Firewall and Proxy policy
A group of policies for firewall setup and configuration. IT admins can enforce these policies for fully managed devices with or without a Work profile. Availability: All Knox versions.
  • Enable firewall controls
    Use this control to enable or disable the firewall controls for fully managed devices with or without a Work profile.
  • Name of firewall configuration to use
    Enter the name of the primary firewall configuration profile that apps can use for network connections. This profile name must match the value set in the Firewall profiles section.
  • Enable Proxy on device
    Use this control to enable or disable a global proxy on the device that routes all internet traffic through a proxy server of your choice. This works for both WiFi and mobile data connections. You can use either a fixed proxy server address or a proxy auto-config (PAC) file. Depending on your selection here, the settings provided in either the "Manual proxy configuration" or the "Proxy auto configuration" section below are used.
Firewall policy (Premium)
A group of policies for firewall setup and configuration. IT admins can enforce these policies for devices with a Work profile. Availability: All Knox versions.
  • Enable firewall controls
    Use this control to enable or disable the firewall controls for the Work profile.
  • Name of firewall configuration to use
    Enter the name of the primary firewall configuration profile that apps can use for network connections. This profile name must match the value set in the Firewall profiles section.
Firewall configuration profile
A group of controls that drive the firewall configuration on the device.
  • Firewall configuration name
    Enter the name of the firewall configuration profile in this field. Use a unique and descriptive name that includes the name of the firewall provider and any other identifying description, for example FirewallProvider1. The "Name of firewall configuration to use" field in the firewall policy section must reference this value exactly.
  • Allow rules
    A group of controls to specify the network connections allowed on the device. Allow rules take precedence over deny rules: a connection that matches an allow rule is permitted even if it also matches a deny rule.
      • Hostname (IP or IP range)
        Enter a host IP or IP range in IPv4 or IPv6 format to allow incoming or outgoing data packets. For example, 100.0.0.10 or 100.0.0.0-100.0.0.10, or use * for all IP addresses.
      • Port or Port range
        Enter a port number or range of port numbers that are allowed. For example, use 8080 or 8080-8085, or use * for all ports.
      • Port location
        Specify whether the port is remote or local. A local port is a port on the device; a remote port is a port on the server end point. For example, to allow connections to an FTP server on port 21, add an allow rule with the "Remote" port location.
      • Network interface
        Specify the type of connection (WiFi or mobile data) to which this allow rule applies.
  • Deny rules
    A group of controls to specify the network connections denied on the device. CAUTION: Adding a DENY ALL rule disconnects the device completely from the network. To retain control of the device, always add ALLOW rules that guarantee UEM Agent connectivity before adding a DENY ALL rule.
      • Hostname (IP or IP range)
        Enter a host IP or IP range in IPv4 or IPv6 format to block incoming or outgoing data packets. For example, use 100.0.0.10 or 100.0.0.0-100.0.0.10, or use * to block all IP addresses.
      • Port or Port range
        Enter a port number or range of port numbers that are blocked. For example, use 8080 or 8080-8085, or use * for all ports.
      • Port location
        Specify whether the port is remote or local. A local port is a port on the device; a remote port is a port on the server end point. For example, to stop the device from accepting connections on port 21 (FTP), add a deny rule with the "Local" port location.
      • Network interface
        Specify the type of connection (WiFi or mobile data) to which this deny rule applies.
      • Application
        Specify the package name of the application to which this DENY rule applies. Leave the field empty to apply the rule to all connections on the device.
  • Reroute rules
    A group of controls to specify when and how firewall access requests are rerouted.
      • Intended hostname (IP or IP range)
        Enter the IP address or IP range of the target host for which all data packets are automatically rerouted.
      • Intended port or port range
        Enter the target port number or port range for which all data packets are automatically rerouted.
      • Destination host IP
        Enter the IP address of the host to which the matching data packets are rerouted.
      • Destination port
        Enter the port number on the host to which the matching data packets are rerouted.
      • Network interface
        Specify the type of connection (WiFi or mobile data) to which this reroute rule applies.
      • Application
        Specify the package name of the application to which this reroute rule applies. Leave the field empty to apply the rule to all connections on the device.
  • Reroute exceptions
    A group of controls to specify which data connections are not rerouted.
      • Hostname (IP or IP range)
        Enter the IP address or IP range of the target host for which data packets are not rerouted.
      • Port or Port range
        Enter the target port number or port range for which data packets are not rerouted.
  • Domain filters
    A group of controls to specify how traffic to and from specific domains is handled.
      • Blocked domains
        Specify the domains to which access requests are denied, as a comma-separated list of domain names (URLs). Partial names with a * wildcard at the beginning and/or the end are also accepted.
      • Allowed domains
        Specify the domains to which access requests are allowed, as a comma-separated list of domain names (URLs). Partial names with a * wildcard at the beginning and/or the end are also accepted.
      • Scope of domain filter
        Specify whether the domain filter applies to connection requests from all applications or only from the applications you list below.
      • List of applications to apply the domain filter to
        If you set the scope of the domain filter to selected applications only, enter a comma-separated list of the package names of the applications to which the domain rules apply.
  • Prioritize Domain filters over allow and deny rules
    Enable this flag to process domain filters before the other firewall rules. Once enabled, the next time an application sends a domain name resolution request, the domain rules are evaluated before the allow and deny rules to decide whether to allow or block the request. Note that this allows data packets to a domain that has a specific whitelist (allowed domain) rule in the domain filter, even if a firewall deny rule would otherwise match. Data packets to domains that are not whitelisted may still be blocked by a firewall deny rule.
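The following is an added example, not Knox or UEM console code: a small Python model of the evaluation order this page describes (allow rules take precedence over deny rules, the DENY ALL caution under Deny rules, wildcard domain filters, and the "Prioritize Domain filters" flag). It lets you dry-run a profile against sample connections before pushing it, in particular to confirm that the UEM Agent's own connection survives a DENY ALL rule. The IP addresses, package names and domains are constructed (RFC 5737 documentation ranges, hypothetical names); the default of allowing traffic that no rule or filter mentions, and the assumption that with the priority flag off the domain filter is consulted only after the allow/deny rules have not decided, are modeling assumptions and not statements from this page.

```python
"""Model of the firewall-profile semantics described above. Added illustration,
not Samsung Knox or UEM code; defaults marked ASSUMPTION are not from the page."""
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


def parse_ip_spec(spec: str) -> Optional[Tuple]:
    # "*" -> None (any host); "10.0.0.1" -> (ip, ip); "10.0.0.0-10.0.0.10" -> (lo, hi)
    if spec == "*":
        return None
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    else:
        lo = hi = ipaddress.ip_address(spec)
    return (lo, hi)


def parse_port_spec(spec: str) -> Optional[Tuple[int, int]]:
    # "*" -> None (any port); "8080" -> (8080, 8080); "8080-8085" -> (8080, 8085)
    if spec == "*":
        return None
    lo, hi = (int(p) for p in spec.split("-", 1)) if "-" in spec else (int(spec), int(spec))
    return (lo, hi)


@dataclass
class Connection:
    app: str                      # package name of the app opening the socket
    remote_ip: str
    remote_port: int
    local_port: int
    interface: str                # "wifi" or "data"
    domain: Optional[str] = None  # hostname the app resolved, if any


@dataclass
class Rule:
    """One allow or deny row: host (IP or range), port (or range), port location, interface, app."""
    host: str = "*"
    port: str = "*"
    port_location: str = "remote"  # "remote" = server end point, "local" = port on the device
    interface: str = "*"
    app: str = ""                  # package name; empty = every app

    def matches(self, c: Connection) -> bool:
        ips = parse_ip_spec(self.host)
        ip = ipaddress.ip_address(c.remote_ip)
        if ips and (ip.version != ips[0].version or not ips[0] <= ip <= ips[1]):
            return False
        ports = parse_port_spec(self.port)
        port = c.remote_port if self.port_location == "remote" else c.local_port
        if ports and not ports[0] <= port <= ports[1]:
            return False
        if self.interface != "*" and self.interface != c.interface:
            return False
        return not self.app or self.app == c.app


@dataclass
class FirewallConfig:
    name: str
    allow: List[Rule] = field(default_factory=list)
    deny: List[Rule] = field(default_factory=list)
    blocked_domains: List[str] = field(default_factory=list)    # "*.ads.example" style patterns
    allowed_domains: List[str] = field(default_factory=list)
    domain_scope_apps: List[str] = field(default_factory=list)  # empty = filter applies to all apps
    domain_filters_first: bool = False  # the "Prioritize Domain filters over allow and deny rules" flag

    def domain_verdict(self, c: Connection) -> Optional[str]:
        # "block"/"allow" from the domain filter, or None when the filter does not apply.
        if c.domain is None or (self.domain_scope_apps and c.app not in self.domain_scope_apps):
            return None
        if any(fnmatchcase(c.domain, p) for p in self.blocked_domains):
            return "block"
        if any(fnmatchcase(c.domain, p) for p in self.allowed_domains):
            return "allow"
        return None

    def rule_verdict(self, c: Connection) -> Optional[str]:
        # Allow rules take precedence over deny rules; None when nothing matches.
        if any(r.matches(c) for r in self.allow):
            return "allow"
        if any(r.matches(c) for r in self.deny):
            return "block"
        return None

    def decide(self, c: Connection) -> str:
        # ASSUMPTION: flag off -> rules first, then domain filter; unmentioned traffic is allowed.
        order = (self.domain_verdict, self.rule_verdict) if self.domain_filters_first \
            else (self.rule_verdict, self.domain_verdict)
        for check in order:
            verdict = check(c)
            if verdict:
                return verdict
        return "allow"


def uem_agent_reachable(cfg: FirewallConfig, agent_conn: Connection) -> bool:
    """Pre-push check for the DENY ALL caution: does the UEM Agent's connection survive?"""
    return cfg.decide(agent_conn) == "allow"


# Constructed sample connections (documentation IP ranges, hypothetical package names/domains).
UEM_AGENT = Connection("com.example.uemagent", "203.0.113.10", 443, 51000, "wifi")
BROWSER = Connection("com.android.chrome", "198.51.100.7", 443, 51001, "wifi", "www.vendor.example")
CDN = Connection("com.android.chrome", "198.51.100.8", 443, 51002, "wifi", "cdn.vendor.example")
TRACKER = Connection("com.android.chrome", "198.51.100.9", 443, 51003, "data", "pixel.ads.example")
FTP_IN = Connection("com.example.ftpd", "198.51.100.20", 40000, 21, "wifi")


def build_profile(deny_all: bool, keep_agent: bool) -> FirewallConfig:
    cfg = FirewallConfig("FirewallProvider1")
    if keep_agent:  # allow rule guaranteeing UEM Agent connectivity, added before DENY ALL
        cfg.allow.append(Rule(host="203.0.113.10", port="443", port_location="remote"))
    if deny_all:
        cfg.deny.append(Rule())  # DENY ALL: host *, port *, every interface and app
    cfg.deny.append(Rule(port="21", port_location="local"))  # device must not accept FTP
    cfg.blocked_domains = ["*.ads.example"]
    cfg.allowed_domains = ["cdn.vendor.example"]
    return cfg


if __name__ == "__main__":
    for deny_all, keep_agent in ((True, False), (True, True)):
        cfg = build_profile(deny_all, keep_agent)
        print(f"DENY ALL={deny_all} agent allow rule={keep_agent}: "
              f"agent reachable={uem_agent_reachable(cfg, UEM_AGENT)}")
```

Running the module prints that a profile with DENY ALL but no allow rule for the agent leaves the device unreachable, and that adding the agent allow rule first restores management. Toggling `domain_filters_first` on the second profile shows the whitelisted CDN domain becoming reachable through the DENY ALL rule, while domains not on the allowed list stay blocked.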