To use a Work Profile in a policy, click Enable work profile in the current policy.

Main work profile settings

To use the KNOX API, mark the checkbox next to Enable Samsung KNOX API in work profile.

If you select that option, additional features will be displayed:

Work profile settings

  • KNOX license – to activate KNOX in the policy, a proper KNOX license key must be provided. The KNOX license can be added, changed or removed using the plus/minus icons next to the license key field.

  • Enable attestation – if set, an additional operation for the Samsung KNOX attestation process will be added to the queue; it checks the device's software integrity before the KNOX container is created.

Work profile components

In the next tab you can configure Policy components. Available components are Applications and Configurations.

NOTE: You can only choose from apps that were previously added to FAMOC. The process of adding apps is described here.

You can decide which apps will be installed with the policy by clicking Select application.

Policy components

Select apps by clicking the checkbox next to each app's name. To confirm your choice, click the Select button in the bottom right corner.

Applications selection

Selected applications will be installed in the Work Profile container while applying the policy on the device and will be marked with the briefcase icon.

Icons in Work profile

When the policy assigned to a device is changed, the new policy will be applied and the new list of applications will be installed. When selecting an application, it is possible to specify the number of installation retries (if an application installation is cancelled by the user, FAMOC will retry the operation). Possible options:

  • Installation obligatory (default option) – if the installation is canceled, it will be attempted again every following day.

  • One installation attempt – if the installation is canceled, it will not be retried.

  • Several installation attempts – the installation will be retried the specified number of times.


Policy components can be placed in a custom installation order using the down/up arrows in the Order column. By default, items are installed in sequence (the next item starts when the previous one has been successfully installed). It is possible to mark an item as independent (Independent column), which means the next action starts independently of the previous action, without waiting for its success report.

Select Ignore failure to execute the next action if the previous one failed.
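The ordering rules above decide whether a later component is ever started, so it is worth checking which items a security-relevant configuration depends on. The following is an added example, not FAMOC code: a small model of one installation pass that assumes the Independent and Ignore failure flags are set on the earlier item and release the item after it; the component names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    independent: bool = False      # "Independent" column ticked (assumed to release the next item)
    ignore_failure: bool = False   # "Ignore failure" ticked (assumed to release the next item)

def simulate(policy, failing):
    """One pass over the ordered policy; `failing` holds names that fail or are cancelled."""
    status, prev = {}, None
    for comp in policy:
        if prev is None:
            started = True                          # first item always starts
        elif status[prev.name] == "not started":
            started = False                         # the chain was blocked further up
        else:
            started = (status[prev.name] == "ok"
                       or prev.independent or prev.ignore_failure)
        if started:
            status[comp.name] = "failed" if comp.name in failing else "ok"
        else:
            status[comp.name] = "not started"
        prev = comp
    return status

def gates(policy):
    """For each component, the earlier components whose failure stops it from starting."""
    result, upstream = {}, []
    for comp in policy:
        result[comp.name] = list(upstream)
        if not (comp.independent or comp.ignore_failure):
            upstream.append(comp.name)              # plain sequential item gates all later ones
    return result

# Constructed sample policy, in the order set in the Order column.
POLICY = [
    Component("Mail app"),
    Component("Wi-Fi configuration", independent=True),
    Component("Browser", ignore_failure=True),
    Component("Passcode configuration"),
]

if __name__ == "__main__":
    print(simulate(POLICY, failing={"Mail app"}))
    print(gates(POLICY))
```

In this model a cancelled "Mail app" installation leaves every later item, including the passcode configuration, not started; moving the configuration to the top of the order removes that dependency.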

To add a configuration to the policy, click the Select configuration button. A popup with the configuration list will appear.

Configuration can be set for: 

  • Peak – configuration will be applied in peak

  • Off-peak – configuration will be applied in off-peak

  • Always – configuration will be applied always


In the Work profile restrictions tab, the admin can configure:

  • Enable/Disable USB debugging – allows or blocks the possibility to install applications through ADB to the work profile. If disabled, applications will be installed only in the private part of the device.

  • Enable unknown sources – allows or blocks the possibility to install applications through .apk files to the Work Profile. The policy will not be active on Android 5.0 devices (installation of .apk is blocked).

  • Block screen capture in applications that run in the work profile, to prevent data from being shared by that method.

  • Disable accounts modification – blocks the possibility to add, edit or delete an account.

  • Disable camera – blocks the possibility to use the camera.

  • Disable cross profile copy-paste

  • Disable application control

  • Disable one lock code – blocks the possibility to use one lock code for the device and Work Profile.

  • Allow moving apps to work profile


Enabled applications

In this section the admin can enable Google system applications in the work profile so that they are automatically accessible to users after profile activation. The applications enabled on the device may differ, as some Android versions (especially branded versions) may not include all of the listed system applications. The admin can change the list of enabled applications and hide them as needed. The default applications, which are always visible after profile activation, are FAMOC Base Agent and managed Google Store.

Applications permissions


In this tab you can set a global permission policy and set exceptions for specific apps.


Runtime permission policy – this setting controls what happens when an application asks for a specific permission while it is running. You can set one of three values:

  • Managed by user – default value; the user will be asked to give apps access to functions that require a specific permission. The user will also be able to change permissions for an application.

  • Allow – applications that ask for a permission will have it granted automatically and the user will not be able to change it.

  • Deny – applications that ask for a permission will have it denied automatically and the user will not be able to change it.


Applications permissions tab