SAMSUNG Knox Manage 20.2 Administrator Guide

Knox Manage
Administrator’s Guide
Solution version 20.2
Published: February 2020
version 20.2.1
Table of Contents
1
Configuring basic environments 36
Setting the user authentication method 36
Configuring Android Enterprise environments 37
Introducing Samsung Knox Setting an APNs certificate (iOS only)

Setting the SEG profile (Galaxy devices only)
39
41
Manage
Knox Manage components 10
Knox Manage strengths 11
Knox Manage system requirements
Knox Manage Admin Portal
13
14
3
Header 14
Main menu 16 User/Group/Organization
List 17
Viewing the user list 44
Detail page 18
Function icon 19 Viewing the user details 46
New version release and alert pop-ups 20 Creating user accounts 47
Registering a single user account 47
Available services by device type and OS 21
Registering bulk user accounts 48
Registering a single AD/LDAP user account 49
Registering multiple AD/LDAP user accounts 50
Managing user accounts 51
2
Modifying user account details 51
Sending device commands to users 52
Sending enrollment guides to users via
Starting up email and SMS

Sending templates or user notifications to
53
users via email 54

Setting up an account 23 Changing the user account password 54
Creating a Samsung account 24
Resetting the user account password 55
Creating a Knox Manage account 24
Deleting user accounts 55
Signing in to Knox Manage 25
Viewing the organization list 56
Managing licenses 26
Viewing the license information 27 Viewing the organization details 58
Registering a license 27 Managing organizations 60
Renewing an expired license 29 Adding an organization 60
Modifying an existing license 30 Modifying the organization details 61
License FAQ 31 Changing user’s organizations 62
Assigning applications to organizations 63
Using the Getting Started 33
Understanding the Getting Started page 34 Assigning and applying profiles to organizations 64
Following the step-by-step guide 35 Applying the latest profiles to organizations 64
2
Table of Contents
Assigning and distributing content to Enrolling devices 100

organizations 65 Enrolling a single device 100
Deleting the organizations 65 Using Knox Mobile Enrollment (Samsung
devices only) 106
Viewing the group list 66
Using Zero Touch Enrollment (Android
Viewing the group details 67 Enterprise devices only) 116
Creating groups of users or devices 71 Using the Apple Device Enrollment Program
(iOS devices only) 121
Registering a group 71
Registering an AD/LDAP sync group 72 Managing devices 127
Unenrolling devices 127
Managing groups 73
Sending device commands to devices 129
Adding users to user groups 73
List of device commands: Android Enterprise 131
Adding devices to device groups 74
List of device commands: Android Legacy/
Assigning applications to groups 74 Knox Workspace 134
Assigning and applying profiles to groups 75 List of device commands: iOS 139
Assigning and distributing content to groups 76 List of device commands: Windows 142
Sending device command requests to groups 76
Checking the locations of the devices in the group 77 Managing limited enrollment 143
Deleting the groups 77 Checking the locations of the devices 144
Syncing user information with AD/LDAP 78 Viewing device logs 145

Adding sync services 79
Viewing a list of sync services 87
Changing the sync targets 88
Viewing sync results 88
5
Running sync services 89
Viewing sync exceptions 90
Viewing sync history 92
Content
Viewing the content list 148
Viewing the content details 149
4 Adding content
Assigning content
150
151
Device Distributing content 151

Managing content 152
Viewing the device list 95 Modifying content 152
Viewing the device details 97 Deleting content 152
3
Table of Contents
6 7
Application Profile
Viewing the application list 155 Viewing the profile list 188
Viewing the application details 157 Viewing the profile details 190
Adding applications 160 Creating profiles 192
Adding internal applications 161 Creating a new profile 192
Adding public applications (Google Play Store) 165 Copying a profile 193
Adding public applications (Managed Exporting a profile 193
Google Play Store) 166 Adding events for profiles 195
Adding public applications (iOS App Store) 167
Configuring policies by device platform 198
Adding public applications (Managed
Google Play Private) 168 Configuring Android Enterprise Policies 199
Configuring Samsung Knox (Android
Assigning applications 169 Enterprise) Policies 229
Assigning internal applications 169 Configuring Android Legacy Policies 243
Assigning Google Play applications 171 Configuring Knox Workspace (Android
Assigning Managed Google Play applications 172 Legacy) Policies 293
Assigning iOS App Store applications 173 Configuring iOS Policies 322
Assigning Managed Google Play Private Configuring Windows Policies 350
applications 174 Applying configurations automatically
(Android only) 357
Managing applications 175
Modifying applications 175 Assigning and applying profiles 361
Managing application categories 176 Assigning to groups 361
Assigning to organizations 362
Using the Volume Purchase Program (iOS only) 177
Before using the VPP 178 Managing profiles on the list 363
Setting up the VPP 180 Managing applications for specific purposes 363
Managing VPP users 182 Setting up the profile priorities 364
Managing VPP applications 184
Modifying profiles in detail 365
Setting the profile update schedule 366
Collecting device location information 367
4
Table of Contents
8
Controlling devices with the RS Viewer 388
Using the functions of the RS Viewer 389
Controlling devices in Knox Manage 391

Kiosk
Introduction 370
Strengths of Knox Manage Kiosk 370
10
Kiosk types 371
Supported environment 371
Basic functions in a Kiosk menu 372
Creating a Single App Kiosk 373 Advanced

Creating a Multi App Kiosk 374
Creating a Multi App Kiosk 374 Managing Enterprise-Firmware Over The Air
(E-FOTA) 395
Creating a Kiosk application by copying a
Multi App Kiosk 375 Viewing the E-FOTA group list 395
Configuring a Kiosk in a Profile 375 Assigning devices to an E-FOTA group for
firmware updates 396
Exploring Kiosk Wizard 376 Modifying the firmware update configurations 397
Kiosk Settings 377 Viewing the firmware update status of devices 398
Kiosk Preview 378 Viewing the change histories of E-FOTA groups 398
Kiosk components 379
Managing Certificates 399
Allowing device settings 380
Certificate authority (CA) 399
Using the Kiosk Browser 381 Certificate templates 404
Specifying the URL for Kiosk Browser 381 External certificates 408
Deploying Kiosk mode on a device 382 Viewing certificates issuing history 410
Sending device commands 382 Integrating a directory server 411
Configuring profile policy 383 Viewing the directory server status 411
Exiting Kiosk mode 383 Adding a directory server 412
Updating directory server status 414
Copying a directory server 415
Modifying directory server information 415
Deleting directory servers 416
9 Setting a directory connector

Viewing the directory connector status
Adding a directory connector
416
416
417
Remote Support Testing a directory service 419
Setting the directory service operating hours 421
Before Using Remote Support 386 Copying a directory connector 422
Supported platforms 386 Modifying directory connector information 422
Disabling the firewall 387 Deleting directory connectors 422
Installing the RS Viewer 387

5
Table of Contents
Managing Open API 423 Configuring the Keepalive settings 463

Managing API clients 423
Adding a notice 464
Invalidating tokens 426
Viewing the API log 426 Managing message templates 465
Basic message templates 465
Viewing the API client log 426
Adding message templates 466
Using Cloud Connector 427 Managing added message templates 467
Preparing for installation 428
Installing the SCC client 431 Managing master data 468
Running SCC client 432 Setting the logo 469
Configuring the SCC client 432 Managing administrator accounts 470
Updating the SCC client 433 Adding an administrator 470
Integrating services in Knox Manage 433 Selecting profiles to manage for sub-
Fixing background service errors 436 administrators 471
Selecting organizations to manage for sub-
Using Mobile Admin 437 administrators 472
Mobile Admin basic information 437
Activating administrator accounts 472
Understanding the Mobile Admin screen 438
Activating technical support administrators 473
Starting up Mobile Admin 441
Managing devices on Mobile Admin 442
Managing users on Mobile Admin 446
Configuring Microsoft Exchange 447
12
Configuring the Exchange server 448
Configuring ADCS and AD for Microsoft
Exchange 450
Monitoring
Configuring a profile for Microsoft Exchange 451
Accessing Microsoft Exchange on the device 452
Setting the dashboard 475

Basic dashboards 475
Widget type dashboards 477
Viewing another dashboard 477
11 Adding a dashboard
Managing dashboards
478
479
Setting Viewing reports

Viewing the report list
481
481
Viewing a report 482
Configuring the environment 455
Report list 484
List of environment settings 455
Adding a report 486
Setting Knox Manage Agent policies 460 Report queries list 488
Applicable policies for Knox Manage Agent 460
Managing reports 493
6
Table of Contents
Viewing audits 494

Understanding audit events 494
Viewing the audit list 495
Setting audit targets 496
Viewing audit logs 496
Downloading audit logs as an Excel file 498
Audit event classification 499
Managing alerts 501

Viewing entire alerts 501
Configuring alerts 502
Viewing the device log 503

Viewing the service history 504
13
Appendix
Lists of audit events 508
Device audit events 508
Server audit events 511
Admin Portal audit events 528
Lists of error codes 546

Client error codes 546
Admin Portal access error codes 554
AppWrapper error codes 577
List of Open API 579

Glossary 586
7
1
Introducing Samsung
Knox Manage
Introducing Samsung
Knox Manage
Samsung Knox Manage is an EMM solution which provides integrated management of mobile
devices. Various policies can be customized for device management and assigned to mobile
devices. Applications can be assigned to be only available to employees on their mobile devices
while working. Once administrators register the employees and their devices, the integrated
management of mobile devices begins. Improve business efficiency and secure company data using
Knox Manage.
This chapter explains the following topics:
→→ Knox Manage components

→→ Knox Manage strengths
→→ Knox Manage system requirements
→→ Knox Manage Admin Portal
→→ Available services by device type and OS
Introducing Samsung Knox Manage 9

Knox Manage components
The cloud-based Knox Manage has the following components.
2 Admin Portal
Android devices
3 5
Firewall
2
4 Active
Directory
Knox Manage
Cloud
iOS devices Connector 6
2
2 Certificate
Authority
Windows devices
Samsung KNOX
Workspace devices
No. Name Description
1 Knox Manage Administrator Portal Configures and manages Knox Manage environments.
An application installed on Android, iOS, and Windows

2 Knox Manage Agent
mobile devices
3 Knox Manage server Knox Manage cloud server
Transfers data securely between the client’s enterprise

4 Knox Manage Cloud Connector server and the Knox Manage server. For more
information, see Using Cloud Connector.
Imports the client’s directory-based user information. For

5 Lightweight Directory Access Protocol more information, see Syncing user information with AD/
LDAP and Integrating a directory server.
Generates certificates for authentication when using a

6 Certificate Authority network, such as Wi-Fi, VPN, Exchange, or APN. For more
information, see Adding a certificate authority (CA).

Knox Manage strengths
Easy creation of launcher applications with Kiosk Wizard
Knox Manage provides Kiosk Wizard, that helps you set up devices to display only specific
applications, widgets, and notifications. You can configure Kiosk devices to perfectly fit your work
and service.
Quick troubleshooting via Knox Manage Remote Support
Knox Manage provides Remote Support to solve any device or application issues quickly and
precisely. Remote Support also helps prevent the same issues from arising again through analyzing
the logs.
Optimal management of OS versions using E-FOTA
Knox Manage enables wireless firmware management via Enterprise Firmware-Over-The-

Air (E-FOTA). E-FOTA helps resolve security risks for vulnerable OS versions and guarantees
compatibility between software developed in the company and any new OS versions.
Integrated management of Android Enterprise devices
Knox Manage provides a full management service for any type of Android Enterprise device. You
can save service support costs through the easy assignment of policies, applications, and the latest
updates.
Optimized Knox Manage Admin Portal
The user interface of the Knox Manage Admin Portal is designed to be administrator-centric. You
can easily monitor the security status of enrolled devices and quickly collect information needed for
prompt action.
Support of differentiated Samsung Knox
Knox Manage supports the latest firmware of Samsung Knox, the mobile enterprise security platform
embedded into Samsung Galaxy devices. In addition, Knox Manage fully guarantees fully supports
for the latest Knox API.

Effortless content management
Knox Manage comes with the ability to upload and distribute images, documents, audio, and even
videos. You can set the distribution target from a single user or device to groups or organizations.
Moreover, the Content Delivery Network (CDN) allows you to distribute content more quickly and
safely and reduce the data transfer load.
Bulk device enrollment and application assignment
Knox Manage provides the means for the easy and quick enrollment of mobile devices en masse
through Knox Mobile Enrollment (KME) for Android devices or the Device Enrollment Program (DEP)
for iOS devices. In the case of iOS devices, Apple’s Volume Purchase Program (VPP) is also available
to help conveniently assign the desired applications.
Easy initial setup with the Getting Started guide
Knox Manage provides the Getting Started guide which outlines the process for initial environment
setup. By following the guide, you can become proficient at adding users, enrolling devices, and
applying policies promptly.
Strong data protection
Knox Manage has incorporated top-level security requirements since the initial design process in
order to protect corporate data from possible data security threats:
• All data between the server and mobile device is encrypted with AES-256 (AES: Advanced
Encryption Standard).
• Two-factor authentication is supported through applications and communication based on

security certificates.
Storage of device analysis data
In addition to monitoring devices in real time, Knox Manage also provides audits. You can check
events that occur in the system, applied policies, tampering and compliance violations, etc., and take
appropriate actions against them.
Direct Boot enabled
Knox Manage supports Direct Boot on Android 7 and higher devices. Knox Manage is executed after
the user reboots the device and before the device is unlocked. The commands that can be executed
before unlocking are limited.

Knox Manage system requirements
Meet the requirements listed below to ensure the efficient operation of Knox Manage:
Item Requirement
OS Microsoft Windows XP or higher
• Google Chrome version 41 or higher

Administrator’s
PC
Browser • Mozilla Firefox version 37 or higher
• Microsoft Internet Explorer 11
Resolution 1680 x 1050 (px)
Android Enterprise Android 6.0 (Marshmallow) or higher
Android Legacy Android 5.0 (Lollipop) or higher
User’s device iOS iOS 9.0 or higher
A desktop computer on which Microsoft Windows 10

Windows Version 1703 or higher has been installed (Pro/Enterprise/
Home)
English, Portuguese, Spanish, French, German, Italian,

Admin Portal
Supported Korean
language Any of the above languages set in the device language
Knox Manage Agent
settings
Note • Online help in the Admin Portal is only available in English.

• You can select a language in the portal without changing the browser’s language.
• If the selected language in Knox Manage Agent is not supported on the mobile device, Knox
Manage Agent will be displayed in English.

Knox Manage Admin Portal
Get familiar with the Knox Manage Admin Portal’s interface features before starting the Admin Portal.
2 3
Appears on every page. The logo, account ID, and the menus for alerts,
licenses, online help, and the session time reset are provided. You can
1 Header also download related applications and programs.
Click next to the account ID to view more menus. For more
information, see Header.
Appears on every page. The Knox Manage features are listed by type. For
2 Main menu
more information, see Main menu.
Displays a list of information for the selected Main menu or the details
about the selected resource. For more information, see List.
3 Content page
When you enter a value on this page, you must fill out any input field with
an asterisk (*).
Header
Find out more about the elements in the header.
1 2 3 4 5 6
Click the logo to go to the main page. You can change the logo and color theme.
1 Logo
For more information, see Setting the logo.

Click to view license information, alerts, and token and certificate information.
• License: View the expiration statuses of licenses. Click the number to navigate
to the license list.
2 Notification • Monitoring: View the list of alerts and the monitored violations. Click the
number to navigate to the alert list.
• Token & Certificate: View the expiration status of the APN certificates and the
DEP or VPP tokens. Click the number to navigate to each list.
Click to customize more settings.
3
Portal • High Contrast Theme: Apply a high contrast theme to the Admin Portal to help
Settings with poor vision.
• Change Language: Change the display language.
Hover the mouse over an object to use help information and related applications
or programs.
• Getting Started: View the start guide to learn how to use Knox Manage. For
more information, see Using the Getting Started.
• Manual: View online help.
• Release Note: View the major changes in the new version on the outline.
• Technical Support: Allow technical support administrators to remotely access
the Admin Portal and set the allowed period of time for access.
• Download: Download a list of devices, applications, or reports after exporting
them. You can also download a related application or program to use Knox
4 Support Manage.
–– My Download: Download a list of devices, applications, or reports that you
have exported under the corresponding menus. You can click Download on
each downloaded item to save it.
–– Cloud Connector / Remote Support: Download a related application or
program to use Knox Manage.
–– Cloud Connector Client: A program installed on the client’s site for using
Samsung Cloud Connector (SCC)
–– Remote Support Viewer (Admin): A program installed on the
administrator’s PC for viewing and controlling the user’s device
–– Remote Support App (Device): An application installed on mobile devices
for Remote Support
Click next to the account ID to view more menus.
• Session: Enter the maximum session time limit for the Admin Portal. If the limit
is exceeded, you will be signed out automatically. You can enter a value from 1
5 Account ID
to 60.
• Change Password: Change your account password.
• Logout: Sign out of the Admin Portal.
Extend
6 View the remaining session time. Click to refresh it.
Session

Main menu
The Admin Portal’s Main menus help you perform any required tasks that you need to perform as an
administrator. Find out what you can do in each menu.
Menu Description
Manage the mobile devices enrolled in Knox Manage. Check the details of each
Device device and send commands to the devices. When a device has problems, you can
solve them with Remote Support.
Manage the users enrolled in Knox Manage. Check the details for each user
User
including the group or organization they belong to and their devices.
Manage the user or device groups enrolled in Knox Manage. Assign and apply
Group
profiles or send commands to desired groups.
Manage the user organizations enrolled in Knox Manage. Create or delete sub-
Organization
organizations. Assign and apply profiles to desired organizations.
Manage internal or public applications in Knox Manage. Assign applications to

Application
groups or organizations.
Create new profiles and set policies in them for device management. Assign and
Profile apply profiles to mobile devices in groups or organizations. Edit or delete the
existing profiles.
Upload a single Kiosk application or use the Kiosk Wizard to create a Multi App
Kiosk Kiosk. Set new Kiosk applications to profiles for assignment. Control the enrolled
Kiosk applications.
Content Upload and share content, such as images or document files.
Monitor and manage the Admin Portal. Track events in the Admin Portal through
History the audit, log, and history. Set alerts to notify device users of important events. Send
general notices to users.
Configure the settings for the Android and iOS device environments, the Admin
Setting Portal environment, Knox Manage Agent policies, and the Keepalive feature.
Schedule for profile updates. Manage licenses for using Knox Manage.
Configure the advanced settings for E-FOTA and any external systems to be
Advanced synchronized or integrated. Manage certificates issued from the external certificate
authority and Open API.

List
When you click one of the Main menus, the initial information is displayed as a list on the content
page.
The following are the attributes of lists:
• Rearrange the list by clicking (ascending order) or (descending order) next to the column
headers.
• Filter the list by clicking next to the column headers when there are more than two types of
value.
• Adjust the length of the columns by putting the mouse pointer between the columns and dragging
it when the mouse pointer changes to .
• Rearrange the column order by placing the mouse pointer over the column header you want to
move and dragging it when mouse pointer changes to . While dragging the column header,
will appear next to the column header. If it changes to , you can drop it in a place where
appears.
On the device, application, or profile lists, the personalized settings of the columns will be saved. The
saved settings will be retained before you delete the web browser’s cookies. You can also return the
column settings to their default settings by clicking Revert Column Settings.

Detail page
When you click one of the items on the list, detailed information about the selected item is displayed
on the detail page. The detail page is organized as follows.
1 Summary Displays the basic information.
Displays the detailed data and information of the selected item in

2 Tabs categories. Function buttons are provided for using various functions in
the selected tab.
Function buttons in
3 The buttons for the available functions related to the selected item
the footer

Function icon
When you click the following icons, various actions are performed in the Admin Portal.
Icon Description
Delete Select an item to delete and click . Confirm the deletion.
/ / Tooltip Click / / to open a brief guide, detail, or alert about an item.
Download Click to download an item.
Upload Click and select a file to upload.
Search Input a keyword and click to search for an item.

New version release and alert pop-ups
After signing in, pop-ups about new version releases and/or alerts will automatically appear, and you
can view the provided information through the pop-ups.
New version release pop-up

When the Admin Portal is upgraded to a new version, the new version release pop-up will inform you
of the major changes in the new version with an outline.
Alert pop-up
The alert pop-up appears after the new version release pop-up. The pop-up informs you of the
followings while also providing the possibility to take action:
Item Description
License Click the displayed number of the devices to renew them. For more information, see
expiration Managing licenses.
APNs certificate Click the displayed number of the certificate to renew them. For more information,
expiration see Setting an APNs certificate (iOS only).
Apple DEP token Click the link provided for new token issuance. For more information, see Issuing a
expiration DEP token.
Apple VPP token Click the link provided for new token issuance. For more information, see
expiration Downloading a VPP token from the VPP website.
Policy Click any item to view the detailed information and take appropriate action. For more
assignment error information about alerts, see Managing alerts.

Available services by device type and OS
Supported services in Knox Manage differ by device type and OS. Look at the following table and
discover the available services depending on the user’s device.
Service Android Enterprise Android Legacy iOS Windows
Knox Workspace v
E-FOTA v
Kiosk v v
Content distribution v v
Volume Purchase Program (VPP) v
Knox Mobile Enrollment (KME) v v
Zero Touch Enrollment (ZTE) v
Device Enrollment Program (DEP) v
Remote Support v v

2
Starting up
Starting up
To begin using Knox Manage, you will need to create an account and purchase the necessary
licenses. Once you are registered and signed into the Knox Manage Admin Portal, you can configure
initial settings for using mobile devices with Knox Manage.
→→ Setting up an account
→→ Managing licenses
→→ Using the Getting Started
→→ Configuring basic environments
Setting up an account
You must create the following accounts to start using Knox Manage:
• A Samsung account
• A Knox Manage account
Both accounts are necessary to sign in to the Admin Portal. If you already have both a Samsung and
Knox Manage account, see Signing in to Knox Manage.
Starting up 23
Creating a Samsung account
To create a Samsung account, complete the following steps:
1. Visit the Knox Web Portal (https://www.samsungknox.com).
2. On the top right of the screen, click Enroll.
3. Enter your company email address and click NEXT.
4. Read and accept the terms of use and click AGREE.
5. Enter your email address and personal information and click NEXT.
• Changing the portal to use your phone number to sign in is not recommended, because your
email address is the required credential for registering an account.
6. Sign in to your email account and find the verification email.
7. In the verification email, click VERIFY ACCOUNT.
8. When you see the window notifying you that your account has been activated, click START.
9. Enter the information required to enroll your Samsung account and click Submit.
Creating a Knox Manage account

To create a Knox Manage account, complete the following steps:
1. Sign in to the Knox Web Portal (https://www.samsungknox.com) using your Samsung account.
2. On the top right of the screen, click Dashboard.
3. In the Knox Manage menu in the Other Knox solutions section, click TRY FOR FREE.
4. Enter your Knox Manage SLM license key.
• If you do not have a Knox Manage SLM license key, click Generate trial key to make a trial
license key.
5. Enter the information required to enroll your account and click Set up Knox Manage.
• “User ID”@”Organization domain” will be the ID for the Knox Manage login.
• The password you enter will be the password for the Knox Manage login.
Starting up 24
Signing in to Knox Manage
To sign in to the Knox Manage Admin Portal, complete the following steps:
1. Sign in to the Knox Web Portal (https://www.samsungknox.com) using your Samsung account.
2. In the Knox Manage menu, in the Other Knox solutions section, click Launch under Knox Manage.
• You will be automatically logged in to the Knox Manage Admin Portal with the account and
tenant information created when you created your Knox Manage account.
Starting up 25
Managing licenses
Licenses are required to use Knox Manage. Licenses are issued with SLM license keys from the
Samsung Electronics License Management System.
The license types are as follows:
Type Description
The necessary license for using Knox Manage
Knox Manage (KM)

• Includes the maximum capacity of registrable device and the validity period.
• Provides an alert 90 days prior to the expiration date. After the expiration
date, your access to Knox Manage will be denied.
An additional license for using the Knox Workspace after installing Knox
Manage on Android Legacy devices
Knox Workspace (KWS)

• Includes the maximum capacity of registrable device and the validity period
(not exceeding the specified value in the KM license).
• Provides an alert 30 days prior to the expiration date. After the expiration
date, Knox Workspace will be locked.
E-FOTA A license to use the E-FOTA service
Licenses can be purchased on a monthly, yearly, or biennial basis. You can increase or decrease the
number of licenses and extend or shorten each license’s validity period. When purchasing licenses
on a yearly basis, you can only increase the number of licenses and extend their validity periods. For
more information about purchasing licenses, contact the Knox Manage support team.
Licenses are granted and revoked in the order in which the devices were enrolled. Attempting to
register devices in excess of the device count will result in failure. For more information, see License
FAQ.
Starting up 26
Viewing the license information
To view how many devices can be registered to Knox Manage, you must aggregate all of the devices
with the same license type. Each license has a different validity period, so the total number of devices
you can register may differ, based on the validity period. Newly-purchased licenses and renewed
licenses are also aggregated with the existing number of devices.
The number of valid licenses for each device can be displayed on the dashboard by adding the
Device List by License report to the dashboard. For more information, see Viewing reports.
Registering a license
To activate Knox Manage and its features, you must first register the license key.
Starting up 27
Registering a KM/KWS license
To register a Knox Manage or Knox Workspace license key, complete the following steps:
1. Navigate to Setting > License.
2. Click Add.
3. In the “Add License” window, enter the license key and click .
• The license will be verified and its detailed information will appear at the bottom of the window.
4. Click Save.
Note On the license list, the No. of Device(s) in Use column displays the total of enrolled devices,
expired devices, and disconnected devices.
Registering an E-FOTA license

An E-FOTA license is required to use the E-FOTA service, which is a feature for updating devices.
To register an E-FOTA license key, complete the following steps:
2. Click Add.
3. In the “Add License” window, enter the license key and click .
• The license will be verified and its detailed information and authentication fields will appear at
the bottom of the window.
4. Enter the authentication information you received from the SLM in the authentication fields.
• Client ID: Access ID for calling APIs from the E-FOTA server
• Client Secret: Access password for calling APIs from the E-FOTA server
• Customer ID: Client ID for the E-FOTA service
5. Click Save.
Note If no E-FOTA license is registered, the menu for E-FOTA management in the Admin Portal will not
open.
Starting up 28
Renewing an expired license
When KM and KWS licenses have expired, users are not able to access Knox Manage or use Knox
Workspace on mobile devices while the existing policies are still being applied.
View the following table to see what happens in detail when licenses expire:
Case Description
• A pop-up alert notifies the user of license expiration.

• Device controls are restricted.
Admin Portal
• Available device commands: Unenroll service, Update
Knox Manage license
license, Collect audit logs, Collect logs, and Collect
expired
diagnosis information
• Access to the Knox Manage service is restricted.

User device
• The existing policies still apply.
• Device controls and Knox Workspace management are
unavailable.
Admin Portal
Knox Manage and Knox • You may only unenroll devices. When you unenroll
devices, Knox Workspace is deleted from them.
Workspace licenses
expired • Access to the Knox Manage service is restricted.
User device • The existing policies still apply.
• Knox Workspace is locked and becomes unusable.
Licenses can be renewed on a monthly, yearly, or biennial basis through validity period extensions or
renewal contracts. The license information can be updated via the following methods:
• Automatic updates via Knox Manage server scheduling

• Automatic updates once daily for applied licenses via SLM server scheduling
• Manual updates:
–– Renewing a license in all assigned devices
–– Renewing a license in selected devices
E-FOTA licenses cannot be renewed in the following cases:
• When the E-FOTA firmware update type is set to Force and the end date in the update schedule is
set later than the current date
• When an E-FOTA group is assigned in Advanced > E-FOTA Management
Starting up 29
Renewing a license in all assigned devices
To renew an existing license and update all assigned devices, complete the following steps:
2. Click the checkbox for the license you want to renew and click Modify.
3. In the “Modify License” window, enter the new license key and click .
• The license will be verified and its detailed information will appear at the bottom of the window.
4. Click Save.
Renewing a license in selected devices

To renew an existing license in selected devices, complete the following steps:
1. Navigate to Device.
2. Click the checkbox for the device you want to renew and click Update License.
Modifying an existing license

Delete a license if you want to stop using it, or synchronize the license information with the Samsung
Electronics License Management (SLM) System when the license information is updated in the SLM
System.
Deleting an existing license

To delete a registered license, complete the following steps:
2. Click the checkbox for the license you want to delete and click Delete.
3. In the “Delete” window, click OK.
Note When you delete an E-FOTA license, the information about the devices assigned to the existing
E-FOTA group will also be deleted. To keep the device information, you must renew the license.
Starting up 30
Synchronizing an existing license
To synchronize a license’s information with the SLM, complete the following steps:
2. Click the checkboxes for the licenses you want to synchronize and click Sync.
License FAQ
Refer to the following FAQs to understand licenses better. If you want further information about
purchasing licenses or extending their period, contact the Knox Manage support team.
Q: How are Knox Manage licenses allocated to devices?
A: Licenses with shorter expiration dates will be allocated first following the First Expired/First Out
(FEFO) method.
Q: Once the total number of licenses is increased through renewal or extension, how are they
allocated?
A: If there are more licenses than devices after the increase, licenses are allocated to all devices in
the order in which they were enrolled.
Q: If there are more devices than licenses after increasing the number of licenses, how are the
licenses allocated?
A: Licenses are allocated to devices in the order that the devices were enrolled. Extra devices without
licenses become unavailable with the existing policy still applied.
Q: When I renew an expired license, does the license come into effect and enroll the relevant
devices immediately?
A: For iOS and Windows devices, they are enrolled immediately. For Android devices, they can be
enrolled according to the schedule set on the system or by sending a device command.
Starting up 31
Q: When a license expires, does it expire in the order the devices were enrolled?
A: When a license being used on various devices expires, all the devices become unable to use Knox
Manage simultaneously.
Q: If I want to allocate the renewed licenses only to new devices (not already existing registered
devices), what should I do?
A: After increasing the number of licenses, you should first unenroll the existing registered devices,
and then enroll the new devices. The renewed licenses will then be allocated to the new devices.
Q: When a factory reset command is sent from the Admin Portal to a device, will the license be
revoked automatically?
A: The license will be revoked automatically if the factory reset is completed successfully. If the
factory reset fails, the license will not be revoked and the device will become unenrolled.
Starting up 32
Using the Getting Started
After you are registered and signed in to the Knox Manage Admin Portal, the welcome page will
appear and provide you with brief information about the key features of Knox Manage. You can follow
a step-by-step guide to better understand the Admin Portal by clicking Let’s Get Started from the
welcome page or by clicking > Getting Started in the header.
Starting up 33
Understanding the Getting Started page
When you click Getting Started on the Main menu, the step-by-step guide for major features and
quick links to the online help guide will be shown. The Getting Started page is organized as follows.
Displays brief information about the key features of Knox Manage

and provides guides that you can easily follow. Click Let’s Get
Started to start. If you did not complete the whole processes,
1 Step-by-step guide you can resume from where you paused by clicking Continue
from Step X. You can also start them again from the beginning by
clicking Explore Again. For more information, see Following the
step-by-step guide.
Provides quick links to the online help guide. Click on each card to
2 Help link go to the related page of the online help guide. You can also click
Go to Online Help Guide to move to the main page of the guide.
Starting up 34
Following the step-by-step guide
You can perform major Knox Manage tasks and configure initial settings in a focused environment.
The data you create or modify is actually applied to Knox Manage in real time. The guide page is
organized as follows.
Displays only the menu for the current step. Other menus are
1 Main menu
grayed out and are not selectable while performing tasks.
2 Brief guide Displays actions to take in order to complete tasks.
Displays which steps are completed and the step that you are
3 Progress bar
currently performing. Click to stop.
Starting up 35
Configuring basic environments
Configure how device users are verified when they sign in to Knox Manage. You can also configure
the required environments to use certain types of devices.
Setting the user authentication method

Set up the authentication method for when device users sign in to Knox Manage on their mobile
devices.
To set the authentication method, complete the following steps:
1. Navigate to Setting > Configuration > Basic Configuration, and then click Authentication Setting
at the bottom of the page.
2. In the “Authentication Setting” window, select the authentication method.
• Automatic: Verifies the device users using the default method provided by Knox Manage.
Locally registered users will use their user ID and password saved in the Knox Manage server.
Synchronized users will use their user ID and password imported by AD/LDAP synchronization.
• Manual: Customizes the authentication method by user type.

3. If you selected Manual, select the authentication method by user type.
• Sync User Authentication Settings: Select the authentication method for synchronized users.
Item Description
• globalEmmAuthenticator: Uses the user ID and password saved in

the Knox Manage server.
• globalLdapAuthenticator: Uses the user ID and password imported
Authenticator by AD/LDAP synchronization.
• globalLdapServiceAuthenticator: Uses the user ID saved in the
Knox Manage server and the password imported from the AD/LDAP
server accessed by a directory service.
If you selected globalLdapServiceAuthenticator, enter the directory

LDAP Service ID
service ID to use for accessing the AD/LDAP server.
Starting up 36
• Local User Authentication Settings: Select the authentication method for locally registered
users.
Item Description
Set identical to the Sync Uses the same authentication method as set in the “Sync User
User Authentication Settings Authentication Settings” section.
• globalEmmAuthenticator: Uses the user ID and password saved in

the Knox Manage server.
• globalLdapAuthenticator: Uses the user ID and password imported
Authenticator by AD/LDAP synchronization.
• globalLdapServiceAuthenticator: Uses the user ID saved in the
Knox Manage server and the password imported from the AD/LDAP
server accessed by a directory service.
If you selected globalLdapServiceAuthenticator, enter the directory

LDAP Service ID
service ID to use for accessing the AD/LDAP server.
4. Click Save.
Configuring Android Enterprise environments

To use Android Enterprise devices, you must register Samsung Knox Manage as the EMM provider in
the Google Play Console and configure the basic environment of Managed Google Play, which is the
digital distribution platform for Android Enterprise.
To configure the Android Enterprise environments, complete the following steps:
1. Navigate to Setting > Android > Android Enterprise.
2. Click Register EMM.
• The Google Play Console will appear.

3. Sign in to the Google Play Console using your Google account.
4. Create a Managed Google Play account and register Samsung Knox Manage as the EMM provider.
• When registration is finished, the Managed Google Play account information and Google API
settings will appear on the Admin Portal’s “Android Enterprise” page.
Starting up 37
5. On the “Android Enterprise” page of the Admin Portal, select the layout of Managed Google Play.
• Basic Store Layout: When users access Managed Google Play on their devices, the
applications are displayed without categorization.
• Advanced Store Layout: When users access Managed Google Play on their devices, the
applications are displayed in the categories you set when adding applications in Knox Manage.
Note You can configure the categories for the Managed Google Play layout in Application > Manage
Category.
6. Select the auto-update condition of the applications to be assigned to the devices.
• Update on Wi-Fi only: The applications will be automatically updated only when a Wi-Fi network
connection is available.
• Allow user to configure: The applications will be updated only when the user authorizes the
update.
• Always auto update: The applications will be automatically updated when any network is
connected.
• Never auto update: The applications will not be updated.

7. Click Add & Approve next to Knox Service Plugin Application to add and approve it.
• To add policies that use the Knox Service Plugin agent, see Configuring Samsung Knox
(Android Enterprise) Policies.
Note To use the Knox Service Plugin agent properly, you must update the Knox Manage Agent to
V19.12 or higher. If the Knox Service Plugin agent is installed on a device with a version of
Knox Manage Agent lower than V19.12, you may not be able to receive app feedback in the
event of policy changes.
8. Click Save.
Starting up 38
Deleting EMM provider information
To delete the registered EMM provider information from Knox Manage, complete the following steps:
1. Navigate to Setting > Android > Android Enterprise.
2. On the “Android Enterprise” page, click Unregister EMM.
• The information registered on the Google Play Console will be deleted, and the user will no
longer be able to use the device as an Android Enterprise device.
• Deleted EMM provider information can be restored by re-registering it within 30 days.
Permanently deleting EMM provider information

To delete the registered EMM provider information permanently, complete the following steps:
1. Sign in to the Google Play Console (https://developer.android.com/distribute/console).
2. Click Delete Enterprise.
• All the information will be deleted within 24 hours and cannot be restored.
Setting an APNs certificate (iOS only)

Apple Push Notification service (APNs) is required to control iOS devices with Knox Manage. An
APNs certificate is valid for one year. If the certificate is expired, you cannot send device commands
to iOS devices. For more information about APNs, see https://developer.apple.com/library/content/
documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html.
To activate APNs, you must register an APNs certificate. The APNs certificate registration requires
three actions:
Step Action
1 Receive a Certificate Signing Request (CSR) file from the Admin Portal.
2 Receive an APNs certificate from Apple.
3 Upload the certificate to the Admin Portal.
Starting up 39
To register an APNs certificate, complete the following steps:
1. Navigate to Setting > iOS > APNs Setting.
2. On the “APNs Setting” page, click Generate Request at the bottom of the page.
• A signed CSR file will be downloaded to your PC.

3. Visit the Apple Push Certificate Portal (https://identity.apple.com/pushcert) and sign in using your
Apple account.
• If you do not have an Apple account, visit the Apple website (https://appleid.apple.com) and
create your account. It is recommended to create a new account for business use because the
account will be continuously used for renewing the APNs certificate.
4. Click Create a Certificate.
5. Read and accept the terms of use.
6. On the “Create a New Push Certificate” page, click Choose File.
7. Select the downloaded CSR file and click Upload.
8. On the “Confirmation” page, click Download.
• The APNs certificate will be downloaded to your PC as a PEM file.

9. On the “APNs Setting” page of the Admin Portal, click Upload APNs Certificate.
10. In the “Upload APNs Certificate” window, click and select the downloaded PEM file.
11. Click Save.
Note • You can download the registered APNs certificate by clicking Download APNs Certificate.
• If you have issued an APNs certificate with an external CSR file, you can import the certificate
by clicking Import APNs Certificate.
Renewing an APNs certificate

The existing APNs certificate can be renewed before the expiration date. The renewal process is
same as the process for new registration.
When renewing the existing APNs certificate, you must use the same Apple ID that you used to
create the certificate.
Note Users do not need to reinstall the Knox Manage Agent after certificate renewal.
Starting up 40
Setting the SEG profile (Galaxy devices only)
Samsung Enterprise Gateway (SEG) is a cloud-based facility which provides communication between
the MDM and the mobile devices running Universal MDM Client (UMC). Samsung Galaxy devices are
equipped with UMC, which enables directly installing Knox Manage on the devices and enrolling them
in the Admin Portal. To use SEG, you must connect Knox Manage to the SEG server by configuring
the SEG profile.
To set the SEG profile, complete the following steps:
1. Navigate to Setting > Configuration > Basic Configuration, and then click SEG Profile Setting at
bottom of the page.
2. In the “SEG Profile Setting” window, view the profile information and modify it if necessary.
• Profile ID: The retrieved SEG profile ID is displayed.

• Profile Name: Enter the profile name.
• Tenant ID: Tenant ID to be linked with the SEG profile. The tenant ID registered on the Knox
Manage server is displayed.
• Domain: Enter the email address domain if necessary. The domain will be mapped with the
user email addresses and used as the domain of the email address in the user invitation
message.
• SEG Region: Select the same region as the one registered on the Knox Manage server.
• EMM Client APK: The download URL for the APK file of the Knox Manage Agent. The retrieved
URL is displayed.
• EMM EULA: The EULA for getting the users’ agreement to the collection of their personal
information when they enroll the devices through direct installation. The retrieved EULA is
displayed.
• Additional EULAs: Enter the URLs of additional EULAs to show to users.

3. Click Save.
Starting up 41
3
User/Group/
Organization
User/Group/
Organization
Create user accounts in the Admin Portal directly or add them from existing employee information by
synchronizing it with the Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) system.
To enroll devices, a user account must be created in advance. After you creating a user account, the
user can enroll their devices and log in to Knox Manage.
Also, users must belong to a group or an organization to be assigned profiles and have them applied.
You can create a group of users or devices to manage simultaneously, and you can also manage
users by organizations, which can be added in the Admin Portal or synchronized from your corporate
directory server.
Assign & Apply Profiles
or
User
Group Organization
Enroll Devices
User/Group/Organization 43
→→ Viewing the user list

→→ Viewing the user details
→→ Creating user accounts
→→ Managing user accounts
→→ Viewing the organization list
→→ Viewing the organization details
→→ Managing organizations
→→ Viewing the group list
→→ Viewing the group details
→→ Creating groups of users or devices
→→ Managing groups
→→ Syncing user information with AD/LDAP
Viewing the user list

Navigate to User to view all the user accounts registered in the Admin Portal on the “User” page. You
can also perform specific functions to the selected user account among the list.
Search for desired users by user ID, user name, user groups/
1 Search field
organization, or user type.
Add a single user account. For more information, see Registering

Add
a single user account.
Add bulk user accounts using a template. For more information,

Bulk Add
see Registering bulk user accounts.
Add a single AD/LDAP user account or multiple user accounts at

Add via AD/
a time. For more information, see Registering a single AD/LDAP
LDAP
user account and Registering multiple AD/LDAP user accounts.
Device Send device command requests to the user’s enrolled devices.

Command For more information, see Sending device commands to users.
Send templates or user notifications registered in Knox Manage

Function
2 Send Email to users via email. For more information, see Sending templates
buttons
or user notifications to users via email.
Provide users with installation guides to allows users to enroll

Request
their devices. For more information, see Sending enrollment
Enrollment
guides to users via email and SMS.
Change
Activate or deactivate the user account.
Status
Modify the selected user account details. For more information,

Modify
see Modifying user account details.
Delete the selected user accounts. For more information, see

Delete
Deleting user accounts.
3 User list View the brief information of the user accounts on the list.
Viewing the user details
View each user’s details by clicking a user name on the user list. You can view the detailed
information on the selected user account.
The following function buttons are available:
Function button Description
Enter a new password between 8 and 30 characters and confirm it. For
Change Password
more information, see Changing the user account password.
Reset the password. A temporary password will be sent to the user via
Reset Password
email.
Change Status Activate or deactivate the user account.
Select templates or user notifications registered in Knox Manage to send

Send Email to the user via email. For more information, see Sending templates or user
notifications to users via email.
Send enrollment guides via email or SMS, if the user has no enrolled
Request Enrollment devices. For more information, see Sending enrollment guides to users via
email and SMS.
Function buttons in the footer
You can perform specific functions to the selected user using the function buttons in the footer. The
following function buttons are available:
Back Return to the user list.
Delete Delete the selected user account.
Modify Modify the selected user account information.
Creating user accounts
Create a single user account directly in the Admin Portal or bulk users at a time using a template. You
can also create user accounts from existing employee information by synchronizing it with the Active
Directory (AD)/Lightweight Directory Access Protocol (LDAP) system.
Registering a single user account

To register a single user account directly in the Admin Portal, complete the following steps:
1. Navigate to User.
2. On the “User” page, click Add.
3. On the “Add User” page, enter the following user information:
• User ID: Enter a user ID to log in to Knox Manage with for device enrollment.
• Password: Enter a password between 8 and 30 characters.
–– Click the checkbox next to Reset after Sign-in to allow users to change their password when
they first logged in.
• Confirm Password: Repeat the password.

• User Name: Enter the user’s full name.
• Email: Enter the user’s email address.
• Mobile Number: Select the country number and enter the user’s mobile number to send the
URL address for device enrollment via SMS.
• User Group / Organization: Click Select, and in the “Select User Group / Organization” window,
select the user group on the User Group tab and the organization on the Organization tab.
Note If you do not select an organization, the user will automatically belong to the “Undefined”
organization.
• Android Manage Type: Select the Android enrollment type among Android Legacy, Android
Enterprise, or Follow Organization Type.
Note The user’s Android manage type takes a higher priority than the organization’s Android
manage type. Even if you move the user to a different organization, the Android enrollment
type set for the users still applies to the users.
• AD/LDAP Sync: Allow the creating of user accounts from the AD/LDAP system. If AD/LDAP
Sync is selected, the existing user information will be synchronized from the AD/LDAP system
and registered to the Admin Portal.
Note To create AD/LDAP user accounts, you must connect AD/LDAP directory services with Knox
Manage and add a sync service. For more information about adding a sync services, see
Adding sync services.
• Tag: Click Add, and in the “Add Tag” window, enter new tags to add.
4. Click Save & Request Enrollment to save the user account and send an installation guide to help
users enroll their devices.
• Click Save to create the user account and not send an installation guide to the user.
5. In the “Save User” window, click OK.
Registering bulk user accounts

To register bulk user accounts at a time, complete the following steps:
2. On the “User” page, click Bulk Add.
3. In the “Bulk Add Users” window, follow the guideline to download and fill out the Excel file
template.
4. Click , and then select the complete Excel file template filled with the user information.
5. Click OK.
6. In the “Save User” window, click OK.
Registering a single AD/LDAP user account
To register a single AD/LDAP user account, complete the following steps:
Note Before registering AD/LDAP user accounts, you must connect AD/LDAP directory services with
Knox Manage and add a sync service. For more information about adding a sync service, see
2. On the “User” page, click Add via AD/LDAP.
3. In the “Select AD/LDAP Sync Type” window, select Single User Sync, and then click OK.
4. On the “Add User” page, enter the AD/LDAP user information:
• Sync target: Click Select to open the “Select Sync Target” window, select a sync service, and
then search for users by user name. Select a user to add, and then click OK.
• User ID: The ID of the user that you selected as Sync target will appear here.
• DN: The unique Distinguished Name of the AD/LDAP object will be entered automatically.
• Password: Enter a password between 8 and 30 characters.
–– Click the checkbox next to Reset after Sign-in to allow users to change their password when
they first logged in.
• Confirm Password: Repeat the password.

• User Name: Enter the user’s full name.
• Mobile Number: Select the country number and enter the user’s mobile number to send the
URL address for device enrollment via SMS.
• User Group / Organization: Click Select, and in the “Select User Group / Organization” window,
select the user group on the User Group tab and the organization on the Organization tab.
Note If you do not select an organization, the user will automatically belong to the “Undefined”
organization.
Note The user’s Android manage type takes a higher priority than the organization’s Android
manage type. Even if you move the user to a different organization, the Android enrollment
type set for the users still applies to the users.
• AD/LDAP Sync: Allow the creating of user accounts from the AD/LDAP system. If AD/LDAP
Sync is selected, the existing user information will be synchronized from the AD/LDAP system
and registered to the Admin Portal.
• You can also enter additional information such as employee number, display name, and
department in the “Additional Information” area.
5. Click Save & Request Enrollment to save the user information and enroll the user at the same
time.
• Click Save to only save the user information.
Registering multiple AD/LDAP user accounts

To register AD/LDAP user accounts at a time, complete the following steps:
Note Before registering AD/LDAP user accounts, you must connect AD/LDAP directory services with
Knox Manage and add a sync service. For more information about adding a sync service, see
2. On the “User” page, click Add via AD/LDAP.
3. In the “Select AD/LDAP Sync Type” window, select Multiple User Sync, and then click OK.
4. In the “Multi User Sync” window, select a sync service, and then search for users with their names.
5. Click the checkboxes for users to add, and then click OK.
• To delete the selected users on the selected users list, click .
Managing user accounts
You can view the detailed user account information, modify user account details, send enrollment
guides or templates registered in Knox Manage to users via email and/or SMS, and delete user
accounts.
Modifying user account details

To modify the user account details, complete the following steps:
2. On the “User” page, click the checkbox next to the user ID to modify the account details, and then
click Modify.
3. On the “Modify User” page, modify the following user information if necessary:
• User Name: Modify the user’s full name.

• Email: Modify the user’s email address.
• Mobile Number: Modify the country number and the user’s mobile number to send the URL
address for device enrollment via SMS.
• User Group / Organization: Click Select and then, in the “Select User Group / Organization”
window, select the user group on the User Group tab and the organization in the Organization
tab.
• AD/LDAP Sync: Allow creating user accounts from the AD/LDAP system.
• Additional Information: Enter the following additional information for the user.
–– Employee No.: Enter the employee number.
–– First / Middle / Last Name: Enter the first, middle, and last names.
–– Display Name: Enter the desired name to be displayed on EMM.
–– Department: Enter the department name.
–– Administrator DN: Enter the administrator DN.
–– Email User Name: Enter the user’s email name.
–– Phone: Enter the phone number.
–– UPN: Enter the user principal name (UPN).
–– Position: Enter the job position.
–– Site: Enter the site name.
–– Security Level: Enter the security level.
–– User-Defined 1–3: Enter the desired user-defined parameter.
4. Click Save & Request Enrollment to save the modified user account information and send
enrollment guides via email.
• Click Save to save the modified user account information and not send an installation guide to
the user.
5. In the “Save & Request Enrollment” window, click OK.
Sending device commands to users

You can send device commands to the user’s enrolled devices. For more information on each device
command, see Sending device commands to devices.
To send device commands, complete the following steps:
2. On the “User” page, click the checkbox next to the user ID to send a device command to.
3. Click Device Command and select the supported OS platform (enrolled device).
4. In the “Device Command” window, select a desired device command.
5. In the “Request Command” window, click OK.
Sending enrollment guides to users via email and SMS
To provide users with installation guides to allows users to enroll their devices, you can send the
following guides to users:
Via Guide name Description
Email Installation guide Provides the Knox Manage Agent installation links and
QR codes for Android Direct Installation, Android Knox
Public store URL address Mobile Enrollment (KME), and for all of the different OS
(including QR codes) platforms.
Provides the Knox Manage application login

User credential guide
information.
SMS
Provides the information needed for users to install
UMC (Universal MDM Client)
Knox Manage through the Universal MDM Client (UMC)
guide
pre-loaded on Android devices.
KME (Knox Mobile Enrollment) Provides the KME program guides for users who have
guide enrolled their devices through KME.
Users can download and install the Knox Manage application from public stores or using the QR
code. Once users connect to the Internet and log in to Knox Manage with their user ID and password,
the devices are automatically enrolled.
To send enrollment guides to users via email and SMS, complete the following steps:
2. On the “User” page, click the checkbox next to the user ID you want to send enrollment guides to,
and then click Request Enrollment.
Note To send enrollment guides to users via SMS, the mobile numbers of the users must be registered
to their accounts.
3. In the “Request Enrollment” window, click the checkboxes for the guides to send, and then click
OK.
• Click to view the preview of the selected guideline.
Sending templates or user notifications to users via email
To send templates or user notifications registered in Knox Manage to users via email, complete the
following steps:
2. On the “User” page, click the checkbox next to the user ID you want to send enrollment guides to,
and then click Send Email.
3. In the “Send Email” window, select a template file from the template list, and then click Send.
• Click to view a preview of the selected template.
Note For more information on templates, see Managing message templates.
Changing the user account password

To change the user account password, complete the following steps:
2. On the “User” page, click a user name to change its password.
3. On the “User Detail” page, click Change Password.
4. In the “Change Password” window, enter the following user password information:
• New Password: Enter a new password between 8 and 30 characters. The password must be a
combination of letters, numbers and special characters.
• Confirm Password: Repeat the new password.

5. Click Save.
• Click the checkbox next to Reset after sign-in to allow the user to change the password when
logged in first.
Resetting the user account password
To reset the user account password, complete the following steps:
2. On the “User” page, click a user name to reset its password.
3. On the “User Detail” page, click Reset Password.
4. In the “Reset Password” window, click OK.
• A temporary user account password will be sent to the user via email.
Deleting user accounts

To delete user accounts, complete the following steps:
Note To delete a user account, the status of all the devices must be “Disconnected,” “Expired,” or
“Unenrolled.”
2. On the “User” page, click the checkbox next to the user ID you want to delete, and then click
Delete.
3. In the “Delete User” window, click OK.
Viewing the organization list
Navigate to Organization to view all the organizations registered in the Knox Manage Admin Portal
on the “Organization” page. You can also perform specific functions to the selected organizations
among the list.
2
3
1 Search field Search for a desired organization.
Add a sub-organization in the parent organizations individually,

or add a sub-organization by synchronizing organizations
Add with the Active Directory (AD)/Lightweight Directory Access
Protocol (LDAP) system. For more information, see Adding an
organization.
Add a sub-organization to the selected organization individually,

or add a sub-organization by synchronizing organizations with
Add Sub-Org
the Active Directory (AD)/Lightweight Directory Access Protocol
(LDAP) system.
Apply the latest assigned profile to the selected organization.

Apply Latest
For more information, see Applying the latest profiles to
Profile
Function organizations.
2
buttons Modify the selected organization details. For more information,
Modify
see Modifying the organization details.
Delete the selected organization. For more information, see

Delete
Deleting the organizations.
Application Assign applications to the selected organization. For more

(Assign) information, see Assigning applications to organizations.
Profile Assign profiles to the selected organization. For more

(Assign) information, see Assigning and applying profiles to organizations.
Assign content to the selected organizations. For more

Content
information see Assigning and distributing content to
(Assign)
organizations.
3 Organization list View the brief information of the organizations on the list.
Viewing the organization details
View each organization’s details by clicking an organization name on the organization list. For more
information about each section of the detail page, see Detail page.
Summary area
The summary area contains the information about the selected organization such as organization
settings, user’s device types and detailed information.
Tab: User
The User tab shows the user account information in the organization.
• Detail: Move to the “User Detail” page for the selected user. For more information on the “User
Detail” page, see Viewing the user details.
Add Add users to the selected organization.
Move the selected users to other existing organizations. For more

Change Organization
information, see Changing user’s organizations.
Send templates or user notifications registered in the Knox Manage Admin

Send Email Portal to users via email. For more information, see Sending templates or
user notifications to users via email.
Send installation guides to the selected users via email and SMS. For more
information, see Sending enrollment guides to users via email and SMS.
Request Enrollment
Note To send enrollment guides to users via SMS, the mobile
numbers of the users must be registered to their accounts.
Delete the selected users from the organization. If a user in the

Delete User organization is deleted, the user will be moved to the “Undefined”
organization.
Tab: Device
The Device tab shows the enrolled device information of users in the organization.
• Detail: Move to the “Device Detail” page for the selected device. For more information on the
“Device Detail” page, see Viewing the device details.
The following function button is available:
Refresh Update the list of devices.
Tab: Application
The Application tab shows the applications assigned to the organization. The following function
buttons are available:
Unassign Unassign the application assigned to the organization.
Modify the settings for the selected application. For more information, see
Modify Setting
Modifying applications.
Tab: Profile
The Profile tab shows the profiles assigned or applied to the organization.
Unassign Unassign the profile assigned to the organization.
Tab: Content
The Content tab shows the content assigned to the organization.
• See Deploy Area: View the areas where the content is distributed. For more information, see
Assigning and distributing content to organizations.
Unassign Unassign the content assigned to the organization.
You can perform specific functions to the organization using the function buttons in the footer.
Back Return to the organization list.
Delete current organization. The profile assigned to the organization will

Delete
be unassigned from the users.
Modify the organization details. For more information, see Modifying the
Modify
organization details.
Assign Assign applications, profiles, or content to the selected organizations.
Apply Latest Profile Apply the latest assigned profiles to the selected organizations.
Managing organizations
Configure the hierarchy of organizations for users and apply various profiles to each organization.
After configuring the organizations and assigning the users to each organization, you can view the
information on user account, enrolled devices, applications, and profiles by organization.
Adding an organization
Create a sub-organization in the parent organizations individually, or add a sub-organization by
synchronizing organizations with the Active Directory (AD)/Lightweight Directory Access Protocol
(LDAP) system.
To add a sub-organization, complete the following steps:
1. Navigate to Organization.
2. On the “Organization” page, click Add.
3. On the “Add Organization” page, enter the following user information:
• Parent Organization: Select the parent organization to add a sub-organization to.

• Inheritable Profile: Displays the profiles inherited with the parent organization. If there is no
inheritable profiles, “None” is displayed.
Note The applications assigned to the parent organization will not be inherited.
• Code: Enter a new organization code that complies with the organization format.
Note Once the organization code is saved, you cannot change it.
• Name: Enter a new organization name.

• AD/LDAP Sync: Allow the creating of organizations from the AD/LDAP system. If AD/LDAP
Sync is selected, the existing organization information, including its sub-organizations, will be
synchronized from the AD/LDAP system and registered to the Admin Portal.
Note To create AD/LDAP organizations, you must connect AD/LDAP directory services with Knox
Manage and add a sync service. For more information about adding a sync services, see
• Android Manage Type: Select the Android enrollment type between Android Legacy and
Android Enterprise.
• Sub-Administrator: Select the administrators to manage the organization. If you log in to the
Admin Portal for the first time as a super administrator, there will be no subadministrators
registered to the Admin Portal. For more information on creating subadministrators, see
Adding an administrator.
4. Click Save & Assign, and in the “Save & Assign” window, click Application, Profile, or Content to
select what to assign to the organization.
• Application: Select the applications to assign to the organization, and then modify the
application settings.
• Profile: Select the profiles to assign to the organization, and then view the selected profile
details.
• Content: Select the content to assign to the organization.

• Click Save to register the organization.
Modifying the organization details

After you create an organization, you can modify the organization information.
To modify the organization information, complete the following steps:
2. On the “Organization” page, click the checkbox next to the desired organization to modify its
details, and then click Modify.
• To expand or collapse the parent organization, click or next to the organization name. You
can also double-click the row of the desired organization to expand or collapse it.
3. In the “Modify Organization” window, modify the following existing organization information:
• Code: Displays the organization’s code.

Note Once the organization code is saved, you cannot change it.
• Name: Enter a new organization name.

• Parent Organization: Select the parent organization to add a sub-organization.
• Inheritable Profile: Displays the profiles inherited with the parent organization.
• AD/LDAP Sync: Allow creating organizations from the AD/LDAP system.
• Android Manage Type: Select the Android enrollment type between Android Legacy and
Android Enterprise.
• Sub-Administrator: Click Select to add sub-administrators to the organization.

4. Click Save.
Changing user’s organizations

You can change a user’s organizations to the desired organizations.
To change a user’s organizations, complete the following steps:
2. On the “Organization” page, click a specific organization name to move the user between
organizations.
Note
To expand or collapse the parent organization, click or next to the organization name. You
can also double-click the row of the desired organization to expand or collapse it.
3. On the “Organization Detail” page, click the User tab.
4. On the User tab, click the checkboxes next to the user IDs, and then click Change Organization.
5. In the “Select Organization” window, click the desired organization in the tenant tree, and then click
OK.
Note
Click or to expand or collapse the parent organization.
Assigning applications to organizations

After applications are registered to the Admin Portal, you can assign them to specific organizations.
To assign applications to organizations, complete the followings steps:
2. On the “Organization” page, click the checkbox next to the organization name you want to assign
the application to, and then click Application next to Assign.
3. In the “Select Application” window, click the checkboxes next to the applications to assign, and
then click Assign.
Note You can also click Manage Control App to add additional applications to the list. For more
information on adding control applications, see Managing applications for specific purposes.
4. On the “Assign Application” page, configure the assignment settings, and then click Assign.
Note Settings for applications to an organization vary depending on the applications supported by
each target device’s OS platform. For more information on configuring settings for assigning
applications, see Assigning applications.
5. In the “Assign Application” window, click OK.
Assigning and applying profiles to organizations
After profiles are registered to the Admin Portal, you can assign and apply them to specific
organizations.
To assign and apply profiles to organizations, complete the followings steps:
2. On the “Organization” page, click the checkbox next to an organization name you want to assign
and apply the profile to, and then click Profile next to Assign.
3. In the “Select Profile” window, select the profile to assign, and then click Assign.
Note For more information on assigning and applying profiles, see Assigning to organizations.
4. On the “Assign Profile” page, click Assign & Apply.
• Click Assign to assign the profile to the selected organizations and to not apply the profile now.
5. In the “Apply Profile” window, click OK. The profile will be assigned and applied to the selected
organizations at the same time.
Applying the latest profiles to organizations

Apply the latest assigned profile to an organization.
To apply an assigned profile to an organization, complete the following steps:
2. On the “Organization” page, click the checkbox next to the organization name you want to apply
the latest profile to, and then click Apply Latest Profile.
3. In the “Apply Profile” window, click OK.
Assigning and distributing content to organizations
After content is uploaded to the Admin Portal, you can assign and distribute it to specific
organizations.
To assign or distribute content to organizations, complete the following steps:
2. On the “Organization” page, click the checkbox next to the organization name you want to assign
and distribute content to, and then click Content next to Assign.
3. In the “Select Content” window, click the checkboxes for the content items, and then click Assign
& Deploy.
• Click Assign to assign the content to the selected organizations and not to distribute it now.
Deleting the organizations

To delete organizations, complete the following steps:
2. On the “Organization” page, click the checkbox next to the organization name you want to delete,
and then click Delete.
Note If you delete a parent organization that has sub-organizations, the sub-organizations will become
parent organizations.
3. In the “Delete Organization” window, click OK.
Viewing the group list
Navigate to Group to view all the groups registered in the Knox Manage Admin Portal on the “Group”
page. You can also perform specific functions to the selected groups among the list.
2
3
1 Search field Search for a desired group.
Add a group of users or devices. For more information, see

Add
Registering a group.
Add a group from existing employee information by synchronizing it

Add via AD/
with the AD/LDAP system. For more information, see Registering an
LDAP
AD/LDAP sync group.
Send device command requests to the enrolled devices in the

Device
group. For more information, see Sending device command
Command
requests to groups.
Function Check Check the locations of each enrolled device in the group For more
2 Location information, see Checking the locations of the devices in the group.
buttons
Delete the selected group. For more information, see Deleting the
Delete
groups.
Application Assign applications to the selected groups. For more information,

(Assign) see Assigning applications to groups.
Profile Assign profiles to the selected groups. For more information, see
(Assign) Assigning and applying profiles to groups.
Content Assign content to the selected groups. For more information see
(Assign) Assigning and distributing content to groups.
3 Group list View the brief information of the groups on the list.
Viewing the group details
View each group’s details by clicking a group name on the group list. For more information about
each section of the detail page, see Detail page.
Summary area
The summary area contains the information about the selected group such as group and user’s
device types.
• Modify Setting: Modify the sync settings of the current AD/LDAP group. In the “Modify Sync
Setting” window, enter the following information:
–– AD/LDAP Sync: Enable or disable sync services.
–– Sync Group Member: Select whether sync all users or only the selected users of the group. (Do
Not Sync, Sync All, Sync Selected Only)
–– Profile/App Auto Apply: Select when to apply a profile or application to a group member
automatically. (When Adding a User, When Deleting a User, When Deleting a Group)
Tab: User (For user or AD/LDAP groups)
The User tab for user groups shows the information of the user accounts in the group.
Add a user to the group from the user list. For more information, see
Add
Adding users to user groups.
Send templates or user notifications registered in Knox Manage to

Send Email users via email. For more information, see Sending templates or user
Request Enrollment
Delete the selected user from the group.

Delete User
Note You cannot delete users from the AD/LDAP group.
Tab: User (For device groups)
The User tab for device groups shows the information of the user’s devices and user accounts in the
group.
Send templates or user notifications registered in Knox Manage to

Send Email users via email. For more information, see Sending templates or user
Request Enrollment
Tab: Device (For user or AD/LDAP groups)
The Device tab for user groups shows the device status and information of the user’s devices in the
group.
• Detail: Move to the “Device Detail” page for the selected user’s device. For more information on the
Tab: Device (For device groups)
The Device tab for device groups shows the device status and information of the user’s devices in the
group.
• Detail: Move to the “Device Detail” page for the selected device. For more information on the
Add a device from the device list to the group. For more information, see
Add
Adding devices to device groups.
Delete Delete the selected device from the group.
Tab: Application
The Application tab shows the applications assigned to the group. The following function buttons are
available:
Unassign Unassign the applications assigned to the group.
Modify Setting Modify the settings of the applications assigned to the group.
Tab: Profile
The Profile tab shows the profiles assigned to the group. The following function buttons are
available:
Unassign Unassign the profiles assigned to the group.
Tab: Content
The Content tab shows the content assigned to the group.
• See Deploy Area: View the areas where the content is distributed. For more information, see
Assigning and distributing content to groups.
Unassign Unassign the content assigned to the group.
Tab: Command History
The Command History tab shows the command histories of the group.
• Detail: Move to the “Device Detail” page for the selected user’s device. For more information, see
Viewing the device details.
You can perform specific functions to the group using the function buttons in the footer.
Back Return to the group list.
Delete Delete the selected group.
Sync Sync the current AD/LDAP group.
Assign Assign applications, profiles, or content to the selected group.
Select the device to view its location on the mobile ID list and view the
Check Location device location on the map. For more information, see Checking the
locations of the devices in the group.
Apply Latest Profile Apply the latest assigned profiles to the selected group.
Select a device command and send it to the enrolled devices in the

Device Command
selected group.
Creating groups of users or devices
A group can be composed either of users or devices. Once a group is created, you can assign and
apply applications and profiles to the group of users or devices. Create a group directly in the Admin
Portal or from existing employee information by synchronizing it with the Active Directory (AD)/
Lightweight Directory Access Protocol (LDAP) system.
Registering a group
To create a group of users or devices, complete the following steps:
1. Navigate to Group.
2. On the “Group” page, click Add.
3. On the “Add Group” page, enter the following user information:
• Name: Enter a group name.

• Type: Select one of the following group types.
–– User: A group composed of user accounts only
–– Device: A group composed of devices only
4. On the user or device list, click the checkboxes next to the user IDs or device names to include
them in the group. After the users or devices are selected, they will be displayed on the selected
user or selected device list.
• You can also search for and select devices using filters. In the “Selected Device” area, click
Select via Filter, and then click the checkboxes for the filters you want to apply, such as user
status, position, and security level. Filtered devices will be added to the selected device list.
5. Click Save & Assign, and in the “Save & Assign” window, click Application, Profile, or Content to
select what to assign or deploy to the group.
• Application: Select the applications to assign to the group, and then modify the application
settings.
• Profile: Select the profiles to assign to the group, and then view the selected profile details.
• Content: Select the content to assign to the group.
Registering an AD/LDAP sync group
To create a group from existing employee information by synchronizing it with the AD/LDAP system,
complete the following steps:
2. On the “Group” page, click Add via AD/LDAP.
3. In the “Select Sync Target” window, enter the AD/LDAP group information:
• Sync target: Select a synchronization service to search for groups. If you have selected a
synchronization service, the relevant filter is automatically entered.
• Keyword Search: Enter a keyword to search for groups within the selected range, and then click
Search.
4. Select a group from the search result, and then click OK.
5. On the “Add AD/LDAP Group” page, enter the following group information:
• Sync target: Click Select to open the “Select Sync Target” window. For more information, see
step 3.
• Group Name: Enter a group name.

• Profile/App Auto Apply: Select when to apply a profile or application to a group member
automatically. (When Adding a User, When Deleting a User, When Deleting a Group)
• Sync Group Member: Select whether sync all users or only the selected users of the group.
–– Sync All: Sync all members of the group.
–– Sync Selected Only: Sync only the selected members of the group.
6. Click Save.
Managing groups
After configuring the groups of users or devices, apply various profiles to each group. You can also
view the detailed information of the user account, devices, device locations, applications, and profiles
by group.
Adding users to user groups

After creating a user group, you can add users to it.
To add users to a user group, complete the following steps:
2. On the “Group” page, click a specific user group name to add users to.
Note The group type must be User.
3. On the “Group Detail” page, click the User tab.
4. On the User tab, click Add.
5. In the “Select User” window, click the checkboxes next to the user ID to select users to add and
then, click Add. To delete the selected users on the selected user list, click .
6. In the “Add User” window, click Yes.
Note To apply the changed group’s profile to the added or deleted user’s devices, select Yes.
Adding devices to device groups
After creating a device group, if required, you can add devices to the desired device group.
To add devices to a device group, complete the following steps:
1. Navigate to Groups.
2. On the “Group” page, click a specific device group name to add devices to.
Note The group type must be Device.
3. On the “Group Detail” page, click the Device tab.
4. On the Device tab, click Add.
5. In the “Select Device” window, click the checkboxes next to the device name to select devices to
add, and then click Add. To delete the selected devices on the selected device list, click .
• You can also search for and select devices using filters. In the “Selected Device” area, click
Select via Filter, and then click the checkboxes for the filters you want to apply, such as user
status, position, and security level. Filtered devices will be added to the selected device list.
6. In the “Add Device” window, click Yes.
Note To apply the changed group’s profile to the added or deleted user’s devices, select Yes.
Assigning applications to groups

After applications are registered to the Admin Portal, you can assign them to specific groups.
To assign applications to groups, complete the followings steps:
2. On the “Group” page, click the checkbox next to the group name you want to assign the application
to, and then click Application next to Assign.
3. In the “Select Application” window, click the checkboxes next to the applications to assign, and
then click Assign.
Note You can also click Manage Control App to add additional applications to the list. For more
information on adding control applications, see Managing applications for specific purposes.
4. On the “Assign Application” page, configure the assignment settings, and then click Assign.
Note Settings for applications to a group vary depending on the applications supported by each target
device’s OS platform. For more information on configuring settings for assigning applications, see
Assigning applications.
Assigning and applying profiles to groups

After profiles are registered to the Admin Portal, you can assign and apply them to specific groups.
To assign and apply profiles to groups, complete the followings steps:
2. On the “Group” page, click the checkbox next to the group name you want to assign and apply the
profile to, and then click Profile next to Assign.
3. In the “Select Profile” window, select the profile to assign, and then click Assign.
Note For more information on assigning and applying profiles, see Assigning to groups.
4. On the “Assign Profile” page, click Assign & Apply to assign and apply the profile to the selected
groups at the same time.
• Click Assign to assign the profile to the selected groups and not to apply the profile now.
Assigning and distributing content to groups
After content is uploaded to the Admin Portal, you can assign and distribute them to specific groups.
To assign and distribute content to groups, complete the following steps:
2. On the “Group” page, click the checkbox next to group name you want to assign and distribute
content to, and then click Content next to Assign.
3. In the “Select Content” window, click the checkboxes for the content items, and then click Assign
& Deploy.
• Click Assign to assign the content to the selected groups and not distribute them now.
4. In the “Assign & Deploy Content” window, click OK.
Sending device command requests to groups

You can send device command requests to the user’s enrolled devices. For more information on each
device command, see Sending device commands to devices.
To send device command requests, complete the following steps:
2. On the “Group” page, click the checkbox next to the group name to send a device command
request to.
3. Click Device Command and select the supported OS platform or manage type (enrolled device).
4. In the “Device Command” window, select a desired device command.
Checking the locations of the devices in the group
You can check the locations of each enrolled device in the group.
To check the device locations, complete the following steps:
2. On the “Group” page, click the checkbox next to the group name to view the locations of the
enrolled devices in the group, and then click Check Location.
3. In the “Check Location” window, click a desired activated device on the device list and view its
detailed location information, such as its latitude, longitude, and altitude, over the last 30 days.
Deleting the groups

To delete groups, complete the following steps:
2. On the “Group” page, click the checkbox next to the group name you want to delete, and then click
Delete.
3. In the “Delete Group” window, click Yes.
Note To maintain the assigned applications and profiles of this group for the user, select No. To
unassign the applications and profiles of this group from the user, select Yes.
Syncing user information with AD/LDAP
Add information about users, groups, and organizations to the Knox Manage server through the
Active Directory (AD) service that is built upon the industry-standard Lightweight Directory Access
Protocol (LDAP). This service enables you to keep user, organizational, and group information
synchronized across multiple sites throughout the enterprise and update information on demand or
automatically at specified intervals.
The AD/LDAP service provided by Knox Manage includes filtered search capabilities for viewing user
information and historical data about sync services. For synchronizing Knox Manage data between
the enterprise and cloud servers, SAMSUNG provides the Cloud Connector secure data transfer
channel. For more information, see Using Cloud Connector.
Firewall
Knox Manage
Cloud AD/LDAP
Connector
User Devices
Adding sync services
Add AD/LDAP directory services in Knox Manage to synchronize user, organizational, and group
information. Once added, you can sync through the corresponding menus in User, Group, and
Organization.
To add a sync service, complete the following steps:
1. Navigate to Advanced > AD/LDAP Sync > Sync Service.
2. On the “Sync Service” page, click Add.
3. On the “Add Sync Service” page, enter information required for specifying the basic information
about a sync service.
• Sync Service Name: Enter the sync service name (up to 25 characters consisting of letters,
numbers, and special characters (- or _ only). It will be used to distinguish each sync service
and also used when selecting sync services in User, Group, and Organization.
• Target: Click the checkbox next to User, Group, or Organization as the target information to
retrieve from the directory through the sync service.
• Scheduler: Select Use next to Scheduler to use automatic synchronization and enter the
schedule and iteration cycle in the Schedule tab below:
–– Time Zone: Click the drop-down menu and select the time zone to use for the automatic
synchronization. You can change the default in Setting > Configuration > Basic
Configuration.
–– Sync Interval: Click the drop-down menu and select a sync service interval: Once, Hourly,
Daily, Weekly, Monthly, or Advanced Settings. If you select Advanced Settings, set a regular
interval in month, week, day, or hour format using cron expressions.
–– Time: Set the start time for the sync service.
–– Start Date: Set the start date for the sync service.
–– Target of Scheduler: Click the checkbox next to User, Group, or Organization as the target
information to retrieve from the directory through the scheduled sync service.
4. Click the Server tab and enter information required for specifying the LDAP server information.
• Directory Type: Select a directory. Select Other when connecting to other directory servers
except the Microsoft Active Directory.
• IP/Host: Enter the IP or host address of the directory, and the TCP port number for
communicating with the directory server. The default port number used for unencrypted
communication with the directory server is 389.
• Encryption Type: Select None (No encryption), SSL (Secured Socket Layer), or TLS (Transport
Layer Security) as the encryption method for the internet communication protocol used for
communicating with the directory server.
• Auth Type: Select None, Simple, DIGEST-MD5(SASL), or CRAM-MD5(SASL) as the

authentication method used when establishing a connection with the directory server. After
selecting DIGEST-MD5(SASL) or CRAM-MD5(SASL), fill out the Authentication details field for
the chosen Auth Type as follows:
Auth Type Description
Configure the settings for Simple Authentication and Security Layer (SASL),
a telnet-based protocol:
• SASL Realm: Enter the realm value of the SASL server in domain format
(e.g., sample.com).
• Quality of Protection: Select the quality of the data protection from the
followings.
–– Authentication Only: Protect data only upon authentication.
–– Authentication with integrity: Ensure integrity of all the data
exchanged, as well as authentication.
DIGESTMD5(SASL)/ –– Authentication with integrity and privacy: Ensure integrity of all data
CRAMMD5(SASL) exchanges, as well as authentication through data encryption.
• Protection Strength: Select a data protection level, and determine
whether or not mutual authentication should be performed when
exchanging data.
–– High: Use 128-bit encryption.
–– Medium: Use 56-bit encryption.
–– Low: Use 40-bit encryption.
–– Mutual Authentication: Click the checkbox next to Mutual
Authentication to ensure data validity by inserting the key into the data
exchanged between the client and server.
• User ID: Enter the administrator information of the directory server in the following forms:
–– domain/administrator ID,
–– administrator ID @ domain,
–– or CN = administrator ID, CN = Users, DC = domain, and DC = com.
• Password: Enter the user ID’s password.

5. Click the User, Group, or Organization tab according to your selection in Target in the Preferences
tab, and then enter the following information:
• For more information on the User tab, see Customizing user information.
• For more information on the Group tab, see Customizing group information.
• For more information on the Organization tab, see Customizing organization information.
6. Click Save & Sync.
7. In the “Save & Sync Service” window, click OK.
• Click View next to Expected Sync Result to preview the sync result before starting sync.
Customizing user information

Customize user information on the User tab in the “Add Sync Service” window.
To customize the user information when adding the sync service, complete the following steps:
about a sync service. For more information, see Adding sync services.
Note When entering the information on the “Add Sync Service” page, you must select User for the sync
service target.
4. Click the User tab, and then enter the following information:
• Base DN: Click Select to open the “Select Base DN” window and select a starting location for
searches in the directory server. Entering a Base DN value can reduce the time required to
search for data by limiting searches to a specific location.
–– Selected DN: Shows the selected DN (Distinguish Name).
• Filter: Click Select to open the “Select Object Class” window and select an Object Class
and attributes for the LDAP Syntax string that will be used to filter search results. For more
information about setting filters, see Adding a directory connector.
–– Recommended Properties: Displays the recommended properties of the selected object
class.
–– Return Value: Displays the LDAP Syntax of the selected property information and object
class.
–– Default: Select the object class name defined by default as a filter.
–– Custom: Select the object class name defined by connected directory server as a filter.
• Sync Target: Select to add specific targets that are not already specified as targets for the sync
service.
–– Directly Select (Recommended): Click Select to open the “Select Sync Target” window and
select the desired target.
–– All in Config: All users are selected.
• Auto Deploy: Profiles are automatically applied to the user devices when organization
information is changed.
• Permanent Delete: Select how to process users who have been deleted from the directory
server in Knox Manage.
–– Keep: Select to keep the user’s data in Knox Manage.
–– Delete: Select to clear the user’s data from Knox Manage. Deleted users are then added to
the list of Sync exceptions. To view this list, navigate to Advanced > AD/LDAP Sync > Sync
Service, and on the “ Sync Service” page, click Manage Sync Exception and view Exception
Type with a value of Deleted (Source).
5. Click next to Detail in the Mapping Information area and enter information for mapping
the user attributes of the directory server and the user attributes entered when registering
user accounts in Knox Manage. The most common values of a directory server are entered
automatically, but you can change them according to the directory server.
• User ID: Enter a user ID up to 220 characters.

• User Name: Enter the user’s login name that will be used for the Windows domain. Enter the
UPN in “User’s login name@domain_name” format.
• Employee No.: Enter the employee’s number.

• Mobile No.: Enter the user’s mobile number.
• DN (Distinguished Name): Enter the unique name of the LDAP object.
• Object Identifier: Enter the ID used to distinguish the synced user.
• Organization: Enter the organization name.
• Status: Enter the status of the user account.
• Last Updated Date: Enter the last date when the user information was updated.
• Created Date: Enter the date when the user was created.
• First Name: Enter the user’s first name.
• Middle Name: Enter the user’s middle name.
• Last Name: Enter the user’s last name.
• Display Name: Enter the user’s display name.
• Department: Enter the user’s department.
• Administrator DN: Enter the unique name of the administrator.
• Email User Name: Enter the user’s email username.
• Contact: Enter the contact information.
• UPN: Enter the User Principal Name (UPN).
• User Identifier: Enter the name used to distinguish the synced user.
• Default Country Code: Enter the default country code.
• Organization Code: Enter the organization code.
• Position Code: Enter the position code.
• Site: Enter the site information.
• Security Level: Select a security level for the user.
• User Certificate: Select a user certificate.
• User-Defined 1: Enter a user defined value.
Note • Click Select to the right of each item to search for the attributes defined in the directory
server.
• Click Refresh to the right of each item to reset the saved values back to the default values.
• Click the checkbox next to User Static Input Value to delete the default mapped values and
to allow you to enter values manually.
Customizing group information
Customize group information on the Group tab in the “Add Sync Service” window.
To customize the group information when adding the sync service, complete the following steps:
Note When entering the information on the “Add Sync Service” page, you must select the sync service
target as Group.
4. Click the Group tab, and then enter the following information:
searches on the directory server. Entering a Base DN value can reduce the time required to
service.
–– All in Config: All groups are selected.
• Permanent Delete: Select how to process groups which have been deleted from the directory
server in Knox Manage.
–– Keep: Select to keep the group’s data in Knox Manage.
–– Delete: Select to clear the group’s data from Knox Manage. Deleted groups are then added to
the list of Sync exceptions. To view this list, navigate to Advanced > AD/LDAP Sync > Sync
Service, and on the “ Sync Service” page, click Manage Sync Exception and view Exception
Type with a value of Deleted (Source).
5. Click next to Detail in the Mapping Information area and enter information for mapping the
group attributes of the directory server and the group attributes entered when registering groups
in Knox Manage. The most common values of a directory server are entered automatically, but you
can change them according to the directory server.
• Group Name: Enter the name for the group.

• Member: Select a member for the group.
• Organization: Select the organization to which the group belongs. If left unspecified, the group
will not belong to any organization.
• DN (Distinguished Name): Enter the unique name of the LDAP object.

• Object Identifier: Enter the ID used to distinguish the synced group.
• Group Identifier: Enter the name used to distinguish the synced group.
server.
Customizing organization information

Customize organization information on the Organization tab in the” Add Sync Service” window.
To customize the organization information when adding the sync service, complete the following
steps:
Note When entering the information on the “Add Sync Service” page, you must select the sync service
target as Organization.
4. Click the Organization tab, and then enter the following information:
searches on the directory server. Entering a Base DN value can reduce the time required to
service.
–– All in Config: All organizations are selected.
• Permanent Delete: Select how to process organizations which have been deleted from the
directory server in Knox Manage.
–– Keep: Select to keep the organization’s data in Knox Manage.
–– Delete: Select to clear the organization’s data from Knox Manage. Deleted organizations are
then added to the list of Sync exceptions. To view this list, navigate to Advanced > AD/LDAP
Sync > Sync Service, and on the “ Sync Service” page, click Manage Sync Exception and view
Exception Type with a value of Deleted (Source).
5. Click next to Detail in the Mapping Information area and enter information for mapping the
organization attributes of the directory server and the organization attributes entered when
registering organizations in Knox Manage. The most common values of a directory server are
entered automatically, but you can change them according to the directory server.
• Organization Code: Enter the organization code.

