Knox Guard Admin Guide

Set Knox Guard default policies

On this page

Set default device lock values

Set the Knox Guard default device lock message and contact information displayed for users whose payment delinquency resulted in a device lock.

NOTE— For information on locking a device that has been offline for a configurable period of time, go to Set an offline device lock.

NOTE— For information on locking and unlocking specific selected user devices, go to: Locking and unlocking devices.

NOTE— If you want to launch an application from the lock screen, the specific activities when the device is locked should be predefined on the application. Please refer to the following guide for more information.

To set Knox Guard default device lock settings:

Select Policies from the left-hand navigation menu.
Select DEFAULT LOCK SCREEN from the DEVICE LOCK field.

Enter a 350 character maximum Message users receive when their device is locked by Knox Guard. The message should contain information on how a delinquent subscription resulted in a device lock and the phone number and email address for contacting the appropriate resource for unlocking their device.
Enter the Phone number for the contact resource locked device users call for making a delinquent payment and unlocking their device. Special characters can be used if necessary.
Enter the E-mail address of the contact resource locked device users contact for making a delinquent payment and unlocking their device. Either a phone number or Email is required as a contact resource.
Select Block incoming calls when device is locked options for blocking the incoming call when the devices get locked (SIM Lock, Offline lock or any lock case)
Other customer options to enable couple of options

Select 'Make an app available on the lock screen' to specify an app package name and a signature to be accessed from the device lock screen. You can customize the menu label on the lock screen 'Customize menu label on the device' menu. If you do not enter a menu label, then the default application name extracted from the APK will be displayed.
Keep in mind, the specified application must be installed on the device. If you have registered an applicatin via 'Application installation' policy, the use the 'Import APK' button, which will automatically retrieve the application information.

REFRESH ACCOUNT STATUS is selected by default. This displays a 'Refresh account status' button on the device so the user can get the latest device status from the Knox Guard service when the device's network connection is weak or unavailable
Select SAVE to commit the default device lock settings.

Set an offline device lock

Optionally set an offline lock that automatically locks a device when been offline for a configurable period of time.

NOTE— A device can be rendered offline when the user does not purposely connect to a network. When this occurs, the device is not receiving its policy from its dedicated Knox Guard server. Once an offline device is locked, the device user is required to contact their carrier to restore functionality. The device user must share the challenge code on their device's lock screen (generated when the device was locked), and then the admin provides a PIN to the device user to enter on their device to restore its functionality.

To set an offline device lock:

Select Policies from the left-hand navigation menu.
Select OFFLINE LOCK from the DEVICE Lock field.
Enable Turn on Offline Device Lock to automatically lock specific devices that are offline for a defined period of time.

Refer to the Specify how long to wait before locking an offline device area and set the Days offline from 15 - 200 days.
Set a 200 character maximum Warning notification displayed to the device user before the offline device is locked. This notification displays as a full screen message.
Determine when to Send warning message a defined number of Days before locking device. This provides the device owner an opportunity to restore their offline device and connect to the Knox Guard server before their device is locked. Once the user connects to a network while receiving an offline error message, the Offline Lock Time will be reset to the original value configured by the admin.
Enter a 200 character maximum default Offline Device Lock warning message displayed when the device lock is enabled on the offline device. This is a pop-up message that can be dismissed by the device user prior to their device being locked. Since this message is for an offline lock, it should be set before the device is enrolled.
Enter the Phone number of the contact resource locked device users call for restoring their offline device. Special characters can be used if necessary.
Enter the E-mail address of the contact resource locked device users contact for making a delinquent payment and unlocking their offline device.
The Block incoming calls when device is locked checkbox lets an admin know if the device has been set in the Devices screen to block incoming calls. For information on configuring this setting for a specific device, go to: Lock devices.
Refer to the Other customer support options setting to review how additional support settings have been defined, and how apps have been made available on the device lockscreen. These settings cannot be configured within the Policies portion of the Knox Guard console and must be configured using the 'Default lock screen'.
Select SAVE to commit the default offline device lock settings.

NOTE— Once an offline device is locked, the device user is required to contact their carrier to restore functionality. The device user must share the challenge code on their device's lock screen (generated when the device was locked), and the admin provides a PIN for the device user to enter on their device to restore its functionality.

NOTE— Once the user connects to a network after receiving an offline device lock message, the Offline Lock Timer resets to the original configured value.

