Android: Device functionality rules
Android
: Device functionality rulesName | Description | Activation Types | Default | Possible Values |
|---|---|---|---|---|
Disable camera | Specify whether the device camera is disabled. |
| Not selected | |
Allow Bluetooth configuration | Specify whether a user can configure Bluetooth settings and use Bluetooth technology in the Knox Workspace. On "Work and personal - full control (Samsung Knox)" devices, this rule takes effect only if the "Allow Bluetooth" rule in the "Knox MDM" category is set to Allow. |
| Selected | |
Allow Bluetooth | Specify whether the device can use Bluetooth technology. |
| Selected | |
Allow Bluetooth sharing | Specify whether a user can share content from the work profile over a Bluetooth connection. Depends on: Allow Bluetooth |
| Not selected | |
Allow Bluetooth A2DP | Specify whether a device can use the Bluetooth A2DP. A device can use the Bluetooth A2DP to stream audio files to another Bluetooth enabled device (for example, a headset). Applies only to devices that support Samsung Knox API level 2 and later. Depends on: Allow Bluetooth |
| Selected | |
Allow Bluetooth AVRCP | Specify whether a device can use the Bluetooth AVRCP. A device can use the Bluetooth AVRCP to allow a Bluetooth enabled device (for example, a headset) to control the device's media apps. Applies only to devices that support Samsung Knox API level 2 and later. Depends on: Allow Bluetooth |
| Selected | |
Allow Bluetooth HFP | Specify whether a device can use the Bluetooth HFP. A device can use the Bluetooth HFP to allow a Bluetooth enabled device (for example, a car kit or a headset) to access the Contacts and Phone apps on the device to make phone calls. Applies only to devices that support Samsung Knox API level 2 and later. Depends on: Allow Bluetooth |
| Selected | |
Allow Bluetooth HSP | Specify whether a device can use the Bluetooth HSP. A device can use the Bluetooth HSP to allow a Bluetooth headset to connect to the device. Applies only to devices that support Samsung Knox API level 2 and later. Depends on: Allow Bluetooth |
| Selected | |
Allow Bluetooth PBAP | Specify whether a device can exchange phone book contacts with other Bluetooth enabled devices using the Bluetooth PBAP. Applies only to devices that support Samsung Knox API level 2 and later. Depends on: Allow Bluetooth |
| Selected | |
Allow Bluetooth SPP | Specify whether a device can use the Bluetooth SPP. Applies only to devices that support Samsung Knox API level 2 and later. Depends on: Allow Bluetooth |
| Selected | |
Allow configuring mobile networks | Specify whether a user can configure mobile network settings on the device. This rule does not apply to Work and personal - full control and Work and personal - full control (Premium) activated devices running Android OS version 11 and later. |
| Selected | |
Allow changing Wi-Fi settings | Specify whether the user can change the settings in the work Wi-Fi profile. If this rule is not selected, the user can't change any settings in the profile, including their Wi-Fi connection credentials. Applies to Android Enterprise and Android Management devices. |
| Not selected | |
Allow changing Wi-Fi networks | Specify whether the user can set up connections to Wi-Fi networks other than the one specified by the Wi-Fi profile. Applies to Android Enterprise and Android Management devices. |
| Selected | |
Allow tethering configuration | Specify whether a user can configure tethering and mobile hotspots. |
| Selected | |
Allow tethering | Specify if a device can share mobile data with another device using USB, Wi-Fi, or Bluetooth. Applies only to devices that support Samsung Knox API level 2 and later. |
| Selected | |
Allow Bluetooth tethering | Specify if a device can share its mobile network connection with other devices using Bluetooth. If this rule is not selected, the user cannot change this setting on the device. Applies only to devices that support Samsung Knox API level 2 and later. Depends on: Allow tethering |
| Selected | |
Allow USB tethering | Specify if a device can share its mobile network connection with other devices using USB. If this rule is not selected, the user cannot change this setting on the device. Applies only to devices that support Samsung Knox API level 2 and later. Depends on: Allow tethering |
| Selected | |
Allow Wi-Fi tethering | Specify if a device can share its mobile network connection with other devices using Wi-Fi. If this rule is not selected, the user cannot change this setting on the device. Applies only to devices that support Samsung Knox API level 2 and later. Depends on: Allow tethering |
| Selected | |