• Organization Name: Enter the organization name.
• Member: Enter the member of the organization.
• Organization: Enter the member’s organization.
• DN: Enter the unique name of the organization.
• Object Identifier: Enter the ID used to distinguish the synced organization.
• Organization Identifier: Enter the name used to distinguish the synced organization.
• Company Number: Enter the company number.
• Upper Organization Code: Enter the code for an organization in a higher tier than the
organization to which the user belongs. It allows synchronizing the organization by maintaining
the hierarchical relationships in the organization chart.
• Department Head ID: Enter the ID of the department head.
• Department Head Name: Enter the name of the department head.
• Department Head Position: Enter the position of the department head.
• Display Order: Enter the display order.
server.
Viewing a list of sync services

After adding sync services, you can view the available sync services in a list.
From the Sync Services list, view the following information of each sync service ID:
• Sync Service Name: Click to view the preferences, entered users, and organizational and group
information of the sync service.
• Target: Check the target to be retrieved from the directory server.

• Scheduler: Check if automatic synchronization on schedule is in use.
• Sync Status: Check the status of the sync service. If the sync service is in progress, “In Progress”
appears, and if the sync service is scheduled to sync at a specific time, “Waiting” appears.
• Sync Interval
• Last Updated
From the Sync Services list, click the checkbox for a sync service and click Sync to synchronize data
immediately. For more information, see Running a sync service on demand.
Changing the sync targets
Enable or disable sync services by user, organization, or group. The sync targets are identical to the
ones that are set as AD/LDAP on the User, Organization, or Group page.
2. On the “Sync Service” page, click a sync service name.
3. In the User, Group, or Organization tab on the “Sync Service Detail” page, click the checkbox for a
sync service and click Enable Sync.
• Click Disable Sync to exclude from the sync targets.

4. In the User, Group, or Organization tab, click Add to add a sync target.
Viewing sync results

Navigate to the User, Group, or Organization tab to view users, organizations, or groups added to
Knox Manage after running a sync service.
• User: View the targets set to AD/LDAP under Type.

• Organization: View the targets set to AD/LDAP under Type.
• Group: View the targets set to AD/LDAP under Type.
Running sync services
Synchronization occurs automatically according to the schedule specified. The Sync Interval value
can be set while adding a sync service (see Adding sync services). You can also perform on-demand
synchronization at any time and can also add additional targets while doing so. The pop-up window
that appears when running an on-demand sync service shows the expected number of targets, which
helps you determine whether or not to run the synchronization.
Running a sync service automatically

Synchronize data automatically on the schedule specified. When adding or modifying sync services,
select Use next to Scheduler and specify schedules for automatic synchronization. For more details,
see Adding sync services.
• The history of the sync service can be viewed in Advanced > AD/LDAP Sync > Sync History.
Running a sync service on demand

Synchronize data on demand at any point in time by choose to synchronize the targets already
specified for a service or adding, modifying, or deleting targets as needed.
To run a sync service on demand, complete the following steps:
2. On the “Sync Service” page, click the checkbox for a sync service and click Sync.
3. In the “Sync” window, select a sync target type, select to preview the sync result before starting
sync, and click OK.
4. In the “Expected Sync Results” window, check the expected synced targets and click OK.
Note Navigate to Advanced > AD/LDAP Sync > Sync History to view the history of the sync service.
Viewing sync exceptions
Navigate to Advanced > AD/LDAP Sync > Sync Service, and on the “ Sync Service” page, click
Manage Sync Exception to view all the list of users, organizations and groups that are excluded from
the sync service in the “Manage Sync Exception” window.
The sync exceptions list is sorted and managed according to the Exception Type.
• Deleted (EMM): Targets that are deleted manually by the administrator

• Deleted (Source): Targets that have been deleted from the directory server and, therefore, also
deleted in Knox Manage. This exception applies when you set the Permanent Delete option to
Delete in the User, Group, or Organization tab on the “Add Sync Service” page.
• Deleted (Synchronized Group): Target groups that have been deleted from the directory server and,
therefore, also deleted in Knox Manage. This exception applies when you select Yes next to Sync
Group Member in the Group tab on the “Add Sync Service” page.
• Duplicated: A user, group, or organization with the same ID exists in Knox Manage.
• Rejected: A group or organization has been specifically excluded from synchronization in Knox
Manage, because the AD/LDAP Sync checkbox is not checked in the group and organization
information in Group or Organization.
• Inappropriate: Targets whose registered information in the directory server is not appropriate for
Knox Manage’s architecture.
Restoring sync exceptions

View exceptions by Exception Type and restore them. When restoring exceptions for a target,
synchronization begins immediately. Once synchronized, the target appears in the list of
synchronized targets.
To restore a sync exception, complete the following steps:
2. On the “ Sync Service” page, click Manage Sync Exception.
3. In the “Manage Sync Exception” window, click the checkbox next to the target and click Delete &
Sync Service to restore it.
4. In the “Delete & Sync Service” window, click OK.
Deleting sync exceptions
Targets that have been removed from the list of Sync exceptions are added to the list of sync
targets for the relevant sync service again. They will be synchronized automatically according to the
schedule or when you set to synchronize them on demand.
To delete a sync exception, complete the following steps:
2. On the “ Sync Service” page, click Manage Sync Exception.
3. In the “Manage Sync Exception” window, enter a target ID or target type and click .
• Exception Type: The sync exceptions list is sorted according to the Exception Type.
• Target ID: The Sync exception ID such as user ID, group, ID, or organization name.
• Integration System ID: The base DN of the directory server set for the sync service.
• Target Type: The Sync exception type, such as a user and group.
• Service Name: The sync service name used to distinguish each sync service.
• Last Updated: The last date when the sync exception was created.
4. Click the checkbox next to the target and click Delete.
Once an exception is deleted, the target is added to the list of sync targets for the relevant sync
service again, and will be synced automatically according to the schedule. For more information on
running the sync service immediately, see Running a sync service on demand.
Viewing sync history
You can search for a history of previously-run sync services by sync type or period. To search for a
sync history, complete the following steps:
1. Navigate to Advanced > AD/LDAP Sync > Sync History.
2. On the “Sync History” page, set the request date, select a task type, enter a sync service name, and
click Search.
3. Click Detail on the row of the relevant service to view additional details. You can view the history
of changes made to the sync service, users, organizations, and groups by tab.
4
Device
Device
Knox Manage supports various device enrollment methods. After successful user authentication and
login to Knox Manage, the devices are automatically enrolled and registered to their user accounts on
Knox Manage. Before enrolling devices, a user account must be created to register enrolled devices
to it. For more information on creating user accounts, see Creating user accounts.
After devices are enrolled and registered to the specific organization and group in the Admin Portal,
you can assign and apply various policies, applications, and content files to the organizations
and groups. You can control the enrolled devices using device commands and view the detailed
information for each enrolled device.
→→ Viewing the device list

→→ Viewing the device details
→→ Enrolling devices
→→ Managing devices
→→ Managing limited enrollment
→→ Checking the locations of the devices
→→ Viewing device logs
Device 94
Viewing the device list
Navigate to Device to view all the devices registered in the Knox Manage Admin Portal on the
“Device” page. You can also perform specific functions to the selected devices among the list.
On the device list, the personalized settings of the columns will be saved. The saved settings will be
retained before you delete the web browser’s cookies. You can also return the column settings to
their default settings by clicking Revert Column Settings.
Device 95
Search for devices by device name, IMEI / MEID, user name,

1 Search field and status. Click Advanced Search to filter by device platform &
management type, enrollment type, security issue, etc.
Send the device commands to the selected device on the device

Device
list. For more information, see Sending device commands to
Command
devices.
Only devices that have the Report device location policy applied
Check Location can be checked. For more information, see Checking the
locations of the devices.
Remote Remotely control the selected device with the RS Viewer from
Support your computer. For more information, see Remote Support.
Add or delete the tags of the selected devices in order to filter

Manage Tag by specific information. Multiple tags can be also added to a
Function device.
2
buttons
Update License Update the license of the selected devices on the device list.
Unenroll the selected devices on the device list. For more

Unenroll
information, see Unenrolling devices.
Delete Delete the selected unenrolled devices from the device list.
Bulk Add Tags Add bulk device tags using a template.
Export a list of devices as a CSV file. When exporting is

complete, you can download the exported list. In the header
Export to CSV
of the Knox Manage Admin Portal, click > Download > My
Download, and then click Download next to the exported item.
Revert Column
Resets the column settings to the default settings.
Settings
View brief information for the enrolled devices on the list. You
can add more columns by clicking > Columns, and then
3 Device list clicking the checkboxes for the columns you want to add.
Information of the devices, such as model number, OS version,
and MAC address, can be viewed in the added columns.
Device 96
Viewing the device details
View each device’s details by clicking a device name (or tag) to on the device list. For more
Summary area
The summary area contains the information about the selected device such as device’s status, and
detailed information.
• Detail: View the detailed device’s user information. For more information about the “User Detail”
page, see Viewing the device details.
• See History: View the detailed histories of the device status.
Tab: Security
The Security tab shows the device’s detailed security status.
• Detail (Knox Manage Agent Policy): View the assigned and applies policies created by Knox
Manage Agent.
Tab: Device Information
The Device Information tab shows the device’s detailed information.
• Detail: Display additional device information at the bottom of the page.
Tab: Network
The Network tab shows the device’s detailed network status such as Wi-Fi and SIM information.
Note Wi-Fi Transfer Data and Network Transfer Data do not appear on Android 10 (Q) devices.
Device 97
Tab: Application
The Application tab shows the applications installed, assigned or controlled to the selected device. In
the Application tab, the following tabs are additionally provided.
Application tab Description
View the information of the installed applications to the device. The following
function buttons are available:
• Sync Installed App List: Update the installed application list.

Installed Application
• Install or Update: Select the application to install on the device or to update
if it is already installed.
• Export to CSV: Download a list of applications as a CSV file.
Assigned Application View the information of the assigned applications to the device.
Controlled Application View the information of the controlled applications to the device.
Tab: Profile
The Profile tab shows the detailed information on the profile and policies assigned to the selected
device.
Tab: Content
The Content tab shows the list of the content files assigned to the selected device.
Tab: Group / Organization
The Group / Organization tab shows the detailed information on the groups and organizations that
the selected device belongs to.
• Detail (Group): Move to the “Group Detail” page for the selected group. For more information on the
“Group Detail” page, see Viewing the group details.
• Detail (Organization): Move to the “Organization Detail” page for the selected organization. For
more information on the “Organization Detail” page, see Viewing the organization details.
Device 98
Tab: Command History
The Command History tab shows the history of device commands sent to the selected device. You
can also view the detailed information on the audit events for each device command.
• See Audit Event: View in detail the audit events that occurred while completing a device command.
Device Log Download the device logs.
Re-Request Re-request the requested device command on the list.
You can perform specific functions to the devices using the function buttons in the footer.
Back Return to the device list.
View the audit log details for the selected device. For more information, see Viewing
Audit Log
audit logs.
Delete Delete the selected device.
Add or delete the tags of the selected devices in order to filter by specific information.
Manage Tag
Multiple tags can be also added to a device.
Remotely control the selected device with the RS Viewer from your computer. For
Remote Support
more information, see Remote Support.
Device 99
Enrolling devices
Select one of the following methods depending on the supported device type of the user’s device and
the enrollment types to install the Knox Manage application on user’s devices.
Enrollment type Method Supported device type
Send a Knox Manage application installation guide

to users via email or SMS through the Knox Manage
Single enrollment All devices
Admin Portal. For more information see Enrolling a
single device.
Use Knox Mobile Enrollment (KME) to enroll a large

number of Samsung devices. For more information,
Bulk enrollment Samsung devices
see Using Knox Mobile Enrollment (Samsung devices
only).
Use Zero Touch Enrollment (ZTE) to enroll a large

number of Android Enterprise (For non-Samsung Android Enterprise (For
Bulk enrollment
devices). For more information, see Using Zero Touch non-Samsung devices)
Enrollment (Android Enterprise devices only).
Use Apple’s Device Enrollment Program (DEP) to enroll

a large number of iOS devices. For more information,
Bulk enrollment iOS
see Using the Apple Device Enrollment Program (iOS
devices only).
Enrolling a single device

Send a Knox Manage application installation guide to users via email or SMS through the Knox
Manage Admin Portal. Also, users can directly download the Knox Manage application and enroll
their devices. For Android Enterprise (AE) devices, you can use a token or QR code to enroll the
devices.
Device 100
Enrolling general devices (Android Legacy, iOS and Windows)
Send a Knox Manage application installation guide to users via email or SMS through the Knox
Manage Admin Portal. Also, users can directly download Knox Manage application from their public
application stores.
Note Before enrolling devices, a user account must be created to register enrolled devices to it. For
more information on creating user accounts, see Creating user accounts.
1. Select one of the following methods to send the Knox Manage application installation guide to
users.
• Sending the Email_Agent Installation template to send QR code via email, allowing users
to install the Knox Manage application on their devices. For more information, see Sending
templates or user notifications to users via email.
• Sending the installation URL address or QR code via email or SMS. For more information, see
Sending enrollment guides to users via email and SMS.
Also, users can directly search for the Knox Manage Agent application from their public app
store and download it.
2. Install Knox Manage application by clicking the URL address or scanning the QR code depending
on the request methods, and then launch the Knox Manage application on the device.
3. On the log in screen, enter a user ID and password to sign in to Knox Manage. If you log in to Knox
Manage successfully, the profiles, policies and applications will be applied to the device.
Note For Android Legacy with Knox Workspace devices running Android 10 (Q) or higher, tap the
enrollment notification on the status bar to install the Knox Workspace manually.
Device 101
Enrolling Android Enterprise (AE) devices
Knox Manage supports the following Android Enterprise (AE) manage types. Each manage type can
be enrolled differently.
Personal area Personal area

(Work-managed) (unmanaged)
Work area
Work Profile Corporately Work Profile Corporately

managed managed
Work Profile Work Profile
Fully Managed Type Fully Managed Work Profile Type

(Corporate-owned) With Work Profile Type (Bring your own device)
(Corporate-owned)
• Fully Managed type: This type allows you to control the whole corporate owned device using Knox
Manage. To activate as a Fully Managed type, the device must be factory reset.
• Fully Managed with Work Profile type: This type, a combination of the Fully Managed and Work
Profile types, allows you to control corporate owned devices. You can manage the device’s
personal area by sending device commands while controlling business applications and data
within the separate Work Profile. Users can install and use personal applications on their device’s
personal area, and, in this case, Knox Manage cannot control applications installed in the personal
area or their data.
• Work Profile type: This type allows you to control personal devices (BYOD). In this case, Knox
Manage only manages the Work Profile, which is the work area separated from the personal area,
on the device.
Device 102
Enrolling as the Fully Managed type
Enroll Android Enterprise (AE) devices in the Fully Managed type to control the whole area of the
device. The device should be factory reset in advance. Select one of the following methods.
Method Supported version
Use a token (afw#KnoxManage).

Android 6.0 (Marshmallow) or higher
For more information, see Using a token.
Use a QR code sent via Email.

Android 7.0 (Nougat) or higher
For more information see Using a QR code.
Using a token
Enter the token (afw#KnoxManage) to enroll the Android Enterprise (AE) devices in the Fully
Managed or Fully Manage with Work Profile type. If the token is applied successfully, the Knox
Manage app will be automatically installed on the device.
To enroll using a token, complete the following steps:
1. Turn on the factory reset device, and then on the device screen, tap START.
2. On the “Connect to Wi-Fi” screen, select an available Wi-Fi network, and then tap NEXT.
3. On the “Agree to Terms and Conditions” screen, read the terms and conditions, and then tap the
checkbox next to “I have read and agree to all of the above”. Then, tap Agree. The device will
check for updates and the updated will be applied.
4. On the “Sign in” screen, enter “afw#KnoxManage” in the Email or phone field, and then tap Next.
5. On the “Android Enterprise” screen, tap Install to download the Knox Manage application on the
device. The Knox Manage application will be downloaded and launched automatically.
6. On the “Set up your device” screen of the Knox Manage Agent, read the privacy policy of Knox
Manage and Google, and then tap Accept & continue. The Knox Manage application will launch
automatically.
7. On the “Sign in with your Samsung Knox Manage Account” screen, enter a user ID and password,
and then tap SIGN IN to sign in to Knox Manage. Depending on the profiles applied to the device,
the device will be enrolled as the Fully Managed or Fully Managed with Work Profile type.
Device 103
Using a QR code
Use a QR code sent via email to enroll the devices as the Fully Managed or Fully Managed with Work
Profile type. For more information on sending a QR code, see Sending enrollment guides to users via
email and SMS.
To enroll using a QR code, complete the following steps:
1. Turn on the factory reset device, and then, on the welcome screen, tap the screen 5 times to
launch QR code enrollment. The QR Reader app will be downloaded and the device camera will
launch to scan the QR code automatically.
2. Scan the QR code sent by email. The Knox Manage URL and tenant information included in the QR
code will be detected.
3. On the “Connect to Wi-Fi” screen, select an available Wi-Fi network, and then tap NEXT.
4. On the “Agree to Terms and Conditions” screen, read the terms and conditions, and then tap the
checkbox next to “I have read and agree to all of the above.” Then, tap Agree. The Knox Manage
application will launch automatically.
and then tap SIGN IN to sign in to Knox Manage. Depending on the profiles applied to the device,
the device will be enrolled as the Fully Managed or Fully Managed with Work Profile type.
Enrolling as the Fully Managed with Work Profile type

Enroll the Android Enterprise (AE) devices as the Fully Managed with Work Profile type to control
the separate work and personal areas. The enrollment methods are the same as those for the Fully
Managed type, but the applied profile should be set as Create Work Profile on Fully Managed. For
more information, see Creating a new profile.
Note • For devices running Android 10 (Q) or higher, tap the enrollment notification on the status bar to
install the Work Profile manually.
• KSP policies are not applicable to the Fully Managed with Work Profile type. For devices that are
enrolled as the Fully Managed type with KSP policies applied, these policies can remain even
after the device type changes to the Fully Managed with Work Profile type. It is recommended
to remove them manually.
Method Supported version
Use a token (afw#KnoxManage).

Android 6.0 (Marshmallow) or higher
For more information, see Using a token.
Use a QR code sent via Email.

Android 7.0 (Nougat) or higher
For more information see Using a QR code.
Device 104
Enrolling as the Work Profile type
To enroll the Android Enterprise (AE) devices as the Work Profile type, provide an installation guide to
the users to install the Knox Manage application on the devices. You can send an installation guide
via email or SMS or users can download the Knox Manage application directly from their public app
store.
To enroll AE devices as Work Profile devices, complete the following steps:
1. On the device screen, tap the installation URL address sent to users via email or SMS to download
and install the Knox Manage application on the device.
Note You can also search for the Knox Manage application from the Google Play Store to download and
install it on the AE device.
2. On the device, launch the Knox Manage application.
and then tap SIGN IN to sign in to Knox Manage.
Note For devices running Android 10 (Q) or higher, tap the enrollment notification on the status bar to
install the Work Profile manually.
4. On the “Set up a work profile” screen, read the privacy policy of Knox Manage, and then tap Agree.
The work applications with the briefcase badge icons, which can be managed by Knox Manage,
will appear on the device.
Device 105
Using Knox Mobile Enrollment (Samsung devices only)
Samsung Knox Mobile Enrollment (KME) allows you to quickly and easily enroll a large number of
corporate-owned Samsung devices. The devices are automatically enrolled when users connect to
the internet and log in to Knox Manage. Even if you reset the devices enrolled by the KME program,
the Knox Manage application is re-installed automatically and the devices are re-enrolled in to Knox
Manage.
The KME program provides the following advantages:
• Enroll a large number of devices in bulk without having to manually enroll each device.
• Allow the KME devices to automatically install the Knox Manage application when the KME devices
are reset.
To enroll devices using the KME program, the following procedures must be performed.
Register devices to KME

Log in to the KME portal. Create MDM profiles. through Knox Reseller Portal
or Knox Deployment App.
Log in to Knox Manage Assign MDM profiles

for enrollment. to the KME devices.
Note For more information about the KME program, refer to the KME Admin Guide (https://docs.
samsungknox.com/KME-Getting-Started/Content/about-kme.htm).
Device 106
Before using Knox Mobile Enrollment
To use Knox Mobile Enrollment (KME) properly, the followings must be prepared:
• See the list of available countries at the Samsung Knox website and check if the KME program is
available in your country.
• Prepare a device from the following carrier or reseller to use the KME program:
–– A distributor approved by the KME program
–– A dealer sharing IMEI or serial numbers directly with the Samsung representative
• Make sure the devices are Samsung Galaxy devices with Knox 2.4 or higher.
• Sign up for an account in the Samsung Knox Web Portal.
• To install Knox Manage, devices must have more than 50% of their battery charged.
• Before enrolling devices using Android Enterprise’s Fully Managed Device, make sure the devices
are running on Samsung Galaxy S8 and Android 5.0 (Lollipop) or above. For more information
about Android Enterprise, visit the Android website at https://www.android.com/enterprise/.
Logging in to the Knox Mobile Enrollment Portal

To use Knox Mobile Enrollment (KME), you should log in to the Knox Mobile Enrollment Portal.
To log in to the Knox Mobile Enrollment Portal, complete the following steps:
1. Visit the Knox Portal at https://www.samsungknox.com, and click Sign in in the upper right-corner
of the screen.
2. Enter a Samsung account ID and password, and then click SIGN IN.
3. On the main Knox Portal page, navigate to SOLUTIONS > Knox Mobile Enrollment.
4. On the Knox Mobile Enrollment page, click Get Started.
5. Enter a work email address and click APPLY FOR FREE. If the application is approved, you will
receive a welcome email with instructions on Knox Mobile Enrollment (KME).
6. On the My Knox solutions page, click LAUNCH CONSOLE on Knox Mobile Enrollment.
Device 107
Creating MDM profiles
Before enrolling devices, create MDM profiles for Android (Legacy) and Android Enterprise through
the Knox Mobile Enrollment Portal.
Knox Manage supports two types of KME enrollments for MDM profiles: Android (Legacy) and
Android Enterprise:
Profile type Targeted device Description
Create this profile for the legacy method of managing

Device Admin Android Legacy
devices.
Create this profile for fully managed or dedicated

Device Owner Android Enterprise
devices.
Creating MDM profiles for Android Legacy devices

To create MDM profiles for the Device Admin profile type, complete the following steps:
1. On the Knox Mobile Enrollment Portal, navigate to MDM Profiles.
2. In the upper-right corner of the “MDM Profiles” page, click CREATE PROFILE.
3. On the “Select profile type” page, click DEVICE ADMIN.
4. On the “Device Admin profile details” page, enter the following basic information
• Profile Name: Enter an appropriate profile name to distinguish it from others with similar
attributes. Special characters are not permitted.
• Description: Enter a profile description (200 characters maximum) to further differentiate this
profile from others.
• MDM Server URI: Enter the Knox Manage server for the relevant regions as stated in the
following table:
Region Domain
Asia https://ap01.manage.samsungknox.com
US https://us01.manage.samsungknox.com
EU https://eu01.manage.samsungknox.com
Depending on the tenant, you may have to change the domain URI. Refer to your prefix server address
of the Knox Manage Admin Portal, and then enter that value in the MDM Server URI. For example, if your
server address is https://ap02.manage.samsungknox.com/emm/admin/login.do, your MDM Server URI
should be https://ap02.manage.samsungknox.com
Note Once you have created an MDM profile, you cannot change the MDM server URI.
Device 108
• Server URI is not required for my MDM: Select this option if you either do not need to point to
the MDM’s enterprise installation or are unable due to connection restraints.
5. Click CONTINUE.
6. On the “Device Admin profile settings” page, set the following MDM configuration settings.
• MDM Agent APK: Click ADD MDM APPS and enter the Knox Manage APK link information
stated in the following table, and then click SAVE. The application will be automatically installed
on the device when it connects to the internet.
Region Domain
Asia http://install-ap.manage.samsungknox.com/KnoxManageEMMService.apk
US http://install-us.manage.samsungknox.com/KnoxManageEMMService.apk
EU http://install-eu.manage.samsungknox.com/KnoxManageEMMService.apk
• Custom JSON Data (as defined by MDM): Enter the tenant information including the TenantId
and TenantType in the java script object notation (JSON) format, as in {”TenantId”:”YOUR_
TENANT”, ”TenantType”:”M”}.TenantId refers to the name of your Knox Manage
company account. It occurs after @ in your Knox Manage Username. For example, your
JSON data entry may be used as follows: {”TenantId”:”knoxteam.samsung.com”,
”TenantType”:”M”}. For more information about JSON and related technology, go to http://
json.org.
7. Set the following device settings.
• Enrollment settings: Select the additional enrollment setting options.

Note The Skip Setup Wizard option performs independently from the Allow end user to cancel
enrollment, and both options can be enabled at the same time.
–– Skip Setup Wizard: Skips the setup wizard screen and allows you to start the enrollment
process much faster.
Note This option is not currently available on all AT&T devices.
–– Allow the end user to cancel enrollment: Permits end-users to cancel enrollment on their
devices.
• Privacy Policy, EULAs and Terms of Service: Click Samsung Knox Privacy Policy to view the
specific privacy policy text displayed to device users based on their geographic region.
• ADD LEGAL AGREEMENT: Enter the agreement title and agreement text.
• Support contact details: View the support contact details.
Device 109
• EDIT: Update the company name, company address, support phone number, and support email
address displayed on the devices after successful enrollment. If required, click Save as default
support contact details to use this same information as the default contact information.
Note If the device owner (DO) support is enabled for the profile, then only the client name is
editable, and the remaining fields are inactive.
• Associate a Knox license with this profile: Pass the Knox license key directly to the intended
device for easier Knox profile configuration.
8. Click CREATE to create the device admin supported profile configuration for Android (Legacy). To
view the created MDM profile, navigate to MDM Profiles on the Knox Mobile Enrollment Portal.
Creating MDM profiles for Android Enterprise devices

To create MDM profiles for the Device Owner profile type, complete the following steps:
2. In the upper-right corner of the “MDM Profiles” page, click CREATE PROFILE.
3. On the “Select profile type” page, click DEVICE OWNER.
4. On the “Device Owner profile details” page, enter the following basic information for the device
owner profile.
• Profile Name: Enter an appropriate profile name to distinguish it from others with similar
attributes. Special characters are not permitted.
• Description: Enter a profile description (200 characters maximum) to further differentiate this
profile from others.
5. Enter the following MDM information for the device owner profile.
• Pick your MDM: Select the specific Knox Manage MDM profile assigned the device owner
privilege.
• MDM Agent APK: Enter the Knox Manage APK link information stated in the following table.
The application will be automatically installed on the device when it is connected to the
internet.
Region Domain
Asia http://install-ap.manage.samsungknox.com/KnoxManageEMMService.apk
US http://install-us.manage.samsungknox.com/KnoxManageEMMService.apk
EU http://install-eu.manage.samsungknox.com/KnoxManageEMMService.apk
Device 110
• MDM Server URI: enter the Knox Manage server for the applicable region as stated in the
following table:
Region Domain
Asia https://ap01.manage.samsungknox.com
US https://us01.manage.samsungknox.com
EU https://eu01.manage.samsungknox.com
Depending on a tenant, you may have to change a domain URI. Refer to your prefix server address of
the Knox Manage Admin Portal, and then enter that value in the MDM Server URI. For example, if your
server address is https://ap02.manage.samsungknox.com/emm/admin/login.do, your MDM Server URI
should be https://ap02.manage.samsungknox.com
Note Once you have created a MDM profile, you cannot change the MDM server URI.
6. Click CONTINUE.
7. On the “Device Owner profile settings” page, set the following MDM configuration settings.
• Custom JSON Data (as defined by MDM): Enter the tenant information including the TenantId
and TenantType in the java script object notation (JSON) format, as in {”TenantId”:”YOUR_
TENANT”, ”TenantType”:”M”}.TenantId refers to the name of your Knox Manage
company account. It occurs after @ in your Knox Manage Username. For example, your
JSON data entry may be used as follows: {”TenantId”:”knoxteam.samsung.com”,
”TenantType”:”M”}. For more information about JSON and related technology, go to http://
json.org.
• Dual DAR: Secures the KME enrollment data with two layers of encryption, even when the
device is powered off or in an unauthenticated state.
Note The Dual DAR function is only supported on devices running Knox version 3.4 or higher.
–– Enable Dual DAR: Enable the Dual DAR function. If the Dual DAR function is enabled, click the
checkbox next to Use3rd party crypto app and click ADD PACKAGE NAME AND SIGNATURE
to enter the package name and signature for using the 3rd part crypto app.
8. Set the following devices settings.
• System apps: Select the system application settings.

–– Disable system applications: Disable all applications to the device owner supported profile.
–– Leave all system applications enabled: Enable all applications on the device owner
supported profile. If this option is not selected, only the default applications and the Knox
Manage application are installed on the user devices.
Device 111
• Privacy Policy, EULAs and Terms of Service: Click Samsung Knox Privacy Policy to view the
specific privacy policy text displayed to devices users based on their geographic region.
–– ADD LEGAL AGREEMENT: Enter the agreement title and agreement text.
• Company name: Enter the MDM organization name displayed at the time of device enrollment.
9. Click CREATE to create a device owner supported profile configuration for Android Enterprise. To
view the created MDM profile, navigate to MDM Profiles on the Knox Mobile Enrollment Portal.
Modifying MDM profiles

To modify an MDM profile, complete the following steps:
2. On the profile list, click the checkbox next to the profile name to modify its information.
3. Modify the selected profile information, and then click SAVE.
Note Once you have created an MDM profile, you cannot change the MDM server URI.
Registering devices to the Knox Mobile Enrollment Portal

Depending on the device purchase type, you can register devices to the Knox Mobile Enrollment
Portal using the following methods
• Knox Reseller Portal: For devices purchased from approved Samsung resellers
• Samsung Knox Deployment App (NFC tagging): For devices purchased from third-party resellers,
or for the purpose of testing
For devices purchased from approved Samsung resellers

If the devices were purchased from approved Samsung resellers, you can register the devices to the
Knox Mobile Enrollment Portal using the Knox Reseller Portal. For more information on using the
Knox Reseller Portal and how to register devices, see the Knox Reseller Portal Admin Guide (https://
docs.samsungknox.com/samsung-reseller-guide/Content/manage-devices.htm) and follow the
instructions.
After the devices are registered successfully, on the Knox Mobile Enrollment Portal, navigate
to Devices > UPLOADS to view the registered device information with the reseller’s information
including the registration date and the number of devices, IMEI information, and applied profiles.
For devices purchased from third-party resellers

To register devices purchased from third-party resellers or for the purpose of testing to the Knox
Mobile Enrollment Portal using the Samsung Knox Deployment app through NFC tagging, complete
the following steps:
Device 112
Note The user information must be registered in the Knox Mobile Enrollment Portal to register the
devices. For more information on how to add device users, see Adding new device users.
1. Download the “Samsung Knox Deployment” app from the Google Play Store on your device and
install it.
2. Run the “Samsung Knox Deployment” app on your device.
3. On the login screen, enter your Knox Mobile Enrollment Portal user ID and password, and then tap
SIGN IN.
4. Tap ENROLL VIA NFC.
Note The NFC mode on your device must be turned on for NFC tagging.
5. On the “Get started” screen, tap START.
6. Select a desired MDM profile to apply, and then tap NEXT.
7. Tag the user device to your device. To view the information of the registered devices on the Knox
Mobile Enrollment Portal, navigate to Devices > UPLOADS.
Assigning MDM profiles and user credentials

After the devices are registered in the Knox Mobile Enrollment Portal, assign the MDM profiles and
user credentials to the registered devices. You can assign them to the registered devices either
individually or in bulk using a CSV file.
Individual Assignment
To assign MDM profiles and user credential to a registered device individually, complete the following
steps:
1. On the Knox Mobile Enrollment Portal, navigate to Devices.
2. At the top of the “Devices” page, click the ALL DEVICES tab.
3. On the device list, click the checkboxes next to IMEI information to assign an MDM profile and
user credential to them. Alternately, you can also click the checkboxes next to IMEI information,
and then click ACTIONS > Configure devices.
Note The device windows appear differently depending on how many devices on the list you select.
Device 113
4. On the “Device Details” or “Configure selected devices” window, enter the following device
information.
• “Device Details” window (When configuring a single selected device)

–– MDM Profiles: Select the desired MDM profile from the drop-down list to assign it to the
selected device.
–– Tags: Enter a tag to use when searching for specific devices.
–– User ID: Modify the Knox Manage user ID.
–– Password: Modify the Knox Manage user password.
• “Configure selected devices” window (When configuring two or more selected devices)
–– Modify the MDM profile of selected devices: Select the desired MDM profile from the drop-
down list to assign to the selected device.
–– Add tags to selected devices: Enter a tag to use when searching for specific devices. Click
the checkbox next to Overwrite existing tags if you want to use the newly entered tag to
overwrite existing tags.
–– User credentials: Select one of the following options for the user credentials of devices from
the drop-down list.
–– Keep current credentials: Maintain the existing user credential information for the
selected devices.
–– Clear user credentials: Remove the existing user credential information for the selected
devices.
–– Overwrite user credentials: Modify the user ID and password.
5. Click SAVE to save the modified device details. The device status changes to Profile assigned. To
update the device status, click .
Bulk Assignment
You can assign the MDM profiles and user credentials for up to 10,000 registered devices at once.
To assign MDM profiles and user credential to a registered device individually, complete the following
steps:
2. On the “Devices” page, click ALL DEVICES > ACTIONS > Download devices as CSV at the bottom
of the page to download the kme_devices.csv file.
3. Open the downloaded CSV file and enter the information in the columns of the Excel file, and then
save the file as a .csv file.
4. At the left bottom of the Knox Mobile Enrollment Portal, click BULK ACTIONS.
5. On the “Bulk actions” page, click View instructions in the BULK CONFIGURE section to read the
instructions to ensure the CSV file is completely filled out, and the click GOT IT.
6. On the “Bulk configure” page, click BROWSE, and then select the saved .csv file.
Device 114
7. In the “(Optional) Configure profiles and tags” area, enter the following information.
• Modify the MDM profile of selected devices: Select the desired MDM profile from the drop-
down list to assign it to the selected devices.
• Tags: Enter a tag to use when searching for specific devices. Click the checkbox next to
Overwrite existing tags if you want to use the newly entered tag to overwrite existing tags.
8. Click SUBMIT. To view the bulk-added information, navigate to Devices > ALL DEVICES.
Adding new device users

You can add a new device user to the list of existing users.
To add a new device user, complete the following steps:
1. On the Knox Mobile Enrollment Portal, navigate to Device Users.
2. On the “Device Users” page, click ADD DEVICE USERS to add a new device user.
3. On the “Add device user” window, enter a user ID and password to create unique KME device user
credentials.
Note The user ID and password should both be the credentials of the Knox Manage.
4. Click ADD to add new device user.
Unenrolling KME devices

To disable the use of KME devices, you must unenroll them in the Knox Manage Admin Portal, and
then delete them in the Knox Mobile Enrollment Portal. For more information about how to unenroll
enrolled devices in the Knox Manage Portal, see Unenrolling devices.
To delete the KME devices, complete the following steps:
2. On the “Devices” page, click the ALL DEVICES tab.
3. On the device list, click the checkboxes next to the IMEI information to delete the registered
device, click ACTIONS > Delete devices.
4. In the “Delete devices” window, click DELETE. The selected devices will be deleted from the KME
Portal.
Note Once a device is deleted from the KME Portal, the device is permanently removed from the
system.
Device 115
Using Zero Touch Enrollment (Android Enterprise devices only)
Zero Touch Enrollment (ZTE) allows you to quickly and easily enroll a large number of corporate-
owned Android Enterprise devices for non-Samsung devices. Once the devices are registered to
the ZTE Portal, the devices are automatically enrolled when users connect to the Internet and log
in to Knox Manage. Even if you reset the devices enrolled by ZTE, the Knox Manage application is
reinstalled automatically and the devices are re-enrolled in to Knox Manage.
ZTE provides the following advantages:
• Enrolls a large number of devices in bulk without having to manually enroll each device.
• Allows the ZTE devices to automatically install the Knox Manage application when the ZTE devices
are reset.
• Prevents unauthorized devices from joining your EMM environment to enhance your security.
• Allows resellers to add devices to the ZTE Portal.
To enroll devices using ZTE, the following procedures must be performed.
Log in to
Create Knox
the Zero Touch Enrollment
Manage configurations
Portal.
Log in to Knox Manage Assign Knox

for enrollment. Manage configurations
to ZTE devices.
Note For more information about ZTE, refer to the https://www.android.com/enterprise/management/

zero-touch/#partners.
Before using Zero Touch Enrollment (ZTE)

To use Zero Touch Enrollment (ZTE) properly, the following must be prepared:
• Make sure that the devices are compatible with ZTE from the list of Android Zero Touch Devices at
https://androidenterprisepartners.withgoogle.com/devices/#!#Zero-touch.
• Prepare a device from the following carrier or reseller to use ZTE:

–– Zero touch reseller partner
–– Google partner and not from a consumer store.
Device 116
• Make sure the devices are running on Android Oreo (8.0 and later) or a Pixel phone with Android
Nougat (7.0).
• Sign up for a Google account associated with the corporate email. A personal Gmail account
cannot be used. To create a Google account for the corporate, visit the Google website at https://
accounts.google.com/signup/v2/webcreateaccount?flowName=GlifWebSignIn&flowEntry=SignUp
&nogm=true.
• Before enrolling devices using Android Enterprise’s Fully Managed Device, make sure the devices
are running on Samsung Galaxy S8 and Android 5.0 (Lollipop) or above. For more information
about Android Enterprise, visit the Android website at https://www.android.com/enterprise/.
Logging in to the Zero Touch Enrollment (ZTE) Portal

You can log in to the Zero Touch Enrollment (ZTE) Portal using the Google account with the corporate
email.
To log in the ZTE Portal, complete the following steps:
1. Visit the ZTE Portal at https://partner.android.com/zerotouch.
2. Enter your Google account information and then click NEXT to log in to the ZTE Portal. Once you
have logged in to the ZTE Portal, the following navigation pages are provided on the ZTE Portal.
• Configurations: Create, modify, and delete Knox Manage configurations.

• Devices: Displays the registered device list. You can assign also apply the created Knox
Manage configurations to the selected devices on the list.
• Users: Add, modify, or delete the users who can access and manage the portal.
• Resellers: Add resellers to share your account with multiple resellers.
Creating Knox Manage configurations

To create Knox Manage configurations, complete the following steps:
1. On the Zero Touch Enrollment (ZTE) Portal, navigate to Configurations.
2. On the “Configurations” page, click .
3. In the “Add a new configuration” window, enter the following information.
• Configuration name: Enter a configuration name.

• EMM DPC: Select Samsung Knox Manage from the EMM DPC dropdown list.
• DPC extras: Enter the JSON data (Samsung Knox Manage DPC extras) as follows.
Device 117
{
“android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED”:true,
“android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE”: {
“ServerUrl”: “Your Server Url”,
“TenantId”: “Your Knox Manage Tenant ID”,
“TenantType”: “M”,
“Method”: “ZeroTouch”
}
}
Note Enter the server URL of the DPC extras for the applicable region as stated in the following table:
Region Domain
Asia https://ap01.manage.samsungknox.com/emm
Asia (India only) https://ap02.manage.samsungknox.com/emm
US https://us01.manage.samsungknox.com/emm
EU https://eu01.manage.samsungknox.com/emm
• Company Name: Enter the name of your organization. It will be displayed on the user’s device
during enrollment.
• Support email address: Enter a corporate IT admin email address. It will be displayed on the
user’s device during enrollment, and it can be used to contact the IT admin in case of any
enrollment issues.
• Support phone number: Enter a corporate IT support phone number. It will be displayed on
the user’s device during enrollment, and it can be used to contact the IT admin in case of any
enrollment issues.
• Custom message: Enter an optional message to be displayed on the device screen during
enrollment.
4. Click Add to create a new Knox Manage configuration.
Device 118
Assigning Knox Manage configurations to ZTE devices
Once Zero touch reseller partners have registered devices in the Zero Touch Enrollment (ZTE) Portal,
assign the newly created Knox Manage configurations to the devices. You can assign them to the
registered devices either individually or in bulk using a CSV file.
Individual Assignment
To assign a Knox Manage configuration to a device individually, complete the following steps:
1. On the Zero Touch Enrollment (ZTE) Portal, navigate to Devices.
2. On the “Devices” page, select the devices to which configurations are to be applied to on the
device list, and then, under Configuration, against the selected devices, the Knox Manage
configuration which you have created previously.
Bulk Assignment
To assign Knox Manage configurations to multiple devices at once using a CSV file, complete the
following steps:
2. On the “Devices” page, click > Download results as .csv to download the CSV file, and then
enter the device information in the CSV file.
• Open the CSV file and fill out the following fields in the file.
Field Example Description
This field should be always set as IMEI in uppercase

modemtype IMEI
characters.
modemid 123456789012347 Enter the IMEI number of the device.
serial ABcd1235678 Enter the serial number of the device.
model VM1A Enter the model name of the device.
manufacturer Google Enter the name of the device manufacturer.
This field should always be set as ZERO_TOUCH in

Profiletype ZERO_TOUCH
uppercase characters.
Enter the numeric ID of the configuration you want to apply

to the device. To see the configuration ID, check the table's
Profileid 54321
ID column on the “Configurations” page. To remove the
device from zero-touch enrollment, enter 0 (zero).
3. On the “Devices” page, click > Upload batch configurations, and then select the saved .csv
file to upload it. All the devices in the CSV file will be assigned to the specific Knox Manage
configuration.
Device 119
Logging in to Knox Manage for enrollment
After the Knox Manage configuration is assigned to ZTE devices, log in to Knox Manage to enroll the
devices.
To log in to Knox Manage for enrollment, complete the following steps:
1. Turn on the factory-reset device, and then tap Start on the Zero Touch Device Enrollment screen.
2. On the “Connect to mobile network” screen, insert a sim card or tap Skip.
3. On the “Connect to mobile network” screen, tap an available Wi-Fi network to connect to a
network. The device will check for updates.
4. On the “Set up your device” screen, read the privacy policy of Knox Manage and Google, and then
tap Accept & continue. The device will get account information for Knox Manage.
5. On the “Google Services” screen, tap Accept. The Knox Manage application will be installed and
launched automatically on the device.
and then tap SIGN IN to sign in to Knox Manage.
7. On the Knox Manage terms and agreements screen, read the terms of use, privacy policy, and end-
user license agreement, tap the checkbox next to Agree all, and then tap NEXT.
8. On the “Display over other apps” page, if required, tap All display over other. The device will be
registered and enrolled in the Knox Manage Admin Portal.
Deleting ZTE devices from the Zero Touch Enrollment (ZTE) Portal
You can delete devices from the ZTE Portal if you are required to transfer ownership. You can delete
one device at a time by selecting devices in the ZTE Portal.
To delete devices from the ZTE Portal, complete the following steps:
Note After you delete a device, you need to contact your reseller if you want to register the device in the
ZTE Portal again. Consider removing the Knox Manage configuration, if you want to temporarily
exclude a device from the ZTE Portal.
2. On the “Devices” page, select the device you want to remove, and then click DEREGISTER.
3. In the “Deregister device?” window, click DEREGISTER to delete the devices from the ZTE Portal.
Device 120
Using the Apple Device Enrollment Program (iOS devices only)
The Apple Device Enrollment Program (DEP) allows you to quickly and easily enroll a large number of
organization-owned Apple devices. Devices added by DEP will be enrolled automatically without user
intervention with the configured device management profiles.
Note Apple has announced a new consolidated platform, Apple Business Manager. Please visit https://
support.apple.com/business and find out more about the way to upgrade from DEP.
To enroll devices using DEP, the following procedures must be performed.
Issuing a DEP token Registering iOS devices

issued by Apple. to the Apple Business
Manager website.
Log in to Knox Manage

Setting DEP profiles.
for enrollment.
Before using the Apple Device Enrollment Program

To use the Apple Device Enrollment Program (DEP) properly, the followings must be prepared:
• Prepare a device from an Apple store, Apple theorized reseller, or carrier.

• Make sure the devices are iOS 9.0 or later.
• Register for an Apple Business account in Apple Business Manager or upgrade from DEP. To find
out more about upgrading from DEP to ABM, visit https://support.apple.com/en-us/HT208817.
Device 121
Issuing a DEP token
To use Apple Device Enrollment Program (DEP), you must request for a DEP token issued by Apple
through a public key, and then set up DEP in the Knox Manage Admin Portal.
To issue a DEP token and set up DEP, complete the following steps:
1. Navigate to Setting > iOS > DEP Server Setting. If you have issued a DEP token before, the
previously issued DEP token’s information and its expiration date are displayed.
2. On the “DEP Server Setting” page, click Download Public Key to download a public key in the .pem
format required to create a new MDM server in the Apple DEP Portal.
3. Visit the Apple Business Manager website at https://business.apple.com.
4. Sign in using your Apple Business account, and then enter the 6-digit verification code sent to the
mobile device registered to your Apple ID.
• The start window of the ABM site will appear.

5. On the Apple Business Manager website, navigate to Settings > Device Management Settings at
the bottom of the site, and then click Add MDM Server on the right of the screen.
6. Configure the MDM server settings, upload the public key file in the .pem format downloaded from
the Knox Manage Admin Portal, and then click Save.
7. Click Download Token on the right of the screen and download the Apple token file in the .p7m
format on to the computer.
Note Using a single token to enroll the DEP devices for one company is recommended.
8. On the “DEP Server Setting” page of the Knox Manage Admin Portal, click Upload DEP Token and
then select the DEP token file with .p7m format downloaded from ABM.
9. Click OK. If the DEP token file is uploaded successfully, the authentication processes between the
Knox Manage server and the Apple’s DEP server is completed.
10. Click Set Default Profile to set up a profile to be assigned to the DEP devices by default, and then
click OK.
Note For more information on setting a general profile, see Setting DEP profiles.
11. Click Set DEP Device Sync Interval to set the sync interval of DEP devices.
Device 122
Registering DEP devices
After the Device Enrollment Program (DEP) server is all set up, register iOS devices with the MDM
server in the Apple Business Manager website.
To register iOS devices in the Apple Business Manager website, complete the following steps:
1. Visit the Apple Business Manager website at https://business.apple.com, and then enter your
Apple ID and password to log in.
2. On the Apple Business Manager website, navigate to Device Assignments to assign iOS devices
to the MDM server you have already created.
3. Select the method for registering iOS devices from Choose Devices:
• Assign Device by Serial Number: Enter a list of device serial numbers to register the iOS device.
• Assign Devices by Order Number: Enter the Apple Purchase Order number so that the devices
are added automatically.
• Upload a .csv File: Upload a .csv file that includes the serial numbers.
4. Select Assign to Server as Action, and then select the MDM server group.
5. Click Done. If the iOS devices are registered successfully in the Apple DEP, navigate to View
Assignment History to view the registered device information and its assignment history.
Device 123
Setting DEP profiles
After the iOS devices are registered to the Apple Business Manager website, you must set the DEP
profile to be assigned to the devices through the Knox Manage Admin Portal.
The DEP profile is applied to the DEP devices when the DEP devices are enrolled.
To set a DEP profile, complete the following steps:
1. Navigate to Setting > iOS > DEP Server Setting.
2. On the “DEP Server Setting” page, click Set DEP Default Profile.
3. On the “Set DEP profile” window, set the following items in the DEP profile:
• Supervised Mode: Click the checkbox next to Apply to enable the supervised mode that is only
available on iOS devices and must be applied to the DEP devices.
–– Delete MDM profile: Click the checkbox next to Allow to allow users to delete the MDM
profile.
–– Supervising host certificate list: Click Add to add the registered certificate to the Apple
device you want to pair with the DEP devices.
• Pairing: Click to allow other Apple devices to pair with the DEP devices.
• Skip Settings: Select the items that appear during the device setup process after users turn on
their DEP devices for the first time. If the items are checked, they do not appear on the window.
4. Click Save to save the set DEP profile.
Assigning users to DEP devices

After the DEP devices are enrolled, you can assign users to them.
To assign users, complete the following steps:
1. Navigate to Setting > iOS > DEP Device Management.
2. On the “DEP Device Management” page, click the checkbox for a device you want to assign the
user to.
3. Click Assign User.
• Click Unassign User to remove the user assignment from the device. The device must be
unenrolled before unassigning the user.
4. On the “Select User” window, click the user you want to assign to the device, and then click OK.
After the user is successfully assigned, you can send device commands just as you would with
other devices controlled by Knox Manage.
Device 124
Managing DEP devices
In the Knox Manage Portal, the DEP devices registered in the Apple Device Enrollment Program (DEP)
are managed. You can synchronize with the DEP server in the Apple Business Manager website to
update the DEP device list in the Knox Manage Portal, modify and assign DEP profiles, and control
DEP devices.
Viewing the DEP device details

To view the DEP device details in the Knox Manage Portal, complete the following steps:
2. On the “DEP Device Management” page, click the serial number of the desired DEP device on the
list to view its details.
3. In the “Device Detail” window, view the selected DEP device information.
Synchronizing with the DEP server

To synchronize with the DEP server and the Apple Business Manager website to update the DEP
device list in the Knox Manage Portal, complete the following steps:
2. On the “DEP Device Management” page, click Sync DEP to synchronize with the DEP server.
3. On the “DEP device sync” window, click OK. The DEP device list in the Knox Manage Portal will be
updated.
Note If the server token has expired, you can no longer update the DEP device list.
Modifying and assigning the DEP profiles

To modify and assign DEP profiles to DEP devices, complete the following steps:
2. On the “DEP Device Management” page, click the checkboxes next to the DEP devices on the DEP
device list, and then click Set DEP profile to modify the DEP profile.
3. On the “Set DEP profile” window, modify the desired DEP profile items, and then click Save to save
the set DEP profile and return to the “DEP Device Management” page. For more information on
setting the DEP profiles, see Setting DEP profiles.
4. Click Sync DEP to synchronize with the DEP server to update the DEP device list. The modified
DEP profile will be assigned to the DEP devices.
Device 125
Unenrolling DEP devices
If you want to use DEP devices as general iOS devices or if the DEP devices are no longer required,
you can unenroll the DEP devices in the Apple Business Manager website.
To unenroll DEP devices, complete the following steps:
1. Visit the Apple Business Manager website at https://business.apple.com, and then enter your
Apple ID and password to log in.
2. On the Apple Business Manager website, navigate to Settings > MDM Servers.
3. On the “Server Details” page, click an MDM server to disable and delete it, and then click Edit >
Delete MDM Server.
4. In the popup window, click OK. All the DEP devices on the MDM server will be deleted.
Note To delete the MDM server and relocate the DEP devices on this server, select Reassign Devices
from the drop-down list. Then, select a different MDM server where you want to relocate the MDM
devices to and click Delete.
5. On the Knox Manage Portal, Navigate to Setting > iOS > DEP Device Management.
6. On the “DEP Device Management” page, click Sync DEP to synchronize with the DEP server.
7. In the “DEP device sync” window, click OK. The DEP device list in the Knox Manage Portal will be
updated according to the DEP server, and the DEP devices on the DEP server in the Knox Manage
Portal will be deleted.
Device 126
Managing devices
You can change the device’s status or send device commands to manage the devices registered in
Knox Manage.
Unenrolling devices
You can unenroll the devices registered in the Knox Manage server. The methods for unenrollment
differ depending on the device type.
To delete the Work Profile from Android Enterprise devices or delete Knox Manage from Fully
managed devices, send the Unenroll service command to devices.
Note When you unenroll Fully Managed or the Fully Managed with Work Profile devices, the devices will
be factory reset and the microSD cards of the devices with Android 7.0 (Nougat) - 8.0 (Oreo) can
be wiped. Please be cautious of potential data loss.
To simply change a logged in user’s details, send the Delete account command, and then allow the
user to log in again.
Unenrolling connected devices

To unenroll devices that are connected to the server, complete the following steps:
2. On the “Device” page, click a checkbox for a device you want to unenroll.
3. Click Unenroll.
4. In the “Unenroll Device” window, click OK.
Device 127
Unenrolling disconnected devices
When a device is unable to communicate with the server, you can send an offline unenrollment code
to the device. Then, the user can change the device’s status manually and unenroll the device.
To unenroll devices that are offline, complete the following steps:
2. On the “Device” page, click a checkbox for a device you want to unenroll.
3. Click Unenroll.
4. In the “Unenroll Device” window, check the Offline Unenrollment Code.
5. Click Force Unenroll.
• The unenrollment device command will be sent to the device.

6. Inform users of the use of the offline unenrollment code from step 4.
• When the user enters the received offline unenrollment code, the device will become
unenrolled, corresponding to its status on the server.
Note You can choose to delete the internal applications installed on Android devices and all of the
applications installed on devices with iOS 9.0 or above upon unenrollment.
To set automatic deletion, navigate to Setting > Configuration > Basic Configuration > Device, and
then set Delete App upon Unenrollment to Yes.
Allowing the users to unenroll their devices

If a device is connected to a network and can establish communication with the server, then users
can unenroll the devices by uninstalling the agent.
To allow the user to uninstall the agent, complete the following steps:
1. Navigate to Setting > Knox Manage Agent Policy.
2. On the “Knox Manage Agent Policy” page, click the ”Default” tab.
• You can also add more agent policy sets by clicking .
3. Set the Allow Unenroll Request policy to Allow.
4. Click Save & Apply.
Device 128
Sending device commands to devices
You can send device commands to enrolled devices by user, organization, group, or device and
control them remotely. For devices with Knox Workspace or Work Profile, you can select the tab
of the area on the top you want to send a device command to. Available device commands vary
depending on the device type. For more information on each device command, see the list of device
commands.
Note In general, device commands take a higher priority than profile policies. However, policies take
a higher priority than the following device commands: Install, Run, Uninstall, Locate the current
position, and Reset SD Card. For more information, see the list of device commands.
To send device commands, complete the following steps:
2. On the “Device” page, click the checkbox next to the device name to send a device command to,
and then click Device Command.
3. In the “Device Command” window, select the desired device command.
• For devices that have a Knox Workspace, click the target area between General and KNOX -
LightWeight Knox.
• For Fully Managed with Work Profile devices, click a target area between Fully Managed Device
and Work Profile.
Checking device commands in request

Check device commands that have not been sent successfully due to network or system issues. You
can resend the device commands in request or delete them individually or altogether. You can also
download all device commands in queue as an Excel file.
Note If no device command has been sent within the past six hours of restarting the device, then Knox
Manage Agent requests the server for a device command and can have it resent to the device.
Device 129
To check the device commands in request and resend or delete them individually or altogether,
complete the following steps:
1. Navigate to History > Device Command in Request.
2. Enter a request date, and user ID or mobile ID, and then click Search.
3. View the information of the device commands that have been found.
• To resend the device commands in request, click the checkboxes of the device commands to
resend, and then click Re-Request.
• To delete the device commands in request, click the checkboxes of the device commands to
delete, and then click Cancel Request.
Note To set the Knox Manage server to resend the device commands in request automatically, navigate
to Setting > Configuration > Basic Configuration, and then set the number next to Daily retries for
device commands in request.
Viewing device command history

You can view the device command history and related audit logs by date. You can also view the
details about the results of device commands, and collect the device control audit logs for each
event. For more information about audit log items, see Viewing audit logs.
To view the device command history, complete the following steps:
2. On the “Device” page, click a device name or a tag.
3. On the “Devices Detail” page, click the “Command History” tab.
4. Click a command name to view the audit result of the device command.
Note To view the device command logs by each platform, navigate to History > Group Command
History, enter a request date and a group ID or organization name, click Search, and then click a
group or organization name.
Device 130
List of device commands: Android Enterprise
The available device commands vary depending on the Android Enterprise manage types. For Fully
Managed with Work Profile devices, you can select either Fully Managed or Work Profile to send
device commands to.
Device
Device command Description
Sends the latest profile and application information to the device and
Apply Latest Profiles
controls the device with the profile and information.
Enable EAS (Samsung Email

Allows using Exchange ActiveSync for Samsung Email application.
App Only)
Disable EAS (Samsung

Disallows using Exchange ActiveSync for Samsung Email application.
Email App Only)
Locks a device. You can enter a reason for locking the device and a phone
number to contact when the device is lost. The entered information
appears on the locked device screen.
Lock Device
Note For non-Samsung Android devices, this policy supports only
the devices with Android 8.0 (Oreo) and lower.
Unlocks a device.
Unlock Device Note For non-Samsung Android devices, this policy supports only
the devices with Android 8.0 (Oreo) and lower.
Locks the device screen. If the device's screen is password-locked, then

Lock Screen
the user needs to enter the password to access the screen again.
Performs factory reset and changes the device status to Unenrolled.
• Initialize SD Card when factory reset: Click the checkbox to initialize the
SD card during a factory reset.
Factory Reset
• Deactivate Factory Reset Protection: This only appears when the profile
is applied with the Factory Reset Protection policy or when you send a
device command to multiple devices. Click the checkbox to perform a
factory reset without the Factory Reset Protection policy.
Turns off the device.
Power Off Device Note Only Samsung Galaxy devices are supported except the
devices with Android 10 (Q).
Reboot Device Reboots the device.
Device 131
Resets the device’s screen lock password and creates a temporary

password. After sending the device command, the temporary password
Reset Screen Password that can be found on the device’s detailed information page will be
delivered to the user. For more information, see the screen lock password
in Viewing the device details.
Initializes the external SD card of the device.
Note For devices whose External SD Card policy is set to

Reset SD Card Disallowed in the profile, you cannot reset the SD card using
the device command, because the policy takes a higher
priority than the device command.
Resets data usage among the Android device's inventory information.
• Wi-Fi transfer data (in/out)

Reset Data Usage • Network transfer data (in/out)
Note Only Samsung Galaxy devices are supported except the
devices with Android 10 (Q).
Resets the number of call(s) and number of missed call(s) among Android
device’s inventory information,
Reset Number of Calls
• Number of call(s)
• Number of missed call(s)
Deletes certificates installed by Knox Manage. You can select a certificate
Delete a CA Certificate
to delete.
Deletes certificates installed by the administrator. You can select a

Delete a User Certificate
certificate to delete.
Delete a User Install

Deletes all the certificates installed by the administrator.
Certificate
Application
Installs or updates applications on a device.

In the “Request Command” window, select an application to be installed or
updated.
Install or Update App
Note The Application installation blacklist/whitelist policies take a
higher priority than device commands.
Device 132
Deletes applications from a device.

In the “Request Command” window, select an application to be uninstalled.
Uninstall App
Note The Application uninstallation prevention list setting policy
takes a higher priority than device commands.
Apply Latest internal App Sends the latest internal application information and updates the device
Information according to the information.
Knox Manage
Sends a push message to the device.

In the “Push Notification” window, enter the title and content of the
message to send. You can also select between Notification and Pop up
for the send type.
Push Notification
Note • If the device is locked, you must unlock it to view pop ups.
• Pop ups may not appear on Work Profile (PO) devices with
Android 10 (Q) or a higher version.
Unenroll Device Unenrolls a selected device on the device list.
Update License Updates the license of a selected device on the device list.
Updates the Knox Manage Agent on the device for a new patch or version.
Update Knox Manage The agent information registered in the Knox Manage server is sent to a
device. The device automatically selects the appropriate agent to request
installation files from the server.
Updates the device user information such as the user activation status/
username/user settings (Secure Browser website URL information,
Update User Information bookmark information) and license information.
If the user is logged out from the enrolled device, you can send this device
command to enable the user to log in to Knox Manage automatically.
Locks the Knox Manage Agent.

When the application is locked, the users have to enter the screen lock
Lock Screen of Knox password which was configured during installation. If a user forgets the
Manage Agent password of Knox Manage Agent screen lock, you can send the Delete
Account command and make the user logged out from the Knox Manage
Agent. Then, the user can set the password again upon login.
Unlock Knox Manage Agent Unlocks the Knox Manage Agent.
Delete Account Deletes the account registered in the Knox Manage Agent.
Device 133
Exits the Kiosk mode without unenrollment. You can find the status of the
Exit Kiosk
Kiosk mode in the Security tab on the Device Detail page.
Collects the Knox Manage audit logs of the device. When the log size
Collect Audit Log exceeds the maximum size, logs are automatically sent to the server, but
the log file may be lost. For more detailed information, see Viewing audits.
Collect Device Log Collects the logs of devices.
Collects a device log to diagnose the cause of device lock.

Collect Diagnosis
Note Personally identifiable or sensitive information will be data
Information
masked.
Device Info.
Shows the current location of the device.
Collect current location To view the location of a device after sending a device command,
navigate to Device, click the checkbox for the device, and then click Check
Location.
Updates the inventory and application information on the device.
Sync Device Information To view the updated information after sending the device command,
navigate to Device, click a device name or tag, and view the information on
the “Device Detail” page.
Updates the information of installed applications.
Sync Installed App List To view the list of installed applications after sending a device command,
navigate to Device, click a device name or tag, and click the “Application”
tab.
Authenticate SIM Card Authenticates the SIM card on a device.
Authenticate SD Card Authenticates the external SD card on a device.
Checks if a device’s OS has been compromised. The result can be found

Attestation
from the device details.
List of device commands: Android Legacy/Knox Workspace

The available device commands vary depending on device manage type. For Android Legacy
with Knox Workspace devices, you can select either the General or KNOX area to send the device
command to.
Device 134
Device
Enable EAS (Samsung Email

Allows using Exchange ActiveSync for Samsung Email application.
App Only)
Disable EAS (Samsung

Disallows using Exchange ActiveSync for Samsung Email application.
Email App Only)
Locks a device. You can enter a reason for locking the device and a phone
number to contact when the device is lost. The entered information
appears on the locked device screen.
Lock Device
Note • For non-Samsung Android devices, Android 8.0 (Oreo) and
lower are only supported.
• Android 10 (Q) devices are not supported.
Unlocks a device.
Unlock Device
Note • For non-Samsung Android devices, Android 8.0 (Oreo) and
lower are only supported.
• Android 10 (Q) devices are not supported.
Locks the device screen. If the device's screen is password-locked, then

Lock Screen
the user needs to enter the password to access the screen again.
Factory Reset Performs factory reset and changes the device status to Unenrolled.
Turns off the device.

Power Off Device
Note Android 10 (Q) devices are not supported.
Reboot Device Reboots the device.

that can be found on the device’s detailed information page will be
Reset Screen Password delivered to the user. For more information, see the Knox password in
Note Android 9.0 (Pie) devices are not supported.
Initializes the external SD card of the device.
Note For devices whose External SD Card policy is set to

Reset SD Card Disallowed in the profile, you cannot reset the SD card using
the device command, because the policy takes a higher
priority than the device command.
Device 135
Resets data usage among the Android device’s inventory information.
• Wi-Fi transfer data (in/out)

Reset Data Usage • Network transfer data (in/out)
Note Android 10 (Q) devices are not supported.
Resets the number of call(s) and number of missed call(s) among Android
device’s inventory information.
Reset Number of Calls
• Number of call(s)
• Number of missed call(s)
Application
Installs or updates applications on a device.

In the “Request Command” window, select an application to be installed or
updated.
Install or Update App
Runs applications on a device.

In the “Request Command” window, select an application to be run.
Run App
Note The Application running blacklist/whitelist policies take a
Stops applications on a device.

Stop App
In the “Request Command” window, select an application to be stopped.
Deletes data from applications.

Delete App data
In the “Request Command” window, select an application to be deleted.

Uninstall App
Device 136
Knox Manage
Sends a push message to the device.

message to send. You can also select between Notification and Pop up
for the send type.
Push Notification
Note • If the device is locked, you must unlock it to view pop ups.
• Pop ups may not appear on Android Legacy devices with
Android 10 (Q) or a higher version.
Update License Updates the license of a selected device on the device list.
Updates the Knox Manage Agent on the device for a new patch or version.
Update Knox Manage The agent information registered in the Knox Manage server is sent to a
device. The device automatically selects the appropriate agent to request
installation files from the server.

Exits the Kiosk mode without unenrollment. You can find the status of the
Exit Kiosk
Kiosk mode in the Security tab on the Device Detail page.

Collect Diagnosis
Information
masked.
Device 137
Device Info.
Location.

To view the updated information after sending the device command,
Sync Device Information the “Device Detail” page.
Note For iOS devices, only the hardware status is updated.
tab.
Authenticate SIM Card Authenticates the SIM card on a device.
Authenticate SD Card Authenticates the external SD card on a device.
Checks if a device’s OS has been compromised. The result can be found

Attestation
from the device details.
Container
Only the Workspace area of Knox Workspace is supported.
Locks the Knox Workspace. Users cannot access the Knox Workspace
Lock Knox Workspace
unless you unlock it by sending this command.
Unlock Knox Workspace Unlocks the Knox Workspace.
Resets the Knox Workspace password. When the user forgets the Knox
Workspace password, this command is sent to reset the password.
Note Depending on the Android OS version, the process to re-

configure the new password may differ. For Android 8.0
Reset Knox Workspace (Oreo) or higher, the user will receive a temporary password
Password after Knox Manage authentication. And then, the user can re-
configure the new Knox Workspace password. For operating
systems lower than Android 8.0 (Oreo), the user can re-
configure the Knox Workspace password directly after Knox
Manage authentication.
Device 138
Deletes the selected Knox Workspace. Inventory information is updated on

Uninstall Knox Workspace
the server upon deletion.
List of device commands: iOS

The available device commands vary depending on device manage type.
Device
Lock Device Blocks some functions of the device without locking the device.
Unlock Device Unlocks a device.

Initializes the block settings of the device.

Initialize Blocked
Information (Supervised) Note Only iOS Supervised devices are supported.
Device 139
Application
Installs applications on a device.

In the “Request Command” window, select an application to be installed.
Install

Uninstall App
Knox Manage
Sends an emergency message to the device. The message icon is shown

on the status bar of the device.
Push Notification
message.

Device 140

Collect Diagnosis
Information
masked.
Sync App Auto-removal Syncs the application auto-deletion property when managed applications
Property (When service is are deactivated if the value of Delete app during Unenrollment process
deactivated) has changed in the server configuration.
Device Info.
Location.

To view the updated information after sending the device command,
Sync Device Information the “Device Detail” page.
Note For iOS devices, only the hardware status is updated.

For iOS devices, you can also request to delete application feedback when
sending the device command.
Sync Installed App List
To view the list of installed applications after sending a device command,
tab.
Checks the service connection status of the device.

To check the status of the device after sending the device command,
navigate to Device, click a device name or tag, click the “Security” tab, and
view the connection status below the device name.
Check Connection Status
• Enrolled: The device is connected to the Knox Manage server.
• Disconnected: The device is disconnected from the Knox Manage
server.
• Unenrolled: Keepalive is not configured.
Collects the ID of the profile applied to the device.

Collect Profile ID If the device has been enrolled, then the ID is automatically collected from
the device’s inventory information without sending the device command.
Device 141
List of device commands: Windows
The available device commands vary depending on device manage type.
Device
Lock Device Locks the device.

Knox Manage
Sends an emergency message to the device.

Push Notification The message icon is shown on the status bar of the device. In the “Push
Notification” window, enter the title and content of the message.

Delete account Deletes the account registered in the Knox Manage Agent.
Device 142
Device Info.
Location.
Sync Device Information To view the updated information after sending the device command,
the “Device Detail” page.
tab.
Managing limited enrollment

You can set only the devices that are registered with their IMEI (International Mobile Equipment
Identity) numbers to be enrolled in Knox Manage.
IMEI numbers can be registered individually or collectively using an XLS file. You can also register Wi-
Fi only devices with their serial numbers instead of IMEI numbers.
To register IMEI numbers individually, complete the following steps:
1. Navigate to Setting > Android > Limited Enrollment.
2. On the “Limited Enrollment” page, click Activate at the bottom of the page.
• You can also activate the Limited Enrollment feature by navigating to Setting > Configuration >
Basic Configuration > Device, and then setting Limited Enrollment to Activate.
3. Click Add.
4. In the “Add Device” window, select IMEI/MEID or Serial Number.
Device 143
5. Enter an IMEI/MEID or serial number into the field.
• Enter the serial number of a Wi-Fi only device.

6. Click Save.
To register IMEI numbers collectively, complete the following steps:
1. Navigate to Setting > Android > Limited Enrollment.
2. On the “Limited Enrollment” page, click Activate at the bottom of the page.
• You can also activate the Limited Enrollment feature by navigating to Setting > Configuration >
Basic Configuration > Device, and then setting Limited Enrollment to Activate.
3. Click Bulk Add.
4. In the “Bulk Add Devices” window, click Download Template.
5. Enter the IMEI numbers in the downloaded XLS file, and then save it.
• Enter the serial number of a Wi-Fi only device.

6. In the “Bulk Add Devices” window, click , and select the saved XLS file.
7. Click Save.
Checking the locations of the devices

You can check the locations of the selected devices. Only the devices that have the location policy
applied can be tracked.
To check the device locations, complete the following steps:
2. On the “Device” page, click the checkbox for a device to check its location, and then click Check
Location.
3. In the “Check Location” window, search by date and view the location history.
• Click Export to GPX to download a GPX file that includes detailed device location information.
You can use a GPX viewer to open the file.
Device 144
Viewing device logs
View a device log to verify that the device commands sent from the Admin Portal were successfully
received by the device.
To view a device log, complete the following steps:
2. On the “Device” page, click the device to view its log.
3. On the “Device Detail” page, click Command History.
4. View the device command history.
• To download the device logs, click Device Log. In the “Device Log” window, set the log
collection period and download the desired logs by clicking .
• To view in detail the audit events that occurred while completing a device command, click See
Audit Event in the row of the device command.
Device 145
5
Content
Content
Upload various types of content, such as documents, images and videos, on the Knox Manage cloud
server and distribute them to device users directly. Content can be uploaded without a storage limit
and sent safely and quickly through the Content Delivery Network (CDN).
The following conditions are required to upload and distribute content.
• Only enrolled Android devices are available.

• Content files must be 300 MB or less.
• Available content formats:
Type Format
Document doc(x), ppt(x), xls(x), gul, hwp, pdf, rtf, wks, wpd, txt
Image bmp, gif, jpeg, jpg, png, psd, tif, tiff, ico
Video 3gp, avi, mkv, mp4, mov, mpg, mpeg, rm, swf, wmv, wav, mp3
File vcf, rar, zip, json
→→ Viewing the content list

→→ Viewing the content details
→→ Adding content
→→ Assigning content
→→ Distributing content
→→ Managing content
Content 147
Viewing the content list
Navigate to Content to view all the items on the “Content” page. You can also perform specific
actions on the selected items.
2
3
1 Search field Search for desired content.
Add new content to the list. For more information, see Adding
Add
content.
Assign Assign new content. For more information, see Assigning content.
Distribute new content. For more information, see Distributing

Function Deploy
2 content.
buttons
Modify the selected content details. For more information, see
Modify
Modifying content.
Delete the selected content. For more information, see Deleting

Delete
content.
3 Content list View the brief information of the contents on the list.
Content 148
Viewing the content details
View each content details by clicking a content item’s name on the content list. For more information
about the organization structure of the detail page, see Detail page.
Summary area
The summary area contains information about the selected content, such as the file name, extension
type, size, the date of the last update, and the deploy area.
Tab: Device
The Device tab shows the information of devices that the content was distributed to and when the
device users downloaded the content.
Function buttons Description
Tab: Assigned Target
The Assigned Target tab shows the list of groups, organizations, users, and devices that the content
was assigned to and the last date when the content was assigned to the targets. You can perform
specific actions on the targets selected on the list.
Unassign Revoke the content assign from the selected targets.
You can perform specific functions on the content using the function buttons in the footer.
Content 149
Back Return to the content list.
Delete the content from the content list. The content will also be deleted
Delete
from the distribution target devices.
Modify Replace the content file or modify the content name or deploy area.
Assign Assign the content to the targets.
Deploy Distribute the content to the targets.
Adding content
To add new content on the Knox Manage server, complete the following steps:
1. Navigate to Content.
2. On the “Content” page, click Add.
3. In the “Add Content” window, enter the following information:
• File: Click and select the content to upload.
• Content Name: Enter the content name.

• Download Path: Set the path to save the downloaded content.
–– Public external storages are not supported.
–– Sandboxing in applications is not supported.
• Deploy Area: Select the area where the content will be distributed.
–– Android Enterprise: Content will be distributed to each enrolled area. For Fully Managed with
Work Profile devices, content will be distributed to the Work Profile area.
–– Android Legacy: Content will be distributed to the general area.
–– Android Legacy with Knox Workspace: You can select an area to install the content between
the general area, Knox Workspace, or both.
4. Click Save & Assign to select the assign target.
• Click Save to save the content information only.

5. Configure the assign and distribution target. For more information, see Assigning content.
Content 150
Assigning content
To assign content, complete the following steps:
2. On the “Content” page, click the checkbox for the content you want to assign.
3. Click Assign.
4. On the “Assign Content” page, select the target type.
• If you selected Group or Organization, click the checkboxes for the groups or organizations you
want to assign the content to.
• If you selected User, click Select User to open the “Select User” window. In the “All Users “area,
click the checkboxes for the users you want to assign the content to, and then click OK.
• If you selected All Devices, all enrolled devices will be the target.
5. Click Assign & Deploy to assign the content to the target and distribute it at the same time.
• Click Assign to only assign the content to the targets and not to distribute it now.
Distributing content
To distribute content, complete the following steps:
2. On the “Content” page, click the checkbox for the content you want to distribute.
3. Click Deploy.
4. In the “Deploy Content” window, confirm the content name and the deploy area, and then click OK.
Note The content is automatically redistributed, even if the target users enroll new devices after the
distribution or delete the content from their devices.
Content 151
Managing content
Manage the content uploaded on the Knox Manage server. You can modify or delete existing content.
Modifying content
Modify the content registered in Knox Manage for the target you select.
To modify existing content, complete the following steps:
2. On the “Content” page, select the content you want to modify and click Modify.
3. On the “Modify Content” page, modify the existing information.
4. Click Save & Deploy to save the content and distribute the modified content to the target.
• Click Save to save the content now and distribute it to the target later.
Deleting content
To delete existing content, complete the following steps:
2. Click the checkbox for the content you want to delete.
Content 152
6
Application
Application
Manage mobile applications with Knox Manage. Add various types of applications to the application
list and assign them to desired mobile devices. Control the settings for the added applications. For
Android Enterprise devices, you can make your company’s own exclusive distribution platform by
putting the desired applications in Managed Google Play. In addition, you can add iOS applications in
bulk through the Apple Volume Purchase Program (VPP).
The application types used in Knox Manage are as follows:
Type Description
Applications developed for your company’s exclusive use. These

Internal applications applications can be added by uploading APK files for Android devices and
IPA files for iOS devices.
Public applications (Google Applications disclosed to the public and downloaded from the Google Play
Play Store) Store
Public applications
Applications disclosed to the public and downloaded from the Managed
(Managed Google Play
Google Play Store
Store)
Public applications (iOS App Applications disclosed to the public and downloaded from the iOS App
Store) store
Public applications
Private applications in Managed Google Play. These applications can be
(Managed Google Play
added by uploading the installation files to Managed Google Play.
Private)
Applications disclosed to the public and purchased from the VPP

Public applications (Volume
website. These applications can be added by registering the VPP token or
Purchase Program)
uploading redeemable codes.
Application 154
→→ Viewing the application list

→→ Viewing the application details
→→ Adding applications
→→ Assigning applications
→→ Managing applications
→→ Using the Volume Purchase Program (iOS only)
Viewing the application list

Navigate to Application to view all the applications on the “Application” page. You can also perform
specific functions for the selected applications on the list.
On the application list, the personalized settings of the columns will be saved. The saved settings will
be retained before you delete the web browser’s cookies. You can also return the column settings to
Application 155
1 Search field Search for a desired application.
Add a public or internal application to the list. For more

Add
information, see Adding applications.
Synchronize the application data in Knox Manage if you visited

Sync MGP Managed Google Play (MGP) and made any changes to the
applications.
Synchronize the VPP application data from the VPP website if

you purchased the applications through managed distribution.
Sync VPP
For more information, see Adding VPP applications (managed
distribution).
Upload the redeemable codes of the VPP applications if you

Upload
purchased the applications through redeemable codes from the
Redemption
VPP website. For more information, see Adding VPP applications
Code
(redeemable codes).
Assign and apply the selected applications to group/

Assign
organizations. For more information, see Assigning applications.
Function Modify the selected application details. For more information, see
2 Modify
buttons Modifying applications.
Delete the selected applications.
Note Please be aware of conditions below when an

application is deleted from the device:
Delete • When the selected application is configured to

uninstall upon unassignment.
• When you set the Manage Deletion option as
Console + Device from Setting > Configuration >
Basic Configuration > App & Service Desk.
Add a new application category, or delete or modify the existing

Manage
categories. You can also change the category order. For more
Category
information, see Managing application categories.
Revert
Column Resets the column settings to the default settings.
Settings
3 Application list View the brief information of the applications on the list.
Application 156
Viewing the application details
View each application’s details by clicking an application name on the application list. For more
Summary area
The summary area contains the information about the selected application, such as the application
name, application type, supported platform, and application version. You can click Detail to view
more information.
• For public applications, you can click Update to the Latest Version to update the application when
the latest version of the application is released on the digital distribution platform.
• For internal applications, you can click See History to see the application update history.
Tab: Device
The Device tab shows the list of devices that the application was assigned to. You can perform
specific functions on the selected devices among the list.
Function button Description Supported application type
• Internal
• Public (Google Play Store)
• Public (Managed Google
Refresh Update the list of devices. Play Store)
• Public (iOS App Store)
Play Private)
• Internal
Install the application directly to the selected
Install Play Store)
devices.
Private)
Application 157
Update the internal application directly on the

selected devices. To update, the installation file must
Update
be replaced with a new one. For more information,
• Internal
see Modifying applications.
• Internal
Remove the application directly from the selected
Uninstall Play Store)
devices.
Play Private)
• Internal
Export a list of devices where the application is • Public (Google Play Store)
installed as a CSV file. When exporting is complete,
you can download the exported list. In the header of
Export to CSV Play Store)
the Knox Manage Admin Portal, click > Download
> My Download, and then click Download next to the • Public (iOS App Store)
exported item. • Public (Managed Google
Play Private)
Tab: Assigned Group/Organization
The Assigned Group/Organization tab shows the list of groups and organizations that the application
was assigned to. You can perform specific functions on the selected groups and/or organizations on
the list.
• Internal
Remove the application assignment from the
Unassign Play Store)
selected groups/organizations.
Play Private)
Application 158
• Internal
Modify the assignment settings applied to the
Modify Setting Play Store)
selected group/organization.
Play Private)
Tab: Assigned User (VPP application only)
Public applications from the Volume Purchase Program (VPP) only have the Assigned User tab.
This tab shows the list of VPP users that the application was assigned to. You can perform specific
functions on the selected users on the list.
Unassign
Remove the application assignment from the • Public (Volume Purchase
selected users. Program)
You can perform specific functions on the application using the function buttons in the footer.
Back Return to the application list. • All

• Internal
Delete the application from the application list. You • Public (Managed Google
Delete can also set the application to be deleted from the Play Store)
devices in the assigned groups/organizations.
Play Private)
Application 159
• Internal
Modify Modify the basic information of the application. Play Store)
Play Private)
Make the public application from Google Play Store

available in the Managed Google Play Store by
approving the application permissions on behalf of
Approve the device users. The approved public application • Public (Google Play Store)
will be managed in the Managed Google Play Store
and can be assigned to both Android Legacy and
Android Enterprise devices.
Revoke the approval of the application permissions

so the public application is no longer managed in
Unapprove
the Managed Google Play Store. The unapproved • Public (Managed Google
applications will be removed from the Managed Play Store)
Google Play Store and can be assigned only to
Android Legacy devices.
• Internal
Install the application directly on the selected • Public (Managed Google
Install devices. You can select the devices to install the Play Store)
application to.
Private)
Assign the application to groups/organizations/VPP

Assign
users.
• All
Adding applications
To assign applications to a mobile device, you must first add them to the application list.
Application 160
Adding internal applications
To add internal applications, complete the following steps:
1. Navigate to Application.
2. On the “Application” page, click Add.
3. In the “Select Application Type” window, select Internal and click OK.
4. On the “Add Application” page, enter the following information:
• Platform: Select the mobile OS.

• Application File: Click and select either an APK file for an Android application or an IPA file
for an iOS application.
• Name: Enter the application name.

• Version: The retrieved application version is displayed. If there is no value, “-“ is displayed.
• Package Name (Android): The retrieved package name is displayed. If there is no value, “-“ is
displayed.
• Bundle ID (iOS): The retrieved bundle ID for the application is displayed.

