
Restrictions

You can allow or restrict user access to various device features such as Bluetooth, Camera, and device data encryption.

Only devices running Android 5.0 or above can be provisioned as Profile Owner or Device Owner.

Note: To view a detailed comparison of the policies supported on each OS version, click here.

FEATURE DESCRIPTION KNOX-ENABLED SAMSUNG WORK PROFILE ON COMPANY OWNED DEVICES NON-SAMSUNG
LEGACY PROFILE OWNER DEVICE OWNER
DEVICE FUNCTIONALITY
Camera (Supported from Android 4.0) By disabling this, users will not be allowed to use the Camera on their devices. On restricting this, the Camera will remain restricted within the Knox container also.
Access Camera from Lock Screen (Supported from Android 4.0) By disabling this, the users are restricted from accessing the Camera from the lock screen of the device. This can be configured only when Camera is allowed on the device. Applicable for devices running 4.2 or later versions Applicable for devices running 4.2 or later versions
Video Recording (Supported from Android 4.2.2) By disabling this, users will not be able to record videos on their devices. Video Recording can be allowed only when Camera is allowed on the device.
Microphone By enabling this, users will be allowed to use the Microphone. If this is disabled, users can use the Microphone only for receiving and making calls. All other voice applications which require the Microphone usage will be restricted.
On restricting this on the device, the Microphone will remain restricted within the Knox container also.
Audio Recording (Supported from Android 4.2.2) By disabling this, users will not be able to record audio on their devices. Audio recording can be enabled only when the Microphone is enabled on the device. No separate restriction - Restricted when the Microphone is restricted
Firmware Recovery (Samsung-only feature) By disabling this, users cannot perform firmware recovery on the device.
OS Upgrade (Samsung-only feature, supported from Android 4.1) By enabling this, users will be able to perform OS upgrades on their devices.
Screen Capture By disabling this, users will not be allowed to capture the screen on the devices.

Note: The screen capture restriction is applied through a Samsung API whose behavior changes from Knox 3.8. Screen capture may still be possible in Samsung default apps such as Launcher, SystemUI, Settings, Reminder, Calendar and Clock even when the restriction is applied.

Smart Clip Mode (Samsung-only feature, supported from Android 5.0) By enabling this, users will be allowed to access smart clip mode on their devices.
S-Voice (Samsung-only feature, supported from Android 4.1) By disabling this, users will be unable to use the S-Voice feature on their devices. S-Voice can be enabled only when the Microphone is enabled on the device.
Add Accounts (Supported from 4.1) Enabling this will allow users to add email, exchange, LDAP, and Google accounts on managed devices.
Disabling this prevents users from adding any of these accounts. Account addition is prevented only after the restriction is applied to the devices; accounts that were already present are not affected.

Applied only to the Work Container
Enforce Storage Encryption (Supported from Android 4.0) All data stored in the internal memory of the device must be encrypted. Ensure your devices are charged up to 80% to begin the encryption process. This restriction is applied only if the device is secured through a passcode. If there is no passcode on the device, you can associate a Passcode policy first and then distribute the restrictions policy. Encrypted by default Encrypted by default
Enforce SD Card Encryption (Samsung-only feature, supported from Android 4.0) Encryption is forced on the SD Card. This restriction is applied only if the device is secured by a passcode. If there is no passcode on the device, you can associate a Passcode policy first and then distribute the restrictions policy.
SECURITY
Restore Factory Settings By restricting this, admins can prevent users from resetting devices to their factory settings. By restricting this and also configuring EFRP on the devices, admins can also prevent users from removing devices from management through a hard reset.
Lock Screen Notification Preference Configure how the notifications appear on the lock screen of the device. Either choose to show all content, hide sensitive content, or completely hide notifications. Applicable for devices running 5.0 or later versions
Applied only to the Work Container
Installing Non-Market apps Allow/Restrict installing apps not listed on the Play Store. Restricting this disables the "Install apps from unknown sources" setting for app installation. Restricted by default
Allow certificate based authentication for managed apps Allow/Restrict certificate based authentication for managed apps.
Applied only to the Work Container
Allow users to install or modify certificates Allow/Restrict users to install/modify certificates.
Applied only to the Work Container
Clipboard (Supported from Android 4.2.2) By enabling this, users will be allowed to use the Clipboard memory.
Applied only to the Work Container
Clipboard Share (Supported from Android 4.2.2) By enabling this, users can share the Clipboard content between different applications. This can be enabled only when Clipboard feature is enabled on the device. No separate restriction - Restricted when Clipboard is restricted

Safe mode (Supported by Samsung, Profile Owner and Device Owner devices from Android 6.0) By enabling this, users can boot the device in Safe mode.
Developer Mode By enabling this, users can use developer options on the device. 
'Share via' list (Samsung-only feature, supported from Android 4.2.2) By enabling this, users will be allowed to use the share list on their devices.
Google Play Protect Google Play Protect regularly checks apps and the devices for any harmful behavior. 
Auto fill By enabling this option, users will be allowed to use Auto-Fill Settings.
SYNC AND STORAGE
Backup and restore data By enabling this option, users will be allowed to back up the device data and restore it.
Note: Backup services are disabled by default on Samsung devices enrolled as Device Owner or Profile Owner. For the restore option to work, the Samsung Smart Switch app should be installed on the device.
Backup data in Google Server (Samsung-only feature) By enabling this option, users will be allowed to back up device data such as images, videos, etc. to the Google server.
Google Account Auto-Sync (Samsung-only feature, supported from Android 4.4) By enabling this option, users will be allowed to sync their Google Accounts on their devices.
Report Crash to Google (Samsung-only feature, supported from Android 4.1) By enabling this, crash reports will be sent to Google.
SD Card By enabling this, users will be allowed to use an SD Card on their devices.
Storing data in SD Card (Supported from Android 4.1) By enabling this, users will be allowed to store data on SD Cards of the devices. No separate restriction - Restricted when SD Card is restricted
Move apps to SD Card (Samsung-only feature, supported from Android 4.4) By enabling this, users will be able to move applications installed in device memory to the SD card.
USB By enabling this, users will be allowed to use USB on their devices.
Connections using USB By enabling this, users will be allowed to use USB to establish connections for debugging. No separate restriction - Restricted when USB is restricted
Connect a USB storage device By enabling this, users will be allowed to connect USB Storage devices. This can be enabled only when USB is enabled on a device. No separate restriction - Restricted when USB is restricted
APPLICATIONS
Users can install unapproved apps If installing unapproved apps is restricted, all apps previously installed by users are disabled. Unapproved apps installed afterwards are still downloaded and installed, but are then automatically uninstalled. This ensures that only apps distributed via MDM are installed on the device. Once this restriction is removed, previously disabled apps are enabled automatically.
Note:
System pre-installed apps from other stores like Samsung Galaxy Store, Huawei, etc. will be automatically updated even if installing unapproved apps is restricted.

Applied only to the Work Container
Uninstalling apps (Supported from Android 4.1) By enabling this, users will be allowed to uninstall applications from the device. Note: Despite this setting, apps silently installed on devices cannot be uninstalled by users.
Applied only to the Work Container
Stop system apps (Samsung-only feature, supported from Android 4.2.2) By enabling this, users can stop the system apps present in their devices.
Application notification mode (Samsung-only feature, supported from Android 4.1) By enabling this, the user can choose to allow or restrict app notifications. If restricted, app notifications are disabled.
YouTube By enabling this, users will be allowed to access YouTube from the device.
Gmail By enabling this, users will be allowed to access Gmail on their devices.
S-Finder (Samsung-only feature, supported from Android 4.3) By enabling this, users will be allowed to use "S Finder" to search for Apps and settings on the device. This is applicable only for Samsung Knox devices.
Global App Permission policy Configuring this lets you automatically deny or allow permissions for apps present on the device. If Auto-deny is chosen, some apps such as Camera will be disabled and the user will not be prompted to accept the permission, while other apps such as Phone will display a message notifying the user of the denied access. Optionally, you can also leave the choice to the user.
Applied only to the Work Container
BROWSER (Applicable only for Google Chrome in legacy)
Android browser By enabling this option, the users will not be able to use any web browsers on the device.
Applied only to the Work Container
Fraud warning settings By enabling this, users will be allowed to use Fraud Warning Settings on the device.
Applied only to the Work Container
Pop-ups By enabling this, pop-ups will be enabled on the device.
Applied only to the Work Container
JavaScript By enabling this, users will be allowed to use applications running on JavaScript.
Applied only to the Work Container
Auto-fill By enabling this option, users will be allowed to use Auto-Fill Settings.
Applied only to the Work Container
Cookies By enabling this option, users will be allowed to use Cookies Settings on the device.
Applied only to the Work Container
NETWORK AND ROAMING
Airplane Mode (supported for Samsung and devices running Android 9.0 and above) If this is restricted, users will be unable to use airplane mode on their devices.
Background data (Samsung-only feature) If Allow is chosen, users will be able to disable the background data whereas background data will be enabled by default. (This profile does not get applied automatically and the user has to accept this profile)
Data Saver Mode (Samsung-only feature) Enable this option to reduce data usage by preventing apps from sending or receiving data in the background.
Wi-Fi If 'User Controlled' is chosen, users will be allowed to disable or enable Wi-Fi on the device.
If Wi-Fi is Always On on the device, users will not have permission to disable it.
Note: This is not supported for corporate Samsung devices running Android 10.0 or above enrolled via invites.
If Wi-Fi is Always Off on the device, users will not have permission to enable it. The managed devices will be out of network connectivity and even the MDM server cannot reach the device until cellular data is enabled on the device. 
Wi-Fi Direct (Samsung-only feature - Supported from Android 4.2.2) By enabling this, users will be allowed to access Wi-Fi Direct on their devices.
Connecting to Wi-Fi, only if distributed via MDM (Supported from Android 2.3 to 9.0) Restrict/Allow users to connect to Wi-Fi networks only if Wi-Fi configurations have been distributed as a profile via MDM. If no Wi-Fi has been configured via MDM, enabling this ensures the device connects only to the secure Wi-Fi network configured using MDM. If restricted, the device will not connect to any network and therefore cannot communicate with the MDM server. Also, if the Wi-Fi SSID has been changed, the profile must be modified to include the new SSID and then re-distributed to the device for continued management.
Note: In non-Samsung devices running Android 10.0 or later, once the Wi-Fi profile is distributed, the users will be prompted to connect to the Wi-Fi. In Device Owner devices, the users will be prompted continuously until they connect to the Wi-Fi. While in Profile Owner devices, the users will only be prompted 5 times.
Restrict users from connecting to unsecure public Wi-Fi networks: By restricting this, users will not be able to connect their devices with public or unsecure Wi-Fi network connections which are not protected with a password.
Allow users to configure VPN (Supported from Android 4.1) Users are restricted from configuring VPN on devices, apart from any VPN configurations distributed through the MDM server. If this restriction is enabled on Samsung devices (running on OS 4.3 and above), any VPN configured by the user gets deleted.
Roaming always on By allowing this, roaming is always set to on and cannot be turned off by the user. Else, this can be user-controlled.
Roaming data (Samsung-only feature) If you have allowed this, users can choose to allow or disallow roaming data on the device. Else, this setting will be disabled and greyed out in the device.
Sync data while Roaming (Samsung-only feature) By enabling this, users will be allowed to use Sync feature while roaming.
Roaming Push (Samsung-only feature) By enabling this, data will be pushed to devices even if they are in roaming.
Voice Call while Roaming (Samsung-only feature, supported from Android 4.1) By enabling this, users will be allowed to receive/make voice calls during roaming.
DEVICE CONNECTIONS
NFC By enabling this, users can utilize Near Field Communication (NFC).
Android Beam (Supported from Android 4.2.2) By enabling this, users can utilize Android Beam to transfer data to other supported devices.
Applied only to the Work Profile
Restricted by default
S Beam (Samsung-only feature, supported up to Android 4.2.2) By enabling this, users can utilize S Beam to share files with other supported devices.
Bluetooth By enabling this, users will be allowed to use Bluetooth in their devices.
Bluetooth discovery (Samsung-only feature) By enabling this, users can allow other devices to detect and connect to their devices.
Bluetooth pairing (Samsung-only feature) By enabling this, users will be allowed to pair their devices with other devices to enable data transfer.
Make outgoing calls using Bluetooth (Samsung-only feature) By enabling this, users will be allowed to place outgoing calls using Bluetooth.
Connect to Laptop/Desktop via Bluetooth (Samsung-only feature) By enabling this, users can connect their devices to desktops/laptops using Bluetooth.
Data transfer via Bluetooth (Samsung-only feature) By enabling this, users will be allowed to transfer data from their devices to other devices using Bluetooth.
Printing (Supported from Android 9.0) By enabling this, users will be allowed to use Bluetooth printers through their devices.
TETHERING
Tethering Disabling this restricts managed devices from tethering with other devices to share the cellular network.
Bluetooth Tethering By enabling this, users will be allowed to share Internet connection via Bluetooth with other devices. This can be enabled only when Bluetooth is enabled on a device. No separate restriction - Restricted when Tethering is restricted
Wi-Fi Tethering By enabling this, users will be allowed to share Internet connection via Wi-Fi with other devices. This can be enabled only when Wi-Fi and Wi-Fi Direct are enabled on the device. No separate restriction - Restricted when Tethering is restricted
USB Tethering By enabling this, users will be allowed to share Internet connection via USB with other devices. This can be enabled only when USB is enabled on the device. No separate restriction - Restricted when Tethering is restricted
LOCATION SERVICES
Location Services (Supported in legacy from OS 4.1) When set as Always On, Location Services is forcefully enabled (Location Tracking can be highly accurate when Location Services are set to Always On only for devices running OS below 9). Even if users turn it Off, it automatically reverts to the On state. This applies to the Always Off option as well. If you configure it as User Controlled, device users can enable/disable it as per their needs.
Mock location (Samsung-only feature) Allow/Restrict users from showing falsified location data.
Google Maps By enabling this, users can utilize Google Maps.
PHONE
SMS (Supported from Android 4.1 in Samsung devices) By disabling this, users will not be able to use Short Messaging Service (SMS) on the managed devices.
Incoming SMS (Supported up to Android 4.1 in Samsung devices) By disabling this, users will not be able to receive any incoming message on their devices. No separate restriction - Restricted when SMS is restricted
Outgoing SMS (Supported from Android 4.1 in Samsung devices) By disabling this, users will not be able to send any outgoing message from their devices. No separate restriction - Restricted when SMS is restricted
MMS (Supported from Android 4.1 in Samsung devices) By disabling this, users will not be able to use Multimedia Messaging Service (MMS) in the managed devices. No separate restriction - Restricted when SMS is restricted
Incoming MMS (Supported from Android 4.1 in Samsung devices) By disabling this, users will not be able to receive any incoming MMS to their devices. No separate restriction - Restricted when SMS is restricted
Outgoing MMS (Supported from Android 4.1 in Samsung devices) By disabling this, users will not be able to send any outgoing MMS from their devices. No separate restriction - Restricted when SMS is restricted
Call (Samsung-only feature) If disabled, users cannot make/receive calls.
Incoming Call (Samsung-only feature) By disabling this, users will not be able to receive any incoming calls on their devices. Even when it is allowed, incoming calls will work only when the Microphone is enabled on the device.
Outgoing Call By disabling this, users will not be able to place any outgoing calls on their devices. Even when it is allowed, outgoing calls will work only when the Microphone is enabled on the device.
DATE/TIME SETTINGS
Set device time (Supported from Android 9.0 and above) You can set the device time either based on the network provider's time or manually. Note: If an incorrect time is displayed, try connecting to a different network and check the Wi-Fi router.
Timezone (Supported from Android 9.0 and above) If you have enabled the device time to be set manually, then you can choose the desired timezone from the dropdown.
Modify date/time settings (Supported from Android 9.0 and above) Restricting this prevents the users from modifying date/time settings such as time format, date format, etc.
Modify date/time (Supported from Android 4.3 in Samsung devices) Restricting this prevents the users from modifying the date/time already set on the device.
DISPLAY SETTINGS (Supported from Android 9.0)
Screen Timeout The duration (between 5 and 1800 seconds) of inactivity, after which the device goes to sleep.
Note: Screen Timeout duration cannot be higher than Maximum idle time allowed before auto-lock configured in Passcode profile.
Modify Screen Timeout Settings Disabling this ensures the screen timeout configured above or on the device cannot be modified.
Brightness Provide the level of brightness to be configured on the device.
Modify Brightness Settings Disabling this ensures the brightness configured above or on the device cannot be modified.
Ambient Display Enable/Disable displaying details such as the time, date, etc., on the device lock screen when it is in sleep.
MISCELLANEOUS
Add user (Supported from Android 4.4.2 in Samsung devices)
Note: In Device Owner devices, adding users is restricted by default because only the primary user can be managed.
Disabling this will restrict creating multiple users on the device.
Turn the device off, using Power button (Samsung-only feature, supported from Android 4.1) By disabling this, users will not be able to turn off their devices using the Power Button.
Background process limit (Samsung-only feature, supported up to Android 4.2.2) By enabling this, the background processes running on the device can be enabled/disabled by the user. If disabled, then the background process limit is set to maximum.
Terminating app on exiting (Samsung-only feature, supported from Android 4.2.2) This setting (Don't keep activities) is restricted on the device by default. If you choose to allow this, users can choose to enable or disable it.
Modify default device settings (Samsung-only feature) By enabling this, the device can be restored to the default settings.
Air Command (Samsung-only feature, supported from Android 4.4.4) Enabling this will allow users to access features related to the S Pen, such as Notepad, virtual keyboard, Memo, etc. This is applicable only for Samsung Knox devices.
Smart View (Samsung-only feature, supported from Android 4.4.4) Enabling this allows users to view multimedia content present on the device, on a Samsung smart TV. 
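
A pre-deployment check for the setting dependencies listed in the table above, as an added example that is not part of the product or its documentation. The policy dictionary, its key names and the `passcode_profile` argument are hypothetical; the rules themselves are taken from the descriptions above.

```python
# Hypothetical key names: this is not the product's policy export format.
# Child setting -> settings that must be allowed for the child to take effect.
REQUIRES = {
    "camera_from_lock_screen": ["camera"],
    "video_recording": ["camera"],
    "audio_recording": ["microphone"],
    "s_voice": ["microphone"],
    "clipboard_share": ["clipboard"],
    "sd_card_storage": ["sd_card"],
    "usb_debugging": ["usb"],
    "usb_storage": ["usb"],
    "bluetooth_tethering": ["tethering", "bluetooth"],
    "wifi_tethering": ["tethering", "wifi", "wifi_direct"],
    "usb_tethering": ["tethering", "usb"],
}


def allowed(policy, key):
    """Allowed unless set to False or 'always_off'; unset settings count as allowed."""
    return policy.get(key, True) not in (False, "always_off")


def lint(policy, passcode_profile=None):
    """Return sorted (setting, problem) findings for one restrictions policy."""
    findings = []
    for child, parents in REQUIRES.items():
        if child in policy and allowed(policy, child):
            blocked = [p for p in parents if not allowed(policy, p)]
            if blocked:
                msg = "allowed but depends on restricted: " + ", ".join(blocked)
                findings.append((child, msg))
    # Encryption restrictions are applied only to passcode-secured devices.
    for key in ("enforce_storage_encryption", "enforce_sd_card_encryption"):
        if policy.get(key) and passcode_profile is None:
            findings.append((key, "needs a Passcode policy associated first"))
    timeout = policy.get("screen_timeout_seconds")
    if timeout is not None:
        if not 5 <= timeout <= 1800:
            findings.append(("screen_timeout_seconds", "must be between 5 and 1800"))
        max_idle = (passcode_profile or {}).get("max_idle_seconds")
        if max_idle is not None and timeout > max_idle:
            findings.append(("screen_timeout_seconds", "exceeds passcode auto-lock idle time"))
    if policy.get("wifi") == "always_off":
        findings.append(("wifi", "MDM server cannot reach device until cellular data is enabled"))
    return sorted(findings)


# Constructed sample policy and passcode profile, for illustration only.
SAMPLE_POLICY = {
    "camera": False, "video_recording": True,
    "tethering": True, "wifi": "always_off", "wifi_direct": True,
    "wifi_tethering": True, "usb": False, "usb_storage": False,
    "enforce_storage_encryption": True, "screen_timeout_seconds": 600,
}
SAMPLE_PASSCODE = {"max_idle_seconds": 300}

if __name__ == "__main__":
    for setting, problem in lint(SAMPLE_POLICY, SAMPLE_PASSCODE):
        print(f"{setting}: {problem}")
```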

 

 