Allow factory reset | Specify whether the user can reset the device to factory defaults. On BlackBerry Devices powered by Android, this rule also disables the Deactivate button in the BlackBerry UEM Client app. |
| Selected | |
Allow mounting physical media | Specify whether a user can mount physical media, such as SD cards and flash drives that support USB On-The-Go, to the device. |
| Selected | |
Allow outgoing calls | Specify if a user can place outgoing calls. If this rule is not selected, the device can only make emergency calls. All other outgoing calls are blocked. |
| Selected | |
Allow mobile data usage while roaming | Specify whether a user can use mobile data while roaming. If this rule is not selected, apps can't connect to the Internet over a wireless network when the device is roaming. |
| Selected | |
Allow SMS messages | Specify whether a user can send and receive SMS messages. |
| Selected | |
Default SMS app | Specify the package ID of the default SMS app. On devices with Work and personal - full control activations, the app must be a pre-installed system app. |
| ||
Set time automatically | Specify whether a device must set the date and time automatically. If this rule is selected, the user can't manually set the date and time. |
| Not selected | |
Obtain time zone from network | Specify whether the device obtains the time zone from the network. Depends on: Set time automatically |
| Use network |
|
Device time zone | Specify the time zone that the device uses in TZ identifier format. Depends on: Obtain time zone from network (not enabled) |
| Canada/Eastern | Time zone specified in standard TZ identifier format |
Default launcher | Specify the package ID of the launcher app that must be used on the device. For this rule to apply to the device, you must push the launcher app to the device. |
| ||
Allow user to boot into safe mode | Specifies if the user is not allowed to reboot the device into safe boot mode. In safe mode, all third-party apps are disabled, while those that are pre-installed continue to work. |
| Not selected | |
Allow microphone | Specify whether the microphone of a device can be turned on and is available to apps on the device. If this rule is not selected, the microphone is disabled for all services. If this rule is not selected, users and third-party apps cannot enable the microphone. This rule applies only to the recording microphone, not the phone app microphone on "Work and personal - full control (Samsung Knox)" devices, this rule takes effect only if the "Allow microphone" rule in the "Knox MDM" category is selected. |
| Selected | |
Stay awake when plugged in to AC charger | Specify whether the device stays awake when it is plugged in to an to AC charger. |
| Not selected | |
Stay awake when plugged in to a USB charger | Specify whether the device stays awake when it is plugged in to a USB charger. |
| Not selected | |
Stay awake when plugged in to a wireless charger | Specify whether the device stays awake when it is plugged in to a wireless charger. |
| Not selected | |
Allow user to configure screen timeout | Specify whether the user can configure the screen timeout period. |
| Allow User |
|
Screen timeout | Specify the period of user inactivity before the screen turns off. Depends on: Allow user to configure screen timeout (not enabled) |
| Minimum: 0 seconds Maximum: 86400 seconds | |
Allow user to configure screen brightness | Specify whether the user can configure the screen brightness. |
| Allow User |
|
Force adaptive brightness | Specify whether adaptive brightness is enabled on the device. Depends on: Allow user to configure screen brightness (not enabled) |
| Allow User |
|
Screen brightness | Specify the screen brightness level for the device. Depends on: Force adaptive brightness (not enabled) |
| Minimum: 0 Maximum: 255 | |
Allowed input methods | Specify whether the user can use any input method (for example, a keyboard), only the input methods provided by the device, or only the input methods provided by the device plus additional input methods you specify. For Android 9 and earlier, this rule applies to the entire device, not just the work profile. For Android 10 and later devices, this rule applies only to the work profile. If the user enables an input method before the rule is set, the rule will not take effect unless the enabled input method is in the allowed list. |
| All |
|
Input method packages | Specify the package ID for input method services (for example, keyboards) that the user can access in addition to those provided with the device by default. Depends on: Allowed input methods |
| ||
Allowed accessibility services | Specify the accessibility services that the user can access. By default the user can use any accessibility service. System accessibility services are always available to the user. This rule applies to the entire device, not just the work profile. |
