Android

: Security and privacy rules

Allow deleting users

Specify if the user can delete users from the device. If this rule is selected, the primary user can delete other users. Secondary users can only delete themselves.

Selected

Allow device backup

Specify whether the device can use the backup service. If the rule is not selected, the user can't backup or restore data on the device.

Not selected

Force SD card erase on device unmanage

If the SD card exists in the device it will be erased when the device is factory wiped as a result of being unmanaged.

Not selected

Allow users to deactivate devices from UEM Client

Specify whether the user can deactivate the device using the BlackBerry UEM client. If this rule is not selected, the Deactivate My Device button in the BlackBerry UEM Client is disabled.

Selected

Display owner information on lock screen

Specify the information that the device displays when the device is locked.

Send security logs to UEM

Specify whether the device synchronizes security logs with UEM. On Android 11 and later devices activated with Work and personal - full control, certain security logs are not visible (for example personal app launch events) or they are redacted (for example, details of physical volume mount events).

Not selected

Allow firmware recovery

Specify if a user can update the operating system of a device using download mode. Cannot be combined with Android update policy APIs.

Selected

Require SD card encryption

Specify if a device must encrypt all data on the external SD card. This rule requires the value of the "Password requirements" rule to be at least "Alphanumeric."

Not selected

Audit log outcomes

Specify whether the audit log records failures, successes, or both.

Applies only to devices that support Samsung Knox API level 6 and later.

All

Audit log severity level

Specify the minimum severity level of events added to the audit log. Events of the selected severity and higher are added to the log. For example, if you select "Error", Critical and Alert severity events are also logged.

Applies only to devices that support Samsung Knox API level 6 and later.

Critical

Allow cross profile copy and paste

Specify whether data that is copied to the clipboard can be pasted in a related profile.

Not Selected

Allow adding and removing accounts

Specify whether a user can add or remove user accounts, such as email accounts, on the device.

Selected

Allow additional Google accounts

Specify whether the user can add additional Google accounts to the work profile.

Depends on: Allow adding and removing accounts

Selected

Disallowed account types

Specify the types of accounts that cannot be added to the work profile. If no account types are specified, there is no restriction. For more information, see KB 46860.

Depends on: Allow adding and removing accounts

Allow screen capture

Specify if a user can take screen shots of the device.

Selected

Allow personal data in work profile

Specify whether files and data in the personal profile can be sent to the work profile or accessed from work apps.

Selected

Allow location requests in work profile to access Google Maps in personal profile

Specify whether location requests made in the work profile can use Google Maps in the personal profile to provide the location information.

Selected

Allow user to create work email from the personal profile

Specify whether a user can create an email from their work email account using a personal app.

Not Selected

Allow work profile to set alarms using the personal clock

Specify whether the user can set alarms from the work profile using the personal clock app.

Selected

Allow work apps to access images from the personal camera

Specify whether work apps can access images from the personal camera app.

Not Selected

Allow work apps to access video from the personal camera

Specify whether work apps can access video from the personal camera app.

Not Selected

Allow work apps to open the personal camera

Specify whether work apps can open the personal camera app.

Not Selected

Allow personal apps to play work media

Specify whether personal apps can play media stored in the work profile.

Not Selected

Allow sending bug reports

Specify whether the user can send bug reports from the device.

Selected

Send bug reports using the BlackBerry DDT app

Specify whether Android devices powered by BlackBerry must use the BlackBerry DDT app to send bug reports to BlackBerry.

Depends on: Allow sending bug reports

Not Selected

Allow transfer of work contacts using Bluetooth

Specify whether the device can use Bluetooth to send work contacts to another Bluetooth enabled device.

Not Selected

Allow lock screen features

Specify whether special features can be enabled on the device lock screen.

Selected

Allow camera on lock screen

Specify whether users can access the device camera on lock screen.

Depends on: Allow lock screen features

Selected

Allow notifications

Specify whether the device can display notifications on the lock screen.

Depends on: Allow lock screen features

Selected

Allow all notification content

Specify whether all notification content can appear on the lock screen or only the notification type.

Depends on: Allow lock screen features

Selected

Allow fingerprint authentication

Specify whether the user can unlock the device using a fingerprint.

Depends on: Allow lock screen features

Selected

Allow biometrics

Specify whether the user can use biometric authentication to unlock the device.

