Android Samsung Knox Container Settings

A Samsung Knox container configuration creates a secure container on Samsung Knox devices (API 4.0+). Apps in the Knox container cannot communicate with apps outside of the container. Data in the secure container cannot be sent outside of the container.

Sharing Bluetooth data from within the Knox Workspace is controlled by a device-level setting by the user. You must enable Bluetooth in the Lockdown policy by going to Policy & Configs > Policies > Lockdown and selecting the Bluetooth Enable radio button.

To configure the Samsung Knox Workspace mode:

  1. In the Admin Portal, go to Policies & Configs > Configurations >Add New > Android > Samsung KNOX Container. The New Samsung Knox Container Setting dialog box opens.
  2. In the Authentication section, enter the password rules and behavior you want to enforce.
  3. In the App Settings section, use the drop-downs to select settings for Browser, Exchange, and VPN in the container.

See Samsung Knox support for information about configuring Samsung Knox.

Use these settings to:

  • Specify requirements for the container password.
  • Specify which apps to install in the container.
  • Specify restrictions.
  • Select the Android Samsung browser configuration to use in the container.
  • Select the Exchange configuration to use in the container.
  • Select the VPN configuration to use in the container.

Make sure only one Samsung Knox container setting applies to each device.

Table 103.  Samsung Knox container settings




Enter brief text that identifies this group of Samsung Knox container settings.


Enter additional text that clarifies the purpose of this group of Samsung Knox container settings.


Enforce Multi-Factor Authentication

Select On to require the device user to enter both a password and a fingerprint to access the Samsung Knox container.

Therefore, the device user must create a fingerprint on the device.

The default is Off.

Enforcing multi-factor authentication requires the following on the device:

  • Ivanti Mobile@Work 9.1 for Android

  • Samsung Knox 2.2 or supported newer versions


Important: After multi-factor authentication has been enforced on a device, changing this setting to Off has no impact on the device. Multi-factor authentication is still enforced, as designed by Samsung.

Password Type

Select the kind of password to require:

  • Simple: (Supported only on devices with Ivanti Mobile@Work 8.0 and Knox version 2.0).

  • Alphanumeric: Must include at least one alphabetic and one numeric character.

  • Complex: Must include at least one alphabetic, one numeric, and one special character (i.e., a symbol).

Min Password Length

Specify a minimum length for the password. Valid range is 4-16. The default value is 6.

Min Number of Complex Characters

Specify the minimum number of complex characters for the passcode. Valid range is 0-10.

For example, to require at least two complex characters in the passcode, enter 2.

Max Character

Specify a limit for the number of times a specific character can occur in the passcode.

For example, to prevent a specific character from occurring 3 or more times, enter 2.

Max Character Sequence Length

Specify a limit for the number of characters that can appear in sequence in a passcode.

For example, to prevent abc from occurring in a passcode, enter 2.

Max Numeric Sequence Length

Specify a limit for the number of numeric characters that can appear in sequence in a passcode.

For example, to prevent “123” from occurring in a passcode, enter 2.

Min Character Change Length

Specify a minimum number of characters that must change when the passcode is reset.

For example, to ensure that at least 2 characters change, enter 2.

Forbidden Strings

Specify any strings that must not be present in the passcode.

To add a string:

  1. Select + to add an entry.

  2. Select the “Name” placeholder in the new entry.

  3. Replace “Name” with the string you want to add.

For example, to prevent the passcode from including the user’s email address or last name, enter $EMAIL$, $LAST_NAME.

Use the tool tip to see a list of substitution variables you can use here.

Max Inactivity Timeout

Specify the idle time duration after which the lock should be enabled. If the password is set, the user is prompted for a password when unlocking the container.

Max Password Age

Specify the number of days after which the password expires.

Stored Password History

Specify the number of previous passwords that are stored and cannot be used when setting a new password.

Max Number of Failed Attempts

Specify the maximum number of failed password attempts to allow. When this number is exceeded, the Knox container is disabled.

Password Visible Option

Select Off to disable the “Make password visible” option.



Select the in-house apps to be installed in the container:

Select the + button.

Select an app from the Name list.

The Version and Identifier fields are filled in automatically.


Google Play Store

The default setting is Off. Select the On radio button to enable whitelisting Google accounts.

Whitelist Google Accounts

Enter the domains of accounts that can be added in the Knox container.

Allow Camera

Select to allow the device user or third-party apps to use the photo camera, video camera, and video telephony features.

If the camera is allowed in the Knox container restriction policy, but not allowed via the device lockdown policy, the camera does not function in the Knox container.

Allow Content Sharing (i.e., Share Via)

Select to allow use of the Share Via List, which is displayed in certain apps that share content with other apps.

Allow Email Account Creation

Select to allow the user to create email accounts. By default, this is unselected and end users cannot create email accounts in the Knox container.

Allow Non-Secure Keypad

Select to allow keyboards inside the container, regardless of whether they are pre-loaded or third-party keyboards.

Allow Samsung KNOX App Store

Select to allow device users to download apps from the Samsung Knox app store (

Allow Screen Capture

Select to allow user to take a screenshot to help with troubleshooting.

Allow Remote Control

Select to allow alternate provisioning of the Knox container.

Allow NFC

Select to allow enrollment of the device using the NFC bump.

Allow USB

Select to allow so that apps that need USB access function properly.