• Bundle Name (iOS): The retrieved bundle name is displayed. If there is no value, “-“ is displayed.
• URL Scheme (iOS): The retrieved URL scheme is displayed. If there is no value, “-“ is displayed.
• Platform & Source: The application’s platform and source are displayed.
• Type: The application type is displayed as “Internal.”
• Category: Select the application category. If you click Manage Category, you can add or modify
application categories.
• App Wrapper (Android): Reconfigure and save the application so that security policies, such as
text copy and screen capture, can be controlled in the Admin Portal.
• Unassign Option: Check if you want to uninstall the app from the device upon unassignment.
• Managed App Setting (iOS): Select Yes if you are adding an application that is designed to
change the Mobile Device Management (MDM) settings of applications on iOS devices.
• Key & Value (iOS): If you selected Yes in Managed App Setting, click Add and enter the key and
value of a MDM setting you want to change. You can add one key and its value at a time.
Note Ask the application developers about the key and value for the MDM settings. For example,
if you want to add the ManagedAppConfig application and set its default URL to http://www.
samsungsds.com, the key is the server URL and the value is http://www.samsungsds.com.
Application 161
• Description: Enter a description for the application.
• Icon: Select the application icon image.
• Screenshot: Select screenshots of the application to provide a preview for Android device
users.
5. Click Save & Assign to save the information and proceed to assign the application.
• Click Save to save the information and return to the application list.
6. Assign the application. For more information, see Assigning internal applications.
App wrapping
Using Knox Manage’s App Wrapper, you can add security policy control functions, such as copy and
paste (text only), screen lock, and screen capture, to internal applications. Another advantage of
using App Wrapper is that it also allows you to insert code that lets you control security policies for
internal applications used by customers and then reconfigure the applications, without having to
modify the source code. Thus, you can add new functions in a short amount of time, even if you aren’t
knowledgeable in platform development.
Please note the following while using the Knox Manage App Wrapper:
• Conversion using the Knox Manage App Wrapper is limited to internal applications. There may be
copyright issues when converting public applications.
• The security logic application that checks the signing key may not function normally.
The functions that you can configure using App Wrapper are screen capture, screen lock, copy
and paste (text only), and registration of INI configuration files. The existing and wrapped internal
applications are distinguished by different icons on the user device.
• Screen lock: If the Knox Manage Agent’s screen is locked because of the Knox Manage Agent’s
Lock device after (second) value set in Profile, then the wrapped internal applications will also be
locked. Therefore, you need to enter the screen lock password and unlock the screen of the Knox
Manage Agent or the wrapped internal applications if you want to use them.
• Configuration INI file: You can register a configuration file in wrapped applications and configure
additional control settings. Register wrapped applications and an INI configuration file in Profile,
and apply them to a device. Then, the INI configuration file is saved to the device’s data storage.
For more information about how to register the INI file required for a wrapped application, see
Assigning internal applications.
To use the INI file, you need to add the source code to read the INI file from the internal application.
For more information, see Reading the configuration file.
Application 162
Reading the configuration file
To use the value of the INI configuration file in internal app, you need to look up the path and file
name of the configuration file and add the source that reads the string.
The code that is required to read a configuration file is described below.
private String readINIFile(String fileName) throws

FileNotFoundException, IOException, Exception
{
StringBuffer sb = new StringBuffer();
BufferedReader br = null;
int ch = 0;
br = new BufferedReader(new FileReader(fileName));
while((ch = br.read()) != -1) {
sb.append((char) ch);
}
br.close();
return sb.toString();
}
// Path : /data/data/[packagename]/files/ini
private String getINIFolder(Context context)
{
return context.getFilesDir() + File.separator +
“ini”;
}
// ini File Name : [packagename].ini */

private String getINIFileName(Context context)
{
return context.getPackageName() + “.” + “ini”;
}
• The getINIFolder function searches for the directory path where the configuration file is saved.
• The getINIFileName function searches for the name of the {PackageName}.ini file.
• The readINIFile function reads the configuration file through the file path received as a
parameter value, and then sends a text value.
Application 163
The code that calls the readINIFile() function after determining the existence of the file is as
follows:
btnIniRead.setON-CLICKListener(new ON-CLICKListener() {
@Override
public void ON-CLICK(View v) {
String text = null;
String filePath = getINIFolder(mContext) +

File.separator + getINIFileName(mContext);
File file = new File(filePath);
if(file.exists())
{
try {
text = readINIFile(filePath);
} catch (FileNotFoundException e) {
text = “FileNotFoundException”;
e.printStackTrace();
} catch (IOException e) {
text = “IOException”;
} catch (Exception e) {
text = “Exception”;
}
}
else
{
text = “File Not Found”;
}
editIniRead.setText(text);
}
)
• The full path where a configuration file can be saved: getINIFolder(mContext) + File.
separator + getINIFileName(mContext)
Application 164
Adding public applications (Google Play Store)
Note Only free applications are available in Knox Manage.
To add public applications via the Google Play Store, complete the following steps:
3. In the “Select Application Type” window, select Public and click OK.
4. On the “Add Application” page, select Google Play Store and search for the application you want to
add.
• If you want to change the country of the selected platform, click the checkbox next to Set
Country and select the country.
5. In the search results, click the application to add and then click Select.
6. Modify the imported information if necessary.


8. Assign the application. For more information, see Assigning Google Play applications.
Application 165
Adding public applications (Managed Google Play Store)
To add public applications via the Managed Google Play Store, complete the following steps:
4. On the “Add Application” page, select Managed Google Play Store and search for the application
you want to add.
5. In the search results, click the application to add and then click Approve.
6. Read the application permissions and click Approve.
7. Configure the approval and notification settings and click SAVE.


9. Configure Unassign Option. Check if you want to uninstall the app from the device upon
unassignment.
11. Assign the application. For more information, see Assigning Managed Google Play applications.
Application 166
Adding public applications (iOS App Store)
To add public applications via the iOS App Store, complete the following steps:
4. On the “Add Application” page, select iOS App Store and search for the application you want to
add.
5. In the search results, click the application to add.


8. Assign the application. For more information, see Assigning iOS App Store applications.
Application 167
Adding public applications (Managed Google Play Private)
To add applications via Managed Google Play Private, complete the following steps:
3. In the “Select Application Type” window, select Public(Managed Google Play Private) and click
OK.
4. In the “Managed Google Play Private Apps” window, click +.
5. Enter the title of the private application, and click Upload APK and select the apk file to be
uploaded.
• The uploaded apk file must have a unique package name.

6. Click Create.
• The private application list will appear.

• It will take 10 to 20 minutes for the new application to appear on the private application list.
7. Click the application to edit the detailed information if necessary.
• You can add a description or screenshots for the application by clicking Make advanced edits.
8. Close the “Publish Google Private Apps” window.
9. On the “Application” page, click Sync MGP.
10. In the “Sync MGP” window, click OK.
11. To configure the unassignment option, click Modify and click the checkbox for Unassign Option
to allow app uninstallation upon unassignment.
12. Assign the application. For more information, see Assigning Managed Google Play Private
applications.
Application 168
Assigning applications
Assign the applications registered in Knox Manage to mobile devices. Find out how to assign
applications by application type.
Assigning internal applications

To assign added internal applications, complete the following steps:
2. On the “Application” page, click the checkbox for the applications to be assigned.
3. Click Assign.
4. On the “Assign Application” page, configure the assignment settings.
• Target Device: For Android internal applications, select the target device type.
• Install Area (Android): Select the area where the application will be installed.
–– Android Enterprise: The designated installation area based on the device type is displayed.
–– Android Legacy: For Android Legacy with Knox Workspace devices, select the areas to install
the application.
• Install Type: Select the installation type.

–– Manual: Allow users to install the application manually.
–– Automatic (Removable): Set the application to be installed automatically. Users are allowed
to remove the application.
–– Automatic (Non-removable): Set the application to be installed automatically. Users are not
allowed to remove the application.
Note The installation type may be designated depending on the target device type.
• Text copy: Allow users to copy text in the application.

• Screen capture (Android): Allow users to capture screens in the application.
• Auto-run after Install (Android): Set to start the application immediately after installation.
Application 169
• Home Screen Shortcut (Samsung Galaxy device only): Add a shortcut for the application on the
Home screen of the device.
Note Once users delete the shortcut, it will not be added again.
• Printing (iOS): Allow users to print the application screens.

• Share list (iOS): Allow users to use sharing features while using the application.
5. Select the target type.
6. Search for the target groups/organizations and click the checkbox for the groups/organizations to
assign.
7. Click Assign.
8. In the “Assign Application” window, view the assignment information and click OK.
Application 170
Assigning Google Play applications
To assign the added applications via the Google Play Store, complete the following steps:
3. Click Assign.
• Target Device: The target device type is designated as Android Legacy.

• Install Area: The designated installation area is displayed.
• Install Type: The installation type is designated as manual. Device users will install the
application manually.
• Auto-run after Install: Set to start the application immediately after installation.
assign.
7. Click Assign.
Application 171
Assigning Managed Google Play applications
To assign the added applications via the Managed Google Play Store, complete the following steps:
3. Click Assign.
• Target Device: Select the target device type.

• Install Area: The designated installation area based on the device type is displayed.
• Install Type: For Android Legacy devices, the installation type is designated as manual. For
Android Enterprise devices, you can select the installation type.
• Managed Configuration: Customize the additional settings only for the application. This option
appears only when you assign the application to Android Enterprise devices.
–– When configuring Gmail, Outlook, or the Samsung email (v6.0 or higher) application, if you
want to use the information stored in the Knox Manage server, enter $emailaddress$ in the
Email Address field and $username$ in the Username field.
–– If you use the Exchange ActiveSync type, your email address, account password, and the
exchange server name should be entered.
assign.
7. Click Assign.
Application 172
Assigning iOS App Store applications
To assign the added applications via the iOS App Store, complete the following steps:
3. Click Assign.
• Target Device: The target device type is designated as iOS.

assign.
7. Click Assign.
Application 173
Assigning Managed Google Play Private applications
To assign the added public applications via Managed Google Play Private, complete the following
steps:
3. Click Assign.
• Target Device: The target device type is designated as Android Enterprise.

• Install Area: The installation area is designated as the work area.
assign.
7. Click Assign.
Application 174
Managing applications
Modify the registered applications in Knox Manage. You can also categorize the applications and
customize the categories.
Modifying applications
To modify the basic information of applications, such as the name and category, complete the
following steps:
2. On the “Application” page, click the checkbox for the applications to be modified.
3. Click Modify.
4. On the “Modify Application” page, modify the information you entered when adding the
application.
• For internal applications, you can upload the updated versions of them.
• You can modify the Unassign Option setting for internal/MGP Public/MGP Private applications.
5. Click Save.
6. In the “Save Changes” window, click OK.
• If you changed the installation file for updating, you can enter your comment for the update
history. After saving the comment, you can also send an update request to the users who have
installed the application.
Application 175
Managing application categories
If you register application categories, applications will be displayed in categories on the mobile
devices. Add new categories or modify the existing categories for classifying applications.
Adding categories
To add a new category, complete the following steps:
2. On the “Application” page, click Manage Category.
3. In the “Manage Category” window, click Add.
4. In the “Add Category” window, enter the following information:
• Name: Enter the category name.

• Description: Enter a description for the category.
5. Click Save.
Note • Up to 15 categories can be added and up to 100 applications can be registered in each
category.
• A new category is added as the last in the order.
• If you do not set the category when adding an application, the application will be in the
Common category.
Changing the category order

To rearrange the category, complete the following steps:
3. In the “Manage Category” window, select one or more categories to be moved and click or .
4. Click Save.
Application 176
Modifying categories
To modify an existing category, complete the following steps:
3. In the “Manage Category” window, select a category to be modified and click Modify.
4. In the “Modify Category” window, modify the existing information.
5. Click Save.
Deleting categories
To delete an existing category, complete the following steps:
3. In the “Manage Category” window, select a category to be deleted and click Delete.
4. In the “Delete Category” window, click OK.
Using the Volume Purchase Program

(iOS only)
Knox Manage supports the Apple Volume Purchase Program (VPP), a program that enables buying
and uploading iOS applications in bulk and lets you easily distribute the applications to iOS device
users. When you simply add the applications purchased on the VPP website to the Admin Portal
and select the application users, the users will be able to use the applications. For more information
about the Apple VPP, see https://www.apple.com/business/vpp/ or the Apple VPP guide (https://
images.apple.com/business/docs/VPP_Business_Guide.pdf).
Application 177
To add applications through the VPP, the following procedures must be performed.
Register a download Add the applications

Purchase iOS
VPP token on Add VPP users. and assign them to
applications.
the Admin Portal. VPP users.
Before using the VPP

Verify the following prerequisites before using the Apple VPP.
• Make sure that the Apple VPP is available in your country. For more information about VPP
availability, see https://support.apple.com/en-us/HT207305.
• Make sure that your organization has an Apple Business account. If not, create an account at
https://business.apple.com.
• The VPP applications can be assigned to the devices running iOS 7.0 or higher, or macOS 10.9 or
higher.
Note The VPP website (http://deploy.apple.com) has been incorporated into the Apple Business
Manager website (https://business.apple.com) as of December 1, 2019. Upgrade to Apple
Business Manager with the guides from the website.
The following explanation has important information for using the Apple VPP. Get familiar with it
before you start the VPP.
Distribution method
When you purchase applications through the VPP, you must choose between the following
distribution methods for the applications.
• Managed distribution
• Redeemable codes
Application 178
Managed Distribution
Using managed distribution is recommended. The purchased applications will be added to Knox
Manage when you register a VPP token on the Admin Portal. After assigning the applications, you
can unassign and reassign them. Each VPP user receives a license code, which allows them to use
the applications after you have assigned them. Upon a change in the application assignment, the
application information and total number of license codes will be updated automatically.
To add purchased applications through managed distribution, the following procedures must be
performed.
Download a VPP token Register the VPP token

Purchase applications.
from the VPP website. on the Admin Portal.
Add the purchased

Assign the applications applications to Knox Add registered iOS users
to VPP users. Manage by synchronizing as VPP users.
the servers.
Redeemable Codes
The applications will be added to Knox Manage when you upload the spreadsheet containing
the redeemable codes for the purchased applications on the Admin Portal. The spreadsheet is
downloaded after purchase. Once you assign the applications to VPP users, you cannot unassign or
reassign them.
To add purchased applications through redeemable codes, the following procedures must be
performed.
Download a spreadsheet
Add registered
Purchase applications. containing the
iOS users as VPP users.
redeemable codes.
Assign the applications

Upload the spreadsheet.
to VPP users.
Application 179
Status of users
The VPP users’ statuses are divided into three types:
• Registered: The user is registered as a VPP user. A VPP invitation has been sent to the user, but the
user has not yet accepted the invitation.
• Associated: The user is registered as a VPP user and has accepted the invitation. The user’s device
is associated with the user’s Apple account. Apple gives the user a VPP Client user ID, which
allows them to use the assigned applications.
• Retired: The user has been removed from the VPP user list on the Admin Portal. The user
information is no longer visible in the Admin Portal but remains on the VPP website.
Setting up the VPP

Purchase applications to use.
If you purchase applications through managed distribution, before adding the applications to Knox
Manage, you must download a VPP token from Apple and register it on Knox Manage. A VPP token
functions as a link between the VPP website and Knox Manage and enables importing the license
codes of the purchased applications.
A VPP token can be renewed on a yearly basis. Thirty days prior to the expiration date a pop-up alert
will appear reminding you to renew the token.
Purchasing applications on the VPP website

This section explains a brief procedure for purchasing applications.
To purchase applications, complete the following steps:
1. Visit the Apple Business Manager website (https://business.apple.com).
2. Sign in to the website using your Apple Business account.
3. Search for and click the application you want to buy.
Application 180
4. Enter the application quantity and select the distribution method.
• Managed Distribution: Add the application by registering a VPP token. For more information,
see Managed Distribution.
• Redeemable Codes: Add the application by uploading a redeemable code. For more
information, see Redeemable Codes.
5. Purchase the application.
• If you buy a paid application, use your VPP Credit or a credit card to pay for it.
Downloading a VPP token from the VPP website

If you purchased applications through managed distribution, download a VPP token to add the
applications to Knox Manage.
To download a VPP token, complete the following steps:
1. Sign in to the Apple Business Manager website (https://business.apple.com) using your Apple
Business account.
2. Click Apps and Books and download the token.
Registering the VPP token

Register the downloaded VPP token on the Knox Manage Admin Portal to add the purchased
applications through managed distribution.
To register the VPP token, complete the following steps:
1. Navigate to Setting > iOS > VPP Server Setting.
2. On the “VPP Server Setting” page, click Upload VPP token at the bottom of the page.
3. In the “Upload VPP token” window, click and select the downloaded token file.
4. Click OK.
• When the upload is finished, VPP integration will be complete and the VPP applications will be
added to the application list in the Admin Portal.
5. Enter the interval at which the VPP server will be synced to the Knox Manage server and click
Setting.
• You can enter an interval from 0 to 120 hours.
Application 181
Managing VPP users
Add iOS device users who are enrolled in the Admin Portal as VPP users. The added VPP users
will receive an invitation message. If there are VPP users who are registered but did not accept the
invitation on their devices, you can resend the invitation message. When VPP users are removed or
their statuses are changed on the Admin Portal, you can synchronize the user information with the
VPP website.
Adding VPP users

Add the users of activated iOS devices as VPP users. The users will be registered on the VPP website
as well as the Admin Portal.
To add VPP users, complete the following steps:
1. Navigate to Setting > iOS > VPP User Management.
2. On the “VPP User Management” page, click Add.
3. In the “Add VPP User” window, select the users you want to add.
4. Click OK.
• The invitation message will be sent to the users through notifications or email.
Reinviting VPP users

Send another invite to the users who have not accepted the invitation yet.
To send an invitation message, complete the following steps:
2. On the “VPP User Management” page, click the checkboxes for the users with a registered status
you want to invite.
3. Click Send Invitation.
4. In the “Invite” window, click OK.
Application 182
Removing VPP users
Remove registered VPP users and revoke their license codes.
To remove VPP users, complete the following steps:
2. On the “VPP User Management” page, click the checkboxes for the users you want to remove.
3. Click Delete.
4. In the “Delete User” window, click OK.
Synchronizing VPP user information

If you modified VPP user information on the Admin Portal, synchronize the information on the VPP
website with the information on the Admin Portal.
There are two synchronization methods:
• Automatic synchronization via scheduling in Setting > iOS > VPP Server Setting
• Manual synchronization
To synchronize the user information manually, complete the following steps:
2. On the “VPP User Management” page, click Sync VPP.
3. In the “Sync VPP User” window, click OK.
Application 183
Managing VPP applications
Add VPP applications to the Admin Portal and assign them to the iOS devices of VPP users. For
applications you are using the managed distribution type for, you can unassign and reassign the
applications.
Adding VPP applications (managed distribution)

Add the applications purchased through managed distribution by synchronization.
There are two synchronization methods:
• Automatic synchronization via scheduling in Setting > iOS > VPP Server Setting
• Manual synchronization
To synchronize the applications manually, complete the following steps:
2. On the “Application” page, click Sync VPP.
3. In the “Sync VPP” window, click OK.
Adding VPP applications (redeemable codes)

Add the purchased applications through redeemable codes by uploading the code spreadsheet on
the Admin Portal.
To upload the redeemable codes, complete the following steps:
2. On the “Application” page, click Upload Redemption Code.
3. In the “Upload Redemption Code” window, click and select the code spreadsheet downloaded
from the VPP website.
4. View the code list and click Save.
Application 184
Assigning a VPP application
Only one VPP application at a time can be assigned.
To assign an application to VPP users, complete the following steps:
2. On the “Application” page, search for the application you want to assign.
• To search, enter the name or select the iOS for platform and Volume Purchase Program for
source and click Search.
3. Click the checkbox for the application, and then click Assign.
4. On the “Assign Application” page, select the users you want to assign the application to and click
Assign.
Unassigning a VPP application

You can unassign applications you are using the managed distribution type for.
To unassign an application from assigned VPP users, complete the following steps:
2. On the “Application” page, search for the application you want to unassign.
• To search, enter the name or select the iOS for platform and Volume Purchase Program for
source and click Search.
3. Click the application you want to unassign.
4. On the “Application Detail” page, select the users to unassign the application from and click
Unassign.
5. In the “Unassign Application” window, click OK.
• The unassigned users will receive a message telling them that the application is no longer
being used and can be removed.
Application 185
7
Profile
Profile
A profile is a set of policies containing device configurations and settings. Profiles allow you to
control device functions and data, such as the camera, screen lock, Bluetooth, or firewalls quickly and
efficiently. With profiles, you can also install the Wi-Fi, VPN, and Exchange settings of your company
on user devices.
Profiles can also be configured to run in specific situations, such as at a specific time or when the
device is running a specific application.
Create profiles Assign profiles Apply profiles
Policies Organizations / Groups User Device
→→ Viewing the profile list

→→ Viewing the profile details
→→ Creating profiles
→→ Configuring policies by device platform
→→ Assigning and applying profiles
→→ Managing profiles on the list
→→ Modifying profiles in detail
→→ Setting the profile update schedule
→→ Collecting device location information
Profile 187
Viewing the profile list
Navigate to Profile to view all the profiles on the “Profile” page. You can also perform specific
functions on the selected profiles on the list.
On the profile list, the personalized settings of the columns will be saved. The saved settings will be
retained before you delete the web browser’s cookies. You can also return the column settings to
Profile 188
No Name Description
1 Search field Search for a desired profile.
Add Create a new profile. For more information, see Creating a new profile.
Import policies from a CEA file. In the “Import Policy” window, enter the
Import profile name, click to open a CEA file, and then click OK. You can
Policy add a profile by importing policies that were downloaded in the ‘Profile
Detail’ screen.
Copy Copy the selected profile and create a new profile. For more information,
Profile see Copying a profile.
Assign the selected profile to a group or an organization. For more

Assign
information, see Assigning to groups and Assigning to organizations.
Apply the selected profile to a group or an organization after assigning

Apply
it.
Function Modify the policies of the selected profile. For more information, see
2 Modify
buttons Configuring policies by device platform.
Delete the selected profile. If the profile has been applied to a group or
Delete
an organization, it cannot be deleted.
Set up the profile priorities for when multiple profiles are being applied
Manage
to the same group or organization. For more information, see Setting up
Priority
the profile priorities.
Manage Add applications by package name to control them with a blacklist or

Control whitelist. For more information, see Managing applications for specific
App purposes.
Revert
Column Resets the column settings to the default settings.
Settings
3 Profile list View the brief information of the profiles on the list.
Profile 189
Viewing the profile details
View each profile’s details by clicking a profile name on the profile list.
Summary area
The summary area contains the information about the profile, such as the profile name, description,
supported platform, and profile version.
• Hover the mouse over to see controllable device types.
• Click See History to see the profile update history.
Tab: Policy
The Policy tab shows the policies that belong to the selected profile.
Tab: Device
The Device tab shows the list of devices that the profile was applied to. You can perform specific
functions to the selected devices on the list.
• Click See Policy to see the policies that are applied to the device in the row.
Apply Apply the profile to selected devices.
Profile 190
Tab: Assigned Group / Organization
The Assigned Group / Organization tab shows the list of groups and organizations that the profile
was applied to. You can perform specific functions on the selected groups and organizations on the
list.
Unassign Remove the profile from the selected groups/organizations.
Apply Apply the profile to the devices that belong to the selected groups/organizations.
You can perform specific functions on the profile using the function buttons in the footer.
Back Return to the profile list.
Delete the profile. If the profile has been applied to a group or an organization, it
Delete
cannot be deleted.
Export the policies of the profile as a CEA file. You can use the Import Policy feature
Export Policy
to add a profile from a file.
Modify Profile Modify the existing information of the selected profile. For more information, see
Info. Modifying profiles in detail.
Modify the policies of the profile. For more information, see Modifying profiles in
Modify Policy
detail.
Assign the profile to a group or an organization. For more information, see Assigning
Assign
to groups and Assigning to organizations.
Apply Apply the profile to devices after assigning it.
Profile 191
Creating profiles
Create a new profile or copy an existing one to make another. You can also specify events such as
the time and location for profiles.
Creating a new profile

To add a new profile, complete the following steps:
1. Navigate to Profile.
2. Click Add.
3. On the “Add Profile” page, enter the following information:
• Name: Enter a name for the profile. The entered name cannot be changed after saving.
• Platform: Click the checkboxes to select device platforms.
–– If you have selected the Android Enterprise platform and want to set a policy that uses the
Samsung Knox API, click the Samsung Knox checkbox.
–– If you have selected the Android Enterprise platform, you can activate a device as a Fully
Managed with Work Profile type by clicking the Create Work Profile on Fully Managed
checkbox. The Fully Managed with Work Profile type is only supported for devices running
Android 8.0 (Oreo) or higher.
–– If you have selected the Android Legacy platform, you can create a Knox Workspace by
clicking the Knox Workspace checkbox.
• Event Profile: Click to enable an event profile. For more information, see Adding events for
profiles.
• Description: Enter a description for the profile.

4. Click Save & Set Policy to save the information and to proceed with configuring the profile detail.
• Click Save to save the information and return to the profile list.
5. Configure the profile details. For more information, see Configuring policies by device platform.
Profile 192
Copying a profile
Copy an existing profile and create a new profile. When you reuse a profile, you cannot load
information about the organizations or groups to which the profile has been assigned.
To copy a profile, complete the following steps:
2. On the “Profile” page, click the checkbox for the profile to be copied.
3. Click Copy Profile.
4. On the “Copy Profile” page, modify the existing information if necessary.
• Name: Enter the name of a profile.

• Platform: Add a device platform to an existing profile.
• Event Profile: Click to enable an event profile. For more information, see Adding events for
profiles. When copying an existing event profile and creating a new one, the event type of the
new profile cannot be changed.

5. Click Save & Set Policy to save the information and proceed to configure the profile details.
Exporting a profile
You can export a registered profile, save it as a CSV file, and import it to the Knox Manage server for
management.
To export a profile, complete the following steps:
2. On the “Profile” page, click a profile name.
3. On the “Profile Detail” page, click Export Policy.
4. In the “Export” window, click OK. The policies of the selected profile will be downloaded as a CEA
file.
Profile 193
Note Policies about the settings, such as Wi-Fi, VPN, Exchange, Certification, APN, and Email Account,
and the policies below cannot be exported.
Policy Description
Application
• App Execution blacklist setting
Android • Application uninstallation prevention list setting
Enterprise • System app activation setting
Kiosk
• Kiosk app settings
Samsung Application
Knox • Battery optimization exceptions
(Android DeX
Enterprise) • Application execution blacklist(Android)
Application
• App Installation black/whitelist setting
• Application execution black/whitelist setting
• Application execution prevention list setting
• Application uninstallation prevention list setting
• Battery optimization exceptions
Android Kiosk
(Legacy) • Kiosk app settings
Phone
• Set app voice recording whitelist
System
• Device Administrators to install and activate apps
DeX
• Application execution blacklist(Android)
Application
• App Installation black/whitelist settings
• App Execution blacklist setting
• Application execution prevention list setting
• Application uninstallation prevention list Setting
• Battery optimization exceptions
Knox • App installation authority whitelisting settings
Workspace • TIMA CCM profile whitelist
• TIMA CCM profile app access restriction exception list settings
• Settings for whitelisting apps allowing external SD card
• Set General area app installation list
• App Data deletion control setting
Security
• Enforce Multi factor Authentication
Application
iOS • Application black/whitelist settings
• Autonomous single app mode
Application
Windows
• Add App Install Black/Whitelist
Profile 194
Adding events for profiles
Profiles can be configured with specific events for them, such as time, location, or application. The
policies in these profiles will be applied only when the set events are met. If multiple platforms are
selected, only the applicable events for the selected platform will be displayed. For example, the Day
& Time will be displayed if Android Legacy and iOS are selected at the same time.
Event types and information

Profiles can have six different event types:
Type Description Offline support
Applies the profile configured to the devices on a

specified day or time.
Day & Time You should configure the time zone, days and the Supported
timeframe to apply policies on a specified day and time
only.
Applies the profile configured to devices when a specified

Application Supported
application is being used on the user’s device.
Applies the profile configured to devices when the device

is connected to a specific Wi-Fi SSID.
Note For devices with Android 9.0 or a higher

Wi-Fi SSID Supported
version, the location setting must be turned
on to enable searching Wi-Fi SSIDs and use
events.
Applies the profile configured or locks the device when an

SIM Change Not supported
unauthorized SIM is installed.
Applies the profile configured to devices when the

roaming service is used.
If the device cannot communicate with the server
Roaming temporarily due to roaming, the profile is applied when Not supported
the communication network becomes available again,
such as when airplane mode is turned off or the device is
rebooted.
Applies the profile configured to devices when the device

is located near a specific geographic area.
Enter an address to search for, and then Google Maps
will display the location, and latitude and longitude
Geofencing automatically. Supported
You can also enter a size to view the radius set by the
location.
Note This feature is available only in Asia-pacific.
Profile 195
To add an event for a profile, complete the following steps:
2. Click Add.
3. On the “Add Profile” page, enter the following information:
• Name: Enter the name of a profile.

• Platform: Select a device platform.
• Event Profile: Click to enable the use of events.

• Event Type: Select an event type.
• Requirement: Shows the requirements for the selected event type. This option appears only
when an event profile is enabled.
–– Day & Time: The policy for changing the date and time should be restricted. Navigate to
Android Enterprise or Android Legacy > System in the profile and set the Automatic Date
and Time option to Disallow.
–– Application: If an application is on the blacklist, that application cannot be selected for this
type.
–– Wi-Fi SSID: Wi-Fi should be allowed.
–– Geofencing: GPS should be allowed.
• Conditions: Configure the conditions depending on the selected event type. This option
appears only when the profile has events enabled. For more information about the condition’s
details, see Supported platforms by event type.
• Allow Run Offline: Allow the profile to be applied to the device even when it is offline.
This option appears only if events are enabled. This option only supports the Day & Time,
Application, Wi-Fi SSID, and Geofencing types.
• Lock Device when changing SIM: Locks the device when the SIM is changed. This option
appears only when the SIM Change type event has been selected.
• Notification: Sends a notification to device users when the profile starts or stops being applied.
• Showing on Device: Enter the message for a notification to be displayed on the device screen
when the profiles is applied.
4. Click Save & Set Policy to save the information and proceed to configure the profile details.
• Click Save to save the information and return to the profiles list.
Profile 196
Supported platforms by event type
Supported platforms
Android Enterprise Knox

Android Legacy
Event Type Fully Managed Work Profile Workspace
iOS
Non- Non- Non-
Samsung Samsung Samsung Samsung
Samsung Samsung Samsung
Day & Time O O O O O O O O
Application X X X X O X O X
Wi-Fi SSID O O O O O O O X
SIM Change O O X X O X O X
Roaming O O X X O O O X
Geofencing O X X X O X X X
Note The SIM Change and Roaming types allow only one event per profile.
Profile 197
Configuring policies by device platform
Specify the policies for device controls, such as the security policy or application policy. After
specifying the policies, you can directly apply the profile to the assigned organization or group.
To add policies to a profile, complete the following steps:
2. On the “Profile” page, click the name of the profile to configure policies for.
• You can also click Save & Set Policy to save the profile information and proceed with
configuring the profile details when adding a profile.
3. On the “Profile Detail” page, click Modify Policy.
4. Configure the policy details by device platform. Each device platform has different groups of
policies.
5. Click Apply to apply the policy to devices.
• Click Assign to assign the policy to a group or organization.
→→ Configuring Android Enterprise Policies

→→ Configuring Samsung Knox (Android Enterprise) Policies
→→ Configuring Android Legacy Policies
→→ Configuring Knox Workspace (Android Legacy) Policies
→→ Configuring iOS Policies
→→ Configuring Windows Policies
Profile 198
Configuring Android Enterprise Policies
Create a profile and register policies for Android Enterprise devices.
Knox Manage supports three types of Android Enterprise: Fully Managed, Work Profile, Fully
Managed with Work Profile:
Type Description
Fully Managed Controls the whole device.
Work Profile Controls only designated work areas.
Controls both the personal and work areas and applies different
Fully Managed with Work Profile
policies to each of them.
Note • The Fully Managed with Work Profile type is only supported by the devices of Android 8.0 (Oreo)
or higher version.
• Some policies support only Samsung Galaxy devices.
You can configure the policies below for Android Enterprise devices. The availability of each policy
varies depending on the enrollment type and the OS version.
→→ System
Provides backup and restore settings and other features. Updates the operating system on a device.
→→ Interface
Controls the network settings, such as Bluetooth, Wi-Fi Direct, and tethering.
→→ Security
Configures the security settings, such as the password and lock screen.
→→ Kiosk
Configures Kiosk applications on a Kiosk device and controls the device settings.
→→ Application
Configures options for application controls such as installation, verification, and permission.
→→ Location
Allows the use of GPS or collecting location data from a device.
→→ Phone
Configures the phone settings, such as airplane mode, the microphone settings, and the cellular network
settings.
→→ Container
Allows data transfers within the Work Profile or with other devices.
Profile 199
→→ Factory Reset Protection
Configures the security policy to prevent the unauthorized use of a device after a factory reset.
→→ Wi-Fi
Configures the Wi-Fi settings, such as SSID, security type, and proxy.
→→ VPN
Configures a VPN (Virtual Private Network) on Android Enterprise devices.
→→ Bookmark
Configures the bookmark settings, such as the configuration ID and installation area.
→→ Certificate
Allows using new certificate authority (CA) certificates and configuring the certificate settings.
System
Fully Managed will be referred to as DO (Device Owner).
Work Profile will be referred to as PO (Profile Owner).
Policy Description Supported devices
User Certificate DO/PO: Android 4.3

Allows the setting of user certificates.
Settings or higher
Allows using the camera. DO: Android 4.0 or

higher, Samsung
Note If the device is activated as a Work Profile, Knox 1.0 or higher
Camera
the camera function only in the Work Profile
PO: Android 5.0 or
will be controlled.
higher
DO: Samsung Knox

Allows use of the screen capture function, which is 1.0 or higher
Screen capture
already set as default. PO: Android 5.0 or
higher
Allows modification (add/delete) of the accounts added

Account for each application. DO/PO: Android 4.3
Modification • Disallow: Disallows to add or delete users even if the or higher
Add/Delete User policies are allowed.
Profile 200
Add a specific account type blacklist that should not be

added on the device (Setting> Accounts and backup >
Accounts).
Specify the correct account name to block. For instance,
enter com.google.android.gm.pop3 for a Gmail (pop3)
account.
Note Here are the account names of the

applications that are mainly used:
Application Package name Account name
Google Play com.google.android.

com.google
Service gms
Google Play com.google.android. com.google.android.

Service gms gms.matchstick
com.google.android. com.google.android.
Gmail
gm gm.pop3
Gmail
gm gm.exchange
> Account Gmail
gm gm.legacyimap
DO/PO: Android 5.0
Blacklist
Samsung com.samsung.
Experience android. com.osp.app.signin
Service mobileservice
Samsung com.samsung.
com.samsung.
Experience android.
android.coreapps
Service mobileservice
Samsung com.samsung. com.samsung.

Experience android. android.
Service mobileservice mobileservice
Duo
apps.tachyon apps.tachyon
com.nhn.android. com.nhn.android.
NAVER
search naveraccount
com.facebook. com.facebook.auth.
Facebook
katana login
com.microsoft.
com.microsoft.
Outlook office.outlook.USER_
office.outlook
ACCOUNT
com.microsoft. com.microsoft.
OneDrive
skydrive skydrive
Profile 201
DO: Android 5.0 or

Allows the user to configure the VPN settings on the higher
VPN Setting
device. PO: Android 7.0 or
higher
DO: Android 5.0 or

Add User Allows adding the new users on the device.
higher
DO: Android 4.3 or

Delete User Allows deleting the added users.
higher
Allows using Safe Mode. This policy retains device control DO: Android 6.0 or
Safe mode functions such as camera control, but not Knox Manage higher, Samsung
applications and preloaded applications. Knox 1.0 or higher
DO: Android 7.0 or

Change wallpaper Allows changing the home and lock screens. higher, Samsung
Knox 1.0 or higher
DO: Android 4.0 or

External SD card Allows using the external SD card. higher, Samsung
Knox 1.0 or higher
Allows writing to an external SD card.
Note If the external SD card policy is allowed but

> Write to external DO: Samsung Knox
SD card the Write to external SD card policy is not, 1.0 or higher
then external SD cards can only be read and
do not have reset control.
DO: Android 5.0 or

Factory reset Allows a device factory rest. higher, Samsung
Knox 1.0 or higher
Allows using Android Beam which transfers data via NFC.

DO: Android 5.0 or
S Beam Note Android 10 (Q) or higher devices are not higher, Samsung
supported. Knox 1.0 or higher
Allows a window to be created and launched at the top

DO: Android 5.0 or
Create Window when users use a multi-window transformed into a pop-up
higher
window or a split screen mode on the device.
Allows executing the Easter Egg games on devices with DO: Android 6.0 or
Easter Egg
specific actions. higher
DO: Android 9.0 or

Brightness Setting Allows changing of the screen brightness level.
higher
Allows the always on display feature that displays brief

DO: Android 9.0 or
AOD information on the lock screen, such as notifications or
higher
time.
Profile 202
System Error Allows an error dialog display function when an DO: Android 9.0 or
Screen application shutdowns abnormally. higher
Select a measure to take when a compromised OS is

detected.
• Lock device: Locks the device.

• Lock Email: Locks email use.
• Factory reset + Initialize SD card: Simultaneously
If compromised OS factory resets the user device and the SD card. DO: Android 1.0 or
is detected • Factory reset: Resets the user device but not the SD higher
card.
Note The factory reset (only) function is

unsupported in Android 2.0 or lower. To
reset the device, select the Factory reset +
Initialized SD card option.
Set the device to display a notification when a device

control event is applied.
• User defined: Users can set event notifications on the

Set Notifications device from the Settings menu of the Knox Manage DO: Android 1.0 or
from an event to Agent. higher, Samsung
On. • Show notification: Displays the notification when an Knox 1.0 or higher
event for device control is applied.
• Hide notifications: Hides the notification when an event
for device control is applied.
Set the device to display a notification when an event for

device control is disengaged.
• User Defined: Users can set event notifications on the

Set Notifications device from the Settings menu of the Knox Manage DO: Android 1.0 or
from an event to Agent. higher, Samsung
Off. • Show notification: Displays a notification when an Knox 1.0 or higher
event for device control is disengaged.
• Hide notifications: Hides a notification when an event
for device control is disengaged.
Set the removal of notifications from the device Quick

panel.
• User Defined: Users can remove notification on the

DO: Android 1.0 or
Fix Event device from the settings menu of Knox Manage Agent.
higher, Samsung
Notification • Disallow to Remove Notification: Users cannot remove Knox 1.0 or higher
notifications on the device Quick Panel.
• Allow to Remove Notification: Users can remove
Profile 203
DO: Android 4.1 or

Encryption for Specifies the encryption of the device’s internal storage or
higher, Samsung
storage the external SD card.
Knox 1.0 or higher
Check the checkbox to select the storage to be encrypted.

> Storage
Note External SD card encryption is applicable to
encryption
Samsung Galaxy devices only.
Allows using the NTP (Network Time Protocol) server.

NTP Settings
Register this server to sync the server time to a device.
DO: Samsung Knox

> Server address Enter the NTP server address.
2.5 or higher
> Maximum Set the maximum number of attempts for connecting to

the NTP server to retrieve the time information. DO: Samsung Knox
number of
2.5 or higher
attempts The value can be between 0 – 100 attempts.
Set the cycle to reconnect to the server via NTP.

> Polling cycles DO: Samsung Knox
(hr) The value can be between 0 – 8760 hours (8760 hours = 2.5 or higher
1 year).
Set the cycle to re-connect to the NTP server after

> Short polling experiencing a timeout. DO: Samsung Knox
cycle (sec) 2.5 or higher
The value can be between 0 – 1000 seconds.
Set the connection timeout on the NTP server. DO: Samsung Knox
> Timeout (sec)
The value can be between 0 – 1000 seconds. 2.5 or higher
Automatic Date and DO: Android 5.0 or

Allows changing the date and time settings.
Time higher
Allows selecting a time zone to apply for the device.

DO: Android 5.0 or
Select Time Zone Note If you enabled this policy, the Automatic Date higher, Samsung
and Time policy will be allowed. Knox 1.0 or higher
> Time Zone Select a time zone from the list.
Language Setting Allows the language setting policy. DO: Android 9.0
Allows users to change the Location settings.

Location Setting • Disallow: Users cannot change the on/off setting of the DO: Android 9.0
device location.
Profile 204
Allows backup of the device data.
Note If the backup function can be found on your

device at Google > Backup, it may seem
possible to turn the backup setting on or off, DO: Android 8.0 or
Backup
even if this policy is set to Disallow. However, higher
the functionality of backup is prohibited,
regardless of mobile UI, when the Backup
policy is set to Disallow.
Interface
DO/PO: Android 9.0

Printing Allows the printing function.
or higher
Allows auto-completion of information that you enter on DO/PO: Android 8.0

Autofill Service
websites in the Android browser. or higher
Allows the network usage rest function on a set date.

DO: Android 6.0 or
Network Reset Note For Android 7.0 or lower devices, this applies higher
to Samsung devices (Knox1.0+) only.
Mobile Network DO: Android 5.0 or

Allows configuring the mobile network settings.
Setting higher
DO: Android 4.3 or

Allow Wi-Fi Change Allows changing the Wi-Fi Settings.
higher
Allow using Wi-Fi. If the Wi-Fi policy has not been

applied successfully, the device will try to apply it again
30 minutes later after Knox Manage is activated.
DO: Android 1.0 or
• Allow: Allows using Wi-Fi
Wi-Fi higher, Samsung
• Disable On: Disallows turning Wi-Fi on. It is turned off at Knox 1.0 or higher
all times.
• Disable Off: Disallows turning Wi-Fi off. It is turned on
at all times.
Profile 205
Allows use of the Wi-Fi Direct (Wi-Fi P2P) connection.
Note • Set the Wi-Fi policy to Allow or Disable Off

before using this policy.
DO: Samsung Knox
> Wi-Fi Direct
• The direct connection of the two devices 1.0 or higher
may cause the device function or the
menu to be controlled, depending on the
device type.
DO: Android 5.0 or

Tethering Setting Allows tethering Settings.
higher
Allows using Bluetooth. DO: Android 8.0 or

Bluetooth • Allow: Allows turning Bluetooth on. higher, Samsung
Knox 1.0 or higher
• Disable On: Disallows turning Bluetooth on.
> Desktop PC DO: Samsung Knox
Allows PC connection with the user’s device via Bluetooth.
connection 1.0 or higher
Allows data exchanges with other devices via Bluetooth DO: Samsung Knox
> Data transfer
connection. 1.0 or higher
DO: Samsung Knox

> Search mode Allows device search mode.
1.0 or higher
DO: Android 4.3 or

Bluetooth Setting Specifies the controls for the Bluetooth use.
higher
DO: Android 8.0 or

Bluetooth Share Allows Bluetooth sharing.
higher
DO: Android 4.3 or

PC connection Allows connecting user’s device to PC. higher, Samsung
Knox 1.0 or higher
Profile 206
Security
Set the password for the device screen lock. Use of the
camera is prohibited when the device is screen locked.
The password can be applied to the following areas.
• Fully Managed: The whole device area for Fully

Managed (DO) devices, or personal area for Fully
Managed with Work Profile devices.
• Work Profile: The personal area of Work Profile (PO)
devices. If you want to configure the password policy
for a Work Profile container, navigate to Security >
Work profile password.
Device Password
Note • For the Fully Managed (DO) type and the
Fully Managed with Work Profile type, if
the strength of the screen lock password
of the device is lower than the device
policy, the device will be locked through
the Lock Task mode. The users of the
devices will not be able to use any other
functions until the password is configured.
• If the device is using a One Lock
password and the policy for the personal
area and work area have been configured
differently, the stronger password policy
will be applied.
Profile 207
Set the minimum password strength on the screen.
• Weak Biometric: Set the password using a low-security

biometric recognition method.
• Pattern: Set the password using a pattern or a
password with a higher degree of complexity.
• Numeric: Set the password using numbers or a
password with a higher degree of complexity.
• Numeric Complex: Set the password containing at
least numeric characters with no repeating (4444) or DO: Android 2.2 or
ordered (1234, 4321, 2468) sequences. higher, Samsung
> Minimum
• Alphabetic: Set the password containing at least Knox 2.0 or higher
strength alphabetic (or other symbol) characters. PO: Android 7.0 or
• Alphanumeric: Set the password using alphanumeric higher
characters or a password with a higher degree of
complexity.
• Complex: Set it so that the passwords must include
alphanumeric and special characters.
Note The password strength increases in the

following ascending order: Weak Biometric
< Pattern < Numeric < Numeric Complex <
Alphabetic < Alphanumeric < Complex.
Set the minimum length of the password.

The value can be between 4 - 16 characters for Numeric
or Alphanumeric.
DO: Android 2.2 or
The value can be between 6 - 16 characters for Complex. higher, Samsung
>> Minimum Knox 2.0 or higher
length Note Minimum length of the pattern password
PO: Android 7.0 or
refers to the number of lines connecting
higher
each dot. For example, if the policy value is 4,
at least four lines connecting five dots must
be entered.
DO: Android 3.0 or

>> Minimum Set the minimum password length. higher
number of letters The value can be between 1 - 10 characters. PO: Android 7.0 or
higher
DO: Android 3.0 or

>> Minimum Set the minimum number of numeric and special
higher
number of non- characters required in the password.
letters PO: Android 7.0 or
The value can be between 1 - 10 characters.
higher
Profile 208
DO: Android 3.0 or

>> Minimum Set the minimum number of lowercase letters required in
higher
number of the password.
lowercase letters PO: Android 7.0 or
higher
DO: Android 3.0 or

>> Minimum Set the minimum number of uppercase letters required in
higher
number of capital the password.
letters PO: Android 7.0 or
higher
>> Minimum DO: Android 3.0 or

Set the minimum number of numeric characters allowed
number of higher
in the password.
numeric PO: Android 7.0 or
characters The value can be between 1 - 10 characters.
higher
DO: Android 3.0 or

>> Minimum Set the minimum number of special characters required in
higher
number of special the password.
characters PO: Android 7.0 or
The value can be between 1 -10 characters.
higher
Set the minimum number of new passwords that must be

used before a user can reuse the previous password.
DO: Android 3.0 or
The value can be between 0 - 10 times.
>> Manage higher, Samsung
password history Knox 1.0 or higher
Note If the password is ‘Knox123!’ and the
(times) PO: Android 7.0 or
minimum value is set as 10, the user must
use ten other passwords before reusing higher
‘Knox123!’ as password.
DO: Android 3.0 or

Set the maximum number of days before passwords must higher, Samsung
>> Expiration after be reset. Knox 1.0 or higher
(days)
The value can be between 0 - 365 days. PO: Android 7.0 or
higher
Set the maximum number of incorrect password attempts

>> Maximum before access is restricted. DO: Android 2.2 or
Failed Login You can set this only when Numeric, Alphanumeric, or higher, Samsung
Attempts Complex is selected. Knox 2.0 or higher
Profile 209
Select the action to be performed when the maximum

number of failed attempts is reached.
For the Fully Managed (DO) type:
• Lock device: Locks the device. DO: Android 2.2 or

>>> If maximum
• Factory reset + Initialize SD card: Simultaneously higher, Samsung
failed login resets the user device and the SD card. Knox 2.0 or higher
attempts
exceeded • Factory reset: Resets the user device but not the SD PO: Android 7.0 or
card. higher
For the Work Profile (PO) type:
• Work Profile removal: Deletes the Work Profile

container.
Set the duration for locking the device when the user has
>> Screen lock not set up a password for the screen lock. DO: Samsung Knox
timeout (min) 1.0 or higher
The value can be between 0 - 60 minutes.
>> Maximum Set the maximum number of consecutive numeric

length of characters allowed in a password. DO: Samsung Knox
sequential 1.0 or higher
numbers The value can be between 1 - 10 words.
>> Maximum Set the number of consecutive letters allowed in a

length of password. DO: Samsung Knox
sequential 1.0 or higher
characters The value can be between 1 - 10 words.
Allows blocking functions on the lock screen.

Block function
Note The visibility of the notifications on the lock
setting on lock
screen screen depends on the options you set in the
application.
Profile 210
Select the functions to be blocked on the lock screen

when a password policy is set on a device.
For the Fully Managed (DO) type:
• All: Blocks all functions on the lock screen.

• Camera: Blocks direct camera control on lock screen.
• Trust Agent: Blocks the Smart Lock function which
automatically unlocks the screen in certain conditions,
such as during a certain physical activity, at a specific
location, or when devices are added.
DO: Android 5.0 or
• Fingerprint: Blocks the fingerprint unlock function.
> Block functions higher
on lock screen • Previews in pop-ups: Displays notifications on the lock
PO: Android 7.0 or
screen but hides private content set in the application.
higher
• Notifications: All notifications are hidden via the lock
screen
For the Work Profile (PO) type:

location, and or when certain devices are added.
• Fingerprint: Blocks the fingerprint screen unlock
function.
Enable multifactor authentication (2FA) that unlocks

a device only after two authentication methods are
provided, including one biometric input (face/iris/
fingerprint) and one lock screen method (PIN/password/
Enforce Multi factor pattern). DO: Samsung Knox
Authentication 3.0 or higher
Note Incorrect use of this policy together with
“One Lock” and “Biometric policy” can lock
your device.
DO: Android 9.0 or

Screen timeout Allows the user to change the Screen Timeout setting.
higher
DO: Android 2.2 or

Maximum screen Set the maximum time limit that a user can linger before
higher, Samsung
timeout screen timeout.
Knox 2.0 or higher
Profile 211
Set to use the Work Profile container screen lock

password on the Work Profile installation, the users are
directed to set the Work Profile screen lock password.
Note • If users forget their password and ask you,

you should send the device command
to reset the password and guide them to
input the temporary password that was
sent. For more information about the
Work profile procedure, see Viewing the device details.
password • If the device is using a One Lock
password, and the policy for the personal
area and work area have been configured
differently, the stronger password policy
will be applied.
• If you want to configure the policy for
the personal area of a Work Profile (PO)
device, navigate to Security > Device
password.
• Weak Biometric: Set the password using a low-security

biometric recognition method.
• Pattern: Set a password with a pattern or with a higher
degree of complexity.
• Numeric: Set a password with numbers or with a higher
degree of complexity.
• Numeric Complex: Set the password containing at
least numeric characters with no repeating (4444) or
ordered (1234, 4321, 2468) sequences.
> Minimum PO: Android 2.2 or
strength • Alphabetic: Set the password containing at least higher
alphabetic (or other symbol) characters.
• Alphanumeric: Set a password with alphanumeric
characters or with a higher degree of complexity.
• Complex: All passwords must include alphanumeric
and special characters.
Note The password strength increases in the

following ascending order: Weak Biometric
< Pattern < Numeric < Numeric Complex <
Alphabetic < Alphanumeric < Complex.
Profile 212

The value can be between 4 - 16 characters. for Numeric
or Alphanumeric.
The value can be between 6 - 16 characters for Complex.
>> Minimum PO: Android 2.2 or
length Note Minimum length of the pattern password higher
be entered.
>> Minimum Set the minimum password length. PO: Android 3.0 or
number of letters The value can be between 1 - 10 characters. higher
>> Minimum Set the minimum number of numeric and special

characters allowed in the password. PO: Android 3.0 or
number of non-
higher
letters The value can be between 1 - 10 characters.
>> Minimum Set the minimum number of lowercase letters allowed in

the password. PO: Android 3.0 or
number of
higher
lowercase letters The value can be between 1 - 10 characters.
>>Minimum Set the minimum number of uppercase letters allowed in

number of capital
higher
>> Minimum Set the minimum number of numeric characters allowed

in the password. PO: Android 3.0 or
number of
higher
numeric character The value can be between 1 - 10 characters.
>> Minimum Set the minimum number of special characters allowed in

number of special
higher
characters The value can be between 1 - 10 characters.

>> Manage
PO: Android 3.0 or
password history Note If the password is ‘Knox123!’ and the higher
(times)
use ten other passwords before reusing
Set the maximum number of days before the password

>> Expiration after must be reset. PO: Android 3.0 or
(days) higher
The value can be between 0 - 365 days.
Profile 213
>> Maximum Set the maximum number of incorrect password attempts

before access is restricted. PO: Android 2.2 or
Failed Login
higher
Attempts The value can be between 0 - 10 times.

Block function
Note The visibility of the notifications on the lock PO: Android 4.2 or
setting on lock
screen depends on the options you set in the higher
screen
application.
Select the function to be blocked on the lock screen when

a password policy is set on a device.

> Block functions such as during a certain physical activity, at a specific
on lock screen location, and or when certain devices are added.
• Fingerprint: Blocks the fingerprint screen unlock
function.
• Previews in pop-ups: Displays notifications on the lock
SafetyNet Allows the use of SafetyNet attestation to validate the DO/PO: Android 6.0
Attestation integrity of the device. or higher
> Verification Set an interval at which the SafetyNet Attestation API

Interval (days) assesses the devices.
Select a measure.
> Verification
• Admin Alert: Sends an alert to the administrator.
Failure Policy
(During • Unenrollment (Factory Reset) (for DO only): Unenrolls
Enrollment) the device and performs a factory reset.
• Unenrollment (for PO only): Unenrolls the device.
Select a measure.
• Admin Alert: Sends an alert to the administrator.

> Verification
Failure Policy
• Lock device (for DO only): Locks the device.
(After Enrollment) • Unenrollment (Factory Reset) (for DO only): Unenrolls
the device and performs a factory reset.
• Unenrollment (for PO only): Unenrolls the device.
Profile 214
Kiosk
Select a Kiosk feature to use on a device.
• Single app: Runs a single application on the device’s

home screen.
• Multi app: Runs multiple applications that are
developed using the Kiosk Wizard.
• Kiosk Browser: Opens webpages that are specified by
the administrator.
Note • To use the Kiosk Browser, the Kiosk DO: Samsung Knox
Browser application must be registered 1.0 or higher
Kiosk app settings
as a Knox Manage application. For more Non-Samsung DO:
details, contact the TMS administrator. Android 9.0 or higher
• Single App Kiosks are not available with
non-Samsung Android Enterprise Fully
Managed (DO) devices that are equipped
with Android 6.0-8.0.
• Knox Manage provides Single App Kiosk
with Google managed applications for
Android Enterprise devices with version
9.0(Pie) or higher.
Click Select, and then choose Public applications

(Managed Google Play Store) or Kiosk applications from
the Kiosk application list. Alternatively, click Add, and then
> Set application
manually add applications. For more information about
adding single applications, see Creating a Single App
Kiosk.
Click Select to select multiple Kiosk applications from the

> Set application list or click New to create a Multi App Kiosk. To learn how
to use the Kiosk Wizard, see Exploring Kiosk Wizard.
When setting up the Kiosk Browser, the package name

> Set Kiosk
of the application registered as the Kiosk Browser will be
Browser
automatically selected.
Set the default page URL to call in the Kiosk Browser.
Note You can enter a URL that is up to 128 bytes

> Default URL
including alphanumeric characters and some
special characters (_,., -, *, /).
Profile 215
Use the screen saver for the multi-app kiosk and the
Kiosk Browser. When no user activity has been sensed
for a certain amount of time set in the Auto Screen Off
or Session Timeout settings on the device, the registered
> Screen Saver images or video files will be activated on the device
display.
Note The Screen Saver for the Kiosk Browser only

runs while the device is charging.
>> Screen Saver

Select either an image or video type screensaver.
Type
Select image files for the screen saver. You can add up
to 10 image files in the PNG, JPG, JPEG, or GIF format
(animated files are not supported). Each image file must
be less than 5 MB.
• To upload an image file, click Add and select a file.

>>> Image • To delete an image file, click next to the name of the
uploaded image file.
Note The device control command must be

transferred to the device to apply an image
file to it.
Select a video file for the screen saver. You can add only
one video file in the MP4 or MKV format. The video file
must be less than 50 MB.
• To upload a video file, click Add and select a file.

>>> Video • To delete a video file, click next to the name of the
uploaded video file.

transferred to the device to apply a video to
it.
Allows the use of the session timeout feature for the

Kiosk Browser. If the user does not use the device for a
set time, the device deletes user information, such as the
> Session timeout cache and cookies, in the device Kiosk Browser and goes
to the main page URL:
• Apply: Enables the session timeout feature for the

browser.
Set the session timeout in seconds for the Kiosk Browser.

>> Time (sec) The value can be between 10 - 3600 secs (default is
1800).
Profile 216
> Text Copy Allow the copying of text strings in the Kiosk Browser.
> Javascript Allow the running of the JavaScript contained in websites.
Allow the use of an HTTP proxy for communications in

> Http Proxy
the Kiosk Browser.
Set the HTTP proxy server IP or domain address, and Port.

>> IP/
When not entered, the Port number is automatically set to
Domain:Port
80.
Set the key value to be added to the user agent. Allow

the Kiosk Browser to access the Web server and the user
agent key values contained in the HTTP header.
> User agent
settings key value Note User agent key settings can be used to
detect access to non-Kiosk Browsers on the
web server.
DO: Samsung Knox

Delete Kiosk app 1.0
Allows to delete applications along with policies from a
when policy is
device when the applied policy is deleted. Non-Samsung DO:
removed
Android 9.0
Prohibit hardware
Allows the use of the hardware keys.
key
Select hardware keys to disable. The availability of

Hardware keys can vary by device
> Disallow DO: Samsung Knox
hardware key(s) If you do not allow the use of the Task Manager, then it 1.0 or higher
will not run, even if the user taps the left menu key in the
Navigation bar at the bottom of the device.
Allows the use of specific features on Kiosk mode

Utilities setting DO: Android 9.0
devices.
Allows the use of the Power button to turn off or restart

> Power the device.
Allow is the default value.
Allows the use of the Recent task button. The Home

button also needs to be allowed to use the Recent task
> Recent apps button.
Disallow is the default value.
Allows the use of the system status bar, which displays

the time, network connectivity, and battery status.
> System status
bar Note For Android P or higher devices, you must
allow the notification bar as well to enable
the system status bar.
Profile 217
Allows the access to the notification bar. If this

policy is set to Allow, the Home policy will be allowed
> Notification bar automatically.
Allows the use of the Home button on the device.

> Home
Allows the screen lock policy to be applied to the device.

If it is set to Disallow, users can access the Kiosk device
> Key guard without a screen lock password, regardless of the screen
lock policy of the device.
Allow is the default value.
Application
DO: Android 4.3 or

Installation of higher
Allows the installation of applications from untrusted
application from
sources instead of just the Google Play Store. PO: Android 5.0 or
untrusted sources
higher
Allows application control from the settings application.

The following actions can be configured: DO: Android 5.0 or
App Control
higher
• Delete / Execute / Prevention / CACHE Removal / Data
Removal / Focused Exit / Default App Removal.
DO: Android 4.3 or

higher
App Installation Allows application installation.
PO: Android 5.0 or
higher
DO: Android 4.3 or

higher
App Uninstallation Allows application uninstallation.
PO: Android 5.0 or
higher
DO: Android 5.0 or

Allows application verification via Google for all device higher
App Verification
applications.
PO: Android 5.0 - 7.1
Profile 218
Allows application runtime permission settings for all

areas.
• Prompt: Prompts users to grant or deny permissions.

DO/PO: Android 6.0
App Permission • Grant: Grants all relevant permissions.
or higher
• Deny: Denies all relevant permissions.
Note This policy applies to all applications.
Add individual application. Set different permission

policies for each application.
• To add an application, click Add, and then select

applications in the “Select Application” window.
• To delete an application, click next to the added
application.
> App permission
DO/PO: Android 6.0
exception policy Note • This policy takes priority over the App or higher
list
Permission policy when both are applied.
• Among the application permissions, only
the dangerous permissions can be added
to this policy. For more information, see
https://developer.android.com/guide/
topics/permissions/overview.
App Execution
Set to prevent the execution of the device applications.
Blacklist Setting
Add applications to prevent their execution. Icon of the

blacklisted application disappears and users cannot run
the application.

> App execution DO/PO: Android 5.0
blacklist • To delete an application, click next to the added or higher
application.
Note An application that has been added on the

Application installation whitelist policy
cannot be added.
Application
uninstallation
Set to prevent the uninstallation of the device application.
prevention list
Setting
Profile 219
Add applications to prevent their uninstallation.

> Application • To add an application, click Add, and then select DO/PO: Android 5.0
uninstallation applications in the “Select Application” window.
or higher
prevention list
application.
Set to activate hidden system applications for Android

Enterprise devices to view. If a device is activated with
Android Enterprise, only designated applications appear
System App on the device.
Activation Setting
Note Applications cannot be activated if they
are listed under the Application installation
block list.
Add system applications to be activated.
> System App

• To add an application, click Add, and then select DO/PO: Android 5.0
Activation or higher
application.
Settings for
whitelisting apps Allows the use of an external SD card. The external SD
allowing external card cannot be used by default.
SD card
Add applications that can use an external SD card.

> Whitelisted • To add an application, click Add, and then select
apps for external applications in the “Select Application” window.
SD card
application.
Location
DO: Android 4.3 or

Configure to force quit the GPS feature of device. Users
higher, Samsung
can freely change this feature setting on the device if the
GPS Knox 1.0 or higher
Location Setting policy is set to Allow.
PO: Android 4.3 or
• Disable On: Disables the GPS feature on the device. higher
Profile 220
Allows collecting location data.
• User consent: Allows location data collection only with

the user’s consent. DO: Android 2.3 or
higher, Samsung
Report device Note Knox 1.0 or higher
If the Fully Managed with Work Profile type is
location
used, location data from devices is collected PO: Android 5.0 or
based on the Report Device Location value, higher
which is specified in the Fully Managed
Device policy.
Set an interval period to save the location data of the

DO: Android 2.3 or
device.
higher, Samsung
> Report device Knox 1.0 or higher
Note To set the collection interval, select either
location interval
Allow or User consent for the Report device PO: Android 5.0 or
location policy. higher
DO: Android 2.3 or

higher, Samsung
High Accuracy Set to use for collecting accurate GPS locations of the Knox 1.0 or higher
Mode devices.
PO: Android 5.0 or
higher
Phone
DO: Android 9.0 or

Airplane mode Allows the use of airplane mode. higher, Samsung
Knox 2.0 or higher
Allows the use of emergency broadcast settings.

Cell Broadcast The carrier can send a same message, such as an DO: Android 5.0 or
Setting emergency alert, to the devices connected to the same higher
cellular base station.
DO: Android 5.0 or

Volume Adjustment Allows adjusting the volume.
higher
DO: Android 5.0 or

higher, Samsung
Microphone Allows the use of the microphone. Knox 1.0 or higher
PO: Samsung Knox
1.0 or higher
Profile 221
DO/PO: Samsung
> Recording Allows recording with the microphone.
Knox 1.0 or higher
DO: Samsung Knox

> S Voice Allows the use of S Voice.
1.0 or higher
Allows the use of voice calls.

Voice Call (except DO: Android 5.0 or
Note To control Samsung devices, use the Prohibit
Samsung Device) higher
voice Call policy.
SMS (except DO: Android 5.0 or

Allows the use of text messages.
Samsung Device) higher
DO: Android 7.0 or

Data connection
Allows a data connection while using roaming service. higher, Samsung
during roaming
Knox 1.0 or higher
Container
Copy and Paste

Allows copying and pasting with the clipboard between PO: Android 5.0 or
Clipboard per
the personal and work areas. higher
Profile
Bluetooth Low Allows using Bluetooth Low Energy that enables very low PO: Samsung Knox
Energy power operation of the device. 2.4 or higher
PO: Android 8.0 or

Bluetooth Share Allows sharing via Bluetooth with other devices.
higher
Allows sharing contacts from the Profile Owner to the

Phone Book Access connected device via Bluetooth.
PO: Android 6.0 or
Profile (PBAP) via
Note The Bluetooth share policy must be set to higher
Bluetooth
Allow before using this policy.
Profile 222
Factory Reset Protection
You can set up a factory reset protection policy for Android Enterprise devices. This policy allows
you to prevent the unauthorized use of an organization’s devices via a special validation method for
unlocking them after a factory reset.
Policy Description
Allows enabling Factory Reset Protection.

To enable Factory Reset Protection, complete the following steps:
1. Select Allow from the drop-down list.

• Further information about the FRP will be displayed.
2. Click Go to Google API Webpage to generate user ID.
3. Sign in with your Google account.
• You can use an existing Google account or create one specifically
for use with factory reset protection. Please be aware that this
account will be used to validate device users. Android Enterprise
Factory Reset Protection
account should not be used.
4. Enter the below input values on the right side of API page.
• resourceName : people/me
• personalFields : metadata
5. Click Execute.
6. In a green header box, copy the “id” field value and paste it to the
Google User ID field in Knox Manage Admin Portal.
7. Enter the same account ID to the Google Account ID field you signed in
Google API page at step 3, and click to save it.
Profile 223
Wi-Fi
You can add more Wi-Fi policy sets by clicking .
Policy Description
Configuration ID Assign a unique ID for each Wi-Fi setting.
Description Enter a description for each Wi-Fi setting.
Enter an identifier of a wireless router to connect to.

Network Name (SSID) You can also click Lookup to open the reference items list and select an
item from it. The reference value will be automatically entered.
Remove available Allows users to delete the Wi-Fi settings.
Allows to hide the network from the list of available networks on the
Hidden Network
device. The SSID does not broadcast.
Security type Specifies the access protocol used and whether certificates are required.
> WEP Set a WEP KEY index from WEP KEY 1 to 4.
> WPA/WPA2-PSK Enter a password.
Profile 224
Policy Description
Configure the following items:
• EAP Method: Select an authentication protocol from between PEAP and

TTLS.
• 2-step authentication: Select one from PAP and MSCHAP as a
secondary authentication method.
• User information input method: Select an input method for entering
user information.
–– Manual Input: Enter the user ID and Password for the Wi-Fi
connection.
You can also click Lookup to open the reference items list and select
an item from it. The reference value will be automatically entered.
–– Connector interworking: Choose a connector from the User
information Connector.
–– User Information: Use the user information registered in Knox
Manage to access Wi-Fi.
• External ID: Assign an external ID for Manual Input.
• User certificate input method: Select a user certificate confirmation
method.
–– EMM Management Certificate: Register an external certificate on
the Knox Manage server for each network setting, and then verify
> 802.1xEAP each network setting using that certificate. All users share this one
certificate for each network setting.
Note Navigate to Advanced > Certificate > External Certificate

to register network settings for each purpose.
–– Connector interworking: Verifies network settings using the user

information obtained by applying the filter set for the connector. To
verify the network settings on the device, you should set the Service
Type as Profile Configuration(Certification) when you register a
connector in Advanced > System Integration > Directory Connector.
To learn more about how to add a directory connector, see Adding
sync services.
When you search for a user using the filter set for the connector, the
user certificate (.p12 or .pfx) corresponding to the obtained user
information is applied along with a profile, allowing you to use this
certificate to verify the user.
–– Issuing external CA: Register a certificate obtained from an external
certificate authority to Advanced > Certificate > Certificate Template.
Then, you register a certificate template for each network setting,
and verify it as a user certificate. To learn more about how to add an
external certificate, see Adding external certificates.
Select a root certificate. Among the certificates registered in Advanced >

CA certificate Certificate > External Certificate, those with the Purpose set as Wi-Fi and
the Type set as Root will appear on the list.
Profile 225
Policy Description
Select a proxy server configuration method. You can use the server to
Proxy configuration
route through the proxy server when the device is connected to Wi-Fi.
Configure the proxy server manually.
• Proxy host name: Enter the host name of the IP address of the proxy
server
• Proxy port: Enter the port number used by the proxy server
> Manual • Proxy exception: Enter the IP address or domain address that cannot be
accessed through the proxy server.
If server authentication is required to use the proxy server, check the
Server authentication check box.
• User name: Enter the username for the proxy server.
• Password: Enter the password for the proxy server.
Configure the proxy server automatically.
> PAC automatic
configuration You should enter the PAC web address, the URL of the PAC file that
automatically determines which proxy server to use.
VPN
You can configure the VPN settings to connect to a private network through a public network. You
can add more VPN policy sets by clicking . Only the Pulse Secure VPN type can be configured for
Policy Description
Configuration ID Assign a unique ID for the VPN setting.
Description Enter a description for the VPN setting.
VPN type The VPN type is set to Pulse Secure by default and you cannot change it.
Creates a VPN connection when the device starts and maintains it while
Always On VPN
the device is turned on.
Server URL Enter the URL of the VPN server.
Select an authentication type for the VPN connection between Password,

Authentication Type
Certificate, and both.
Enter the user ID for the VPN connection.

User name You can also click Lookup to open the reference items list and select an
Password Enter the password for the VPN connection.
Identity Certificate Select a certificate to identify itself to its peer.
Profile 226
Policy Description
Set to use the VPN settings for the entire device or for selected
Route Type
applications.
Select applications to allow or disallow from using the VPN. To add an

> Apps to use VPN
application, click Whitelist Apps or Blacklist Apps, click Add, and then
Configuration
select applications in the “Select Application” window.
Bookmark
For Android Enterprise devices, a shortcut to the bookmarked address of a specific URL is created on
the home screen of the device, not in the web browser.
Note • Only the device user can delete the shortcuts manually.
• Deleting a bookmark policy from the Knox Manage Agent can render different effects based on
the OS version. In both cases, manual deletion by the device user is recommended:
–– Android Pie (9.0): Shortcuts will still appear grayed out on the home screen.
–– Android Oreo (8.0): Shortcuts will not be removed.
Policy Description
Configuration ID Assign a unique ID for each bookmark setting.
Description Enter a description for each bookmark setting.
Specifies a location to install the bookmark.
• ShortCut: Creates a shortcut of the bookmarked address on the home

screen of the device. Shortcut icons are created based on the Samsung
Launcher.
Installation area –– Android Enterprise devices only supports the shortcut type.
–– Shortcut icons may not be able to be created depending on the type
of launcher set by the user.
–– An administrator cannot delete the shortcut icon, but the user can
delete it manually.
ShortCut image Select a shortcut icon to be created on a user device.
Bookmark page URL Enter a website address to go to when a bookmark is selected.
Bookmark name Enter the bookmark name to be displayed as a title in the bookmark.
Profile 227
Certificate
You can install a user certificate on a device and use the certificate through Wi-Fi or on websites. You
can add more certificate policy sets by clicking .
Policy Description
Configuration ID Assign a unique ID for each certificate setting.
Description Enter a description for each certificate setting.
Select an input method for entering certificate information.
• EMM Management Certificate: Register an external certificate on the

Knox Manage server for each network setting, and then verify each
network setting using that certificate. All users share this one certificate
for each network setting.
Note Navigate to Advanced > Certificate > External Certificate to

register network settings for each purpose.
• Connector interworking: Verifies network settings using the user

User certificate input
method
To learn more about how to add a directory connector, see Adding sync
services.
• When you search for a user using the filter set for the connector, the
• Issuing external CA: Register a certificate obtained from an external
Select a certification category when EMM Management Certificate is

selected in User certificate input method,
• CA certificate: Select a certificate to use from the CA certificate list.

Among the certificates registered in Advanced > Certificate > External
Certificate, those with the Purpose set as CA Cert and the Type set as
Certificate Category
Root will appear on the list.
• User certificate: Select a certificate to use from the User Certificate list.
Certificate, those with the Purpose has been set as CA Cert and the
Type set as User will appear on the list.
Apps with Delegated Add specific applications, which are installed on the device, to grant silent
Certificate Management privileged access via a certificate while running.
Profile 228
Configuring Samsung Knox (Android Enterprise) Policies
Create a profile and register policies only for Android Enterprise manage type Samsung devices.
Some policies that require the KSP agent may not be able to configure if you do not approve the KSP
agent in the Android Enterprise settings. These policies are marked with .
Note KSP policies are not applicable to the Fully Managed with Work Profile type. For devices that are
enrolled as the Fully Managed type with KSP policies applied, these policies can remain even
after the device type changes to the Fully Managed with Work Profile type. It is recommended to
remove them manually.
→→ System
Provides data sharing or save settings, developer options, and other features.
→→ Interface
Controls the network settings, such as Wi-Fi Hotspot and Bluetooth tethering, and controls the USB media
player settings.
→→ Security
Configures security settings, such as the Google Android security update policy.
→→ Kiosk
Configures the Kiosk device settings.
→→ Application
Configures the battery optimization exceptions setting.
→→ Browser
Configures the settings for the default web browser and Chrome browser.
→→ Phone
Configures the phone settings, such as the cellular network settings.
→→ Firewall
Configures the IP or a domain firewall policy for each application.
→→ DeX
Allows the use of DeX mode, an interface to use a mobile device like a desktop.
→→ APN
Configures the APN (Access Point Name) settings.
System
Profile 229
DO/PO: Samsung
Share Via Options Allows sharing of data from one application to another.
Knox 3.0 or higher
Domain blacklist
Allow using the domain blacklist.
Settings
Enter a domain blacklist that should not be used when

registering an Exchange or email account.
> Domain • To add a domain, enter the domain name in the field, DO: Samsung Knox
blacklist and click . 1.0 or higher
• To delete a domain, click next to the added domain
name.
Allows powering off the device.
Note • If this policy is disallowed, the use cannot

turn off the device and cannot perform
DO: Samsung Knox
Power off factory rest.
1.0 or higher
• The device command from an
administrator for factory reset is also
blocked.
DO: Samsung Knox

OTA Upgrade Allows an OTA upgrade for the device.
1.0 or higher
Allows the configuration changes within the System DO: Samsung Knox
Settings
Settings. 1.0 or higher
DO: Samsung Knox

Expand status bar Allows the expansion of the status bar.
1.0 or higher
Allows using the clipboard feature and sets the range.
• Allow: Allows the clipboard feature throughout the

entire system.
DO/PO: Samsung
Clipboard • Disallow: Disallows the clipboard feature throughout Knox 1.0 or higher
the entire system.
• Allow within the same app: Allows using the clipboard
feature only within the same application.
DO/PO: Samsung
Share via apps Allows the share app feature.
Knox 1.0 or higher
Allows using the Smart Select, which is one of the

Samsung device features. It allows users to clip a content DO: Samsung Knox
Smart Select
by drawing a circle with the S pen. Clipped contents can 2.3 or higher
be used on notes or anywhere else.
DO: Samsung Knox

Developer mode Allows using a developer mode.
2.0 or higher
Profile 230
Allows using a mock location, which specifies an

arbitrary location for development or test purposes. Use
DO: Samsung Knox
> Mock location this policy if the location information from the Update
1.0 or higher
Device Information in the Send Device Command seems
incorrect.
Allows setting the number of background processes.

> Background If this policy is disabled, the default number of DO: Samsung Knox
process limitation background processes will be set at the maximum 1.0 or higher
number.
Enables closing all running applications when the user

> Quit application logs out of the device.
DO: Samsung Knox
upon killing If this policy is disabled, the activation setting is disabled 1.0 or higher
activities on the device and the user cannot control the device
settings.
Allows using the reboot banner which appears on the DO: Samsung Knox
Reboot banner
user’s device when the device reboots. 1.0 or higher
Enter the text for the reboot banner. You can enter up to
1000 bytes.
> Reboot banners Note You can customize banners for Samsung DO: Samsung Knox
stationery Knox 2.2 + devices. For Samsung Knox 2.2 or higher
1.0 devices, only the message or banner
registered by the manufacturer is displayed.
Control Power DO: Samsung Knox

Allows power saving controls on the device.
saving mode 2.8 or higher
Allows using the hardware key on the device to update

Firmware download firmware. DO: Samsung Knox
mode control • Disallow: Disallows updating firmware with the 2.0 or higher
hardware key and performing a factory reset.
Samsung Keyboard Allows accessing the settings key from the Samsung DO: Samsung Knox
settings control keyboard. 2.0 or higher
Allows the device to use the data saver mode DO: Samsung Knox
Data Saver Mode automatically. 3.0 or higher
Whitelisted Device Enables blocking activation of any applications as device DO: Samsung Knox
Admin admin, except those specified on the whitelist. 3.0 or higher
Add applications to the whitelist.
> Whitelisted
Apps
application.
Profile 231
Interface
Allows NFC (Near Field Communication) control. DO: Samsung Knox

1.0 or higher
NFC Control Note Android 10 (Q) or higher devices are not
PO: Samsung Knox
supported.
2.4 or higher
Allows a device connection via OTG (On the Go). OTG

controls only the storage items and not the non-storage
items, such as a keyboard or mouse.
Note To use DeX, configure the policy to allow

DeX mode. If the configuration value is set
USB host storage as either allow or disallow, make the USB DO: Samsung Knox
(OTG) exception list as below: 1.0 or higher
• Using DeX only: All block.
• Using DeX, Keyboard, and Mouse: Hid.
• Using DeX, Keyboard, Mouse, Ethernet:
Hid, Communication, Cdc Data, Vendor
Spec.
> Set usb

Select a USB interface to use if the USB host storage
exception allowed
(OTG) policy is disallowed.
list
Select the USB interface to use from the USB exception

>> USB exception DO: Samsung Knox
allowed list. For more information, see https://www.usb.
allowed list 3.0 or higher
org/defined-class-codes.
DO: Samsung Knox

Wi-Fi hotspot Specify using mobile Wi-Fi hotspot on the device.
1.0 or higher
Allows using the Wi-Fi SSID whitelist. Devices can only

connect to the Wi-Fi APs on the whitelist.
Wi-Fi SSID whitelist Note For non-Samsung devices with Android 8.0
setting or a higher version, this policy can only be
applied when it has been agreed to grant
access to location information.
Profile 232
Add Wi-Fi APs to the whitelist. This policy is irrelevant to

adding or deleting the Wi-Fi setting profile.
> Wi-Fi SSID • To add a Wi-Fi AP, enter a Wi-Fi SSID and click . DO: Samsung Knox
whitelist • To add all Wi-Fi APs, click Add all to access the Wi-Fi 1.0 or higher
list.
• To delete a Wi-Fi AP, select a Wi-Fi SSID and click .
Allows using the Wi-Fi SSID blacklist. Devices cannot

connect to Wi-Fi APs on the blacklist.
Wi-Fi SSID Blacklist Note For non-Samsung devices with Android 8.0
Add Wi-Fi APs to the blacklist. This policy is irrelevant to

> Wi-Fi SSID • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add. DO: Samsung Knox
Blacklist • To add all Wi-Fi APs, click Add all to access the Wi-Fi 1.0 or higher
list.
Wi-Fi auto Allows automatic connection to the Wi-Fi SSID already DO: Samsung Knox
connection stored in the device. 1.0 or higher
Set a minimum security level for Wi-Fi.
Wi-Fi minimum Note The security level increases in the following DO: Samsung Knox
security level ascending order: OPEN < WEP < WPA < LEAP, 1.0 or higher
setting PWD < FAST, PEAP < TSL, TTLS, SIM, AKA,
AKA’
Allows devices to connect to open and unprotected Wi-Fi

Open Wi-Fi DO: Samsung Knox
access points. If this policy is disallowed, users cannot
Connection 3.0 or higher
connect to unsecured Wi-Fi networks.
Control for Wi-Fi

Makes the password hidden or visible in the network edit DO: Samsung Knox
password to be
dialog. 3.0 or higher
Visible
DO: Android 4.3 or

USB tethering Allows USB tethering. higher, Samsung
Knox 1.0 or higher
Allows Bluetooth tethering to share the internet DO: Samsung Knox

Bluetooth tethering
connection from one device to another. 1.0 or higher
Bluetooth UUID Allows connecting Bluetooth devices based on their

Whitelist Setting Universal Unique Identifier (UUID).
Profile 233
Select devices to allow Bluetooth connections with. Click

the checkboxes for Audio, File transfer, Phonebook,
Headsets, or Hands-free.
> Bluetooth UUID DO: Samsung Knox
whitelist Note When updating the policy, current Bluetooth 1.0 or higher
connection gets disconnected. Users must
reconnect.
Bluetooth UUID Allows disconnecting Bluetooth devices based on their

Blacklist Setting Universal Unique Identifier (UUID).
Select devices to block Bluetooth connections with. Click

> Bluetooth UUID DO: Samsung Knox
blacklist Note When updating the policy, current Bluetooth 1.0 or higher
reconnect.
DO: Samsung Knox

1.0 or higher
USB Debugging Allows USB debugging.
PO: Android 5.0 or
higher
Allows the use of an external USB media player on the DO: Samsung Knox
USB Mediaplayer device. 3.0 or higher
Security
Google Android Allows the user to select whether to receive updates on

the device. DO: Samsung Knox
security update
2.6 or higher
policy • Forced use: Set to receive security updates by default.
Profile 234
Kiosk
DO: Samsung Knox

Task manager Allow the use of the Task Manager.
1.0 - 2.4
Use the System bar which refers to the Status bar in

the Notifications area at the top of the device and the
Navigation bar in the Buttons area at the bottom. DO: Samsung Knox
System bar
For non-Samsung devices, even if you selected either 1.0 or higher
Allow status bar only or Allow navigation bar only, both
the status bar and the navigation bar will be disabled.
Allows the use of multiple windows. This is available for DO: Samsung Knox
Multiple windows
devices that provide the functionality of multiple windows. 1.0 or higher
Allows the use of Air command. Air command is a

function provided on Samsung devices. Menu items
appear when the user brings an S pen close to the screen. DO: Samsung Knox
Air command
2.2 or higher
Note Air command is not available on Kiosk mode
devices with Android Pie (9.0) or higher.
Allows the use of Air view. Air view is a function provided

on Samsung devices. Users can preview a picture or email DO: Samsung Knox
Air view
when they bring the S pen or finger close to the picture or 2.2 or higher
other content.
Allows the use of the Edge screen of the device. The Edge
screen allows users to create shortcuts on the edges of DO: Samsung Knox
Edge screen
the screen panel to frequently used applications, favorite 2.5 or higher
contacts, or the camera.
Application
Set to exempt applications from the battery optimization

Battery optimization mode. DO/PO: Samsung
exceptions Knox 2.7 or higher
Note This policy may cause battery loss.
Profile 235
Add applications to be exempted from battery

optimization mode.
> Apps excluded
from battery
optimization
application.
Browser
Allows cookies in the Android browser.
Note If cookies are not allowed, you cannot DO: Samsung Knox
Cookies
access websites that authenticate users with 1.0 or higher
cookies.
DO: Samsung Knox

JavaScript Allows JavaScript in the Android browser.
1.0 or higher
Allows auto-completion of information that you enter on DO: Samsung Knox

Autofill
websites in the Android browser. 1.0 or higher
DO: Samsung Knox

Pop-up block Allows blocking pop-ups in the Android browser.
1.0 or higher
Set the proxy server address for the Android browser.