Depends on: Allow lock screen features

Selected

Allow facial recognition

Specify whether the user can unlock the device using face recognition.

Depends on: Allow lock screen features

Selected

Allow iris authentication

Specify whether the user can unlock the device using an iris scan.

Depends on: Allow lock screen features

Selected

Allow trust agents for Google Smart Lock

Specify whether trust agents can unlock the device using Google Smart Lock.

Depends on: Allow lock screen features

Selected

Allow Google NFC trust agent

Specify if NFC can be used to unlock the device using Google Smart Lock.

Depends on: Allow trust agents for Google Smart Lock

Selected

Allow tags with basic authentication to unlock the device

Specify if NFC tags that authenticate using the tag ID can be used to unlock the device using Google Smart Lock.

Depends on: Allow Google NFC trust agent

Selected

Allow secure NFC tags to unlock the device

Specify if NFC tags that use challenge-response authentication can be used to unlock the device using Google Smart Lock.

Depends on: Allow Google NFC trust agent

Selected

Allow Google Bluetooth trust agent

Specify if Bluetooth can be used to unlock the device using Google Smart Lock.

Depends on: Allow trust agents for Google Smart Lock

Selected

Allow Google places trust agent

Specify if places can be used to unlock the device using Google Smart Lock.

Depends on: Allow trust agents for Google Smart Lock

Selected

Allow custom places

Specify if a user can trust places other than Home.

Depends on: Allow Google places trust agent

Selected

Allow Google Face trust agent

Specify if face image can be used to unlock the device using Google Smart Lock.

Depends on: Allow trust agents for Google Smart Lock

Not Selected

Allow Google Voice trust agent

Specify if voice can be used to unlock the device using Google Smart Lock.

Depends on: Allow trust agents for Google Smart Lock

Selected

Allow Google On-body trust agent

Specify if On-body can be used to unlock the device.

Depends on: Allow trust agents for Google Smart Lock

Selected

Trust agent inactivity timeout

Specify Device inactivity timeout in minutes. When a device is in an idle state for a certain period of time, Google Smart Lock trust agents will be revoked.

Depends on: Allow trust agents for Google Smart Lock

240 minutes

Allow obtaining device location

Specify if work apps can obtain location of device. This policy will supersede any location profile assigned to the user.

Selected

Allow transfer of work data using NFC

Specify whether the device can send work data to another device using NFC.

Selected

Allowed notification listeners

Specify which personal apps can intercept notifications from other apps.

System only

Allow autofill

Specify whether the device can save user-entered form data to automatically fill future forms.

Selected

Allow user to add certificates to the work profile certificate store

Specify whether the user can add trusted certificate authorities and client certificates to the work profile certificate store.

Not Selected

Allow AI assistant to use screen content

Specify if the AI assistant on the device can use capture screen content.

Selected

Allow AI to offer suggestions based on screen content

Specify if the AI assistant will provide selection suggestions based on screen content.

Depends on: Allow AI assistant to use screen content

Selected

Allow Circle to Search

Specify if Circle to Search functionality is enabled in the work profile.

Minimum OS version: 15.0

Selected

Limit length of time work profile can be turned off

Specify whether users must turn on the work profile after a specified time limit to continue using the device. If the work profile is turned off longer than the specified time period, personal apps are disabled and the device displays a notification.

Not Selected

Maximum off-time

Specify the maximum number of hours that the user can keep the work profile turned off.

Depends on: Limit length of time work profile can be turned off

259200 seconds (3 days)

Require certificate revocation (CRL) check for apps

Specify if apps must check for revoked certificates in the server certificate chain when opening SSL connections in the work profile. This rule applies only to apps that use the standard Java SSL sockets and TrustManager implementation (including most native apps), but does not apply to third-party browsers. The certificate revocation check uses CRLs from the CRL distribution point listed in the certificates. If the "Require OCSP check" rule is selected, apps first check for certificate revocation using OCSP. If OCSP fails, then apps check the CRLs.

This rule applies only to Samsung devices

Not Selected

Require OCSP check for apps

Specify if apps must use OCSP before using CRLs to check for revoked certificates when opening SSL connections in the work profile. The OCSP check uses the OCSP response server in the "Authority Information Access" extension in the certificate.

This rule applies only to Samsung devices.

Depends on: Require certificate revocation (CRL) check for apps

Not Selected

Validate end-user installed certificates

Specify whether the device validates certificates installed by end users. If one of the validation checks (for example, certification path, expiration date, or revocation status) fails, the device blocks the installation of the certificate.