| All |
|
Accessibility service packages | Specify the package IDs for additional accessibility services that the user can access. If you do not specify a package ID, users can only use the system services. System accessibility services are always available to the user. Depends on: Allowed accessibility services (Specified) |
| ||
Allow system error dialogs | Specify whether system error dialogs for crashed or unresponsive apps display on the device. If this rule is not selected, when an app stops or is unresponsive, the system will force-stop the app as if the user chose the "close app" option in the dialog box. A feedback report isn't collected because users can't provide explicit consent. |
| Selected | |
Force device to use Access Point Name profile settings | Specify whether the device must use the settings from an assigned Access Point Name profile to connect to a wireless network, or whether the user can select any Access Point Names on the device. |
| Not selected | |
Allow ambient display | Specify whether the user can enable ambient display on the device. Ambient display shows notifications on the lock screen when the device is locked. If Ambient display rule is disallowed, then 'Allow Accessibility services' should be limited to system. For Samsung devices, to disallow ambient display you must also set the "Allow accessibility services" rule to "System" or "Specified". |
| Selected | |
Allow airplane mode | Specify whether the user can enable airplane mode on the device. |
| Selected | |
Allow user to configure private DNS | Specify whether a user can configure private DNS, which uses TLS for DNS queries. |
| Allow User |
|
Use opportunistic private DNS | Specify whether the DNS queries will attempt TLS and fallback when not available. Depends on: Allow user to configure private DNS (not enabled) |
| Allow User |
|
Private DNS server | Specify the server address to use for private DNS queries. Depends on: Use opportunistic private DNS (not enabled) |
| ||
Allow date and time changes | Specify if a user can manually change the date and time setting on a device. Applies only to devices that support Samsung Knox API level 5 and later. |
| Selected | |
Force automatic time sync | Specify if the device must obtain the date and time automatically using NITZ. If this rule is not selected, the user can choose whether the device automatically syncs the date and time. Applies only to devices that support Samsung Knox API level 2 and later. Depends on: Allow date and time changes |
| Selected | |
Allow Built-in Samsung VPN | Specify if a user can use the build-in VPN functionality. If this rule is not selected, the user cannot open a VPN session, or access the VPN settings in the Settings app. Applies only to devices that support Samsung Knox API level 4 and later. |
| Selected | |
Allow NFC | Specify whether a device can use NFC. Applies only to devices that support Samsung Knox API level 11 and later and Samsung Knox version 2.4.0 and later. |
| Selected | |
Allow OTA updates | Specify if a device can update its OS using a Firmware Over-The-Air (FOTA) client (for example, Samsung Knox EMM or WebSync DM). If this rule is not selected, all wireless update requests (user-initiated, server-initiated, and system-initiated) are blocked. The user may see messages related to new OS updates but any attempt to update the OS fails. Applies only to devices that support Samsung Knox API level 5 and later. |
| Selected | |
Allow Wi-Fi | Specify whether a device can make Wi-Fi connections. After you deselect this rule and then reselect it, the device cannot use Wi-Fi until it is restarted. |
| Selected | |
Allow Wi-Fi Direct | Specify if a device can use Wi-Fi Direct. When this rule is selected, the device can make connections using Wi-Fi Direct. This rule also affects the S Beam feature on Samsung devices. Applies only to devices that support Samsung Knox API level 6 and later. |
| Selected | |
Allow WAP push while roaming | Specify if a device can receive WAP push messages when roaming. If this rule is not selected, the device cannot receive MMS messages when roaming and the user cannot change this setting on the device. This rule applies only when the device is roaming. |
| Selected | |
Allow automatic sync while roaming | Specify whether a device can synchronize data automatically while roaming. If this rule is not selected, a roaming device can synchronize data only when a user accesses an account and the user cannot change this setting on the device. This setting applies only when the device is roaming. |
| Selected | |
Allow voice calls while roaming | Specify if a device can make or receive voice calls while roaming. Applies only to devices that support Samsung Knox API level 5 and later. |