Enter the value in the form of IP:port or domain:port in the
fields.
DO: Samsung Knox
Browser proxy URL Note • The Chrome browser and Samsung S 1.0.1 or higher
browser are supported.
• The supported version for Chrome is Knox
4.0.1 - 5.6.
Profile 236
Phone
Prohibit voice call Prohibits incoming and outgoing voice calls.
Specifies the types of voice calls to block:
• Incoming: Blocks incoming voice calls only.

DO: Samsung Knox
> Voice call • Outgoing: Blocks outgoing voice calls only. 1.0 or higher
If both are selected, only emergency calls can be made or
received.
Disallow SMS/MMS Allows sending and receiving SMS/MMS messages.
> Disallow Select the types of SMS/MMS messages to disable.

Incoming/ DO: Samsung Knox
Outgoing SMS/ Note At least one of the types should be selected. 1.0 or higher
MMS
WAP push during DO: Samsung Knox

Allows WAP push communications while roaming.
roaming 1.0 or higher
Data sync during DO: Samsung Knox

Allows data synchronization while roaming.
Voice calls during DO: Samsung Knox

Allows voice calls while roaming.
Prevents the use of the SIM card on a user device. To

use this policy, the default PIN of the SIM card should
be entered. Then, the new PIN number for the SIM card
Use SIM card should be entered. DO: Samsung Knox
locking 1.0 or higher
If the locked SIM card is registered to another device, the
device is locked and the user must enter a valid PIN to
unlock it.
Enter the default PIN found on the SIM card.

The value is 4 - 8 digit numbers.
> Default SIM PIN Note This policy is intended for use by Corporate-
Owned, Personally Enabled (COPE) devices
and is only applied if the PIN found on the
SIM card matches the default PIN.
Enter the new PIN number for the SIM card. The new PIN
number can be found next to SIM PIN Number in the
> New SIM PIN “Network“ tab of the “Device Detail” page.
Profile 237
DO: Samsung Knox

Cellular Data Allows the use of a cellular data connection.
3.0 or higher
Manage RCS DO: Samsung Knox

Allows Rich Communication Services (RCS) on the device.
Messaging 3.0 or higher
> Set Disclaimer Set a disclaimer text for all outgoing SMS and MMS
Text for messages. The disclaimer text should be limited to 30
Messages characters.
Firewall
Set to use the firewall to set target IP addresses. The DO/PO: Samsung
Firewall
firewall policy is enabled by default. Knox 1.0 - 2.4.1
Input values to permit the target IP and port address.

Configure the following:
1. Enter or click Add to search the Package Name of the

application.
2. Input the IP Address (range) and Port (range).
3. Select the Network Type:
• All
• Data: Only mobile network access is enabled.
> Permitted policy • Wi-Fi: Only Wi-Fi network access is enabled. DO/PO: Samsung
(IP) 4. Select Port Range: Knox 2.5 or higher
• All
• Local: Port access from the device is enabled.
• Remote: Port access from the target server is
enabled.
5. Click to add.
Note Before setting this policy, disable all IPs

by entering a wildcard character (*) to the
Prohibited Policy (IP) ranges.
Profile 238
Input values to prohibit the target IP and port address.


application.
2. Enter the IP Address (range) and Port (range).
• Enter a wildcard character (*) as an IP Address to
prohibit the use of the bandwidth.
3. Select Network Type:
• All
> Prohibited • Data: Mobile network access is disabled. DO/PO: Samsung
policy (IP) • Wi-Fi: Wi-Fi network access is disabled. Knox 2.5 or higher
4. Select Port Range:
• All
• Local: Port access from the device is disabled.
disabled.
5. Click to add.
Note When entering the IP address, you can

use a wildcard character (*) to disable the
bandwidth usage.
Input values to permit the target domain address.

application.
Note • Before setting this policy, disable all

> Permitted policy domains by entering a wildcard character DO/PO: Samsung
(Domain) (*) to the Prohibited policy (Domain) Knox 2.6 or higher
ranges.
• Use a wildcard character (*) to allow the
use of a specific domain. The character
must be placed before or after the domain
name.
e.g.) *android.com / www.samsung*
Profile 239
Input values to prohibit the target domain address.

application.
> Prohibited DO/PO: Samsung
policy (Domain) 2. Input the IP Address (range) and Port (range). Knox 2.6 or higher
Note Use a wildcard character (*) to prohibit a

specific domain.
Input values to specify the domain server address of all

applications or registered applications.

application.
2. Input DNS values. DO/PO: Samsung
> DNS setting
• DNS1: Primary DNS. Knox 2.7 or higher
• DNS2: Secondary DNS.
Note Only one DNS per application can be set and
it is effective only when there are no VPN or
Proxy policies assigned to the application.
Profile 240
DeX
Samsung DeX is an accessory that extends the functionalities of a mobile device. By connecting a
monitor, keyboard, and mouse to a Dex docking station, the mobile device can function as a desktop
computer
In Knox Manage, you can allow the use of DeX mode and control applications according to the
Application execution blacklist setting.
Allows the use of DeX mode.

DO: Samsung Knox
Allow DeX Mode • Disallow: The DeX station will not function even if a 3.0 or higher
mobile device is mounted on it.
Allows ethernet only for DeX. Mobile data, Wi-Fi, and DO: Samsung Knox
Allow Ethernet Only
tethering are blocked. 3.0 or higher
App execution
Use the blacklist for running DeX applications.
blacklist(Android)
Prohibits launching the specified applications.

When this policy is enabled and applied, the icons of the
blocked applications will disappear so that users cannot
launch them. However, the applications are not deleted.
The icons will reappear once the policy is changed or
Knox Manage is disabled.
> App execution • To add an application, click Add, and then select DO: Samsung Knox
blacklist applications in the “Select Application” window. 3.0 or higher
application.
Note Any applications that already have been

added to the Application whitelist cannot be
added to the Application blacklist.
APN
You can add more APN policy sets by clicking .
Policy Description
Configuration ID Enter an ID name to be displayed on the device.
Description Enter a description for an APN.
Profile 241
Policy Description
Allows users to delete APN settings. If you choose Disallow, then the
Remove available
button used to delete APN settings is disabled.
Access Point Name (APN) Enter the name of the access point.
Select the type of the access point.
• Default: default type.

Access Point Type
• MMS: Multimedia Messaging Service.
• Supl: IP-based protocol to receive GPS satellite signals.
Mobile Country Code (MCC) Enter the country code for the APN.
Mobile Network Code (MNC) Enter the carrier network code for the APN.
MMS Server (MMSC) Enter the server information for sending multimedia messages.
Enter the information of the proxy server for sending multimedia

MMS Proxy Server
messages.
Enter the port number of the proxy server for sending multimedia
MMS Proxy Server Port
messages.
Server Enter the WAP gateway server name.
Proxy Server Enter the information of the proxy server.
Proxy Server Port Enter the port number of the proxy server.
Enter the user name of the access point.

Access Point Username You can also click Lookup to open the reference items list and select an
Enter the password of the access point.

Access Point Password You can also click Lookup to open the reference items list and select an
Select an authentication method.
• None: Disables authentication.

Authentication Method • PAP: Requires a user name and password for authentication.
• CHAP: Uses encryption with a Challenge string for authentication.
• PAP or CHAP: Uses the PAP or CHAP authentication method.
Set as Preferred APN Applies APN settings to the device.
Profile 242
Configuring Android Legacy Policies
Create a profile and register policies for Android Legacy devices.
You can configure the policies below for Android Legacy devices. The availability of each policy
varies depending on the OS version.
→→ System
Provides backup and restore settings, developer options, and other features. Updates the operating
system on a device.
→→ Interface
Controls the network settings, such as Bluetooth, Wi-Fi Direct, and tethering.
→→ Security
Configures the security settings, such as the password and lock screen.
→→ Kiosk
Configures Kiosk applications on a Kiosk device and controls the device settings.
→→ Application
Configures options for application controls such as installation, verification, and permission.
→→ Location
Allows the use of GPS or collecting location data from a device.
→→ Browser
Allows the use of the default web browser and configures the settings for it.
→→ Phone
Configures the phone settings, such as airplane mode, the microphone, and the cellular network settings.
→→ Firewall
→→ Logging
Allows performing logging and configuring the settings.
→→ DeX
Allows the use of DeX mode, an interface to use a mobile device like a desktop.
→→ Wi-Fi
→→ Exchange
Configures the settings of Microsoft Exchange ActiveSync accounts to synchronize data with it.
→→ Email Account
Configures the settings of a POP or IMAP email account.
→→ Bookmark
Configures the bookmark settings, such as the configuration ID and installation area.
Profile 243
→→ APN
Configures the APN (Access Point Name) settings.
→→ Knox VPN
Configures a VPN (Virtual Private Network) on Samsung Galaxy devices.
→→ VPN
Configures a VPN (Virtual Private Network) on Android devices.
→→ Certificate
System
Allows a device factory reset.
• Disallow: Factory reset using the hardware button is Samsung Knox 1.0
Factory reset
prevented. However, factory reset using the firmware or higher
update utility cannot be prevented.
Allows powering off the device.
• Disallow: The power off option menu does not

appear even with the use of a power button. However, Samsung Knox 1.0
Power off
powering off by separating the battery cannot be or higher
prevented. Factory reset is prohibited if this policy is
disallowed.
Allows backup of the device data.
Note If the backup function can be found on your

device at Google > Backup, it may seem
possible to turn the backup setting on or off, Samsung Knox 1.0
Backup
even if this policy is set to Disallow. However, or higher
the functionality of backup is prohibited,
regardless of mobile UI, when the Backup
policy is set to Disallow.
Samsung Knox 1.0

OTA upgrade Allows an OTA upgrade for the device.
or higher
Samsung Knox 1.0

Settings Allows the configuration of the System Settings.
or higher
Samsung Knox 1.0

System app close Allows force closing system applications.
or higher
App crash report to Allows reporting the application error occurrence Samsung Knox 1.0
Google information to Google. or higher
Samsung Knox 1.0

Multiple users Allows multiple users.
or higher
Profile 244
Samsung Knox 1.0

Expand status bar Allows the expansion of the status bar.
or higher
Samsung Knox 1.0

Change wallpaper Allows changing the home and the lock screens.
or higher
Automatic Date and Samsung Knox 1.0

Allows changing the date and time.
Time or higher
Allows using the camera.

Samsung Knox 1.0
Note If the camera in the general area is restricted,
Camera or higher, Android
the camera in the Knox Workspace is also 4.0 or higher
restricted.
Allows use of the camera for face unlock even when the
>Face recognition Samsung Knox 3.2.1
camera is disabled in the Camera policy. This policy is
camera or higher
available when Camera is set to Disallow all.
Allows use of the screen capture function, which is Samsung Knox 1.0
Screen capture
already set as default. or higher
Allows the clipboard feature throughout the

entire system. Samsung Knox 1.0
Clipboard
or higher
• Allow within the same app: Allows using the clipboard
feature only within the same application.
Samsung Knox 1.0

Share via apps Allows the share app function.
or higher
Allows using Android Beam which transfers data via NFC.

Samsung Knox 1.0
S Beam Note Android 10 (Q) or higher devices are not or higher
supported.
Samsung Knox 1.0

Encryption for Specifies the encryption of the device’s system storage or
or higher, Android
storage the external SD card.
1.0 or higher
Check the checkbox to select the storage to be encrypted.

> Storage
Note External SD card encryption is applicable to
encryption
Samsung Galaxy devices only.
Samsung Knox 1.0

External SD Card Allows using the external SD card.
or higher
Profile 245
Allows writing to an external SD card.
Note If the external SD card policy is allowed but

> Write to external Samsung Knox 1.0
SD card the Write to external SD card policy is not, or higher
then external SD cards can only be read and
do not have reset control.
Unauthorized SD Android 1.0 (SDK1

Allows using unauthorized SD cards.
Card or higher)
Select the control function to be triggered if device OS

tampering is detected.

Note Android 10 (Q) or higher devices are not
supported.
• Lock Email: Locks email use.

If compromised OS Samsung Knox 1.0
is detected • Factory reset + Initialize SD card: Simultaneously or higher
factory resets the user device and the SD card.
• Factory reset (only): Resets the user device but not the
SD card.
Note The factory reset (only) function is

unsupported in Android 2.0 or lower. To
reset the device, select the Factory reset +
Initialized SD card option.
Allows using the Smart Select, which is one of the

Samsung device features. It allows users to clip a content Samsung Knox 2.2
Smart Select
by drawing a circle with the S pen. Clipped contents can or higher
be used on notes or anywhere else.
Specifies to run or install EMM applications other than the

Knox Manage application.
• Allow: Allows installing or enabling EMM applications.

Device
• Disallow installation: Disallows installing EMM
applications.
Administrators to Samsung Knox 2.0
install and activate • Disallow activation: Disallows enabling EMM or higher
apps applications.
Note You cannot control this policy if another

EMM application is active before the policy
has been set.
Profile 246
Allows installing or activating select EMM applications

by adding them to the whitelist. This policy is available
only when the Device Administrator to Install and Activate
apps policy is set to Disallow installation or Disallow
activation.

> Exceptional app applications in the “Select Application” window. Samsung Knox 2.0
whitelist or higher
application.
• Disallow installation: Only the whitelisted applications
are allowed to be installed.
• Disallow activation: Only the whitelisted applications
are allowed to be activated.
Samsung Knox 2.0

Developer mode Allows using the developer mode.
or higher
Allows setting the default number of background

> Background processes. Samsung Knox 1.0
process limitation If this policy is disabled, the number of background or higher
processes will be set at the maximum number.
Enables closing all running applications when the user

> Quit application logs out of the device.
Samsung Knox 1.0
upon killing If this policy is disabled, the activation setting is disabled or higher
activities on the device and the user cannot control the device
settings.
Allows using the mock location, which specifies an

arbitrary location for development or test purposes.
Samsung Knox 1.0
> Mock location Use this policy if location information from the Update or higher
Device Information of the Send Device Command seems
incorrect.
Allows using Safe Mode. This policy retains device control

Samsung Knox 1.0
Safe mode functions such as camera control, but not Knox Manage
or higher
applications and preloaded applications.
Allows using the reboot banner which appears on the Samsung Knox 1.0
Reboot banner
user’s device when the device reboots. or higher
Enter the text for the reboot manager. You can enter up to
1000 bytes.
Note You can customize banners for Samsung

> Reboot banners Samsung Knox 2.2
stationery Knox 2.2 or higher devices. For Samsung or higher
Knox 1.0 devices, only the message or
banner registered by the manufacturer is
displayed.
Profile 247
Domain blacklist Samsung Knox 1.0

Allows using the domain blacklist.
Settings or higher
Enter a domain blacklist that should not be used when

registering an Exchange or email account.
> Domain • To add a domain, enter the domain name in the field,
blacklist and click Add.
name.
Allows using the NTP (Network Time Protocol) server. Samsung Knox 2.5
NTP Settings
Register this server to sync the server time to a device. or higher
Samsung Knox 2.5

> Server address Enter the NTP server address.
or higher
> Maximum Set the maximum number of attempts for connecting to

the NTP server to retrieve the time information. Samsung Knox 2.5
number of
or higher
attempts The value can be between 1 – 100 times.
> Polling cycle Set the cycle to reconnect to the server via NTP. Samsung Knox 2.5
(hr) The value can be between 1 – 8760 hours (8760 = 1 year). or higher
Set the cycle to re-connect to the NTP server after

> Short polling experiencing a timeout. Samsung Knox 2.5
cycle (sec) or higher
Set the connection timeout on the NTP server. Samsung Knox 2.5
> Timeout (sec)
The value can be between 1 – 1000 seconds. or higher
Sets the device to display notifications when a device

control event is applied.

Set Notifications Samsung Knox 1.0
device from the Settings menu of Knox Manage Agent.
from an event to or higher, Android
On. • Show notification: Displays the notification when an 1.0 or higher
event for device control is applied.
• Hide notifications: Hides the notification when an event
for device control is applied.
Sets the device to display the notifications when an event


Set Notifications Samsung Knox 1.0
device from the Settings menu of Knox Manage Agent.
from an event to or higher, Android
Off. • Show notification: Displays a notification when an 1.0 or higher
event for device control is disengaged.
• Hide notifications: Hides a notification when an event
Profile 248
Set the removal of the notification from the device Quick

panel.
• User Defined: Users can remove notification on the

Samsung Knox 1.0
Fix Event device from the settings menu of Knox Manage Agent.
or higher, Android
Notification • Disallow to Remove Notification: Users cannot remove 1.0 or higher
• Allow to Remove Notification: Users can remove
Control Power Samsung Knox 2.8

Allows power saving control on the device.
saving mode or higher
Allows using the hardware key on the device to update

Firmware download firmware. Samsung Knox 2.0
mode control • Disallow: Disallows updating firmware with the or higher
hardware key and performing a factory reset.
Samsung Keyboard Allows accessing the settings key from the Samsung Samsung Knox 2.0
settings control keyboard. or higher
Allows the device to use the data saver mode Samsung Knox 3.0
Data Saver Mode
automatically. or higher
Interface
Allows using Wi-Fi. If the Wi-Fi policy has not been

applied successfully, the device will try to apply it again
30 minutes later after Knox Manage is activated.
Samsung Knox 1.0
• Allow: Allows using Wi-Fi.
Wi-Fi or higher, Android
• Disable On: Disallows turning on Wi-Fi. It is turned off at 1.0 or higher
all times.
• Disable Off: Disallows turning off Wi-Fi. It is turned on
at all times.
Allows use of the Wi-Fi Direct (Wi-Fi P2P) connection.
Note • Set the Wi-Fi policy to Allow or Disable Off

before using this policy. Samsung Knox 1.0
> Wi-Fi Direct
or higher
• Depending on the device type, the direct
connection of the two devices may cause
the function or the menu to get controlled.
Profile 249
Samsung Knox 1.0

Wi-Fi hotspot Allows use of the Wi-Fi hotspot. or higher, Android
2.3 or higher
Allows using the Wi-Fi SSID whitelist. Devices can only

connect to the Wi-Fi APs on the whitelist.
Samsung Knox 1.0
Wi-Fi SSID whitelist Note For non-Samsung devices with Android 8.0 or higher, Android
setting or a higher version, this policy can only be 1.0 or higher
Add Wi-Fi APs to the whitelist. This policy is irrelevant to

adding or deleting the Wi-Fi setting profile. Android 1.0 (SDK1)
> Wi-Fi SSID • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add. or higher
whitelist • To add all Wi-Fi APs, click Add all to access the Wi-Fi Samsung Knox 1.0
list. or higher
Allows using the Wi-Fi SSID blacklist. Devices cannot

connect to Wi-Fi APs on the blacklist.
Wi-Fi SSID Blacklist Note For non-Samsung devices with Android 8.0
Add Wi-Fi APs to the blacklist. This policy is irrelevant to

Samsung Knox 1.0
> Wi-Fi SSID • To add a Wi-Fi AP, enter a Wi-Fi SSID and click Add.
or higher, Android
Blacklist • To add all Wi-Fi APs, click Add all to access the Wi-Fi 1.0 or higher
list.
Wi-Fi auto Allows automatic connection to Wi-Fi SSID already stored Samsung Knox 1.0
connection in the device. or higher
Set a minimum security level for Wi-Fi.

Wi-Fi minimum
The security level increases in the following ascending Samsung Knox 1.0
security level
order: OPEN < WEP < WPA < LEAP, PWD < FAST, PEAP < or higher
setting
TSL, TTLS, SIM, AKA, AKA’
Allows using Bluetooth.
• Allow: Allows using Bluetooth.

Samsung Knox 1.0
Bluetooth • Disable On: Disallows turning on Bluetooth. It is turned or higher, Android
off at all times. 1.0 or higher
• Disable Off: Disallows turning off Bluetooth. It is turned
on at all times.
Profile 250
> Desktop PC Allows Desktop PC connections with the user’s device via Samsung Knox 1.0
connection Bluetooth. or higher
Allows data exchanges with other devices via Bluetooth Samsung Knox 1.0
> Data transfer
connection. or higher
Samsung Knox 1.0

> Search mode Allows device search via Bluetooth.
or higher
Samsung Knox 1.0

> Bluetooth Allows Bluetooth tethering to share the internet
or higher, Android
tethering connection with another device.
4.2 or higher
Select a method to connect Bluetooth devices based on

their Universal Unique Identifier (UUID).
Bluetooth UUID • Blacklist configuration: Set a device to block Bluetooth
Black/Whitelist connections from certain devices.
• Whitelist configuration: Set a device to allow Bluetooth
connections to certain devices.
Select devices to block Bluetooth connections with. Click

> Bluetooth UUID Samsung Knox 1.0
blacklist Note When updating the policy, current Bluetooth or higher
reconnect.
Select devices to allow Bluetooth connections with. Click

> Bluetooth UUID Samsung Knox 1.0
whitelist Note When updating the policy, current Bluetooth or higher
reconnect.
Allows NFC (Near Field Communication) control.
Note • Samsung Knox 2.4 or higher is supported Samsung Knox 1.0

NFC control for Knox Workspace devices.
or higher
• Android 10 (Q) or higher devices are not
supported.
Samsung Knox 1.0

PC connection Allows connecting user’s device to PC. or higher, Android
1.0 or higher
Samsung Knox 1.0

USB tethering Allows USB tethering. or higher, Android
1.0 or higher
Profile 251
Allows a device connection via OTG (On the Go). OTG

controls only the storage items and not the non-storage
items, such as a keyboard or mouse.
USB host storage Note To use DeX when the USB host storage Samsung Knox 1.0
(OTG) (OTG) policy is disallowed, enable DeX in or higher
the Set USB exception allowed list policy.
Then configure the Allow DeX mode policy to
Allow.
> Set usb

Specify the use for the exception allowed list once the Samsung Knox 3.0
exception allowed
USB host storage (OTG) policy is disallowed. or higher
list
> USB exception Select the USB interface to use if the USB host storage Samsung Knox 3.0
allowed list (OTG) policy is disallowed. or higher
Samsung Knox 1.0

USB debugging Allows USB debugging.
or higher
Samsung Knox 1.0

Microphone Allows use of the microphone. or higher, Android
1.0 or higher
Samsung Knox 1.0

> Recording Allows the use of microphone recording.
or higher
Samsung Knox 1.0

> S Voice Allows the use of S Voice.
or higher
Allows using GPS.
• Allow: Allows using GPS.

• Disable On: Disallows turning on GPS. It is turned off at
all times.
• Disable Off: Disallows turning off GPS. It is turned on at
all times. Samsung Knox 1.0
GPS
or higher
Note • To use this policy, the GPS type on the
user device must be set as one of the
three types: High accuracy, Sleep, and
GPS.
• Devices running Android 10 (Q) or higher
are not supported.
Wearable
Samsung Knox 2.6
equipment policy Set to use the existing Mobile policy for the Gear policy.
or higher
inheritance
Profile 252
Security
Set the password for the device screen lock. Use of the
camera is prohibited when the device is screen locked.
Note • When a user has forgotten their screen

lock password, an administrator needs to
send the Reset screen password device
command, and then the user needs to
enter a temporary password. A temporary
password is generated randomly
Device Password according to the set Device Password
policies. For more information, see the
screen lock password in Viewing the
device details.
• For Knox Workspace devices with a One
Lock password, the password policy
which is stronger between the Android
Legacy and Knox Workspace area will be
applied.

The password strength increases in the following
ascending order: Pattern < Numeric < Must be
alphanumeric < Must include special characters.
• Pattern: Set the password using a pattern or a

password with a higher degree of complexity. Samsung Knox 2.0
> Minimum
• Numeric: Set the password using numbers or a or higher, Android
strength
password with a higher degree of complexity. 2.2 or higher
• Alphanumeric: Set the password using alphanumeric

characters or a password with a higher degree of
complexity.
• Complex: Set it so that the passwords must include
Set the maximum number of incorrect password attempts

before access is restricted.
>> Maximum Samsung Knox 2.0
Failed Login or higher, Android
Attempts Note 2.2 or higher
You can set this only when Numeric,
Alphanumeric, or Complex is selected.
Profile 253
Select the action to be performed when the maximum

number of failed attempts is reached.
Note Samsung Knox 1.0 or higher is supported for

Knox Workspace devices.
>>> If maximum
• Lock device: Locks the device. Samsung Knox 2.0
failed login
or higher, Android
attempts Note Android 10 (Q) or higher devices are not 2.2 or higher
exceeded supported.

resets the user device and the SD card.
• Factory reset: Resets the user device but not the SD
card.

Note Samsung Knox 2.0

>> Minimum Minimum length of the pattern password
or higher, Android
length refers to the number of lines connecting
2.2 or higher
be entered.

must be reset.
Samsung Knox 1.0
>> Expiration after The value can be between 0 - 365 days.
or higher, Android
(days)
Note 3.0 or higher
Samsung Knox 2.0 or higher is supported for

>> Manage Samsung Knox 1.0
password history Note or higher, Android
If the password is ‘Knox123!’ and the
(times) 3.0 or higher
use ten other passwords before reusing
Set the duration for locking the device when the user has
>> Screen Lock not set up a password for the screen lock. Samsung Knox 1.0
Timeout (min) or higher
The value can be between 0 - 60 minutes.
Profile 254

length of characters allowed in a password. Samsung Knox 1.0
sequential or higher

length of password. Samsung Knox 1.0
>> Block function

Note • The visibility of the notifications on the
lock screen depends on the options you
setting on lock Android 5.0 or higher
set in the application.
screen
• Samsung Knox 2.4 - 2.9 is supported for
Select the function to be blocked on the lock screen when

a password policy is set on a device.
• All: Blocks all functions on the lock screen.

• Camera: Blocks direct camera control on lock screen.
>>> Block
location, or when devices are added.
functions on lock
screen • Fingerprint: Blocks the fingerprint unlock function.
• Previews in pop-ups: Displays notifications on the lock
• Notifications: All notifications are hidden via the lock
screen
Note This policy can be implemented only when

the password level is set to pattern or higher.
Samsung Knox 2.0

> Maximum Set the maximum time limit that a user can linger before
or higher, Android
screen timeout screen timeout.
2.2 or higher
Allows Knox Manage to retry connecting according to the

Connection attempt
value that you specified when the device is disconnected
between server and
from Knox Manage. If not specified, communication will
device
be reattempted twice every 15 minutes.
Profile 255
Set a retry count when a device is disconnected from

Knox Manage and Knox Manage retries connecting to the
device in 1 minute intervals.
> Communication If the device is disconnected continuously despite retrying Android 1.0 (SDK 1)
retry count on the specified count, Knox Manage will retry connecting or higher
according to the Communication retry interval (min)
below.
Set a retry interval for when a device is disconnected

from Knox Manage. If Knox Manage receives the event
> Communication that the device is available, the server will try to connect Android 1.0 (SDK 1)
retry interval (min) immediately despite the waiting time. or higher
The value can be between 1 to 60 minutes.
Allows Smartcard Browser Authentication within the

internet browser.
When the policy is allowed, the Bluetooth security mode
is applied while the device is connected to the smart card
reader and will not accept other Bluetooth connections.
Smartcard Browser Note • To use this policy, Bluetooth smart card- Samsung Knox 1.0
Authentication related applications must be installed or higher
on the device and the smartcard must
be registered in the Settings menu of the
device.
supported.
Prevents users from deleting the certificate in the Settings Samsung Knox 1.0
Certificate deletion
menu of the device. or higher
Certificate Set the system to validate the certificate during

Samsung Knox 1.0
verification during installation. If the certificate fails validation, it cannot be
or higher
installation installed.
Communicates with the attestation server to determine

Samsung Knox 1.0.1
Attestation whether the user’s device is forged. If no option is
or higher
selected, attestation will not be processed.
Profile 256
Set the measure for when forgery of the device firmware

is detected. If detected, the creation of a new Knox
Workspace and the use of the existing Knox Workspace
are prohibited.
• Lock Knox Workspace: Locks the Knox Workspace.

• Delete Knox Workspace: Deletes the Knox Workspace.
> Action when • Lock device: Locks the device. Samsung Knox 1.0.1
verification fails or higher
supported.
• Factory reset + Initialization SD Card: Simultaneously

factory resets the user’s device and the SD card.
card.
Google Android Allows the user to select whether to receive updates on

the device. Samsung Knox 2.6
security update
or higher
Policy • Forced use: Set to receive security updates by default.
Kiosk
Select a Kiosk feature to use on a device.
• Single app: Runs a single application on the device’s

home screen.
• Multi app: Runs multiple applications that are
developed using the Kiosk Wizard.
• Kiosk Browser: Opens webpages that are specified by
the administrator. Samsung Knox 1.0
Kiosk app settings
or higher
Note • To use the Kiosk Browser, the Kiosk
Browser application must be registered
as a Knox Manage application. For more
details, contact the TMS administrator.
• Kiosks are not available with non-
Samsung Android Legacy devices.
Click Select and select a single Kiosk application from the

list. Alternatively, click Add and manually add applications. Samsung Knox 1.0
> Set application
For more information about adding single applications, or higher
see Creating a Single App Kiosk.
Profile 257
Click Select and select multiple Kiosk applications from

the list. Alternatively, click New and create a Multi App Samsung Knox 1.0
>Set application
Kiosk the Kiosk Wizard. To learn how to use the Kiosk or higher
Wizard, see Exploring Kiosk Wizard.
When setting up the Kiosk Browser, the package name

> Set Kiosk
of the application registered as the Kiosk Browser will be
Browser
automatically selected.
Set the default page URL to call in the Kiosk Browser.
> Default URL You can enter a URL that is up to 128 bytes including
alphanumeric characters and some special characters (_,.,
-, *, /).
Use the screen saver for the Multi App Kiosk and the
Kiosk Browser. When no user activity has been sensed
for a certain amount of time, set it in the Auto Screen Off
or Session Timeout settings on the device, the registered
images or video files will be activated on the device
display.
> Screen Saver
Note • The Screen Saver only runs while the
device is charging.
• The Screen Saver for the Kiosk Browser
only runs while the device is connected to
a power source.
>> Screen Saver

Select either an image or video type screensaver.
Type
Select image files for the screen saver. You can add up
to 10 image files in the PNG, JPG, JPEG, or GIF format
(animated files are not supported). Each image file must
be less than 5 MB.
• To upload an image file, click Browse and select a file.

>>> Image • To delete an image file, click next to the name of the
uploaded image file.

transferred to the device to apply an image
file to it.
Profile 258
Select a video file for the screen saver. You can add only
one video file in the MP4 or MKV format. The video file
must be less than 50 MB.
• To upload a video file, click Browse and select a file.

>>> Video • To delete a video file, click next to the name of the
uploaded video file.

transferred to the device to apply a video to
it.
Allows the use of the session timeout feature for the

Kiosk Browser. If the user does not use the device for a
set time, the device deletes user information, such as the
> Session timeout cache and cookies, in the device Kiosk Browser and goes
to the main page URL:
• Apply: Enable the session timeout feature for the

browser.
Set the session timeout in seconds for the Kiosk Browser.

>> Time (sec) The value must be between 10 - 3600 secs (default is
1800).
> Text Copy Allows the copying of text strings in the Kiosk Browser.
Allows the running of the JavaScript contained in

> Javascript
websites.
Allows the use of an HTTP proxy for communications in

> Http Proxy
the Kiosk Browser.
Set the HTTP proxy server IP or domain address, and Port.

>> IP/
When not entered, the Port number is automatically set to
Domain:Port
80.
Set the key value to be added to the user agent. Allow

the Kiosk Browser to access the Web server and the user
> User agent agent key values contained in the HTTP header.
settings key value
User agent key settings can be used to detect access to
non-Kiosk Browsers on the web server.
Delete Kiosk app

Allows deleting applications along with policies from the Samsung Knox 1.0
when policy is
device when the applied policy is deleted. or higher
removed
Profile 259
Allows the use of the Task Manager.

Samsung Knox
Task manager Note You can use the function to disable the 1.0–2.4 or higher
hardware key on SDK 2.5 or later.
Use the System bar which refers to the Status bar in

the Notifications area at the top of the device and the
Navigation bar in the Buttons area at the bottom. Samsung Knox 1.0
System bar
For non-Samsung devices, even if you selected either or higher
Allow status bar only or Allow navigation bar only, both
the status bar and the navigation bar will be disabled.
Prohibit hardware Samsung Knox 1.0

Allows the use of the hardware keys
key or higher
Select hardware keys to disable.

The availability of Hardware keys can vary by device.
> Disallow Samsung Knox 1.0
hardware key(s) If you do not allow the use of the Task Manager, then it or higher
will not run, even if the user taps the left menu key in the
Navigation bar at the bottom of the device.
Allows the use of multiple windows. This is available for Samsung Knox 1.0
Multi windows
devices that provide the functionality of multiple windows. or higher
Allows the use of Air command. Air command is a

Samsung Knox 2.2
Air command function provided on Samsung devices. Menu items
or higher
appear when the user brings an S pen close to the screen.
Allows the use of Air view. Air view is a function provided

on Samsung devices. Users can preview a picture or email Samsung Knox 2.2
Air view
when they bring the S pen or finger close to the picture or or higher
other content.
Allows the use of the Edge screen of the device. The Edge
screen allows users to create shortcuts on the edges of Samsung Knox 2.5
Edge screen
the screen panel to frequently used applications, favorite or higher
contacts, or the camera.
Application

Installation of sources instead of just the Google Play Store.
Samsung Knox 1.0
application from
Note Android 8.0 or higher is supported for Knox or higher
untrusted sources
Workspace devices.
Profile 260
Samsung Knox 1.0

Play Store Allows using the Google Play Store.
or higher
Samsung Knox 1.0

YouTube Allows using YouTube.
or higher
Set to control the application installation policies.

App Installation If no applications are added to the Application installation
Back/Whitelist blacklist and the Application installation whitelist, then no
Setting other applications except for the Knox Manage Agent will
be allowed to be executed and installed.
Add applications to prohibit their installation.

• To add all applications, click Add all.
application.
Note • If a control application registered with a

wildcard (*) in the package name is added
> App installation to this policy, the specific package will not Samsung Knox 1.0
blacklist be installed. or higher
e.g.) com.*.emm / com.sds.* /

com.*.emm.*
• Blacklisted applications cannot be
installed and will be deleted even if they
were previously installed.
• An application that has been added on the
Application installation whitelist cannot
be added.
Profile 261
Add applications to allow their installation.

application.

wildcard (*) in the package name is added
to this policy, the specific package will not
> App installation be installed. Samsung Knox 1.0
whitelist e.g.) com.*.emm / com.sds.* / or higher
com.*.emm.*
• Any applications not on the whitelist
are deleted, even if they are not on the
blacklist.
Application installation blacklist cannot
be added.
• Samsung Knox 2.0 or higher is supported
for Knox Workspace devices.
Set to control the application execution policies.

If the policy changes or Knox Manage is unenrolled,
Application
hidden applications reappear.
execution Black/
Whitelist Setting Note Android 8.0 (Oreo) or below is supported for
non-Samsung devices.
Add applications to prevent their execution. Icon of the

blacklisted application disappears and users cannot run
the application.

> Application applications in the “Select Application” window. Samsung Knox 1.0
execution • To delete an application, click next to the added or higher, Android
blacklist application. 2.2 or higher

Application installation whitelist cannot be
added.
Profile 262
Add applications to allow their execution. Icons of

applications that are not on the whitelist disappear
automatically. Knox Manage and the preloaded
applications are automatically registered on the whitelist.
• To add an application, click Add, and then select Samsung Knox 1.0
> Application or higher, Android
execution 2.2 or higher
whitelist • To delete an application, click next to the added
application.

Application installation blacklist cannot be
added.
Application force
stop prohibition list Set to prohibit applications from force stop.
setting
> Force stop Samsung Knox 1.0

Add applications to prohibit from force stop.
blacklist or higher
Application
execution Allows application installation but prevents application
prevention list execution.
setting
Add applications to be displayed but not executable.

Listed applications can be installed and the icons will be
> Application displayed, but they will not be executed.
Samsung Knox 2.0
execution • To add an application, click Add, and then select or higher
prevention list applications in the “Select Application” window.
application.
Application
uninstallation
Set to control the application uninstallation policies.
prevention list
Settings
Add applications to prevent their uninstallation.

> Application • To add an application, click Add, and then select Samsung Knox 1.0
uninstallation applications in the “Select Application” window.
or higher
prevention list
application.
Profile 263
Select from among the actions below to take if an internal

or a kiosk application is compromised:
• Disallow running: Prohibits the application’s execution.

• Uninstall: Deletes an application.
• Lock device: Locks the user’s device.
supported.
Action when apps • Notify Alert: The compromised status of the device is Samsung Knox 1.0
are compromised reported on the Dashboard. or higher

resets a user device and the SD card.
card.
Note Actions such as lock device, factory reset,

and the notify alert will be applied but only
for general Android devices and not for
Samsung Galaxy and LG Electronic devices.
Show ProgressBar Set to display the ProgressBar, which displays the Samsung Knox 1.0
when installing progress of the application downloads made in Knox or higher, Android
apps Manage. 1.0 or higher
Set to exempt applications from the battery optimization

function. This policy may cause battery loss.
Battery optimization
exceptions Note This policy is for devices running Android
(Nougat) or later.
> Apps excluded

Add applications to exempt them from the battery Samsung Knox 2.7
battery
optimization function. or higher
optimization
Profile 264
Location
Allows collecting location data.
• User consent: Allows location data collection only with

the user’s consent.
Note • When this policy is set to User consent,

location data can only be collected after
the user allows collection of device Samsung Knox 1.0
Report device location data in the permission pop-up. or higher, Android
location The Report device location policy has 2.3 or higher
a higher priority than the GPS policy or
the locate the current position device
command.
• For devices running Android 10 (Q) or
higher, this policy is supported only when
the GPS is enabled in the device settings.
Set an interval period to save the location data of the

device.
Samsung Knox 1.0
> Report device
Note To set the collection interval, select either or higher, Android
location interval
Allow or User Consent for the Report device 2.3 or higher
location policy.
Samsung Knox 1.0

High Accuracy Set to use for collecting accurate GPS locations of the
or higher, Android
Mode devices.
2.3 or higher
Browser
Browsers must be closed and opened again to apply the changes.
Allows using the Android browser.
Note The disallowed setting or blacklist setting

takes priority over others. If the disallowed Samsung Knox 1.0
Android browser setting is configured in any of the Android or higher
browser or the application blacklist policies,
the Samsung Internet browser cannot be
launched
Profile 265
Allows cookies in the Android browser.
Note If cookies are not allowed, you cannot Samsung Knox 1.0
> Cookies
access websites that authenticate users with or higher
cookies.
Samsung Knox 1.0

> JavaScript Allows JavaScript in the Android browser.
or higher
Allows auto-completion of information that you enter on Samsung Knox 1.0

> Autofill
websites in the Android browser. or higher
Samsung Knox 1.0

> Pop-up block Allows blocking pop-ups in the Android browser.
or higher
Set the proxy server address for the Android browser in

the general area.
fields.
Samsung Knox 1.0.1
Browser proxy URL
Note • The Chrome browser and Samsung S or higher
4.0.1 - 5.6.
Phone
Samsung Knox 2.0

Airplane mode Allows the use of airplane mode.
or higher
Allows the use of a cellular data connection.
Note This policy is applied after internal

applications that have been set as Automatic
Cellular data (Non-removable) are installed. If the cellular Samsung Knox 1.0
connection data connection policy is not applied or higher
successfully, the device tries again to apply
this policy 30 minutes later after Knox
Manage is activated.
Samsung Knox 1.0

Prohibit voice call Prohibits incoming and outgoing voice calls.
or higher
Profile 266
Specifies the types of voice call to block:
• Incoming: Blocks incoming voice calls only.

> Voice call • Outgoing: Blocks outgoing voice calls only
If both are selected, only emergency calls can be received
or made.
Add phone numbers to the blacklist to block incoming

voice calls.
> Incoming Call
blacklist
• To add a phone number, enter it in the field and click
.
• To delete a phone number, click next to it.
Add phone numbers to the blacklist to block outgoing

voice calls.
> Outgoing Call
blacklist
.
Samsung Knox 1.0

Data usage limit Allows the limiting of data usage.
or higher
Limits the maximum data usage for user devices. If data

usage exceeds the limit set on a device, data use is no
Data usage longer available. Samsung Knox 1.0
restrictions or higher
To get precise information on the amount of usage,
changing the date and time must not be allowed.
Set the maximum data amount for user devices for 1 day,
1 week, or 1 month.
Note • Daily usage is calculated at 12:00 p.m.

each day, weekly usage on Sundays, and
> Maximum monthly usage on the first day of each
usage month.
• When the maximum data amount is
reached, the data network will be blocked.
But if the user allows the data network, the
data usage of the user device will be reset.
Data connection Samsung Knox 1.0

Allows data connection when roaming.
during roaming or higher
WAP push during Samsung Knox 1.0

Allows WAP push communication while using roaming.
roaming or higher
Data sync during Samsung Knox 1.0

Allows data synchronization while roaming.
roaming or higher
Profile 267
Voice calls during Samsung Knox 1.0

Allows voice calls while roaming.
roaming or higher
Samsung Knox 1.0

Disallow SMS/MMS Prohibits sending and receiving SMS/MMS messages.
or higher
> Disallow Specifies the types of SMS/MMS messages to block.

Incoming/
Outgoing SMS/ Note At least one of the types should be selected.
MMS
Add phone numbers to the blacklist to block incoming

SMS/MMS messages.
> Incoming SMS
blacklist
.
Add phone numbers to the blacklist to block outgoing

SMS/MMS messages.
> Outgoing SMS
blacklist
.
Prevents the use of the SIM card on a user device. To

use this policy, the default PIN of the SIM card should
be entered. Then, the new PIN number for the SIM card
Use SIM card should be entered. Samsung Knox 1.0
locking or higher
If the locked SIM card is registered to another device, the
device is locked and the user must enter a valid PIN to
unlock it.
Enter the default PIN found on the SIM card.

The value is a 4 - 8 digit number.
> Default SIM PIN Note This policy is designed for use by Corporate-
Owned, Personally Enabled (COPE) devices
and is only applied if the PIN found on SIM
card matches the default PIN.
Enter the new PIN number for the SIM card. The new PIN
number can be found next to SIM PIN Number in the
> New SIM PIN “Network“ tab of the “Device Detail” page.
Profile 268
Allows recording phone conversations.

Set app voice Samsung Knox 3.0
recording whitelist Note If unspecified, voice recording is not allowed. or higher
Add applications that are allowed to record phone

conversations to the whitelist.
Note • The registered voice recording

applications cannot be deleted after
> App voice
being activated. To remove the registered Samsung Knox 3.0
recording
applications, you must factory reset the or higher
whitelist
device.
• If the registered voice recording
applications are activated on a device, the
device USB connection is blocked.
Firewall
The firewall supports IPv6 for SDK 2.6 or above. Even if the IPv4 and the IPv6 indicate the same
address, a separate configuration is required.
Set to use the firewall to set target IP addresses. The

firewall policy is enabled by default.
Samsung Knox 1.0
Firewall
Note Samsung Knox 1.0 - 2.4.1 is supported for - 2.4.1
Profile 269


application.
• All
• Wi-Fi: Only Wi-Fi network access is enabled.
> Permitted Policy 4. Select Port Range:
(IP) • All
enabled.
5. Click to add.
Note • Before setting this policy, disable all IPs

Prohibited policy (IP) ranges.
• Samsung Knox 2.5 is supported for Knox
Workspace devices.
Profile 270


application.
• All
• Data: Mobile network access is disabled.
> Prohibited • Wi-Fi: Wi-Fi network access is disabled. Samsung Knox 2.5
Policy (IP) 4. Select Port Range: or higher
• All
disabled.
5. Click to add.
Note • When entering the IP address, you can use

a wildcard character (*) to disabled the
bandwidth usage.
Workspace devices.

application.

domains by entering a wildcard character
> Permitted Policy (*) to the Prohibited policy (Domain) Samsung Knox 2.6
(Domain) ranges. or higher
name.
Workspace devices.
Profile 271
Input values to disable the target domain address.

application.
> Prohibited 2. Input the IP Address (range) and Port (range). Samsung Knox 2.6
policy (Domain) or higher
Note Use a wildcard character (*) to disable a
specific domain.
Samsung Knox 2.6 is supported for Knox
Workspace devices.


application.
2. Input DNS values. Samsung Knox 2.7
> DNS setting
• DNS1: Primary DNS. or higher
Note • If there are multiple firewalls, restricted firewalls have a higher priority.
• If a firewall is configured to all applications as well as in specific applications, the policy for
each application has a higher priority.
Logging
Set to enable the save logs feature.
• Enable: Set to perform logging. This is the default

value.
Samsung Knox 1.0
Save logs • Disable: Cannot record device logs. or higher, Android
1.0 or higher
Note If this policy is not specified, the Knox
Manage performs logging with the DEBUG
level.
Profile 272
Select a log level.
• DEBUG: Logs detailed device information for the

developers.
• INFO: Logs device information for the administrators.
Samsung Knox 1.0
> Log level • WARNING: Logs information that are not errors, or higher, Android
but the ones that require special attention for the 1.0 or higher
administrators.
• ERROR: Logs error information.
• FATAL: Logs critical error information, such as system
interruption.
Enter value for the maximum log size. Samsung Knox 1.0
> Maximum log
or higher, Android
size (MB) The value can be between 1 - 20 MB. 1.0 or higher
Enter value for the maximum days for log storage. Samsung Knox 1.0
> Maximum days
or higher, Android
for storage (day) The value can be between 1 – 30 MB. 1.0 or higher
DeX
Samsung DeX is an accessory that extends the functionalities of a mobile device. By connecting a
monitor, keyboard, and mouse to a Dex docking station, the mobile device can function as a desktop
computer
In Knox Manage, you can allow the use of DeX mode and control applications according to the
Application execution blacklist setting.
Allows the use of DeX mode.

Samsung Knox 3.0
Allow DeX mode • Disallow: The DeX station will not function even if a or higher
mobile device is mounted on it.
Allows ethernet only for DeX. Mobile data, Wi-Fi, and Samsung Knox 3.0
Allow Ethernet only
tethering are blocked. or higher
Application
Samsung Knox 3.0
execution Use the blacklist for running DeX applications.
or higher
blacklist(Android)
Profile 273
Prohibits launching the specified applications.

application.
Note • Any applications that already have been

> Application
added to the Application whitelist cannot
execution
be added to the Application blacklist.
blacklist
• When this policy is enabled and applied,
the icons of the blocked applications will
disappear so that users cannot launch
them. However, the applications are not
deleted. The icons will reappear once
the policy is changed or Knox Manage is
disabled.
Wi-Fi
Policy Description
Enter an identifier of a wireless router to connect to.

Remove available Allows users to delete the Wi-Fi settings.
Security type Specifies the access protocol used and whether certificates are required.
> WEP Set a WEP KEY index from WEP KEY 1 to 4.
> WPA/WPA2-PSK Enter a password.
Profile 274
Policy Description
• EAP Method: Select an authentication protocol from among PEAP, TLS,

and TTLS.
• 2-step authentication: Select one from PAP, MSCHAP, MSCHAPV2, or
GTC as a secondary authentication method. This is available when EAP
Method is set to TTLS or TLS.
• User information input method: Select an input method for entering
user information.
connection.
–– Connector interworking: Choose a connector from the User
Information Connector.
–– User Information: Use the user information registered in Knox
Manage to access Wi-Fi.
• User certificate input method: Select a user certificate confirmation
method.
–– EMM Management Certificate: Register an external certificate on
the Knox Manage server for each network setting, and then verify
each network setting using that certificate. All users share this one
certificate for each network setting.
> 802.1xEAP
Note Navigate to Advanced > Certificate > External Certificate
to register network settings for each purpose.
–– Connector interworking: Verifies network settings using the user

To learn more about how to add a directory connector, see Adding
sync services.
–– Issuing external CA: Register a certificate obtained from an external
• CA certificate: Select a root certificate. Among the certificates
registered in Advanced > Certificate > External Certificate, those with
the Purpose set as Wi-Fi and the Type set as Root will appear on the
list.
Profile 275
Policy Description
Select a proxy server configuration method. You can use the server to
Proxy configuration
route through the proxy server when the device is connected to Wi-Fi.
• Proxy host name: Enter the host name of the IP address of the proxy
server
• Proxy port: Enter the port number used by the proxy server
> Manual • Proxy exception: Enter the IP address or domain address that cannot be
accessed through the proxy server.
If server authentication is required to use the proxy server, check the
Server authentication check box.
• Password: Enter the password for the proxy server.
> Proxy automatic You should enter a PAC web address in the PAC web address field, the
configuration URL of the PAC file that automatically determines which proxy server to
use.
Exchange
You can add more Exchange policy sets by clicking .
Policy Description
Configuration ID Assign a unique ID for each exchange setting.
Description Enter a description for each exchange setting.
Remove available Allows users to delete the exchange settings.
Allows to configure the Exchange settings by automatically filling out the

Office 365
Exchange server address and the SSL option as ‘Use’.
User information input

Select an input method for entering user information.
method
Select to manually enter the email address, account ID, and password of a
user.
> Manual Input
You can also click Lookup to open the reference items list and select an
Select to choose a connector from the User Information Connector list.
> Connector interworking Note All the connectors are listed in Advanced > System
Integration > Directory Connector.
Profile 276
Policy Description
Select to access the exchange server using the registered Knox Manage
> User Information
email and ID. The password must be entered from the user’s device.
Enter a domain address for the exchange server.

Domain You can also click Lookup to open the reference items list and select an
Enter the exchange server information such as IP address, host name or

URL.
Exchange server address
Note If Office365 is selected, outlook.office365.com will be
automatically entered.
Sync measure for the early Select the interval period to sync the past emails. The sync interval and
data synchronization are in accordance with the email application settings.

method
Register an external certificate on the Knox Manage server for each

network setting, and then verify each network setting using that certificate.
All users share this one certificate for each network setting.
> EMM Management
Certificate
• User Certificate: Select a certificate to use from the User Certificate list.
Verifies network settings using the user information obtained by applying
the filter set for the connector. To verify the network settings on the device,
you should set the Service Type as Profile Configuration (Certification)
when you register a connector in Advanced > System Integration
> Directory Connector. To learn more about how to add a directory
connector, see Adding sync services.
> Connector interworking
When you search for a user using the filter set for the connector, the user
certificate (.p12 or .pfx) corresponding to the obtained user information is
applied along with a profile, allowing you to use this certificate to verify the
user.
• User certificate Connector: Select a connector to use from the User

certificate Connector list.
Register a certificate obtained from an external certificate authority

to Advanced > Certificate > Certificate Template. Then, you register
a certificate template for each network setting, and verify it as a user
> Issuing external CA certificate. To learn more about how to add an external certificate, see
Adding external certificates.
• Issuing external CA: Select an external CA to use from the Issuing

external CA list.
Profile 277
Policy Description
Syncs schedules on a calendar from an Exchange server or a mail server

Sync calendar
to a device.
Sync contacts Syncs contact information in a phone book from a server to a device.
Sync task Syncs tasks items from a server to a device.
Sync notes Syncs notes from a server to a device.
Set to use SSL for email encryption.
SSL Note If Office365 is selected, the SSL option is automatically set to

‘Use’.
Signature Enter the email signature to use.
Notification Notifies the user of new emails.
Always vibrate on
Notifies the user of new emails with a vibration.
notification
Mutes email notifications.
Silent notification Note Always vibrate on notification and Silent notification cannot
be used at the same time.
Enter the email attachment file size limit in bytes.

Attachment capacity (byte)
The input value ranges from 1 to 52428800 (50MB).
Maximum Size of Email Select a maximum value for the email body size. This is only set once
Body (Kbyte) during the initial Exchange ActiveSync setup.
> Default Size of Email Select the default value for the email body size. This is only set once
Email Account
You can add more email account policy sets by clicking .
Policy Description
Configuration ID Assign a unique ID for each email account setting.
Description Enter a description for each email account setting.
Remove available Allows users to delete the email account settings.
Default Account Specifies to use the default account.
User information Input

Method
Profile 278
Policy Description
Select to manually enter the email address, server ID and password of a

user.
> Manual Input
Select a connector from the user information connector list.
> Connector interworking Note The connectors are listed in Advanced > System Integration
> Directory Connector.
Select to access the relevant mail server using the registered Knox
Manage email, ID and password.
> User information
Note The password must be entered from the user’s device.
Incoming Server Protocol Select between the POP3 (pop3) and IMAP (imap) protocol.
Outgoing Server Protocol Entered automatically as SMTP.
Incoming Server Address/

Enter the Incoming Server address/port in a provided format.
port
Outgoing Server Address/

Enter the outgoing server address/port and port in a provided format.
port
Enter an incoming server ID to log in to the incoming mail server manually.

Incoming Server ID item from it. The reference value will be automatically entered.
Note This protocol is only available when Manual Input is selected.
Enter an outgoing server ID to manually log in to the outgoing mail server.

Outgoing Server ID item from it. The reference value will be automatically entered.
Enter an incoming server password to manually log in to the incoming mail

server.
Incoming Server Password item from it. The reference value will be automatically entered.
Profile 279
Policy Description
Enter an outgoing server password to manually log in to the outgoing mail

server
Outgoing Server Password item from it. The reference value will be automatically entered.
Incoming SSL Select to use SSL for encryption.
Outgoing SSL Select to use SSL for encryption.
Select an email notification method.
• Enable Notification: Activates email notification.

Notification • Enable ‘Always notify by vibrate mode’: Notifies the user of new emails
with a vibration.
• Disable Notification: Deactivates email notification.
All incoming certificates Allows receiving certificates.
All outgoing certificates Allows sending certificates.
Signature Enter an email signature to use.
Account Name Assign an account name.
Sender Name Assign a sender name.
Bookmark
You can add, modify, or delete the bookmarks in the Samsung S browser, the default browser on
Samsung Galaxy devices. You can add more bookmark policy sets by clicking .
Note • Browsers must be closed and opened again to apply the changes.
• Even if a user modifies a registered bookmark or registers a bookmark with the same URL and
name, it will not be deleted when the bookmark setting is deleted.
• Even if a user manually deletes the set bookmark, due to the limitations of Samsung devices,
the application may still appear to be installed. In this case, you have to delete the bookmark in
the profile, and then recreate the bookmark.
• The auto-installation of Bookmark settings is supported on devices running Android 6.0
Marshmallow or Android 7.0 Nougat, and only when BookMark is chosen in the Installation
area.
Policy Description
Configuration ID Assign a unique ID for each bookmark setting.
Profile 280
Policy Description
Specifies a location to install the bookmark.
• BookMark: Saves a bookmark in the S browser.

• ShortCut: Creates a shortcut for the bookmarked address on the home
screen of the device. Shortcut icons are created based on the Samsung
Installation area Launcher.
–– If a Shortcut has been selected, auto installation is not supported.
–– Shortcut icons may not be able to be created depending on the
type of launcher set by the user. An administrator cannot delete the
shortcut icon, but the user can delete it manually.
Bookmark name Enter the bookmark name to be displayed as a title in the bookmark.
APN
You can add more APN policy sets by clicking .
Policy Description
Configuration ID Enter an APN name to be displayed on the device.
Description Enter a description for an APN.
Allows users to delete APN settings. If you choose Disallow, then the
Remove available
button used to delete APN settings is disabled.
Access Point Name (APN) Enter the name of the access point.
Select the type of the access point.
• Default: default type.

Access Point Type
• MMS: Multimedia Messaging Service.
• Supl: IP-based protocol to receive GPS satellite signals.
Mobile Country Code (MCC) Enter the country code for the APN.
Mobile Network Code (MNC) Enter the carrier network code for the APN.
Enter the server information for sending multimedia messages.
• MMS Proxy Server: Enter the information of the proxy server for
MMS Server (MMSC) sending multimedia messages.
• MMS Proxy Server Port: Enter the port number of the proxy server for
sending multimedia messages.
Server Enter the WAP gateway server name.
Proxy Server Enter the information of the proxy server.
Proxy Server Port Enter the port number of the proxy server.
Profile 281
Policy Description
Enter the user name of the access point.

Access Point User Name You can also click Lookup to open the reference items list and select an
Enter the password of the access point.

Access Point Password You can also click Lookup to open the reference items list and select an
• None: Disables authentication.

Authentication Method • PAP: Requires a user name and password for authentication.
• CHAP: Uses encryption with a Challenge string for authentication.
• PAP or CHAP: Uses the PAP or CHAP authentication method.
Set as Preferred APN Applies APN settings to the device.
Knox VPN
Knox VPN settings are provided to help you set up a VPN on a Samsung Galaxy device more easily.
You can add more Knox VPN policy sets by clicking .
Note When Knox Workspace is used on an Android Legacy device, only one Knox VPN can be set on a
device regardless of the Knox Workspace area or general area. If the Knox VPN vendor is Cisco,
then it can be installed in both areas. To use a Knox VPN on both areas, you need to install the
vendor’s VPN Client application in each area.
Policy Description
Configuration ID Assign a unique ID for the Knox VPN setting.
VPN name Enter a VPN name to display on the user device.
Description Enter a description for the Knox VPN setting.
Remove available Allows users to delete the Knox VPN settings.
Select a VPN vendor from between Cisco and User defined. Input fields
vary depending on the selected VPN vendor name.
VPN vendor name Note Select User defined to set up a different vendor’s VPN
service, such as the Sectra mobile VPN. For more
information, see Entering a VPN vendor manually.
VPN client vendor package Entered automatically according to the selected VPN vendor name. If User
name defined is selected, you must manually enter this protocol.
VPN type Select a protocol.
Profile 282
Policy Description
Select an entering method for Knox VPN information.
• Manual Input: Only allowed for Cisco. For more information, see
Configuring a Knox VPN profile manually.
Entering methods for Knox
VPN • Upload profile: Allowed for all VPN vendors.
Note Input fields vary depending on the selected VPN vendor and
the entering method.
Allows uploading a Knox VPN profile when you set Entering methods for
Knox VPN to Upload profile.
You can upload a text file in the JSON format. JSON varies depending on
the VPN vendor and VPN type.
Upload Knox VPN profile
For more information about sample files, see the sample file of a Sectra
Mobile VPN configuration in Entering a VPN vendor manually and see the
sample file of Cisco VPN configuration in Sample file for uploading a Knox
VPN profile.



method
services.
Select a certificate to use from the CA certificate list. Among the

certificates registered in Advanced > Certificate > External Certificate,
CA Certificate
those with the Purpose set as Knox VPN and the Type set as Root will
appear on the list.
Profile 283
Policy Description
Select a certificate to use from the certificate list. Among the certificates
registered in Advanced > Certificate > External Certificate, those with the
Server certificate
Purpose has been set as Knox VPN and the Type set as User will appear
on the list.
Allows the use of FIPS mode.

FIPS mode FIPS (US Federal Information Processing Standards) encrypts all data with
FIPS-140-2 authentication modules between the server and client.
Auto Re-connection Allows connecting automatically when an error occurs.
Select to use a VPN for selected applications or for all applications in the
General area.
VPN route type by • By Application: Click Add next to The VPN applied package name per
application app and select applications, and then click Save.
• All packages of general area: All applications in the General area are
subject to a VPN.
Entering a VPN vendor manually

To use a VPN provided by a vendor other than Cisco, select User defined in the VPN vendor name
field. Then upload a text profile in the JSON format. The VPN Client must be installed on the device
before using a VPN.
For example when a Sectra VPN is used, set the options as below:
1. Enter com.sectra.mobilevpn in the VPN client vendor package name field.
2. Set VPN type to SSL.
3. Click Add next to Upload Knox VPN profile and upload a configuration file with the Sectra Mobile
VPN configuration parameters set.
• Upload a file in the JSON format to fully integrate the Sectra Mobile VPN in the Knox Manage
portal.
• Set the parameters as shown in the example below.
Profile 284
Parameter Description Example
The name of the VPN configuration profile that

profileName will be listed on the Knox Manage application and Sectra Mobile VPN
the VPN client GUI.
[
{“address”:”1.1.1.1”,
A list of 1 – 6 VPN servers with IP addresses “port”:443}
and a network port. This list will be in an order
{“address”:”2.2.2.2”,
servers of priority, with the default VPN server being the
“port”:444}
first on the list. The remaining VPN servers will be
used only if the default server is damaged. {“address”:”3.3.3.3”,
“port”:445}
]
A download server’s HTTP/S URL, where the http://download.server.

pkcx12BaseUrl
encrypted key materials are downloaded to. com/certs/
The MTU (Magnetic Tape Unit) is a size used on

Knox Manage’s virtual network interface. It is
the maximum size for the outgoing UDP (User
mtuSize Datagram Protocol) tunnel packets before being 1300
fragmented
The value must be between 576 – 1500 bytes.
Determines whether a DTLS tunnel is used. A

DTLS tunnel should be used if sensitive data is
being transmitted in real-time.
UseDtle E.g.) When streaming video and/or using VoIP True
calls.
The value must be either True or False. If unsure,
set to True.
Tunnel packets’ QoS (Quality of Serve) tag sent

from a client. Differentiated service is part of an
diffServe IP header. 0
The value must be between 0 – 63. 0 means
disabled.
Timer value for the interval of a KeepAlive packet

sent from a TCP tunnel.
The value must be between 1 – 18000.
• Sectra recommends to set this value as 1200

tcpKeepAlive seconds since is compatible with most mobile 1200
networks.
Note This is an important parameter that

needs to be selected with caution.
Profile 285
Parameter Description Example
The timer value for the standby period of a DTLS

tunnel that determines how long it idles without
receiving any data before it goes inactive.
dtlsInactivityTimeout The value must be between 1 – 300 seconds. 30
Note Sectra does not recommend setting

this value to 300 seconds.
[ {“profileName”:
1 – 3 traffic profiles the users can choose, ”BadNetworkProfil
for when a normal configuration is not e”,”mtuSize”:800,
sufficient. Traffic profiles can change the “tcpKeepAlive”:600},
following configuration parameters: mtuSize, {“profileName”:”
trarricProfiles
useDtls, diffServ, tcpKeepAlive and/or RealTimeProfile”
dtlsInactivityTimeout. The traffic profile also ,”mtuSize”:1500,
requires the name of the profile which is shown in “useDtls”:”true”,
the client GUI. “diffServ”:63}
]
Profile 286
The following is a sample file of a Sectra Mobile VPN configuration:
{
“KNOX_VPN_PARAMETERS”:{
“profile_attribute”:{
“profileName”:”Sectra Mobile VPN”,
“vpn_type”:”ssl”,
“vpn_route_type”:1
},
“knox”:{
“connectionType”:”keepon”
},
“vendor”:{
“connection”:{
“servers”: [
{“address”:”1.1.1.1”, “port”:443},
{“address”:”2.2.2.2”, “port”:444},
{“address”:”3.3.3.3”, “port”:555}
],
“ssl”: {
“basic”: {
“pkcs12BaseUrl”:”http://download.server.com/
certs/”,
“mtuSize”:1300,
“useDtls”:true,
“diffServ”:0,
“tcpKeepalive”:1200,
“dtlsInactivityTimeout”:30
}
}
},
“trafficProfiles”: [
{
“profileName”: “BadNetworkProfile”,
“mtuSize”:800,
“tcpKeepAlive”:600
},
{
“profileName”:”RealTimeProfile”,
“mtuSize”:1500,
“useDtls”:”true”,
“diffServ”:63
}
]
}
}
}
Profile 287
Configuring a Knox VPN profile manually
You can manually enter a profile only when the VPN vendor is Cisco. Select Manual Input in the
Entering method for Knox VPN field. Then set the options as below:
1. Enter the IP address, host name, or URL of the VPN server in the Server address.
• The VPN route type, which enables the use of VPN tunneling, is automatically entered.
2. Select to use user authentication.
3. Select a VPN connection type.
• Keep On: Keep the VPN connection.

• On Demand: Connect to the VPN upon request.
4. Select the chaining type.
5. Select to use the UID PID.
Profile 288
Sample file for uploading a Knox VPN profile
The following is a sample file with Cisco as the VPN vendor and IPSec as the VPN type:
{
“profileName”:”c1”,
“host”:”12.3.456.78”,
“isUserAuthEnabled”:true,
“vpn_type”:”ipsec”,
},
“ipsec”:{
“basic”:{
“username”:””,
“password”:””,
“authentication_type”:1,
“psk”:””,
“ikeVersion”:1,
“dhGroup”:0,
“p1Mode”:2,
“identity_type”:0,
“identity”:”test@sta.com”,
“splitTunnelType”:0,
“forwardRoutes”:[
{
“route”:””
}
]
},
“advanced”:{
“mobikeEnabled”:false,
“pfs”:true,
“ike_lifetime”:”10”,
“ipsec_lifetime”:”25”,
“deadPeerDetect”:true
},
“algorithms”:{
}
},
“knox”:{
“connectionType”:”keepon”,
“chaining_enabled”:”-1”,
“uidpid_search_enabled”:”0”
},
“vendor”:{
“setCertCommonName”:”space”,
“SetCertHash”:”pluto”,
“certAuthMode”:”Automatic”
}
}
}
Profile 289
The following is a sample file with Cisco, as the VPN vendor, and SSL, as the VPN type:
{
“profileName”:”c3”,
“host”:”cisco-asa.gnawks.com”,
“isUserAuthEnabled”:true,
“vpn_type”:”ssl”,
},
“ssl”:{
“basic”:{
“username”:”demo”,
“password”:”samsung”,
“authentication_type”:1,
“splitTunnelType”:0,
“forwardRoutes”:[
{
“route”:””
}
]
},
“algorithms”:{
“ssl_algorithm”:0
}
},
“knox”:{
“connectionType”:”keepon”,
“chaining_enabled”:”-1”,
“uidpid_search_enabled”:”0”
},
“vendor”:{
“setCertCommonName”:”space”,
“SetCertHash”:”pluto”,
“certAuthMode”:”Automatic”
}
}
}
Profile 290
VPN
can add more VPN policy sets by clicking .
Policy Description
VPN Name Enter a VPN name to display on the user device.
Remove available Allows users to delete the VPN settings.
Select a connection type and enter the parameters. Required parameters

vary depending on the selected connection type.
• PPTP: Set if PPP should be encrypted (MPPE).

• L2TP/IPSec PSK: Enter parameters in the L2TP Secret Key, IPSec
Identifier, and IPSec Pre-shared Key fields.
Connection type
• L2TP/IPSec RSA, IPSec Xauth RSA, IPSec Hybrid RSA: Select a
root certificate from IPSec CA Certificates. Among the certificates
registered in Advanced > Certificate > External Certificate, those with
the Purpose set as VPN and the Type set as Root will appear on the list.
• IPSec Xauth PSK: Enter parameters in the IPSec Identifier and IPSec
Pre-shared Key fields.
Enter the IP address, host name, or URL of the VPN server that the device
Server address
needs to access.
• Manual Input: Enter the user ID and Password for the VPN connection.
method • Connector interworking: Choose a connector from the User information
Connector. All the connectors are listed in Advanced > System
• User Information: Use the user information registered in Knox Manage
to access the VPN.
PPP Encryption (MPPE) Allows to encrypt data for the VPN connection.
DNS search domain Enter the DNS name.
DNS server Enter the DNS server address.
Forwarding route This is automatically entered when Subnet Bits is selected.
Subnet Bits The value can be set as none or select from /1 to /30.
Profile 291
Certificate
You can install a user certificate on a device and use the certificate through Wi-Fi or on websites. You
can add more certificate policy sets by clicking .
Policy Description
Configuration Assign a unique ID for each certificate setting.



method
connector in Advanced > System Integration > Directory Connector. To
learn more about how to add a directory connector, see Adding external
certificates.


Certification category
Certificate, those with the Purpose has been set as CA Cert and the
Type set as User will appear on the list.
Profile 292
Configuring Knox Workspace (Android Legacy) Policies
Create a profile and register policies for Knox Workspace devices.
You can configure the policies below for Knox Workspace devices. The availability of each policy
varies depending on the OS version.
→→ System
Allows various features, such as screen capture, clipboard, and share via apps.
→→ Interface
Allows adding a new Wi-Fi network or using a microphone and other features.
→→ Security
Configures the security settings, such as passwords and lock screen.
→→ Application
Configures options for application controls such as installation, blacklist/whitelist, and execution
prevention.
→→ Browser
Allows the use of the Android browser and configuring the settings for it.
→→ Firewall
→→ Container Data
Allows data transfers between the Knox Workspace area and the general area.
→→ Exchange ActiveSync
→→ Email Account
Configures the settings of a POP or IMAP email account.
→→ Bookmark
Configures the bookmark settings such as the configuration ID and bookmark name.
→→ Knox VPN
Configures the VPN (Virtual Private Network) on a Knox Workspace.
→→ Certificate
Profile 293
System
Allows using the screen capture function in the Knox

Workspace.
Samsung Knox 1.0
Screen capture Note Even if this policy is disallowed, you can still or higher
use the screen capture function through the
Remote Support Viewer in Remote Support.
Allows the clipboard feature.

Samsung Knox 1.0
Clipboard • Allow within the same app: The clipboard function can or higher
only be used within the same application.
Samsung Knox 1.0

Share via apps Allows the share app function in the Knox Workspace.
or higher
Google account Allows Google account synchronization in the Knox Samsung Knox 2.0
synchronization Workspace. or higher
App crash report to Report application error occurrence information to Google Samsung Knox 1.0
Google in the Knox Workspace. or higher
Allows forceful system application shutdowns in the Knox Samsung Knox 1.0
System app close
Workspace. or higher
Trusted Boot Samsung Knox 2.0

Allows Trusted Boot.
Verification or higher
Third Party Samsung Knox 2.0

Allows the use of third Party Keyboards.
Keyboard - 2.9
Allows adding accounts from the default email application Samsung Knox 1.0
Add Email Account
on the device. or higher
Set to use the email domain whitelist setting.
Note • The Add email account policy has a higher

priority than the Domain whitelist setting
Domain whitelist
policy.
setting
• The Domain whitelist setting policy does
not apply if the Add email account policy
is set to Disallow.
Enter the email domain whitelist to add.
> Domain
• To add a domain, enter the domain name in the field, Samsung Knox 1.0
and click .
Whitelist or higher
name.
Profile 294
Allows remote control within the Knox Workspace via

Remote Support.
Remote Support should be installed in the general area.
Allow Remote Samsung Knox 2.2
Control Note Policy changes using Remote Support in the or higher
Knox Workspace do not apply to the Remote
Support Viewer immediately. In this case,
reload the Knox Workspace area.
Interface
Add a new Wi-Fi Allows adding a new Wi-Fi network connection in the Knox Samsung Knox 1.0
network Workspace. - 2.4.1
Allows the controls for Microphone use in the Knox

Workspace.
Samsung Knox 1.0
Microphone
Note If this policy is disallowed, video recording is or higher
also disallowed.
Allows using microphone recording in the Knox Samsung Knox 1.0

> Recording
Allows using the camera in the Knox Workspace.
Note • If the camera policy in the General area

is disallowed, camera use in the Knox Samsung Knox 1.0
Camera
Workspace is also prohibited. or higher
• This policy allows taking pictures but

disallows video recording.
Allows using USB devices, such as printers and scanners,

via OTG in the Knox Workspace.
• Disallow is the default value.

Note • This policy is only allowed for non-storage Samsung Knox 2.5
Allow USB access
USB devices in USB accessary mode. or higher
• Devices from Verizon, the United States

telecommunications provider, are not
supported.
Profile 295
Set USB products to use in a specific application.
1. Enter the Package Name.

2. Select the Vendor ID.
3. Enter the Product ID.
> Allow access of Samsung Knox 2.1
• Only 4-digit, hexadecimal characters can be
USB devices or higher
entered.
• Multiple inputs should be separated by commas.
• Only the product ID for the selected vendor can be
entered.
4. Click to add, or click to delete.
Allows use of the Bluetooth Low Energy feature in the

Bluetooth Low Samsung Knox 2.4
Knox Workspace. To use this policy, set the Bluetooth
Energy or higher
connections in the general area to Allow.
Phone Book Access Allows use of the Phone Book Access Profile (PBAP).
Samsung Knox 2.7
Profile (PBAP) via Contacts on the Knox Workspace are sent to the
or higher
Bluetooth connected device if this policy is allowed.
Samsung Knox 2.4

NFC control Allows control of the NFC (Near Field Communication).
or higher
Profile 296
Security
Use a password to lock Knox Workspace.

Use of the camera is prohibited when the device is screen
locked.
Note • For devices with a One Lock password, the

password policy that is stronger between
Android Legacy and the Knox Workspace
area will be applied.
• When a user has forgotten their Knox
Workspace password, the administrator
Knox Container needs to send the Reset screen password
Password device command, and then the user needs
to enter a temporary password. For more
information, see the Knox password in
• If the Prohibited words policy has been
set, then the password cannot be reset
with a temporary password containing
the specified prohibited words. If this
happens, you will need to disable the
Prohibited words policy, save the relevant
profile again, and then apply it.
> Enterprise Controls Knox Workspace unlock with an enterprise ID.

Samsung Knox 2.4
identity • Use: Allows the choice to use an enterprise ID to log in. or higher
Authentication
• Forced use: Forces the use of an enterprise ID to log in.
>> Domain Enter the domain address of the enterprise identity server. Samsung Knox 2.4
Address The http(s) prefix can be omitted. or higher
Select a file to install inside the Knox Workspace for

enterprise ID authentication.
Note You can select an application such as

Samsung SSO Authenticator (com.sec. Samsung Knox 2.4
>> Setup file android.service.singlesignon), from or higher
the application list. Applications must
be pre-enrolled either on Application >
Internal application or Application > Public
application.
Use FIDO (Fast ID Online) authentication in a Knox Samsung Knox 2.7

>> Enable FIDO
Workspace when using an enterprise ID. or higher
Samsung Knox 2.7

>>> Request URL Set the URL to request for FIDO authentication.
or higher
Profile 297
>>> Response Samsung Knox 2.7

Set the URL to respond to FIDO authentication
URL or higher
Manage the applications to use for FIDO authentication.
Note The essential applications required for

>>> FIDO App Samsung Knox 2.7
Installed List FIDO authentication are automatically or higher
added to the list. You can add an additional
application if needed.
• Pattern: Set the password using a pattern or any other

password with a higher degree of complexity, such as
Numeric, Alphanumeric, or Complex options.
• Numeric: The password must consist of a 4 digit
number or be more complex. The screen can be locked
> Minimum Samsung Knox 2.0
using the Numeric, Alphanumeric, and Complex types
strength or higher
of passwords.
• Alphanumeric: Both letters and numbers must be
included. The screen can be locked using with the
Alphanumeric and Complex types of passwords.
• Complex: Set so that the passwords must include
>> Maximum Set the maximum number of incorrect password attempts

before access is restricted. Samsung Knox 2.0
Failed Login
or higher
Select the action to be taken when the maximum number

of failed attempts is reached.
A Workspace control command must be sent to unlock
>>> Action for the Knox Workspace.
failing allowed • Lock Knox Workspace: When the set number of Samsung Knox 1.0
count to retry password attempts has been reached, the Knox or higher
password Workspace is locked.
• Wipe Knox Workspace: When the set number of
password attempts has been reached, the Knox
Workspace is deleted.

>> Expiration after must be reset. Samsung Knox 2.0
(days) or higher
>> Manage Set the minimum number of new passwords that must be
used before a user can reuse the previous password. Samsung Knox 2.0
password history
or higher
(times) The value can be between 0 - 10 times.
Profile 298

If the Minimum strength is set to Pattern, at least more
than one stroke is required.
In the case of Complex, it must be equal to or greater than
the sum of the Minimum number of letters and Minimum
number of non-letters.
The value can be between 4 - 16 characters for Numeric
>> Minimum Samsung Knox 2.0
or Alphanumeric.
length or higher
The value can be between 6 - 16 characters for Complex.
Note The minimum length of the pattern password

be entered.
Set the minimum password length.

If the Minimum strength is set to Must be alphanumeric,
the number 1 must be entered.
In the case of Must include special characters, the
default value is the number 3. If you want to enter another
>> Minimum number, the number must be equal or greater than the Samsung Knox 2.0
number of letters sum of the Minimum number of lowercase letters and the or higher
Minimum number of capital letters:
The value can be between 1 – 10 characters.
The default value is 1 character for Alphanumeric.
The default value is 3 characters for Complex.
>> Minimum Set the minimum number of lowercase letters required in

the password. Samsung Knox 2.0
number of
or higher
lowercase letters The value can be between 1 - 10 characters.
>> Minimum Set the minimum number of uppercase letters required in

the password. Samsung Knox 2.0
number of capital
or higher
Profile 299
Set the minimum number of numbers and special

characters required in the password.
If Minimum strength is set to Must include special
characters, the default value is the number 2. If you
>> Minimum want to enter another number, the number must be
equal or greater than the sum of Minimum number of Samsung Knox 2.0
number of non-
numeric characters and the Minimum number of special or higher
letters
characters.
The default value is 2 characters for Must include special
characters.
Set the minimum number of numeric characters allowed

>> Minimum in the password.
number of Samsung Knox 2.0
numeric or higher
characters The default value is 2 characters for Must include special
characters.
Set the minimum number of special characters required in

>> Minimum the password.
Samsung Knox 2.0
number of special The value can be between 1 -10 characters.
or higher
characters The default value is 1 character for Must include special
characters.
>> Maximum Set maximum number of duplicated characters. Samsung Knox 1.0
length of repeated
The value can be between 1 -10 characters. or higher
characters

length of characters allowed in a password. Samsung Knox 1.0

length of password. Samsung Knox 1.0
Set the minimum length of letters that users must change

from the previous password. If the Minimum strength is
>> Minimum set to Number, Must be alphanumeric, or Must include Samsung Knox 1.0
length of special characters, it must be less than the Minimum or higher
character change length.
The value can be between 1 - 10 words.
>> Prohibited
Allows the use of prohibited words in a password.
words
Profile 300
Set prohibited words in a password.

>>> Set prohibited Samsung Knox 1.0
words
• To add a word, enter the word in the field and click .
or higher
• To delete a word, click next to the added word.
Maximum screen Set the maximum time limit that a user can linger before Samsung Knox 2.0
timeout screen timeout. or higher
Password visibility Samsung Knox 1.0

Shows the password when entering it.
settings or higher
Pattern lock Samsung Knox 1.0

Shows the password when entering it.
visibility settings or higher
Allows Smartcard Browser Authentication within the

internet browser.
When the policy is allowed, the Bluetooth security mode
is applied while the device is connected to the smart card
reader and will not accept other Bluetooth connections.
Smartcard Browser Note • To use this policy, Bluetooth smart card- Samsung Knox 1.0
Authentication related applications must be installed or higher
on the device and the smartcard must
be registered in the Settings menu of the
device.
supported.
Unlock with Samsung Knox 2.1

Allows the use of the fingerprint unlock control.
fingerprint or higher
Samsung Knox 2.2

Unlock with iris Allows the use of the iris unlock control.
or higher
Allows the use of two-step authentication.
• Use: Forces the screen lock to release via fingerprint or

iris recognition.
• Do not use: Disables the two-step authentication
settings via your fingerprint or iris recognition.
Enforce Multi factor Samsung Knox 2.0
Note When the Knox Workspace is created, it is
Authentication or higher
set to select only two factor authentication
on the password setup stage. Even when
the manager chooses to disable ‘Unlock
with fingerprint’ or ‘Unlock with Iris, you can
still use your fingerprint or iris for two-step
verification.
Block function
setting on lock Blocks the function set in the lock screen.
screen
Profile 301
Set the lock screen function options.

> Block functions Samsung Knox 2.4
on lock screen • Trust Agent: Set whether to use the Knox Quick Access - 2.9
on the lock screen.
Application
Installation of
application from Android 8.0 or higher
sources instead of just the Google Play Store.
untrusted sources
App Installation
Set to control the application installation policies on the
Black/Whitelist
Knox Workspace.
Setting
Add applications to prohibit their installation on the Knox

Workspace.

application.
> Application Note • If a control application registered with a

wildcard (*) in the package name is added Samsung Knox 1.0
installation
to this policy, the specific package will not or higher
blacklist
be installed.
com.*.emm.*
• Previously installed blacklisted
applications will also be removed.
cannot be added.
Profile 302
Add applications to allow their installation on the Knox

Workspace.

application.

> Application wildcard (*) in the package name is added Samsung Knox 2.0
installation to this policy, the specific package will not or higher
whitelist be installed.
com.*.emm.*
• Any applications not on the whitelist
are deleted, even if they are not on the
blacklist.
• An application that has been added to the
Application installation blacklist policy
cannot be added.
App Execution Set to control the execution blacklist on the Knox

Blacklist Setting Workspace.
Add applications to prevent their execution in Knox

Workspace. Icon of the blacklisted application disappears
and users cannot run the application.