This rule applies only to Samsung devices.

Not Selected

Allow "Share via" list

Specify whether a work app can display the "Share via" list to allow a user to share content across work apps in the work profile.

Selected

Allow screenshots in the work profile to be stored in the personal profile

Specify whether screenshots taken in the work profile can be saved in the personal profile.

This rule applies only to devices running Android OS 13.0.0 and later, but does not apply to devices running Android OS 15.0.0 and later.

Applies only to devices that support Samsung Knox API level 36 and later.

Minimum OS version: 13.0.0

Not Selected

Allow work files in the personal profile

Specify whether a user can move files from the work profile to the personal profile on a device.

This rule does not apply to devices running Android OS 13 and later.

Applies only to devices that support Samsung Knox API level 11 and later.

Minimum OS version: 13.0.0

Not Selected

Allow personal files in the work profile

Specify whether a user can move files from the personal profile to the work profile on a device.

This rule does not apply to devices running Android OS 13 and later.

Applies only to devices that support Samsung Knox API level 11 and later.

Minimum OS version: 13.0.0

Not Selected

Enable work and personal data synchronization

Specify if apps can synchronize data between the work profile and the personal profile.

This rule does not apply to devices running Android OS 13 and later.

Not Selected

Allow personal calendar data in the work profile

Specify whether the calendar app can import personal calendar data into the work profile.

This rule does not apply to devices running Android OS 13 and later.

Applies only to devices that support Samsung Knox API level 11 and later.

Depends on: Enable work and personal data synchronization

Not Selected

Allow work calendar data in the personal profile

Specify whether the calendar app can export work calendar from the work profile into the personal profile.

This rule does not apply to devices running Android OS 13 and later.

Applies only to devices that support Samsung Knox API level 11 and later.

Depends on: Enable work and personal data synchronization

Not Selected

Allow contact synchronization

Specify whether the contacts app can synchronize contact data between the Knox Workspace and the personal space.

Depends on: Enable work and personal data synchronization

Not Selected

Allow calendar synchronization

Specify whether the calendar app can synchronize calendar data between the Knox Workspace and the personal space.

Depends on: Enable work and personal data synchronization

Not Selected

Allow user modification of "Show notification content" setting

Specify whether a user can change the "Show notification content" setting on a device. This setting determines whether the device displays reduced information about work notifications in the personal profile.

This rule does not apply to devices running Android OS 13 and later.

Applies only to devices that support Samsung Knox API level 11 and later.

Depends on: Enable work and personal data synchronization

Not Selected

Require fast encryption

Specify if a device must use fast encryption mode only.

Work and personal - full control (Samsung Knox)

Not Selected

Allow screen capture (DDMS)

Specify if a user can take screenshots. If this rule is not selected, users also cannot take screenshots using the Dalvik Debug Monitor Server (DDMS).

Work and personal - full control (Samsung Knox)

Selected

Allow factory reset

Specify if a user can perform a factory reset on a device.

Work and personal - full control (Samsung Knox)

Selected

Allow users to deactivate devices

Specify whether the user can deactivate the device and wipe all work data.

Work and personal - full control (Samsung Knox)

Selected

Data wipe on deactivation

Specify what data is deleted from the device when it is deactivated.

Work and personal - full control (Samsung Knox)

Delete work space

Allow screen capture in Knox Workspace

Specify whether a user can take screenshots in the Knox Workspace.

Selected

Allow work files into the personal space

Specify whether a user can move work files from the Knox Workspace to the personal space on a device.

Selected

Allow non-secure keypad

Specify whether a user can use a non-secure keypad in the Knox Workspace.

Selected

Allow personal files in the Knox Workspace

Specify whether a user can move files from the personal space to the Knox Workspace on a device.

Not Selected

Enable Trusted Boot verification

Specify whether Trusted Boot verifies the OS and kernel before decrypting the Knox Workspace.

If this rule is selected and the device OS or kernel is compromised, the Knox warranty bit is fused and the user can no longer access or create a Knox Workspace.

If this rule is selected, the device restarts for the rule to take effect.

Work and personal - full control (Samsung Knox)

Not Selected

Allow USB access for apps in Knox Workspace

Specify whether apps in Knox Workspace can read and write data to a USB storage device.

Not Selected