| Selected | |
Allow SD card | Specify if a device can access an SD card. If this rule is not selected, read and write access to the SD card is blocked. Applies only to devices that support Samsung Knox API level 2 and later. |
| Selected | |
Allow data on mobile network | Specify if a device can use a mobile network connection. If this rule is not selected, the device cannot use the SIM data connection. Applies only to devices that support Samsung Knox API level 2 and later. |
| Selected | |
Allow users to add new Wi-Fi networks | Specify whether users can add new Wi-Fi profiles to the device. If this rule is not selected, users can only use the work Wi-Fi profiles that you configure. Applies only to devices that support Samsung Knox API level 4 and later. |
| Selected | |
Force Bluetooth discoverable mode | Specify whether Bluetooth discoverable mode is enabled on the device. If this rule is selected the device is always available for incoming Bluetooth connection requests. If this rule is not selected and the user turns on Bluetooth, the device is not visible to other devices. Applies only to devices that support Samsung Knox API level 2 and later. |
| Selected | |
Disallowed Wi-Fi SSIDs | Specify the list of Wi-Fi SSIDs that you want to prevent devices from connecting to. These can be used to block SSIDs added by the carrier, user, etc. Applies only to devices that support Samsung Knox API level 4 and later. |
| ||
Allow Android Beam | Specify whether users can use Android Beam or S Beam to send contact information, web bookmarks, and other data to a nearby device. Applies only to devices that support Samsung Knox API level 6 and later. |
| Selected | |
Allow Media Transfer Protocol (MTP) | Specify if a device can use MTP. Because Android supports USB file transfer through MTP only, you can use this rule to block any kind of file transfer through USB. Picture Transfer Protocol (PTP) is a subset of MTP and is also affected by this rule. Applies only to devices that support Samsung Knox API level 2 and later. |
| Selected | |
Allow USB host storage | Specify if a device can use USB host storage using USB OTG. If this rule is selected, a user can connect any pen drive (portable USB storage), external HD, or SD card reader, and it is mounted as a storage drive on the device. If this rule is not selected, a user cannot mount any external storage device. Applies only to devices that support Samsung Knox API level 6 and later. |
| Selected | |
Allow user-configured VPN in workspace | Specify whether the user can configure a VPN profile in the work profile. This rule or the "Force always-on VPN" IT policy rule must be selected to allow the device to use BlackBerry Secure Connect Plus. |
| Selected | |
Allow USB file transfer | Specify whether a user can transfer files to and from the device over a USB connection. For 'Work and Personal - Full Control' activation types, USB file transfers are allowed only in the personal perimeter. |
| Selected | |
Allow cross profile caller ID | Specify whether caller ID information from the managed profile will be shown in the parent profile for incoming calls. |
| Selected | |
Allow searching work contacts from personal apps | Specify whether users can search work contacts from apps that are not in the work profile. |
| Selected | |
Allowed cross-profile widgets | Specify the package IDs for widget providers that can be available to users in the parent profile. If you do not specify any widgets, no widgets are available. The user can add allowed widgets to a widget host running under the parent profile, for example the home screen. A package may have more than one provider component, where each component provides a different widget type. |
| ||
Allowed system apps | Specify the package IDs for the system apps that are installed in the work profile. If you remove apps from this list, the apps are deleted from the work profile on users' devices. |
| ||
Force always-on VPN | Specify whether a VPN connection is always available for work data. |
| Not Selected | |
Use BlackBerry Secure Connect Plus for VPN connection | Specify whether BlackBerry Secure Connect Plus provides the VPN connection that is always available. Depends on: Force always-on VPN |
| Use BSCP |
|
VPN app package ID | Specify the package ID for the VPN app that is always available. Depends on: Use BlackBerry Secure Connect Plus for VPN connection (not enabled) |
| ||