> Application applications in the “Select Application” window.
Samsung Knox 1.0
execution • To delete an application, click next to the added or higher
blacklist application.
Note An application that has been added to the

cannot be added.
Application
execution Allows application installation but prevents application
prevention list execution.
setting
Profile 303
Add applications to be displayed but not executable on

the Knox Workspace. Listed applications can be installed
and the icons will be displayed, but they will not be
> Application executable. Samsung Knox 2.0
execution
prevention list
• To add an application, click Add, and then select or higher
application.
Application
uninstallation
Set to control the application uninstallation policies.
prevention list
Setting
Add applications to prevent their uninstallation on Knox

Workspace.
> Application
uninstallation
applications in the “Select Application” window. or higher
prevention list
application.
App installation
Set the applications with installation permissions on Knox
authority
Workspace.
whitelisting settings
Add applications to allow installation on the Knox

Workspace. Selected applications will be added to the
> Application View list with the package name of the applications.
Samsung Knox 1.0
installation • To add an application, click Add, and then select or higher
whitelist applications in the “Select Application” window.
application.
Allows Google Mobile Service (GMS) application

Samsung Knox 2.0
GMS application installation. If the GMS application policy is disallowed,
or higher
the basic applications provided by Google do not appear.
Allows the use of the TIMA Client Certificate Manager

(CCM) profile on Knox Workspace.
TIMA CCM profile • Entire application: Applications in the Knox Workspace
whitelist can access TIMA CCM.
• Whitelist Application: Only the added applications on
the whitelist can access TIMA CCM.
Profile 304
Add applications to access the TIMA CCM on the Knox

Workspace.
> TIMA CCM
profile application
whitelist
application.
TIMA CCM
profile app
Allows only the set applications to access the TIMA CCM
access restriction
profile even when the Knox Workspace is locked.
exception list
settings
Add applications to access the TIMA CCM profile even

when the Knox Workspace is locked.

application.
> TIMA CCM
profile app Samsung Knox 2.1
Note • If Whitelist Application is selected in the
access restriction or higher
TIMA CCM profile whitelist policy, only
exception list
the whitelisted applications can access
TIMA CCM.
• If Entire application is selected in the
TIMA CCM profile whitelist policy,
the access restrictions of the applied
applications are excluded.
Settings for
Allows the use of an external SD card in Knox Workspace.
whitelisting apps
The external SD card cannot be used by default in the
allowing external
Knox Workspace.
SD card
Add applications that can use an external SD card.

> Whitelisted • To add an application, click Add, and then select Samsung Knox 2.2
apps for external applications in the “Select Application” window.
or higher
SD card
application.
Battery optimization Set to exempt applications from the battery optimization

exceptions function. This policy may cause battery loss.
Profile 305
Add applications to exempt from the battery optimization

function on Knox Workspace.
> Apps excluded
from battery
optimization
application.
Set General area Allows the applications installed in the general area to be
app installation installed in the Knox Workspace area.
Add the applications in the general area to be installed in

the Knox Workspace area.

> General area applications in the “Select Application” window.
Samsung Knox 2.1
app installation • To delete an application, click next to the added or higher
list application.
Note A list of Android platform applications is

displayed in Profile > Manage Control App.
App Data deletion Allows control of the deletion of the internal application
control setting data inside Knox Workspace.
Add applications to protect the internal application data

from being deleted. The internal data delete button
is disabled to block users from arbitrarily deleting
application data.

> App Data • To delete an application, click next to the added Samsung Knox 1.0
deletion application. or higher
prevention list
Note Add the registered application to the App
Data deletion protection list policy with a
wildcard character in the package name.
Then the application data for the specific
registered package cannot be deleted.
e.g.) com.*.Knox Manage / com.sds.* /
com.*.Knox Manage.*
Add applications to delete the internal application data.
> App Data • To add an application, click Add, and then select
deletion applications in the “Select Application” window. Samsung Knox 1.0
protection • To add all applications, click Add all. or higher
exception list
application.
Profile 306
Application force
stop prohibition list Set to prohibit application from force stop.
setting
Add applications to prohibit force stop.
> Force stop

blacklist or higher
application.
Show ProgressBar Set to display the ProgressBar, which displays the

Samsung Knox 1.0
when installing progress of the application downloads made in Knox
or higher
apps Manage.
Browser
Browsers must be closed and opened again to apply the changes.
Samsung Knox 1.0

Android browser Allows using the Android browser in the Knox Workspace.
or higher
Allows cookies in the Android browser of the Knox Samsung Knox 1.0
> Cookies
Allows JavaScript in the Android browser of the Knox Samsung Knox 1.0
> JavaScript
Allows auto-completion of information that you enter on Samsung Knox 1.0

> Autofill
websites in the Android browser of the Knox Workspace. or higher
Allows blocking pop-ups in the Android browser of the Samsung Knox 1.0
> Pop-up block
Knox Workspace. or higher
Set the proxy server address for the Android browser in

the Knox Workspace.
fields.
Samsung Knox 1.0
Browser proxy URL
Note • The Chrome browser and Samsung S or higher
1.0.1 - 2.6.
Profile 307
Firewall
The firewall supports IPv6 for SDK 2.6 or above. Even if the IPv4 and the IPv6 indicate the same
address, a separate configuration is required.
Set to use the firewall to set target IP addresses. The Samsung Knox 1.0
Firewall
firewall policy is enabled by default. - 2.4.1
Select and configure the firewall type to use in Knox

Workspace.
• All Packages: Input values for Permission policy and

Prohibition policy.
> Firewall type Note Android 10 (Q) or higher devices are not
supported.
• By Application: Input values for Permission policy

(IP), Prohibition policy (IP), Permitted policy (Domain),
Prohibited policy (Domain), and DNS setting.
Input values to permit access through the firewall.
1. Enter a Host Pattern and Port.

2. Select a Network Type:
• All
• Wi-Fi: Only Wi-Fi network access is enabled.
>> Permission Samsung Knox 1.0
• All
policy - 2.4.1
enabled.
4. Click to add.
Note Before setting this policy, disable all IPs and

ports by entering a wildcard character (*) to
the Prohibited policy (IP) ranges
Profile 308
Input values to prohibit access through the firewall.
1. Enter a Host Pattern and Port.

• All
• Data: Only mobile network access is disabled.
>> Prohibition • Wi-Fi: Only Wi-Fi network access is disabled. Samsung Knox 1.0
policy - 2.4.1
• All
disabled.
4. Click to add.


application.
• All
• Data: Only mobile network access is enable.
>> Permitted • Wi-Fi: Only Wi-Fi network access is enable. Samsung Knox 2.5
policy (IP) 4. Select Port Range: or higher
• All
• Local: Port access from the device is enable.
enable.
5. Click to add.
Note Before setting this policy, disable all IPs

Prohibited policy (IP) ranges.
Profile 309


application.
• All
>> Prohibited • Data: Mobile network access is disable. Samsung Knox 2.5
policy (IP) • Wi-Fi: Wi-Fi network access is disable. or higher
• All
• Local: Port access from the device is disable.
disable.
5. Click to add.
Note When entering the IP address, you can

use a wildcard character (*) to disable the
bandwidth usage.

application.

>> Permitted domains by entering a wildcard character Samsung Knox 2.6
policy (Domain) (*) to the Prohibited policy (Domain) or higher
ranges.
name.
Profile 310
Input values to prohibit the target domain address.

application.
>> Prohibited Samsung Knox 2.6
policy (Domain) 2. Input the IP Address (range) and Port (range). or higher
Note Use a wildcard character (*) to disable a

specific domain.


application.
2. Input DNS values. Samsung Knox 2.7
>> DNS setting
• DNS1: Primary DNS. or higher
Container Data
Allows moving applications from the general area to the

Moving an Knox Workspace.
Samsung Knox 2.0
application to
Note Android 10 (Q) or higher devices are not or higher
container
supported.
Moving a file to Allows moving files from the general area to the Knox Samsung Knox 2.0
Knox area Workspace. or higher
Moving a file to Allows moving files from the Knox Workspace to the Samsung Knox 2.0
General area general area. or higher
Calendar sync Allows syncing calendar data between the general area
Android 8.0 or lower
setting and the Knox Workspace.
Set how the calendar data is synced between the general

area and the Knox Workspace:
> Calendar data • Allow Import: Allows to import the calendar data of the Samsung Knox 2.0
sync general area to the Knox Workspace. or higher
• Allow Export: Allow to export the calendar data of the
Knox Workspace to the general area.
Profile 311
Contacts sync Allows syncing contact data between the general area and
setting the Knox Workspace.
Sets Data Loss Protection (DLP):
> Contacts data

• Allow Import: Allows to import the calendar data of the Samsung Knox 2.0
general area to the Knox Workspace.
sync or higher
• Allow Export: Allows to export the calendar data of the
Knox Workspace to the general area.
Copy and Paste

Allows copying and pasting with the clipboard between
Clipboard per
the personal and work areas.
Profile
Exchange ActiveSync
You can add more Exchange Active policy sets by clicking .
Policy Description
Configuration ID Assign a unique ID for each Exchange setting.
Description Enter a description for each Exchange setting.
Remove available Allows users to delete the Exchange settings in Knox Workspace.
Allows to configure the Exchange settings.
Office 365 Note This policy will automatically fill out the Exchange server
address and the SSL option as ‘Use’.

method
user.
> Manual Input
> User Information
Enter a domain address for the Exchange server.

Profile 312
Policy Description
Enter the Exchange server information such as IP address, host name or

Exchange server address
URL.
Sync measure for the early Select the interval period to sync the past emails. The sync interval and
data synchronization are in accordance with the email application settings.
Select the interval period to sync the past emails.
Email sync Interval Note The sync interval and synchronization are in accordance with
the email application settings.

method

> EMM Management
Certificate
• Certificate: Select a certificate to use from the User Certificate list.

user.


> Issuing External CA certificate. To learn more about how to add an external certificate, see

external CA list.
Sync calendar Syncs schedules on a calendar from a server to a device.
Sync contacts Syncs contact information in a phone book from a server to a device.
Sync task Syncs tasks items from a server to a device.
Sync notes Syncs notes from a server to a device.
Profile 313
Policy Description
SSL Note If Office365 setting is used, the SSL option is automatically

set to ‘Use’.
Signature Enter the email signature to use.
Notification Notifies the user of new emails.
Always vibrate on
Notifies the user of new emails with a vibration.
notification
Mutes email notifications.
Silent notification Note Always vibrate on notification and Silent notification cannot
be used at the same time.
Enter the email attachment file size limit in bytes.

Attachments capacity (byte)
The input value ranges from 1 to 52428800 (50MB).
Maximum Size of Email Select a maximum value for the email body size. This is only set once
Select the default value of the email body size.

> Default Size of Email
Note Select this setting after the Maximum Size of Email Body
Body (Kbyte)
(Kbyte) setting.
Profile 314
Email Account
You can add more email account policy sets by clicking .
Policy Description
Configuration ID Assign a unique ID for each email account setting.
Description Enter a description for each email account setting.
Remove available Allows users to delete the email account settings in Knox Workspace.
Default Account Specifies to usage of the default account.
User Information input

method
Select this to enter the email address manually. You can also enter the
incoming server ID, incoming server password, outgoing server ID, and
> Manual Input outgoing server password for the email connection.
item from it. The reference value will be entered automatically.
Select a connector from the user information connector.
> Connector interworking Note The connectors are listed in Advanced > System Integration
> Directory Connector.
Select to access the relevant mail server using the registered Knox
> User Information Manage email, ID, and password. The password must be entered from the
user’s device.
Incoming Server Protocol Select between the POP3 (pop3) and IMAP (imap) protocol.
Outgoing Server Protocol Entered automatically as SMTP.
Incoming Server Address/

Enter the Incoming Server address/port in a provided format.
port
Outgoing Server Address/

Enter the outgoing server address in a provided format.
port
Enter an incoming server ID to log in to the incoming mail server manually.

This protocol is only available when Manual Input is selected.
Incoming Server ID
Enter an outgoing server ID to log in to the outgoing mail server manually.

This protocol is only available when Manual Input is selected.
Outgoing Server ID
Enter an incoming server password to log in to the incoming mail server

manually. This protocol is only available when Manual Input is selected.
Incoming Server Password
Profile 315
Policy Description
Enter an outgoing server password to manually log in to the outgoing mail

server. This protocol is only available when Manual Input is selected.
Outgoing Server Password
Incoming SSL Select this to use SSL encryption.
Outgoing SSL Select this to use SSL encryption.
Select an email notification method.
• Enable Notification: Activates email notification.

Notification • Enable ‘Always notify by vibrate mode’: Notifies the user of new emails
with a vibration.
• Disable Notification: Deactivates email notification.
All incoming certificates Allows receiving certificates.
All outgoing certificates Allows sending certificates.
Signature Enter an email signature to use.
Account Name Assign an account name.
Sender Name Assign a sender name.
Bookmark
You can add, modify, or delete the bookmarks in the Samsung S browser, the default browser on
Samsung Galaxy devices. You can add more bookmark policy sets by clicking .
Note • Browsers must be closed and opened again to apply the changes.
• Even if a user modifies a registered bookmark or registers a bookmark with the same URL and
name, it will not be deleted when the bookmark setting is deleted.
• Even if a user manually deletes the set bookmark, due to the limitations of Samsung devices,
the application may still appear to be installed. In this case, you have to delete the bookmark in
the profile, and then recreate the bookmark.
Policy Description
Name Assign a unique ID for each bookmark setting.
Bookmark name Enter a bookmark name to be displayed as the title in a bookmark.
Profile 316
Knox VPN
Knox VPN settings are provided to help you set up a VPN on a Knox Workspace more easily. You can
add more Knox VPN policy sets by clicking .
Note Only one Knox VPN can be set on a device regardless of the Know Workspace area or General
area.
Policy Description
Configuration ID Assign a unique ID for the Knox VPN setting.
VPN name Enter a VPN name to display on the user device.
Description Enter a description for the Knox VPN setting.
Remove available Allows users to delete the Knox VPN setting.
Select a VPN vendor among F5, Juniper, Cisco, and User defined. Input
fields vary depending on the selected VPN vendor name.
VPN vendor name Note Select User defined to set up a different vendor’s VPN
service, such as Sectra mobile VPN. For more information,
see Entering a VPN vendor manually.
VPN client vendor package Entered automatically according to the selected VPN vendor name. If User
name defined is selected, you must manually enter this protocol.
Entered automatically when you selected F5 or Juniper. If other vendors

VPN type
are selected, you must manually select this protocol.
Select an entering method for Knox VPN information.
• Manual Input: Allowed for all VPN vendors except for User defined. For
more information, see Configuring a Knox VPN profile manually.
Entering methods for Knox
VPN • Upload profile: Allowed for all VPN vendors.
Note Input fields vary depending on the selected VPN vendor and
the entering method.
Allows uploading a Knox VPN profile when you set Entering methods for
Knox VPNs to Upload profile.
You can upload a text file in the JSON format. JSON varies depending on
the VPN vendor and VPN type.
Upload Knox VPN profile
For more information about sample files, see the sample file of a Sectra
Mobile VPN configuration in Configuring a Knox VPN profile manually and
see the sample file of Cisco VPN configuration in Sample file for uploading
a Knox VPN profile.
Profile 317
Policy Description

network setting using that certificate.
Note All users share this one certificate for each network setting.
Navigate to Advanced > Certificate > External Certificate to

method
services.
• Not Applicable: Disables authentication.

Authentication Method • Certificate-based Authentication: Uses certificates for authentication in
the Knox VPN setting.
• CAC-based Authentication: Uses two-factor authentication provided by
CAC (Common Access Card).
Select a certificate to use from the CA certificate list. Among the

certificates registered in Advanced > Certificate > External Certificate,
CA Certificate
those with the Purpose set as Knox VPN and the Type set as Root will
appear on the list.
Select a certificate to use from the certificate list. Among the certificates
registered in Advanced > Certificate > External Certificate, those with the
Server certificate
Purpose has been set as Knox VPN and the Type set as User will appear
on the list.
Allows the use of FIPS mode.

FIPS mode FIPS (US Federal Information Processing Standards) encrypts all data with
FIPS-140-2 authentication modules between the server and client.
Auto Re-connection Allows connecting automatically when an error occurs.
Profile 318
Policy Description
Select to use a VPN for selected applications or for all applications in the
General area.
VPN route type by
application
• By Application: Click Add next to The VPN applied package name per
app and select applications, and then click Save.
• All Packages: All applications in the General area are subject to a VPN.
Configuring a Knox VPN profile manually

You can manually enter a profile when Manual Input is selected in the Entering methods for Knox
VPN field. Set the options as below:
1. Enter the IP address, host name, or URL of the VPN server in the Server address.
• The VPN route type, which enables the use of VPN tunneling, is automatically entered.
2. Select to use user authentication.
3. Enter the user information for authentication depending on the selected method of entering user
information:
• If the VPN vendor is set to F5 or Juniper, configure the following:
Method Description
Enter the user ID and Password for the VPN connection.

Manual Input You can also click Lookup to open the reference items list and select an
Choose a connector from the User information Connector.

Connector interworking All the connectors are listed in Advanced > System Integration > Directory
Connector.
User Information Use the user information registered in Knox Manage to access a VPN.
4. Select a VPN type and enter the parameters. Required parameters vary depending on the selected
VPN type.
• If the VPN type is set to SSL, enter the SSL algorithm that the server requires for the SSL
algorithm section.
Profile 319
5. Select a VPN connection type.
• KEEP ON: Keep the VPN connection.

• On Demand: Connect to the VPN upon request.
6. Select the chaining type.
7. Select to use the UID PID.
8. Select to use the Logon mode.
• Logon mode is used when the VPN vendor name is set to F5.
Profile 320
Certificate
You can add more certificate policy sets by clicking .
Policy Description


method
services.


Certificate category
User will appear on the list.
Profile 321
Configuring iOS Policies
Create a profile and register policies for iOS devices.
You can configure the policies below for iOS devices. The availability of each policy varies depending
on the OS version.
→→ System
Allows features such as camera, screen capture, and Siri.
→→ Security
Configures the password settings.
→→ Application
Allows using Gamer Center, iMessage, and YouTube, and also enables configuring options for application
controls, such as installation and blacklist/whitelist.
→→ Phone
Configures the phone settings such as video calling and voice dialing.
→→ Share
Allows the use of AirDrop and the transferring of data between managed applications and unmanaged
applications.
→→ Browser
Allows using the Safari browser and configuring its settings.
→→ iCloud
Configures the iCloud settings, such as backup, iCloud photo library, and photo sharing.
→→ Media
Enables selecting a country to choose the level of media content, such as movies, TV shows, and
applications
→→ Wi-Fi
Configures Wi-Fi settings, such as SSID, security type, and proxy.
→→ Exchange
→→ VPN
Configures VPNs (Virtual Private Network) on iOS devices.
→→ Certificate
→→ SSO
Configures the SSO (Single Sign On) settings for one-click access to all applications.
Profile 322
→→ Cellular
Configures the cellular network settings, such as AttachAPN and APNs.
→→ AirPrint
Configures the AirPrint settings to enable computers to automatically detect an AirPrint printer.
→→ Font
Allows the delivering of new fonts to devices.
→→ WebClip
Configures the display of web shortcuts on an iOS device.
→→ App Lock
Configures the functions of an application that is locked down on a supervised device
→→ Global HTTP Proxy

Configures a global HTTP proxy to direct all HTTP traffic through a designated proxy server.
→→ AirPlay
Configures the AirPlay settings to allow iOS devices to share content.
→→ Web Content Filter

Configures the settings for the Web content filter to control accessing specific URLs on a web browser.
→→ Managed domains
Specifies URLs or subdomains to allow downloading content from these domains without any restrictions.
→→ Network Usage Rules

Configures network usage rules to control which applications can access data or when the device is
roaming.
Profile 323
System
Camera Allows using the camera. iOS 4.0 or higher
Allows use of the screen capture function, which is

Screen capture iOS 4.0 or higher
already set as default.
iOS 5.0 (iPhone 4S)

Siri Allows using Siri.
iOS 6.0 (iPad 3)
> Siri on lock iOS 5.1 (iPhone 4S)

Allows using Siri on the lock screen.
screen iOS 6.0 (iPad 3)
> Web search iOS 7.0 or higher

Allows displaying the web search results on Siri.
result on Siri Supervised
Select to use the Profanity filter on Siri.

iOS 5.0 (iPhone 4S)
> Profanity filter
• Forced use: Users are forced to use the Profanity filter iOS 6.0 (iPad 3) or
on Siri.
on Siri higher
• User selection: Users are allowed to select whether to Supervised
use the Profanity filter on Siri.
Allows submitting diagnostic results and usage

Submission of information to the manufacturer.
diagnosis and iOS 6.0 or higher
Note Personally identifiable or sensitive
usage details
information will be data masked.
Passbook on lock
Allows using the Passbook on the lock screen. iOS 6.0 or higher
screen
Control center on
Allows using the Control center on the lock screen. iOS 7.0 or higher
lock screen
Display notifications
Allows displaying the notifications on the lock screen. iOS 7.0 or higher
on lock screen
Display Today view

Allows displaying the Today view on the lock screen. iOS 7.0 or higher
on lock screen
Manual installation Allows manual installation of the Apple Configuration iOS 6.0 or higher
for profile Profile. Supervised
Control editing iOS 7.0 or higher

Allows editing the account information.
account information Supervised
Automatic updates
of certificate trust Allows automatic updates of the certificate trust settings. iOS 7.0 or higher
settings
Profile 324
Select to encrypt the iTunes backup.

Encryption for • Forced use: Users are forced to encrypt. iOS 7.1 or higher
iTunes backup
• User selection: Users are allowed to select whether to
encrypt.
iOS 7.0 or higher

iTunes pairing Allows iTunes connection with unauthorized PCs.
Supervised
Select to use the Limit Ad tracking.
Limited Ad tracking
• Forced use: Users are forced to use Limit Ad tracking. iOS 7.0 or higher
use Limit Ad tracking.
iOS 8.0 or higher

Factory reset Allows a device to factory reset.
Supervised
Result of web iOS 8.0 or higher

Allows displaying the web search results from Spotlight
search with
search. Supervised
Spotlight
Allows users to configure any restrictions on the menus

by activating the block menu function. If the policy is iOS 8.0 or higher
Block configuration
prohibited, the users cannot configure the device via the Supervised
block menu function.
Select to automatically change the device name to a

Change device mobile ID when updating the profile. iOS 8.0 or higher
name For this policy, you can send a device command to set the Supervised
device name as the mobile ID.
Allow Bluetooth iOS 10.0 or higher

Allows modifying Bluetooth settings on the device.
Modification Supervised
Profile 325
Security
Set to apply the password policy when the screen is

Password policies
locked.
Set the password strength on the screen.
• None: Set the password with a four digit number.

• Numeric: Set the password using numbers
> Password
• Must be alphanumeric: Set the password using iOS 4.0 or higher
strength alphanumeric characters.
• Must include special characters: Set it so that the
passwords must include alphanumeric and special
characters.
> Maximum Set the maximum number of incorrect password attempts

Failed Login before resetting the device to its factory settings. iOS 4.0 or higher

> Minimum length iOS 4.0 or higher

> Expiration after must be reset. iOS 4.0 or higher
(days)
> Manage Set the minimum number of new passwords that must be
password history used before a user can reuse the previous password. iOS 4.0 or higher
(times) The value can be between 0 - 50 times.
Set the maximum inactive time before the screen of the

device is locked. The maximum allowed time varies by
device-type.
> Screenlock time
iOS 4.0 or higher
(min) Note 1, 3, and 4 minute intervals are available
with iPhone. 10 and 15 minute intervals are
available with iPad.
Set the time duration for device lock after turning off a
> Screenlock device screen without entering the password.
grace period iOS 4.0 or higher
(min) Note Select 0 to lock the device immediately.
> Screen unlock

Allows screen unlock with Touch ID. iOS 7.0 or higher
with Touch ID
Profile 326
Application
Allows the installation of applications.

Application
Note Applications can be installed using MDM but iOS 4.0 or higher
installation
cannot be installed using iTunes.
Allows using the App Store for application installation.

> Allow App Store iOS 9.0 or higher
Note Applications can be installed using MDM but
to install Apps Supervised
cannot be installed using iTunes.
Application iOS 6.0 or higher

Allows applications to be deleted.
uninstallation Supervised
iTunes Store Allows using the iTunes Store. iOS 4.0 or higher
> Explicit content iOS 4.0 or higher

Allows the purchase of explicit content from the iTunes
on music and
Store. Supervised
podcasts
> Require iTunes

Select to require the iTunes Store password for every
password for iOS 5.0 or higher
purchase made in the iTunes Store.
every purchase
iOS 6.0 or higher

Game Center Allows using Game Center.
Supervised
> Adding friends

Allows adding friends in Game Center. iOS 4.0 or higher
in Game Center
> Multiplayer iOS 4.0 or higher

Allows multiplayer games in Game Center.
games Supervised
iOS 6.0 or higher

iBookstore Allows iBookstore.
Supervised
Inappropriate iOS 6.0 or higher

content download Allows downloading unrated media content. Supervised (iOS 6.1
on iBookstore or below)
iOS 6.0 or higher

iMessage Allows using the messaging application.
Supervised
YouTube Allows using YouTube. iOS 5.1 or lower
iOS 7.0 or higher

Find friends Allows the Find My Friends function.
Supervised
In-app purchase Allows in-app purchases. iOS 4.0 or higher
Profile 327
Set to control the application installation policies. Both the

blacklist and whitelist policies can be applied at the same
time.
Application black/ Note If the Application black/whitelist Settings iOS 4.0

whitelist Settings policy is set with no applications, then no
other applications except for the Knox
Manage Agent will be allowed to be executed
and installed.
Add applications to prohibit their installation. Blacklisted

applications will be deleted even if they were previously
installed.

installation • To delete an application, click next to the added iOS 4.0 or higher
blacklist application.

Application installation whitelist cannot be
added.
Add applications to allow their installation. Any

applications not on the whitelist are deleted, even if they
are not on the blacklist.

installation • To delete an application, click next to the added iOS 4.0 or higher
whitelist application.

Application installation blacklist cannot be
added.
Set to use Autonomous Single App Mode, which enables

Autonomous single applications to use Single App Mode on request. This iOS 7.0 or higher
app mode policy grants a permission to perform the Application Supervised
Lock function.
Add applications to autonomously enable or disable

Single App Mode.
> List of apps iOS 7.0 or higher
allowing auto
applications in the “Select Application” window. Supervised
single app mode
application.
Profile 328
Allows the trusted Company applications. Company

To trust company
applications installed before the policy has been set can iOS 9.0 or higher
app
still be executed.
Phone
Modification
of cellular data iOS 7.0 or higher
Allows modifying cellular data usage per application.
settings for each Supervised
application
Video calling Allows video calling. iOS 4.0 or higher
Voice dialing Allows video dialing. iOS 4.0 or higher
Background fetch
Allows background fetch when roaming. iOS 4.0 or higher
for roaming
Share
Data transfer
Allows transferring data from managed applications
from managed
installed by Knox Manage to unmanaged applications iOS 7.0 or higher
to unmanaged
installed by users.
applications
Data transfer
Allows transferring data from unmanaged applications
from unmanaged
installed by users to managed applications installed by iOS 7.0 or higher
to managed
Knox Manage.
applications
iOS 7.0 or higher

AirDrop Allows the use of AirDrop.
Supervised
Consider AirDrop Allows the sharing of managed documents when using iOS 9.0 or higher
not managed AirDrop on the device. Supervised
Profile 329
Browser
Safari Allows using Safari, the default iOS browser. iOS 4.0 or higher
Set the cookies permission in Safari.
• Disallow: Disallows accepting cookies.

• Currently only connected websites are allowed: Allows
Cookies accepting cookies from the currently connected sites. iOS 6.0 or below
• Only visited websites are allowed: Allows accepting
cookies from the visited sites.
• Always: Always allows cookies.
JavaScript Allows JavaScript in Safari. iOS 6.0 or below
Allows auto-completion of information that you enter on

Autofill iOS 4.0 or higher
websites in Safari.
Block pop-ups Allows blocking pop-ups in Safari. iOS 4.0 or higher
Untrusted TLS
Allows to accept untrusted TLS certificates. iOS 5.0 or higher
certificate
Shows a warning message about potentially fraudulent

websites.
Web forgery • Forced use: Safari is forced to display a warning iOS 4.0 or higher
warning message.
use web forgery warning.
iCloud
Backup Allows backing up the device data on iCloud. iOS 5.0 or higher
Document
Allows synchronizing device documents on iCloud. iOS 5.0 or higher
synchronization
Allows use of the iCloud Photo Library for uploading

iCloud Photo Library iOS 9.0 or higher
photos and videos on iCloud.
Allows using Photo Stream for storing personal photos on

Photo stream iOS 5.0 or higher
iCloud.
Allows using Photo Sharing for sharing personal photos

Photo sharing iOS 6.0 or higher
through iCloud.
Profile 330
Allows synchronizing Keychain Synchronization on iCloud,

which helps users to have consistent access to their user
Keychain
account, name, password, credit card number, email, iOS 7.0 or higher
synchronization
contracts, schedule, and other user information on all their
devices.
Managed app Allows synchronizing managed applications installed by

iOS 8.0 or higher
synchronization the Knox Manage server to save data on iCloud.
Allows the use of Handoff, one of the Apple’s Continuity

Handoff features, to move and continue performing the same iOS 8.0 or higher
tasks seamlessly between devices through iCloud.
Media
Select a country to set a rating level for media content,

Rating for each such as movies, TV shows, and applications, from below:
iOS 4.0 or higher
country • United States/United Kingdom/New Zealand/Japan/
Ireland/Germany/France/Canada/Australia.
> Movies Set the maximum allowable movie rating. iOS 4.0 or higher
> TV Shows Set the maximum allowable TV show rating. iOS 4.0 or higher
> Apps Set the advertisement tracking restriction on the device. iOS 4.0 or higher
Wi-Fi
Policy Description
Enter the identifier of a wireless router to connect to.

Network name (SSID) You can also click Lookup to open the reference items list and select an
Security Type Specifies the access protocol used and whether certificates are required.
> WEP
> WPA/WPA2 Set a password.
> For all individuals
Profile 331
Policy Description
• Protocol
–– Permitted EAP Type: Select the EAP types to permit. You can select
> Enterprise WEP
multiple types.
–– EAP-FAST: Configure the EAP-FAST options. Enable the next options
by clicking the previous one.
–– A dynamic trust decision by the user: Select whether to use the
option.
–– Allow direct connection(Proxy URL): Select whether to use the
> Enterprise WPA/WPA2 option.
• Authentication
–– One-time password for connection: Check to enable.
connection.
> For all enterprises –– Connector interworking: Choose a connector from the User
information Connector.
• Trust
–– Root Certificate: Select a Root Certificate to use.
Check to enable Hotspot usage and configure its settings. If this policy is
Hotspot Availability enabled, the device will be connected to Wi-Fi access points that support
Hotspot 2.0.
> Hotspot Domain Name Assign an identifier to the Wi-Fi hotspot service displayed on a device.
> Operator Name Assign the name of the network provider shown on the device.
> Roaming Consortium OI Add a Roaming Consortium organization ID to connect to.
> Network Access ID Add an ID to authenticate network access.
Add both the Mobile Country Code (MCC) and the Mobile Network Code
(MNC).
> Hotspot Operator Code
Note For SK Telecom (a South Korean wireless telecom operator)
devices, enter 45005.
Check the checkbox to hide the network from the list of available networks
Hidden Network
on the device. The SSID does not broadcast.
Check the checkbox to use an automatic Wi-Fi connection.

Auto Connect (iOS 5 and
above) Note This setting is for iOS 5 or higher.
Profile 332
Policy Description
Specifies the permitted protocol for the Wi-Fi network.
Protocol Note This tab is enabled if the Security Type is selected as

Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.
Select more than one permitted protocol: TLS, LEAP, EAP-FAST, TTLS,
PEAP, and EAP-SIM.
> Permitted EAP Type
Note If TTLS is checked, select an extra protocol from the Internal
Authentication Protocol.
Select PAC protocols to use from the following:
• Use PAC: Determines whether to use PAC.

> EAP-FAST
• PAC Deployment: Check the Use PAC option to enable it.
• Anonymous PAC Deployment: Check PAC Deployment to enable it.
> A dynamic trust decision
Allows using a dynamic trust decision by the user protocol.
by user
> Allow direct connection

Allows using the direct connection protocol.
(Proxy URL)
Specifics the authentication of the Wi-Fi users. This tab is enabled if the
Authentication Security Type is selected as Enterprise WEP, Enterprise WPA/WPA2, or for
all enterprises
Select to ask users to enter the password whenever Wi-Fi is connected.
• If checked, the Auto Connect setting is automatically disabled.

> One-time password for
connection • If unchecked, the Auto Connect is automatically activated.
Note This setting is for iOS 5 or higher.
Specifies the user information used and whether certificates are required.
Select an input method as follows:
• Manual Input: Enter the user ID and Password for the Wi-Fi connection.
> User information input • Connector interworking: Choose a connector from the User information
method Connector.
an item from it when entering an ID for the Manual Input. The reference
value will be automatically entered.
Assign an external ID for Manual Input.
> External ID Note This setting is available when either TTLS, PEAP, or EAP-FAST
is selected.
Profile 333
Policy Description
Select the user certificate type.



> User Certificate Type Type as Profile Configuration(Certification) when you register a
services.
Specifies the required certificates. This tab is enabled if the Security Type
Trust
selected is Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.
> Trusted certificate name Add the name of the Trusted certificate.
> Root Certificate Select a Root Certificate.
Select a proxy server settings method.

Proxy
Note This setting is for iOS 5 or higher.
• Proxy IP Address and Port: Enter the IP address of the proxy server and
the port number used by the proxy server.
> Manual
• Proxy Authenticated User Password: Enter the password for the proxy
server.

> Auto
• Proxy Server URL: Enter the URL of the proxy server.
Profile 334
Exchange
Policy Description
Allows to configure the Exchange settings.
Office365 Note This policy will automatically fill out the Exchange server
address and the SSL option as ‘Use’.

method
user.
> Manual Input
> User information

Host Enter the host name of the email server.
SSL Note If Office 365 setting is used, the SSL option is automatically
set to ‘Use’.

method

> EMM Management
Certificate
• User Certificate: Select a certificate to use from the User Certificate list.
Profile 335
Policy Description

user.


> Issuing external CA certificate. To learn more about how to add an external certificate, see

external CA list.
Sync Interval Note The sync interval and synchronization are in accordance with
the email application settings.
Do not move message to

Select to use the policy.
other accounts
Available only on mail app Select to use the policy.
Do not sync the recently

Select to use the policy.
used email address
Activate S/MIME Check to activate and configure S/MIME functions for email security.
Profile 336
Policy Description
Select EMM Management Certificate or Connector interworking.


> S/MIME signing

certificate input method information obtained by applying the filter set for the connector. To
services.
Available only when EMM Management Certificate is selected.

> S/MIME Signing
Certificate Choose the signing certificate according to the S/MIME signing certificate
input method.
Available only when Connector interworking is selected

> S/MIME signing
certificate connector Choose the signing certificate connector according to the S/MIME signing
certificate input method.
Profile 337
Policy Description
Select EMM Management Certificate or Connector interworking.


> S/MIME encryption

certificate input method information obtained by applying the filter set for the connector. To
services.
Available only when EMM Management Certificate is selected.

> S/MIME Encryption
Certificate Choose the Encryption Certificate according to the S/MIME encryption
Available only when Connector interworking is selected

> S/MIME signing
certificate connector Choose the signing certificate connector according to the S/MIME signing
> S/MIME Enable Per

Check the checkbox to enable S/MIME per message.
Message Switch
VPN
can add more VPN policy sets by clicking .
Policy Description
Profile 338
Policy Description
Select a connection type and enter the parameters. Required parameters

vary depending on the selected connection type.
• L2TP: Set the Shared Security and Send All Traffic options.
• PPTP: Set the Encryption Step and Send All Traffic options.
• IPSec (Cisco): Enter the items depending on the selected device
authentication type:
–– If Device Authentication is set to certificate, set Domain/Host
Pattern, and Action for it. And then, select a User certification input
method and set to Include User PIN when a device is authenticated.
Connection type –– If Device Authentication is set to Shared Security/Group Name,
set Group Name and Shared Security options. And then, set to Use
mixed authentication and Password Request when a device is
connected with VPN.
• Cisco AnyConnect: Set the Group Name option.
• Juniper SSL: Set the Realm and Role options. If this is selected, Pulse
secure VPN, a new VPN, is supported and previous Juniper Pulse
versions will not be supported.
• SonicWALL Mobile Connect: Set the Login Group or Domain options.
• IKEv2: For IKEv2, see Configuring VPN IKEv2 connection.
Server address
needs to access.
Select applications that will be allowed to connect to a VPN automatically.

VPN Application Allocation
Click Add and select applications. And then, click OK.
Select URLs that will be allowed to connect to a VPN automatically on

Safari Domain Safari.
Enter a domain address, and then click .
Select a VPN type for each application.

VPN type for each app • packet-tunnel: for app-layer tunneling
• app-proxy: for packet-layer tunneling
User Connection Select an authentication type for user connection between Password and
Authentication Type RSA SecurID.
• Manual Input: Enter the user ID and Password for VPN connection.
method • Connector interworking: Choose a connector from the User information
Connector. All the connectors registered in Advanced > System
Integration > Directory are listed in the User information Connector.
• User Information: Use the user information registered in Knox Manage
to access VPN.
Profile 339
Policy Description
Set an ID for the VPN settings.

ID You can also click Lookup to open the reference items list and select an
Set a password for the VPN settings.

Password You can also click Lookup to open the reference items list and select an

–– User certificate: Select a certificate to use from the User Certificate

list.
Type as Profile Configuration (Certification) when you register a
User certificate input To learn more about how to add a directory connector, see Adding
method sync services. When you search for a user using the filter set for the
connector, the user certificate (.p12 or .pfx) corresponding to the
obtained user information is applied along with a profile, allowing you to
use this certificate to verify the user.
–– User Information Connector: Select a connector to use from the User
–– Issuing External CA: Select an external CA to use from the Issuing
external CA list.
Note User certificate input method appears only when certificate is

selected in the user connection authentication type or in the
device authentication.
Select the setting for the proxy server.
Proxy Settings
• Manual: Enter the proxy IP address and port number. Then, assign a
user name and proxy authenticated user password.
• Auto: Enter the proxy server URL address.
Profile 340
Configuring VPN IKEv2 connection
If the connection type is set to IKEv2, you can configure the setting as follows:
1. Set the VPN auto connection settings.
• VPN auto connection (Only devices allowed by director): Keeps VPN activated on the device.
• Allow users to deactivate auto connection: Allows users to deactivate auto connection on the
device.
• Use the same tunnel for both cellular and Wi-Fi: Configure the VPN connection information
to be used by both networks. To use different tunnels for configurations for cellular and Wi-Fi,
click the Cellular and Wi-Fi tabs and enter the VPN connection information.
• If a profile has more than two VPN settings with VPN auto connection checked, the profile will
not be installed on the device.
2. Enter the information below:
Item Description
Server address Enter the IP address, host name, or URL of the VPN server.
Enter the value to identify the IKEv2 client in the format below:
Local identifier
• FQDN, UserFQDN, Address, and ASN1DN
Enter the value in the format below:
Remote identifier
• FQDN, UserFQDN, Address, and ASN1DN
Select a VPN authentication method:
• Security sharing: Enter the security sharing password.

System authentication
• Certificate: Select a user certificate input method. Then enter the
common name of the server certificate issuer and the common name
of the server certificate.
Determines if EAP is activated. If activated, select

EAP activation • Certificate: Select a user certificate input method.
• Password: Enter the user ID and Password.
Set the interval for checking the usability of the VPN equipment.
Dead Peer
Note Check whether the resource should change or the content
Detection speed
should be modified.
Choose the Encryption algorithm.

Encryption algorithm • IKE SA: DES, 3DES, AES-128, AES-256, AES-128-GCM, AES- 256 GCM
• Sub SA: DES, 3DES, AES-128, AES-256, AES-128-GCM, AES-256-GCM
Profile 341
Item Description
Choose the Integrity algorithm.

Integrity algorithm • IKE SA: SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512
• Sub SA: SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512
Select the group to be used for Diffie Hellman algorithm.
Diffie Hellman group • IKE SA: 0, 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21
• Sub SA: 0, 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21
Enter the session expiration period.
Time(min) • IKE SA: Between 10 and 14440. The default value is 14440.
• Sub SA: Between 10 and 14440. The default value is 14440.
Enable NAT Keepalive and set the interval for Keepalive.
Enable NAT keepalive while
the device is in sleep mode Note This item is for iOS 9 or higher.
Set NAT KeepAlive intervals in seconds. The default value is 20 seconds.

NAT keepalive interval
Note This item is for iOS 9 or higher.
Select to use the IPv4/IPv6 internal subnet attribute of IKEv2.

Use IPv4/IPv6 internal
subnet properties Note This item is for iOS 9 or higher.
Select to deactivate portability and multi-homing (MOBIKE).

Disable portability and multi-
homing Note This item is for iOS 9 or higher.
Select to disable IKEv2 connection redirection.

Disable redirect
Note This item is for iOS 9 or higher.
Select to enable PFS (Perfect Forward Secrecy)

Enable a perfect forward
secrecy Note This item is for iOS 9 or higher.
Select the allowed traffic range when using Voicemails and AirPrint.
Voice mail box / AirPrint • Allow traffic to goes through tunnel/Allow traffic outside tunnel/Drop
traffic
Captive web sheet traffic

Allows captive web sheet traffic outside the VPN tunnel.
outside of VPN tunnel
Captive Network App bundle Enter the Captive Network App bundle identifier to allow and click to
identifier disallow this item.
Profile 342
Certificate
Policy Description
Select a certification category.
• CA Certificate: Select a certificate to use from the CA certificate list.

Certificate category Root will appear on the list.
SSO
SSO (Single Sign On) service offers one-click access to all of the applications without additional
authentication. You can add more SSO policy sets by clicking .
Policy Description
Configuration ID Assign a unique ID for each SSO setting.
Description Enter a description for each SSO setting.
Account Name Enter the name that appears on the device.
Principal Name Enter the principal name.
Enter a domain name that is able to use SSO. You must enter the name in
Realm
upper case letters.
Enter a URL to be accessed with SSO.

URL Prefixes
Click , enter a URL, and then click .
Enter the bundle ID of an application that you can use through SSO. If there
App Identifier is no application added on the list, SSO can be used for all applications.
Click , enter the bundle ID of an application, and then click .
Profile 343
Cellular
Configure the cellular network settings and control how the device accesses the cellular network. If
an APN has already been set, the cellular configuration will not be applied. You can add more cellular
policy sets by clicking .
Policy Description
Configuration ID Assign a unique ID for each cellular setting.
Description Enter a description for each cellular setting.
Configure the settings for an Attach APN.
• Name: Enter the name for the setting.

AttachAPN item from it. The reference value will be automatically entered.
• Authentication Method: Choose PAP or CHAP.
• Username: Enter the user name for user authentication.
• Password: Enter the password for user authentication.
Configure the setting for an APN.
• Name: Enter the name for the setting.

APNs • Authentication Method: Choose PAP or CHAP.

• Username: Enter the user name for user authentication.
• Proxy Server: Enter the IP address of a proxy server.
• Proxy Server Port: Enter the port number of a proxy server.
Profile 344
AirPrint
You can add a printer to the AirPrint list on the device and configure devices and printers that exist on
different networks conveniently. You can add more AirPrint policy sets by clicking .
Policy Description
Configuration ID Assign a unique ID for each setting.
Description Enter a description for each setting.
Add printers that support AirPrint.

Click , enter an IP address and a resource path, and then click .
For the resource path, you can enter what’s below:
AirPrint Printer List • printers/Canon_MG5300_series
• printers/Xerox_Phaser_7600
• ipp/print
• Epson_IPP_Printer
Font
You can add more font policy sets by clicking .
Policy Description
Configuration ID Assign a unique ID for each font setting.
Description Enter a description for each font setting.
Add a font to use on the device.

Font
Click Add and add a font.
WebClip
You can add more WebClip policy sets by clicking .
Policy Description
Configuration ID Assign a unique ID for each web clip setting.
Description Enter a description for each web clip setting.
Label Enter a web clip name to be displayed on the device home screen.
URL Enter a web clip URL address.
Removable Check the checkbox to allow users to delete the web clip account settings.
Profile 345
Policy Description
Click Add, and then click Browse to select an icon that will be displayed on
the user’s device home screen. Then click OK to add.
Icon
• The icon must be 59 x 60 px and in the PNG file format.
• A white square image will be displayed if no icon is selected.
App Lock
You can add more App Lock policy sets by clicking .
Policy Description
Configuration ID Assign a unique ID for each application lock setting.
Description Enter a description for each application lock setting.
App Bundle ID Enter the application bundle ID to identify applications.
Options Check the box to configure the application lock options.
> Touch Screen Allows device touchscreen mode.
> Screen Rotation Enables using the landscape or portrait mode of the device screen.
> Volume Button Enables adjusting the volume.
> Ringer Switch Enables the easy on and off ringer mode through a ringer switch.
> Power Button Allows turning the device on or off through the power button.
Enables automatically locking the device after a fixed amount of time

> Auto Lock
through auto lock.
> VoiceOver Turn on voice over for a screen-reading feature.
> Zoom In/Out Turn on the zoom feature to configure easy zooming on the screen display.
Turn on color inversion to show colors on the device screen as their

> Invert Colors
complementary colors.
Allows virtual home button to perform multiple actions on the screen with
> Assistive Touch
a simple tab.
> Speak Selection Turn on say optional item to select a text to be read aloud.
Turn on Mono Audio to play both audio channels in one ear using a
> Mono Audio
headset.
User Enabled Options Check the box to configure user enabled options.
> VoiceOver Enables Voice over for the screen-reading feature.
> Zoom In/Out Allows for configuring the easy zoom in and out feature on the display.
Allows color inversion to display colors on the device screen as their

> Invert Colors
complementary colors.
Profile 346
Policy Description
Allows virtual home button to perform multiple actions on the screen with
> Assistive Touch
a simple tab.
Global HTTP Proxy

You can add more global HTTP policy sets by clicking .
Policy Description
Configuration ID Assign a unique ID for each global HTTP proxy setting.
Description Enter a description for each global HTTP proxy setting.
Proxy Type Select and enter the corresponding items depending on the proxy type.
• Proxy Server and Port: Enter the IP address of a proxy server and the
port number of the proxy server.
> Manual
• Username: Enter the username for user authentication
• Proxy PAC URL: Enter the URL of the PAC file that defines the proxy
configuration.
> Auto • Proxy PAC Fallback Allowed (iOS 7 or above): Check the checkbox to
allow a direct connection from the user device if the PAC connection
fails.
Proxy Captive Login Allowed Check the checkbox to allow the device to bypass the proxy server to
(iOS 7 or above) display the login page for captive networks.
AirPlay
These policies support devices with iOS 7 or above. You can add more AirPlay policy sets by clicking
.
Policy Description
Configuration ID Assign a unique ID for each AirPlay setting.
Description Enter a description for each AirPlay setting.
Add an AirPlay device ID to the whitelist so that it is displayed on the user’s

Whitelist (Supervised) device.
Click , enter a device ID, and then click .
Add an AirPlay device password.

Passwords
Click , enter a device name and password, and then click .
Profile 347
Web Content Filter
You can add a specific URL to the whitelist or blacklist. These policies support devices with iOS 7 or
higher in Supervised mode. You can add more web content filter policy sets by clicking .
Policy Description
Auto Filter Enabled Check the checkbox to use the auto filter function.
Add a URL to allow access to.

Blacklisted URLs
Add a URL to block access to.

Permitted URLs
Add a bookmark to allow for access.

Whitelisted Bookmarks
Click , enter a URL, title, and path, and then click .
Managed domains
Set managed domains and protect corporate data. You can control what apps can open documents
downloaded from corporate domains using Safari. These policies support the devices with iOS 8 or
higher in Supervised mode. You can add more managed domains policy sets by clicking .
Policy Description
Add a domain to specify as a corporate domain for emails.

Email domains
Add a domain to specify a corporate domain for the web.

Web domains
Profile 348
Network Usage Rules
Configure network usage rules to allow data roaming and cellular data for applications. You can add
more network usage rules policy sets by clicking .
Policy Description
Managed app Network Add an application and allow cellular data and data roaming.
Settings Click , add an application, set the data settings, and then click .
Profile 349
Configuring Windows Policies
Create a profile and register policies for Windows devices.
You can configure the policies below for Windows devices. The availability of each policy varies
depending on the OS version.
→→ System
Allows the use of features such as factory reset, camera, screen capture and VPN.
→→ Interface
Controls the network settings, such as Bluetooth, Wi-Fi tethering, and NFC.
→→ Security
Configures the password settings.
→→ Application
Allows using the Windows App Store and configuring options for application controls, such as installation
and blacklist/whitelist.
→→ Phone
Allows overseas data roaming.
→→ Etc
Allows deleting PPKG (Provisioning Package) files or MDM profiles while using them.
→→ Wi-Fi
→→ Exchange
Configures the settings of a Microsoft Exchange ActiveSync account to synchronize data with it.
→→ VPN
Configures VPNs (Virtual Private Network) on Windows devices.
→→ Certificate
Configures the Knox Manage Agent Root, user certificates, and server certificates for use on the device.
Profile 350
System
Windows 10 (Mobile
Factory reset Allows a device factory reset.
/ Desktop) or higher
Windows 10 (Mobile
Camera Allows using the camera.
Windows 10
Screen Capture Allows using the screen capture function.
(Mobile) or higher
Windows 10
VPN Allows modifying the VPN settings.
(Mobile) or higher
Interface
Windows 10 (Mobile
Wi-Fi Allows the use of Wi-Fi.
Windows 10 (Mobile
> Wi-Fi Tethering Allows tethering the Wi-Fi connection.
Windows 10 (Mobile
Bluetooth Allows the use of Bluetooth.
Windows 10 (Mobile
> Search Mode Allows using device search via Bluetooth.
Windows 10
NFC Allows the use of NFC (Near Field Communication).
(Mobile) or higher
Windows 10
USB Allows USB tethering connections.
(Mobile) or higher
Profile 351
Security
Set to apply the password policy when the screen is

locked. The camera is disabled in screen lock mode.
Windows 10
Password policies Note If you have enabled Samsung Knox Manage (Mobile) or higher
for a device with no password, certificates
registered in the device will be deleted.
Set the maximum number of incorrect password

attempts.
Note If you enter the wrong password more than

> Maximum the allowed number of times, a challenge
Windows 10
Failed Login phrase appears, and then the system
(Mobile) or higher
Attempts begins the factory reset operation. A
challenge phrase is a particular phrase that
is presented to you to disable the autofill
feature and protect your information. You
need to enter the case sensitive challenge
phrase exactly.
Set the minimum length of the password. Windows 10

> Minimum length
The value can be between 4 - 16 words. (Mobile) or higher
> Maximum Set an idle time before the screen lock is enabled. Windows 10
Screen lock grace
The value can be between 0 – 999 minutes. (Mobile) or higher
period (Minutes)

must be reset.
> Expiration after The value can be between 0 - 730 days. Windows 10
(days) (Mobile) or higher
Note Set the number to 0 for an indefinite period.
Set the number of times that you can reuse the password
> Retain history that you previously used, including the current password. Windows 10
for (Mobile) or higher
Profile 352
Application
Windows App store Windows 10

Allows access to the Windows App Store.
access control (Mobile) or higher
Windows 10
Add App Install Set the Windows application policies based on the
(Mobile/Desktop) or
Black/Whitelist blacklist or the whitelist.
higher
Windows 10
> Add Preloaded
Set to automatically add preloaded applications. (Mobile/Desktop) or
App Automatically
higher
Add applications to allow their installation. Any

applications not on the whitelist are deleted, even if
previously installed.

Windows 10
> App Install/Run applications in the “Select Application” window.
(Mobile/Desktop) or
Whitelist • To delete an application, click next to the added higher
application.
Note Knox Manage Agent is automatically

registered on the list.
Add applications to prohibit their installation. Blacklisted

applications will be deleted even if they were previously
installed.

Windows 10
> App Install/Run applications in the “Select Application” window.
(Mobile/Desktop) or
Blacklist • To delete an application, click next to the added higher
application.

App Install/Run Whitelist cannot be added.
Phone
Windows 10
Data connection
Allows overseas data roaming (Mobile/Desktop) or
during roaming
higher
Profile 353
Etc
Windows 10
Allows users to delete provisioning package (PPKG) files
Delete PPKG (Mobile/Desktop) or
while using them.
higher
Windows 10
MDM Client
Allows users to delete MDM profiles while using them. (Mobile/Desktop) or
Unenrollment
higher
Wi-Fi
Policy Description
Enter the identifier of a wireless router to connect to.

Security type Specifies the access protocol used.
> Open Allows a Wi-Fi connection without a password.
> WEP Set a password in the Password field.
> WPA2 Personal Set a password in the Password field.
Enter an EAP XML configuration code.
> EAP Note The EAP XML tab is enabled only when EAP is selected for
the Security type.
Auto connection Check to use an automatic Wi-Fi connection.
Check the checkbox to hide the network from the list of available networks
Hide Network
on the device. The SSID does not broadcast.
Enter the IP address of a proxy server and the port number of the proxy
Proxy Server and Port
server.
Profile 354
Exchange
Policy Description

method
user.
> Manual Input
Note All the connectors are listed in Advanced > System

> Connector interworking Integration > Directory Connector. The email account that is
registered is the one registered in the connected directory’s
information.
> User Information

Server Name Assign an Exchange server name.
Select a configuration level for diagnostic logging.
• Logging off: Does not leave a record in the Event Viewer log.
Diagnostic Logging • Basic logging: Configure the default diagnostic log information.
• Advanced logging: Configure the diagnostic log information for the
security-related events.
Sync Schedule Select the interval period to sync the incoming emails.
Sync measure for the early

data
Sync calendar Syncs schedules on a calendar from a server to a device.
Sync contacts Syncs contact information in a phone book from an Exchange to a device.
Sync Email Syncs emails from an Exchange to a device.
Sync task Syncs tasks from an Exchange to a device.
SSL Set to use SSL for email encryption.
Profile 355
VPN
You can add more VPN policy sets by clicking .
Policy Description
Select a VPN vendor from among Pulse Secure VPN, F5, SonicWall Mobile
VPN vendor name
Connect, and Check Point Mobile.
Server address
needs to access.
Customer Configuration Enter the VPN vendor-specific settings in the XML format and click Save.
Remember Credentials Check to use remember credentials.
Always On Check to use always on mode.
Lock Down Check to use lock down mode.
DNS Suffix Enter a DNS Suffix.
Trusted Network Enter the IP address, host name, or URL.
Select the setting for the proxy server.

Proxy Settings • Manual: Enter the IP address of the proxy server.
• Auto: Enter the Auto Config URL.
Certificate
Policy Description
Select a certification category.
• Root: Select a certificate to use. Among the certificates registered in

Advanced > Certificate > External Certificate, those with the Purpose
set as CA Cert and Type set as Root will appear on the list.
Certificate category • User: Select a certificate to use. Among the certificates registered in
Advanced > Certificate > External Certificate, those with the Type set as
• Server: Select a certificate to use. Among the certificates registered in
Advanced > Certificate > External Certificate, those with the Type set as
Server will appear on the list.
Profile 356
Applying configurations automatically (Android only)
If you configured device settings for a profile, then the settings can be applied automatically on
the device without user action. If two or more values have been configured for the same category
on a device, then the user must select a category and apply the settings manually, except for Wi-Fi
settings. However, the bookmark settings cannot be applied automatically if the Installation area field
is set to Shortcut.
Refer to the following table for an example:
Category Value Application type
A
Wi-Fi
B Auto application
VPN C
D
Exchange Manual application
F
Device settings can be applied automatically once Knox Manage is activated and the policies are
applied. After the application is complete, you can see the results in a notification message.
Preparations
To apply configurations automatically, do the following:
• When using certificates and VPN settings in the Wi-Fi 802.1xEAP framework, install Credential
Storage (CS) so that trusted certificates can be stored in advance. CS installation means locking
the screen using an option more secure than a password.
• For the Knox VPN setting, install the Vendor Client in advance.
• For the Email and Exchange settings, install the Samsung Email application and agree to receive
notifications from the Email application (Galaxy S8 or higher).
• For the Knox workspace, install the VPN Vendor Client in the general area.
Profile 357
Restrictions
In the following cases, manual intervention is still required even configurations are applied
automatically.
• A Wi-Fi connection needs to be established in the device settings since devices cannot connect to
a Wi-Fi AP automatically.
• To connect a tunnel after installing a VPN or Knox VPN, it must be enabled manually.
• If the user deletes the auto-applied configuration, the deleted configuration is automatically
reapplied when the device is manually rebooted or restarted.
Categories of auto application

Configurations applied automatically can be categorized into Cases A, B, and C:
Category Description Application order
Settings that can be applied and updated

immediately after Knox Manage is activated and
policies are applied.
• Application and updates can be performed

automatically in the Knox Workspace area once
it is created and policies are applied.
• The Email and Exchange settings require
installation of the Samsung Email application.
• For Wi-Fi 802.1xEAP, select PEAP in the EAP
Methods, which is an authentication protocol, to
prevent the usage of certificates. The user does APN > Bookmark > Wi-Fi >
Case A
not need to select a screen lock type and add it Exchange > Email
when auto-installing Wi-Fi settings, because this
doesn’t require installation of Credential Storage
(CS).
• Auto application of the Bookmark settings
is supported on devices running Android 6.0
(Marshmallow) or Android 7.0 (Nougat), and
only when the Installation area field is set to
Bookmark. However, the Bookmark settings
cannot be applied automatically on Android
Enterprise devices.
Profile 358
Category Description Application order
Settings that can be applied or updated once

a screen lock password is set and additional
applications or certifications are installed.
• If no screen lock password has been set,

Case B configurations will not be applied automatically Wi-Fi > VPN > Knox VPN
and a notification message for setting the screen
lock password will appear instead. Tap Set
password on the notification message to open
the settings screen of the device.
Settings that must be applied manually by the user

Case C
from Knox Manage.
Note If you set up Exchange with a certificate, it will be categorized as Case B because it requires
certificate installation.
For more information, see the table below:
Additional
Android CS
Settings Knox application Automation
enrollment Type installation
category Workspace installation category
type required
required
None X X Case A
WEP X X Case A
Fully WPA/WPA2-
managed/ X X Case A
PSK
Wi-Fi Legacy G
Case A (When
X X a certificate is
802.1xEAP not in use)
Legacy O X Case B
Case A
Exchange Case B (When
Legacy G/K N/A X O
ActiveSync a certificate is
in use)
Email Legacy G/K N/A X O Case A
Certificate Legacy G N/A O X Case B
Fully
APN managed/ G N/A X X Case A
Legacy
Profile 359
Additional
Android CS
Settings Knox application Automation
enrollment Type installation
category Workspace installation category
type required
required
Fully
G N/A X X Case C
Bookmark managed
Legacy G/K N/A X X Case A
G PPTP O X Case B
P2TP/IPSec
G O X Case B
PSK
P2TP/IPSec
G O X Case B
RSA
VPN Legacy IPSec Xauth
G O X Case B
PSK
IPS ec
G O X Case B
Xauth RSA
IPSe c
G O X Case B
Hybrid RSA
G/K Cisco X O Case C
K F5 X O Case B
Case B
Knox VPN Legacy (When a
K Juniper X O certificate is
not in use, auto
application is
not supported.)
SSO Legacy G/K N/A X O Case C
Profile 360
Assigning and applying profiles
Assign a profile to a group or an organization. You must assign a profile before applying the policies
that are configured for it.
When multiple profiles are assigned to the same group or organization and there is a conflict within
the policies between the profiles, the latest assigned/applied profile has priority. Policies from
multiple profiles will be applied if they do not conflict with each other. If a device belongs to a group
and an organization at the same time, the policies of the profiles applied to the group have priority.
You have to apply a profile to a group or an organization after assigning it. You must apply a profile
to devices so that the profile policies can take effect. Profiles can be applied immediately or at a
specific time.
Assigning to groups
To assign a profile to a group, complete the following steps:
You can also assign a profile from the group list by navigating to Groups and selecting a group to
assign. For more information, see Assigning and applying profiles to groups.
2. On the “Profile” page, click the checkbox for a profile to be assigned.
3. Click Assign.
4. On the “Assign Profile” page, click Group.
5. Click the checkboxes for groups to be assigned with the selected profile.
• You can select multiple groups.

• If a group has already been assigned a profile and it is assigned to another profile, you can
preview the conflicting policies from the two profiles by clicking Preview Policy.
6. Click Assign & Apply to assign and apply the profile to the selected groups at the same time.
• Click Assign to assign the profile to the selected groups and not to apply the profile now.
7. In the “Assign Profile” window, click OK.
Profile 361
Assigning to organizations
To assign a profile to an organization, complete the following steps:
You can also assign a profile from the organization list by navigating to Organization and selecting
an organization to assign. For more information, see Assigning applications to organizations.
2. On the “Profile” page, click the checkbox for a profile to be assigned.
3. Click Assign.
4. On the “Assign Profile” page, click Organization.
5. Click the checkboxes for organizations to be assigned with the selected profile.
• You can select multiple organizations.

• If an organization has already been assigned a profile and it is assigned to another profile, you
can preview the conflicting policies from the two profiles by clicking Preview Policy.
• When a profile is assigned to an organization that has sub-organizations, the profile will be
applied to all the sub-organizations.
• If a sub-organization has not been assigned a profile, the profile of the super organization will
be inherited, but the inherited profile can be overwritten with a new profile.
• If a sub-organization has been assigned its own profile, then the profile of the super-
organization will not be inherited.
6. Click Assign & Apply to assign and apply the profile to the selected organizations at the same
time.
• Click Assign to assign the profile to the selected organizations and not apply the profile now.
7. In the “Assign Profile” window, click OK.
Note Sub-administrators who only have the Profile Managing Permission cannot assign or apply
profiles to organizations. In order for sub-administrators to be able to assign or apply profiles to
organizations, they need to be given both the Org and Profile Managing Permissions. For more
information, see Adding an organization.
Profile 362
Managing profiles on the list
Manage profiles from the profiles list. You can manage applications by package name or set up
profile priorities.
Managing applications for specific purposes

You can add applications by package name to control them in a blacklist or whitelist.
To add applications, complete the following steps:
2. Click Manage Control App.
3. In the “Manage Control App” window, click Add.
4. In the “Add Control App” window, enter the following information. Available items vary depending
on the platform.
• Platform: Select a platform.

• Package Name: Enter the application package name.
• Bundle ID: The retrieved bundle ID for the application is displayed.
• Bundle Name: The retrieved bundle name is displayed. If there is no value, “-“ is displayed.
• Publisher: Enter the application publisher.
• Application Name: Enter the application name.
• Preload App: Select whether to set the application as a preloaded application.
5. Click Save.
To modify applications, complete the following steps:
3. In the “Manage Control App” window, select an application name to modify, and then click Modify.
4. In the “Modify Control App” window, modify the information.
5. Click Save.
Profile 363
To delete applications, complete the following steps:
3. In the “Manage Control App” window, select an application name to delete, and then click Delete.
4. In the “Delete Application” window, click Save.
Setting up the profile priorities

Set up the profile priorities for when multiple profiles are being applied to the same group or
organization.
To set up priorities, complete the following steps:
2. On the “Profile” page, click Manage Priority.
3. In the “Manage Priority” window, click a profile to change the priority order.
4. Click or to change the priority order of the selected profile.
5. Click Save & Apply to save the changes and apply the changed profile to the devices.
• Click Save to save the changes and not apply the profile now.
• Click Preview to view the groups or organizations affected by the changed profile.
6. In the “Save Priority” or “Save Priority & Apply” window, click OK.
Profile 364
Modifying profiles in detail
Modify the policies in a profile currently being applied to devices. You can also modify other
information, such as conditions that are set for certain profiles.
Note Sub-administrators who only have the profile managing permission can only modify profiles that
they have created or ones already assigned to them. If you are a super administrator and wish to
assign profiles to sub-administrators, then see Adding an organization for more information.
To modify the profile information, complete the following steps:
2. On the “Profile” page, click the name of a profile to modify.
3. On the “Profile Detail” page, click Modify Profile Info.
4. On the “Modify Profile” page, modify the existing information if necessary.
5. Click Save & Set Policy to save the information and to proceed with configuring the profile in
detail.
To modify the profile policies, complete the following steps:
2. On the “Profile” page, click the name of a profile to modify.
3. On the “Profile Detail” page, click Modify Policy.
4. On the “Set Policy” page, configure the policies. For more information, see Configuring policies by
device platform.
5. Click Save & Assign to save the information and to proceed with assigning the policies to devices.
• Click Save to only save the information.
Profile 365
Setting the profile update schedule
You can set the schedule to update the latest policy applied to user devices on a regular basis.
To set the policy update schedule, complete the following steps:
1. Navigate to Setting > Configuration > Profile Update Schedule.
2. Click next to Profile Update Schedule to enable the scheduler feature.
3. Select a target type.
• Global Setting: All profiles will be updated according to the schedule.

• Set by Group / Organization: You can configure multiple schedules and select groups or
organizations for each schedule setting.
4. Select days and set start time, and time zone.
• Select groups or organizations for each schedule setting if you selected the group/organization
target type.
• The policy update time may vary depending on the time and time zone of the user device.
Profile 366
Collecting device location information
You can collect location data from devices on a regular basis.
The time in the collected location data is based on the device time. It may vary depending on the time
and time zone of the device.
To set the location collection policy for Android Enterprise and Android Legacy devices, complete the
following steps:
2. On the “Profile” page, click the name of the profile to configure the policy for.
3. On the “Profile Detail” page, click the “Policy” tab.
4. Click Modify Policy at the bottom of the page.
5. On the “Set Policy” page, navigate to the Location group of each device platform.
6. Set Report device location to Allow, User consent, or Disallow.
• Location data is collected from the device only when you allow it.
• When User consent is selected, the user should agree to permit data collection in the window
on the device. This window appears only once after the device is enrolled or the profile is
applied for the first time.
• This policy holds a higher priority than the GPS policy and the Collect current location
command. That is, when this policy is set to Disallow, either the device command is sent or
location data is not collected, even if the GPS policy is set to Allow or Disable on.
7. Set the data collection interval and accuracy mode.
• Report device location interval: Set the interval at which location data should be collected from
the user’s device. For example, if you set the interval to 30 minutes, location data is collected
from the device every 30 minutes after a profile is applied to the device.
• High Accuracy Mode: Enable this mode to improve the accuracy of collected location data.
When you enabled this mode, locations are detected using GPS and Wi-Fi and mobile networks.
When you disable it, the locating method that the user has specified on the device is used
instead.
–– For devices with Android 10 (Q) or higher, the user must agree to the notification on the
status bar that asks for permission to use location data.
–– When collecting location data by sending a device command, the locating method differs
depending on whether the High Accuracy Mode is in use.
8. Click Save.
Profile 367
8
Kiosk
Kiosk
Knox Manage provides Kiosk mode to efficiently manage devices for special purposes. With the Knox
Manage Kiosk feature, you can control the range of usability for end users by configuring limited
policies and applications. Depending on your use cases, you can configure different types of Kiosk
modes, such as Single App Kiosk, Multi App Kiosk, or Kiosk Browser. This allows you to manage the
Kiosk devices to fit your specialized needs.
Admin Portal User Devices
(e.g:Multi App Kiosk using Kiosk Wizard)
Create and
deploy an APK file
for the Kiosk screen
Single App Kiosk Training site

Multi App Kiosk Hotel
Kiosk Browser Restaurant
→→ Introduction
→→ Creating a Single App Kiosk
→→ Creating a Multi App Kiosk
→→ Exploring Kiosk Wizard
→→ Using the Kiosk Browser
→→ Deploying Kiosk mode on a device
Kiosk 369
Introduction
The Kiosk runs only in Legacy (Android) or Android Enterprise devices. When Kiosk mode is applied,
it is operated only in the configuration set by the administrator on the home screen of the device, and
the user cannot use it for a different purpose.
You can configure policies and applications to deploy on the device in Kiosk mode. When developing
an application that runs in Kiosk mode, it is recommended that you design it to run in full screen.
Strengths of Knox Manage Kiosk

In Knox Manage, you can utilize different types of Kiosk features, such as Single App Kiosk, Multi App
Kiosk, and Kiosk Browser.
Moreover, Knox Manage provides the Kiosk Wizard for Multi App Kiosk with intuitive and user-friendly
UI.
Note The web browser for Kiosk Browser is provided by Knox Manage by default.
The advantages of Knox Manage Kiosk are as follows:
• Conveniently deploy different types of applications on the Kiosk at the same time.
• Utilize diverse features, such as wallpaper, orientation, and icon setting.
• Disable Kiosk mode easily to manage the device quickly.
• Efficiently manage the device settings, such as Wi-Fi and Bluetooth.
Kiosk 370
Kiosk types
Kiosk types available in Knox Manage are as follows:
• Single App Kiosk: Kiosk mode with a single app only

• Multi App Kiosk: Kiosk mode with multiple apps that can be easily configured by Kiosk Wizard
• Kiosk Browser: A web browser for running only specific URLs for a special purpose
Supported environment
Kiosk mode is only available for Android OS.
Non-Samsung
Samsung Android
Samsung Android Non-Samsung Android
Enterprise Fully
Legacy Android Legacy Enterprise Fully
Managed Device
Managed Device
Single-app kiosk Single-app kiosk

Multi-app kiosk
Android 6.0 ~ 8.0 Multi-app kiosk Multi-app kiosk Not supported
Kiosk Browser
Kiosk Browser Kiosk Browser
Single-app kiosk Single-app kiosk Single-app kiosk

Android 9.0 or
Multi-app kiosk Multi-app kiosk Not supported Multi-app kiosk
Higher
Kiosk Browser Kiosk Browser Kiosk Browser
Note Knox Manage provides Single-app Kiosk with google managed apps for Android Enterprise
devices with version 9.0(Pie) or higher.
Kiosk 371
Kiosk Wizard operating environment
To run the Kiosk Wizard successfully, you need a PC or a laptop that meets specifications stated
below:
• CPU: i5, 2.X GHz or higher

• Memory: 4G or more
• HDD: 500G or more
• OS: Windows 7 or above
Basic functions in a Kiosk menu

The following functions are provided in Kiosk in the Admin Portal.
• Add: You can create a new Kiosk by selecting between Multiple App Kiosk and Single App Kiosk.
To create a single app Kiosk: See Creating a Single App Kiosk.
To create a multi app Kiosk: See Creating a Multi App Kiosk.
• Modify: You can modify an existing Kiosk.

• Copy: You can copy a multi app Kiosk and create a new Kiosk. A single app Kiosk does not support
the copy function.
For more information, see Creating a Kiosk application by copying a Multi App Kiosk.
• Delete: You can delete the selected Kiosk.

• Apply: Apply the selected Kiosk to the devices where the Kiosk policy is assigned.
Kiosk 372
Creating a Single App Kiosk
Create a Single App Kiosk by uploading a single APK file can be run in the Kiosk.
To convert an APK file into a Kiosk application, follow the steps below:
1. Navigate to Kiosk.
2. Click Add and click Single App Kiosk.
• Application File: Click to select an APK file. When the file is registered, platform, version and
package name are automatically entered.
–– Only Android applications are supported.
• Name: Enter name for the Kiosk.

• Integrity Validation: Select whether you want to validate the integrity of data with a cyclic
redundancy check (CRC). A CRC determines the check value used to ensure that there are no
errors in data sent through a network, and sends it along with the data.
3. Click Save.
Note When you register an application as a single app kiosk, Knox Manage AppWrapping might affect
your app signing key.
If your apk is dependent on an app signing key, please revise the AndroidManifest.xml file as
below and rebuild your apk.
1. Check whether it has category.HOME and category.DEFAULT. If not, please add it.
2. Add android:lockTaskMode configuration as below:
<activity
android:name=”.MainActivity”
android:lockTaskMode=”if_whitelisted”>

</activity>
3. Rebuild the apk and try to register as a single kiosk app.
Kiosk 373
Creating a Multi App Kiosk
Create a Multiple Application Kiosks using the Kiosk Wizard. You can configure the multi-app kiosk
with various applications and utilities as follows:
• Utility: Folder, Banner, Text, Calendar, Cock, Bookmark, Dialer, and Content.
You can also configure the Kiosk by setting a policy in the profile. For more information, see
Configuring profile policy.
Creating a Multi App Kiosk

To launch the Kiosk Wizard and create a new multi app Kiosk, follow the steps below:
2. Click Add and select Multiple App Kiosk.
3. Configure the Kiosk launcher using Kiosk Wizard in “Add Kiosk“ window.
• For details about each Kiosk Wizard component, see Exploring Kiosk Wizard.
4. Click Save to generate an APK file.
Kiosk 374
Creating a Kiosk application by copying a Multi App Kiosk
You can create a new Kiosk application by copying an existing Kiosk application. Kiosk copy is only
available for multiple application Kiosk.
To copy Kiosk application, follow the steps below:
2. Select a multi-app kiosk to copy from the list and click Copy.
3. Enter information in “Copy Kiosk“ window.
• You can modify the same information as you create a new multi-app Kiosk.
4. Click Save.
Configuring a Kiosk in a Profile

You can create a Kiosk when you set a Kiosk policy in the Profile menu.
To create a Kiosk in the Profile menu, follow the steps below:
2. Click Add to create a new profile.
3. On the “Add Profile” page, enter the required information, including Name and Platform, and then
click Save & Set Policy.
Note Kiosk policies are only available for Android Enterprise and Android Legacy platforms.
4. On the “Set Policy” page, click Kiosk under Android Enterprise or Android (Legacy).
5. Select a Kiosk type between Single app, and Multi app to create in Kiosk app settings.
6. Click Add to create a new Kiosk. If you want to configure the existing kiosks, click Select and
choose from the list of already registered Kiosks in the Kiosk menu.
7. Create a Kiosk in the “Add Kiosk” window and click Save.
8. Click Save or Save & Assign to apply the policy to the devices.
Kiosk 375
Exploring Kiosk Wizard
The Kiosk Wizard is an interface that enables an administrator to create a multi app Kiosk. Knox
Manage provides the Kiosk Wizard to help clients utilize Kiosk in a variety of work environments
without needing to purchase an additional Kiosk launcher or develop one.
Using the Kiosk Wizard, you can deploy various types of applications in Kiosk mode. Moreover, Knox
Manage provides diverse features, such as Bookmark and Clock, to be configured in devices using
Kiosk mode.
The Kiosk Wizard composition is as follows.
• Kiosk Settings: Basic and advanced settings for customizing Kiosks

• Preview: Preview screen of the device in Kiosk mode
• Component: Utilities and applications that can be added
Kiosk 376
Kiosk Settings
Configurable items are shown below:
• Name: Enter the name of the Kiosk.

• Package Name: Kiosk package name will be generated automatically.
• Orientation & Grid: Select between Landscape, Portrait, and Auto rotate for the Kiosk orientation
mode, and select a Grid setting.
• Background Color: If there is any space other than the Kiosk background image, it is filled with
black or white.
• Wallpaper: Upload an image to use as the Kiosk wallpaper. Click the box to add the wallpaper
image. You can upload up to 5 images. Then, click the gray box area in the “Add Wallpaper Image”
window.
–– Keep Original Size: Check to use the original size of the image.
–– Random Play: Check to show the registered wallpapers in random order.
• Screen Composition: You can add a status bar and logo on a customized Kiosk device.
–– When adding a logo, click Logo on the Preview screen. You can add an image via the “Add Logo
Image” window.
• Exit Kiosk Mode: You can configure the user-end actions to unenroll the Kiosk device. This touch
action can be used when the device is offline.
• Icon Size: Icon size can be adjusted from 50% to 100%

• Screen Lock: Select the screen lock options for a Kiosk device. You can set the screen lock
password for Kiosk mode, and you must deploy the policy if you want to change the password.
Kiosk 377
• Icon Text: Choose whether to show or hide the icon text. If you select Show, you can also configure
the style, such as the font color and shadow options.
• Rearrange: Check to allow users to rearrange icons on the device.

• Point Color: Set the color to be applied to the icons and page indicator in the launcher.
• Device Setting: Click Select to configure the device settings to be used in Kiosk mode.
–– You can select all items or select each item to be allowed in the “Select Device Setting” window.
• Page Rotation: Choose whether to allow users to return to the first page from the last page of
Kiosk mode.
• Effect: Select an effect for turning page.

–– Slide, Card, Box, Bulldoze and Corner
Kiosk Preview
You can preview Kiosk mode by dragging and dropping the components to the preview screen with
the configured settings.
• + / X: Click + to add page, or x to delete page. You can add up to 9 pages.
Kiosk 378
Kiosk components
Kiosk components consist of Utility, Internal applications, Public applications, and Control
applications. You can easily drag and drop components on the Preview screen for the customized
Kiosk layout.
• Folder: Knox Manage applications can be managed with Folders.

–– The name of folders can be modified. When there are applications in the folder, thumbnails
of the applications are shown. Double click the folder to add, delete, or move the applications
inside.
• Banner, Text, Calendar, and Clock: Drag and drop items on the preview screen, and configure
details from the pop-up window.
–– The Text component can be customized in the “Add Text” window, you can configure settings
such as the Text content, ratio, and text style.
–– The Banner component can be customized in the “Add Banner” window, you can configure
settings such as the ratio, image, and URL.
–– The Calendar component can be customized in the “add Calendar” window, you can configure
settings such as the ratio, widget style, and text color.
–– The Clock component can be customized in the “Add Clock” window, you can configure the
widget style, text color, and time format.
• Bookmark: You can configure the bookmark to use a specific URL. You can configure the icon
image of the bookmark, name, and URL.
• Dialer: The Dialer component is used for the call feature on the kiosk device.
• Content: The Content component is used so that device users can directly view content distributed
from the admin console.
Note For Fully Managed devices (Android 9.0 Pie or higher), the viewer applications for the
corresponding content must also be added to open the content.
• Applications: Choose applications to allow users to use in the Kiosk. You can search with
application category such as Internal, Public and Control.
Drag and drop the application to add to the preview screen. When you hover your mouse over
applications, you can find app name, version, and package name.
Note Maximum length of URL in Bookmark, Text, and Banner is 300 characters including special
characters.
Kiosk 379
Allowing device settings
You can allow users to change the kiosk device’s settings, such as Wi-Fi, Location, Bluetooth, Display,
NFC, Lock Screen, Mobile Data, Volume, Device Maintenance, and Mobile Networks.
For tablets, the setting items, such as Bluetooth, NFC, Mobile Data, and Location, can be accessed
even if the administrator has not allowed the Settings of the device to be changed. For tablet devices
with Android 9.0 or a higher version, all items of settings cannot be accessible if the administrator
has not allowed the Settings to the device.
Users can tap i in the bottom left corner of the Home screen, tap Settings in the Kiosk Launcher
details pop-up window, and then open the Settings screen.
To allow users to change the kiosk device’s settings, follow the steps below:
1. Click Select Settings in the top menu.
2. Choose the settings that you wish to allow in the ”Device Settings” window.
• Click the Select all to select all settings. If you click individual setting, the Select all becomes
disabled automatically.
• Any settings that are not supported by the device can’t be configured, even if you allow them.
3. Click Save.
Kiosk 380
Using the Kiosk Browser
Kiosk Browser is a kiosk application specifically designed to function as a secure browser that can
only open the URL specified in the policy.
To configure Kiosk Browser, you have to configure the Kiosk policy. For more information about these
policies, see Kiosk.
Specifying the URL for Kiosk Browser

To add the URL that Kiosk Browser should connect to, follow the steps below:
2. In the list, click the name of the profile to which you are trying to add a policy.
3. On the “Profile Detail” page, click Modify Policy in the footer.
5. Set Kiosk app settings to Kiosk Browser.
6. Enter values into the fields in the Kiosk Browser settings. For more information about available
Kiosk browser settings, see Kiosk for Android Enterprise devices and Kiosk for Android Legacy
devices.
• Default URL: Enter the URL of the default webpage that should be called when Kiosk Browser is
launched. You can enter the URL up to 128 bytes including alphanumeric characters and some
special characters (_,., -, *, /).
• Screen Saver: Configure the Screensaver settings to protect the screen when it is inactive for
the maximum inactive session time.
7. Click Save.
8. To deploy the policy, click Apply on the “Profile Detail” page.
• The updated Kiosk Browser policy will be applied to the devices that were assigned to the
profile.
9. When the confirmation message appears, click OK.
Kiosk 381
Deploying Kiosk mode on a device
You can deploy Kiosk mode on the enrolled devices as follows:
• Using device command: You can send the Install or Update App device command to devices to
deploy Kiosk mode. For more information, see Sending device commands.
• Using profile policy: You can configure the policy to deploy Kiosk mode to devices. For more
information, see Configuring profile policy.
Sending device commands

You can deploy Kiosk mode by sending the device command to the devices enrolled as Android
Enterprise/Legacy, follow the steps below:
2. Select the devices to deploy Kiosk mode to, and click Device Command.
3. In the “Device Command” window, click Application > Install or Update App.
4. In the “Request Command” window, select the Kiosk application registered in the Kiosk menu and
click OK.
Kiosk 382
Configuring profile policy
You can deploy Kiosk mode by configuring a profile policy and applying it to devices. When you
deploy the Kiosk by profile, you can directly configure the Kiosk types from the policy.
To configure the Kiosk in the profile, follow the steps below:
2. On the “Profile” page, click a profile name to add the Kiosk policy to.
3. On the “Profile Detail” page, click Modify Policy in the footer.
5. Set Kiosk app settings to Single app, Multi app, or Kiosk Browser.
6. Configure the profile details by Kiosk type. For more information about applicable policies, see
Kiosk for Android Enterprise devices and Kiosk for Android Legacy devices.
7. Click Save & Assign to save the information and to proceed with assigning the policies to devices.
• Click Save to only save the information.

