DeX
      Use these controls to add shortcuts to one or more URLs on the device when the device is in DeX mode. Shortcuts work only when the DeX homescreen uses the custom grid.
        • URL
          URL of the website to launch.
        • Title
          Title to use for the URL shortcut.
        • Position X
          If required, enter the X coordinates of the URL shortcut position starting from zero when the device is in DeX mode.
        • Position Y
          If required, enter the Y coordinates of the URL shortcut position starting from zero when the device is in DeX mode.
        • Browser to launch the URL
          Select the browser to use to navigate to the URL specified in the shortcut. The choices are Samsung Internet and Google Chrome browsers.
    • Disable buttons on the DeX panel
      Use this control to disable one or more specific buttons that show up on the DeX panel.
  • Device customization profile
    A group of controls to configure and customize the device user's experience. These features are available only with a KPE Premium license with customization permissions.
    • Device customization profile name
      Use this control to add a unique device customization profile name that highlights the settings applicable to this profile. This name must be used as reference in the "Device customization profile to use" field of the "Device customization controls" section at the device-wide group.
    • Samsung keyboard controls
      Use this control to enable and configure Samsung's built-in keyboard.
      • Disable Predictive text
        Use this control to enable or disable the use of predictive text to facilitate typing on the device by suggesting words the device user may want to use in a text field. Predictions are based on the context of other words in the message and the first few letters typed.
      • Disable Keyboard settings
        Use this control to enable or disable the settings that let the user switch between different Samsung Keyboard options.
    • Quick Panel configuration
      A group of policies to customize the access to the Quick Settings Panel on the device.
      • Items on Quick Panel
        Use these controls to hide or show one or more items from the list of shortcuts available in the Quick Settings Panel. Other shortcuts not listed here will be shown by default.
        • Show airplane mode control
          Use this control to show or hide shortcut to the airplane mode control on quick settings panel.
        • Show screen rotation control
          Use this control to show or hide shortcut to the screen rotation control on quick settings panel.
        • Show always-on screen control
          Use this control to show or hide shortcut to the always-on screen control on quick settings panel.
        • Show bluetooth control
          Use this control to show or hide shortcut to the bluetooth control on quick settings panel.
        • Show Samsung DeX control
          Use this control to show or hide shortcut to the Samsung DeX control on quick settings panel.
        • Show mobile hotspot control
          Use this control to show or hide shortcut to the mobile hotspot control on quick settings panel.
        • Show NFC control
          Use this control to show or hide shortcut to the NFC control on quick settings panel.
        • Show background sync control
          Use this control to show or hide shortcut to the background data sync control on quick settings panel.
        • Show Wi-Fi control
          Use this control to show or hide shortcut to the Wi-Fi control on quick settings panel.
      • Allow user to edit Quick Panel
        Use this control to allow or block the device user from editing the configuration of the Quick Settings Panel.
  • VPN profiles
    A group of configuration settings for the VPN profiles used to drive the primary and secondary VPN clients on the device. You can define up to two VPN profiles that are used for VPN Chaining.
      • Profile name
        Enter the name of the VPN profile in this field. Use a unique and descriptive name, including the name of the VPN server and other identifying descriptions. For example, KnoxOuterVPN or CiscoInnerVPN. Use this name as the reference in the "Name of VPN profile to use" or "Name of secondary VPN profile" section of the device-wide or work profile level VPN policy controls.
      • Vendor
        Select the VPN Vendor that manufactured your VPN client. To use Strong Swan VPN that is part of the Knox framework, select Knox built-in. To use another VPN client that is not the default Knox built-in client, ensure that the appropriate VPN client is installed before KSP is launched. KSP does not automatically install the VPN client.
      • Host
        Enter a server host IP or domain name format. Refer to your VPN provider's documentation for the formats applicable to your VPN client.
      • VPN connection type
        Select the type of security protocol that the VPN client uses to connect to the server. Some VPN Vendors may not support some of the connection types. Refer to your VPN provider's documentation for this information.
      • Include UID/PID meta data
        Use this control to enable the inclusion of metadata about the unique identifier of the device's user (UID) and the processes running on the device (PID).
      • Proxy
        Use these controls to add information about the proxy server and other configurations used with this VPN profile.
        • Enable Proxy with VPN
          If required, use this control to use proxy servers with your VPN connection.
        • Server
          If your configuration uses proxy servers, enter the VPN proxy server information in this field. Contact your Network or IT Administrator for this information.
        • Port
          Enter the port number on the device that the proxy uses for communication. Contact your Network or IT Administrator for this information.
        • PAC (Proxy auto config)
          Specify the URL for your proxy's automatic configuration file that determines the appropriate proxy server to use for each URL accessed. Contact your Network or IT Administrator for this information.
        • Proxy authentication type
          Proxy use is possible without authentication or with basic or NTLM authentication using admin provided credential or user credentials. Contact your Network or IT Administrator for more information.
        • Username
          If you want to use admin provided credentials, enter the username for use with the proxy server. Leave this field empty to let the device user use their own credentials for the device.
        • Password
          For proxies that use the IT admin provided credentials, enter the password used with the proxy username. Leave this field empty if you didn't provide a proxy username earlier and to let the device user use their own credentials for the device.
      • Cisco AnyConnect VPN client settings
        Use these controls to specify values for the vendor-specific attributes for your Cisco AnyConnect VPN client. Contact your Network or IT Administrator for more information.
        • authentication
          Select the type of authentication that your VPN client uses. Your IT admin provides this information when setting up the Cisco AnyConnect profile.
        • ike-identity
          If you selected the EAP-GTC, EAP-MD5, EAP-MSCHAPv2, or IKE-RSA authentication type for your VPN profile, enter the IKE Identity information to use. Your IT admin provides this information when setting up the Cisco AnyConnect profile.
        • usergroup
          Enter the name of the usergroup that is authorized to use the VPN client profile.
        • certalias
          If your configuration uses certificates to establish a connection, enter the certificate alias here. KSP checks whether the certificate is installed and will wait for up to 5 minutes before retrying if it is not found. Your IT admin provides this information when setting up the Cisco AnyConnect profile.
      • Pulse Secure VPN client settings
        Use these controls to specify the vendor-specific attributes for your Pulse Secure VPN client. Refer to your VPN provider's documentation for this information.
        • Authentication realm
          The authentication realm specifies the conditions that users must meet in order to sign into the VPN server. Your IT admin provides this information when setting up the VPN profile.
        • Authentication profile role
          The authentication role specifies the session and personalization settings, as well as the type of resources they can access. For example, the role defines whether the user can access all websites, some websites, or emails only.
        • certAlias
          Enter the name of the authentication certificate that your VPN client uses to connect to the server. KSP checks whether the certificate is installed and will wait for up to 5 minutes before retrying if it is not found. Your IT admin provides this information when setting up the VPN profile.
        • RSASoftToken
          Enter the name of the RSA software token generator that the VPN client uses to connect to the server. Your IT admin provides this information when setting up the VPN profile.
        • SafeNetSoftToken
          Enter the name of the SafeNet software token generator that the VPN client uses to connect to the server. Your IT admin provides this information when setting up the VPN profile.
        • Retry
          Enable this to allow VPN client to retry automatically in case of failure to connect.
      • Parameters for Knox built-in VPN (for Strong Swan)
        Use these controls to specify vendor-specific attributes for your Knox built-in VPN client.
        • Authentication type
          Select the type of authentication that your Knox built-in VPN client uses.
        • Auto retry in minutes
          When the VPN client is unable to connect or drops an active connection to the server, it automatically tries to reconnect. Enter the time interval, in minutes, after which the VPN client tries to reconnect. Default interval is two minutes.
        • Identifier
          Enter the built-in unique VPN identifier that applies to your VPN provider. This information applies to the ipsec_ike2_psk authentication type. Your IT admin provides this information when setting up the VPN client profile.
        • Pre-shared key
          Enter your VPN client's pre-shared key, that is a form of password, that applies to your VPN client profile. This information applies to the ipsec_ike2_psk authentication type. Your IT admin provides this information when setting up the VPN client profile.
        • User certificate alias
          Enter the alias that identifies the user certificate used for your VPN client. Your IT admin provides this information when setting up the VPN client profile.
        • CA certificate alias
          Enter the alias that identifies the CA certificate used in your VPN client for ipsec_hybrid_rsa and ipsec_ike2_rsa authentication types. Your IT admin provides this information when setting up the VPN client profile.
        • Server certificate alias
          If your client uses ipsec_hybrid_rsa and ipsec_ike2_rsa, enter the name of the server certificate to use for authenticating connections. Your IT admin provides this information when setting up the VPN client profile.
        • OCSP URL
          If your client uses ocsp_url for ipsec_ike2_rsa, enter the URL to use for connections. Your IT admin provides this information when setting up the VPN client profile.
  • Firewall configuration profile
    A group of controls that drive the firewall configuration on the device.
    • Firewall configuration name
      Enter the name of the firewall configuration profile in this field. Use a unique and descriptive name, including the name of the firewall provider and other identifying descriptions. For example, FirewallProvider1. Use the value in this field as a reference for the value in the Firewall profile name in the firewall policy section.
    • Allow rules
      A group of controls to specify the network connections allowed on the device. The firewall allow rule takes precedence over the deny rules.
        • Hostname (IP or IP range)
          Enter a host IP or IP range in IPv4 or IPv6 format to allow incoming or outgoing data packets. For example, 100.0.0.10 or 100.0.0.0–100.0.0.10 or use * for all IP addresses.
        • Port or Port range
          Enter a port number or range of port numbers that are allowed. For example, use 8080 or 8080–8085 or use * for all ports.
        • Port location
          Specify whether the ports are remote or local. Local ports are ports on the device, while Remote ports are those on the server end point. For example, to allow connections to FTP server at port 21, you must specify allow rule with "Remote" port location.
        • Network interface
          Specify the type of connection for which the firewall rule is applicable.
    • Deny rules
      A group of controls to specify the network connections denied access on the device. CAUTION: Adding a DENY ALL rule disconnects the device completely from Network. To retain control on the device, always add ALLOW rules that guarantee UEM Agent connectivity before adding a DENY ALL rule.
        • Hostname (IP or IP range)
          Enter a host IP or IP range in IPv4 or IPv6 format to block incoming or outgoing data packets. For example, use 100.0.0.10 or 100.0.0.0–100.0.0.10 or use * to block all IP addresses.
        • Port or Port range
          Enter a port number or range of port numbers that are blocked. For example, use 8080 or 8080–8085 or use * for all ports.
        • Port location
          Specify whether the ports are remote or local. Local ports are ports on the device, while Remote ports are those on the server end point. For example, to block port 21 (FTP) on the device from receiving connections, you must block "Local" port.
        • Network interface
          Specify the type of connection for which the firewall rule is applicable.
        • Application
          Specify the package name of the application for which this DENY rule is applied. Leave the field empty to apply the rule to all connections on the device.
    • Reroute rules
      A group of controls to specify when and how firewall access requests are rerouted.
        • Intended hostname (IP or IP range)
          Enter the IP address or range of the target host for which all data packets are automatically rerouted.
        • Intended port or port range
          Enter a target port number or range of port numbers for which all data packets are automatically rerouted.
        • Destination host IP
          Enter the IP address of target host to which all data packets are automatically rerouted.
        • Destination port
          Enter the port number of the target host to which all data packets are automatically rerouted.
        • Network interface
          Specify the type of connection for which the reroute rule is applicable.
        • Application
          Specify the package name of the application for which this reroute rule is applied. Leave the field empty to apply the rule to all connections on the device.
    • Reroute exceptions
      A group of controls to specify which data connections are not rerouted.
        • Hostname (IP or IP range)
          Enter the IP address or range of the target host for which the data packets are not rerouted.
        • Port or Port range
          Enter a target port number or range of port numbers for which the data packets are not rerouted.
    • Domain filters
      A group of controls to specify how traffic to and from specific domains is handled.
        • Blocked domains
          Specify the domains to which access requests are denied. Domains can be specified as a comma-separated list of URLs. Partial URLs with * (wildcard) at the beginning and/or at the end of the URL are also accepted.
        • Allowed domains
          Specify the domains to which access requests are allowed. Domains can be specified as a comma-separated list of URLs. Partial URLs with * (wildcard) at the beginning and/or at the end of the URL are also accepted.
        • Scope of domain filter
          Specify whether the firewall should determine whether to block or allow connection requests from all applications or specific applications only.
        • List of applications to apply the domain filter to
          If you set the scope of the domain filter to selected applications only, enter a comma-separated list of package names of applications to which the firewall domain rules apply.
    • Prioritize Domain filters over allow and deny rules
      Enable this flag to process Domain Filters before other firewall rules. Once enabled, next time an application tries to send a domain name resolution request, the Domain rules will be analyzed before Firewall rules, deciding to allow or block the request. Note that this would allow data packets if there is a specific whitelist rule for that domain in Domain Filter. Data packets to non-whitelisted domains may still be blocked if there is a Firewall deny rule for it.
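
The allow-over-deny precedence and the DENY ALL caution described above can be checked before a profile is pushed. The following is an added example, not KSP or Samsung code: the dictionary keys, the UEM endpoint 203.0.113.10:443 and the package names are constructed assumptions, the network interface field is not modelled, and a "Local" rule with a specific port is assumed not to cover an outbound connection.

```python
import ipaddress
import re

# The page's range examples use an en dash; accept a plain hyphen as well.
RANGE_SEP = re.compile(r"\s*[-\u2013]\s*")


def parse_hosts(spec):
    """Return (low, high) address bounds, or None for '*' (all addresses)."""
    spec = spec.strip()
    if spec == "*":
        return None
    parts = RANGE_SEP.split(spec)
    if len(parts) > 2:
        raise ValueError(f"bad host spec: {spec!r}")
    low, high = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[-1])
    if low.version != high.version or low > high:
        raise ValueError(f"bad host range: {spec!r}")
    return low, high


def parse_ports(spec):
    """Return (low, high) port bounds, or None for '*' (all ports)."""
    spec = spec.strip()
    if spec == "*":
        return None
    parts = RANGE_SEP.split(spec)
    if len(parts) > 2:
        raise ValueError(f"bad port spec: {spec!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return low, high


def rule_matches(rule, ip, remote_port, app=None):
    """True if the rule covers an outbound connection to ip:remote_port."""
    scoped_app = rule.get("application", "").strip()
    if scoped_app and scoped_app != app:
        return False  # rule is limited to a different package
    hosts, ports = parse_hosts(rule["host"]), parse_ports(rule["port"])
    if ports is not None:
        # Assumption: a specific "Local" port names a device-side port and
        # therefore does not cover the server port of an outbound connection.
        if rule.get("port_location", "remote").lower() != "remote":
            return False
        if not ports[0] <= remote_port <= ports[1]:
            return False
    if hosts is not None:
        addr = ipaddress.ip_address(ip)
        if addr.version != hosts[0].version or not hosts[0] <= addr <= hosts[1]:
            return False
    return True


def verdict(profile, ip, remote_port, app=None):
    """Allow rules take precedence over deny rules; no match is 'default'."""
    if any(rule_matches(r, ip, remote_port, app) for r in profile.get("allow", [])):
        return "allow"
    if any(rule_matches(r, ip, remote_port, app) for r in profile.get("deny", [])):
        return "deny"
    return "default"


def lint_profile(profile, required):
    """Return the required (ip, port, app) endpoints the profile would block."""
    return [e for e in required if verdict(profile, *e) == "deny"]


# Constructed sample data (documentation address ranges, hypothetical packages).
REQUIRED = [("203.0.113.10", 443, "com.example.uemagent")]
DENY_ALL = {"host": "*", "port": "*", "port_location": "Remote"}

# Allow rule uses "Local", so it never covers the UEM server's port 443.
BAD = {"allow": [{"host": "203.0.113.10", "port": "443",
                  "port_location": "Local"}],
       "deny": [DENY_ALL]}

# Same intent with the port location corrected to "Remote".
GOOD = {"allow": [{"host": "203.0.113.10-203.0.113.12", "port": "443",
                   "port_location": "Remote"}],
        "deny": [DENY_ALL]}

if __name__ == "__main__":
    for name, profile in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, "blocked UEM endpoints:", lint_profile(profile, REQUIRED))
```

Run the lint with the real UEM server addresses and agent package in `REQUIRED` before adding a DENY ALL rule; an empty list means every required endpoint is covered by an allow rule.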
  • Manual Proxy configuration
    A group of policies to specify the global proxy setting using a specified server host and port. Contact your network administrator for this information.
    • Server
      Enter the proxy server information in this field. Contact your Network or IT Administrator for this information.
    • Port
      Enter the port number of the proxy server host in this field. Contact your Network or IT Administrator for this information.
    • Username
      If your proxy uses authentication, then use this field. If you want to use admin provided credentials, enter the username for use with the proxy server. Leave this field empty if you do not use authentication or if the proxy requires users' corporate credentials to authenticate.
    • Password
      If your proxy uses authentication, then use this field. If you want to use admin provided credentials, enter the password for use with the proxy server. Leave this field empty if you do not use authentication or if the proxy requires users' corporate credentials to authenticate.
    • Host IP addresses to exclude from Proxy
      Specify any IP addresses you want to bypass the proxy. Enter the values as a comma separated list of the IP addresses, for example, “123.123.55.0, 123.123.50.0”.
    • Domain to exclude from Proxy
      Specify the domains that can bypass the proxy you have set. For example, you can specify “samsung.com” as a domain, and any DNS query to that domain and the resulting data traffic will bypass the proxy.
  • Proxy auto-config (PAC)
    A group of policies to specify the Proxy auto-config (PAC) based proxy setting, for example, the server, port details and more.
    • PAC (Proxy auto config) URL
      Specify the URL where a device fetches your Proxy Auto Configuration (PAC) file from. This file determines the appropriate proxy server to use for each URL accessed. Contact your Network or IT Administrator for this information.
    • Authentication configurations
      A group of controls to specify one or more authentication configurations. Note that a different username and password can be used for each individual proxy listed in a PAC file.
        • Host
          Enter the host IP of a proxy server for which you want to specify the authentication info. Contact your Network or IT Administrator for this information.
        • Port
          Enter the port number of the proxy server host. Contact your network administrator for this information.
        • Username
          If you want to use admin-provided credentials, enter the username for use with the proxy server. Leave this field empty if you do not use authentication or if the proxy requires the user's corporate credentials to authenticate.
        • Password
          If you want to use admin-provided credentials, enter the password for use with the proxy server. Leave this field empty if you do not use authentication or if the proxy requires the user's corporate credentials to authenticate.
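The following PAC file is an added example, not part of the original page or of Samsung's documentation. It shows how one file can name several proxies (each would need its own Host/Port authentication entry above) and express direct-connection exceptions. The proxy addresses and the "corp.example.com" domain are constructed placeholders; the bypass IPs and domain reuse the page's sample values.

```javascript
// Constructed sample values: replace with your environment's own.
var DIRECT_IPS = ["123.123.55.0", "123.123.50.0"]; // hosts that skip the proxy
var DIRECT_DOMAINS = ["samsung.com"];              // domains that skip the proxy
var INTERNAL_PROXY = "PROXY 192.0.2.10:8080";      // hypothetical proxy #1
var DEFAULT_PROXY = "PROXY 192.0.2.20:3128";       // hypothetical proxy #2
var INTERNAL_DOMAIN = "corp.example.com";          // hypothetical internal zone

// True when host equals the domain or is a subdomain of it.
// Matching on ".domain" keeps "notsamsung.com" from passing as "samsung.com".
function inDomain(host, domain) {
  var h = host.toLowerCase();
  var suffix = "." + domain;
  return h === domain || h.slice(-suffix.length) === suffix;
}

// Entry point the PAC runtime calls for every request.
function FindProxyForURL(url, host) {
  // Exact-match IP literals that must connect directly.
  if (DIRECT_IPS.indexOf(host) !== -1) return "DIRECT";

  // Domains that must connect directly.
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (inDomain(host, DIRECT_DOMAINS[i])) return "DIRECT";
  }

  // Internal hosts try proxy #1 first, then fall back to proxy #2.
  if (inDomain(host, INTERNAL_DOMAIN)) {
    return INTERNAL_PROXY + "; " + DEFAULT_PROXY;
  }

  // Everything else uses proxy #2. No trailing "DIRECT" fallback, so
  // traffic does not silently bypass inspection when the proxy is down.
  return DEFAULT_PROXY;
}
```

Every proxy the file can return (here 192.0.2.10:8080 and 192.0.2.20:3128) needs a matching Host and Port entry under Authentication configurations if it requires admin-provided credentials.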
  • APN configurations
    A group of policies to specify one or more Access Point Name configurations. For example, APN name, APN type, authentication type and more.
      • Name
        Use this to specify a name for your APN configuration for easy reference, for example, "SamsungAPN".
      • APN (Access Point Name)
        Use this to specify the endpoint for your APN, for example, "enterprise.telco.com". Get this value from your mobile operator.
      • MCC (Mobile Country Code)
        The Mobile Country Code for your APN that uniquely identifies your mobile network operator, for example “302”. Get this value from your mobile operator.
      • MNC (Mobile Network Code)
        The Mobile Network Code for your APN that uniquely identifies your mobile network operator, for example “720”. Get this value from your mobile operator.
      • Authentication Type
        The authentication type for your APN. Get this value from your mobile operator.
      • APN Type
        This indicates what type of data will be transferred over the APN, for example, “MMS”. Get this value from your mobile operator.
      • APN Protocol
        This is the protocol type that is used to send data packets, for example, IPv4 or IPv6. Get this value from your mobile operator. Certain mobile devices only support some protocols, so you may need to verify that your devices support the protocol your network settings use.
      • APN Roaming Protocol
        This is the protocol type that is used to send data packets while roaming, for example, IPv4 or IPv6. Get this value from your mobile operator.
      • MMS
        Specify the MMS configuration for this APN.
        • MMSC
          Enter the Multimedia Messaging Service Center value. Get this value from your mobile operator.
        • MMS Proxy
          Enter the MMS proxy value. Get this value from your mobile operator.
        • MMS Port
          Enter the port number of the MMS proxy. Get this value from your mobile operator.
      • Advanced Configuration
        Specify the advanced parameters of the APN configuration. Contact your mobile operator to get these values, if they are necessary.
        • Server
          (none)
        • Proxy
          (none)
        • Proxy
          (none)
        • Username
          (none)
        • Password
          (none)
  • UCM plugin configurations
    A group of controls to specify the configuration of one or more UCM plugins that access credential storage.
      • Name of UCM plugin configuration
        Enter a name to identify this UCM plugin configuration elsewhere in the UCM policy.
      • Package name of UCM plugin application
        Enter the package name of the UCM vendor's app, also called the UCM plugin, used to manage credential storage. For example, com.mycompany.ucm.plugin.
      • Credential usage
        Select how this UCM plugin configuration is used. Select ODE (On-Device Encryption) to use credentials to encrypt device data. Select Screen lock to use credentials to unlock the device. For other use cases, select General purpose.
      • Pin properties
        A group of policies to configure PIN properties of the UCM plugin and credential storage.
        • PIN timeout type
          Applies only if the manufacturer's UCM plugin and credential storage support the caching of a PIN used to access the credential storage. When a device user enters a PIN (or verification), the plugin that accesses the credential storage is allowed to cache the PIN for the specified timeout period and does not have to prompt the user for it during this time. If you select "Unspecified", the behavior depends on the plugin implementation. The "Same as screen lock" option uses the same timeout as the device or workspace unlock. The "Use specified value" option uses the value below.
        • PIN timeout value in minutes
          Applies only if you select a PIN timeout type of "Use specified value". Enter the number of minutes before a PIN times out and needs to be entered again. If you leave the field empty or use 0, the behavior depends on the UCM plugin implementation.
      • Application access controls
        A group of controls to define which apps can access credential storage.
        • Type of access restrictions
          Use this control to identify which apps can access the credential storage. Select Unrestricted access to allow all apps to have access, or Selected apps to allow access only to the apps listed below.
        • List of allowed applications
          Enter a comma-separated list of package names to specify apps that can use the credential storage or access certificates stored in credential storage.
      • Access control when device or workspace is locked
        A group of controls to specify credential access while the device or workspace is locked.
        • Lock credential storage when device or workspace is locked
          Use this control to enable or disable credential storage lock. Enable this option to block access to credential storage when the device or workspace is locked. Disable this option to allow access to credential storage while the device or workspace is locked.
        • List of apps allowed to access credential storage when locked
          Enter a comma-separated list of package names to specify apps that can use the credential storage or access certificates stored in credential storage while the device or workspace is locked.