Any mobile device used for the US military must meet a minimum set of STIG requirements. This ensures the maximum protection for sensitive military data and improves the security of Department of Defense (DoD) information systems. Knox meets the STIG requirements when appropriate APIs are applied to lock down the device. These APIs are described in the table below.
For a full list of STIG documentation including past releases see the Knox certifications page.
This guide is an explicit list of the APIs required to reach STIG compliance on a Samsung Knox device. It is an addendum to the official STIG configuration tables that removes any ambiguity from the MDM-agnostic language they use. The intended audience is MDM developers responsible for implementing configuration controls, and MDM administrators wishing to verify that an MDM has used the correct API.
Use the following API reference table to help audit your device configuration: for each set[Policy] API listed, look up the corresponding get[Policy] or is[Policy] API in the Samsung Knox API Reference and Android API Reference and use it to read back the value that was applied.
S. No. | Policy No. | Method | Policy Group | Policy Name | Options | Settings | Comment | Severity | API LIST | API Value | Check | Device/Asset: COBO DA USER 0 | Device/Asset: COBO DO | Device/Asset: COPE DA USER 0 | Device/Asset: COPE DO | Work Environment: COPE DA WORK PROFILE | Work Environment: COPE PO
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---
1 | 1 | | Password Requirements | Minimum password length | 0+ | 6 | | II | DevicePolicyManager setPasswordMinimumLength | 6 (preferred, minimum) | X | N/A | Y | N/A | Y | N/A | N/A
2 | | | | | | | | | BasePasswordPolicy setPasswordMinimumLength | 6 (preferred, minimum) | X | Y | Y | Y | Y | N/A | N/A
3 | 2 | # 1 | Password Requirements | Minimum password quality | Unspecified, Something, Numeric, Numeric(Complex), Alphabetic, Alphanumeric, Complex | Numeric(Complex) | Choose Method #1 or #2. Alphabetic, Alphanumeric, and Complex are also acceptable selections but will cause the user to select a complex password, which is not required by the STIG. | II | DevicePolicyManager setPasswordQuality | PASSWORD_QUALITY_NUMERIC_COMPLEX (preferred) | X | N/A | Y | N/A | Y | N/A | N/A
4 | | | | | | | | | BasePasswordPolicy setPasswordQuality | PASSWORD_QUALITY_NUMERIC_COMPLEX (preferred) | X | Y | Y | Y | Y | N/A | N/A
5 | | # 2 | Password Requirements | Minimum password quality | Unspecified, Something, Numeric, Numeric(Complex), Alphabetic, Alphanumeric, Complex | Numeric | | II | DevicePolicyManager setPasswordQuality | PASSWORD_QUALITY_NUMERIC (minimum) | X | N/A | Y | N/A | Y | N/A | N/A
6 | | | KPE Password Requirements | Maximum sequential numbers | 0+ | 2 | | | PasswordPolicy setMaximumNumericSequenceLength | 2 (preferred, maximum) | X | Y | Y | Y | Y | N/A | N/A
7 | | | | | | | | | BasePasswordPolicy setPasswordQuality | PASSWORD_QUALITY_NUMERIC (minimum) | X | Y | Y | Y | Y | N/A | N/A
8 | | | | | | | | | PasswordPolicy setMaximumNumericSequenceLength | 2 (preferred, maximum) | X | Y | Y | Y | Y | N/A | N/A
9 | 3 | | Password Requirements | Max time to screen lock | 0 minutes | 15 minutes | | II | DevicePolicyManager setMaximumTimeToLock | 900000 ms (minimum) | X | Y | Y | Y | Y | N/A | N/A
10 | | | | | | | | | BasePasswordPolicy setMaximumTimeToLock | 900000 ms (minimum) | X | Y | Y | Y | Y | N/A | N/A
11 | 4 | | Password Requirements | Max password failures for local wipe | 0+ | 10 | | II | DevicePolicyManager setMaximumFailedPasswordsForWipe | 10 (minimum) | X | Y | Y | Y | Y | N/A | N/A
12 | | | | | | | | | BasePasswordPolicy setMaximumFailedPasswordsForWipe | 10 (minimum) | X | Y | Y | Y | Y | N/A | N/A
13 | 5 | | Restrictions | Installs from unknown sources | Allow/Disallow | Disallow | Google Play must not be disabled. Disabling Google Play will cause system instability and critical updates will not be received. Users will not be able to log into Google Play in the Work Environment with personal accounts when applying KNOX-10-003900. | II | DevicePolicyManager addUserRestriction | DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY | X | N/A | Y | N/A | Y | N/A | N/A
14 | | | | | | | | | RestrictionPolicy setAllowNonMarketApps | FALSE | X | Y | Y | Y | Y | N/A | N/A
15 | 6 | | Restrictions | Trust agents | Allow/Disallow | Disallow | | II | DevicePolicyManager setKeyguardDisabledFeatures | KEYGUARD_DISABLE_TRUST_AGENTS | X | N/A | Y | N/A | Y | N/A | N/A
16 | | | | | | | | | BasePasswordPolicy setKeyguardDisabledFeatures | KEYGUARD_DISABLE_TRUST_AGENTS | X | Y | Y | Y | Y | N/A | N/A
17 | 7 | | Restrictions | Face | Allow/Disallow | Disallow | | II | DevicePolicyManager setKeyguardDisabledFeatures | KEYGUARD_DISABLE_FACE | X | N/A | Y | N/A | Y | N/A | N/A
18 | | | | | | | | | PasswordPolicy setBiometricAuthenticationEnabled | BIOMETRIC_AUTHENTICATION_FACE, FALSE | X | Y | Y | Y | Y | N/A | N/A
19 | 8 | | Restrictions | Debugging features | Allow/Disallow | Disallow | For KPE(LEGACY) COPE deployments this configuration is the default configuration. If the management tool does not provide the capability to enable/disable “debugging features”, there is NO finding because the default setting cannot be changed. | II | DevicePolicyManager addUserRestriction | DISALLOW_DEBUGGING_FEATURES | X | N/A | Y | N/A | Y | N/A | N/A
20 | | | | | | | | | RestrictionPolicy allowDeveloperMode | FALSE | X | Y | Y | Y | Y | N/A | N/A
21 | 9 | | Restrictions | USB file transfer | Allow/Disallow | Disallow | For KPE(AE) deployments this configuration is the default configuration. If the management tool does not provide the capability to configure “USB file transfer”, there is NO finding because the default setting cannot be changed. | II | DevicePolicyManager addUserRestriction | DISALLOW_USB_FILE_TRANSFER | X | N/A | Y | N/A | Y | N/A | N/A
22 | | | | | | | | | RestrictionPolicy setUsbMediaPlayerAvailability | FALSE | X | Y | Y | Y | Y | N/A | N/A
23 | 10 | | KPE Wifi | Unsecured hotspot | Allow/Disallow | Disallow | | II | WifiPolicy allowOpenWifiAp | FALSE | X | Y | Y | Y | Y | N/A | N/A
24 | 11 | | KPE Multiuser | Multi-user mode | Allow/Disallow | Disallow | KPE(LEGACY) deployed Samsung Tablets ONLY. | II | MultiUserManager | FALSE | X | Y | N/A | Y | N/A | N/A | N/A
25 | 12 | | KPE Restrictions | CC mode | Enable/Disable | Enable | | I | AdvancedRestrictionPolicy setCCMode | TRUE | X | Y | Y | Y | Y | N/A | N/A
26 | 13 | # 1 | Restrictions | SD Card | Enable/Disable | Disable | Choose Method #1 or #2. Method #1: Disable SD card (if not using SD card). Method #2: Enable Data-at-Rest protection. | I | DevicePolicyManager addUserRestriction | DISALLOW_MOUNT_PHYSICAL_MEDIA | X | N/A | Y | N/A | Y | N/A | N/A
27 | | | | | | | | | RestrictionPolicy setSdCardState | FALSE | X | Y | Y | Y | Y | N/A | N/A
28 | | # 2 | KPE Encryption | External storage encryption | Enable/Disable | Enable | | I | DeviceSecurityPolicy setExternalStorageEncryption | TRUE | X | Y | Y | Y | Y | N/A | N/A
29 | 14 | # 1 | Policy Management | Core app white list | core apps list | List approved core apps | COPE Personal Environment ONLY. Choose Method #1 or #2. Method #1: Fully managed device with work profile enrollment. Method #2: KPE system app disable list. | II | Enroll device as an Android Enterprise device, which disables required system apps by default (use 'DevicePolicyManager enableSystemApp' to re-enable a system app) | | X | N/A | Y | N/A | Y | N/A | Y
30 | | # 2 | KPE Application | System app disable list | core app list | List non-AO-approved system app packages | | II | ApplicationPolicy setDisableApplication | Package Name | X | Y | Y | Y | Y | Y | Y
31 | 15 | # 1 | KPE audit log | Audit Log | Enable/Disable | Enable | Choose Method #1 or #2. Method #1: KPE Audit Logging (KPE audit log). Method #2: AE Audit Logging (Restrictions). | II | AuditLog enableAuditLog (MDM must also provide means to read the Log in the console) | | X | Y | Y | Y | Y | N/A | N/A
32 | | # 2 | Restrictions | Security logging | Enable/Disable | Enable | | II | DevicePolicyManager setSecurityLoggingEnabled (MDM must also provide means to read the Log in the console) | TRUE | X | N/A | Y | N/A | Y | N/A | N/A
33 | | | Restrictions | Network logging | | | | | DevicePolicyManager setNetworkLoggingEnabled (MDM must also provide means to read the Log in the console) | TRUE | X | N/A | Y | N/A | Y | N/A | N/A
34 | 16 | # 1 | KPE Restrictions | USB host mode exception list | APP AUD CDC COM CON CSC HID HUB MAS MIS PER PHY PRI STI VEN VID WIR | HID | Choose Method #1 or #2. Method #1: Use USB exception list (preferred), which allows DeX usage. Method #2: Disable USB host mode (fall back if exception list policy cannot be applied). | II | RestrictionPolicy setUsbExceptionList | USBInterface.HID.getValue() | X | Y | Y | Y | Y | N/A | N/A
35 | | | | | | | | | RestrictionPolicy allowUsbHostStorage (must be toggled off/on for USB exception list to take effect) | TRUE | X | Y | Y | Y | Y | N/A | N/A
36 | | # 2 | KPE Restrictions | USB host mode | Enable/Disable | Disable | | II | RestrictionPolicy allowUsbHostStorage | FALSE | X | Y | Y | Y | Y | N/A | N/A
37 | 17 | # 1 | Restrictions | Bluetooth | Allow/Disallow | Allow | Choose Method #1, #2 or #3. Method #1: AO decision: Allow Bluetooth and train users. Training is covered in KNOX-10-009900. Method #2: AO decision: Disallow use of Bluetooth. Method #3: Use KPE Bluetooth UUID Whitelisting to allow only DoD-approved profiles. | III | DevicePolicyManager clearUserRestriction | DISALLOW_BLUETOOTH | X | N/A | Y | N/A | Y | N/A | N/A
38 | | | | | | | | | RestrictionPolicy allowBluetooth | TRUE | X | Y | Y | Y | Y | N/A | N/A
39 | | # 2 | Restrictions | Bluetooth | Allow/Disallow | Disallow | | III | DevicePolicyManager addUserRestriction | DISALLOW_BLUETOOTH | X | N/A | Y | N/A | Y | N/A | N/A
40 | | | | | | | | | RestrictionPolicy allowBluetooth | FALSE | X | Y | Y | Y | Y | N/A | N/A
41 | | # 3 | KPE Bluetooth | Bluetooth UUID Whitelist | A2DP_ADVAUDIODIST_UUID A2DP_AUDIOSINK_UUID A2DP_AUDIOSOURCE_UUID AVRCP_CONTROLLER_UUID AVRCP_TARGET_UUID BNEP_UUID BPP_UUID DUN_UUID FTP_UUID HFP_AG_UUID HFP_UUID HSP_AG_UUID HSP_UUID NAP_UUID OBEXOBJECTPUSH_UUID PANU_UUID PBAP_PSE_UUID PBAP_UUID SAP_UUID SPP_UUID | HFP_AG_UUID HFP_UUID HSP_AG_UUID HSP_UUID SPP_UUID A2DP_ADVAUDIODIST_UUID A2DP_AUDIOSINK_UUID A2DP_AUDIOSOURCE_UUID AVRCP_CONTROLLER_UUID AVRCP_TARGET_UUID PBAP_PSE_UUID PBAP_UUID | | III | BluetoothPolicy addBluetoothUUIDsToWhiteList | HFP_AG_UUID, HFP_UUID, HSP_AG_UUID, HSP_UUID, SPP_UUID, A2DP_ADVAUDIODIST_UUID, A2DP_AUDIOSINK_UUID, A2DP_AUDIOSOURCE_UUID, AVRCP_CONTROLLER_UUID, AVRCP_TARGET_UUID, PBAP_PSE_UUID, PBAP_UUID | X | Y | Y | Y | Y | N/A | N/A
42 | | | | | | | | | BluetoothPolicy addBluetoothUUIDsToBlackList | "*" (Wildcard String) | X | Y | Y | Y | Y | N/A | N/A
43 | | | | | | | | | BluetoothPolicy activateBluetoothUUIDRestriction | TRUE | X | Y | Y | Y | Y | N/A | N/A
44 | 18 | # 1 | User Agreement | User Agreement | User Agreement | Include DoD-mandated warning banner text in User Agreement | Choose Method #1, #2 or #3. Method #1: Put the DoD Warning banner text in the User Agreement (preferred method). Method #2: Put the DoD Warning banner in the Lock Screen message. Method #3: Enable the KPE Reboot Banner. | III | Put the DoD Warning banner text in the User Agreement | | X | Y | Y | Y | Y | N/A | N/A
45 | | # 2 | Restrictions | Lock Screen Message | Enable/Disable | Enable | | III | DevicePolicyManager setDeviceOwnerLockScreenInfo | DoD Warning banner text | X | N/A | Y | N/A | Y | N/A | N/A
46 | | # 3 | KPE Banner | Banner text | Configure | DoD-mandated warning banner text | | III | BootBanner enableRebootBanner | TRUE | X | Y | Y | Y | Y | N/A | N/A
47 | 19 | # 1 | Restrictions | Config Date Time | Allow/Disallow | Disallow | Choose Method #1, #2 or #3. Each method uses a different API to accomplish the same result; any of the methods is acceptable. Method #1: Restrict User from configuring time. Method #2: Require Auto Time. Method #3: Disable Date/Time change (KPE). | II | DevicePolicyManager addUserRestriction | DISALLOW_CONFIG_DATE_TIME | X | N/A | Y | N/A | Y | N/A | N/A
48 | | # 2 | Restrictions | Set auto (network) time required | Require/Do not require | Require | | II | DevicePolicyManager setAutoTimeRequired | TRUE | X | N/A | Y | N/A | Y | N/A | N/A
49 | | # 3 | KPE Date Time | Date Time Change | Enable/Disable | Disable | | II | DateTimePolicy setDateTimeChangeEnabled | FALSE | X | Y | Y | Y | Y | N/A | N/A
50 | 20 | # 1 | Enrollment Configuration | Default device enrollment | Fully managed, Fully managed with work profile, Legacy managed, Legacy managed with Legacy Workspace | Fully managed | COPE deployment: Choose Method #1 or #2. COBO deployment: Choose Method #3 or #4. | II | Enroll device as an Android Enterprise device (DO) | | X | N/A | Y | N/A | Y | N/A | Y
51 | | # 2 | Enrollment Configuration | Default device enrollment | Fully managed, Fully managed with work profile, Legacy managed, Legacy managed with Legacy Workspace | Legacy managed | | II | Enroll device as a Device admin managed device | | X | Y | N/A | Y | N/A | N/A | N/A
52 | | # 3 | Enrollment Configuration | Default device enrollment | Fully managed, Fully managed with work profile, Legacy managed, Legacy managed with Legacy Workspace | Fully managed with work profile | | II | Enroll device as an Android Enterprise device (DO) | | X | N/A | Y | N/A | Y | N/A | Y
53 | | | | | | | | | startActivity | DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE | X | N/A | N/A | N/A | Y | N/A | N/A
54 | | # 4 | Enrollment Configuration | Default device enrollment | Fully managed, Fully managed with work profile, Legacy managed, Legacy managed with Legacy Workspace | Legacy managed with Legacy Workspace | | II | Enroll device as a Device admin managed device | | X | Y | N/A | Y | N/A | N/A | N/A
55 | | | | | | | | | KnoxContainerManager createContainer | CreationParams() | X | N/A | N/A | Y | N/A | N/A | N/A
56 | 21 | | Restrictions | Outgoing beam | Allow/Disallow | Disallow | COBO ONLY. | II | DevicePolicyManager addUserRestriction | DISALLOW_OUTGOING_BEAM | X | N/A | Y | N/A | N/A | N/A | N/A
57 | | | | | | | | | RestrictionPolicy allowAndroidBeam | FALSE | X | Y | Y | N/A | N/A | N/A | N/A
58 | 22 | | KPE Restrictions | Share Via List | Allow/Disallow | Disallow | Disabling “Share Via List” will also disable functionality such as “Gallery Sharing” and “Direct Sharing”. | II | RestrictionPolicy allowShareList | FALSE | X | Y | Y | N/A | N/A | Y | Y
59 | 23 | | Restrictions | Backup service | Allow/Disallow | Disallow | COBO ONLY. | II | DevicePolicyManager setBackupServiceEnabled | FALSE | X | N/A | Y | N/A | N/A | N/A | N/A
60 | | | | | | | | | RestrictionPolicy setBackup | FALSE | X | Y | Y | N/A | N/A | |
61 | 24 | | KPE RCP | Move file to personal | Allow/Disallow | Disallow | COPE ONLY. This configuration is the default configuration. If the management tool does not provide the capability to configure “Move files to personal”, there is NO finding because the default setting cannot be changed. | II | RCPPolicy allowMoveFilesToOwner | FALSE | X | N/A | N/A | N/A | N/A | Y | Y
62 | 25 | | KPE RCP | Sync calendar to personal | Allow/Disallow | Disallow | COPE ONLY. | II | RCPPolicy setAllowChangeDataSyncPolicy | CALENDAR, EXPORT, FALSE | X | N/A | N/A | N/A | N/A | Y | Y
63 | 26 | | Restrictions | Autofill services | Allow/Disallow | Disallow | KPE(AE) deployments ONLY. | | DevicePolicyManager addUserRestriction | DISALLOW_AUTOFILL | X | N/A | Y | N/A | N/A | N/A | Y
64 | 27 | # 1 | Restrictions | Account management | Account types, Enable/Disable | Disable for: Work email app, Samsung Accounts, Google Accounts, and each AO-approved App that uses accounts for data backup/sync. | Choose Method #1 or #2. Method #1: AE Account management. Method #2: KPE Account Addition Blacklist. | II | DevicePolicyManager setAccountManagementDisabled | Account types [Work email app, Samsung Accounts, Google Accounts, and each AO-approved App that uses accounts for data backup/sync], TRUE | X | N/A | Y | N/A | N/A | N/A | Y
65 | | # 2 | KPE Account | Account addition blacklist | Blacklist | "Blacklist all" for Work email app, Samsung accounts, and Google accounts. | | II | DeviceAccountPolicy addAccountsToAdditionBlackList | Account types [Work email app, Samsung accounts, and Google accounts], "*" (Wildcard String) | X | Y | Y | N/A | N/A | Y | Y
66 | 28 | # 1 | Policy Management | Core app white list | core app list | List approved core apps | Choose Method #1 or #2. Method #1: KPE(AE) enrollment. Method #2: KPE system app disable list. | II | Enroll device as an Android Enterprise device, which disables required system apps by default (use 'DevicePolicyManager enableSystemApp' to re-enable a system app) | | X | N/A | Y | N/A | Y | N/A | Y
67 | | # 2 | KPE Application | System app disable list | core app list | List non-AO-approved system app packages | | II | ApplicationPolicy setDisableApplication | Package Name | X | Y | Y | Y | Y | Y | Y
68 | 29 | # 1 | KPE Restrictions | Revocation check | Enable/Disable | Enable | Choose Method #1 or #2. Method #1: Certificate Revocation List (CRL) checking. Method #2: Online Certificate Status Protocol (OCSP), with CRL fallback. | II | CertificatePolicy enableRevocationCheck | "*" (Wildcard String), TRUE | X | Y | Y | N/A | N/A | Y | Y
69 | | # 2 | KPE Restrictions | OCSP check (with revocation check fallback) | Enable/Disable | Enable | | II | CertificatePolicy enableOcspCheck | "*" (Wildcard String), TRUE | X | Y | Y | N/A | N/A | Y | Y
70 | | | | | | | | | CertificatePolicy enableRevocationCheck | "*" (Wildcard String), TRUE | X | Y | Y | N/A | N/A | Y | Y
71 | 30 | # 1 | Policy Management | Certificates | Configure | Include DoD certificates in work profile | Choose Method #1 or #2. Method #1: Use AE Key management (Policy Management). Method #2: Use KPE Key management (KPE Certificate). | II | DevicePolicyManager installCaCert | CA certificate | X | N/A | Y | N/A | N/A | N/A | Y
72 | | | | | | | | | DevicePolicyManager installKeyPair | Client certificates and keys | X | N/A | Y | N/A | N/A | N/A | Y
73 | | # 2 | KPE Certificate | Certificates | Configure | Include DoD certificates in work profile | | II | CertificateProvisioning installCertificateToKeystore (preferred) | TYPE_CERTIFICATE/TYPE_PKCS12, Certificate, Alias, Decryption password, KEYSTORE_DEFAULT/KEYSTORE_FOR_WIFI/KEYSTORE_FOR_VPN_AND_APPS | X | Y | Y | N/A | N/A | Y | Y
74 | | | | | | | | | CertificateProvisioning installCertificateWithType (this method requires User interaction) | TYPE_CERTIFICATE/TYPE_PKCS12, Certificate | X | Y | Y | N/A | N/A | N/A | N/A
75 | 31 | # 1 | Restrictions | Config credentials | Allow/Disallow | Disallow | Choose Method #1 or #2. Method #1: Disallow User from configuring any credential. Method #2: Disallow User from removing certificates. | II | DevicePolicyManager addUserRestriction | DISALLOW_CONFIG_CREDENTIALS | X | N/A | Y | N/A | N/A | N/A | Y
76 | | # 2 | KPE Restrictions | Allow User Remove Certificates | Allow/Disallow | Disallow | | II | CertificatePolicy allowUserRemoveCertificates | FALSE | X | Y | Y | N/A | N/A | Y | Y
77 | 32 | # 1 | Restrictions | List of approved apps listed in managed Google Play | List of apps | List only approved work apps in managed Google Play | Choose Method #1 or #2. Method #1: Use managed Google Play [not available for KPE(LEGACY) deployments]. Method #2: Use KPE app installation whitelist. Refer to the management tool documentation to determine the following: | II | Configure managed Google Play with approved work apps | | X | N/A | Y | N/A | N/A | N/A | Y
78 | | # 2 | KPE Application | App installation whitelist | List of apps | List only approved work apps | | II | ApplicationPolicy addAppPackageNameToWhiteList (preferred) | Package Name | X | Y | Y | N/A | N/A | Y | Y
79 | | | | | | | | | ApplicationPolicy addAppPackageNameToBlackList | "*" (Wildcard String) | X | Y | Y | N/A | N/A | Y | Y
80 | | | | | | | | | ApplicationPolicy addAppSignatureToWhiteList | Package Signature | X | Y | Y | N/A | N/A | Y | Y
81 | | | | | | | | | ApplicationPolicy addAppSignatureToBlackList | "*" (Wildcard String) | X | Y | Y | N/A | N/A | Y | Y
82 | 33 | # 1 | Restrictions | Unredacted Notifications | Allow/Disallow | Disallow | Choose Method #1 or #2. Method #1: Disable unredacted notifications on Keyguard (COBO or COPE). Method #2: Use KPE notification sanitization for notifications (COPE ONLY). | II | DevicePolicyManager setKeyguardDisabledFeatures | KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS | X | N/A | Y | N/A | N/A | N/A | Y
83 | | # 2 | KPE RCP | Show detailed notifications | Allow/Disallow | Disallow | | II | RCPPolicy setAllowChangeDataSyncPolicy | NOTIFICATIONS, SANITIZE_DATA, FALSE | X | N/A | N/A | N/A | N/A | Y | Y
84 | 34 | # 1 | KPE RCP | Sharing clipboard to personal | Allow/Disallow | Disallow | COPE ONLY. Choose Method #1 or #2. Method #1: KPE RCP. Method #2: AE Restriction. | II | RCPPolicy allowShareClipboardDataToOwner | FALSE | X | N/A | N/A | N/A | N/A | Y | Y
85 | | # 2 | AE Restriction | Cross profile copy/paste | Allow/Disallow | Disallow | | II | DevicePolicyManager addUserRestriction | DISALLOW_CROSS_PROFILE_COPY_PASTE | X | N/A | N/A | N/A | N/A | N/A | Y
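The following Java class is an added illustration, not code from this page, from Samsung, or from any MDM vendor. It shows how a device-owner app would apply the Android Enterprise (DevicePolicyManager) rows for policies 1 through 9, 13, 15 and 19 from the table, and then audit each one through its get[Policy] or is[Policy] counterpart, as the introduction recommends. The API names and constants are the ones in the table; the class name, the map keys, the admin ComponentName and the assumption that the calling app holds device-owner privileges are mine.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Bundle;
import android.os.UserManager;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: apply then audit a subset of the STIG table via DevicePolicyManager. */
public final class StigBaselineAudit {
    // Settings taken from table rows 1, 3, 9 and 11 (policies 1, 2 method #1, 3 and 4).
    static final int MIN_PASSWORD_LENGTH = 6;
    static final int PASSWORD_QUALITY = DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX;
    static final long MAX_TIME_TO_LOCK_MS = 900_000L;   // 15 minutes
    static final int MAX_FAILED_PASSWORDS_FOR_WIPE = 10;

    // User restrictions from rows 13, 19, 21, 26 and 47 (policies 5, 8, 9, 13 #1, 19 #1).
    static final String[] USER_RESTRICTIONS = {
        UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY,
        UserManager.DISALLOW_DEBUGGING_FEATURES,
        UserManager.DISALLOW_USB_FILE_TRANSFER,
        UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA,
        UserManager.DISALLOW_CONFIG_DATE_TIME,
    };

    // Keyguard features from rows 15 and 17 (policies 6 and 7): trust agents and face unlock.
    static final int KEYGUARD_DISABLED =
        DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS
        | DevicePolicyManager.KEYGUARD_DISABLE_FACE;

    private final DevicePolicyManager dpm;
    private final ComponentName admin;   // assumed: this app's DeviceAdminReceiver, enrolled as DO

    public StigBaselineAudit(Context context, ComponentName admin) {
        this.dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
    }

    /** The set[Policy] side of each row. Requires device-owner privileges. */
    public void apply() {
        dpm.setPasswordMinimumLength(admin, MIN_PASSWORD_LENGTH);
        dpm.setPasswordQuality(admin, PASSWORD_QUALITY);
        dpm.setMaximumTimeToLock(admin, MAX_TIME_TO_LOCK_MS);
        dpm.setMaximumFailedPasswordsForWipe(admin, MAX_FAILED_PASSWORDS_FOR_WIPE);
        for (String restriction : USER_RESTRICTIONS) {
            dpm.addUserRestriction(admin, restriction);
        }
        dpm.setKeyguardDisabledFeatures(admin, KEYGUARD_DISABLED);
        dpm.setAutoTimeRequired(admin, true);          // row 48, policy 19 method #2
        dpm.setSecurityLoggingEnabled(admin, true);    // row 32, policy 15 method #2
    }

    /** The get/is side: one entry per row, true when the device satisfies it. */
    public Map<String, Boolean> audit() {
        Map<String, Boolean> result = new LinkedHashMap<>();
        result.put("1 Minimum password length",
            dpm.getPasswordMinimumLength(admin) >= MIN_PASSWORD_LENGTH);
        // Quality constants are ordered, so >= NUMERIC also accepts Numeric(Complex) and above.
        result.put("2 Minimum password quality",
            dpm.getPasswordQuality(admin) >= DevicePolicyManager.PASSWORD_QUALITY_NUMERIC);
        long lockMs = dpm.getMaximumTimeToLock(admin);   // 0 means no limit, which is a finding
        result.put("3 Max time to screen lock", lockMs > 0 && lockMs <= MAX_TIME_TO_LOCK_MS);
        int wipeAfter = dpm.getMaximumFailedPasswordsForWipe(admin);   // 0 means wipe disabled
        result.put("4 Max password failures for local wipe",
            wipeAfter > 0 && wipeAfter <= MAX_FAILED_PASSWORDS_FOR_WIPE);
        Bundle restrictions = dpm.getUserRestrictions(admin);
        for (String restriction : USER_RESTRICTIONS) {
            result.put("restriction " + restriction, restrictions.getBoolean(restriction, false));
        }
        int keyguard = dpm.getKeyguardDisabledFeatures(admin);
        result.put("6/7 Trust agents and face disabled",
            (keyguard & KEYGUARD_DISABLED) == KEYGUARD_DISABLED);
        result.put("19 Auto time required", dpm.getAutoTimeRequired());
        result.put("15 Security logging enabled", dpm.isSecurityLoggingEnabled(admin));
        return result;
    }
}
```

The audit reads each value back from the platform rather than trusting the MDM's own record of what it pushed, which is the point of the get[Policy]/is[Policy] advice above: a policy that was rejected, overridden by a later profile, or reset after a factory reset shows up as false here. The Knox-side rows (BasePasswordPolicy, RestrictionPolicy and so on) would be audited the same way through their Knox SDK getters.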