• The Kiosk set in the policy will be automatically installed. If the Kiosk policy is deleted, the
Kiosk device will be automatically unenrolled.
Exiting Kiosk mode

When a device on which a multi app Kiosk is running cannot be controlled because it has lost the
connection with the server, the user can exit Kiosk mode with a pre-defined touch action configured
when you create the multi app Kiosk in Kiosk Wizard. Please be aware that this action will cause
unenrollment from Knox Manage. For more information about exiting the Kiosk mode, see Kiosk
Settings.
Moreover, for a device with a connection to a server, you can send a device command to exit Kiosk
which enables the device to exit the Kiosk mode and be managed in the normal mode. To restore the
device back to Kiosk mode, you must apply the profile again. For more information about sending a
device command, see Sending device commands to devices.
Kiosk 383
9
Remote Support
Remote Support
Control devices using Remote Support. It provides improved network service by dynamically
changing the data size according to the network conditions using the QoS method and sending data
to devices.
Remote Support Viewer Remote Support App
Firewall
The following components are required to use Remote Support:
• Remote Support Viewer (RS Viewer)

Shows the user’s device screen on an administrator’s computer.
• Remote Support Application (RS App)

Receives remote support on the user’s device.
→→ Before Using Remote Support

→→ Installing the RS Viewer
→→ Controlling devices with the RS Viewer
→→ Controlling devices in Knox Manage
Remote Support 385

Before Using Remote Support
Check the download sources, supported OS/platform, and firewall settings before using Remote
Support.
Supported platforms
Install the RS Viewer to the administrator’s computer and the RS app to the device from the following
sources:
Component Download source Supported OS version Supported platform
Remote Support
Knox Manage Admin Portal Microsoft Windows 7
Viewer (RS
(hereinafter Admin Portal) or higher
Viewer)
Android Legacy O
Knox O
• Knox Manage Admin
Portal (hereinafter Admin Android Enterprise
O
Remote Support Portal) Fully Managed
Android 5.0 (Lollipop)
Application (RS
App)
• Google Play or higher Android Enterprise
X
• Service Desk menu of the Work Profile
Knox Manage Agent. Android Enterprise
Fully Managed with X
Work Profile
Note • To receive support in Knox Workspace, the RS app should be installed in the General area of
the device. Also, you should enable the Allow RemoteControl policy of Knox Workspace on the
Admin Portal. To do so, navigate to Profiles, select a profile name for Knox Workspace, click
Modify Policy > Knox > System, and set Allow RemoteControl to Allow.
• The RS Viewer sends an access code for Remote Support via push service to enrolled devices
via push service. For unenrolled devices, the administrator should directly deliver the access
code by SMS or a phone call.
• The RS app should be installed in the general area and cannot be installed in the Work Profile
area. For Android Enterprise Work Profile devices or Fully Managed with Work Profile devices,
only the general area can be supported.
• For non-Samsung devices, several features, such as the Home, left/right controls, screen
rotation buttons, and touch controls, are not available while using Remote Support. Devices
should be controlled by the user.
• Download and install the latest versions of the RS Viewer and the RS app.
Remote Support 386

Disabling the firewall
Disable the firewall for domains and ports for the administrator’s computer, Remote Support server,
and TMS & CRS server.
The relevant servers are set up for each region (Asia, US, EU) as shown below:
Server Region Domain IP Port
Asia ap-rs.manage.samsungknox.com 52.76.170.118

Remote Support
US us-rs.manage.samsungknox.com 34.213.113.19 8118
server
EU eu-rs.manage.samsungknox.com 52.50.15.50
CRS crs.manage.samsungknox.com
Asia tms-ap.manage.samsungknox.com
TMS & CRS server N/A 443
US tms-us.manage.samsungknox.com
EU tms-eu.manage.samsungknox.com
Installing the RS Viewer

Download and install the latest version of the RS Viewer.
To install the RS Viewer, complete the following steps:
1. On the Admin Portal, click Download > Remote Support Viewer (Admin) and download the RS
Viewer installation file.
2. Run the downloaded file on the computer.
3. Select the language to install and click OK.
4. Click Next when the InstallShield Wizard starts.
5. Read the End User License Agreement carefully, select I accept the terms in the license
agreement, and click Next.
6. Set a folder to install the RS Viewer.
• Click Change to set a new path and click Next.

7. Click Install.
Remote Support 387

8. Once the installation is completed, click Finish.
• The Remote Support icon will be created on the computer.
Controlling devices with the RS Viewer

To control the user’s devices remotely with the RS Viewer from the computer, complete the following
steps:
1. Instruct the device user to install the latest version of the RS App.
2. Launch the RS Viewer from your computer.
3. To configure the environments of the RS Viewer, click at the top of the screen.
• Proxy Server enabled: If the administrator’s computer uses a proxy server, specify the use of
the proxy server, its IP address, and port number. Even if you do not set a proxy server, the proxy
server will be automatically detected and set.
Remote Support 388

• Transfer Quality: If Auto (the default value is Auto; you can select 30%, 50%, or 100%) is
selected, dynamically sized data can be transferred using the QoS method according to the
network condition, thus improving the network’s data transfer quality. The response time may
slow down as the transfer quality improves.
• Screen Capture Path: Click and specify the location to save captured screenshots.
• Recording Path: Click and specify the location to save video files.
4. Enter your ID and password for the Admin Portal, and click Connect.
5. Conduct remote service to the user’s device with the RS Viewer. For more information about the
functions of the RS Viewer, see Using the functions of the RS Viewer.
6. Stop Remote Support by tapping End on the device screen or clicking X in the upper-right corner of
the RS Viewer.
• You can click Disconnect on the RS Viewer only to disconnect the connection with the device
and not close the RS Viewer.
Using the functions of the RS Viewer

When a connection between the RS Viewer and the RS app is successfully established, the user’s
device screen will appear on the RS Viewer. The Menu button and the Previous button will start
functioning just like the features on the device. The Volume buttons on the left side and the Power
button on the right side will also start functioning. If the device’s screen is locked, you can unlock the
screen by clicking the Home button in the RS Viewer.
The Remote Support service provides the following functions:
Rotating the device screen

To change the orientation of the device’s screen to landscape or portrait mode, click in the upper-
right corner of the screen. The device’s screen will not rotate when the Home screen or the currently
running application does not support the screen rotation feature.
Capturing the device screen

Click in the upper-left corner of the screen to capture the device screen. Captured files are saved
in JPEG format and contain an administrator ID and a watermark.
Note You cannot capture device screens that application developers have designated as secure using
the Android WindowManager FLAG_SECURE setting. For more information, see https://seap.
samsung.com/content/important-notice-changes-knox-remote-control.
Remote Support 389

Recording the device screen
You can record the device’s screen and save the recording as a video file to find out if errors are
occurring on the device.
Note • Recorded videos are saved in AVI format and contain an administrator ID and a watermark.
• Up to 10 minutes of video can be recorded.
• The QoS function is not available while recording a video.
• If the maximum recording time is exceeded, a notification pop-up will appear and the recording
will stop.
To record the device screen, complete the following steps:
1. Click at the top of the screen.
2. Click Start to start recording a video.
• The recording time will be displayed at the bottom of the pop-up message, and the user will be
notified that the screen is being recorded through a notification on the device screen.
3. Click Stop to pause the recording or click Resume to restart the recording.
4. Click Stop to finish the recording
Transferring files
You can transfer files, such as log files, from a device to the administrator’s computer to check the
condition of the device. Files can also be transferred from the administrator’s computer to the device.
Note • Up to 200 MB of files can be transferred at a time.

• Transferred files are saved in the Download folder of the device’s internal storage and in the
Remote Support folder on the desktop screen of the computer.
To transfer files from the device to the computer, complete the following steps:
1. Click in the upper-right corner of the screen.
2. In the file browser, tap and hold on a file or folder to access the file selection mode.
3. Click the checkboxes for the files to transfer.
• You can also select a folder to transfer all the files in it.
4. Click File Transfer.
• To cancel the file transfer, click Cancel on the “File Transfer” window.
Remote Support 390

To transfer files from the computer to the device, drag files from the computer and drop them onto
the screen of the RS Viewer.
To cancel the file transfer, click Cancel in the “File Transfer” window.
Controlling devices in Knox Manage

To control the user’s devices remotely with the RS Viewer from the Admin Portal, complete the
following steps:
2. On the “Device” page, click the checkbox for the device you want to control.
3. Click Remote Support.
4. In the “Remote Support” window, complete the following steps according to the device type:
• For Android Enterprise Work Profile devices or unenrolled devices, select the country code and
enter the device phone number to send the access code.
• For enrolled devices, click an execution type that you want to use to start the RS app installed
on the user’s device.
–– Allowed by User: Runs the RS app only when the user has allowed the application to be
forcibly run.
–– Force Run: Run the RS app forcibly, regardless of whether the user has allowed forced
running of the application.
5. Click Run.
6. Instruct the user to enter the access code on the device.
7. Conduct remote service to the user’s device with the RS Viewer. For more information about the
functions of the RS Viewer, see Using the functions of the RS Viewer.
8. Stop Remote Support by tapping End on the device screen or clicking X in the upper-right corner
of the RS Viewer.
• You can click Disconnect on the RS Viewer only to disconnect the connection with the device
and not close the RS Viewer.
• When Remote Support ends, the elapsed hours will appear in the RS Viewer and on your device.
Remote Support 391

10
Advanced
Advanced
Knox Manage provides you with more advanced features on the Admin Portal:
Enterprise-Firmware Over The Air (E-FOTA) service
E-FOTA service allows you to manage and configure firmware updates on Samsung devices running
Android 7.0 Nougat or higher.
Certificates for applications
External certificates can be added for the different purposes and types on Knox Manage to use
network services such as Wi-Fi, VPN, Exchange, and APNs.
Directory server
Knox Manage provides the Active Directory (AD) service that is built upon the industry-standard
Lightweight Directory Access Protocol (LDAP) to access intra-enterprise data by integrating
corporate’s directory server.
Open API
Open API supports the development of Knox Manage functions, such as providing access to
the Knox Manage server, securing the authentication, and easily customizing the application
programming and services.
Samsung Knox Manage Cloud Connector (SCC)
SCC allows you to connect the user information in the client’s Active Directory/LDAP server and the
certificate information in the CA server with the user’s device, and thus use them safely.
Mobile Admin
Knox Manage’s Mobile Admin enables you to conveniently view the service history in a mobile
environment and provides essential device management features, helping you to improve productivity
at work.
Mail server
Mail servers, such as Microsoft Exchange Server or Office 365, can be integrated and used through
Knox Manage on the user’s device.
Advanced 393
→→ Managing Enterprise-Firmware Over The Air (E-FOTA)

→→ Managing Certificates
→→ Integrating a directory server
→→ Setting a directory connector
→→ Managing Open API
→→ Using Cloud Connector
→→ Using Mobile Admin
→→ Configuring the Exchange server
Advanced 394
Managing Enterprise-Firmware Over The
Air (E-FOTA)
Knox Manage supports an Enterprise-Firmware Over The Air (E-FOTA) service that allows you to
manage and configure firmware updates on Samsung devices running Android 7.0 Nougat or higher.
To use the E-FOTA service, you should register the E-FOTA license in the Knox Manage Admin Portal.
Once you have registered the E-FOTA license in the Knox Manage Admin Portal, the E-FOTA groups
organized by device model and carrier are created automatically. You can assign desired devices that
need to be updated to an E-FOTA group and update them with the desired firmware version.
Note If you want to use Knox E-FOTA Advanced on Android Enterprise devices, navigate to Profile
> Samsung Knox (Android Enterprise) > System and add Knox E-FOTA Advanced apk(com.
samsung.android.knox.efota) in the Whitelisted Device Admin policy and apply a profile.
Viewing the E-FOTA group list

Once you have registered an E-FOTA license in the Knox Manage Admin Portal, E-FOTA groups
organized by device model and carrier are created automatically. Navigate to Advanced > E-FOTA
Management to view all the E-FOTA group information on the ”E-FOTA Management” page. You can
also perform the following actions on this page.
Icon Description
E-FOTA Group Update Update the E-FOTA group information.
Search for a specific group for the entered group model name or carrier
Search code.
Assign devices to the E-FOTA group for firmware updates. For more
Assign Device information, see Assigning devices to an E-FOTA group for firmware
updates.
Select the firmware update type and specify the firmware version. For
Firmware update setting more information, see Modifying the firmware update configurations.
Update status per device View the firmware update status for each device in the E-FOTA group.
View the change histories of the E-FOTA group. For more information, see
E-FOTA change history Viewing the change histories of E-FOTA groups.
Advanced 395
Assigning devices to an E-FOTA group for firmware updates
If there are devices using the same model name and carrier code as the E-FOTA group created on
the E-FOTA group list on the ”E-FOTA Management” page, assign the devices to the E-FOTA group for
firmware updates.
To assign devices to an E-FOTA group for firmware updates, complete the following steps:
1. Navigate to Advanced > E-FOTA Management.
2. On the ”E-FOTA Management” page, click in the row of the E-FOTA group that you want to
assign devices to.
3. In the “Assign Device” window, click the checkboxes next to desired devices for firmware update
on the device list, and then click to add the selected devices to the device with E-FOTA group
list. The selected devices will be added to the device with the E-FOTA group list.
• To remove the devices on the device with E-FOTA group list, click the checkboxes next to the
devices to remove from the device with E-FOTA group list, and then click .
• To add all the devices to the device with E-FOTA group list, click Add all.
• To remove all the devices on the device with E-FOTA group list, click Remove all.
4. Click Next.
5. In the “Firmware update” window, select one of the following firmware update types from the drop-
down list.
• Select: Allows you to choose to update devices with the target firmware version or not. Users
can postpone the firmware update.
• Force: Updates the devices with the target firmware version forcibly at the set time. Users
cannot postpone the firmware update.
6. On the firmware version list, select the desired firmware version to apply to the devices, and then
click OK.
• Click of the target firmware version to view the detailed information on the target firmware
version.
• If you select Force for firmware update type, specify the following information on the “Firmware
Scheduling” window.
–– Start Date: Click to select a specific date to start the target firmware version update.
–– Start Time: Select a specific time to start the target firmware version update.
–– End Date: Click to select a specific date to end the target firmware version update.
–– End Time: Select a specific time to end the target firmware version update.
Advanced 396
Note • The updated date is set to GMT + 0.
• The start date and end date must be at least three days apart and can be up to a maximum of
seven days apart. Also, the gap between the start time and the end time must not exceed 12
hours.
Modifying the firmware update configurations

You can modify the set firmware update configurations for each E-FOTA group.
To modify the firmware update configurations, complete the following steps:
2. On the ”E-FOTA Management” page, click in the row of the E-FOTA group whose firmware you
want to modify to update its configuration.
3. In the “Firmware update” window, select one of the following firmware updates type from the drop-
down list.
• Select: Allows you to choose to update devices with the target firmware version or not. Users
can postpone the firmware update.
• Force: Update the devices with the target firmware version forcibly at the set time. Users
cannot postpone the firmware update.
4. On the firmware version list, select the desired firmware version to apply to the devices, and then
click OK.
• Click of the target firmware version to view the detailed information on the target firmware
version.
• If you select Force for firmware update type, specify the following information on the “Firmware
Scheduling” window.
–– Start Date: Click to select a specific date to start the target firmware version update.
–– Start Time: Select a specific time to start the target firmware version update.
–– End Date: Click to select a specific date to end the target firmware version update.
–– End Time: Select a specific time to end the target firmware version update.
Note • The updated date is set to GMT + 0.

• The start date and end date must be at least three days apart and can be up to a maximum
of seven days apart. Also, the gap between the start time and the end time must not exceed
12 hours.
Advanced 397
Viewing the firmware update status of devices
You can view the status of firmware updates of the devices in an E-FOTA group.
To view the firmware update status of the devices, complete the following steps:
2. On the ”E-FOTA Management” page, click in the row of the E-FOTA group that you want to view
the status of device firmware updates.
3. In the “Update status per device” window, view the detailed update status information for each
device, such as the user and device information, OS version, device status, and the detailed result
of the firmware updates.
• Click to send a device command to the filed or unapplied devices for updating the firmware
to the target OS version.
Viewing the change histories of E-FOTA groups

You can view the history of changes made to an E-FOTA group.
To view the change histories of an E-FOTA group, complete the following steps:
2. On the ”E-FOTA Management” page, click in the row of the E-FOTA group that you want to view
the change histories of.
3. In the “E-FOTA change history” window, view the detailed update information specified for the
relevant E-FOTA group and update results on the list. You can also view the log date, update type,
target firmware versions, and OS version.
Advanced 398
Managing Certificates
Enhance security by using certificates issued by applications. Add external certificates on Knox
Manage for the different purposes and types to use network services such as Wi-Fi, VPN, Exchange,
and APNs. You can view the details of the issued certificates and delete the invalid ones.
Certificate authority (CA)

Register the Certificate Authority (hereinafter CA) to use the Knox Manage certificate services.
Before adding the CA, first download the CA root certificate from a SCEP-supported CA server.
This also enables you to issue device certificates and external certificates. The Cloud Connector is
provided between the CA server and the Knox Manage server for secure data transmission. For more
information about the Cloud Connector, see Using Cloud Connector.
Adding a certificate authority (CA)

To add a CA, complete the following steps:
1. Navigate to Advanced > Certificate > Certificate Authority (CA).
2. On the “Certificate Authority (CA)” page, click Add.
3. On the “Add Certificate Authority” page, enter the following CA information.
• CA Name: Assign a unique name for each CA.

• Description: Enter a description for the CA.
• CA Type: Select a CA type. The input information varies depending on the selected CA type.
–– When the CA type is ADCS:
Item Description
Enter the CA server host URL address.

Host Name
e.g. http://emm.smartemm.com/
Select a method to send the certificate validity check request to the CA.
• CERTSRV: Validity is checked with the CRL method when logging

Request Method into the user device.
• URL: Validity is checked with the OCSP method when logging into
the user device.
Advanced 399
Item Description
Enter the CA Cert Chain URL address.
CA Cert Chain URL Note This field is automatically entered based on the host name
if the CERTSRV is selected as the request method.
Enter the registered Certificate Enrollment Web Service (CES) address

WSURL
to provide web service with the CA.
Key Algorithm Select a key algorithm type between EC and RSA.
Select a key length.
Key Length Note The key length varies depending on the selected key
algorithm type.
Select an authentication method between User account and

Auth Method
Certificate.
User ID Enter the Knox Manage user ID.
Password Enter the password for the user ID.
Workstation Enter the workstation information.
Domain Enter the domain name that is used on Knox Manage.
Select a certificate type.
Certificate Type Note This field appears only when Certificate is selected as the
authentication method.
Click Browse and select a certificate file in the CER, DER, PFX, or P12
format.
Certificate KeyStore
Note This field appears only when Certificate is selected as the
Enter the password for the uploaded certificate KeyStore file.
KeyStore Password Note This field appears only when Certificate is selected as the
Advanced 400
–– When the CA type is Generic SCEP or NDES:
Item Description
Enter the SCEP IP or URL to send the certificate validity check request
SCEP URL to the CA.
e.g. http://emm.smartemm.com/certsrv/mscep/mscep.dll
Only RSA is supported when Generic SCEP and NDES CA types are
Key Algorithm
selected.
Key Length Select a key length from among 2048, 3072, or 4096.
Select a challenge type to authenticate the selected CA type.
• Dynamic: Enter the information used on the Knox Manage server for
authentication configuration.
• Static: Enter the challenge password.
Challenge Type
• No Challenge: If no challenge is selected the challenge password is
not required.
Note The Dynamic field is enabled only when the NDES type CA
is selected.
Enter the Knox Manage user ID.
User ID Note This field appears only when Dynamic is selected as the
challenge type.
Enter the password for the user ID.
Password Note This field appears only when Dynamic is selected as the
challenge type.
Enter the domain name that is used on Knox Manage.
Domain Note This field appears only when Dynamic is selected as the
challenge type.
Challenge URL Enter the challenge URL address used on Knox Manage.
Enter the same password used for the authentication password.
Challenge Password Note This field appears only when Static is selected as the
challenge type.
Select a maximum number of retry to issue certificates.
Retry Count Note • The default value is set to 5.

• The retry count value can be between 1 – 10 times.
Advanced 401
–– When the CA type is CertAgent:
Item Description
Enter the RAMI IP address or URL to send the certificate validity check
RAMI URL request to the CA.
e.g. http://emm.smartemm.com/certagentadmin/ca/rami
algorithm type.
CA Account Enter the CA account ID.
Click Browse and select a certificate file in the CER, DER, PFX or P12
format.
KeyStore Password Enter the password for the uploaded certificate KeyStore file.
–– When CA type is EST:
Item Description
Host Name Enter the CA server host URL address.
Port Enter the CA server host port number.
Use proxy Click the Use proxy checkbox to enable proxy use for the CA server.
Enter the CA server label.

CA Label
Note Contact Knox Manage Technical Support for the CA label.
algorithm type.
Challenge Password Enter the password for the CA server authentication.
Select an authentication method between User account and

Auth Method
Certificate.
User ID Enter the Knox Manage user ID.
Password Enter the password for the user ID.
Advanced 402
Item Description
Click Browse and select a certificate file in the CER, DER, PFX or P12
format.
Note This field appears only when Certificate is selected as the
Enter the password for the uploaded certificate KeyStore file.
KeyStore Password Note This field appears only when Certificate is selected as the
• Test Connection: Click to check if the entered CA information connects to the CA server
successfully.
Note To add a CA, you must pass the connection test.
• Managing CA: Select a CA server name from the root CA list.

4. Click Save.
Viewing a certificate authority (CA)

Navigate to Advanced > Certificate > Certificate Authority (CA) to view all the CA information on the
“Certificate Authority (CA)” page.
To view the detailed information of a specific CA, click the CA name of a specific CA on the list.
Modifying a certificate authority (CA)

To modify a CA, complete the following steps:
2. On the “Certificate Authority (CA)” page, click the checkbox for the CA you want to modify, and the
click Modify.
3. On the “Modify Certificate Authority” page, modify the CA information. The information varies
depending on the selected CA type.
Note You can register a new root certificate when modifying the CA.
4. Click Save.
Advanced 403
Deleting a certificate authority (CA)
To delete a CA, complete the following steps:
2. On the “Certificate Authority (CA)” page, click the checkbox for the CA you want to delete, and the
click Delete.
3. In the “Delete Certificate Authority” window, click OK.
Note You can delete the CA only when there is no template in use.
Certificate templates
The CA server manages certificates through certificate templates. You can add multiple templates
and modify them to standardize and simplify the process of issuing certificates.
Adding certificate templates

To add a certificate template, complete the following steps:
1. Navigate to Advanced > Certificate > Certificate Template.
2. On the “Certificate Template” page, click Add.
3. On the “Add Certificate Template” page, enter the following information:
• Template Name: Assign a unique name for each certificate template.

• Description: Enter a description for the certificate template.
• Type: Only External is supported.
• Platform: You can select Android, iOS, or both. When both platforms are selected, the usage
types that can be commonly applied to them will be displayed.
Note Depending on the device platform, the certificate usage type varies.
Advanced 404
• CA: Select a CA. Input information varies depending on the selected CA type.
• CA Template Name: Enter the CA template name. The CA template name is required when
ADCS type CA is selected.
• Profile ID: Enter the profile ID. The profile ID is required when CertAgent type CA is selected.
Note A master profile will be used for an empty value.
• CA Label: Enter the CA label. The CA label is required when EST type CA is selected.
Note The label of the selected CA will be used for an empty value.
• Subject Name: Enter a subject name in a CN={Subject name value} format.

Note You can also click Lookup to open the reference item list and select an item from it. The
reference value will be automatically entered.
• Certificate Usage: Select a certificate usage type.

–– Wi-Fi: Authorizes connecting with AP for Wi-Fi.
–– VPN: Authorizes encrypted VPN communication when registering Knox Manage on devices.
–– Exchange: Authorizes user authentication and services in Exchange.
–– Knox Generic VPN: Authorizes encrypted VPN communication for Knox enabled Android
devices.
–– Knox VPN: Authorizes encrypted VPN communication specialized for Samsung devices.
• SAN Type: Select a SAN type, and then enter the SAN value. Then click to add.
Note You can also click Lookup to open the reference item list and select a SAN reference item
from it. The reference value will be automatically entered.
4. Click Save.
5. In the “OK” window, click OK.
Advanced 405
Viewing certificate templates
Navigate to Advanced > Certificate > Certificate Template to view all the template information on the
“Certificate Template” page.
• To view the detailed information of the specific certificate template, click a template name from
among the certificate templates on the list.
• To view the detailed information of the specific CA, click a CA from among the certificate
templates on the list.
Modifying certificate templates

To modify a certificate template, complete the following steps:
2. On the “Certificate Template” page, click the checkbox for the certificate you want to modify, and
the click Modify.
3. On the “Modify Certificate Template” page, modify the certificate template information.
• Template Name: Assign a unique name for the certificate template.

• Description: Enter a description for the certificate template.
• Type: Only External is supported.
• Platform: Select a device platform from among Common, Android or iOS.
• CA: Select a CA type. Input information will vary depending on the selected CA type.
• CA Template Name: Enter the CA template name. The CA template name is required when
ADCS type CA is selected.
• Profile ID: Enter the profile ID. The profile ID is required when CertAgent type CA is selected.
Note A master profile will be used for an empty value.
• CA Label: Enter the CA label. The CA label is required when EST type CA is selected.
Note The label of the selected CA will be used for an empty value.
• Subject Name: Enter a subject name in a CN={Subject name value} format.

Note You can also click Lookup to open the reference item list and select an item from it. The
reference value will be automatically entered.
Advanced 406
• Certificate Usage: Select a certificate usage type.
Note The device configuration for Wi-Fi needs to be checked if Wi-Fi is selected as the certificate
usage.
Note The device configuration for VPN needs to be checked if VPN is selected as the certificate
usage.
–– Exchange: Authorizes user authentication and services in Exchange.

–– Knox Generic VPN: Authorizes encrypted VPN communication for Knox enabled devices.
Note • This field appears only when Android is selected as the device platform.
• The device configuration for VPN needs to be checked if Knox Generic VPN is selected
as the certificate usage.
–– Knox VPN: Authorizes encrypted VPN communication specialized for Galaxy devices.
Note This field appears only when Android is selected as the device platform.
• SAN Type: Select a SAN type and then enter the SAN value. Then click to add.
Note You can also click Lookup to open the reference item list and select a SAN reference item
from it. The reference value will be automatically entered.
4. Click Save.
5. In the “OK” window, click OK.
Deleting certificate templates

To delete certificate templates, complete the following steps:
2. On the “Certificate Template” page, click the checkbox for the certificate template you want to
delete, and the click Delete.
3. In the “Delete Certificate Template” window, click OK.
Note You can delete the template in use only when the Android and iOS settings have been deleted
from the device management profile.
Advanced 407
External certificates
External certificates are used in the Profile policies for user authentication configuration. Register an
external certificate and manage it in Knox Manage without receiving a certificate issued from the CA.
Note APNs certificate, which authorizes the Apple Push Notification services, can be viewed but
not registered. For more information about registering APNs certificates, see Setting an APNs
certificate (iOS only).
Adding external certificates

To add an external certificate, complete the following steps:
1. Navigate to Advanced > Certificate > External Certificate.
2. On the “External Certificate” page, click Add.
3. On the “Add External Certificate” page, enter the following information:
• External Certificate Name: Assign a unique name for each external certificate.
• Purpose: Select a purpose for the external certificate.
–– Knox VPN: Authorizes encrypted VPN communication specialized for Galaxy devices.
–– Exchange: Authorizes the user authentication and services in Exchange.
–– CA Cert: Issued by the CA as requested by the user’s public key.
–– Knox Generic VPN: Authorizes encrypted VPN communication for Knox enabled devices.
–– Supervision Certificate: Authorizes iOS device pairing to use the remote detection mode.
Note If Supervision Certificate is selected as an external certificate purpose, the certificate type is
automatically selected as Server.
• Type: Select a type for the external certificate.

–– Root: Highest level of certificate that identifies the Root CA (Certificate Authority).
–– User: Certificate issued for general purposes, such as devices or applications.
–– Server: Server certificate for general purposes.
• File Name: Click and select a certificate file in the CER, DER, PFX or P12 format.
• Password: Enter the password of the selected certificate.

• Description: Enter a description for the external certificate.
4. Click Save.
Advanced 408
Viewing external certificates
Navigate to Advanced > Certificate > External Certificate to view the external certificate information
on the “External Certificate” page.
Modifying external certificates

Modify external certificates by renewing the currently registered external certificate file with a new
file.
Note • The use and type of the external certificate cannot be modified.
• APNs certificates cannot be modified.
To modify an external certificate, complete the following steps:
2. On the “External Certificate” page, click the checkbox for the external certificate you want to
modify, and the click Modify.
3. On the “Modify External Certificate” page, modify the external certificate information.
4. Click Save.
Deleting external certificates

To delete an external certificate, complete the following steps:
2. On the “External Certificate” page, click the checkbox for the external certificate you want to
delete, and the click Delete.
Note APNs certificates and certificates in use cannot be deleted.
Advanced 409
Viewing certificates issuing history
Navigate to Advanced > Certificate > Certificates Issuing history to view a history of all issued
certificates. Issued certificates can be renewed upon expiration or user request. For Android devices,
users can update certificates. For iOS devices, certificates are automatically updated by the CA
server.
The certificate statuses of the issued certificates on Knox Manage are as follows:
• Generated: The certificate has been successfully issued and is currently in use.
• Deleted: The certificate is deleted by the administrator and cannot be used on Knox Manage.
• Revoked: The certificate has expired and has been revoked from the CA server.
Deleting certificates
You can delete certificates used on the iOS devices, which are saved and then distributed from the
Knox Manage server, unlike other device platforms. To delete a certificate, complete the following
steps:
1. Navigate to Advanced > Certificate > Certificates Issuing history.
2. On the “Certificate Issuing history” page, click to set an issued period.
3. Click the checkbox for the certificate you want to delete and click Delete.
Note Certificates used on devices other than iOS cannot be deleted.
Advanced 410
Integrating a directory server
Knox Manage provides the Active Directory (AD) service that is built upon the industry-standard
Lightweight Directory Access Protocol (LDAP) to access intra-enterprise data by integrating
corporate’s directory server.
Once the AD service is configured, you can perform the following:
• Keep user, organizational, and group information synchronized across multiple sites throughout
the enterprise and update information on demand or automatically at specified intervals.
• Simplify the user registration process within the company through VPN, Microsoft Exchange,
Certificate, or email account integration.
To configure and use the AD service, the following procedures must be performed:
Integrating Configuring
Configuring
a directory server user authentication settings
a directory connector
and search
Viewing the directory server status

Navigate to Advanced > Directory Integration > Directory Pool to view all the directory server status
information on the “Directory Pool” page.
To view the detailed information of a specific directory server, click the pool name of a specific
directory server on the list.
Advanced 411
Adding a directory server
Add a directory server in the Admin Portal to synchronize corporate user information by integrating
the corporate directory server.
To add a directory server, complete the following steps:
1. Navigate to Advanced > Directory Integration > Directory Pool.
2. On the “Directory Pool” page, click Add.
3. On the “Add Directory Pool” page, enter the following information:
• Directory Pool Name: Enter a name for the pool that is up to 20 characters and that consists
of letters, numbers, or special characters (only dashes and underscores are allowed) to
distinguish it from other directory services.
• Encryption Type: Select one of the following encryption types for the internet communication
protocol used for communication with the directory server.
–– None: No encryption
–– SSL: Secured Socket Layer
–– TLS: Transport Layer Security
• Auth Type: Select one of the following authentication types used for communication with the
directory server.
Note Knox Manage provides a secure channel between the directory server and the Knox Manage
server through Cloud Connector. If you select the authentication type as GSSAPI (Kerberos),
Cloud Connector cannot be used. For more information about Cloud Connector, see Using
Cloud Connector.
–– None: no encryption
–– Simple: Select this if you are not certain about the authentication type.
Advanced 412
–– DIGEST-MD5 (SASL), CRAM-MD5 (SASL), or GSSAPI (Kerberos): If you select one of these
authentication types, configure the additional advanced settings on the Authentication
Detailed Setting tab as follows:
Authentication type Description
Enter the following information for configuring the settings for Simple
Authentication and security layer (SASL), which is a telnet-based
protocol.
• SASL Realm: Enter the realm value of the SASL server in the relevant
domain’s format, such as sample.com.
• Quality of Protection: Select one of the following qualities of the
data protection options.
–– Authentication only: Protects the data only for authentication.
–– Authentication with integrity: Ensures the integrity of all the data
DIGESTMD5 (SASL) and exchanged, including authentication data.
CRAMMD5 (SASL) –– Authentication with integrity and privacy: Ensures integrity for
all the data exchanges, including authentications through data
encryption.
• Protection Strength: Select one of the data protection levels.
–– High: Use 128-bit encryption.
–– Medium: Use 56-bit encryption.
–– Low: Use 40-bit encryption.
–– Mutual authentication: Click the checkbox to ensure data validity
by inserting the key into the data exchanged between the client
and server.
Enter the following information for GSSAPI (Kerberos) authentication.
• Kerberos Credential Configuration: Select one of the following

methods for obtaining a Kerberos ticket.
–– Use native TGT: Select this if you have already issued a ticket in
the Admin Portal.
–– Obtain TGT from KDC: Issue a new ticket using the default user ID
and password.
• Kerberos Configuration: Select one of the following methods for
GSSAPI (Kerberos) configuring the Kerberos server.
–– Use native system configuration: Use the Kerberos server
information defined in the Java Property.
–– Use following configuration: Enter the following Kerberos server
information manually.
–– Kerberos Realm: Enter the realm of the Kerberos server.
–– KDC Host: Enter the Kerberos Key Distribution Center (KDC) host
or the IP address.
–– KDC Port: Enter the KDC port number.
Advanced 413
• IP/Host: Enter the IP or host address of the directory address. Enter the TCP port number that
should be used for communication with the directory server. 389 is the default port number
used for unencrypted communication with the directory server.
• User ID: Enter the user ID (administrator account) that can access the directory server and
read it. It can be entered in various forms, such as domain\administrator ID, administrator ID@
domain or CN=administrator ID, CN=Users, DC=domain, DC=com.
• Password: Enter the user ID’s password.

• Max Active Limit: Select the maximum number of active connections available from 10 to 50.
• Max Idle Limit: Select the maximum number of idle connections available from 0 to 30.
• Description: Enter a description of the directory server.
4. Click Test Connection to test suitability with the entered information of the directory server, and
then click Save to add the directory server.
Updating directory server status

Once you have added a directory server in the Knox Manage Admin Portal, you can update the status
information of the specific directory servers on the list.
To update the directory server status, complete the following steps:
2. On the “Directory Pool” page, click the checkbox for a specific directory server on the list, and then
click Check Directory Status to update its directory server status. You can view the updated status
information of the selected directory server on the list.
Advanced 414
Copying a directory server
You can copy an existing directory server and add a new directory server to the list.
To copy a directory server, complete the following steps:
2. On the “Directory Pool” page, click the checkbox for a specific directory server that you want to
copy information from, and then click Copy.
3. On the “Copy Directory Pool” page, modify the existing information if necessary, and click Save to
add a new directory server to the list.
Modifying directory server information

You can modify the information of an existing directory server.
To modify directory server information, complete the following steps:
modify the information of, and then click Modify.
3. On the “Modify Directory Pool” page, modify the existing information, and click Save to save the
modified information of the selected directory server on the list. For more information about
entering directory server information, see Adding a directory server.
Advanced 415
Deleting directory servers
You can delete directory servers from the list.
To delete directory servers, complete the following steps:
delete from the list, and then click Delete.
3. In the “Delete Connection Information” window, click OK.
Setting a directory connector

Using a directory connector, you can filter client’s user information on the directory server integrated
with Knox Manage.
Once a directory connecter is configured, you can perform the followings:
• Extract the required user information through the directory type, set range, and detailed filter
settings.
• Simplify the user registration process, which improve work efficiency.
To set a directory connector, the following settings must be configured.
• Directory type
• Base DN and range
• Filters
• Output field
Viewing the directory connector status

Navigate to Advanced > Directory Integration > Directory Service to view all the directory connector
status information on the ”Directory Service” page.
To view the detailed information of a specific directory server, click the service ID of the specific
directory connector on the list.
Advanced 416
Adding a directory connector
Add a directory connector to extract required client’s information on the directory server.
To add a directory connector, complete the following steps:
1. Navigate to Advanced > Directory Integration > Directory Service.
2. On the “Directory Service” page, click Add.
3. On the “Add Directory Service” page, enter the following information:
• Service ID: Enter a Service ID of up to 50 characters containing letters, numbers, and special
characters (only dashes and underscores are allowed).
• Service Name: Enter a Service name to distinguish it from other directory connectors.
• Status: Select the status of the directory connector to use. The default value is Activated.
• Pool Name: Select the pool (directory server) that you have already created for directory
servers in the Admin Portal. To view the detailed information for each registered pool, navigate
to Advanced > Directory Integration > Directory Pool.
• Service Type: Select one of the following service type to perform user authentication or user
searches on the directory server integrated with Knox Manage.
Classification Service type Description
Makes Authentication requests to a client’s directory

server.
Authentication Note The filter and output fields are

automatically entered in accordance with
the directory server type.
Authentication
Makes Authentication requests to a client’s directory
server.
User-defined
Note The filter and output fields must be
authentication
entered manually in accordance with your
desired settings.
Advanced 417
Classification Service type Description
Searches for user information only.
Note The filter and output fields are

User Search
Searches for organization information only.
Note The filter and output fields are

Organization Search
Searches for desired user information using the filter

User-defined search values entered manually. This information can also be
Search
sent to devices.
Searches for user information using the filter set for

the directory connector. To use this type, the policy of
Profile Configuration the user information input method must be selected
(User information) as Connector interworking. For more information on
configuring policies, see Configuring policies by device
platform.
Authenticates for a user using the filter set for the

directory connector. To use this type, the policy of
Profile Configuration
the user certificate information input method must
(Certificate
be selected as Connector interworking. For more
information)
information on configuring policies, see Configuring
policies by device platform.
Note To authenticate users on devices using globalLdapServiceAuthenticator selected as the

authenticator, select the service type as Authentication or User-defined authentication. For
more information about how to select the authenticator, see Setting the user authentication
method.
searches in the directory server. Entering a Base DN value can reduce the time required to
–– Selected DN: Shows the selected DN (Distinguish Name).
• Filter: Click Select to open the “Select Object Class” window and select an Object Class and
attributes for the LDAP Syntax string that will be used to filter search results.
–– Recommended Properties: Displays the recommended properties of the selected object
class.
–– Return Value: Displays the LDAP Syntax of the selected property information and object
class.
Advanced 418
–– Default: Select the object class name defined by default as a filter.
–– Custom: Select the object class name defined by connected directory server as a filter.
• Range: Select one of the following search range for the directory server based on the specified
base DN.
–– Object: Within the level of the base DN.
–– One Level: Within the level including the sub-level of the base DN.
–– Subtree: Within all sub-levels of the base DN.
• Output Field: Select one of the following return information range to only extract the desired
attributes.
–– All: Returns all attributes for the searched entries.
–– Select: Returns only the selected attributes for the searched entries. To select the desired
properties to be used for the filter, click Select Property to open the “Select Property” window
and select the desired properties on the loaded attribute list. To apply the selected properties
click Add.
–– To delete an attribute from the selected properties list, click next to the attribute.
Note • To modify the name of the selected sources and return properties, double-click an item on
the “Output Field Settings” field, and then modify it.
• The return property names may not be returned if the modified property names are same as
existing property names on the loaded attribute list.
4. Click Save to add a directory connector.
Testing a directory service

Before using the directory connector, check if the directory connector operates properly on the
directory server.
To test a directory connector, complete the following steps:
2. On the “Directory Service” page, click the checkbox for a directory connector that you want to test,
and then click Test.
Advanced 419
3. In the “Test” window, enter the following information:
• URL: Select the output form from the drop-down list. The URL will be automatically entered for
a test when the service is requested.
• Parameter: Enter a parameter key and value (ex. userId=administrator) in the filter.
–– Select: Select the desired parameter previously saved in the “Select Parameter” window that
you want to use as an input parameter.
To add an input parameter, click Add and, in the “Add Parameter” window, enter the following
information:
–– Parameter ID: Enter an input ID of up to 50 characters containing letters, numbers, and
special characters (only dashes and underscores are allowed) to distinguish it from other
parameters.
–– Description: Enter a description of the input parameter.
–– Parameter: Enter a parameter key and value (ex. userId=administrator) in the filter. The
test parameter must be identical to the value entered in the service’s filter.
4. Click Send to test the service connection, and then view the test results displayed in a tree
structure with the results expanded to the last node in the “Send Result” window.
Advanced 420
Setting the directory service operating hours
Set the operating hours for each directory connector to have them operate at a desired time and
record logs for the service. You can also notify users of the non-operating hours by sending a
message.
To set the directory service operating hours, complete the following steps:
2. On the “Directory Service” page, click the checkbox for a specific directory connector on the list,
and then click Connect.
3. On the “Connector Service” page, set the directory service operating hours and log service details.
Item Description
Select one of the following connector service time options.
• Always (Default): Operates the directory connector service time from 00:00 -
24:00, Monday to Sunday.
• Individual: Select the desired operating day and hours of the directory
Connector Service connector.
Time –– To add an operating schedule, select the desired day and hours, and then
click .
–– To delete a set schedule, click next to the set schedule.
–– View Timetable: Displays the previously set service operating schedule in a
time table.
Simulation Enter a simulation description for the operating schedule.
Message during non- Enter a message to notify users of non-operating hours. The message is sent to
operating hours user devices when the service is not operating.
Select one of the following log recording methods.
• Do not write the log (Default): Disables use of the service transaction log
Log Service Setting recording.
• Use the connector service transaction log: Enables use of the service
transaction log recording.
Advanced 421
Copying a directory connector
You can copy an existing directory connector and add a new directory connector to the list.
To copy a directory connector, complete the following steps:
2. On the “Directory Service” page, click the checkbox for a specific directory connector that you
want to copy information from, and then click Copy.
3. On the “Copy Directory Service” page, modify the existing information if necessary, and click Save
to add a new directory connector on the list.
Modifying directory connector information

You can modify the information of an existing directory connector.
To modify directory connector information, complete the following steps:
want to modify the information of, and then click Modify.
3. On the “Modify Directory Service” page, modify the existing information, and click Save to save
the modified information of the selected directory server on the list. For more information about
entering directory server information see, Adding a directory connector.
Deleting directory connectors

You can delete directory connectors from the list.
To delete directory connectors, complete the following steps:
want to delete from the list, and then click Delete.
Advanced 422
Managing Open API
Knox Manage uses the OAuth2 authentication method as a standardized open protocol to provide
an Open API for developers. With the Open API, you can support the development of Knox Manage
functions, such as providing access to the Knox Manage server, securing the authentication, and
easily customizing the application programming and services.
Managing API clients

Add and manage API clients via Knox Manage. Management of API clients includes copying,
modifying, deleting, and activating or deactivating API client accounts.
Viewing API clients

Navigate to Advanced > EMM API > API Client to view all the client information on the “API Client”
page.
To view detailed information of a specific API client, click the client ID of a specific API client on the
list.
Adding API clients

To add an API client, complete the following steps:
1. Navigate to Advanced > EMM API > API Client.
2. On the “API Client” page, click Add.
3. In the “Add API Client” window, enter the following API client information:
• Client ID: Assign a unique client ID to use for a token request.

• Password: Enter a new password between 8 and 30 characters. The password must be a
combination of letters, numbers, and special characters.
• Token Validity(sec): Enter the access time for when the Open API is called.
4. Click Save.
Advanced 423
Copying API clients
Copy an existing API client and create a new API client. When you reuse a client information, you
cannot load the client ID and password of the existing API client.
To copy an API client, complete the following steps:
2. On the “API Client” page, click the checkbox for the API client you want to copy, and the click Copy.
3. In the “Copy API Client” window, enter the following API client information:
• Client ID: Assign a unique client ID to use for a token request. The API client ID cannot be
modified.
• Password: Enter a new password between 8 and 30 characters. The password must be a
• Token Validity(sec): Displays the copied access time for when the Open API is called.
4. Click Save.
Modifying API clients

You can modify the information of an existing API client.
To modify an API client, complete the following steps:
2. On the “API Client” page, click the checkbox for the API client you want to modify the information
of, and the click Modify.
3. In the “Modify API Client” window, modify the following client information:
• Client ID: Displays the API client ID.

• Password: Modify the password between 8 and 30 characters. The password must be a
• Token Validity(sec): Modify access time for when the Open API is called.
4. Click Save.
Advanced 424
Deleting API clients
You can delete API clients from the list.
To delete an API client, complete the following steps:
2. On the “API Client” page, click the checkbox for the API client you want to delete from the list, and
the click Delete.
3. In the “Delete“ window, click OK.
Activating or deactivating API clients

To activate or deactivate API client, complete the following steps:
2. On the “API Client” page, click the checkbox for the API client you want to activate or deactivate,
and the click Change Status.
3. In the “Change Status” window, click OK.
• The status of the API client changes to Active or Inactive depending on its previous status.
Once activated, the Open API can be called using the API client. Once deactivated, the Open
API cannot be called using the API client.
Advanced 425
Invalidating tokens
Invalidate all the currently active tokens. An invalidated token cannot be used again and a new one
must be requested through the OAuth2 authentication method.
Note If you call the Open API with an invalidated token, an error message appears and the API call will
be disabled and a new token must be republished.
To invalidate tokens, complete the following steps:
2. On the “API Client” page, click the checkbox for the API client you want to invalidate tokens of, and
the click Token Invalidate.
3. In the “Token Invalidate” window, click OK.
Viewing the API log

Navigate to Advanced > EMM API > API Log to view all the API log information on the “API Log” page.
Viewing the API client log

Navigate to Advanced > EMM API > API Client Log to view all the API client log information on the
“API Client Log” page.
To view the API client log’s error details, click a specific API client log on the list. The error details are
displayed at the bottom of the page.
The following is a sample of error codes details from the API client log list:
Parameters:deviceId=&
Result:{“resultValue”:null,”resultCode”:”-102”,”resultMessage”:”deviceId -
Null or Empty string”}
Advanced 426
Using Cloud Connector
Samsung Knox Manage Cloud Connector (SCC) creates a secure channel for data transfers between
the client’s enterprise system and the Knox Manage cloud server. It allows you to connect the user
information in the client’s Active Directory/LDAP server and the certificate information in the CA
server with the user’s device, and thus use them safely.
SCC is configured as follows:
Knox Manage Public

in Cloud Network LDAP in Client Site
SCC Control
Service Server
LDAP A
LDAP A SCC SCC

Connector Server 1 Client A
Internet CA A
Knox
CA A L4
Manage
Connector
Server
LDAP B DB
Connector SCC LDAP B
SCC Client B
Server N Firewall Firewall
Knox Manage server
It is installed on the cloud and communicates with a user’s device to provide the Knox Manage
services. You can establish servers separately per tenant.
Connector
The Knox Manage server provides the LDAP and CA connectors to connect to the client’s LDAP and
CA servers. You can conduct a connection test when configuring LDAP and CA in the Admin Portal.
SCC
• SCC provides a secure channel between the client’s enterprise system and the Knox Manage cloud
server.
• SCC consists of the SCC client, SCC server, and Control Service Server.
• The SCC Client is installed on the client’s site and makes a secure Transport Layer Security (TLS)
channel with the SCC server.
Advanced 427
• The SCC Server is installed on the cloud. It sends the requests from the Knox Manage server to the
SCC client, and delivers the responses from the SCC client to the Knox Manage server.
• The SCC Control Service Server (CS server) is installed on the cloud and automatically assigns a
port number to be used for LDAP and CA service.
L4 Switch
The L4 Switch equally distributes the requests from the SCC client.
DB
DB saves the information of the LDAP and CA service of the tenant and the IP/Port information of the
SCC server.
Linked system
This refers to the client’s LDAP and CA servers to be linked with Knox Manage.
Preparing for installation

Before installing SCC, prepare the following:
License
Register the Knox Manage license in the Admin Portal.
SCC client server hardware
Microsoft Windows Server 2008 R2 (64-bit), 2012 (64-bit), or 2016 (64-bit) should be used to run the
server software.
Java Development Kit (JDK)
• Install Java Development Kit 1.7 (64-bit) or 1.8 (64-bit).

• Patch the JCE module based on JDK version. For more information, see Installing Java patches.
Network environments
• The firewall between the SCC Client and the LDAP server should be open.
• The firewall between the SCC Client and the CA server should be open.
• The firewall between the L4 switch for accessing the SCC Server and the SCC Client. Refer to the
list below for the firewall information of L4 domains according to the service regions.
Advanced 428
Region Domain:Port
scc-ap.manage.samsungknox.com:10000
Asia (Singapore)
scclts-ap.manage.samsungknox.com:8080
scc-us.manage.samsungknox.com:10000
US (Oregon)
scclts-us.manage.samsungknox.com:8080
scc-eu.manage.samsungknox.com:10000
EU (Ireland)
scclts-eu.manage.samsungknox.com:8080
TCP communication resources
The SCC Server and SCC Client are connected through TCP communication. To enhance the TCP
performance of the SCC Client, you must change the registry value. For more information, see Setting
up the TCP communication resource.
Checking the open source license

To check the open source license information used in SCC, refer to the following file on the folder
where the SCC Client is installed.
{SCC installation location}\scc-client\resources\SCCClient-

OpenSourceLicense.xml:
Installing Java patches

To operate Cloud Connector, the Java Development Kit (JDK) must be installed in advance, and then
the JCE module must be patched based on the JDK version. For example, if you are using JDK 1.7,
apply the Java patch for JDK 1.7, not the Java patch for JDK 1.8.
To install the Java Cryptography Extension (JCE) to support TLS v1.2 AES 256, complete the
following steps:
1. Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files that
match the JDK version. For more information, visit the Oracle website.
2. Decompress the downloaded file.
• A sub-folder named UnlimitedJCEPolicy will be created.

3. Check if the following files are included in the folder.
• README.txt
• local_policy.jar: Unlimited strength local policy file
• US_export_policy.jar: Unlimited strength US export policy file
Advanced 429
4. Copy two JAR files (local_policy.jar, US_export_ policy.jar) from the
UnlimitedJCEPolicy folder to the %JAVA_HOME% \jre\lib\security folder.
Note If the Java patch is not installed successfully, the Cloud Connector will not operate normally.
Setting up the TCP communication resource

It is recommended to change the registry value for the TCP resource in the SCC Client for enhanced
TCP performance.
To change the registry value, complete the following steps:
1. On your computer, open the Registry Editor.
2. Navigate to the path below:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. Change each value of the following items. If the value does not exist, right-click on the mouse, and
then select New > DWORD (32- bit) Value to create a new one.
• TcpTimedWaitDelay
Change the default value of 240 (4 minutes) into 30 (30 seconds) to convert the disconnected
TCP resource rapidly. For more information, see https://technet.microsoft.com/enus/library/
cc938217.aspx.
• MaxUserPort
Change the default value from 5000 to the maximum value of 65534 to increase the number of
concurrent requests delivered to SCC from the application. For more information, see https://
technet.microsoft.com/kokr/library/cc938196.aspx.
Advanced 430
Installing the SCC client
To install the SCC client on a client’s site where the LDAP and CA are installed, complete the following
steps. The IP address and port number of the L4 switch for accessing the SCC server is configured in
the configuration file.
CAUTION Each tenant can only be mapped to one SCC Client.
1. From the Admin Portal, click Download > Cloud Connector Client and download the SCC Client.
2. Decompress the downloaded file.
3. Execute the SCC_Setup_{Version}_{Builddate}.exe file.
4. Select the language to use and click OK.
6. Read the End User License Agreement carefully, select I accept the terms in the license
agreement, and click Next.
7. Click Browse and specify a folder where JDK Home is installed.
• If the message ”The selected directory is not a Java directory” appears, specify another folder.
8. Click Next.
9. Set a folder to install JDK Home and click Next.
• The default installation path is C:\SamsungSDS\ and you can change the path if necessary.
10. Enter the tenant ID and click Install.
• The tenant ID is the corporate domain that comes after an @ when you log in to the Admin
Portal.
11. Once the installation is completed, click Finish.
• To register the SCC client service automatically to Windows for use as a background service,
click Register for Windows Service.
Advanced 431
Running SCC client
You can run the SCC client either by executing the batch file manually or allowing the Windows
background service to run it automatically.
Running SCC client manually

To run SCC client manually, execute the batch file from the path below:
SCC installation folder}/scc-client/bin/sccClientStart.bat
When you close the command window, the SCC client service will be terminated.
Running SCC client automatically

To run the SCC client automatically, complete the following steps:
1. Executing the batch file from the path below to register the SCC client to the Windows background
services:
{SCC installation folder}/scc-client/bin/scc_service_install.bat
2. Check the service name below in Start > Administrative Tools > Services:
SAMSUNG Knox Manage Cloud Connector Client(1) Background Service
3. Right-click on the service name and click Start to run the service.
• To stop the service, right-click on the service name and click Stop.
To disable the SCC client background service, execute the batch file from the path below:
{SCC installation folder}/scc-client/bin/scc_service_uninstall.bat
Configuring the SCC client

If the L4 domains in the service region are changed after installing the SCC client, modify SERVER_IP
and SERVER_PORT in the batch file below and restart the SCC client:
{SCC installation folder}\sccclient\bin\sccClientStart.bat file.
Advanced 432
Updating the SCC client
You can update Cloud Connector when a new version is available.
To update the SCC client, complete the following steps:
1. Create a backup file of the existing version of the SCC client.
• It is recommended to compress the existing installation folder and move the compressed file
to a backup folder.
• After the update, you can execute the SCC_Setup_{Version}_{Builddate}.exe file again
to delete the SCC client.
2. Stop the currently running SCC client.
• If the SCC client is running as a batch file, close the SCC Client Services window.
• If the SCC client is launched as a Windows background service, it automatically terminates and
reruns at the time of the update.
3. Decompress the new version of the SCC_{Region}.zip file.
4. Execute the SCC_Setup_{Version}_{Builddate}.exe file.
5. When the upgrade confirmation pop-up appears, click Yes.
7. Click Update.
• The SCC client and Java will be installed in the same path of the previous version.
8. Click Finish.
Integrating services in Knox Manage

The administrator at the client side can access the Admin Portal and configure the settings for LDAP
and CA service integration.
Integrating LDAP in Knox Manage

When the client’s LDAP is ready, the administrator should enter the LDAP server information in
the Admin Portal. The entered information is then sent to the SCC CS server with the tenant’s
information, and the SCC CS server assigns an IP and Port for the LDAP service to the SCC server.
From then on, Knox Manage will not connect directly with the LDAP server, but will use the LDAP
service using the IP and Port provided from the SCC server.
Advanced 433
To integrate LDAP on the Knox Manage Admin Portal, configure the Directory Integration in Advanced
> Directory Integration. For more information about LDAP integration, see Integrating a directory
server.
• IP/Host: Enter the host name of the LDAP service. (e.g. ldap.client.com)
• Port: The default port number is 389 and it can be modified.
Integrating CA in Knox Manage

The administrator should register the CA server in the Admin Portal to integrate the Knox Manage
server with the client’s CA server via SCC.
Advanced 434
The following example shows how to register an ADCS, one of the available CA types, in Advanced >
Certificate > Certificate Authority (CA) in the Admin Portal. This is applicable when HTTPS is used
for CA. For more information about the CA settings, see Adding a certificate authority (CA).
• Host Name: Enter the host name of the SCC server.

• WSURL: Enter the Certificate Enrollment Web Service (CES) address of the actual CA server
registered for the web service.
Note Although every CA type supported by Knox Manage is available, the ADCS CA’s Windows type
certification is not available.
Advanced 435
Fixing background service errors
If the SCC background service suddenly stops because of an error, the message below pops up or an
error log is created in the Windows Event Viewer.
This error occurs when the msvcr*.dll library cannot be loaded with Java. To fix the error, perform
one of the following two solutions:
Setting PATH from JAVA_HOME

The JAVA_HOME environment variable can be used to set the PATH. To set the PATH variable using
JAVA_HOME, complete the following steps:
1. In the Control Panel of your computer, select System and Security > System > Advanced system
settings > Environment Variables.
2. Select Path under System variables, and then click Edit.
3. Click New.
4. Enter {JAVA_HOME}\bin in the text input filed, and then click OK.
• For example, if JAVA is installed under C:\Program Files\JAVA, you can enter that path in
the text input field.
Copying msvcr*.dll
You can copy the msvcr*.dll file from the path {JAVA_HOME}\bin to the {SCC installation
folder}\bin path, and then restart SCC. The file name differs depending on the JAVA version. For
example, the JAVA version 1.8 has msvcr100.dll.
Advanced 436
Using Mobile Admin
Mobile Admin allows for convenient management by providing the administrators and sub-
administrators with Knox Manage’s key device management features. With Mobile Admin’s mobile-
friendly user interface, you can monitor users and devices on your own mobile devices. In addition,
the Mobile Admin limits the authority to manage or control the devices depending on the type of the
administrator.
Mobile Admin basic information

Knox Manage offers the following Mobile Admin features:
• Dashboard: Provides summarized information of the devices and users. You can also easily
monitor the security status of the enrolled devices by viewing the compliance violation and device
command history through the dashboard.
• Device management: Provides full management capabilities for devices of all OS types. You can
view the information of all enrolled devices and control the devices by sending a device command.
• User management: Manages all user accounts. You can view the information of the user accounts
and control the account status.
Meet the requirements listed below to ensure the efficient operation of Mobile Admin.
Item Requirement
Administrator’s PC Browser: Chrome/Resolution: 5.8-inch display (1440 x 2960 pixels)
Mobile OS All platforms are supported.
Supported language English, Korean
Note If the selected language in Mobile Admin is not supported on the mobile device, Mobile Admin will
be displayed in English.
Advanced 437
Understanding the Mobile Admin screen
Get familiar with the Mobile Admin’s interface features before starting Mobile Admin.
1 2 3 4
No. Item Description
Tap to open the side menus. The following menus are provided:
• Basic Information: View the admin name, company name, admin ID,
license version, license expiration date, and the number of registered
devices by the total number of devices in the tenant’s license.
• Dashboard: View the management status of devices and users. For
1 Menu more information, see Viewing the Mobile Admin dashboard.
• Devices: Manage the Knox Manage installed devices. For more
information, see Managing devices on Mobile Admin.
• Users: Manage the Knox Manage device users. For more information,
see Managing users on Mobile Admin.
• Logout: Logout from the Mobile Admin.
2 Content page name Displays the content page name of the selected side menu.
3 Refresh Tap to view the latest information on the content page.
Advanced 438
No. Item Description
Tap to view the alerts based on audit events that occurred on the device.
4 Alert For more information, see Viewing Mobile Admin alert list.
Displays a list of information for the selected side menu or the details
5 Content page
about the selected resources.
Note • If you do not use the Mobile Admin screen for longer than the maximum session timeout value,
the logout pop-up appears. Tap Cancel to stay logged in.
• The maximum session timeout value is set in Setting > Configuration > Basic Configuration >
Preferences on the Knox Manage Admin Portal.
Viewing the Mobile Admin dashboard

Tap > Dashboard to view the management status of devices and users and other information.
On the “Dashboard” screen, you can view the following information:
• Device Status: Displays the number of devices enrolled in Knox Manage and the number of devices
by device status.
–– Tap the total number of devices to move to the “Devices” screen.
• Compliance Violation: Displays the number of activated “Devices” with a root OS, root app, or no
profile.
–– Tap the number of occurrences of the violation to move to the “Devices” screen.
• Device/User(Activated): Displays the number of the activated devices and the number of activated
users.
–– Tap the number of the activated devices or users to move to the “Devices” or “Users” screen.
• OS Status(Activated): Displays the number of the activated devices by OS type and the ratio of
each OS to the total number of devices.
• Users by Organization: Displays the status of user accounts by organization including the
total number of organizations, total number of users, organization lists, and the users in each
organization.
• Device Command History: Displays the number of device commands sent to devices by date.
Advanced 439
Viewing Mobile Admin alert list
Tap on the right corner of the Mobile Admin screen to view the major changes on devices. Based
on the audit events that occurred on the user devices, you can view the alert list displaying the
information on the audit event name, device ID, and audit event duration.
The filter types of the alert list on Mobile Admin are as follows:
• Changes In Server Status: Displays only the alerts for the audit events that occurred when the
server’s certificate status or the system file changed, or in the following situations:
–– A server certificate has expired or been revoked.
–– A system file has been created, modified, or deleted.
–– A system file integrity error occurred.
–– An uncertified package has been found.
• Failed Policies: Displays only the alerts for the audit events that occurred when the device
commands sent to apply the policies via the device management profile failed.
• Changes In Device Status: Displays only the alerts for the audit events that occurred when the
device status changed.
• Security Violations: Displays only the alerts for the audit events that occurred when the device
violated policies or when a CheckPoint MTP finds a malicious application on the device.
Note The alerts for security violations that occurred within a week are displayed.
• Others: Displays other audit events.
You can also perform the following actions on this screen.
Icon Description
Tap to open the search window on the alert list. To close the search window,
Search re-tap the icon.
Sort Rearrange the alert list by date of creation or by ascending/descending order.
Filter Apply a filter to display a relevant audit event on the alert list.
Advanced 440
Starting up Mobile Admin
To begin using Mobile Admin, you will need to enter the Knox Manage Admin Portal URL in your
device’s browser. Then, tap Go to Mobile Admin at the bottom of the login page. Once you accessed
and logged in to the Mobile Admin, you can view and control Knox Manage’s device management
features on your device.
Logging in to Mobile Admin

Log in to Mobile Admin by using the same login credentials used for the Knox Manage Admin Portal.
Super administrators can use all the features provided in Mobile Admin, while sub-administrators
with Service Desk administrator privileges have restricted use.
To login to Mobile Admin, complete the following steps:
1. Visit the Knox Manage Admin Portal using the web browser on the device to access the Mobile
Admin.
2. At the bottom of the screen, tap Go to Mobile Admin.
• The Mobile Admin login page will appear.

3. Enter the Knox Manage admin ID and password on the Mobile Admin login page.
Note • If you enter incorrect user ID or password for 5 consecutive times, you will be locked out for
10 minutes.
• If you log in to the Mobile Admin portal for the first time or use a temporary password, enter a
new password and repeat the password to confirm.
4. On the “Privacy Policy” pop-up, tap the checkbox next to I agree.
5. Tap OK.
Creating Service Desk administrator accounts

To create a Service Desk administrator account, you will need to add a sub-administrator with Service
Desk administrator privileges on the Knox Manage Admin Portal.
To create a Service Desk administrator account, complete the following steps:
1. On the Knox Manage Admin Portal, navigate to Setting > Admin Console > Administrator.
2. On the “Administrator” page, click .
Advanced 441
3. In the “Add Administrator” window, enter the information. For more information, see Adding an
administrator.
Note When entering the information in the “Add Administrator” window, you must select the
administrator type as Sub-Admin and the administrator permission as Service Desk.
4. Click Save.
Using Mobile Admin at a Service Desk

Service Desk administrators can access Mobile Admin and manage the devices enrolled in Knox
Manage. For more information on the device command and device information, see Sending device
commands on Mobile Admin.
Note Not all features on Mobile Admin are available to the Service Desk administrators.
Managing devices on Mobile Admin

Manage the devices enrolled in Knox Manage with Mobile Admin. You can view device information
including the device activation type and device status. You can also control devices by sending
device commands or messages.
Using Mobile Admin device menu

Navigate to > Devices to view all the Knox Manage enrolled devices. To view detailed information
of a specific device, tap the device name of a specific device on the list.
Icon Description
Device Command Send a device command to the activated devices.
Search for a specific device for the entered device ID in the search window. To
Search close the search window, re-tap the icon.
Rearrange the device list by the date of occurrence or in ascending/

Sort descending order.
Filter Filter the device list by the current device account status.
Advanced 442
Viewing device activation types on Mobile Admin
Navigate to > Devices to view the device activation type at the right corner of the device list. The
activation type for Android Legacy devices is not displayed.
The device activation types on the device list are as follows:
• Knox Workspace: Android Legacy devices using Knox Workspace

• Fully Managed: Android Enterprise devices activated as a Fully Managed type. For more
information, see Enrolling Android Enterprise (AE) devices.
• Fully Managed with Work Profile: Android Enterprise devices activated as a Fully Managed with
Work Profile type. For more information, see Enrolling Android Enterprise (AE) devices.
• Work Profile: Android Enterprise devices activated as a Work Profile type. For more information,
see Enrolling Android Enterprise (AE) devices.
• DEP: iOS devices activated through DEP. For more information, see Using the Apple Device Using
the Apple Device Enrollment Program (iOS devices only).
Viewing device status on Mobile Admin

Navigate to > Devices to view the current status of a device on the device list. The statuses are
displayed as an icon.
The device statuses on the device list are as follows:
Icon Description
Provisioning The device is enrolled but Knox Manage is not activated.
Activated The device is registered as activated in Knox Manage.
The device cannot be controlled through Knox Manage. You can unenroll the
Deactivated device according to the device communication status.
The device has exceeded the set Keepalive interval, or the system blocked a
Blocked by System Knox Manage app installed on a device that has been factory reset.
The device cannot be controlled by administrators due to the expiration of the

license validity period.
Expired • You can change the status to Unenrolled.

• The status automatically changes to Enrolled upon license update. For
more information, see Renewing an expired license.
Advanced 443
Sending device commands on Mobile Admin
Control the device by sending device commands from the Mobile Admin. Depending on the device
activation type, you can select different areas to send device commands to. Device commands can
only be sent to activated devices.
• For more information on the Android Enterprise device commands, see List of device commands:
Android Enterprise.
• For more information on the Android Legacy device commands, see List of device commands:
Android Legacy/Knox Workspace.
• For more information on the iOS device commands, see List of device commands: iOS.
• For more information on the Windows device commands, see List of device commands: Windows.
To send device commands on Mobile Admin, complete the following steps:
1. Navigate > Devices.
2. On the “Devices” screen, tap the checkbox next to the device you want to control from the device
list.
• You can also tap to open the search window and enter a mobile ID you want to control.
3. Tap at the right corner of the device list.
• is enabled for activated devices only.
4. In the “Device Command” pop-up, tap the device command you want to send.
• Select an area to send a device command depending on the device activation type.
5. Tap OK.
Advanced 444
Sending messages on Mobile Admin
Send a text message to the device using Mobile Admin.
To send a message on Mobile Admin, complete the following steps:
1. Navigate to > Devices.
2. On the “Devices” screen, tap the checkbox next to the device you want to send a message to.
• You can also tap to open the search window and enter a mobile ID you want to send a
message to.
3. Tap at the right corner of the device list.
• is enabled for activated devices only.
4. In the “Device Command” pop-up, tap Send message.
5. On the “Send message” screen, enter the following information:
• Title: Enter the title of the message to be sent.

• Content: Enter the message to be sent.
6. Tap OK.
Advanced 445
Managing users on Mobile Admin
Manage the Knox Manage device users on Mobile Admin. You can view the detailed user account
information and control the status of the users.
Using Mobile Admin users menu

Navigate to > Users to view the information of the user accounts on Knox Manage. To view
detailed information of a specific user, tap the user name of a specific user on the list.
Icon Description
Search for a specific user for the entered user ID or user name in the search
Search window. To close the search window, re-tap the icon.
Rearrange the user list by the date of occurrence or in ascending/descending

Sort order.
Filter Filter the user list by the current user account status.
Activating or deactivating user accounts

To activate or deactivate the user account, complete the following steps:
1. Navigate to > Users.
2. On the “Users” screen, tap the user on the user list whose account you want to activate or
deactivate.
3. On the “User Information” screen, tap the following:
• Tap (Inactive) to activate the user account.

–– Once the user account is activated, devices enrolled for the user account can be controlled.
• Tap (Activated) to deactivate the user account.

–– Once the user account is inactive, devices enrolled for to the account cannot be controlled,
regardless of the device status.
4. In the confirmation message pop-up, tap OK.
Advanced 446
Configuring Microsoft Exchange
Mail servers, such as the Microsoft Exchange Server and Office 365, can be integrated with Knox
Manage on user’s devices. To integrate a mail server with Knox Manage, you should access and
configure the Microsoft Exchange Server by authenticating user information in the Active Directory
(AD) service based on a certificate issued by a Certificate Authority (CA). Before configuring
Exchange, the following items must be configured and prepared:
• Active Directory (AD) service (For more information on configuring the AD service, see Integrating
a directory server.)
• Certification Authority (CA) server (The client certificate must be issued for authentication.)
• Microsoft Exchange server (To use certificate based authentication in the Microsoft
Exchange server, visit the Microsoft website at https://technet.microsoft.com/EN-US/library/
mt791265(v=exchg.160).aspx and follow the instructions.)
• Registered user accounts and organizations (For more information on configuring the AD service,
see Creating user accounts and Adding an organization.)
• Cloud Connector Client (The Cloud Connector Client must be installed on the client site to
configure a secure channel with the Cloud Connector when connecting to the Active Directory
server and the CA server. For more information, see Installing the SCC client.)
Advanced 447
Configuring the Exchange server
To configure the Exchange server by authenticating the users on the devices with Exchange
ActiveSync, additional settings are required for Certificate Authentication (CA), SSL, and client
certificates.
Enabling Certificate Authentication (CA)

Active Directory Client Certificate Authentication must be enabled to configure Certificate
Authentication.
To configure Certificate Authentication (CA), complete the following steps:
1. On your desktop, click Start > Run.
2. Type inetmgr, and then click OK to open the Internet Information Services (IIS) Manager.
• Alternately, on your desktop, you can click Start > Programs or All Programs > Administrative
Tools > Internet Information Services (IIS) Manager to open the Internet Information Services
(IIS) Manager.
3. In the Connections node, select the name of your web server, and then double-click Authentication
in the “IIS” section.
4. Double-click Active Directory Client Certificate Authentication, and then click Enable in the
“Actions” window.
Advanced 448
Enabling SSL
After enabling Active Directory Client Certificate Authentication, the SSL must be enabled to use
Active Directory Client Certificate Authentication.
To enable SSL, complete the following steps:
(IIS) Manager.
3. In the Connections node, select Microsoft-Server-ActiveSync under Default Web Site, and then
double-click SSL Settings in the “IIS” section.
4. Click the checkbox next to Require SSL, and then click Require under Client certificates.
5. Click Apply in the “Actions” window.
Configuring client certificate mapping

Configure client certificate mapping after enabling Certificate Authentication and applying SSL.
To configure client certificate mapping, complete the following steps:
(IIS) Manager.
3. In the Connections node, select Microsoft-Server-ActiveSync under Default Web Site, and then
double-click Configuration Editor in the “IIS” section.
4. From the Section drop-down menu, navigate to system.webServer/security/authentication.
5. Select True in the “enabled” section, and then click Apply in the “Actions” window.
Advanced 449
Configuring ADCS and AD for Microsoft Exchange
To configure ADCS and AD for Exchange, some specific settings for the use of Exchange are required
when creating a directory server, directory connector, Certificate Authentication (CA), and certificate
template.
To configure ADCS and AD for Exchange, complete the following steps:
Note To provide a secure channel among directory servers, directory connectors, and CA servers, you
should install Cloud Connector in advance before configuring a profile with ADCS and AD for
Exchange. For more information about Cloud Connector, see Using Cloud Connector.
1. Add a directory server for accessing intra-enterprise data on the AD server. For more information
about entering information in detail, see Adding a directory server.
Note To use Cloud Connector, select TRUE from the Cloud Connector drop-down menu.
2. Add a directory connector for specific filtered searches. For more information about entering
detailed information, see Adding a directory connector.
Note If the service type is selected as Profile Configuration, the policy of the user information input
method must be selected as Connector interworking. For more information on configuring
policies, see Configuring policies by device platform.
3. Add a certificate authority (CA) for authenticating the users. For more information about entering
information in detail, see Adding a certificate authority (CA).
Note Once a connection test is completed, the target CA that issues and manages the relevant
certificates is displayed.
4. Add a certificate template. For more information about entering information in detail, see Adding
certificate templates. Also, for Exchange settings, the following must be done.
• The subject name must be selected as CN=(Email).

• The certificate usage must be selected as Exchange.
• The San type must be selected as Email Address and click to select Email from the SAN
reference item list.
Advanced 450
Configuring a profile for Microsoft Exchange
Configure a profile for Exchange using a certificate authority (CA) or a certificate connector. Some
specific settings for using Microsoft Exchange are required when creating a profile.
To configure a profile using a CA or certificate connector, complete the following steps:
1. Create a new profile. For more information about entering information in detail, see Creating a new
profile.
2. Add conditions for the profile. For more information about entering information in detail, see
Adding events for profiles.
3. Configure policies by device platform. For more information about entering information in detail,
see Configuring policies by device platform. Also, for the Exchange policy, the following must be
done.
• Click the checkbox next to Office 365 to configure the Exchange settings by automatically
filling out the Exchange server address and the setting the SSL option to Use.
• Set the user information input method to Connector interworking to use a directory connector.
For more information about creating a directory connector, see Adding a directory connector.
• Select one of the user certificate input methods.

–– Issuing external CA (Using a CA): Select the certificate template. For more information about
creating a certificate template see Adding certificate templates.
–– Connecting interworking (using a certificate connector): Select the certificate connector. For
more information about creating a certificate connector, see Adding a directory connector.
Note To enable a certificate connector, the service type of the directory connector must be set as
Profile Configuration (Certificate). For more information about selecting the service type, see
Adding a directory connector.
• Select Use for use of SSL to configure the SSL between the device and the Exchange server.
Advanced 451
Accessing Microsoft Exchange on the device
After all the settings for Exchange are completed through the Internet Information Services (IIS)
Manager and Admin Portal, access and use Exchange on the device.
To access Exchange on the device, complete the following steps:
1. On the Knox Manage application, tap Download Configuration from the side menu, and then tap
Install to download the Exchange configuration for the device. The user certificate for Exchange
will be installed on the device.
Note To install the Exchange configuration, the Knox Manage user ID must be same as the user ID of
the AD server.
2. Tap the notification to set up the new email account.
3. Accept the privacy policy and activate the device administrator, and then check if the email
account has been added to the Samsung Email application.
Note The user’s email address that is registered in the Knox Manage Admin Portal is used as the email
account for the Exchange server.
Advanced 452
11
Setting
Setting
Customize various settings in the Admin Portal. Set the Knox Manage Agent policies for user devices
and configure Keepalive, the program which is used for checking the statuses of devices. You can
also manage the templates of messages for users and the master data related to user information.
In addition, you can change the logo and header or manage other administrators’ accounts.
→→ Configuring the environment

Configures the environment options, such as login, device management, inventory schedule, the Knox
Manage App Store, MDM, and service desk.
→→ Setting Knox Manage Agent policies

Set the Knox Manage Agent policies, such as login, screen lock, and compliances.
→→ Configuring the Keepalive settings

Configure the Keepalive settings, such as the target type, expiration period, interval, and target groups/
organizations.
→→ Adding a notice
Add a notice for device users.
→→ Managing message templates

View the provided templates of messages for device users and add and manage new templates.
→→ Managing master data

Configure the master data of the device users’ position, security level, and work site.
→→ Setting the logo

Customize the logo and header in the Admin Portal.
→→ Managing administrator accounts

Add and manage administrator accounts in Knox Manage.
Setting 454
Configuring the environment
Configure the environment settings for the Admin Portal. You can customize the values for the
provided setting options.
To configure the environment, complete the following steps:
1. Navigate to Setting > Configuration > Basic Configuration.
2. On the "Basic Configuration" page, customize the environment settings. For more information
about the environment settings, see List of environment settings.
3. Click Save.
List of environment settings

The environment settings by category are as follows. All options have default values and the values
can be modified.
Preferences
Country/Time
Option Description
Select the country of the Admin Portal. The country code and the
corresponding language are used for user agreements, privacy policy,
Default Country Code
administrator/user enrollment, and public application enrollment on user
devices.
Select the time zone of the Knox Manage server. Based on the time zone, the
Time Zone information in the Admin Portal is displayed, tasks and events scheduled by
administrators are performed, and user and device statistics are collected.
Setting 455
Logo
For more information about setting the log, see Setting the logo.
Option Description
Click Select Image and upload the image file of your company logo. The
image must be a GIF, JPG, PNG, or BMP file. The file cannot be larger than
Logo Image
190 x 33 and must be 1 MB or lower.Click Default to use the default image as
your company logo.
Header Color Click the color box and set a color for the header.
Header Font Color Click the color box and set a color for the header text.
Preview Preview the company logo.
Authentication/Login
Configure the settings about the login environment and the administrator account.
Option Description
Enable the use of OTP authentication as well as an account ID and password

Two-Factor
when administrators sign in to the Admin Portal. For OTP authentication, the
Authentication
administrator’s mobile phone number or email address is required.
Allow Multi-point Logins Allow concurrent logins to the Admin Portal.
Select the response of the Knox Manage server when there are successive
failed login attempts.
Action When Admin
• Deactivate account until an upper level admin unlocks
Login Fails
• Disable login for 10 mins
• No action
Enter the maximum number of failed login attempts. When users exceed the
Maximum Failed Login maximum, their accounts are locked.
Attempts
You can enter a value from 3 to 10.
Enter an inactivity limit for administrator accounts. If sub-administrators

or read-only administrators do not sign in for longer than the limit you set,
Inactivity Limit on Admin their accounts are locked. To unlock their accounts, they must ask the super
Accounts (days) administrator.
Enter the maximum session time limit for the Admin Portal. If the limit is
Maximum Session exceeded, you will be signed out automatically.
Timeout (min)
Setting 456
Device
Device
Configure the device management settings.
Option Description
Enter the standard time gap for connection of the device and server. This
standard is used for displaying information in the Last Seen column of the
device list in the Device menu.
• If the gap between the current time and the last connected time of a device
Based on Last Seen does not exceed the standard, the Last Seen information of the device is
(time) displayed in green.
• If the gap between the current time and the last connected time of a device
exceeds the standard, the Last Seen information of the device is displayed
in red.
The value is entered in hours.
Limited Enrollment Enable enrollment of mobile devices using their IMEI or serial numbers.
Device Location View Enter the period for saving device location data. You can view the location of
Period (days) devices saved during that time period.
Maximum Number of
Select the number of devices that can be enrolled per user.
Active Devices per User
When you register an APNs certificate in the Admin Portal, this value is
automatically entered.
If the value is different from the value in the Current Subject Name field in
Setting > iOS > APNs Setting, complete the following steps:
APNs Topic for iOS
1. Start the command prompt on your PC.
2. Enter C:/> keytool -v -list -storetype pkcs12 –keystore
{APNS certificate filename}.p12 | find “UID“.
3. Change the APNs Topic value to the value appearing after “UID=”.
Select how many notifications you will receive per day to send device
commands which have been sent but not applied successfully.
• 0: You will receive no notification.