Force work apps to only use VPN | Specify whether all work apps, including the BlackBerry UEM Client and Google Play must use the specified VPN app. In this case you must open ports in the firewall to allow BlackBerry UEM Client to communicate with the BlackBerry Infrastructure through BlackBerry UEM. The VPN app must be correctly configured on the device before this rule is applied. If it is not, the device can't send and receive device management communications from BlackBerry UEM and may not be able to obtain the needed configuration to allow the VPN app to function. For BSCP, UEM Client ensures the configuration is applied before enabling this rule. Depends on: Force always-on VPN |
| Selected | |
Work apps exempt from VPN | Specify the package IDs of work apps that are not required to send data over the VPN connection when "Force work apps to only use VPN" is selected. Depends on: Force always-on VPN |
| ||
Allow Android system windows | Specify whether Android devices can display windows other than app windows; for example, windows for toasts, system error messages, and phone calls. |
| Selected | |
Allow users to modify apps in Android Settings | Specify whether users can modify apps in Settings or launchers. If this rule is not selected, users can't uninstall apps, disable apps, clear app caches, clear app data, force apps to stop, or clear app defaults from the device Settings or launchers. |
| Selected | |
Allow printing | Specify whether the user can print files using the device OS print functionality. This rule does not block sharing files to apps that can send files to a printer. |
| Selected | |
Allow user to configure location | Specify whether the user can turn the location feature on or off. |
| Selected | |
Allow audio recording | Specify whether a device can record audio in the work profile. If this rule is not selected, the user can still make calls and use audio streaming using the device microphone. This rule applies to phone calls, voice recognition, and VoIP. If an app declares a use type and does something else, then this rule cannot block the app. If you deselect this rule, any ongoing audio recording is interrupted. Video recording is still allowed if no audio recording is attempted. Applies only to devices that support Samsung Knox API level 6 and later. |
| Selected | |
Allow Google auto-sync | Specify if Google accounts and apps can sync automatically. This rule does not block Google Play from updating installed apps. Users can still manually sync from some apps, including Gmail. Applies only to devices that support Samsung Knox MDM version 5.0.0 and later. |
| Selected | |
Allow video recording | Specify if a device can record video. If this rule is not selected, the camera is still available so that a user can take pictures and use video streaming. If you deselect this rule, any ongoing video recording is interrupted. Applies only to devices that support Samsung Knox API level 6 and later. |
| Selected | |
Allow sending crash reports to Google | Specify if the user can send crash reports to Google. Applies only to devices that support Samsung Knox API level 5 and later. |
| Selected | |
Allow camera | Specify whether a user can use the camera. Applies only to devices that support Samsung Knox API level 11 and later. |
| Selected | |
Allow data on mobile network | Specify if a device can use a mobile network connection. If this rule is not selected, the device cannot use the SIM data connection. | Work and personal - full control (Samsung Knox) | Selected | |
Allow users to modify Wi-Fi profile settings | Specify if a user can modify work Wi-Fi profile settings such as static IP configuration, proxy settings, or security type. When this rule is not selected, the user can modify only the username, anonymous identity, password, and WEP keys of a work Wi-Fi profile. When this rule is not selected, the user cannot remove the work Wi-Fi profile. If this rule is selected, the user can modify all work Wi-Fi profile settings and also delete it. | Work and personal - full control (Samsung Knox) | Selected | |
Allow users to add Wi-Fi networks | Specify whether users can add new Wi-Fi profiles to the device. If this rule is not selected, users can only use the work Wi-Fi profiles that you configure. | Work and personal - full control (Samsung Knox) | Selected | |
Allow users to modify the Settings app | Specify if a user is allowed to make changes to the Settings app. If this rule is not selected, the user cannot make changes to system preferences. | Work and personal - full control (Samsung Knox) | Selected | |
Allow VPN | Specify if a user can use the native VPN functionality. If this rule is not selected, the user cannot open a VPN session, or access the VPN settings in the Settings app. | Work and personal - full control (Samsung Knox) | Selected | |
Allow multiple user accounts | Specify if multiple user accounts can be created on the device. | Work and personal - full control (Samsung Knox) | Not selected | |
Allow adding email accounts | Specify if the user can add work email accounts to the device. |
| Selected |