Skip to content

Knox Premium restrictions configuration (Android device policy)

With the Knox Premium restrictions configuration you define restrictions for Samsung Knox devices. These restrictions apply to the device, not to the Knox container.

Requirement

To enforce the Knox Premium restrictions, you must register a Samsung Knox Premium license with Sophos Mobile.

Option Description
Allow firmware auto update options The device automatically checks for firmware updates. Users cannot change this in the device settings.
Enable ODE Trusted Boot verification The device decrypts the data partition on boot only if the binary and the kernel are official, i.e. if the device is not rooted.

If the check box is cleared, the device always decrypts the data partition on boot.

Prevent installation of another administrator app The installation of apps that require device administrator privileges is prevented. This does not affect apps that are installed by Sophos Mobile.
Prevent activation of another administration app The activation of device administrator privileges for apps is prevented.
Allow Common Criteria mode The Common Criteria mode (CC mode) of the device is turned on, ensuring that the device meets the security requirements stated by the Mobile Device Fundamentals Protection Profile (MDFPP).

CC mode is only used if the following additional requirements are met:

  • Device encryption is turned on.
  • Fast encryption is turned off.
  • External storage encryption is turned on.
  • The number of failed login attempts until device wipe is set.
  • Certificate revocation is turned on.
  • Password history is turned off.