Daily retries for device
commands in queue • 1: You will receive a notification at 11 PM local time per tenant.
• 2: You will receive a notification at 10 AM and 10 PM local time per tenant.
Unapplied device commands are listed in History > Device Command in
Request.
Camera Option from

Enable the camera feature on iOS devices when the device screen is locked.
Lock Screen for iOS
Enable the applications installed on a device to be deleted when the device is

Delete App upon
unenrolled. The deletion targets are internal applications for Android devices
Unenrollment
and all applications installed through Knox Manage for iOS devices.
Setting 457
Option Description
Enable sending a notification to the device when no profile is applied to

Notification that policy is
a group or organization. When the user turns off the alarm in the device's
not applied
setting menu, notifications on whether the profile is applied will not appear.
Direct boot command Set the polling cycle to send the Knox Manage command for Android devices.
polling interval for If the polling interval is 0, polling will not be performed. However, polling is
Android (min) executed once after the Knox Manage Agent is started.
Inventory Scheduler
Configure the interval to collect the device inventory by mobile OS.
Option Description
Enter the interval for collecting the inventory information for Android devices.
You can enter a value from 4 to 24 or 0 (the device inventory is not collected).
Inventory Collection Note To set an interval for collecting the location data of Android
Interval for Android (hr) devices, navigate to Profile. Click a profile name and click Modify
Policy > Android Enterprise or Android (Legacy) > Location
> Report device location interval. For more information, see
Location (Android Enterprise) or Location (Android Legacy).
Inventory Collection Enter the interval for collecting the inventory information for iOS devices.
Interval for iOS (hr) You can enter a value from 4 to 24 or 0 (the device inventory is not collected).
Enter the interval for collecting the inventory information for Windows
Inventory Collection devices.
Interval for Windows (hr)
You can enter a value from 4 to 24 or 0 (the device inventory is not collected).
App & Service Desk
Application
Configure the application deletion setting.
Option Description
Select the area to delete applications from.
• Console: Deletes applications only from the application list in the Admin
Manage Deletion Portal.
• Console + Device: Deletes applications from the application list and also
from the devices in the assigned groups/organizations.
Setting 458
Knox Manage App Store
Configure the activation of the review feature in the Knox Manage App Store.
Option Description
Knox Manage App Store Enable users to evaluate and write a review about applications in the Knox
Review Manage App Store.
Service Desk
Enter the service desk information displayed on user devices.
Option Description
Service Desk Email Enter the service desk email address.
Service Desk Phone Enter the service desk phone number.
Setting 459
Setting Knox Manage Agent policies
You can set policies, such as login, screen lock, and compliances, for the Knox Manage Agent. When
the user runs the Knox Manage Agent, the defined policies are applied to the device.
To configure policies for the Knox Manage Agent, complete the following steps:
1. Navigate to Setting > Configuration > Knox Manage Agent Policy.
2. On the “Knox Manage Agent Policy” page, click the ”Default” tab.
• The policies set in the “Default” tab will be applied to every group or organization that is not
assigned specific policies in your tenant.
• To apply different agent policies to specific groups or organizations, click and configure an
agent policy set.
3. Configure the policy details. For more information about the applicable policies, see Applicable
policies for Knox Manage Agent.
5. In the "Save Changes" window, click OK.
Applicable policies for Knox Manage Agent

The following policies are available for Knox Manage Agent:
Set the maximum number of incorrect password Android

Maximum Failed Sign- attempts before access is restricted. iOS
in Attempts
The value can be between 0 - 10 times. Windows 10
Select the action to be performed when the

maximum number of failed attempts is reached.
• None: The device is unrestricted. Android

> Sign-in Failure
Policy
• Factory reset: Resets the user device. iOS
• Lock device: Locks the device. Windows 10
• Lock Knox Manage Agent: Locks the Knox
Manage Agent.
Android
Allows the use of the lock screen for the Knox
Use Lock Screen iOS
Manage Agent.
Windows 10
Setting 460
Select where the Knox Manage Agent will be

installed. Android
Install Area
• General Area
• Knox Workspace
Set the duration for locking the device when the Android
Lock Screen After user has not set up a password for the screen lock. iOS
(sec)
The value can be between 300 – 3600 seconds. Windows 10
Set the duration for locking the Knox Workspace

area screen when the application is not used for a
certain period of time.
Lock Knox Workspace Android
Screen After (sec)
Note The KWS license is required to set this
policy.
> Fingerprint Android

Allows the use of the fingerprint unlock control.
Authentication iOS
> Maximum Set the maximum number of incorrect password Android

Password Entry attempts before access is restricted. iOS
Attempts The value can be between 0 - 10 times. Windows 10
Select the action to be performed when the

maximum number of failed attempts is reached.
• None: The device is unrestricted. Android

>> Password Entry
Failure Policy
• Factory reset: Resets the user device. iOS
• Lock device: Locks the device. Windows 10
• Lock Knox Manage Agent: Locks the Knox
Manage Agent.
Android
> Minimum Set the minimum length of the password.
iOS
Password Length The value can be between 6 – 20 characters.
Windows 10
Select to include which character type in a

password. Android
> Requirements for
• At least 1 capital letter iOS
Password
• At least 1 number Windows 10
• At least 1 special character
> Allow 3 Android

Allows 3 or more consecutive characters to be
Consecutive iOS
used in a password.
Characters Windows 10
Setting 461
Sends a notification to the user when a new version

KM Agent Auto
of the KM agent is available on the device and
Update
prompts the user to update it.
Allow Unenroll Allows the disabling buttons on the device so that Android
Request deactivation requests can be sent. iOS
Show All Applied Allows showing all of the policies applied on the Android
Policies policy list in the Knox Manage Agent. iOS
Limitation of the Limits the display of the download screens of

Download Screen public applications in the Knox Manage Agent. Only Android
Display in the Public the registered public applications are displayed on iOS
Application the download screen.
Availability for Checks the Android OS version and performs

Android Version actions when the device violates the OS version Android
Control and conditions.
> Recommended
Sets the Android OS version. Android
Version
Sets the conditions for the recommended OS

version to apply the violation measures.
> Conditions for
Checking OS • Allow recommended version only Android
Version • Allow recommended version or below only
• Allow recommended version or above only
Select an action to perform when the device
violates the OS version and conditions.
> OS Version
Violation Policy
• Lock device: Locks the device. Android
• Lock EAS: The preloaded email application will
be hidden and the user cannot use it.
Checks the iOS OS version and performs actions

Availability for iOS
when the device violates the OS version and the iOS
Version Control
conditions.
> Recommended
Sets the iOS OS version. iOS
Version
Sets the conditions for the recommended OS

version to apply the violation measures.
> Version Control
• Allow recommended version only iOS
Policy
• Allow recommended version or below only
• Allow recommended version or above only
Select an action to perform when the device
> OS Version violates the OS version and the conditions. iOS
Violation Policy
Setting 462
Windows 10 Desktop Sets the data distribution mechanisms for

Windows 10
Data Deployment Windows 10 desktops.
Select a data provisioning package (PPKG) file to

apply to the desktops.
> PPKG File In the TMS Admin Portal, navigate to Management Windows 10
> Service Profile, and click . Then, navigate to
Settings > Windows 10 > PPKG File Management,
and select a provisioning package.
Windows 10 Mobile Sets the data distribution mechanisms for the

Windows 10
Data Deployment Windows 10 mobile devices.
Select a data provisioning package (PPKG) file to

apply on the mobile devices.
> PPKG File In the TMS Admin Portal, navigate to Management Windows 10
> Service Profile, and click . Then, navigate to
Settings > Windows 10 > PPKG File Management,
and select a provisioning package.
Configuring the Keepalive settings

You can configure the Keepalive settings to check the connection between the Knox Manage server
and the device. The Knox Manage server checks the connection between the server and the device at
the set interval.
To configure the Keepalive settings, complete the following steps:
1. Navigate to Setting > Configuration > Keepalive.
2. Click next to Keepalive to enable the feature.
3. Select a target type between Global Setting and Set by Group/Organization.
• Global Setting: Applies the Keepalive settings to all policies.

• Set by Group / Organization: Applies the Keepalive settings to selected groups or
organizations.
Setting 463
4. Configure the Keepalive settings.
• Keepalive Expiration (days): Select a period between 3 and 365 days. If there is no
communication between the Knox Manage server and a device for the set period, it attempts
to re-establish a connection directly. If the device still fails to establish communication, then its
status changes to Disconnected.
• Keepalive Expiration (hours): Select a cycle to check the connection status by checking the last
time the device and the server communicated.
• Group / Organization: Click Select and select user groups or organizations to apply the
Keepalive settings.
5. Click Save.
Adding a notice
Add a notice for device users. When you add multiple notices, the notice periods cannot overlap.
On user devices, notices are displayed in the language that the user sets when signing in to Knox
Manage.
To add a notice, complete the following steps:
1. Navigate to Setting > Notice.
2. On the “Notice” page, click Add.
3. Enter the subject and content of the notice and set the notice period.
• The start date of the notice must be within a month of the current day.
• Do not enter a space at the end of the notice content.
4. Click Save.
Setting 464
Managing message templates
Knox Manage provides message templates and helps you send text messages or emails with a good
and standardized format. In addition to basic message templates, you can add new templates for
general emails or emails to send temporary passwords to users.
Basic message templates

The basic message templates are as follows:
Template type Message type Template name
Agent Installation Email_Agent Installation
Administrator Authentication Email_Admin OTP
Administrator Account Information Email_Admin ID
Administrator Temporary
Email_Admin Temporary Password
Password
Email
User Temporary Password Email_User Password Reset
Email_Apple VPP Invite: The email

template for inviting VPP users
Apple VPP Email_Apple VPP Redeem: The email
template for installing purchased VPP
applications through redeemable codes
• User Credential
• Public Store Address
Agent Installation
• Direct Installation
SMS • KME Activation Address
Administrator Authentication Admin OTP SMS
Administrator Temporary
Admin Temporary Password
Password
Setting 465
Adding message templates
You can add general purpose email templates or templates for sending out temporary passwords.
To add a new template, complete the following steps:
1. Navigate to Setting > Message Template.
2. On the “Message Template” page, click Add.
3. On the “Add Message Template” page, enter the following information:
• Template Name: Enter the template name.

• Template Type: Select a type of the message template between Email and SMS.
• Message Type: Select the purpose of the email.
• Description: Enter a brief description of the template.
• Message Subject: Enter the email subject line.
• Content: Enter the body of the message.
–– If you click Search, you can select reference items that will be replaced with actual values
when the email is sent. Double-click an item to add it to content. For emails that send a
temporary password to a user, Temporary Password must be added.
–– To add an image to the template, click and add an image in the URL format.
4. Click Save.
5. In the "Save Message Template" window, click OK.
Note • Among the reference items in the “Reference Items” window, Copyright, EMM/TMS Service
URL, OTP Issuing URL are provided by Knox Manage. When you add one of the items, their
actual values are displayed in the template. If the values remain blank, contact the Knox
Manage Support team.
• Some characters can be automatically converted due to a cross-site scripting (XSS) issue while
adding a new template. For example, “onclick” is converted to “on-click.”
The following characters are converted: onafterprint, onbefor, onerror, onhashchange, onload,
onmessage, onoffline, ononline, onpage, onpopstate, onresize, onstorage, onunload, onblur,
onchange, oncontextmenu, onfocus, oninput, oninvalid, onreset, onsearch, onselect, onsubmit,
onkey, onclick, ondblclick, ondrag, ondrop, onmouse, onscroll, onwheel, oncopy, oncut, onpaste,
onabort, oncanplay, oncuechange, ondurationchange, onemptied, onended, onpause, onplay,
onprogress, onratechange, onseek, onstalled, onsuspend, ontimeupdate, onvolumechange,
onwaiting, onshow, ontoggle, script, frame, object, embed, meta, div, style, form, isindex, body,
base, bgsound, xml, document, applet, grameset, layer, alert
Setting 466
Managing added message templates
You can modify or delete newly added message templates. Basic message templates cannot be
modified or deleted.
Modifying message templates

To modify message templates, complete the following steps:
2. On the “Message Template” page, click the checkbox for the template you want to modify.
3. On the “Modify Message Template” page, modify the existing information.
4. Click Save.
5. In the "Save changes" window, click OK.
Deleting message templates

To delete message templates, complete the following steps:
2. On the “Message Template” page, click the checkbox for the template you want to delete.
3. In the "Delete" window, click OK.
Setting 467
Managing master data
Master data contains the following user information. The data appears as select options when you
add a single user.
• Position: The user’s position in the company

• Security Level: The user’s security level related to their access of company data
• Site: The user’s work site
Adding master data

To add a new value for master data, complete the following steps:
1. Navigate to Advanced > Master Data.
2. In the "Category" area, select a category between Position, Security Level, and Site.
3. In the "Master Data" area, click Add.
4. In the “Add Master Data” window, enter the data information.
• Category: The data category that you selected in step 2 is pre-entered.

• Key: Enter a key or code.
• Value: Enter a value.
• Select or not: Select the value to be the default in the data category.
Note
If you want to add additional reference codes, click Reference Code > and add a reference
code.
5. Click Save.
Modifying master data

To modify master data, complete the following steps:
2. On the “Master Data” page, select a category and search for the value you want to modify.
3. Click the checkbox for the value you want to modify and click Modify.
4. In the “Modify Master Data” window, modify the existing information.
5. Click Save.
Setting 468
Deleting master data
To delete master data, complete the following steps:
2. On the “Master Data” page, select a category and search for the value you want to delete.
3. Click the checkbox for the value you want to delete and click Delete.
4. In the "Delete" window, click OK.
• The keys provided as master data by default cannot be deleted.
Setting the logo

Change the Knox Manage logo to your company logo and customize the color for the header and/or
header text.
To set the logo, complete the following steps:
1. Navigate to Setting > Configuration > Basic Configuration.
2. Modify the logo image and/or the colors.
• Logo Image: Click Select Image and upload the image file of your company logo. The image
must be a GIF, JPG, PNG, or BMP file. The file cannot be larger than 190 x 33 and must be 1 MB
or lower. Click Default to use the default image as your company logo.
• Header Color / Font Color: Click the color box and set a color for the header and the header
text.
• Preview: Preview the company logo.

3. Click Save.
Setting 469
Managing administrator accounts
Add and manage other administrators’ accounts. Management of administrator accounts includes
changing passwords, selecting profiles and organizations to manage for administrators, and
activating technical support administrator access to user devices.
Administrators in Knox Manage are categorized into three types:
Type Description
• Add, modify, delete, activate, and deactivate sub-administrator accounts.

Super • Grant sub-administrators administration rights.
administrators • Select profiles to manage for sub-administrators.
• Select organizations to manage for sub-administrators.
• Manage the profiles designated by a super administrator or the profiles they
created.
Sub-administrators
• Manage the organizations designated by a super administrator or the
organizations they created.
Read-only
Only view all menus, including menus for administrators, in the Admin Portal.
administrators
Service
Sends device commands. You can allow all device commands or select specific
administrators
device commands for service administrator use.
(read only)
Adding an administrator
To add an administrator account, complete the following steps:
1. Navigate to Setting > Administrator.
2. On the “Administrator” page, click Add.
3. On the “Add Administrator” page, enter the following information:
• Event Type: Select how to add an administrator.

–– New: Create a new administrator account.
–– EMM User: Select a user from among the previously added users to be an administrator.
• Admin ID: Enter the administrator ID.

• Admin Name: Enter the administrator name.
• Email: Enter the administrator’s email address.
Setting 470
• Mobile Number: Enter the mobile phone number of the administrator.
• Type: Select the administrator type.
• Menu: Select the administration rights to give to the administrator.
• Service Type: Select which device commands service administrators are allowed to use.
–– Allow All Device Command: Allows service administrators to use all device commands.
–– Selected Device Command Only: Allows service administrators to use only selected device
commands.
• Device Command: Select a device command to allow for service administrators.

4. Click Save.
Changing passwords (super administrators)

Super administrators can change their account passwords and the passwords of sub-administrator
accounts.
To change passwords, complete the following steps:
2. On the "Administrator" page, click the checkbox for an administrator you want to change the
password of, and then click Change Password.
3. In the “Change Password” window, enter a new password.
4. Click Save.
Changing passwords (sub-administrators)

The initial password is designated by the super administrator. Sub-administrators must ask the super
administrator for an initial password for their first login. After the initial login, the “Change Password”
window will appear, allowing sub-administrators to change the password.
Selecting profiles to manage for sub-administrators

To select profiles to manage for sub-administrators, complete the following steps:
Setting 471
2. On the "Administrator" page, click the checkbox for a sub-administrator you want to give profiles to
manage to, and then click Assign.
3. In the “Select Profile” window, click the checkbox for profiles on the profile list, and then click
Assign.
• To delete the selected profiles from the selected profile list, click the checkbox that is checked
already to delete them.
4. Click Save.
Selecting organizations to manage for sub-administrators

To select organizations to manage for sub-administrators, complete the following steps:
2. On the "Administrator" page, click the checkbox for a sub-administrator you want to give
organizations to manage to, and then click Assign.
3. In the “Select Organization” window, select an organization from the All Organizations area and
click Assign.
• To delete the selected organizations from the assigned organization list, click in the row of
the organization you want to delete in the Selected Organization area.
4. Click Save.
Activating administrator accounts

When administrators do not sign in to Knox Manage for a long time, their accounts become inactive.
If inactive accounts are used to attempt to sign in to Knox Manage, a message notifying that the
account has been locked appears and the login attempt fails. Inactive accounts can be activated
again only by super administrators.
Setting 472
To activate administrator accounts, complete the following steps:
2. On the "Administrator" page, click the checkbox for an administrator you want to activate, and then
click Change Status.
3. In the "Change Status" window, click OK.
Note If you click Active in the row of an administrator, you can deactivate the administrator.
Activating technical support administrators

When technical support is necessary, you can allow technical support administrators to control the
Admin Portal. By activating technical support and setting the activation period, technical support
administrators can access the Admin Portal through the TMS admin portal and provide technical
support.
To activate technical support administrators, complete the following steps:
1. On the header, click next to the account ID.
2. Click Technical Support.
3. On the "Technical Support" window, click Activate Technical Support and set the access period.
• The start date of the access period is automatically set to the current date and can be
modified.
4. Click Save.
5. In the “Save” window, click OK.
Setting 473
12
Monitoring
Monitoring
Monitor the data in the Knox Manage server, such as the device status, user status, and so on. You
can also check the status of Knox Manage using audits, alerts, and history.
→→ Setting the dashboard

→→ Viewing reports
→→ Viewing audits
→→ Managing alerts
→→ Viewing the device log
→→ Viewing the service history
Setting the dashboard

After you sign in to the Admin Portal, the dashboard consisting of various reports or widgets appears.
Three basic types of dashboard are provided and, in addition, you can create a new, customized
dashboard by selecting the reports or widgets you wish to see.
Basic dashboards
Three basic types of dashboard are as follows:
Default dashboard
• Device: Displays the number of mobile devices by status and net changes in the total number of
devices. Click the number to view the devices in detail. Click X Issue to view the list of devices that
contain profiles that are not applied or applications that are compromised.
• User: Displays the number of users by status and net changes in the total number of users. Click
the number to view the users in detail. It also displays the number of users with no registered
device. Click Request Enrollment to send an email with the installation guide to the users.
Monitoring 475
• Last Seen: Displays the number of devices connected to the Admin Portal depending on the last
connected time. It also displays the number of devices that exceed the standard of 24 hours. Click
Go to Device List to view all the devices.
• Device Command History: Displays the number of device commands sent from the Admin Portal
and its change on a daily or weekly basis. Click X Issue to view the queued device commands on
the Device Command in Request page. You can cancel or resend a device command.
• Assigned Profile: Displays the assigned profiles and the number of devices with profiles assigned
in descending order.
• Assigned Application: Displays the assigned applications and the number of devices with
applications assigned in descending order.
• Enrollment History: Displays the number of enrolled devices and activated users on a daily basis.
• Platform Type: Displays the number and ratio of enrolled devices by mobile platform. Click the
number to view the devices in detail.
• License: Displays the numbers of registrable devices and enrolled devices, and the remaining
validity period of them by license type, such as Knox Manage, Knox Workspace, and E-FOTA.
• Device location: Displays the last location of devices and their information on Google Maps. All
devices are displayed except for unenrolled devices. Use the search field to search for a user ID.
To set to view the device locations, click , and in the “Modify Default Dashboard” window, click
Use next to Device Location Widget, and then click OK.
EMM dashboard
• New User Weekly: Displays the users newly added within a week.
• App Download Top3 (Current): Displays the three most downloaded applications up to the current
date.
• Device Count by Platform: Displays the number and ratio of enrolled devices by mobile OS. You
can exclude/include the item to display by clicking the chart legend.
• Device Count by Status: Displays the number and ratio of enrolled devices by status. You can
exclude/include the item to display by clicking the chart legend.
Device location
Displays the last location of devices and their information on Google Maps. All devices are displayed
except for unenrolled devices. Use the search field to search for a user ID.
Monitoring 476
Widget type dashboards
More widgets that can be selected for a widget type dashboard. The components of the default
dashboard can be used as widgets.
• Assigned Content: Displays up to 10 of the most assigned content items.

• Android Management Type: Displays the number of Android devices by management type.
• Users by Organization: Displays the number of activated users by organization in descending
order.
• Group & Organization: Displays the number of groups and organizations.

• AD/LDAP: Displays the number of updated devices through AD/LDAP sync.
• Device Location: Displays the last location of devices and their information on Google Maps. All
devices are displayed except for unenrolled devices. Use the search field to search for a user ID.
Viewing another dashboard

To view another dashboard, complete the following steps:
1. Navigate to Dashboard.
2. On the right top of the screen, click the drop down field displaying the current dashboard name.
3. Click a dashboard name you want to view.
• If the selected dashboard is the one that you have created, the modification icon ( ) next to
the field is activated for modifying the dashboard. For more information about modifying the
dashboard, see Modifying dashboards.
Monitoring 477
Adding a dashboard
To add a new dashboard, complete the following steps:
1. Navigate to Advanced > Dashboard Management.
2. On the “Dashboard Management” page, click Add.
3. In the “Select Dashboard Type” window, select a dashboard type and click OK.
• Report Type: Customize a dashboard by selecting reports.

• Widget Type: Customize a dashboard by selecting widgets.
4. On the “Add Dashboard” page, enter the dashboard name, ID, and description.
5. Click next to Main Dashboard if you want to set the dashboard as the main dashboard.
• If you set the dashboard as the main dashboard, the dashboard will appear when you navigate
to the “Dashboard” page.
6. Click Select next to Report or Widget to add reports or widgets to the dashboard.
7. In the “Select Report” or “Select Widget” window, click the checkboxes for the reports or the check-
circles for the widgets you want to add and then click OK.
8. Configure the settings for the selected reports.
• Report Form: Select whether to display data through a table or a chart.

• Refresh Interval(Hour): Select the refresh interval for a report from 1 to 24 hours.
• Click See Input Value in the row of a report you want to view the detailed fields of.
• Click in the row of a report you want to delete.
9. If you have selected Last Seen from the widgets, you can set the ranges of the last seen period.
The last seen date range is more than 30 days.
10. Select the number of dashboard columns next to Layout and drag each to arrange the selected
reports or widgets.
• Click in the widget you want to delete.
11. Click Save.
12. In the “Save Dashboard” window, click OK.
Monitoring 478
Adding a dashboard based on an existing dashboard
To copy an existing dashboard to create a new dashboard, complete the following steps:
2. On the “Dashboard Management” page, click the checkbox for the dashboard you want to copy
and click Copy.
3. On the “Copy Dashboard” page, enter the dashboard name and ID.
4. Modify the existing information if necessary.
5. Click Save.
6. In the “Save Dashboard” window, click OK.
Managing dashboards
Change the main dashboard, which is displayed on the homepage, or modify existing dashboards.
Setting main dashboard

To set a dashboard as the main dashboard, complete the following steps:
2. On the “Dashboard Management” page, click the checkbox for the dashboard you want to set as
the main dashboard and click Change to Main.
3. In the “Change to Main” window, click OK.
Note You can remove the current main dashboard by selecting it and clicking Change to Sub. If there is
no main dashboard set in the dashboard list, the default dashboard becomes the main dashboard.
Monitoring 479
Modifying dashboards
Modify the newly added dashboards. Basic dashboards cannot be modified.
To modify dashboards, complete the following steps:
2. On the “Dashboard Management” page, click the checkbox for the dashboard you want to modify
and click Modify.
3. On the “Modify Dashboard” page, modify the existing information.
4. Click Save.
Deleting dashboards
Delete the newly added dashboards. Basic dashboards cannot be deleted.
To delete dashboards, complete the following steps:
2. On the “Dashboard Management” page, click the checkbox for the dashboard you want to delete
and click Delete.
3. In the “Delete Dashboard” window, click OK.
Monitoring 480
Viewing reports
Reports provide information about devices, users, applications, and profiles and help take appropriate
action when necessary. Knox Manage offers various reports by default. In addition, you can add new
reports using the report queries provided by Knox Manage.
Viewing the report list

Navigate to Advanced > Report to view the report list.
Search for desired reports by report name, report ID, or

1 Search field
registrant.
Add a new report using report queries. For more information,

Add
see Adding a report.
Copy Copy the selected report and create a new report.

Function
2 Modify the selected report details. For more information, see
buttons Modify
Modifying reports.
Delete the selected report. For more information, see Deleting

Delete
reports.
View the brief information of the reports on the list. To view the
3 Report list information in a report, click View. For more information, see
Viewing a report.
Monitoring 481
Viewing a report
You can view reports provided by Knox Manage and reports created by administrators. In the search
field, enter System in the Registrant field to search for reports provided by Knox Manage.
To view a report, complete the following steps:
1. Navigate to Advanced > Report.
2. On the “Report” page, click View in the row of the report you want to view.
3. View the information in each tab.
• You can perform specific functions on the selected report on this page. The following function
buttons are available:
Back Return to the report list.
Refresh Update the report information.
Enter conditions and filter the information. For more information, see Entering input
Modify Input Value
values.
Download Chart
Download the chart as an image file.
Image
Export the report information to an Excel file. When exporting is complete, you can
Export as Excel download the exported list. In the header of the Knox Manage Admin Portal, click
> Download > My Download, and then click Download next to the exported item.
Entering input values

To enter report conditions, complete the following steps:
1. On the “View Report” page, click Modify Input Value.
2. In the “Modify Input Value” window, enter report conditions.
• The conditions you can enter vary depending on the data type of the report field.
Field Description Supported data type
Select a condition type between Constant and Variable.
• Constant: A fixed value. Enter the date directly in the

Condition Type YYYY-MM-DD format. • Date
• Variable: A calculated value by variables. Enter variables
in Date Type, Before and After, and Date Detail.
Monitoring 482
Field Description Supported data type
• String
Input Value Enter a character or number manually as an input value. • Number
• Date (Constant)
Select the reference point for the date setting between
Date Type
This Day and This Month.
• Date
Enter a negative or positive number to calculate the time

Before and After from the reference point. For example, if you enter “-1,” it • Date
means one day or one month ago.
Select a value for further specifying the calculated time. If

This Day is selected, you can specify the time of the day.
Detailed Settings
If This Month is selected, you can specify the day of the
• Date
month.
3. Click See Result.
4. In the “See Result” window, click OK.
Monitoring 483
Report list
The default reports are as follows. For the input values of reports, the input field values of the report
queries are used. For more information, see Report queries list.
Report name Description Report query
Displays the device information by licenses

Device List by License Device License
registered on the Admin Portal.
Displays the last location of devices and their

information on Google Maps. All devices
Device location are displayed except for deactivated or
disconnected devices. Use the search field
to search for a user ID.
New Registered Users Displays the newly added users.
New Registered Displays the daily number of newly added

Users(C) users in a table and chart. User Basic Information
Displays the users newly added within the

New User Weekly
week.
Displays the inventory of the enrolled

Device Inventory
devices.
Apps Installed on Displays the number of applications installed

Device per device.
Device Count by Displays the number of enrolled devices by

Version mobile OS and their version.
Device Basic Information
Status status.

Platform mobile OS.

Manufacturer mobile device manufacturer.
User Count by Group Displays the number of users by group. User by Group
Device Count by
Displays the number of devices by group. Device by Group
Group
Displays the security information, such as

Device Security
whether the device is compromised or the Device Security Status
Status
Keepalive status, by device.
Device SIM/Roaming Displays the detailed information about the

Device Details Information
Status SIM card and roaming status of devices.
Displays information about the currently

Latest Profile of
applied profile and the information about the Device Profile Status
Device
change of the latest applied profile by device.
Monitoring 484
Report name Description Report query
Activated Device
Displays the number of devices on which an App Information Installed in
Count per App
application is installed by application. Device
Installed
Device Command in Displays the target device information of the

Device Command in Request
Request device commands in queue.
Displays the number of the device

Device Command
commands in queue per device in Device Command Queue Count
Queue Count
descending order.
Displays the applications newly added within

New Registered Apps App Basic Information
the week.
App Download Displays the current ranking by application

Ranking (Current) downloads. App Download Ranking
App Download Top3 Displays the three most downloaded (Current)
(Current) applications up to the current date.
App Download Displays the application download rankings

Ranking (Stats) of the previous day.
App Download Ranking (Stats)
App Download Top3 Displays the three most downloaded
(Stats) applications of the previous day.
Monitoring 485
Adding a report
Add a new report using report queries. Report queries are for filtering data or viewing statistics from
the aggregate table in the Knox Manage database.
To add a new report using report queries, complete the following steps:
2. On the “Report” page, click Add.
3. On the “Add Report” page, enter the report information.
• Report Name: Enter the report name.

• Report ID: Enter the ID for the new report.
• Description: Enter a description for the report.
• Chart: Select the chart type of the report.
• Legend: Select the location of the chart legend.
• Report Queries: Select the report query for the report. For more information, see Report queries
list.
4. Click Add next to Output Fields.
5. In the “Add Output Field” window, click the checkboxes for the report fields you want to add and
click OK.
6. Configure the detailed settings of the selected fields depending on their data types.
• To delete selected fields, click the checkbox for the fields you want to delete and then click
Delete.
• To rearrange the selected report fields, click the checkbox for a field and click or .
Data type Setting
• Output Name: Change the field name if necessary.

String • Chart Setting: Select the field as the chart category if you want to display the
chart.

• Output Format: Select the number display format.
Number • Summary Type: Select the numeric value to display on the chart from among
sum, average, maximum, and minimum.
• Chart Setting: Select the field as the chart series or category if you want to
display the chart.
Monitoring 486
Data type Setting

• Output Format: Select the date display format.
Date
• Chart Setting: Select the field as the chart category if you want to display the
chart.
7. Click Save.
8. In the “Save Report” window, click OK.
Adding a report based on an existing report

To copy an existing report to create a new report, complete the following steps:
2. On the “Report” page, select the report you want to copy and click Copy.
3. On the “Copy Report” page, enter the report name and ID.
4. Modify the existing information if necessary.
5. Click Save.
Monitoring 487
Report queries list
The default report queries are as follows. Each report query has input fields and output fields. Output
fields are used as elements included in reports. Input fields are the example for input values when
entering conditions of reports.
Report query Output field Input field
App Basic • Category • Test App • LANG

Information –– Input value: ko, en, zh
• App Name • Kiosk App
• App Version Code • Supporting Devices • APP_NAME
• App Version • Supporting Devices • APP_PLATFROM
• Package • Grade –– Input value: Android,
iOS, Windows
• App Type Code • Valid from
• APP_TYPE
• App Type • Valid To
–– Input value: IA, PA (IA:
• App Status • Registration Date Internal application, PA:
• Status • Download Public application)
• Platform • Source • IS_ACTIVATED
• IS_TEST
–– Input value: Y, N
• IS_KIOSK
–– Input value: Y, N
• DEVICE_TYPE
–– Input value: A, P, T (A:
All devices, P: Phone-
only, T: Tablet-only)
• ENROLL_DAYS
App Download • Ranking • Platform • LANG
Ranking (Current)
• Statistics Date • Test App • RANK
• Category • Kiosk App
• App Name • Supporting Devices
• App Version Code • Supporting Devices
• App Version • Grade
• Package • Valid from
• App Type Code • Valid To
• App Type • Registration Date
• App Status • Download
• Status
Monitoring 488
App Download • Ranking • Platform • LANG

Ranking (Stats)
• Statistics Date • Test App • RANK
• Category • Kiosk App
• App Name • Supporting Devices
• App Version Code • Supporting Devices
• App Version • Grade
• Package • Valid from
• App Type Code • Valid To
• App Type • Registration Date
• App Status • Download
• Status
App Download • Tenant ID • Test App • FROM_DATE
Statistics
• Statistics Date • Kiosk App • TO_DATE
• App ID • Grade
• App Name • Valid from
• Category ID • Valid To
• Category • Registration Date
• App Version Code • Download Total
• App Version • Download Last Year
• Package • Download Last 6
Month
• App Type Code
• App Status • Download Last 3
Month
• Platform
• Download Last 1
• Supporting Devices Month
• Auto Update • Creation Date
App Information • Package • Platform • DEVICE_STATUS
installed in Device –– Input value: BS, A, BL,
• App Name • Device Status
P, I (BS: Disconnected,
• App ID • Status
A: Enrolled, BL: Expired,
• EMM • Device Count P: Provisioned, I:
• App Version Code • Compromised Count Unenrolled)
• App Version • Installed Area • IS_NOT_LATEST
• Device ID • App Size –– Input value: Y, N
• Mobile ID • Mandatory
• User ID • No. of execution
• Platform
Monitoring 489
Device Basic • Device ID • Creation Date • USER_ID

Information
• Mobile ID • Present device • USER_NAME
management profile
• User ID • ORG_CODE
applied date
• User Name • ORG_NAME
• Last Connection
• Organization Code Date • OWNERSHIP
• Organization Name –– Input value: E, EC (E:
• Whether to be
BYOD, EC: COPE)
• Ownership code compromised
• Ownership • PLATFORM_CODE
• App Count
–– Input value: A, i, W
• Platform • Compromised App (A: Android, i: iOS, W:
• Platform Count
Windows)
• Network Service • Official App Count • VERSION
Provider Code • Whether the app to
• STATUS
• Network Service be compromised
–– Input value: BS, A, BL,
Provider Name • Battery Level (%) P, I (BS: Disconnected,
• Device Version • Memory Size (GB) A: Enrolled, BL: Expired,
• Device Version code P: Provisioned, I:
• Memory Usage (GB)
Unenrolled)
• Device Version • RAM Memory Size
(GB) • MANUFACTURER
• Phone
• RAM Memory Usage • MODEL
• Model
(GB) • IS_ROOTING
• Device OS
• AP Type –– Input value: Y, N
• Device Status
• AP Speed (GHz) • UNCONNECTED_DAYS
• Status
• Network transfer
• Modem Firmware data (in) (MB)
• Build Number
• Network transfer
• Build Type data (out) (MB)
• Product Name • Wi-Fi transfer data
• Device Kind (in) (MB)
• Manufacturer • Wi-Fi transfer data

(out) (MB)
• Device Organization
• Device Count
• Device Name
Device by Group • Group ID • Target Type code • GROUP_ID
• Group Type code • Target Type • GROUP_TYPE
• Group Type • Device ID –– Input value: User,
Device, SYNC
• Mobile ID
• Device Count • TARGET_TYPE
–– Input value: 0, 1 (0:
User Member, 1: Device
Member)
Monitoring 490
Device Command • Sent Date • User Name • PLATFORM_CODE

in Request –– Input value: A, i, W
• Mobile ID • IMEI
(A: Android, i: iOS, W:
• Platform Code • Phone
Windows)
• Platform • Transfer target
• MOBILE_ID
• Device Status Code • Device Command
Type • USER_ID
• Status
• User ID • Queue Count
Device Command • Ranking • User Name • PLATFORM_CODE

Queue Count –– Input value: A, i, W
• Mobile ID • IMEI
• Platform Code • Phone
Windows)
• Platform • Queue Count
• MOBILE_ID
• Device Status Code • Last Device
Command • USER_ID
• Status
• User ID • Last Sent Date
Device Details • Mobile ID • ICCID • USER_ID

Information
• User ID • SIM Status • USER_NAME
• User Name • SIM Country • ORG_NAME
• Email • SIM Network • PLATFORM_CODE
• Organization Name • Roaming Status –– Input value: A, i, W
• Ownership code • Current Country
Windows)
• Device Status Code • Current Network
• DEVICE_STATUS_CODE
• Status • Voice Roaming –– Input value: BS, A, BL,
• Platform Code • Data Roaming P, I (BS: Disconnected,
• Platform • IMSI A: Enrolled, BL: Expired,
P: Provisioned, I:
• Device Version • Device OS
Unenrolled)
• Phone • Device ID
• MAC Address • Telephone Type
• Model • Network Type
• Firmware • Modem Firmware
• IMEI • Manufacturer
• Serial Number • Device Type
• Device Count
Monitoring 491
Device License • License Key • Device Status Code • LICENSE_TYPE

• License Type • Status –– Input value: E-FOTA,
Knox Manage, Knox
• License Total • Mobile ID
Workspace
• Start Date • Platform Code
• End Date • Platform
• User ID • Device Count
• User Name • IMEI
• Device ID • Serial Number
Device Security • Device ID • Lock Status • USER_ID
Status
• Mobile ID • Locked Time • PLATFORM_CODE
• User ID • Unmanaged Status –– Input value: A, i, W
• User Name • Unmanaged Time
Windows)
• Platform Code • Device Count
• DEVICE_STATUS_CODE
• Platform • Last Device –– Input value: BS, A, BL,
Command
• Device Status Code P, I (BS: Disconnected,
• Device Status • Last Device A: Enrolled, BL: Expired,
Command Status P: Provisioned, I:
• Compromised
Unenrolled)
Device Status
• ROOTING_STATUS
–– Input value: Modified,
Official
• LOCK_STATUS
–– Input value: Locked,
Unlocked
• UNMANAGED_STATUS
–– Input value: Managed,
Unmanaged
User Basic • User ID • Site Code • USER_ID

Information
• User Name • Site Name • USER_NAME
• Email • Security Level Code • ENABLED
• Contact • Security Level –– Input value: 0, 1
(0: Deactivated, 1:
• Organization Code • Enabled
Activated)
• Organization Name • Status
• REGISTERED_DAY
• Company Code • Registration Date –– Input value: Number
• Company Name • User Count (e.g. “7” means that list
• Position Code • Number of Enrolled of users for last 7 days
Devices from current date)
• Position Name
• Number of
Registered Devices
Monitoring 492
User by Group • Group ID • Type code • GROUP_ID

• Group Type code • Target Type • GROUP_TYPE
• Group Type • User ID –– Input value: User,
Device, SYNC
• Target • User Name
• User Count • TARGET_TYPE
–– Input value: 0, 1 (0:
User Member, 1: Device
Member)
Managing reports
Modify or delete the newly added reports. The default reports cannot be modified or deleted.
Modifying reports
To modify the newly added reports, complete the following steps:
2. On the “Report” page, click the checkbox for the report you want to modify and click Modify.
3. On the “Modify Report” page, modify the existing information.
4. Click Save.
Deleting reports
To delete the newly added reports, complete the following steps:
2. On the “Report” page, click the checkbox for the report you want to delete and click Delete.
3. In the “Delete Report” window, click OK.
Monitoring 493
Viewing audits
Knox Manage provides audit service to monitor all tasks and records which occur while operating
Knox Manage. Auditing targets are called audit events and they can be customized. The events which
occur on the Admin Portal, the server, or enrolled devices are recorded in the log.
Understanding audit events

Audit events can be categorized by their point of occurrence and severity.
Occurrence point
• Console: Includes the events that occurred in the Admin Portal, such as the administrator’s login,
the management of policies and applications, and the connection of integrated systems.
• Device: Includes the events that occurred on mobile devices, such as device login, certificate
issuance, and the reception of device commands. If the audit log file on a device exceeds the size
limit, the file is sent to the server automatically and the audit logs are recorded in a new file.
• Server: Includes the request and respond events that occurred on the Knox Manage server when
the server and mobile devices communicate. The scheduled tasks on the server are also included.
Severity level
Level Name Description
Indicates that the event is a serious error. Your immediate action is

High Critical
required.
Indicates that the event is a general error. Your action is required but
Error
not urgent.
Warning Indicates that the event may potentially cause a problem.
Notice Indicates that you should be aware of the event.
Info Indicates that the event is for general information.
Low Debug Indicates that the event is defined in detail for developers.
Note To receive an alert about an audit event, set the alert level lower than the severity level of the audit
event. For more information, see Configuring alerts.
Monitoring 494
Viewing the audit list
Navigate to History > Audit Log to view the audit list
Search for desired audits by user ID, device name, audit result,
1 Search field
log date, audit type, event category and event name.
Manage Audit Set audit events to be recorded in the audit logs. For more
Function Target information, see Setting audit targets.
2
buttons Download audit logs and save them in an Excel file. For more
Download
information, see Downloading audit logs as an Excel file.
3 Audit list View the brief information of the audits on the list.
Monitoring 495
Setting audit targets
To set audit events to be recorded in the audit logs, complete the following steps:
1. Navigate to History > Audit Log.
2. On the “Audit Log” page, click Manage Audit Target.
3. In the “Manage Audit Target” window, click the checkbox for the audit events you want to set as
auditing targets.
• The severity of the selected audit events are recorded in the logs based on the value in the
Level column if the events are successful, and based on the value in the Fail Level column if the
events fail.
• For more information about audit event types and event categories, see Audit event
classification.
• You can cancel the selected auditing targets by removing the checkmark.
4. Click Save.
5. In the “Set Audit target” window, click OK.
Viewing audit logs

To view the log of audit events, complete the following steps:
2. Search for the audit logs you want to view.
• You can search for audit logs by selecting the audit event type and the log period.
–– Audit Type: Select the audit event type. Console/Server includes the history of device
commands sent from the Admin Portal and the changes made due to batch tasks on the
server. Device includes the history of policies applied to mobile devices, device enrollment,
and the event occurred on devices, such as revoking the enrollment of the Knox Manage
Agent.
–– Log Date: Select the start and end date of the log period.
Monitoring 496
3. View the audit logs.
• The View field displays the request ID. The request ID helps to track how the audit event is
applied to a device. The first three letters of the request ID complies with the following rule:
–– The first letter: Mobile OS of the device (A: Android, I: iOS, W: Windows)
–– The second letter: Application type (A: Android/iOS Knox Manage Agent, C: iOS Knox
Manage Client)
–– The third letter: Start point of the process (S: Server, D: Device)
E.g. AAS: The audit event started from the server and applied to the Knox Manage Agent
installed on the Android device.
• The User ID field displays the source of the audit event. If the audit event type is Console/
Server, refer to the following information:
–– When the audit event occurs while sending a device command or operating Knox Manage,
the administrator’s ID is displayed.
–– When a device command is sent, the administrator’s ID is displayed.
–– When a scheduled task is performed on the server, “SYSTEM” or the batchuser ID is
displayed.
• The Device Name field displays the name of the device on which the audit event occurred. If
there is no device or the audit event is a scheduled task, blank is displayed.
• If you can click in the row of a log, you can view the following information.
Item Description
• Request History: Detailed request of the audit event

• Result Code: The audit event result and its code
Process Info • Result History: Detailed result of the audit event. When you change a policy in
the Admin Portal, a new event is recorded in the profile category. E.g.) When an
Android policy is changed, all policy events to be saved in the request history of
“Save General Policy” are displayed.
This information appears only for the following audit events.
• The Server type: Agent Request to lock screen (Device → Server), Agent Request
Log Data to unlock device (Device → Server), Agent Request for work report (Device →
Server), Handle multiple devices by sending device control
• The Device type: Device Lock/Unlock History
4. To view the detailed flow of an audit event, click the request ID in the View field.
Monitoring 497
5. In the “Audit Event” window, view each audit log.
• The request ID helps track how the audit event is applied to a device. Click to view more
details.
Downloading audit logs as an Excel file

Download audit logs and save them in an Excel file. Downloaded logs are not deleted from the Knox
Manage server.
To download audit logs as an Excel file, complete the following steps:
2. Search for the audit logs you want to download.
• You can search for the audit logs by selecting the audit event type and the log period.
• You can also search for the audit logs by using the search field.
3. Click Download.
4. In the “Download” window, click OK.
Monitoring 498
Audit event classification
The classification of audit events based on the type and event category is as follows. For more
information about audit events, see Lists of audit events.
Occurrence point
Event Category
Console Server Device
AD/LDAP Sync O O
Admin Login O
Administrators O O
Alerts O
Android Enterprise O O
Applications O O
Certificate Status O
Certificates O
Compliance O O
Connectors O
Content O O
Dashboard O
Device O
Device Command O O O
Device Enrollment
O O
Program
Devices O O
E-FOTA O O
Email O O
EMM Agent (Knox

O
Manage Agent)
EMM Client (Knox

O
Manage Client)
Enrollment O O
Groups O
Integrations O
InventoryScheduler O
Kiosk Launcher O
Monitoring 499
Occurrence point
Event Category
Console Server Device
License
O
Management
Logs O O O
Notices O
Organization O
Profile O
Profiles O O O
Provision O
SEG Profile O O
Service Profiles O O
Settings O
SMS O O
System
O
Configuration
Time Trigger O
TxHistory O
User O
User Login O
User Management O
VPP Management O O
Windows O
Monitoring 500
Managing alerts
Set alerts for important audit events. When the audit events set as alerts occur, the number of
occurrences is displayed next to the History and Alert menus to help facilitate your next action.
Viewing entire alerts

To view the alerts of audit events, complete the following steps:
1. Navigate to History > Alert.
2. On the “Alert” page, enter a device name, select an alert type, event type, audit event, level of alert,
log date, and set the period, and then click Search.
3. Click the alert you want to view.
• There are four categories of alerts:

–– Failed Policies: Informs you that sent device commands or policies are not applied to
devices.
–– Changes in Device Status: Informs you of the device’s status change to Disconnected. In
this case, you cannot control the device because the Keepalive settings are expired and the
device does not communicate with the Knox Manage server.
–– Security Violation: Informs you of devices on which security violations have been detected
during periodical device inspection.
–– Others: Informs you of the occurrence of other types of audit events.
4. In the “Audit Log Detail” window, view the detailed information about the audit event.
• The necessary actions you must take according to the alert category are as follows:
Alert category Description
• If you cannot click the mobile ID on the alert list, it means the device’s status is
Unenrolled, Provisioning, or Disconnected and the policies are not applied. Check
the device’s status in Device.
Failed Policies
• If you see a log message about APNs or FCM in the “Log Detail” area, it means
the Public Push value is not registered. Register an APNs certificate in Setting >
iOS > APNs Setting. To configure the FCM settings, contact a TMS administrator.
Click the mobile ID of the disconnected device and check the Keepalive status. Also,
Changes in Device tell the device user to check the device’s network connection status. The violation of
Status Keepalive is detected when the connection of the device and the server is lost longer
than the time set in the Keepalive settings.
Monitoring 501
Alert category Description
• View the name of the package or application reported as the cause of the
problem in the “Log Detail” area and uninstall the package or application.
Security Violation • When the device’s status is Disconnected, the audit event “Agent Request to
report policy violation” occurs. In History > Audit Log, search for and view the
audit log to find out the cause of the disconnection.
Configuring alerts
Customize the alerts of audit events. You can also modify the default settings for alerts, such as the
level, and result.
To configure alerts, complete the following steps:
1. Navigate to History > Alert.
2. On the “Alert” page, click Manage Alerts.
3. In the “Manage Alerts” window, click the checkboxes for the audit events you want to add from the
All Audit Event area.
• To delete the selected audit events from the alert list, click in the row of the event you want
to delete in the Selected Audit Event area.
4. In the Selected Audit Event area, modify the level and result of the alerts if necessary.
• Type: Select an alert type.

• Level: In default, the alert level is set the same as the audit event level. Click the alert level and
modify it. To receive an alert, the alert level must be set the same or lower than the audit event
level. For more information about audit event levels, see Severity level.
• Status: Select the audit event result to receive an alert for when the result is a success, fail, or
for both.
5. Click Save.
6. In the “Save changes” window, click OK.
Monitoring 502
Viewing the device log
View device logs for monitoring device operation. Device logs include the inventory and log
messages of applied policies and device commands. The device with policy applied collects the log
based on the policy. For more information about the log policy, see Logging.
The default settings for device logs are as follows:
• Maximum collection capacity: 10 MB

• Maximum storage period: 7 days
• Log level: Records about debugging and other logs for developers
To view device logs, complete the following steps:
1. Navigate to History > Device Log.
2. On the “Device Log” page, search for a device by device name or user name. You can also search
by setting the collection date.
3. Click the row of the device.
4. In the “Log Files” area, view the log files.
• You can filter the collection period.

• The name format of log files is EMMAgent_yyyymmdd.
• To export a device log to a text file, click in the row of the log you want to export.
• To delete a device log, click in the row of the log you want to delete.
Monitoring 503
Viewing the service history
View the history of device commands or emails/messages sent from the Admin Portal.
Viewing device command history

To view the device command logs by each user or device, complete the following steps:
1. Navigate to History > Device Command History.
2. On the “Device Command History” page, enter a request date and a user or device name, and then
click Search.
3. Click a device command.
• If you click Detail in the row of a log, you can view the following information.
Item Description
• Request History: Detailed request of the audit event

• Result Code: The audit event result and its code
Process • Result History: Detailed result of the audit event. When you change a policy in
the Admin Portal, a new event is recorded in the profile category. E.g.) When an
Android policy is changed, all policy events to be saved in the request history of
“Save General Policy” are displayed.
This information appears only for the following audit events.
• The Server type: Agent Request to lock screen (Device → Server), Agent Request
Log Data to unlock device (Device → Server), Agent Request for work report (Device →
Server), Handle multiple devices by sending device control
• The Device type: Device Lock/Unlock History
To view the device command logs by each group or organization, complete the following steps:
1. Navigate to History > Group Command History.
2. On the “Device Command History in Group or Organization” page, enter a request date and a group
ID or organization name, and then click Search.
3. Click a group or organization name.
Monitoring 504
Viewing message history
View the history of sent emails and text messages.
• Emails are sent through the SMTP email delivery service. Knox Manage only tracks whether
an email has been sent successfully to the SMTP server. The recipient’s receipt of the email is
unknown.
• For text messages, Knox Manage only tracks whether a message has been sent. Whether the
message was received is unknown.
To view the emails or messages you have sent to users, complete the following steps:
1. Navigate to History > Email & SMS History.
2. On the “Email & SMS History” page, enter a user ID, email, or mobile number, and then set the send
date.
3. Click Search.
4. View the email and/or message history.
• To view the content of an email or message, click the email or message subject.
• When “Success” appears in the Status column, it only indicates that the email has been sent
successfully to the SMTP server, and the message has been sent from the Admin Portal. When
“Failed” appears in this column, you can check the failure cause in the “Log Detail” window.
• In the Sender ID column, the email sender account ID or the phone number of the outgoing text
message is displayed.
Monitoring 505
13
Appendix
Appendix
View the detailed information about audit events, error codes, and the Open API list used in the
Admin Portal. You can also refer to the glossary to understand the technical terms and abbreviations
used in this guide.
→→ Lists of audit events

→→ Lists of error codes
→→ List of Open API
→→ Glossary
Appendix 507
Lists of audit events
View the detailed information of audit events. You can view the lists of the audit events for the user
devices, servers, and the Admin Portal.
Device audit events

The list of device audit events for user devices while using Knox Manage is as follows:
Event Category Event Name
• Cert Issue Fail (Key Generation Error)

• Cert Verification Fail (Unknown)
• BasicConstraints Check Error
• Path Check Error
• Valid Date Check Error
• CRL Check Error
Certificate Status
• Cert Verification Fail (Unknown)
• Cert Issue Request
• Cert Issue Success
• Cert Issue Fail (Parameter Error)
• Cert Issue Fail (Not-initialized Object Error)
• Cert Issue Fail (Internal Error)
• Violated version control policy (Device)
Compliance • Violated recording prevention policy (Device)
• Check System Forgery
Appendix 508
• Failed to lock EMM screen (Device)

• Log on status is changed to logout (Device)
• Managed Google Play token issuance (Device)
• Managed Google Play account registration (Device)
• Managed Google Play account report (Device)
• Managed Google Play account removal (Device)
• SIM Card changed
• Network usages resetted.
Device
• Cellular data limit reached.
• Call limit reached.
• Agent has been started.
• Agent has been shutdowned.
• Failure of the randomization process.
• Failure of policy validation.
• Result of importing the certificates to be used for authentication of Agent
communications.
• Keepalive Time Limited

• Keepalive Notice
• Device Command Received
• Verify Device Command
• Device Command Added
• Device Command Process Started
• Device Command Process Finished
• Failure Installation Package
• Failure Installation Package in KNOX
Device Command • Failure Uninstallation Package
• Failure Uninstallation Package in KNOX
• Device Diagnosis Information
• Device Lock/Unlock History
• Failure Installation Package in Work Profile
• Failure Uninstallation Package in Work Profile
• Policy violation detected
• Exit due to policy violation
• Change Trigger State
• Change Profile
Appendix 509
• Device Boot Completed

• Change Network Connectivity
EMM Agent
• Change Agent Context
• Initialize Agent
• EMM Login Failed
• EMM Client Screen UnLock Failed
EMM Client • EMM Login Failed Count Exceeded
• EMM Client Screen UnLock Failed Count Exceeded
• Change Screen Lock Password EMM Client
• Push Registration Succeeded
• Push Unregistration Succeeded
• Enroll EMM Agent Started
• Enroll EMM Agent
• Unenroll EMM Agent Started
• Unenroll EMM Agent
Enrollment • Enable Device Admin
• Disable Device Admin
• Activate ELM License
• Activate KLMS License
• Enrollment Request by UMC Agent
• Report Enrollment Completed to UMC Agent
• Report Unenrollment Completed to UMC Agent
• Application installation request (Kiosk)
Kiosk Launcher
• Application list request (Kiosk)
• Start Audit Logging
Logs • Send Audit Log To Server
• Send EMM Agent Log
• Device Password Attempts Failed Count Exceeded
• Scheduler Raised
Profiles • KioskMode Result
• SIM card PIN code change
• Factory Reset Protection policy configured successfully.
User • Agreed to disable fingerprint lock (Device)
Appendix 510
Server audit events
The list of server audit events for the Knox Manage server and the external requests or inventory
scheduler from devices is as follows:
• Start external sync work

• Stop external sync work
• Add User By Sync
• Modify User By Sync
• Delete User By Sync
• Ignore AD/LDAP Synced User
• Error Occurred While Synching User
• Add Organization By Sync
• Modify Organization By Sync
AD/LDAP Sync
• Delete Organization By Sync
• Ignore AD/LDAP Synced Organization
• Error Occurred While Synching Organization
• Initialize Sync Process
• Finish Sync
• Start external sync operation
• Stop external sync operation
• Automatically send profile to target users after synchronization ends
• Request managed apps mapping action to target users after synchronization ends
Administrators • Delete the export files that have elapsed the retention period
• Failed to request the authentication token for Android Enterprise device
Android Enterprise enrollment
• Failed to update Google Device ID (Google → Device)
• Modify App Status Due To App Service Expiration Date
• Failed to import the app information from the multiple apps
Applications
• Request the Uninstall App device command in a group or organization
• Request to transfer App Install Device Command to assigned device
• Report policy violation
• Start Keepalive Check
Compliance
• Close Keepalive Check
• Handle Keepalive violations
Appendix 511
• Check Point MTP Malware detection information

• Update Device Status (System Block)
Compliance • Run Keepalive task
• No Keepalive task or not configured
• Update Device Status (Disconnected)
• Request Content List
Contents
• Report Content Status
• Distribute the latest device management profile/app information (Device control
transmit)
• Distribute the latest device management profile (Device control transmit)
• Distribute the latest information on internal application (Device control transmit)
• Implement User-defined event - Activate (Device control transmit)
• Implement User-defined event - Deactivate (Device control transmit)
• Implement Gate event - Activate (Device control transmit)
• Implement Gate event - Deactivate (Device control transmit)
• Disable Exchange block - Activate (Device control transmit)
• Disable Exchange block - Deactivate (Device control transmit)
• Install app (Device control transmit)
• Implement app (Device control transmit)
• Close app (Device control transmit)
Device Command
• Delete app data (Device control transmit)
• Delete app (Device control transmit)
• Allow/Disallow running an app - Allow (Device control transmit)
• Allow/Disallow running an app - Disallow (Device control transmit)
• Lock/Unlock the device - Lock (Device control transmit)
• Lock/Unlock the device - Unlock (Device control transmit)
• Reset screen password (Device control transmit)
• Factory reset (Device control transmit)
• Power off the device (Device control transmit)
• Reboot the device (Device control transmit)
• Initialize external SD card (Device control transmit)
• Activate/Deactivate CC mode - Activate (Device control transmit)
• Activate/Deactivate CC mode - Deactivate (Device control transmit)
Appendix 512
• Lock screen (Device control transmit)

• Attestation (Device control transmit)
• Initialize information on blocking (Device control transmit)
• Deactivate service (Device control transmit)
• Collect Audit log -Agent (Device control transmit)
• Collect log -Agent (Device control transmit)
• Collect diagnosis information (Device control transmit)
• Update License (Device control transmit)
• Update System app (Device control transmit)
• H/W status (Device control transmit)
• List of apps installed (Device control transmit)
• Location (Device control transmit)
• SIM verification (Device control transmit)
• Report the status (Device control transmit)
• Lock/Unlock container - Lock (Device control transmit)
• Lock/Unlock container - Unlock (Device control transmit)
• Reset container lock passcode (Device control transmit)
Device Command
• Delete container (Device control transmit)
• Install container app (Device control transmit)
• Run container app (Device control transmit)
• Close container app (Device control transmit)
• Delete container app data (Device control transmit)
• Delete container app (Device control transmit)
• Apply security policy (Device control transmit)
• Distribute the latest app management profile (Device control transmit)
• Check if a device has been rooted (Device control transmit)
• Unlock EMM Client (Device control transmit)
• Send a message (Device control transmit)
• Delete an account (Device control transmit)
• Collect Audit log - Client (Device control transmit)
• Collect log -Client (Device control transmit)
• Collect diagnosis information (Device control transmit)
• Update user information (Device control transmit)
Appendix 513
• Update system app (Device control transmit)

• Apply security policy - Deactivate (Device control transmit)
• Transfer event information (Device control transmit)
• Install AndroidForWork app (Device control transmit)
• Delete AndroidForWork app (Device control transmit)
• Deactivate service (Device control transmit)
• Invite program (Device control transmit)
• Invite To Program (Response)
• Check if an app has been installed (Device control transmit)
• Activate event to time - Deactivate (Device control transmit)
• Activate event to time - Activate (Device control transmit)
• Notice of a fail to activate service (Device control transmit)
• Request to activate visitor policy request (Device control transmit)
• Deactivate visitor policy request (Device control transmit)
Device Command
• Agent Invalid protocol
• Agent Invalid request
• Agent Request to distribute device management profile (Device → Server)
• Agent Respond to the request to distribute device management profile (Server
→ Device)
• Agent Request to enable/disable event (Device → Server)
• Agent Respond to the request to enable/disable event (Server → Device)
• Agent Request to block Exchange (Device → Server)
• Agent Respond to the request to block Exchange (Server → Device)
• Agent Request to disable blocking Exchange (Device → Server)
• Agent Respond to the request to disable blocking Exchange (Device → Server)
• Agent Request to install app (Device → Server)
• Agent Respond to the request to install app (Server → Device)
• Agent Request to run app (Device → Server)
• Agent Respond to the request to run app (Server → Device)
• Agent Request to close app (Device → Server)
• Agent Respond to the request to close app (Server → Device)
• Agent Request to delete app data (Device → Server)
Appendix 514
• Agent Respond to the request to delete app data (Server → Device)

• Agent Request to delete app (Device → Server)
• Agent Respond to the request to delete app (Server → Device)
• Agent Request to allow running app (Device → Server)
• Agent Respond to the request to allow running app (Server → Device)
• Agent Request to disallow running app (Device → Server)
• Agent Respond to the request to disallow running app (Server → Device)
• Agent Request to lock screen (Device → Server)
• Agent Respond to the request to lock device (Server → Device)
• Agent Request to unlock device (Device → Server)
• Agent Respond to the request to unlock device (Server → Device)
• Agent Request to reset lock device password (Device → Server)
• Agent Respond to the request to reset lock device password (Server → Device)
• Agent Request factory reset (Device → Server)
• Agent Respond to the request for factory reset (Server → Device)
• Agent Request to power off device (Device → Server)
• Agent Respond to the request to power off device (Server → Device)
Device Command
• Agent Request to reboot device (Device → Server)
• Agent Respond to the request to reboot device (Server → Device)
• Agent Request to initialize external SD card (Device → Server)
• Agent Respond to the request to initialize external SD card (Server → Device)
• Agent Request to set CC mode (Device → Server)
• Agent Respond to the request to set CC mode (Server → Device)
• Agent Request to turn off CC mode (Device → Server)
• Agent Respond to request to turn off CC mode (Server → Device)
• Agent Request to collect device information (Device → Server)
• Agent Respond to the request to collect device information (Server → Device)
• Multiple devices distributed sending
• Agent Request to update license (Device → Server)
• Agent Respond to the request to update license (Server → Device)
• Agent Request to update system app (Device → Server)
• Agent Respond to the request to update system app (Server → Device)
• Agent Request for SIM verification (Device → Server)
• Agent Respond to the request for SIM verification (Server → Device)
Appendix 515
• Agent Request to lock container (Device → Server)

• Agent Respond to the request to lock container (Server → Device)
• Agent Request to unlock container (Device → Server)
• Agent Respond to the request to unlock container (Server → Device)
• Agent Request to reset lock container password (Device → Server)
• Agent Respond to the request to reset container password (Server → Device)
• Agent Request to delete container (Device → Server)
• Agent Respond to the request to delete container (Server → Device)
• Agent Request to install container app (Device → Server)
• Agent Respond to the request to install container app (Server → Device)
• Agent Request to run container app (Device → Server)
• Agent Respond to the request to run container app (Server → Device)
• Agent Request to close container app (Device → Server)
• Agent Respond to the request to close container app (Server → Device)
• Agent Request to delete container app (Device → Server)
• Agent Respond to the request to delete container app (Server → Device)
• Agent Request to delete container app (Device → Server)
Device Command
• Agent Respond to the request to delete container app (Server → Device)
• Agent Request to report policy violation (Device → Server)
• Agent Respond to the request to report policy violation (Server → Device)
• Agent Request to reissue code to disable service (Device → Server)
• Agent Respond to the request to reissue code to disable service (Server →
Device)
• Agent Request for Attestation Nonce (Device → Server)
• Agent Respond to the request for Attestation Nonce (Server → Device)
• Agent Request for Attestation verification (Device → Server)
• Agent Respond to the request for Attestation verification (Server → Device)
• Agent Request for app information (Device → Server)
• Agent Respond to the request for app information (Server → Device)
• Agent Request to collect diagnosis information (Device → Server)
• Agent Respond to the request to collect diagnosis information (Server →
Device)
• Agent Request for work report (Device → Server)
• Agent Respond to the request for work report (Server → Device)
• Agent Request for command (Device → Server)
Appendix 516
• Agent Install profile (Server → Device)

• Agent Delete profile (Server → Device)
• Agent Search information on apps installed (Server → Device)
• Agent Search device information (Server → Device)
• Agent Search security information (Server → Device)
• Agent Device lock (Server → Device)
• Agent Reset password (Server → Device)
• Agent Factory reset (Server → Device)
• Agent Install app (Server → Device)
• Agent Information on apps installed through MDM
• Agent Delete app (Server → Device)
• Agent Set app properties (Server → Device)
• Agent Set the items included in app settings (Server → Device)
• Agent Information on Settings of apps installed through MDM (Server →
Device)
• Agent Information on properties of apps installed through MDM (Server →
Device)
Device Command
• Agent Feedback on settings of apps installed through MDM (Server → Device)
• Agent Initialize information on blocking (Server → Device)
• Agent Report status (Server → Device)
• Agent Respond to the request to handle command (Device → Server)
• Reset data usage (Device control transmit)
• Reset number of calls (Device control transmit)
• Agent Request to collect device and reset data usage (Device → Server)
• Agent Respond to the request to collect device and reset data usage (Server →
Device)
• Agent Request to collect device and reset number of calls (Device → Server)
• Agent Respond to the request to collect device and reset number of calls (Server
→ Device)
• Client Perform Server Init logic (Device → Server)
• Client Request to distribute the latest app management profile (Device →
Server)
• Client Respond to the request to distribute the latest app management profile
(Server → Device)
• Client Request for work report (Device → Server)
Appendix 517
• Client Respond to the request for work report (Server → Device)

• Client Request to activate application of security policy (Device → Server)
• Client Respond to the request to activate application of security policy (Server
→ Device)
• Client Request to deactivate application of security policy (Device → Server)
• Client Respond to the request to deactivate application of security policy (Server
→ Device)
• Client Request to delete security policy profile (Device → Server)
• Client Respond to the request to delete security policy profile (Server → Device)
• Client Request to backup bookmarks (Device → Server)
• Client Respond to the request to backup bookmarks (Server → Device)
• Client Request to backup homepages (Device → Server)
• Client Respond to the request to backup homepages (Server → Device)
• Client Request to send Device control (EMM Agent) (Device → Server)
• Client Respond to the request to send Device control (EMM Agent) (Server →
Device)
• Handle multiple devices by sending device control
Device Command
• Device command transmission for each area in multiple devices.
• Insert command
• Select command
• Delete command
• Update command
• Command queue retransmission is in progress.
• No target for command queue retransmission
• Command queue retransmission
• Command queue retransmission has started.
• Command queue retransmission is finished.
• Delete commands left due to unenrollment command
• Duplicated Command
• Delete records of policy violation (Device → Server)
• Delete records of policy violation (Server → Device)
• Agent Request for command (Server → Device)
• Client Request for command (Device → Server)
• Client Request for command (Server → Device)
Appendix 518
• Custom device control (Send device control)

• Request for command (Device → Server)
• Distribute device management profile (Server → Device)
• Collect device information (Server → Device)
• Device lock (Server → Device)
• Factory reset (Server → Device)
• Custom device control (Server → Device)
• Respond to the request to handle command (Device → Server)
• Start SyncML Session (Device → Server)
• Close SyncML Session (Server → Device)
• Register Push (WNS PFN) (Server → Device)
• Collect device and app information (Device control transmit)
• Collect device information (Device control transmit)
• Collect app information (Device control transmit)
• Collect current location information (Device control transmit)
• Collect audit information (Device control transmit)
• Collect log information (Device control transmit)
Device Command • Download content (Device control transmit)
• Update E-FOTA Firmware Version (Device control transmit)
• Agent Request to collect device and app information (Device → Server)
• Agent Respond to the request to collect device and app information (Server →
Device)
• Agent Request to collect app information (Device → Server)
• Agent Respond to the request to collect app information (Server → Device)
• Agent Request to collect device and current location information (Device →
Server)
• Agent Respond to the request to collect device and current location information
(Server → Device)
• Agent Request to collect device and audit information (Device → Server)
• Agent Respond to the request to collect device and audit information (Server →
Device)
• Agent Request to collect device and log information (Device → Server)
• Agent Respond to the request to collect device and log information (Server →
Device)
Appendix 519
• Agent Request to download content (Device → Server)

• Agent Respond to the request to download content (Server → Device)
• Agent Request to update fota firmware version (Device → Server)
• Agent Respond to the request to update fota firmware version (Server →
Device)
• Deactivate MDM agent for synchronization between server and device
• Flush command queue (Device control transmit)
• H/W status (Device control transmit)
• List of apps installed (Device control transmit)
• Send an INI File (Device → Server)
• Get device status (Device → Server)
• Send an INI File (Server → Device)
• Get device status (Server → Device)
• Collect Audit log - Client (Device control transmit)
• Collect log -Client (Device control transmit)
Device Command
• Check if a device has been rooted (Device control transmit)
• Agent Report status (Server → Device)
• Agent Invalid protocol
• Agent Invalid request
• Agent Request to distribute device management profile (Device → Server)
• Agent Respond to the request to distribute device management profile (Server
→ Device)
• Agent Request to install app (Device → Server)
• Agent Respond to the request to install app (Server → Device)
• Agent Request to run app (Device → Server)
• Agent Respond to the request to run app (Server → Device)
• Agent Request to close app (Device → Server)
• Agent Respond to the request to close app (Server → Device)
• Agent Request to delete app (Device → Server)
• Agent Respond to the request to delete app (Server → Device)
• Agent Request to lock screen (Device → Server)
• Agent Respond to the request to lock device (Server → Device)
Appendix 520
• Agent Request factory reset (Device → Server)

• Agent Respond to the request for factory reset (Server → Device)
• Agent Request to power off device (Device → Server)
• Agent Respond to the request to power off device (Server → Device)
• Agent Request to reboot device (Device → Server)
• Agent Respond to the request to reboot device (Server → Device)
• Agent Request to update license (Device → Server)
• Agent Respond to the request to update license (Server → Device)
• Agent Request to update system app (Device → Server)
• Agent Respond to the request to update system app (Server → Device)
• Agent Request to reissue code to deactive service (Device → Server)
• Agent Respond to the request to reissue code to deactive service (Server →
Device)
• Agent Request for app information (Device → Server)
• Agent Respond to the request for app information (Server → Device)
• Agent Request for work report (Device → Server)
Device Command
• Agent Respond to the request for work report (Server → Device)
• Agent Request for command (Server → Device)
• Agent Request to collect app information (Device → Server)
• Agent Respond to the request to collect app information (Server → Device)
• Agent Request to collect device and current location information (Device →
Server)
• Agent Respond to the request to collect device and current location information
(Server → Device)
• Agent Request to collect device and log information (Device → Server)
• Agent Respond to the request to collect device and log information (Server →
Device)
• Deactivate MDM agent for synchronization between server and device
• Request for property sync of app auto deletion when deactivating (Device →
Server)
• Respond to property sync of app auto deletion when deactivating (Server →
Device)
Appendix 521
• Request for profile deletion (Device → Server)

• Respond to profile deletion (Server → Device)
• Synchronize property of app auto deletion when deactivating (Device Command)
• Request for custom control (Device → Server)
• Respond to custom control (Server → Device)
• Respond to Agent command (Server → Device)
• Request for external SD card authentication (Device → Server)
• Respond to external SD card authentication (Server → Device)
• Authenticate external SD card (Device Command)
• Uninstall Application (MTP) (Device → Server)
• Uninstall Application (MTP) (Server → Device)
• Uninstall Application (MTP) (Device control transmit)
• Activate-Exception Profile
• Deactivate-Exception Profile
• Update event time (Device control transmit)
• Device command transmission for each area in one device
• Device command transmission for each area in multiple devices
Device Command • CSM deactivate (Device control transmit)
• CSM deactivation request (Server → Device)
• CSM deactivation response (Device → Server)
• Client Request for policy summary (Device → Server)
• Client Respond for policy summary (Server → Device)
• Collect EMM Client information (Server → Device)
• Update Agent User information (Server → Device)
• Agent Device Control Fail on a Device
• Client Device Control Fail on a Device
• Agent Device Control Success on a Device
• Client Device Control Success on a Device
• Request for Google managed app permission (Server → Google)
• Request for Management configuration of Google managed app (Server →
Google)
• Request for Google managed app installation (Server → Google)
• Request for Google managed app uninstallation (Server → Google)
• Request for user authentication password reset (Device → Server)
• Response to user authentication password reset (Server → Device)
Appendix 522
• Contents deployment (Send device control)

• Request for Agent contents deployment (Device → Server)
• Response to Agent contents deployment (Server → Device)
• Delete the audit logs elapsed over the retention period.
• Collect Profile ID (Device → Server)
• Collect Profile ID (Server → Device)
• Collect Profile ID (Send device control)
• Contents transfer
• Factory Reset (only) (Send Device Command)
• Agent Factory Reset (Only) request (Device → Server)
• Lock screen (Device → Server)
• Lock screen (Server → Device)
• SafetyNet Attestation Nonce Request (Device → Server)
• SafetyNet Attestation Nonce Request (Server → Device)
• SafetyNet Attestation Nonce Request (Device command transfer)
• SafetyNet Attestation Verification Request (Device → Server)
• SafetyNet Attestation Verification Request (Server → Device)
• SafetyNet Attestation Verification Request (Device command transfer)
Device Command
• Delete User Certificate (Device → Server)
• Delete User Certificate (Server → Device)
• Delete User Certificate (Device command transfer)
• Delete CA Certificate (Device → Server)
• Delete CA Certificate (Server → Device)
• Delete CA Certificate (Device command transfer)
• Delete CA Certificates for All Users (Device → Server)
• Delete CA Certificates for All Users (Server → Device)
• Delete CA Certificates for All Users (Device command transfer)
• Delete User Certificate for Work Profile (Device → Server)
• Delete User Certificate for Work Profile (Server → Device)
• Delete User Certificate for Work Profile (Device command transfer)
• Delete CA Certificate for Work Profile (Device → Server)
• Delete CA Certificate for Work Profile (Server → Device)
• Delete CA Certificate for Work Profile (Device command transfer)
• Delete All Users’ CA Certificates for Work Profile (Device → Server)
• Delete All Users’ CA Certificates for Work Profile (Server → Device)
• Delete All Users’ CA Certificates for Work Profile (Device command transfer)
• Push token initialization
Appendix 523
• Unlock Knox Manage Agent (Device control transmit)

• Lock Screen of Knox Manage Agent (Device control transmit)
• Exit Kiosk (Device → Server)
• Exit Kiosk (Server → Device)
• Exit Kiosk (Device command transfer)
Device Command
• Exchange License (Device → Server)
• Exchange License (Server → Device)
• Exchange License (Device command transfer)
• Request Knox Service Plugin feedback(Device → Server)
• Response Knox Service Plugin feedback(Server → Device)
• Start DEP Device Sync Scheduler
• End DEP Device Sync Scheduler
• DEP Device Sync (Server)
Device Enrollment
• Request create MDM Profile
Program
• Response create MDM profile
• Request DEP device information
• Response DEP device information
• E-FOTA API - Get Token
• E-FOTA API - Register CorpID
• E-FOTA API - Get Firmware List
• E-FOTA API - Restrict Firmware
• E-FOTA API - check group version
E-FOTA • E-FOTA API - view product, model, and agency
• E-FOTA API - network error
• E-FOTA API - Get License Information
• E-FOTA history - Create Group
• E-FOTA History - Edit Group
• E-FOTA history - Delete group
• Send Mail To Admin (Async)
Email • Send Mail To Device (Async)
• Send Mail To User (Async)
Appendix 524
• Prevent reactivation (Device → Server)

• Prevent reactivation (Server → Device)
• EMM Enrollment Spec (Device → Server)
• EMM Enrollment Spec (Server → Device)
• Update KLM/ELM license during activation (Device → Server)
• Update KLM/ELM license during activation (Server → Device)
• Disable service -Android (Device → Server)
• Disable service -Android (Server → Device)
• Confirm Enrollment (Knox) (Device → Server)
• Confirm Enrollment (Knox) (Server → Device)
• Agent Request to activate MDM (Device → Server)
• Agent Request to activate MDM (Server → Device)
• Agent Request for SCEP profile (Device → Server)
• Agent Request for SCEP profile (Server → Device)
• Agent Request for MDM profile (Device → Server)
• Agent Request for MDM profile (Server → Device)
• Agent Request for check-in (Device → Server)
• Agent Request for check-in (Server → Device)
Enrollment • Agent Request for token update (Device → Server)
• Agent Request for token update (Server → Device)
• Agent Request for check-out (Device → Server)
• Agent Request for check-out (Server → Device)
• Deactivate service (Device → Server)
• Deactivate service (Server → Device)
• Request SOAP message
• Respond to SOAP message
• Request for discovery URL (Device → Server)
• Respond to the request for discovery URL (Server → Device)
• Request for spec to issue certificate (Device → Server)
• Respond to the request for spec to issue certificate (Server → Device)
• Request to verify On-premis equipment (Device → Server)
• Respond to the request to verify On-premise equipment (Server → Device)
• Request to verify Federated equipment (Device → Server)
• Respond to the request to verify Federated equipment (Server → Device)
• Verify Security token
• Request to issue certificate (Device → Server)
• Respond to request to issue certificate (Server → Device)
Appendix 525
• Respond to the request to set DM Client

• Generate OTP Code
• UMC User Search Request
• UMC User Search Response
• UMC Enrollment Request
• UMC Enrollment Response
• UMC Enrollment Information Update Request
Enrollment
• UMC Enrollment Information Update Response
• UMC Unenrollment Request
• UMC Unenrollment Response
• UMC Enrollment Information Update Request
• UMC Enrollment Information Update Response
• UMC Unenrollment Request
• UMC Unenrollment Response
Exception Profile • Start Scheduler for Exception Policy per User
per User • Terminate Scheduler for Exception Policy per User
• Start InventoryScheduler Monitoring
• Terminate InventoryScheduler Monitoring
InventoryScheduler
• Start Inventory Collection Scheduler for iOS
• Terminate Inventory Collection Scheduler for iOS
• Add Knox License
• Revision Knox License
License
• Delete Knox License
Management
• Sync Knox License
• Interface Knox License
• Delete the audit logs elapsed over the retention period.
Logs • audit event white list change
• audit event white list receive
• The result of applying Agent device policy
• Agent Policy Apply Success on a Device
• Failed to Apply Agent Policy on Device
Profiles
• Start profile update
• Terminate profile update
• Save Knox Service Plugin feedback
Appendix 526
• Request for public key

• Activate provisioning
• Deactivate provisioning
Provision • Activate Knox provisioning
• Request To Changing Device Status To Provisioning Activate Status
• Request To Changing Device Status To Provisioning Deactivate Status
• Activate Work Profile provisioning
• Add SEG profile automatically
• Delete SEG profile automatically
SEG Profile • Renew SEG profile automatically
• Send SEG Rest API
• Response SEG Rest API
• Eula Download
Service Profiles
• Profile Download
Settings • Upload IDP Metadata to server
• Send SMS To Admin (Async)
SMS • Send SMS To Device (Async)
• Send SMS To User (Async)
• Start registration of Time Trigger when server operates
• Close registration of Time Trigger when server operates
Time Trigger
• Start Time Trigger sync
• Close Time Trigger sync
TxHistory • Error (Device command queue)
• User Authentication Failed
User Login • User Logged In
• User Logged Out
• VPP Sync start
VPP Management
• VPP Sync is terminated
Appendix 527
Admin Portal audit events
The list of Admin Portal audit events while operating Knox Manage is as follows:
• Request issue OAuth token

• Delete Existing Sync Service Settings
• Add New Sync Service Settings
• Renew Existing Sync Service Settings
• Delete Synced Device Information (User/Organization)
• Add Synced Device Information (User/Organization)
• Renew Synced Device Information (User/Organization)
• Delete Sync Exception Subject (User/Organization)
• Add Sync Exception Subject (User/Organization)
• Restore Sync Exception Subject (User/Organization)
• Change Sync Service Scheduled Status
• Delete Existing Multiple Sync Services
• Delete Existing Sync Service
• Delete Existing Sync Service Mapping Information
• Add New Sync Service
• Add New Sync Service Mapping Information
AD/LDAP Sync • Run Sync Service
• Modify Sync Service
• Start single item (User/Organization) sync
• Start sync test
• Delete Existing Sync Service
• Add New Sync Service
• Modify Sync Service
• Create Log for Sync Entity
• Create Log for Sync Service
• Check sync object number
• Add external sync service
• Update external sync service
• Delete external sync service
• Change External Sync Service Status
• Search external sync service
• Search external sync service list
• Request issue OAuth token
Appendix 528
• Search external sync map settings

• Search external sync object properties
• Update Sync Connection Settings
• Update Sync Schedule Settings
• Update Sync Mapping Settings
• Add Sync Targets
AD/LDAP Sync • Update Sync Flag Settings for Sync Targets
• Delete Sync Exceptions
• Delete Sync Services
• Delete Sync Task Queue
• Sync Progress Flag Initialization
• Create LDAP Entry
• Delete LDAP Entry
• Admin User Logged In
• Admin User Logged Out
• Admin Session Terminated Due To Timeout
Admin Login
• Admin User Locked Due To Login Attempt Failed
• The account is deleted
• The account is blocked for 10 minutes
• Update Administrator Information
• Delete Administrator
• Update Administrator's Status (Activate/Deactivate)
• Create Administrator Login Account
• Modify password after account has been created or password has been reset
• Update Password In Administrator Management Page
• Admin Configuration Information Gets Reset When Admin Account Is Created
Administrators
• Update Administrator Configuration Information
• Delete Administrator Configuration Information.
• This Action Occurs Only When Logging In. Update Administrator Configuration
Information.
• Determine Super Status Of Selected Administrator
• Insert Admin Organization
• Add Admin Organization (through organization)
Appendix 529
• Modify Public Push

• Modify Log Level
• Modify Google Account
• Tech. support activation & service period setting
• Reset Support Admin password
Administrators • Generate Export File
• Retry Export File Generation
• Download Export File
• Delete administrators
• Change administrators deactivate
• Change administrators activate
• Delete Alert Settings Created By Each Admin
• Add Alert Settings Created By Each Admin
• Update Alert Settings Created By Each Admin
• Update Multiple Audit Events For Alerts
Alerts • Reset Audit Events For Alerts
• Create temporary alert (for test only)
• Delete Audit Event For Alerts
• Add Audit Event For Alerts
• Update Audit Event For Alerts
• Android Enterprise Registration
Android Enterprise
• Android Enterprise Unregistration
Appendix 530
• Add/Modify Google Account

• Enter Multilingual Information When Adding App
• Modify Multilingual Information When Modifying App
• Modify Internal App Status
• Delete Internal App
• Delete Internal App
• Add Internal App
• Modify App (Internal/Public) Category
• Modify Internal App
• Upload Internal App File
• Register Internal App Icon
• Register Internal App Screenshot
• Delete System App
• Add System App
• Modify System App
• Upload System App File
Applications
• Add Category Multilingual Information
• Update Category Multilingual Information
• Delete Category
• Add Category
• Modify Category
• Modify Category Order
• Delete Public App
• Add Public App
• Modify Public App
• Delete System App File
• Delete Internal App File
• Create Control App
• Delete Kiosk App
• Add Kiosk App
• Register Kiosk App Physical File
• Delete Control App
Appendix 531
• Add Control App

• Modify Control App
• Public App Sync
• Create Category Temporary ID
• Delete Applications Comment
• Create Application Download List
• Delete App Temporary File
• Create App Temporary ID
• Create Kiosk App Temporary ID
• Update Kiosk App
• Delete App Temporary File
• Create App Temporary ID
• Upload Control App
• Create Public App Temporary ID
• Check Google Account Validity
• Add EMM Apps From Other Tenant
Applications • Delete EMM App Temporary File
• Create EMM App Temporary ID
• Update App Version
• Update App Version details
• Create Kiosk Wizard App Temporary ID
• Add Kiosk Wizard App
• Update Kiosk Wizard App
• Delete Contents File Event
• Register Contents File Event
• Delete Kiosk Image File Event
• Modify content files
• Approve google managed App
• Unapprove google managed App
• Profile Manager creates an owned profile
• Unassign a profile assigned to a profile manager
• Deleting a profile created by a profile manager
• Assign a profile to a profile manager
Appendix 532
• Assign App
• Unassign App
• Modify App Settings
• Request Access to Managed Google Play Apps (Device) (Server → Google)
• Request Access to Managed Google Play Apps (Group/Organization) (Server →
Google)
Applications • Delete Category

• Delete Application
• Add Public Application
• Request the Uninstall App device command in App Unassignment
• Request the Uninstall App device command in App Deletion
• Install app to assigned device
• Duplicate Managed Google Play App
• Register Certificate Profile Template
• Modify Certificate Profile Template
• Delete Certificate Profile Template
• Discard Certificate
• Issue Certificate
• Register CA Event
• Modify CA Event
• Delete CA Event
• Register ExternalCert Event
Certificates • Modify ExternalCert Event
• Delete ExternalCert Event
• Modify APNS Event
• Modify ExternalCert Event (File)
• Issue Device Certificate
• ReIssue Device Certificate
• ReNew Device Certificate
• Key Generation Error
• Request Issue Device Certificate
• Request ReIssue Device Certificate
Appendix 533
• Request ReNew Device Certificate

• Modify CA Event
• Delete CA Event
• Register Certificate Profile Template
Certificates
• Modify Certificate Profile Template
• Delete Certificate Profile Template
• Change iOS certificates status of Deleted
• Modify CA Event
• Renew Existing Directory Service
• Delete Directory Service
• Delete Return Data Mapping Information Set In Directory Service
Connectors
• Add Return Data Mapping Information Set In Directory Service
• Save New Directory Service
• Delete Directory Service
• Upload Content
• Modify Content
Contents • Delete Content
• Assign Content
• Unassign Content
Appendix 534
• Add Report Condition

• Modify Report Condition
• Delete Report Condition
• Add Report Query Fields
• Delete Report Query Fields
• Add Report Query
• Modify Report Query
• Delete Report Query
• Modify Report Condition
• Delete Report Condition
• Modify Report Status
Dashboard
• Download Report Result
• Download Report Chart
• Delete Report
• Add Report
• Modify Report
• Add Dashboard
• Modify Dashboard
• Delete Dashboard
• Modify Dashboard Status
• Modify Dashboard Main Page
• Initiate dashboard main page
• Try to Send Device Command To Multiple Devices in User&Organization or Group
Menu
• Try to Send Device Command To Single Device in Device Detail Menu
• Try to Send “update visitor profile” device command
Device Command • Try to Send Device Command To Multiple Devices in Device Command Popup
• Try to Send Device Command To Single Device in Device Command Popup
• Try to Send Device Command To Own Device in User Portal
• Delete google managed Application
• Install google managed Application
Appendix 535
• Create Apple DEP profile

• Define default Apple DEP profile
• Assign default Apple DEP profile
• Define Apple DEP Profile to DEP Server
• Assign Apple DEP Profile to DEP Server
Device Enrollment • DEP Device Sync (Console)
Program • Upload DEP Server Token
• Download Public Key
• DEP Assign User
• DEP Unassign User
• Assign User
• Unassign User
• Delete Device
• Register Device
• Update Device Status
• Download Device List
• Reset Device Status
• Modify Device List
• Deactivate device
• Download visitor list
Devices
• Send Visitor deactivation code
• Download device log
• Delete device log file
• Download device log file
• Delete device log file
• Modify device log file
• Download App List
• Download KME Device List
Appendix 536
• View Device Location

• View Device Location By User&Group
• Update Device License
• View Device License
• View Device Location by Dashboard
• Add Multiple Device Tags
• View Device Tags
• Add Device Tags
• Parse Phone Numbers for Remote Support
• Make Phone Numbers for Remote Support
• Download location history (GPX)
• Offline Unenrollment Code
• Delete Device
• Download App List
Devices
• Download Device List
• Download Location History (GPX)
• Force Unenroll Device
• Configure Phone Numbers for Remote Support
• Refresh Device Status
• Add Device Tag
• Update Device License
• Add Multiple Device Tags
• Change Mobile Number (Tizen Wearable)
• Download KME Device List
• Add Device
• Add Multiple Devices
• Deactivate device
• Reset Device Status
Appendix 537
• Create E-FOTA Group

• Delete E-FOTA Group
• Update E-FOTA Group
• Check E-FOTA group existence
• Update E-FOTA configurations
• Valid E-FOTA license check
• Update E-FOTA license
• Get License Information (Config)
• Update E-FOTA configurations
• Valid E-FOTA license check
• Update E-FOTA license
• Display update status by device
• View the number of status updates
E-FOTA
• List of target device list
• List of E-FOTA Applied List
• Add all to E-FOTA list
• Remove all from E-FOTA list
• Initialize device assignment list
• View E-FOTA license expiration date
• Updated E-FOTA Group List
• Save list of E-FOTA devices
• Add to E-FOTA list
• Remove from E-FOTA list
• Display whether E-FOTA application list is included
• Delete E-FOTA License
• Resend update E-FOTA firmware version Device command
• Delete Mail Template
• Modify Mail Template
Email • Add Mail Template
• Send Mail To User
• Send Enrollment Email/SMS
Appendix 538
• Delete Group Components (Device/User)

• Add Group Components (Device/User)
• Manually Delete Device/User From Group
• Manually Add Device/User From Group
• Delete Selected Group Filter Information
• Add Selected Group Filter Information
• Delete Selected Group Filter Information
Groups
• Add Selected Group Filter Information
• Delete Existing Group
• Add New Group
• Update Existing Group Information
• Delete Device Group Component (Device/User)
• Add Device Group Component (Device/User)
• Execute synchronization
• Delete Directory Connection Information
Integrations • Save New Directory Connection Information
• Renew Existing Directory Connection Information
• Device Audit Log Download
• Download Audit Log
Logs
• Modify Audit Use
• Download device diagnosis
• Delete Notice
• Add Notice
Notices • Modify Notice
• Add Notice Multilingual Information
• Modify Notice Multilingual Information
• Delete Existing Organization
• Add Organization Into Organization Chart
Organization • Update Existing Organization Information
• Renew Group Member's Organization Information
• Delete Existing Organizations
Appendix 539
• Save General Settings

• Save KNOX Settings
• Delete General Settings
• Delete KNOX Settings
• Create KNOX
• Delete KNOX
• Save Client App Control Policy
• Save Client Browser Policy
• Save Client Policy
• Save General Policy
• Save KNOX Policy
• Save Trigger General Policy
• Save Trigger KNOX Policy
• Delete Client App Control Policy
• Allocate EMM Profile To Group
• Allocate EMM Profile To Organization
• Create EMM Agent Profile
Profiles • Delete EMM Agent Profile
• Create Trigger
• Delete Trigger
• Create app management profile
• Delete Application Management Profile
• Export Application Management Profile
• Import Application Management Profile
• Modify Application Management Profile
• Copy Application Management Profile
• Modify KNOX Workspace Info
• Save mMail Policy
• Save Visitor Policy
• Save Group Mapping Info of Profile
• Save Org Mapping Info of Profile
• Export Device Management Profile
• Import Device Management Profile
• Modify Device Management Profile
• Copy Device Management Profile
Appendix 540
• Modify Event Priority

• Modify Event Info
• Modify Event Priority
• Select the profile setting in the Pool
• Select the Knox setting in the Pool
• Upload file
• Create Knox Workspace pool
• Delete Knox Workspace pool
• Create policy of SecuCamera
• Create policy of Knox portal
• Create general policy of Windows
• Select the policy in the Pool
• Create the Windows Event Policy
• Modify priority of User-Exception Profile
• Delete User-Exception Profile
• Add User-Exception Profile
• Modify User-Exception Profile
• Delete Pool
• Select the Event policy in the Pool
Profiles
• Request a retransmission handling of Command Transmission Queue
• Delete Device Command in Queue
• Save Policy
• Request to send Profile Update device command
• View Profile policy
• Save Profile policy
• Save profile update schedule
• View installed Google managed apps on device
• Install Google managed app (send Device command)
• Uninstall Google managed app (send Device command)
• Delete Android Enterprise Configuration
• Save Android Enterprise Configuration
• Save Android Enterprise policy
• Save Android Enterprise Event policy
• Save the policy for Multi Client App Control
• Retrieves a summary of policies and settings for a device management profile
• Retrieves the device management profile applied to the devices
• Retrieves a summary of existing device management profiles assigned to the
groups and new device management profiles
Appendix 541
• Retrieves a summary of existing device management profiles assigned to the

organizations and new device management profiles
• Changes the priorities of device management profiles and retrieves a summary
of device management profiles assigned to the groups or organizations
• View Device Mgt. Profile List
• Delete Device Mgt. Profile
• Create Device Mgt. Profile
• Create Device Mgt. Profile (Clone Profile)
• Modify Device Mgt. Profile
• View Device Mgt. Profile List
• Change Device Mgt. Profile Priority
• Retrieves a list of devices that are assigned a device management profile
• Retrieves by profile ID the group or organization that is assigned a device
management profile
• Assign Device Mgt. Profile
Profiles
• Unassign Device Mgt. Profile
• Retrieves a list of groups that are assigned a device management profile
• Retrieves a list of organizations that are assigned a device management profile
• Retrieves a list of groups and organizations that are assigned a device
management profile
• Retrieves by profile ID a list of groups and organizations that are assigned a
device management profile
• Save Device Mgt. Profile Policy
• View Device Mgt. Profile Policy Platform List
• Retrieves a list of profile settings including drafts
• Retrieves detailed information of a profile settings including drafts
• Save Draft Settings
• Delete Draft Settings
• Save Samsung Knox policy
• Retrieve Device Management Profiles Assigned to Devices
• Add SEG profile
• Delete SEG profile
• Update SEG profile
• View SEG profile list
SEG Profile
• View SEG profile detail
• View SEG server profile
• View target tenant for SEG profile
• View SEG domain
Appendix 542
• Modify basic information of service profile

Service Profiles
• Modify Service Profile
• Activate API User
• Deactivate API User
• Delete API User
• Add API User
• Invalidate API User Tokens
• Modify API User
• Delete Tablet Model
• Add Tablet Model
• Modify Tablet Model
• Cloud Connector Create Request
• Cloud Connector Confirm Request
• Cloud Connector Delete Request
• APNs Certificate Signing Request Download
• APNs Certificate Upload
• APNs Certificate Download
• APNs Certificate Import
• Add Master Data
Settings • Modify Master Data
• Delete Master Data
• Create IMEI
• Delete IMEI
• Update IMEI
• Upload IMEI file
• Modify Profile Update Settings Basic Info
• View Profile Update Settings List
• View Profile Update Settings
• Save Profile Update Settings
• Delete Profile Update Settings
• Modify Keep-Alive Settings Basic Info
• View Keep-Alive Settings List
• View Keep-Alive Settings
• Save Keep-Alive Settings
• Delete Keep-Alive Settings
• View Knox Manage Agent Policy List
• View Knox Manage Agent Policy
Appendix 543
• Save Knox Manage Agent Policy

• Delete Knox Manage Agent Policy
Settings • View Target Group/Organization List
• Change APK Download URL in QR Code
• Delete API Users
SMS • Send SMS To User
• Modify Authentication Setting
• Modify Server Configuration
• Modify Login/Header Image
System
• Modify Logo/Notification Text
Configuration
• Modify Server Configuration
• Modify End-User License Agreement
• Generate Android Enterprise Signing URL
• Modify User Authority
• Delete User Authority
• Create User Authority
• Delete User Device Bookmark
• Insert User Device Bookmark
• Insert User Device Bookmark
• Modify User Device Bookmark
• Modify User Device Bookmark
• Deactive User
• Delete User
• Add User
User Management • Modify User Information
• Reset Password (By User)
• Reset Password (By Admin)
• Confirm User Password
• Activate User
• Upload Excel Regarding User/Device Information
• Update mobile mail status
• Update security camera status
• Create users
• Initialize user password
• Create synchronized users
• Delete multiple users
Appendix 544
• Upload VPP token information downloaded from Apple webpage.

