Android Samsung Knox Container Settings

A Samsung Knox container configuration creates a secure container on Samsung Knox devices (API 4.0+). Apps in the Knox container cannot communicate with apps outside of the container. Data in the secure container cannot be sent outside of the container.

Sharing Bluetooth data from within the Knox Workspace is controlled by a device-level setting that the user sets. You must enable Bluetooth in the Lockdown policy by going to Policies & Configs > Policies > Lockdown and selecting the Bluetooth Enable radio button.

To configure the Samsung Knox Workspace mode:

  1. In the Admin Portal, go to Policies & Configs > Configurations > Add New > Android > Samsung KNOX Container. The New Samsung Knox Container Setting dialog box opens.
  2. In the Authentication section, enter the password rules and behavior you want to enforce.
  3. In the App Settings section, use the drop-downs to select settings for Browser, Exchange, and VPN in the container.

See Samsung Knox support for information about configuring Samsung Knox.

Use these settings to:

  • Specify requirements for the container password.
  • Specify which apps to install in the container.
  • Specify restrictions.
  • Select the Android Samsung browser configuration to use in the container.
  • Select the Exchange configuration to use in the container.
  • Select the VPN configuration to use in the container.

Make sure only one Samsung Knox container setting applies to each device.

Table 109.  Samsung Knox container settings




Enter brief text that identifies this group of Samsung Knox container settings.


Enter additional text that clarifies the purpose of this group of Samsung Knox container settings.


Enforce Multi-Factor Authentication

Select On to require the device user to enter both a password and a fingerprint to access the Samsung Knox container.

Therefore, the device user must create a fingerprint on the device.

The default is Off.

Enforcing multi-factor authentication requires the following on the device:

  • Ivanti Mobile@Work 9.1 for Android

  • Samsung Knox 2.2 or supported newer versions


Important: After multi-factor authentication has been enforced on a device, changing this setting to Off has no impact on the device. Multi-factor authentication is still enforced, as designed by Samsung.

Google Play Store

The default setting is Off. Select the On radio button to enable whitelisting Google accounts.

Whitelist Google Accounts

Enter the domains of accounts that can be added in the Knox container.

Allow Screen Capture

Select to allow the user to take a screenshot to help with troubleshooting.

Allow Remote Control

Select to allow alternate provisioning of the Knox container.

Allow NFC

Select to allow enrollment of the device using the NFC bump.

Allow USB

Select to allow USB so that apps that need USB access function properly.

Install all CA certificates inside KNOX workspace

Select to deploy CA certificates inside and outside of the Knox container to secure traffic on apps inside the Work Profile mode with a self-signed or well-known certificate. If you deselect this option, CA certificates are only installed on the outside of the container and certificates installed on the inside of the container are removed.

Supported variables

You can use the following substitution variables in the Forbidden Strings field in the Samsung Knox Container Setting:

  • $EMAIL$
  • $USERID$
  • $NULL$

You can also enter strings, such as:

  • 12345
  • Example password
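
The following added example (not part of the original documentation or the product's code) models how a Forbidden Strings list could be expanded per user and checked against candidate passwords before the policy is rolled out. It assumes that `$EMAIL$` and `$USERID$` are replaced with the user's values, that `$NULL$` expands to an empty string and forbids nothing, and that matching is a case-insensitive substring test; the function names, the `$PHONE$` entry and the sample user are constructed for illustration.

```python
import re

# Matches tokens written in the page's $NAME$ substitution-variable form.
_VAR_PATTERN = re.compile(r"\$[A-Z_]+\$")


def expand_forbidden_strings(entries, user):
    """Expand Forbidden Strings entries for one user.

    Returns (expanded, rejected). Assumptions of this sketch: $EMAIL$ and
    $USERID$ take the user's values, and an entry that expands to an empty
    string (for example $NULL$) forbids nothing.
    """
    values = {"$EMAIL$": user["email"], "$USERID$": user["userid"], "$NULL$": ""}
    expanded, rejected = [], []
    for entry in entries:
        unknown = [v for v in _VAR_PATTERN.findall(entry) if v not in values]
        if unknown:
            rejected.append(entry)  # variable is not in the supported list
            continue
        text = _VAR_PATTERN.sub(lambda m: values[m.group(0)], entry)
        if text:
            expanded.append(text)
    return expanded, rejected


def violations(password, expanded):
    """Return the forbidden strings found in password.

    Case-insensitive substring matching is an assumption of this sketch.
    """
    lowered = password.lower()
    return [s for s in expanded if s.lower() in lowered]


# Constructed sample data; $PHONE$ is a deliberately unsupported variable.
USER = {"email": "jdoe@example.com", "userid": "jdoe"}
ENTRIES = ["$EMAIL$", "$USERID$", "$NULL$", "12345", "Example password", "$PHONE$"]

if __name__ == "__main__":
    expanded, rejected = expand_forbidden_strings(ENTRIES, USER)
    print("expanded:", expanded)
    print("unsupported entries:", rejected)
    for candidate in ("Jdoe!2024", "x12345y", "c0rrect-h0rse"):
        print(candidate, "->", violations(candidate, expanded) or "ok")
```
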

Samsung Knox Workspace support for Google Play

You can enable users to use Google Play inside the Samsung Knox Workspace. Account whitelisting is supported for Google Play Services account types. Account types defined by an application, such as Gmail or Facebook, are not exempted by this whitelist because they are a different account type. Therefore, it is important to avoid whitelisting applications that can allow undesired accounts into the Knox Workspace.

Users are only permitted to download apps that are whitelisted for the Samsung Knox Container, but they are still able to browse the entire contents of the Google Play Store.

To enable Samsung Knox Workspace support for Google Play:

  1. In the Admin Portal, go to Policies & Configs > Configurations > Add New > Android > Samsung KNOX Container to open the New Samsung KNOX Container Settings dialog box.
  2. In the Restrictions section, select the Google Play Store: On radio button to enable the Google Play Store. It is set to Off by default.
  3. Optionally, in the Whitelist Google Accounts field, select the Account check box to enter the domain URL or wildcard domain. This specifies which Google accounts or wildcard domains may be used inside the Knox Container.
  4. Save your changes.

Tunnel support in the Samsung Knox Workspace

You can configure Tunnel support on Android devices. For detailed information on support and setup for Tunnel in the Samsung Knox container, see the Ivanti Tunnel for Android Guide.

On-Demand Support for Samsung Knox VPN connections

You can enable On-Demand for Samsung Knox for VPN apps that support On-Demand connections.

On-Demand is not supported for container-wide VPN apps.

To enable On-Demand for Samsung Knox:

  1. In the Admin Portal, go to Policies & Configs > Configurations > Add New > VPN. The Add VPN Setting dialog box opens.
  2. In the Connection Type drop-down menu, select the Samsung KNOX IPSec check box. This is a VPN app that supports On-Demand.
  3. Enter the information for the Server, Username, and Password.
  4. Select the VPN on Demand check box.
  5. Select the Per-app VPN Yes radio button.
  6. Select Save.