If you have been working with OEMConfig in Intune for Samsung devices you might have seen that there are some specific policies that says “Premium Features” on them when looking through the list of settings.
https://www.samsungknox.com/en/solutions/it-solutions/knox-platform-for-enterprise
How to claim your 2 year free license
Go to https://www.samsungknox.com/ and login if you have an existing account. If you don’t have an existing account you need to create it (which is free). Once created it usually takes a couple of days before it gets approved by your local Samsung branch. There’s a manual review process that goes on behind the scenes at Samsung which takes a couple of days but I have never encountered any problems with it or that it gets denied.
In the Knox portal, find the section that’s called “Knox Platform for Enterprise”. Hover the mouse over it and click on “Generate” to generate your free license key that’s valid for 2 years.
The key get generated and you can find over over at “Licenses” -> “Commercial Keys” and look for the one that’s called Knox Platform for Enterprise Premium
Creating a Premium policy that removes the Bluetooth toggle on a device
Create a new OEMConfig in Intune by navigating to Devices -> Android -> Configuration Profiles -> Create Profile and select Android Enterprise as platform and Profile type is OEMConfig
Read more about OEMConfig in Intune here:
https://docs.microsoft.com/en-us/mem/intune/configuration/android-oem-configuration-overview
Start with giving your Profile a name and enter the KPE Premium license key you generated from the Knox portal. Once that’s done click on Configure on the setting Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted)
Note.
For testing purposes I recommend enabling Debug Mode as well, this will enable the KSP app on the device which will show you information on the configuration you tried to apply to the device.
configure the following settings:
“Enable device policy controls” to True
And scroll down to the Device Settings (Premium) and click Configure
configure the following settings:
“Enable devices settings controls” to True
“Hide Settings Bluetooth” to True
And click on “Review + save”
Once saved, assign it to your group of users or devices
Under “Policies received” we can find information about which settings have been applied.
Here’s an before and after shot on the device
Before
After
What happens if you don’t have a license
If you don’t specify a valid license in your configuration
On the device and in the Knox Service Plugin (KSP) you’ll see something like this:
Package: com.google.android.apps.work.clouddpc
Result: Completed with errors
And under configuration results
Device Settings (Premium)
Message: [Permission error occured. Please check your license key has necessarry privileges and tr again.]
[13009][Permission com.samsuing.android.knox.permissions.KNOX_CUSTOM_SETTING, com.samsung.android.knox.permission.KNOX_CUSTOM_SYSTEM missing]
And of course the bluetooth setting is still available for the device.
That’s it for now, Don’t forget to follow me on twitter @timmyitdotcom
Like the look of that we working with COPE at the moment and my problem is I see security settings wanting a samsung and google account setting up, this can get messy and confusing hopefully this will enable me somewhere to adjust that.
Any idea on what happens after the two years or how to extend it?
For me the licenses have been renew automatically for another 2 years. When I created this article they were valid until 2024 and they have since then been renewed without me doing anything until 2026.
Hi Timmy, this is really helpful, thanks! I’m struggling with the screen lockout time applying. When I configure it in Intune I get two red exclamation marks against the screen timeout setting and disabling adaptive brightness and setting it to the brightest setting. I assume I have to enable something else, but I have got Enable Device Customization set to true and Enable device restriction controls also set to true. Is there another setting that needs enabling?
Hi Phil, Screen lockout and adaptive brightness are 2 different things and I just want to point that out.
Here’s Samsungs documentation on the screen lockout https://docs.samsungknox.com/admin/knox-manage/kbas/kba-412-how-to-configure-screen-timeouts-knox-manage/
https://docs.samsungknox.com/admin/knox-manage/configure/profile/configure-profile-policies/android-enterprise-policies/
First make sure that you have a device that is running a Knox version that supports this feature. If its an older device it might not have the capability.
Here’s some of my settings I have configured which is working just fine (Cant post screenshots in the comments so I can only post raw text):
Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted)
Enable device policy controls
true
Application management policies
Enable application management controls
true
Enable permission controls
true
Device and Settings customization profile (Premium)
Configure values in settings menu
Configure a setting menu item
Name of the Setting item
Display > Adaptive brightness
Set value for the setting
Use specified value
Specify value
255
Configure a setting menu item 1
Name of the Setting item
Display > Adaptive brightness
Set value for the setting
Off
Allow end-user modification of this setting
true
Configure to hide settings
false
Configure a setting menu item 2
Name of the Setting item
Display > Screen timeout
Set value for the setting
Use specified value
Specify value
43200000
Allow end-user modification of this setting
true
Configure to hide settings
false
You legend! I think it was this section I was missing:-
Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted)
Enable device policy controls
true
Application management policies
Enable application management controls
true
Enable permission controls
true
I’ve added those and it has now taken the settings properly. Thank you so much for your help.
Perfect! Great to here that it helped
Hey folks,
unfortunately i got the same issue as Phil described before.
I’ve gone through all the hints mentioned here and tested the exact same configuration posted by Timmy.
Even though I still get the red exclamation mark next to those settings .
Any other ideas of what I could be missing?
How do I get a 2 year free license?
Did you follow the guide in the post?
It keep sending me to the Knox admin portal. Where I can only ask for a 90day trial knox suite enterprise plan.
Hi, I’ve followed your instructions and for some reason I am getting and error with “Profile name(version:
Message [12006] “Profile name(version)” couldn’t be set to “”. Fatal error occurred. No policies have been received appRestrictions is empty”