Advanced controls

Set a default SIM control configuration

NOTE— This functionality is only available upon request. Please contact your Knox Guard administrator to enable this feature.

NOTE— For step-by-step instructions to apply this policy to selected user devices, go to: SIM control.

Create a default SIM control configuration to restrict default SIM functionality or lock the device. The default SIM configuration can be used consistently across deployments until specific modifications are needed for specific deployment objectives.

To set a default SIM control configuration for Knox Guard managed devices:

Select Policies from the left-hand navigation menu.
Select SIM CONTROL.

Refer to the MCC and MNC fields to assess if a default Mobility Country Code (MCC) and Mobile Network Code (MNC) has been applied to uniquely identify the selected device’s mobile network carrier for SIM control restriction exclusion. Each mobile device carrier has their own unique MCC and MNC pair.
Set the following restrictions for an unlisted MCC/MNC:
- Lock device - Select this option to lock a device's SIM functionality. This helps prevent using unlisted SIM cards. If you select 'Turn on network registration verification', it further validates that a deactivated SIM card is not being misused by comparing the defined MCC/MNC of the network operator.
- Incoming/Outgoing calls - Select this option to restrict a selected device’s ability to make/recieve a voice call.
- SMS/MMS/RCS - Select this option to restrict a selected device’s texting capability.
- Data usage - Select this option to restrict a selected device’s ability to use data consumptive applications.
- Apply the above restrictions when international roaming is in use – Select this option to restrict device voice, text and data usage when connecting to a mobile network in a country other than the device’s original deployment country. This option is applicable to non-whitelisted SIMs in a dual SIM device only.
Other customer support options menu is also displayed on SIM lock screen but it is centrally configured in Default lock screen.
Select SAVE to commit the default SIM control settings.

Set default application for installation

NOTE— This functionality is only available upon request. Please contact your Knox Guard administrator to enable this feature.

A custom app can be installed on devices for various company functions. The app can be updated using Google Play. If the target device already has the app, then the system checks the app version and installs or keeps the latest one. This functionality is not available in 'Bulk Actions' mode.

NOTE—

App uninstallation prevention is applied for the installed app by default, except for the Android Go devices.
When installing a new app, the old one remains on the device but the uninstallation prevention is shifted to the new app. Thus the user can manually uninstall the old app.

To set app installation settings:

Select Policies from the left-hand navigation menu.
Select APPLICATION INSTALLATION from the ADVANCED CONTROLS field.
Upload application which is in APK format and lower than 100 MB. Optionally, check the box to launch the application after first installation.
Select SAVE to commit the default application installation settings.
Click CONFIRM int he Install application on all customer devices pop-up once you are sure you uploaded correct APK. This action is irreversible.

Messaging

Set default overdue notifications

Set the Knox Guard overdue notification message text and subscription payment contact information displayed to users receiving overdue notifications.

NOTE— For information on sending overdue notifications to selected user devices, go to: Overdue payment notifications and reminders.

To set Knox Guard default overdue notification settings:

Select Policies from the left-hand navigation menu.
Select DEFAULT OVERDUE NOTIFICATIONS from the MESSAGING field.

Select the Initially show notifications as a full-screen message on user devices to make notifications display as full screen message before the message displays on the notification panel. Selecting this option makes notifications difficult to ignore. Optionally select the Preview full-screen message link to preview how the full-screen message displays on the user device.
Optionally select the Enter the Phonenumber users call for making a payment and stopping overdue notifications. Special characters can be used if necessary.
Define the Notification 1, Notification 2 and Notification 3 messages users could receive as a payment overdue notification from Knox Guard. The three available notification options can contain information on why the notification is sent. Each notification can contain a different severity in its messaging in respect to how long payments are overdue. If needed, include a properly formatted URL (http://www...). When the device user taps the URL hyperlink, it opens a relevant Web page within the device browser. The URL is optional, but could be of assistance to subscribers who want to make device payment queries as seamless as possible. Up to 10 notifications can be defined with escalating overdue payment severity as needed.
Select SAVE to commit the default overdue notification settings.

Set default blink reminders

Set the Knox Guard default blink interval, message text and subscription payment contact information displayed to users receiving reminder messages for delinquent subscription payments.

NOTE— For information on sending blink reminders to selected user devices, go to: Overdue payment notifications and reminders.