• Assign or withdraw VPP Application-specific licenses to users.
• View VPP Application on the Apple webpage and update the number of licenses
per app.
• Upload the VPP Redemption xls (xlsx) file downloaded from Apple webpage.
• Access the Apple webpage and update the VPP user information.
VPP Management
• Register the user on the Apple webpage, and send invitation mail.
• Register the user on the Apple webpage.
• Remove and retire the VPP user from the Apple webpage.
• Grant the license by user ID
• Retrieve the license by user ID
• Insert VPP Application
Appendix 545
Lists of error codes
View the detailed information on error codes, including the descriptions of each error code. The list of
error codes below can be seen on both the user devices and the Admin Portal when an error occurs.
If an error occurs, refer to the error codes lists and contact the Knox Manage Technical Support if
necessary.
Client error codes

The error codes that may appear on the user devices while using Knox Manage are as follows:
Category Module Code Description
Self-signed Self-signed certificate either not installed or installed

A1010
Certificate incorrectly.
F100 Server information cannot be found.
Service F210 Tenant does not exist.

Provision F220 You did not agree to a user agreement.
F230 Tenant license period has expired.
The mobile Alias entered is different from the previously

B5015
provisioned value.
B2001 User ID is null.
B2002 User password is null.
B2003 Mobile Alias is null.

Client
B3001 The server address is not specified.
B3002 Server connection timeout occurred.
Provisioning B3003 Server connection exception occurred.
B3004 Server page error (HTTP error code) occurred.
B4001 Server internal error occurred.
B5002 Server GetPublicKey runtime error occurred.
B5003 Device information does not exist on the server.
B5004 Device is not registered on the server.
B5005 Device is disconnected.
B5010 Device has already been provisioned on the server.
Appendix 546
B5012 User ID cannot be found.
Device certification failed due to mismatch between the

B5013
Provisioning ID and password.
The maximum number of devices registrable to a user has

B5019
been exceeded.
Device
A1011 Issuing device certificate failed.
Certificate
Login failed due to receiving data in a wrong format from

A1004
the server.
A5001 User ID has been deleted.
A5003 Error is unknown.
C1001 Network error occurred.
C1003 Authentication failed due to a wrong ID or password.
C1004 User ID cannot be found.

Login
Device information or the registered device does not exist
C1005
Client on the server.
Device information does not match the registered

C1006
information on the server.
C1008 Device is disconnected.
C1009 Private Key does not exist on the server.
The mobile ID entered does not match the registered

C1011
mobile ID on the server.
Client Profile A3000 The client profile could not be received.
A1021 AppTunnel initialization was successful.
A1022 The parameter entered is incorrect.
AppTunnel A1023 The license information is incorrect.
A1024 AppTunnel initiation failed.
A1025 Network connection failed.
A3001 Push registration retry failed.

Push
A3002 Push registration failed.
Appendix 547
F3001 Message version is undefined.
App version registered on the Knox Manage Client does

F3002
not match.
App version registered on the Knox Manage Agent does

F3003
not match.
Client Agent F2001 Push Agent does not exist.
F2002 Push registration failed.
F2003 Push registration exception occurred.
F2004 Push registration timeout occurred.
F5014 Issuing device certificate failed.
B1001 Success
B1002 Device ID does not exist on the device.
B1003 SQLite error occurred.
B1004 Encryption error occurred.

Common B1005 Get Public Key error occurred.
The mobile Alias entered is different from the previously

B1006
provisioned value.
B1007 Description error occurred.
B1008 Key generation error occurred.
B2001 User ID is null.
B2002 User password is null.

Provisioning
B2003 Mobile Alias is null.
Library
B2004 Tenant ID does not exist.
Parameter
B2005 Server public key does not exist.
B2006 App name or version is null.
The parameter of the setProvisioningInfo () function is

B2007
omitted.
B3001 Server address is not specified.
B3002 Server connection timeout occurred.

Connection
B3003 Server connection exception occurred.
B3004 Server page error (HTTP error code) occurred.
B4001 Server internal error occurred.

Etc.
B4002 Unexpected exceptions occurred.
Appendix 548
B5001 Public Key does not exist on the server.
B5002 Server GetPublicKey runtime error occurred.
B5003 Device information does not exist on the server.
B5004 Device is not registered on the server.
B5006 Server provision runtime error occurred.
B5007 PrivateKey does not exist on the server.
B5008 Device status of the server cannot perform InitProvision.
B5009 Device to match for the InitProvisoin does not exist.
B5010 Device has been already provisioned on the server.
B5011 Server InitProvision runtime error occurred.
B5012 User ID cannot be found.

Provisioning Provision
Library Server Device certification failed due to the mismatch between
B5013
the ID and password.
B5014 Network communication error occurred.
B5015 The number of auto-enrolled devices has been exceeded.
B5016 Device ID is invalid.
B5017 License information load failed.
The maximum number of devices registrable to a user has

B5019
been exceeded.
The platform information sent from the device does not

B5020
match the information saved in the server.
The non-Wi-Fi only device has no MAC address and IMEI

B5021
information.
B5022 The Wi-Fi only device has no serial number information.
Appendix 549
C1002 Unknown error occurred.
Device authentication has failed.

C1003
Note Please check the ID or password.
User ID cannot be found.

C1004
Note Please check the user ID.
Login
C1005 No available device.
C1006 The user matching device cannot be found.
C1007 Password decryption failed.
C1008 Device is disconnected.
C1009 Device is unenrolled.
C1010 License is invalid.
D1001 Header parameter does not exist.
D1002 Compression failed.
D1003 Encryption failure.
D1004 Command is invalid.

Profile common
D1005 Version is invalid.
D1006 Device ID does not exist.
D1007 Invalid device ID.
D1008 Device ID lookup failed.
Appendix 550
D2001 Device command transmission failed.
D2002 App information lookup failed.
D2003 Knox ID lookup failed.
D2004 User ID does not exist.
D2005 App ID does not exist.
Device D2006 Package name does not exist.

Command
D2007 Knox ID parameter does not exist.
D2008 Knox Workspace ID does not exist.
D2009 App information does not exist.
D2010 Device command code is invalid.
The app to be installed is not included on either the

D2011
whitelist or blacklist (iOS only).

Profile homepage
D3002 Homepage information insertion failed.
bookmark D4002 Bookmark index does not exist.
D4003 Bookmark information insertion failed.
D5001 Device token update failed.
D5002 Profile information lookup failed.

update profile
D5004 Profile could not be created.
D5005 Final profile update time update failed.
D6001 Location and jailbreak information update failed.

client report
D6002 Report type is invalid.
Push D7001 Push magic data does not exist.
F1001 Provision failed.
F1002 Provision exception error occurred.

Agent Provision
F1003 Device ID is null.
F1004 RsaKey is null.
Appendix 551
F3001 Message version is not defined.
App version registered on the Knox Manage Client does

F3002
Enrollmentspec not match.
App version registered on the Knox Manage Agent does

F3003
not match.
F4001 Timeout
ActivateDpm
F4002 Disagree
F5001 Timeout
F5002 None
F5003 Parameter information does not exist.
F5004 Unknown
F5005 EML license is invalid.
F5006 License is terminated.

Update
F5007 Internal error occurred.
ElmLicense
F5008 Server internal error occurred.
F5009 Network is disconnected.
F5010 NetworkGeneral
Agent
F5011 UserDisagreesLicenseAgreement
F5012 InvalidPackageName
F5013 NotCurrentDate
F6001 Timeout
F6002 None
F6003 Parameter information does not exist.
F6004 Unknown
F6005 KLM license is invalid.
F6006 KLM license has expired.

Update
F6007 InvalidPackageName
KlmLicense
F6008 NotCurrentDate
F6011 Network is not disconnected.
F6012 NetworkGeneral
F6013 UserDisgreeesLicenseAgreement
Appendix 552
1500000 Request for the command more than three times.
1500001 MDM profile is not allocated.
Device with a corresponding device ID does not exist on

1500002
the device information table.
1500003 Profile cannot be created.
1500004 Authentication file cannot be found.
1500005 Authentication file cannot be read.
1500006 Check-in authentication failed.
1500007 Not iOS.
1500008 User is not activated.
1500010 Device is not an active (A) or provision (P) state.
1500011 UDID already exists.
1500013 Device ID pertinent to the tenant ID does not exist.
1500014 Send push failed.
Re-enrollment prevention.
Note Re-enrollment is prevented in case the

1500015
Agent (iOS) enrolled device is reenrolled due to a factory
reset.
Activation failed.
Note Activation failed due to an activation attempt

1500016
with a different mobile ID (device ID) using
the same tenant in the same device.
1500017 Profile signing failed.
Activation failed.

1500018
with a same mobile ID (device ID) using the
same tenant in a different device.
1500020 Parameter information error.
1500024 Enrollment profile cannot be created.
1500029 App information lookup failed.
1500030 Device activation failed.
1500031 Device deactivation failed.
1500032 Token update failed.
Appendix 553
1500033 App installation is prohibited.
1500034 App installation failed.
Agent (iOS) 1500035 Whitelisted and blacklisted app lookup failed.
1500101 Unable to execute command now.
1500102 MDM command format is invalid.
Admin Portal access error codes

The error codes that may appear on the Admin Portal or the Knox Manage server while operating
Knox Manage are as follows:
Log in
Code Description Log path
session The account is already in use.
disable The account is locked.
accountDeleted Account access is not authorized based on the policy. emm.log
accountLocked Account access is not authorized based on the policy.
continousFailure The account is locked for 10 minutes.
Report
1101 Parameter is invalid.
1102 Data not found.
1103 Service is disabled.
1104 Internal reports cannot be modified. emm.log
1120 SQL exception.
1121 Datasource Pool not found.
1199 Runtime error occurred.
Appendix 554
Open API
-102 Null or Empty string.
-103 Null object.
-104 Not a number (integer).
-105 The number must be greater than %d.
-106 The number must be less than &d.
-107 The number must be between %d and %d.
-108 The string length must be greater than %d.
-109 The string length must be less than %d.
-110 The data must be in a %s format.
-111 The start-date should be before the end-date.
-112 The string should match %s.
-113 The subsequent strings should not contain or match %s.

emm.log
-114 The string is not equal to %s while being case-sensitive.
-115 The string is not equal to %s while being case-insensitive.
-116 The string is configured with whitespace or tab only.
-117 The string’s length must be greater than %d (bytes).
-200 The number of licenses has been exceeded.
-201 Duplicate data exists.
-202 There are no results.
-203 Relevant data has an error.
-204 Enrolled device exists.
-205 Cannot be found.
-206 Already registered to the selected group.
-999 Unknown error code.
Appendix 555
Certificate
3000 Certificate generation request failed.
3001 Certificate verification request failed. emm.log
3002 Client initialization failed.
3003 Certificate enrollment transaction failed.
3004 Certificate enrollment request failed.
3005 The maximum retries of certificate enrollment exceeded.
3006 Certificate enrollment failed.
3007 CRL request failed.
3008 CA chain request failed.
LEGO_ERR_0001 Provider load failed.
LEGO_ERR_1100 Wrong CA type.
LEGO_ERR_1101 CA type does not exist.
LEGO_ERR_1102 Root Certificate lookup data not found.
LEGO_ERR_1103 CA lookup data not found.
LEGO_ERR_1104 Managed CA does not exist.
LEGO_ERR_1105 CN and password are required for entry registration.
LEGO_ERR_1106 Ext CERT lookup data not found.

certlog.log
LEGO_ERR_1107 CERT lookup data not found.
LEGO_ERR_1108 Template lookup data not found.
LEGO_ERR_1109 Batch lookup data not found.
LEGO_ERR_1200 The certificate number does not exist.
LEGO_ERR_1201 CN information does not exist.
LEGO_ERR_1202 File storage path does not exist.
LEGO_ERR_1203 Entity ID does not exist.
CA information, CertProfileName, and, EndEntityProfile information

LEGO_ERR_1204
are required if the template ID does not exist.
LEGO_ERR_1205 The certificate to revoke does not exist.
LEGO_ERR_1206 Error occurred when saving certificate revoke information.
LEGO_ERR_1207 Error occurred while performing ReIssue.
LEGO_ERR_1208 Error occurred while saving ReNew information.
LEGO_ERR_1300 Template ID does not exist.
Appendix 556
LEGO_ERR_1301 Tenant ID does not exist.
LEGO_ERR_1302 Updated data not found on DB.
LEGO_ERR_1400 The certificate name already exists.
LEGO_ERR_1401 The tenant ID already exists.
LEGO_ERR_1500 CERT verification failed: Start date is after the current date.
LEGO_ERR_1501 CERT verification failed: Expiration date is before the current date.
LEGO_ERR_1502 CERT verification error: Error occurred when verifying CA root Init.
LEGO_ERR_1503 CERT verification error: Signature error occurred.
LEGO_ERR_1504 Lookup data not found.
LEGO_ERR_1505 Pkcs12 CERT import failed.
LEGO_ERR_1506 The CA Cert does not exist in the file.
LEGO_ERR_1900 Error occurred when creating a file.
LEGO_ERR_1901 File does not exist.
LEGO_ERR_2001 CRL creation failed.
LEGO_ERR_2002 CRL request creation failed.
LEGO_ERR_2003 CRL verification failed. certlog.log
LEGO_ERR_2004 CRL information on the last executed file does not exist.
LEGO_ERR_2005 CRL request for the last executed file failed.
LEGO_ERR_2006 Save CRL information failed.
LEGO_ERR_2101 CRL BATCH SCHEDULE addition failed.
LEGO_ERR_2102 CRL BATCH SCHEDULE information update failed.
LEGO_ERR_2103 CRL BATCH SCHEDULE deletion failed.
LEGO_ERR_3000 Scep message creation failed: Certificate request creation failed.
LEGO_ERR_3001 Scep message creation failed: Wrong trandsId.
LEGO_ERR_3002 Scep message creation failed: Wrong senderNonce.
LEGO_ERR_3003 Scep verification failed: Signer value does not exist.
LEGO_ERR_3004 Scep verification failed: Wrong digest algorithm.
LEGO_ERR_3005 Scep verification failed: Wrong CA signer.
LEGO_ERR_3006 Scep verification failed: Wrong signature certlog.log.
LEGO_ERR_3007 Scep verification failed: FailInfo is included in ScepRequestMessage
LEGO_ERR_3008 Scep verification failed: Wrong message type.
Appendix 557
Scep verification failed: pkiStatus does not exist in

LEGO_ERR_3009
ScepRequestMessage.
LEGO_ERR_3010 Scep verification failed: Success message does not exist.
LEGO_ERR_3011 Scep verification failed: Wrong Response status.
LEGO_ERR_3012 Scep verification failed: Wrong SenderNonce.
LEGO_ERR_3013 Scep verification failed: Wrong recipientNonce.
LEGO_ERR_3014 Scep verification failed: Wrong Transaction.
LEGO_ERR_3015 Scep connection failed: Wrong responseCode.
LEGO_ERR_3016 Scep connection failed: Wrong content type.
LEGO_ERR_3017 Scep connection failed: Response data does not exist.
LEGO_ERR_3018 Scep connection failed: Response byte conversion failed.
LEGO_ERR_4000 Cmp connection failed: HTTP connection failed.
LEGO_ERR_4001 Cmp connection failed: Wrong responseCode.
LEGO_ERR_4002 Cmp connection failed: Content type does not exist.
LEGO_ERR_4003 Cmp connection failed: Wrong Content type.
LEGO_ERR_5000 WebService connection verification failed.
LEGO_ERR_5001 WebService connection failed. certlog.log
LEGO_ERR_5002 Error occurred during FIND ENTITY.
LEGO_ERR_5003 Error occurred while chaining entity.
LEGO_ERR_5004 Error occurred while registering entity.
LEGO_ERR_5005 Entity is already registered.
LEGO_ERR_6000 Root CA conversion failed.
LEGO_ERR_6001 Root CA conversion failed: X509Certificate conversion failed.
LEGO_ERR_6002 Root CA conversion failed: Wrong algorithm.
LEGO_ERR_6003 Root Cert does not exist.
LEGO_ERR_8000 Certificate verification failed: PKIMeesage configuration failed.
LEGO_ERR_8001 Certificate verification failed: PKI Header configuration failed.
Certificate verification failed: Failure may be due to a wrong issuer

LEGO_ERR_8002
sign value or revoked certificate.
LEGO_ERR_8003 Certificate verification failed: Wrong senderNonce.
LEGO_ERR_8004 Certificate verification failed: Wrong transactionID.
LEGO_ERR_8005 Certificate verification failed: Wrong algorithm.
LEGO_ERR_8006 Certificate verification failed: Signature is unprotected.
Appendix 558
LEGO_ERR_8007 Certificate verification failed: Password is unprotected.
LEGO_ERR_8008 Certificate verification failed: Algorithm is invalid.
LEGO_ERR_8009 Certificate verification failed: CA signature is not verified.
LEGO_ERR_8010 Certificate verification failed: Wrong PBE hash.
LEGO_ERR_8011 Certificate verification failed: Signature verification failed.
LEGO_ERR_8012 Certificate configuration failed: PKIBody configuration failed.
LEGO_ERR_8013 Certificate configuration failed: CertRepMessage configuration failed.
LEGO_ERR_8014 Certificate configuration failed: CertResponse configuration failed.
LEGO_ERR_8015 Certificate configuration failed: CertReqId configuration failed.
LEGO_ERR_8016 Certificate configuration failed: PKIStatusInfo configuration failed.
LEGO_ERR_8017 Certificate configuration failed: Wrong Status Value.
LEGO_ERR_8018 Certificate configuration failed: CertifiedKeyPair configuration failed.
LEGO_ERR_8019 Certificate configuration failed: CertOrEnCert configuration failed.
Certificate configuration failed: X509CertificateStructure

LEGO_ERR_8020
configuration failed.
LEGO_ERR_8021 Certificate configuration failed: Certificate encoding failed.

certlog.log
LEGO_ERR_8022 Certificate configuration failed: X509Certificate configuration failed.
LEGO_ERR_8023 Certificate configuration failed: SubjectDN is inconsistent.
LEGO_ERR_8024 Certificate configuration failed: IssuerDN is inconsistent.
LEGO_ERR_8025 Certificate configuration failed: X509Certificate verification failed.
LEGO_ERR_9000 Wrong URL information.
LEGO_ERR_9002 Http connection failed.
LEGO_ERR_9003 Response data from CA does not exist.
LEGO_ERR_9004 Wrong host information.
LEGO_ERR_9005 Socket connection failed.
LEGO_ERR_9006 HOST information does not exist.
LEGO_ERR_9007 Contingency occurred while converting ASN1 InputStream.
LEGO_ERR_9008 Contingency occurred while converting DER OutputStream.
LEGO_ERR_9009 Provider does not exist.
LEGO_ERR_9010 Algorithm does not exist.
LEGO_ERR_9011 X509Certificate conversion failed.
LEGO_ERR_9012 X509Certificate encoding failed.
Appendix 559
LEGO_ERR_9013 Error occurred while creating KeyStore.
LEGO_ERR_9014 Error occurred while converting class.
LEGO_ERR_9015 Contingency occurred while converting InputStream.
LEGO_ERR_9016 Keystore password is inconsistent.
LEGO_ERR_9017 Error occurred while creating SecretKey.
LEGO_ERR_9018 Revoke reason is undefined.
LEGO_ERR_9019 Error occurred while converting Object to byte.
LEGO_ERR_9020 Error occurred while converting byte to Object.
LEGO_ERR_9100 Certificate corresponding to the alias does not exist.
LEGO_ERR_9101 Error occurred while extracting KeyStore PrivateKey.
LEGO_ERR_9102 Error occurred while extracting KeyStore Certificate.
LEGO_ERR_9103 Error occurred while extracting KeyStore Aliases.
LEGO_ERR_9104 Error occurred while saving PKCS12-type KeyStore.

certlog.log
Contingency occurred while deleting KeyStore: KeyStore error
LEGO_ERR_9105
occurred.
LEGO_ERR_9106 Contingency occurred while deleting KeyStore: File does not exist.
Contingency occurred while deleting KeyStore: Error occurred while

LEGO_ERR_9107
restoring.
LEGO_ERR_9108 File InputStream is empty.
LEGO_ERR_9109 Error occurred while converting Object to Map.
LEGO_ERR_9110 Error occurred while converting Map to Object.
LEGO_ERR_9111 Batch type does not exist.
LEGO_ERR_9112 Template does not exist.
LEGO_ERR_9200 Compulsory input is missing: Serial number.
LEGO_ERR_9901 Encryption failed.
LEGO_ERR_9902 Decryption failed.
LEGO_ERR_999 Unexpected error occurred. Please contact the IT Administrator.
Appendix 560
CA certificate access test
Module Code Description Log path
ERROR_ROOT_CHAIN_TEST Root chain import failed.
ERROR_ROOT_CERT_PW Wrong certificate password.
ERROR_Android_ISSUE_TEST Issuing certificate failed. (Android)
ERROR_Android_KEY_ALG Key algorithm error. (Android)
ERROR_Android_DOMAIN Domain error. (Android)
ERROR_Android_CES_URL Webservice URL error. (Android)
ERROR_Android_CA_SERVER CA server settings error. (Android)
ERROR_Android_KERBEROS_REALM Kerberos settings error. (Android)
Certificate ERROR_Android_KEY_TABEL Keytab settings error. (Android)

emm.log
ADCS CA ERROR_Android_CERT Certificate error. (Android)
ERROR_iOS_ISSUE_TEST Issuing certificate failed. (iOS)
ERROR_iOS_KEY_ALG Key algorithm error. (iOS)
ERROR_iOS_DOMAIN Domain error. (iOS)
ERROR_iOS_CES_URL Web service URL error. (iOS)
ERROR_iOS_CA_SERVER CA server settings error. (iOS)
ERROR_iOS_KERBEROS_ REALM Kerberos settings error. (iOS)
ERROR_iOS_KEY_TABEL Keytab settings error. (iOS)
ERROR_iOS_CERT Certificate error. (iOS)
ERROR_ROOT_CHAIN_TEST Root chain import failed.
Certificate ERROR_ISSUE_TEST Issuing certificate failed.

emm.log
SCEP CA
ERROR_SCEP_MSGSIGN ERCERT_ Creating SCEP Message Signer
TEST certificate failed.
CONNECTION_FAIL Wrong Challenge URL.
CERTSRV_ADMIN_UNAUTHORIZED Wrong ID or password.
CERTSRV_ADMIN_URL_INVALID Wrong challenge URL.
Certificate NDES_NOT_PERMISSION Wrong domain.

emm.log
NDES CA Challenge password cannot be
NDES_CHALLENGE_NOT_FOUND found. Need to check NDES server
settings.
Challenge password cannot be

NDES_CHALLENGE_FAIL
found.
Appendix 561
Policy
0000000 Success.
9999999 Failure.
9000001 Component already exists.
9000002 Component ID and type are inconsistent.
9000003 Error occurred in mandatory parameter.
9000004 Component value already exits.
Common 9000005 MDM license is invalid. Console
9000006 Config type already exists.
9000007 VPN app ID already exists.
9000008 Special characters are not allowed.
9000009 The admin ID has not been approved.
9000010 DB service error.
9000011 URL information is invalid.
Appendix 562
2000000 OTC code is invalid.
2000001 This device platform does not support OTC.
2000002 Enter the OTC code.
2000003 Enter the device ID to transfer.
2000004 A device token for the iOS Agent does not exist.
2000005 Enter the Push App ID information.
2000006 OTC message creation failed.
2000008 Enter the OTC parameter information.
2000010 Push magic for iOS device does not exist. mdm_otc.
Common log, mdm.
2000011 UMP App ID is invalid. log
2000012 There is no device registered for the user.
2000013 There is no device to send OTC to the user.
2000014 Device token for iOS Client does not exist.
2000015 Device token for iOS Agent is invalid.
2000016 Device token for iOS Client is invalid.
2000017 Screen Lock OTC is not applicable.
2000018 Exception error occurred when handling OTC Enqueue.
2000019 Device tenant ID to transmit OTC does not exist.
Appendix 563
0100001 A profile applied to a device cannot be deleted.
0100002 Profile ID does not exist.
0100003 Visitor profile ID.
0100004 Profile component does not exist.
0100005 Profile element does not exist.
0103001 Hash value creation failed.
0103002 Hash value is inconsistent.
0103003 Profile type is inconsistent.
0103004 Reading profile file when importing failed.
0103005 Saving profile file when exporting failed.

Profile Console
0103006 File extension of the profile is inconsistent when importing.
0199001 Profile has not been assigned to a device.
0199002 Profile has not been assigned to a user.
0199003 Profile has not been assigned to an organization.
0199004 Profile has not been assigned to a group.
0199005 Device has not been assigned to a profile.
0199010 Group does not exist.
0199012 Profile has already been assigned to the group.
0199020 Organization does not exist.
0199022 Profile has already been assigned to the organization.
0210001 Knox Workspace Alias already exists.
The maximum number of Knox Workspaces to be created

Knox 0210002 Console
has been exceeded.
0210003 Knox Manage of this type cannot be created.
Appendix 564
0301500 Exceeded the priority of the event policy range.
0301501 Priority of the event policy deletion error.
0301502 Priority of the event policy already exists.
0301503 Profile event does not exist.
The priority of the event policy has been changed by other

EVENT 0301504 Console
users.
0301505 SIM card change event can be created only once.
0301506 Roaming event can be created only once.
0301507 Exception profile per user event can be created only once.
0320001 Event used as components cannot be deleted.
0410001 Only a Boolean value is allowed for this policy.
0410002 Only an integer value is allowed for this policy.
0410003 Exceeded the policy range.
0420001 Minimum value error occurred when comparing policies.

POLICY Console
0420002 Maximum value error occurred when comparing policies.
Exceeded the number of internal app policies.
0430001 Note The maximum number of policies is 15 for

each platform.
A certificate used in a profile.

0510000 Console
Note Deletion is prohibited.
CONFIGRATION A certificate for iOS use. mdm_ios_

0510001 agent.log,
Note Deletion is prohibited.
mdm.log
0530001 Not in an XML format. Console
2002000 [FCM] Server information does not exist.
2002001 [FCM] Authentication failed.
2002002 [FCM] Internal server error. mdm_otc.

FCM Push log, mdm.
2002003 [FCM] Service outage. log
2002004 [FCM] Too many messages sent at a time (1000).
2002005 [FCM] Too many messages sent to one device (100).
Appendix 565
2002006 [FCM] Missing device registration ID.
2002007 [FCM] Invalid device registration ID.
[FCM] Mismatch between the registered sender ID and

2002008
device ID.
2002009 [FCM] Cancel device registration or alarm use.
[FCM] Exceeded the maximum transmission message

2002010
length (4KB). mdm_otc.
FCM Push 2002011 [FCM] Missing sender ID. log, mdm.
log
2002012 [FCM] Message transmission error (FCM server error).
2002013 [FCM] Message format error (FCM server error).
2002014 [FCM] Invalid message TTL.
2002015 [FCM] Push key does not exist.
2002016 [FCM] Internal exception occurred.
2002017 [FCM] Unknown error.
2003000 [APNS] Server information does not exist.
2003001 [APNS] Internal processing error.
2003002 [APNS] Missing token.
2003003 [APNS] Missing topic in the certificate.
2003004 [APNS] Missing message.
2003005 [APNS] Token size error.
2003006 [APNS] Topic size error.
[APNS] Exceeded the maximum transmission message mdm_otc.

2003007
APNS Push length. log, mdm.
2003008 [APNS] Invalid token. log
2003009 [APNS] Server down.
2003010 [APNS] Protocol error.
2003011 [APNS] Internal exception occurred.
2003012 [APNS] Unknown error.
2003013 [APNS] Payload creation error.
2003014 [APNS] Agent push key does not exist.
2003015 [APNS] Client push key does not exist.
Appendix 566
2004000 [WNS] No server information.
2004001 [WNS] Invalid request.
2004002 [WNS] Invalid token.
[WNS] Requested channel does not have the permission to

2004003
send.
2004004 [WNS] Invalid channel.
2004005 [WNS] Invalid http method.
2004006 [WNS] Load exceeded.
2004007 [WNS] Channel expired.
2004008 [WNS] Exceeded the maximum message length (5 KB). mdm_otc.

WNS Push log, mdm.
2004009 [WNS] Internal server error. log
2004010 [WNS] Service outage.
2004011 [WNS] Internal exception occurred.
2004012 [WNS] Unknown error.
2004013 [WNS] Push key does not exist.
[WNS] Device channel URL information does not exist, but

2004014 the queue information is created in the command queue to
be processed later.
[WNS] WNS server information does not exist, but the

2004015 queue information is created in the command queue to be
processes later.
1500000 Request for the command more than ten times.
1500001 MDM profile assigned does not exist.
Device with a corresponding device ID does not exist on

1500002
the device information table.
1500004 Certificate file cannot be found.

mdm_ios_
iOS MDM 1500005 Certificate file cannot be read. agent.log,
1500006 Check-in authentication failed. mdm.log
1500007 Not iOS.
1500008 User is not activated.
1500010 Device is not in an active (A) or provision (P) state.
1500011 Device cannot be updated. UDID already exists.
1500013 Device ID pertinent to the tenant ID does not exist.
Appendix 567
1500014 Send push failed.
Re-enrollment prevention.
Note Re-enrollment is prevented in case the

1500015
enrolled device is re-enrolled due to a factory
reset.
Activation failed.

1500016
with a different mobile ID (device ID) using the
same tenant in the same device.
1500017 Profile signing failed.
Activation failed.

1500018
with a same mobile ID (device ID) using the
mdm_ios_
same tenant in a different device.
iOS MDM agent.log,
mdm.log
1500020 Parameter information error.
1500024 Enrollment profile cannot be created.
1500029 App information lookup failed.
1500030 Device activation failed.
1500031 Device deactivation failed.
1500032 Token update failed.
1500033 App installation is prohibited.
1500034 App installation failed.
1500035 Whitelisted and blacklisted app lookup failed.
Unable to fetch the app info from the app auto- delete
1500036
property sync when deactivated.
1500101 Unable to execute command now.
1500102 MDM command format is invalid.
Appendix 568
1900000 Profile cannot be copied.
1900001 Profile cannot be changed to JSON string.

mdm.log
1900004 Profile code invalid.
1900005 Profile type is invalid.
1901000 Category for settings in general area is invalid.
1901001 Category for settings in Knox Workspace area is invalid.
1901010 Information required by a device cannot be checked.
1901011 Request message from a device cannot be parsed.
1901012 EMM Agent request message cannot be checked.
1901013 Undefined command code.
1901014 Error occurred when creating file.
1901015 Version of the requested protocol is invalid.
1901016 A request message from a device cannot be checked.
Android MDM 1901017 ELM license and Knox license cannot be found.
1901018 Tenant ID cannot be found.
1901019 Command parameter is invalid.
EMM Client and EMM Agent app information cannot be mdm_

1901020
found. android_
agent.log,
mdm.log
1901022 Profile assigned to a device cannot be found.
1901024 Device status cannot be updated.
Device status cannot be updated

1901025
(UpdateDeviceInformation Command).
1901026 Error occurred when processing KeepaliveRequest.
1901027 Error occurred when processing LockDeviceRequest.
1901028 Error occurred when processing UnlockDeviceRequest.
Error occurred when processing

1901029
LocknoxContainerRequest.
1901030 Error occurred when processing InstallKnoxAppRrrequest.
1901031 Error occurred when processing UninstallKnoxAppRequest.
Appendix 569

1901032
RemoveKnoxAppInternalDataRequest.
1901033 Error occurred when processing StartKnoxAppRequest.
1901034 Error occurred when processing StopKnoxAppRequest.
Result of the EMM Agent message is not successful and

1901035
cannot be processed.
1901036 Result of a message from EMM Agent cannot be checked.
1901037 Parameter of EnrollmentSpecRequest is not appropriate.
1901038 Error occurred when processing InstallAppRequest.
1901039 Error occurred when processing TriggerRequest.
1901040 Error occurred when processing handlingReportRequest.
1901041 Error occurred when processing ResetPasswordRequest.

1901042
ResetExternalSdCardRequest.

1901043
AuthorizeExternalSDCardRequest.
1901044 Error occurred when processing WipeDeviceRequest. mdm_

android_
Android MDM 1901045 Error occurred when processing RebootDeviceRequest.
agent.log,
1901046 Error occurred when processing PowerOffDeviceRequest. mdm.log
1901047 Error occurred when processing UninstallAppRequest.

1901048
RemoveAppInternalDataRequest.
1901049 Error occurred when processing StartAppRequest.
1901050 Error occurred when processing StopAppRequest.
1901051 Error occurred when processing AppInfoRequest.

1901052
UnlockKnoxContainerRequest.

1901053
ResetKnoxContainerPasswordRequest.

1901054
RemoveKnoxContainerRequest.
1901055 Error occurred when processing StartCCModeRequest.
1901056 Error occurred when processing StopCCModeRequest.
1901057 EMM Agent profile does not exist.
1901058 Requested app information cannot be found.
Appendix 570
1901059 App file not found at path.
Keepalive information cannot be imported (Included in

1901060
Settings).
1901061 Requested Knox app information cannot be found.
1901062 Knox file not found at path.
1901063 Error occurred when processing InstallAppRequest.
Basic device information cannot be searched with a device

1901064
ID.
1901065 Device is not activated.
1901066 Device status cannot be checked.
1901067 System app information cannot be found.
1901068 EMM Agent app information cannot be found.
1901069 Error occurred when processing UpdateAgentRequest.
1901070 Device status is neither provisioned nor activated.
1901071 File path cannot be imported.
1901072 App ID in command parameter does not exist.

mdm_
1901073 Package name in command parameter does not exist. android_
Android MDM
agent.log,
1901074 Device status is not provisioned.
mdm.log
1901075 Device status cannot be changed to unmanaged.
1901076 Device status cannot be changed to managed.
1901077 Device has already been activated.
1901079 Offline deactivation code cannot be updated.
1901080 Error occurred when processing LockEasRequest.
1901081 Error occurred when processing UnlockEasRequest.
1901082 Status of device is neither Activated nor Disconnected.
Data is invalid (InvalidCommandData as shown in the

1901083
result of a policy).

1901084
GetAttestationNonceRequest.

1901085
VerifyAttestationDataRequest.
1901086 Attestation server address cannot be found.
1901087 Attestation API key cannot be found.
1901088 Attestation Parameter is invalid.
Appendix 571
1901090 EMM Client app information cannot be found.
1901091 EMM Agent app information cannot be found.
1901092 Error occurred when processing AuthorizeSimRequest.
Error occurred when handling

1901093
UpdateUnenrollCodeRequest.
1901094 Device status is disconnected.
1901095 Error occurred when processing EnableAppRequest.
1901096 Error occurred when processing DisableAppRequest.
1901097 Failed to decrypt the ELM license.

1901098
ReportPolicyViolationRequest.
1901099 AndroidForWork app information cannot be found.
1901100 AndroidForWork app file not found in path.
1901101 Error occurred when processing InstallAfwAppRequest.
1901102 Error occurred when processing UninstallAfwAppRequest.
1901103 Device status cannot be changed to disconnected. mdm_

android_
Android MDM 1901104 Failed to check if the device already exists. agent.log,
mdm.log
The information of a device activated with the same
1901105
equipment already exists.
1901106 Error occurred when processing UpdateDiagnosisRequest.
Unable to find the app auto-delete settings information

1901107
when deactivated.
1901108 Unable to fetch the next command.
1901109 Failed to create the command message.
1901110 Failed to delete the command.
1901111 MDM old protocol communication usage.
Error occurred when processing the Update Device

1901112
Inventory (request).
Error occurred when processing the Update App Inventory

1901113
(request).
Error occurred when processing the Update Current

1901114
Location Inventory (request).
Error occurred when processing the Update Audit Inventory

1901115
(request).
Appendix 572
Error occurred when processing the Update Log Inventory

1901116
(request).
1901117 Content ID does not exist in the requested parameter.
1901118 Content information cannot be found.
Error occurred when processing the download content

1901119 mdm_
request.
android_
Android MDM
Error occurred when processing the Update Device and agent.log,
1901120
App Inventory (request). mdm.log
1901121 Model number does not exist in the requested parameter.
1901122 Customer code does not exist in the requested parameter.
1901123 Permitted firmware version cannot be found.
1901124 Permitted firmware version does not exist.
1600000 Information on the parameter of Header does not exist.
1600001 Compression failed.
1600002 Encryption failed.
1600003 The command does not exist.
1600004 Invalid version.
1600005 The device ID does not exist on the server.
1600006 Invalid device ID. (not A.P)
1600010 Failed to check the device ID DB.
1601001 OTC transfer failed.
1601002 Failed to check the application DB.

mdm_ai_
Client 1601003 Failed to check the Knox ID DB. client.log,
1601004 Client ID does not exist in the request parameter. mdm.log
1601005 App ID does not exist in request parameter.
1601006 Package name does not exist in the request parameter.
1601007 Knox ID does not exist in the request parameter.
Knox Workspace ID matching the parameter Knox ID does

1601008
not exist.
App information corresponding to the parameter App ID

1601009
does not exist.
1601010 Invalid OTC code.
1601011 Application is not included in the whitelist/blacklist.
1601012 profileId cannot be found in AndroidForWork.
Appendix 573
1601020 User ID does not exist in the request parameter.
1601021 Inserting webpage information failed.
1601022 User ID does not exist in request parameter.
1601023 Bookmark index does not exist in request parameter.
1601024 Failed to insert bookmark information DB.
1601030 Failed to update the device token DB update.
1601031 Failed to check the profile DB.
1601032 Failed to check the app information DB.
1601033 Failed to create profile.
Failed to update DB for the time of the last update of

1601034
profile.
1601035 Failed to check the app information DB.
1601036 Failed to update the EMM Client package information.
Failed to update DB related to location and jailbreak

1601040 mdm_ai_
information, etc.
Client client.log,
1601041 Invalid report type. mdm.log
1601060 Device ID does not exist.
1601061 It has not been activated (A).
1601062 It has not been deactivated (I).
1601063 Visitor Profile cannot be created.
1601064 Profile to enable deleting visitor profiles cannot be created.
1601065 Failed to delete visitor profile.
1601066 Failed to check device.
1601070 Failed in Knox CheckEnrollment.
1601080 Failed to fetch the command.
1601081 Failed to delete the command.
1601082 No more commands.
1601083 Failed to create the command message.
1601090 Unable to get the INI configuration file.
Appendix 574
1700001 Failed to obtain server key.
1700002 Decryption failed.
1700003 Encryption failed.
1700004 There is no HTTP body.
1700005 A value not supported by HTTP header has been entered.
1700006 Compulsory factor in EMM Message has not been entered.
1700007 Protocol version not available.
1700008 Failed to check device information.
1700009 The device has not been activated.
Kiosk 1700010 Failed to check app information. mdm.log
1700011 This OTC code is not available.
1700012 OTC transfer failed.
1700013 Failed to check Kiosk Launcher information.
1700014 Kiosk Launcher cannot be created through Wizard.
1700015 Failed to check the current time.
1700016 Compression failed.
1700017 Failed to cancel compression.
1700018 Failed to create EMM Message.
1700019 Failed to transfer HTTP Response.
Appendix 575
1001 There is no Public Key on the server.
1002 Error in server GetPublicKey Runtime.
1003 There is no device information on the server.
1004 There is no device registered to the server.
1005 The device has been Disconnected.
1008 Error in server provision runtime

mdm_
Provision 1009 There is no Private Key on the server. provision.
log
1011 The status of the server does not allow initProvision.
1018 There is no device matching for InitProvision.
1019 A device has already been provisioned on the server.
1021 Error in server InitProvision Runtime.
1022 User ID cannot be found.
1023 Authentication failed due to inconsistent ID or password.
1024 Network communication error.
The number of devices automatically registered has been

1025
exceeded.
1026 The value of the device ID is not valid.
1031 Failed to read license information.
1032 The device has been disconnected.
The number of devices allowed to be registered for each

1033
user has been exceeded.
The platform information transferred from the device does

1034
not match the platform information stored in the server. mdm_
Provision The device is not exclusively for Wi-Fi, but it does not have provision.
1035 log
a Mac address and IMEI information.
The device is exclusively for Wi-Fi and does not have serial
1036
number information.
1037 Mac address information is missing for a Windows device.
1038 ProvisionIdentifier is duplicated for the Windows device.
When there is no device activated by the same

1039 ProvisionIdentifier in the general area when attempting
Knox Provisioning.
1040 User information is not available during Knox provisioning.
1041 The KME devices do not match.
Appendix 576
AppWrapper error codes
The error codes that may appear while using the AppWrapper on Android or iOS are as follows:
Android App
Code Definition Description
0 SUCCESS Wrapping successful.
EMM SDK is included in the apk file

SUCCESS + 1 EMM_SDK_EXIST
when in EMM check mode.
EMM SDK is excluded in the apk file

SUCCESS + 2 EMM_SDK_NOT_EXIST
when in EMM check mode.
Original apk file to wrap not found in

-1000 SRC_APK_NOT_EXIST
path.
The tmp folder required for a redex

SRC_APK_NOT_EXIST -1 TMP_DIR_NOT_EXIST
process does not exist.
KeyStore file for signing not found in

SRC_APK_NOT_EXIST -2 KEYSTORE_FILE_NOT_EXIST
path.
sdsemm.dex file does not exist in the

SRC_APK_NOT_EXIST -3 DEX_FILE_NOT_EXIST
Wrapper installed folder.
SO lib folder for INI Push use not

SRC_APK_NOT_EXIST -4 SO_LIB_DIR_NOT_EXIST
found in path.
FRAMEWORK_RES_FILE_NOT_ resource_framework.arsc file not

SRC_APK_NOT_EXIST -5
EXIST found in path.
EMM SDK is included in the apk file

SRC_APK_NOT_EXIST -6 EMM_SDK_ALREADY_INCLUDED
to wrap.
Signing failed for the wrapped apk

SRC_APK_NOT_EXIST -7 SIGNING_FAILED
file.
The apk file has a record of

SRC_APK_NOT_EXIST
APPWRAPPER_VER_CHECK being wrapped with an identical
-10
AppWrapper version.
-99999 UNKNOWN
Appendix 577
iOS App
Code Definition Description
0 SUCCESS Wrapping successful.
Original IPA file to wrap not found in

-1000 SRC_APK_NOT_EXIST
path.
EMM SDK is included in the IPA file

SRC_APK_NOT_EXIST -6 EMM_SDK_ALREADY_INCLUDED
to wrap.
Signing failed for the wrapped IPA

SRC_APK_NOT_EXIST -7 SIGNING_FAILED
file.
The IPA file has a record of being

SRC_APK_NOT_EXIST
APPWRAPPER_VER_CHECK wrapped with an identical version of
-10
App Wrapper.
SRC_APK_NOT_EXIST Provisioning profile for app signing

PROVISIONFILE_NOT_EXIST
-11 not found in path.
The entered app bundle ID does not

SRC_APK_NOT_EXIST
BUNDLEID_NOT_MATCHED match the app ID of the provisioning
-12
profile.
The entered prefix value of the

SRC_APK_NOT_EXIST keychain group does not match
KEYCHAIN_NOT_MATCHED
-13 the prefix value of the provisioning
profile.
-99999 UNKOWN
Appendix 578
List of Open API
View the detailed information on Open API, including the descriptions of each method.
Method URL Description
/emm/oapi/device/ Queries the GPS information of

selectDeviceLocation
selectDeviceLocation/ the device.
/emm/oapi/device/ Queries the device information of

selectDevicesByUser
selectDevicesByUser/ the users.
Queries the device detailed

selectDeviceInfo /emm/oapi/device/selectDeviceInfo/
information.
Queries the device information

selectDeviceList /emm/oapi/device/selectDeviceList/
list.
/emm/oapi/device/ Assigns a device to a profile

insertDeviceToProfileGroup
insertDeviceToProfileGroup/ group.
/emm/oapi/device/
insertMalwareApp Inserts a malware application.
insertMalwareApp/
deleteDeviceFromProfile /emm/oapi/device/ Deletes the device from the

Group deleteDeviceFromProfileGroup profile group.
sendDeviceControlFor /emm/oapi/mdm/
Updates the profiles currently
UpdateProfile (tenantId, commonOTCServiceWrapper/
assigned to the device.
deviceId) sendDeviceControlForUpdateProfile
sendDeviceControlFor /emm/oapi/mdm/
Deletes the data of the relevant
DeleteAppData (tenantId, commonOTCServiceWrapper/sendD
app from the device.
deviceId,<Application list>) eviceControlForDeleteAppData
/emm/oapi/device/ Queries the device detailed

selectDeviceInfoByMobileId
selectDeviceInfoByMobileId/ information by mobile ID.
/emm/oapi/device/ Queries the device information

selectDeviceListByEmpNos
selectDeviceListByEmpNos/ list by employee number.
/emm/oapi/device/ Queries the information about

selectDeviceInfoByImei
selectDeviceInfoByImei the device using its IMEI.
Queries the information about

selectDeviceInfo /emm/oapi/device/
the device using its serial
BySerialNumber selectDeviceInfoBySerialNumber
number.
Appendix 579
Queries a list of apps on the

device:
• For an Android device, this

/emm/oapi/device/ queries a list of all apps
selectDeviceAppList
selectDeviceAppList installed on the device.
• For an iOS device, this queries
a list of all apps excluding the
preloaded apps.
deleteDeviceFrom /emm/oapi/device/ Deletes a device from the

DeviceGroup deleteDeviceFromDeviceGroup devices group.
selectDeviceLocation /emm/oapi/device/ Queries the location history of

History selectDeviceLocationHistory the device.
/emm/oapi/device/ Queries the connection status of

checkDeviceConnection
checkDeviceConnection the device through SA.
/emm/oapi/mdm/
sendDeviceControl commonOTCServiceWrapper/ Sends a device control to a
ForUserDefinedEvent sendDeviceControlForUser device for user-defined events.
DefinedEvent/
/emm/oapi/mdm/
Returns messages of the device
getDeviceControlResult commonOTCServiceWrapper/
control process.
getDeviceControlResult/
/emm/oapi/mdm/
Sends a device control to flush
sendDeviceControl commonOTCServiceWrapper/
the command queue in the EMM
ForAgentFlushQueue sendDeviceControlForAgent
server.
FlushQueue/
/emm/oapi/mdm/
Sends a device control to
sendDeviceControlForAgent commonOTCServiceWrapper/
several devices for flushing the
FlushQueueToMultiDevices sendDeviceControlForAgent
command queues.
FlushQueueToMultiDevices/
/emm/oapi/mdm/
sendDeviceControl Sends a device control to wipe a
commonOTCServiceWrapper/
ForFactoryReset device.
sendDeviceControlForFactoryReset/
/emm/oapi/mdm/
sendDeviceControl Sends a device control to get the
ForGPSInfo location of a device.
sendDeviceControlForGPSInfo/
/emm/oapi/mdm/
Sends a device control to remove
sendDeviceControlFor commonOTCServiceWrapper/
the whole Knox Workspace on
RemoveAllKNOX sendDeviceControlForRemove
the device.
AllKnox/
/emm/oapi/mdm/
sendDeviceControl Sends a device control to
ForUnEnrollment deactivate the device.
sendDeviceControlForUnEnrollment/
Appendix 580
/emm/oapi/mdm/
sendDeviceControl Sends a device control to lock a
ForLockDevice device.
sendDeviceControlForLockDevice/
/emm/oapi/mdm/
sendDeviceControl commonOTCServiceWrapper/ Sends a device control to unlock
ForUnLockDevice sendDeviceControlForUnLock a device.
Device/
/emm/oapi/mdm/
Sends a device control to a
sendDeviceControl commonOTCServiceWrapper/
device for triggering the user-
ForUserDefinedEvent sendDeviceControlForUser
defined event policies.
DefinedEvent/
/emm/oapi/mdm/
Sends a device control to several
sendDeviceControlForUser commonOTCServiceWrapper/
devices for the user-defined
DefinedEventToMultiDevices sendDeviceControlForUser
event policies.
DefinedEventToMultiDevices/

devices for the user-defined
/emm/oapi/mdm/ event policies.
sendDeviceControlForUser
DefinedEventToMulti Note This API does not
sendDeviceControlForUser
DevicesNR return a command ID
DefinedEventToMultiDevicesNR/
as a result of sending
a device control.
/emm/oapi/mdm/ Sends a device control to a

sendDeviceControl
commonOTCServiceWrapper/ device for triggering the gate
ForGateEvent
sendDeviceControlForGateEvent/ event policies.
/emm/oapi/mdm/
sendDeviceControlForUser commonOTCServiceWrapper/
multiple devices for user-defined
DefinedEventToMultiDevices sendDeviceControlForUserDefined
events.
EventToMultiDevices/
/emm/oapi/mdm/
sendDeviceControlForGate commonOTCServiceWrapper/ Sends a device control to
EventToMultiDevices sendDeviceControlForGateEvent multiple devices for gate events.
ToMultiDevices/
/emm/oapi/mdm/
sendDeviceControlForUser Sends a device control to
DefinedEvent multiple devices for user-defined
sendDeviceControlForUserDefined
ToMultiDevicesNR events (no response).
EventToMultiDevicesNR/
/emm/oapi/mdm/
sendDeviceControlForGate commonOTCServiceWrapper/
multiple devices for gate events
EventToMultiDevicesNR sendDeviceControlForGateEvent
(no response).
ToMultiDevicesNR/
Appendix 581
/emm/oapi/mdm/
devices for the gate event
EventToMultiDevices sendDeviceControlForGate
policies.
EventToMultiDevices/

devices for the gate event
policies.
Note • This API does not

return a command
ID as a result of
/emm/oapi/mdm/
sending a device
control.
EventToMultiDevicesNR sendDeviceControlForGate
EventToMultiDevicesNR/ • For Android
devices, this API
is faster than “/
sendDevice
ControlForGate
EventToMulti
Devices
/emm/oapi/mdm/ Sends a device control to

sendDeviceControl
commonOTCServiceWrapper/ a device for requesting the
ForKeepalive
sendDeviceControlForKeepalive/ Keepalive service.
/emm/oapi/mdm/ Sends a device control to a

sendDeviceControl
commonOTCServiceWrapper/ device for viewing the device
ForDeviceInfo
sendDeviceControlForDeviceInfo/ information.
/emm/oapi/mdm/
a device to flush the agent
FlushQueue sendDeviceControlForAgentFlush
command queue.
Queue/
/emm/oapi/mdm/
multiple devices to flush the
FlushQueueToMultiDevices sendDeviceControlForAgentFlush
agent command queue.
QueueToMultiDevices/
Receives the events information

/emm/oapi/mdm/
of a device. The returned
getUserDefinedEvent profileServiceWrapper/
information includes the meta
InformationOfDevice getUserDefinedEventInformation
data of each event which is
OfDevice/
applied to the device.
insertDevice /emm/oapi/user/createDevice/ Creates the devices.
insertUser /emm/oapi/user/createUser/ Creates the users.
Appendix 582
Purges the users.
Note The users to be

purgeUser /emm/oapi/user/purgeUser/ purged should not
have any activated
mobile devices.
activateUser /emm/oapi/user/activateUser/ Activates the users.
deactivateUser /emm/oapi/user/deactivateUser/ Deactivates the users.
updateUser /emm/oapi/user/updateUser/ Updates the users.
deleteDevice /emm/oapi/user/deleteDevice/ Deletes the devices.
updatePassword /emm/oapi/user/updatePassword/ Updates the user password
selectUserWithID /emm/oapi/user/selectUserWithID Selects the user with the ID.
selectUsers /emm/oapi/user/selectUsers Selects the users.
/emm/oapi/mdm/ Receives a list of phone

getCommandQueued commandQueueServiceWrapper/ numbers which have unresolved
DevicesForAndroidAgent getCommandQueuedDevices commands in the command
ForAndroidAgent/ queue.
/emm/oapi/mdm/ Queries the command queue

getCommandQueue
commandQueueServiceWrapper/ that has not been sending a
NoSendCnt
getCommandQueueNoSendCnt/ device control to the devices.
/emm/oapi/mdm/
getUserDefinedEvent profileServiceWrapper/ Queries the user-defined events
InformationOfDevice getUserDefinedEventInformation allocated to the devices.
OfDevice/
/emm/oapi/mdm/
Queries the payload UUID of iOS
getIOSPayloadUUIDList profileServiceWrapper/
devices.
getIOSPayloadUUIDList
/emm/oapi/message/
selectSMSQueueList Queries the SMS queue list.
selectSMSQueueList/
/emm/oapi/message/ Updates the SMS queue

updateSMSQueue
updateSMSQueue/ information.
/emm/oapi/message/ Deletes the SMS queue

deleteSMSQueue
deleteSMSQueue/ information.
authenticate /emm/oapi/auth/authenticate Authenticates the user.
Queries the validity of the

isLicenseValid /emm/oapi/license/isLicenseValid
license.
write /emm/oapi/audit/write/ Writes an audit log.
selectGroups /emm/oapi/group/selectGroups Queries the groups.
Appendix 583
selectGroupUnits /emm/oapi/group/selectGroupUnits Queries the groups in detail.
selectGroupUsers /emm/oapi/group/selectGroupUsers Queries the list of group users.
Checks for duplicate group

countGroup /emm/oapi/group/countGroup
names.
insertGroup /emm/oapi/group/insertGroup Creates a user or a device group.
deleteGroup /emm/oapi/group/deleteGroup Deletes a group.
Adds a member (user or device)

insertGroupEntity /emm/oapi/group/insertGroupEntity
to a group.
Deletes a member (user or

deleteGroupUnits /emm/oapi/group/deleteGroupUnits
device) from a group.
/emm/oapi/group/ Queries the list of groups

selectGroupDevices
selectGroupDevices devices.
create /emm/oapi/org/create Creates an organization.
delete /emm/oapi/org/delete Deletes the organization.
Updates the organization

update /emm/oapi/org/update
information.
Adds the users to a specific

addMembers /emm/oapi/org/addMembers organization when changing the
organization.
selectList /emm/oapi/org/selectList Queries a list of organizations.
Queries the organization in

select /emm/oapi/org/select
detail.
Queries a list of users in a

selectUsers /emm/oapi/org/selectUsers
specific organization.
Queries a list of devices in a

selectDevices /emm/oapi/org/selectDevices
specific organization.
emm/oapi/mdm/ Sends the device command

sendDeviceControl
commonOTCServiceWrapper/ to devices to update user
ForUserInfo
sendDeviceControlForUserInfo information.
emm/oapi/mdm/
Sends the device command to
multi devices to update user
UserInfoToMultiDevices sendDeviceControlForUserInfo
information.
ToMultiDevices
emm/oapi/mdm/
This API sends a Device Control
to reset screen or container pass
ResetPassword sendDeviceControlForReset
word on a device.
Password
Appendix 584
emm/oapi/mdm/
sendDeviceControl This API sends a Device Control
ForRunApp to run an application on a device.
sendDeviceControlForRunApp
/emm/oapi/mdm/
Resets the screen lock or
sendDeviceControlForReset commonOTCServiceWrapper/
container lock password of an
Password sendDeviceControlForReset
Android device.
Password
/emm/oapi/mdm/ Queries the list of the

getCommandQueued commandQueueServiceWrapper/ Android devices that have an
DevicesForAndroidAgent getCommandQueuedDevicesFor unprocessed agent command
AndroidAgent/ queue.
Appendix 585
Glossary
Use the following glossary to understand terms and abbreviations used in this manual.
A
No. Terminology Definition
Active Directory is a directory service implementation that provides functions

like authentication and authorization. It supports the Lightweight Directory
Active Directory Access Protocol (LDAP).
1
(AD)
For more information, see Lightweight Directory Access Protocol (LDAP) and
AD/LDAP Sync Services.
Through the AD/LDAP sync services, administrators can sync and use the
AD/LDAP Sync information of a company's existing users, groups, and organizations with Knox
2 Manage.
Services
For more information, see Lightweight Directory Access Protocol (LDAP).
Android Legacy devices are devices that were released under Android versions
3 Android Legacy
earlier than 5.0. and do not support work profiles.
Android
4 Android Enterprise is a Google-led program for enterprise devices and services.
Enterprise (AE)
Using Knox Manage's App Wrapper, administrators can simply insert code to
add security policy control functions, such as copying and pasting text, screen
lock and screen capture, to internal applications, without having to modify
5 App Wrapper the source code. The App Wrapper function is only available on Android and
For more information, see Android Legacy and Android Enterprise (AE).
Apple Push Apple Push Notification service (APNs) helps facilitate sending commands to
6 Notification iOS devices through Apple's push notifications.
service (APNs) For more information, see iOS.
Application The Application Programming Interface enables the construction of Application

7 Programming software and facilitates the communication between other software
Interface (API) components.
Often referred to as an app, a mobile application is a software program

8 Applications
designed for mobile devices to perform specific tasks.
Area is a space within the device that administrators can have a control over.
Administrators can install applications or configure device settings for the
9 Area selected area. The area types differ based on the device platform.
For more information, see General area, Knox Workspace area, Work area, and
Personal area.
Appendix 586
Attestation is a process that verifies the integrity of a device. It can check if

a device has been rooted or if it is running unauthorized firmware. All Knox
devices, beginning with the Galaxy Note 3, support attestation. Devices older
10 Attestation than Galaxy Note 3 do not support attestation.
For more information, see Compromised App and Cyclic Redundancy Check
(CRC).
Audit defines tasks and records that occur while operating Knox Manage as
events. Comprehensive information about device activities are recorded as
11 Audit audit logs, audit events, and audit targets.
For more information, see Level and Fail Level.
B
The relevant value for the sync service in Knox Manage. Identifies the base
distinguished name which serves as the starting point of the sync service query.
1 Base DN The default value is supported but you can supply a custom base distinguished
name if you want to run the query from a different starting point.
For more information, see Sync services.
C
The Certificate Authority (CA) is an authority that generates certificates

for authentication services. Administrators can select a certificate for
Certificate authentication when using the network, such as Wi-Fi, VPN, Exchange, APN, and
1
Authority (CA) so on.
For more information, see Certificates.
Certificate Certificate Signing Request file (CSR) contains basic information such as
2 Signing Request common name, organization name, or country, for the Certificate Authority in
(CSR) order to apply for a digital identity certificate.
Applications, which use public key technology, issue and manage certificates to
enhance security. Knox Manage uses external certificates for network services
3 Certificates such as WI-FI, VPN, Exchange, and APNs.
For more information, see Apple Push Notification service (APNs) and Virtual
Private Network (VPN).
A Common Name (CN) value. It identifies a host domain name associated with
4 CN value
a certificate.
Appendix 587
When the hash value (CRC) of an application registered in the Admin Portal
Compromised differs from the one installed on the device, it is displayed as a compromised
5 app. This is only checked when the administrators uploads an installation file.
App
For more information, see Attestation and Cyclic Redundancy Check (CRC).
Corporate-
Owned Corporate-Owned Personally Enabled (COPE) is a business strategy in which an
6
Personally organization provides computing devices to its employees for work purposes.
Enabled (COPE)
Credential Storage (CS) is the place where trusted certificates can be stored.
Credential This also requires installation.
7
Storage (CS)
For more information, see Certificates.
A Cyclic Redundancy Check determines the integrity of data sent by apps. A

CRC examines the check value used, in order to ensure that there are no errors
Cyclic in data sent through a network, etc., and then sends it along with the data. It is
8 Redundancy only applicable to Android devices.
Check (CRC)
For more information, see Android Enterprise (AE), Attestation, and
Compromised App.
D
Device Apple's Device Enrollment Program (DEP) allows a large number of iOS devices
1 Enrollment to be quickly and easily enrolled in Knox Manage through Knox Portal.
Program (DEP) For more information, see iOS.
Device Owner is a mode that is provided on a Fully Managed device. It manages

Device Owner the overall device settings and connectivity, including the factory reset feature.
2
(DO)
For more information, see Fully Managed.
Samsung’s interface device, DeX, gives mobile devices a desktop-like

3 DeX experience. DeX mode on Knox Manage allows users to control apps according
to the application execution blacklist.
Appendix 588
E
Enterprise Knox E-FOTA (Enterprise Firmware-Over-The-Air) is a license service that

Firmware- provides wireless firmware upgrades for devices. E-FOTA supports SAMSUNG
1 Galaxy devices with Android 7.0 (Nougat) or higher.
Over-The-Air
(E-FOTA) For more information, see Android Legacy and Android Enterprise (AE).
Enterprise
Enterprise Mobility Management (EMM) is a solution that can be implemented
Mobility
2 at every layer from devices and; application to data and operates security
Management
through a single console regardless of OS.
(EMM)
Exchange ActiveSync is a synchronization protocol that enables mobile device

Exchange users to access email, calendar, contacts, and tasks from their organization's
3 Exchange server.
ActiveSync
For more information, see Sync services.
F
Information provided in the audit event list. Refers to a failed audit event
1 Fail Level severity.
For more information, see Viewing audits.
Fully Managed device contains only work applications and work data.
2 Fully Managed Administrators can fully control the whole area of the device.
For more information, see Device Owner (DO).
G
Area where Knox Workspace is not installed and cannot be controlled by the
1 General area
administrators.
Group is a unit to apply policies and settings on devices or to manage

2 Group
application authorities on Knox Manage.
Appendix 589
I
IMEI
(International International Mobile Equipment Identity (IMEI) is the numerical identifier for
1 Mobile every mobile device that is used for differentiating each device from one
Equipment another.
Identity)
iOS is a mobile operation system created by Apple Inc. This system is

2 iOS
specifically developed for Apple-manufactured devices.
K
Keepalive regularly checks the connection status between a device and the
1 Keepalive Knox Manage server. If a device is lost or disconnected from the server,
Keepalive provides tighter security.
Kiosk is a user interface software that protects the application by limiting

Kiosk
2 users from administrative activities. Examples of Kiosk software implemented
(software)
products are automated check-in systems and pay-per-use computers.
Kiosk applications allow devices to be used in Kiosk mode. When a Kiosk

application is installed on an Android device, the user cannot access the
device's Settings, and can only open the Kiosk application or browsers specified
Kiosk by the administrators. Knox Manage provides features that are used to develop,
3 install and control kiosk applications so that devices can be used as kiosk
applications
devices.
For more information, see Android Legacy, Android Enterprise (AE), and Knox
Manage (KM).
A Kiosk Browser allows users to have partial or limited access. For example, it
is used in situations when only a certain URL needs to be connected to, such
4 Kiosk Browser
as notices on a company's website. The web browser for the Kiosk Browser is
provided by Knox Manage by default.
Kiosk mode provides a variety of extended options to lock down or configure

5 Kiosk Mode user’s devices according to the business needs. It is often used to create a
single purpose device.
Knox Manage is a Samsung proprietary cloud-based EMM (Enterprise Mobility

Management) solution that provides a list of security features in the form of
Knox Manage both hardware and software. Knox Manage enables businesses and personal
6 content to coexist on the same handset. A Knox Manage license is required to
(KM)
use Knox Manage services.
For more information, see Enterprise Mobility Management (EMM) and License.
Appendix 590
Knox Mobile
Samsung's Knox Mobile Enrollment (KME) is the quickest and most automated
7 Enrollment
way to bulk enroll a large number of Android devices.
(KME)
Knox Knox Workspace (KWS) is a licensed service that provides a defense-grade dual
8 Workspace persona container service on one device.
(KWS) For more information, see License.
Knox Area where Knox Workspace is installed and can be controlled by the
9
Workspace area administrators.
L
Information that indicates the degree of success or failure on the audit event
1 Level list.
For more information, see Viewing audits.
Knox Manage licenses can be categorized into three types: Knox Manage (KM),
Knox Workspace (KWS), and E-FOTA.
2 License
For more information, see Knox Manage (KM), Knox Workspace (KWS), and
Enterprise Firmware-Over-The-Air (E-FOTA).
Lightweight
Directory Lightweight Directory Access Protocol (LDAP) is a service that provides access
3
Access Protocol and manages the client's directory-based information.
(LDAP)
M
Master data is the information that is necessary for the operation of Knox
1 Master data
Manage, such as the user's position, security level, and site.
Knox Manage's Mobile Admin supports administrators with a convenient

2 Mobile Admin overview of the service history in a mobile environment and provide essential
device management features.
Mobile Mobile Application Management is a type of a security management that allows

Application administrators to assign and deploy the applications and policies for each
3
Management application in the application management profile to a specific organization or
(MAM) a group.
Appendix 591
Mobile
Contents A content management strategy that is capable of storing and delivering
4
Management content and services to mobile devices.
(MCM)
Mobile Device Mobile Device Management (MDM) is a software that enables administrators to
5 Management immediately assign and deploy the device policies or device settings for each
(MDM) platform in the device management profile to a specific organization or group.
O
One Time
1 Password One Time Password.
(OTP)
Unit to configure policies for a user device or to manage application authority in

2 Organization Knox Manage.
For more information, see Knox Manage (KM).
P
Area where Work Profile in not installed and cannot be controlled by the
1 Personal area administrators.
For more information, see Work Profile.
Profile is a set of policies containing device configurations and settings.

2 Profile Profiles allow you to control device functions and install the Wi-Fi, VPN, and
Exchange settings of your company on user devices.
Profile Owner is a mode that adds a Work Profile on a personal device. It

Profile Owner manages device settings and connectivity only within the work area.
3
(PO)
For more information, see Work area and Work Profile.
Appendix 592
R
When an Android device user requests support, the administrator can share
Remote Support the user's device screen through the Remote Support Viewer (RS Viewer); and
1 Viewer (RS remotely perform tasks on a given screen. Administrators can also support
Viewer) multiple users remotely at the same time.
For more information, see Android Legacy and Android Enterprise (AE).
S
Samsung Knox Manage Cloud Connector is a service that creates a secure

channel for data transfers between the enterprise system and the Knox Manage
Samsung Knox cloud server. SCC facilitates the connection between the user information in a
Manage Cloud client's AD/LDAP with the CA's certificate on a user's device, and ensures the
1
Connector safety of the connection.
(SCC)
For more information, see AD/LDAP Sync Services and Certificate Authority
(CA).
Samsung
License SLM manages the entire lifecycle of Knox licenses including ordering, license
2
Management generation, activation tracking, validation, and quantity checking.
System (SLM)
Samsung Enterprise Gateway (SEG) is a cloud-based facility which assists in a

Samsung variety of operations between the Mobile Device Management (MDM) and user
3 Enterprise devices such as registering profiles and enrolling devices.
Gateway (SEG)
For more information, see Mobile Device Management (MDM).
A stand-alone device refers to a device that can function independently without

Stand-alone
4 integrating with other hardware. A copy machine is an example of a stand-alone
device
device.
Administrators can connect directory services with Knox Manage in order to

sync user, organization, and group information. Registered sync services can be
5 Sync services operated automatically.
For more information, see Base DN and AD/LDAP Sync Services.
Appendix 593
U
Universal MDM Client (UCM) is pre-installed on Samsung devices and acts as a

Universal MDM substitute for proprietary Mobile Device Management (MDM) client software.
1
Client (UMC)
For more information, see Mobile Device Management (MDM).
V
Virtual Private A Virtual Private Network (VPN) is a mechanism for creating a secure
1
Network (VPN) connection among devices or networks.
Apple's Volume Purchase Program is a service that purchases and deploys

Volume public applications that are used in an organization or company, and then
2 Purchase efficiently deploy them to a large number of iOS devices at once.
Program (VPP)
For more information, see iOS.
VPP Applications distributed through Apple's Volume Purchase Program (VPP).

3
applications For more information, see Volume Purchase Program (VPP).
W
Area where Work Profile is installed and can be controlled by the administrators.
1 Work area
For more information, see Work Profile.
Work Profile device contains personal areas, work applications, and work data.
2 Work Profile Administrators can only control the work area of the device.
For more information, see Profile Owner (PO) and Work area.
Appendix 594

SAMSUNG Knox Manage 20.2 Administrator Guide

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

SAMSUNG Knox Manage 20.2 Administrator Guide

Caricato da

Copyright:

Formati disponibili

Knox Manage

Solution version 20.2

Published: February 2020

Introducing Samsung Knox Setting an APNs certificate (iOS only)

Managing user accounts 51

Starting up email and SMS

users via email 54

Following the step-by-step guide 35 Applying the latest profiles to organizations 64

Assigning and distributing content to Enrolling devices 100

Syncing user information with AD/LDAP 78 Viewing device logs 145

Device Distributing content 151

Controlling devices in Knox Manage 391

Creating a Single App Kiosk 373 Advanced

9 Setting a directory connector

Installing the RS Viewer 387

Managing Open API 423 Configuring the Keepalive settings 463

Configuring Microsoft Exchange 447

Setting the dashboard 475

Setting Viewing reports

Viewing audits 494

Managing alerts 501

Viewing the device log 503

Lists of error codes 546

List of Open API 579

This chapter explains the following topics:

→→ Knox Manage components

Introducing Samsung Knox Manage 9

No. Name Description

An application installed on Android, iOS, and Windows

3 Knox Manage server Knox Manage cloud server

Transfers data securely between the client’s enterprise

Imports the client’s directory-based user information. For

Generates certificates for authentication when using a

Introducing Samsung Knox Manage 10

Quick troubleshooting via Knox Manage Remote Support

Optimal management of OS versions using E-FOTA

Knox Manage enables wireless firmware management via Enterprise Firmware-Over-The-

Integrated management of Android Enterprise devices

Optimized Knox Manage Admin Portal

Support of differentiated Samsung Knox

Introducing Samsung Knox Manage 11

Bulk device enrollment and application assignment

Easy initial setup with the Getting Started guide

Strong data protection

• Two-factor authentication is supported through applications and communication based on

Storage of device analysis data

Direct Boot enabled

Introducing Samsung Knox Manage 12

OS Microsoft Windows XP or higher

• Google Chrome version 41 or higher

Android Enterprise Android 6.0 (Marshmallow) or higher

Android Legacy Android 5.0 (Lollipop) or higher

User’s device iOS iOS 9.0 or higher

A desktop computer on which Microsoft Windows 10

English, Portuguese, Spanish, French, German, Italian,

Note • Online help in the Admin Portal is only available in English.

Introducing Samsung Knox Manage 13

No. Name Description

No. Name Description

Introducing Samsung Knox Manage 14

Click to customize more settings.

Click next to the account ID to view more menus.

Introducing Samsung Knox Manage 15

Manage internal or public applications in Knox Manage. Assign applications to