Custom Profile Support for Samsung Android Features

The Workspace ONE UEM console uses Custom profiles to let admins push features and settings to Android devices that the console does not otherwise support. The functions discussed in this article include all custom settings available for Samsung Android devices.


Using Custom Profiles 

The Custom Settings payload allows admins to enter their own XML into a profile and apply the profile to devices. Follow the steps below using the custom XML code found in this article.

  1. Configure the General profile and deployment options as desired.
  2. Navigate to the Custom Settings profile and select Configure.
  3. Add the associated XML below to the Custom Settings text box.
    1. This XML should contain the complete block of code as listed below, from <characteristic> to </characteristic>.
    2. Administrators should configure each setting from <true /> to <false /> as desired.
    3. If certificates are required, then configure a Certificate payload within the profile and reference the PayloadUUID in the Custom Settings payload.
  4. Select Save & Publish.

To use these custom profiles with Android enterprise Work Managed devices, please reference Configuring Samsung Settings in Android Enterprise.
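A pre-flight check for step 3, added here as an example (it is not VMware or Samsung code): it confirms that the pasted block runs from <characteristic> to </characteristic>, that type and uuid are filled in, and that boolean settings hold True or False. The function name, the placeholder type value and the sample payloads are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

def lint_custom_settings(xml_text, bool_parms=()):
    """Return a list of problems found in one Custom Settings payload."""
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        # Typical cause: the closing </characteristic> was not pasted.
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "characteristic":
        problems.append(f"root is <{root.tag}>, expected <characteristic>")
    if not root.get("type"):
        problems.append("characteristic type is missing or empty")
    if not UUID_RE.match(root.get("uuid", "")):
        problems.append(f"uuid {root.get('uuid')!r} is not a well-formed UUID")
    for parm in root.iter("parm"):
        name, value = parm.get("name"), parm.get("value")
        if name is None or value is None:
            problems.append("parm element lacks a name or value attribute")
            continue
        if name != name.strip():
            problems.append(f"parm name {name!r} has stray whitespace")
        if name.strip() in bool_parms and value.lower() not in ("true", "false"):
            problems.append(f"{name.strip()}: expected True or False, got {value!r}")
    return problems

# Constructed samples. The type value is a placeholder, not a real profile type.
GOOD = """
<characteristic type="EXAMPLE_TYPE" uuid="00000000-0000-4000-8000-000000000000">
  <parm name="allowNFC" value="True" />
</characteristic>"""
TRUNCATED = GOOD.replace("</characteristic>", "")
BAD = """
<characteristic type="" uuid="0000000g-0000-4000-8000-000000000000">
  <parm name=" allowNFC" value="Yes" />
</characteristic>"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("truncated", TRUNCATED), ("bad", BAD)):
        print(label, lint_custom_settings(text, bool_parms={"allowNFC"}))
```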


Install Apps Outside of Knox Container 

Admins can choose where to deploy internal apps when using Knox Containers. By default, the app will install inside the container. The custom XML below allows admins to choose to install the app inside the container, outside, or in both locations. Modify the bolded text to the intended package ID and install location.

<characteristic type="" uuid="c7241dd6-07a5-4623-b6ed-d711661078d1">
  <parm name="packageId_flag" value="" />
</characteristic>



_0 = Install on device side

_1 = Install inside container

_2 = Install on both sides


Allow Change Data Sync Policy

Use the below XML for more granular control of the Data Sync Policy for Knox Containers:

<characteristic type="" uuid="c0057ca5-da85-4cf8-b4c8-f6deabda50a3">
    <parm name="allowChangeDataSyncPolicy" value="True" />
    <parm name="exportDataOutOfContainer" value="False" />
    <parm name="syncContacts" value="True" />
    <parm name="syncNotifications" value="True" />
    <parm name="syncCalendar" value="False" />
</characteristic>



Agent 7.0 Enhancements 

Application Restrictions inside and outside the Knox Container

  • Restrict clear app data
  • Restrict clear app cache
  • Restrict force stop of app


<characteristic type="" uuid="58606e25-1634-4615-8d4e-14d477099600">
   <parm name="allowClearDataForApps" value="False" />
   <parm name="ClearDataBlacklist" value="," />
   <parm name="allowClearCacheForApps" value="False" />
   <parm name="ClearCacheBlacklist" value="," />
   <parm name="allowForceStopForApps" value="False" />
   <parm name="ForceStopBlacklist" value="," />
</characteristic>



<characteristic type="" uuid="58606e25-1634-4615-8d4e-14d477099600">
   <parm name="allowClearDataForApps" value="False" />
   <parm name="ClearDataBlacklist" value="," />
   <parm name="allowClearCacheForApps" value="False" />
   <parm name="ClearCacheBlacklist" value="," />
   <parm name="allowForceStopForApps" value="False" />
   <parm name="ForceStopBlacklist" value="," />
</characteristic>



Agent 7.1 Enhancements

Proxy PAC file support for Cisco AnyConnect VPN (Knox Container)

The entire VPN payload XML must be copied into a custom settings payload with the bolded section included for Proxy PAC configuration.

<characteristic type="" uuid="ae53afb2-42d9-4ba9-ab73-abe5d5f2a7d7">
   <parm name="ConnectionName" value="VPN" />
   <parm name="ServerName" value="" />
   <parm name="ClientType" value="CISCO_ANYCONNECT" />
   <parm name="IsUserAuthRequired" value="True" />
   <parm name="Username" value="user" />
   <parm name="Advanced" value="False" />
   <parm name="VPNAssignment" value="1" />
   <parm name="VpnType" value="1" />
   <parm name="proxy" value="2" />
   <parm name="proxyPACURL" value="http://proxypacurl.pac" />
</characteristic>



Whitelist apps to write to SD card from within the Knox container

<characteristic type="" uuid="58606e25-1634-4615-8d4e-14d477099600">
   <parm name="SDCardWhitelist" value="packagename1,packagename2,packagename3" />
   <parm name="EnableExternalStorage" value="true" />
</characteristic>



Agent 7.2 Enhancements

Configure Pulse Secure VPN in the Knox container without user interaction

The entire VPN payload XML must be copied into a custom settings payload with the below section included for silent VPN configuration:

<parm name="configureSilently" value="True" />


Agent 7.3 Enhancements

App Configurations inside Knox Container

Pre-defined configurations depend on the specific application. Modify the bolded sections to suit your app:

<characteristic type="" uuid="8aac143a-03b6-4bb7-a94d-079f5a8b6cf3">
    <parm name="LIBDEFAULTS_DEFAULT_REALM" value="" type="String" />
</characteristic>



Agent 8.1 Enhancements

Allow Iris Scanner, Allow Face Unlock - Device Passcode

<characteristic type="" uuid="9b9g84d9-689c-4e34-9b91-bd6dc7946423">
    <parm name="enableIrisScannerAuthentication" value="False" />
    <parm name="enableFaceUnlockAuthentication" value="False" />
</characteristic>



Allow Iris Scanner - Knox Container Passcode

<characteristic type=""


    <parm name="enableIrisScannerAuthentication" value="False" />



Allow Lockscreen Shortcuts

<characteristic type="" uuid="80edc0ae-abed-4efa-89e5-fdc1834f4dbf">
    <parm name="allowLockScreenShortcut" value="False" />
</characteristic>



Agent 8.2 Enhancements 

Allow fingerprint authentication inside the Knox Container:

<characteristic type="" uuid="8e7e6641-d5e2-47a8-842a-31e3780e9547">
    <parm name="enableFingerprintAuthentication" value="False" />
</characteristic>



Agent 8.3 Enhancements

Samsung DeX Features

{Android Legacy characteristic}

<characteristic type="" uuid="568bc89d-1df8-4ce9-a041-e5a24ac23123">

{Android Enterprise characteristic}

<characteristic type="" uuid="568bc89d-1df8-4ce9-a041-e5a24ac23123">
   <parm name="dexCustomizationLicenseKey" value="KLM03-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX" />
   <parm name="dexAddPackageToDisableList" value="com.waze,, com.airwatch.androidagent, com.facebook.katana," />
   <parm name="dexRemovePackageFromDisableList" value="com.airwatch.intenttester" />
   <parm name="dexLoadingLogoPath" value="/sdcard/mickey.jpg" />
   <parm name="dexShortcut" value="2,6,com.airwatch.androidagent" />
   <parm name="dexShortcut" value="2,7," />
   <parm name="dexAllowScreenTimeoutChange" value="false" />
   <parm name="dexSetScreenTimeout" value="120" />
   <parm name="dexEnforceEthernetOnly" value="true" />
</characteristic>



Universal Credential Management (UCM)

<characteristic type="" uuid="385b3764-4c96-4f94-ab05-afcd589f5e53">
   <parm name="enableBrowserAuth" value="False" />
   <parm name="enableEmailAuth" value="False" />
   <parm name="UcmLicense" value="KLM03-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX" />
   <parm name="UcmWhiteListedApps" value="" />
   <parm name="Vendor" value="Idemia" />
   <parm name="VendorPackage" value="com.idemia.ucmagentservice" />
</characteristic>



Allow NFC in Knox Container

<characteristic type="" uuid="ecfec0c0-8656-4af6-b41b-3b9bdf6f268f">
    <parm name="allowNFC" value="True" />
</characteristic>


Knox Per App VPN Blacklist

Add the parameter below to the existing VPN profile (you may have to copy the full VPN payload into a separate Custom Settings profile):

<parm name="VPNBlacklistApplications" value="app1,app2,app3" />


Hub 9.0 Enhancements 

Whitelist Apps for Doze Mode

{Android Legacy}

<characteristic type="" uuid="80edc0ae-abed-4efa-89e5-fdc1834f4dbf">
     <parm name="DozeModeWhitelist" value=",," />
</characteristic>

{Android Enterprise}

<characteristic type="" uuid="80edc0ae-abed-4efa-89e5-fdc1834f4dbf">
     <parm name="DozeModeWhitelist" value=",," />
</characteristic>



Hub 9.0.1 Enhancements

Enable/Disable USB Functionality for Android Legacy Knox Container

<characteristic type="" uuid="58606e25-1634-4615-8d4e-14d477099600">
     <parm name="allowUsbHostStorage" value="True" />
     <parm name="allowUSBDebugging" value="True" />
     <parm name="allowUSBMediaPlayer" value="True" />
     <parm name="allowUSBTethering" value="True" />
</characteristic>



Hub 19.03 Enhancements

Configure Deny All Firewall Rule with Protocol

<characteristic type="" uuid="672238e5-204c-468b-886d-f20eda9bea43">

  <parm name="ruleType" value="allow" />

 <parm name="hostname" value="*" />

 <parm name="port" value="53" />

 <parm name="portlocation" value="*" />

 <parm name="networkInterface" value="*" />

 <parm name="protocol" value="UDP" />

 <parm name="ruleType" value="deny" />

 <parm name="hostname" value="*" />

 <parm name="port" value="*" />

 <parm name="portlocation" value="*" />

 <parm name="networkInterface" value="*" />

 <parm name="protocol" value="*" />

 <parm name="packagename" value="*" />

<parm name="setDefaultVmwareWhitelist" value="true" />


Ensure the following:

  • Deny All network traffic with * for hostname and * for package name
  • Protocol can be *, UDP, or TCP
  • setDefaultVmwareWhitelist will keep all connectivity open for VMware applications without having to set an additional Allow rule
  • To use this policy with Android Legacy, use the characteristic type ""
  • Note: It is highly recommended to pair a Deny All rule with an Allow rule; otherwise, the device may lose all connectivity and be unreachable.
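A review script for the checks listed above, added here as an example (it is not VMware or Samsung code): it reads the flat parm list, verifies each rule's protocol, and reports a Deny All rule that has neither a paired Allow rule nor setDefaultVmwareWhitelist. It assumes each ruleType parm starts a new rule and treats setDefaultVmwareWhitelist as sufficient to keep the device reachable; the function names, the placeholder type value and the sample payloads are constructed.

```python
import xml.etree.ElementTree as ET

PROTOCOLS = {"*", "UDP", "TCP"}  # values the article lists for protocol

def parse_firewall(xml_text):
    """Group the flat parm list into rules; each ruleType starts a new rule."""
    rules, default_whitelist, current = [], False, None
    for parm in ET.fromstring(xml_text.strip()).iter("parm"):
        name, value = parm.get("name"), parm.get("value", "")
        if name == "ruleType":
            current = {"ruleType": value.lower()}
            rules.append(current)
        elif name == "setDefaultVmwareWhitelist":
            default_whitelist = value.lower() == "true"
        elif current is not None:
            current[name] = value
    return rules, default_whitelist

def review_firewall(xml_text):
    """Return findings for a firewall payload; an empty list means no issue."""
    rules, default_whitelist = parse_firewall(xml_text)
    findings = []
    for number, rule in enumerate(rules, start=1):
        if rule.get("protocol", "*").upper() not in PROTOCOLS:
            findings.append(f"rule {number}: unsupported protocol {rule['protocol']!r}")
    deny_all = any(r["ruleType"] == "deny" and r.get("hostname") == "*"
                   and r.get("packagename") == "*" for r in rules)
    has_allow = any(r["ruleType"] == "allow" for r in rules)
    if deny_all and not (has_allow or default_whitelist):
        findings.append("Deny All has no Allow rule and no default whitelist: "
                        "the device may lose all connectivity")
    return findings

def payload(parms):
    """Build a constructed payload; the type and uuid values are placeholders."""
    body = "".join(f'<parm name="{n}" value="{v}" />' for n, v in parms)
    return ('<characteristic type="EXAMPLE_TYPE" '
            f'uuid="00000000-0000-4000-8000-000000000000">{body}</characteristic>')

DENY_ALL = [("ruleType", "deny"), ("hostname", "*"), ("port", "*"),
            ("protocol", "*"), ("packagename", "*")]
ALLOW_DNS = [("ruleType", "allow"), ("hostname", "*"), ("port", "53"),
             ("protocol", "UDP")]
PAIRED = payload(ALLOW_DNS + DENY_ALL + [("setDefaultVmwareWhitelist", "true")])
LOCKOUT = payload(DENY_ALL)
BAD_PROTO = payload(ALLOW_DNS[:3] + [("protocol", "ICMP")] + DENY_ALL)
```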