To set Knox Guard default blink reminder settings:

Select Policies from the left-hand navigation menu.
Select DEFAULT BLINKING REMINDER from the MESSAGING field.

Set the blink message Period in either seconds, minutes, or hours. This is the interval blink messages are sent to delinquent devices.
Enter a 200 character maximum Message users receive when their device receives blink reminders from Knox Guard. The message should contain information on why these reminders are sent and the phone number and email address for contacting the appropriate resource stopping the reminder messages. If needed, include a properly formatted URL (http://www...). When the device user taps the URL hyperlink, it opens a relevant Web page within the device browser. The URL is optional, but could be of assistance to subscribers who want to make device payment queries as seamless as possible.
Enter the Phone number users call for making a delinquent payment and stopping the reminder messages. Special characters can be used if necessary. Either a phone number or E-mail address is required as a contact resource.
Enter the E-mail address users contact for making a delinquent payment and stopping the reminder messages. Either a phone number or E-mail address is required as a contact resource.
Refer to the Set limits for when blinking reminder can be shown to users portion of the screen to define a period of time when blink reminders are not displayed to device users.

Do not show everyday - Select this option to define a specific time period for disabling blink reminders at the same time, each day of the week.
Do not show during the selected time period of - Select this option to enable fields where specific days and times can be set for disabling blink reminders.

Select SAVE to commit the default blink reminder settings.

Settings

Set default enrollment values

Enable and create the Knox Guard default messages displayed on an end user device to communicate initial enrollment and SIM card change events.

To enable and set Knox Guard default enrollment and SIM card change messages:

Select Policies from the left-hand navigation menu.
Select ENROLLMENT NOTICES from the SETTINGS field.
Enable Enrollment notices to permit the end user device display of enrollment completion and SIM card change notifications if those options are enabled.

Select the COMPLETION OF ENROLLMENT checkbox to create a message displayed on a user device when the enrollment setup wizard is complete.

Enter a 200 character maximum Customize message devices receive upon enrollment completion in Knox Guard. The message should contain information on the device's payment plan and reference the phone number device users contact for information about their subscription.
Optionally, enter a Phone number device users call for information about their subscription with their carrier. Special characters can be used if necessary.

Select the DEVICE REBOOT checkbox to create a message displayed after each reboot stating the device is enrolled in a service plan. The intention of the message is to help prevent the device from being manipulated and resold while within the Knox Guard service period.

Enter a 200 character maximum Customize message devices receive upon each reboot.
Optionally, enter a Phone number device users call for information about their subscription with their carrier. Special characters can be used if necessary.

Select the SIM CARD CHANGE checkbox to display a default message on an end user device when the device's SIM card is changed. Optionally, enter a Phone number device users call for information about their subscription with their carrier.

Select SAVE to commit the default enrollment and SIM card change settings.

Set a default custom EULA

Create a default Knox Guard End User License Agreement (EULA) requiring agreement from subscriber device users.

NOTE— For additional information on managing Knox licenses, go to: License management.

To set a Knox Guard default EULA:

Select Policies from the left-hand navigation menu.
Select END USER LICENSE AGREEMENT from the SETTINGS field.
Select Enable custom EULA to enable the Agreement title and Agreement body fields needed to define a customized EULA. This setting is enabled by default.

Enter a 50 character maximum Agreement title for the EULA.
Define text for the Agreement body. The Agreement body states the terms of the EULA and should carefully state the terms requiring agreement.
Select SAVE to commit the default license EULA settings.

Set a default notification icon

Define a default Knox Guard notification icon to remove the potential recognition of Samsung device management and control as much as possible. In particular, this feature provides an option to change the icon displayed within customer subscription notifications. Once the icon image is uploaded and saved, future notifications display the custom icon on the top, left-hand corner, of the device.

NOTE— Only .png files are supported as device notification icons.

To set default device notification icons:

Select Policies from the left-hand navigation menu.
Select CUSTOMIZE NOTIFICATION ICON from the SETTINGS field.

Select UPLOAD CUSTOM ICON.
Navigate and select the image to display on an end user device as a notification icon. Once selected, the image displays as a preview before committing as a default image.
Either select RESET TO DEFAULT to return the device to its initial state or select CHANGE to select and preview a different notification icon.
Select OK when to commit the selected default notification icon to the device.