Install all CA certificates inside KNOX workspace

Select to deploy CA certificates inside and outside of the Knox container to secure traffic on apps inside the Work Profile mode with a self-signed or well-known certificate. If you deselect this option, CA certificates are only installed on the outside of the container and certificates installed on the inside of the container are removed.

App Settings


Specifies the Android Samsung Browser configuration to use in the Knox container. You need to create the Samsung Browser configuration separately. Otherwise, this list will be empty.


Specifies the Exchange configuration to use in the Knox container. You need to create the Exchange configuration separately. Otherwise, this list will be empty.


Specifies the VPN configuration to use for Samsung Knox IPsec in the container. You need to create the configuration separately. Otherwise, this list will be empty.

The Knox VPN client must be installed on the device before you push the Knox VPN configuration.

Download the Knox VPN client from the Samsung Knox portal:

or refer to general documentation at

  1. Go to Resources -> Tools (at the bottom) -> Download Knox VPN Client. To create a user ID in the Samsung Knox portal, an active Knox license key (trial or product) is required.

  2. Upload the Knox VPN client to the App Catalog.

  3. Create a new VPN configuration with Samsung Knox IPsec specified as the connection type (Policies & Configs > Configurations > Add New > VPN).

  4. Select the new VPN configuration in the Samsung Knox container (go to Policies & Configs > Configurations, then select Add New > Android > Samsung KNOX Container).

Supported variables

You can use the following substitution variables in the Forbidden Strings field in the Samsung Knox Container Setting:

  • $EMAIL$
  • $USERID$
  • $NULL$

You can also enter strings, such as:

  • 12345
  • Example password

Samsung Knox Dual Encryption (DualDAR) support

Using two layers of encryption, Dual Encryption (DualDAR) secures and protects sensitive data on devices - even when they are powered off or in an unauthenticated state. This reduces the possibility of enterprise work data becoming compromised. Samsung Knox includes a FIPS 140-2 certified encryption module within the inner layer. (FIPS (Federal Information Processing Standard Publication) 140-2 is a U.S. government computer security standard used to approve cryptographic modules.)

Within the workspace, there are two storage locations available to an app: Credential Encrypted (CE) storage and Device Encrypted (DE) storage. From an apps standpoint, the Workspace storage is DualDAR-protected and works as CE storage. For apps that do not have DualDAR protection, the Knox framework prevents any apps from writing data to any storage space.

DualDAR is applicable to Knox v3 on Android 8.0 or supported newer versions.

DualDAR is applicable to Android Enterprise:

  • Work Profile mode

  • Managed Device with Work Profile mode

  • Work Profile on Company Owned Device mode


  1. Edit the Android Enterprise configuration. The Android enterprise (all modes) Setting dialog box opens.

  2. Select the Enable DualDAR check box. By default, this check box is de-selected.

    DualDAR is only supported on Knox 3.3+ devices. DualDAR requires a special license that can be used instead of the Samsung General policy configurator.

  3. Enter the Knox License key into the Samsung DualDAR Version field.
  4. Select Save.

The Ivanti EPMM server will push the new Samsung DualDAR report to the device upon device registration. If enabled, the Ivanti Mobile@Work for Android client will report the Samsung DualDAR version in the Device Details > Samsung KNOX Version field. If not enabled or the device is in Device Owner mode, "unsupported" will display in the Samsung KNOX Version field.

Samsung Knox Workspace support for Google Play

You can enable users to use Google Play inside the Samsung Knox Workspace. Account whitelisting is supported for Google Play Services account types. Other account types, such as accounts defined by an application such as Gmail or Facebook, are not exempted by this whitelist as they are of a different account type. Therefore, it is important to avoid whitelisting applications that can allow undesired accounts into the Knox Workspace.

Users are only permitted to download apps that are whitelisted for the Samsung Knox Container, but they are still able to browse the entire contents of the Google Play Store.

To enable Samsung Knox Workspace support for Google Play:

  1. In the Admin Portal, go to Policies & Configs > Configurations >Add New > Android > Samsung KNOX Container to open the New Samsung KNOX Container Settings dialog box.
  2. In the Restrictions section, select Google Play Store: On radio button to enable the Google Play Store. It is set to Off by default.
  3. Optionally, in the Whitelist Google Accounts field, select the Account check box to enter the domain URL or wildcard domain. This specifies which Google accounts or wildcard domains may be used inside the Knox Container.
  4. Save your changes.

Tunnel support in the Samsung Knox Workspace

You can configure Tunnel support on Android devices. For detailed information on support and setup for Tunnel in the Samsung Knox container, see the Ivanti Tunnel for Android Guide.

On-Demand Support for Samsung Knox VPN connections

You can enable On-Demand for Samsung Knox for VPN apps that support On-Demand connections.

On-Demand is not supported for container-wide VPN apps.

To enable On-Demand for Samsung Knox:

  1. In the Admin Portal, go to Policies & Configs > Configurations >Add New > VPN. The Add VPN Setting dialog box opens.
  2. In the Connection Type drop-down menu, select the Samsung KNOX IPSec check box. This is a VPN app that supports On-Demand.
  3. Enter the information for the Server, Username, and Password.
  4. Select the VPN on Demand check box.
  5. Select the Per-app VPN Yes radio button.
  6. Select Save.