How do you apply the right level of control when every customer faces a different risk environment?
Some organizations manage financed devices with strict security requirements, while others oversee enterprise fleets that prioritize day-to-day usability. These environments carry different risks, leading to varying levels of control across customer deployments.
Knox Guard already allows safeguards to scale with these needs, but managing specific permissions across diverse customers has become increasingly complex. To address this, we’re introducing Knox Guard tenant domains—a structured way to group customers by their use case so that specialized permissions can be applied with clarity, consistency, and tighter security.
Table of contents:
- Preparing for the required configuration of Knox Guard domains
- Understanding the Knox Guard domain categories
- How to get started with Knox Guard domains
- Purpose-built protection for every business
Preparing for the required configuration of Knox Guard domains
Starting with the 26.01 Knox Guard release, new and existing customers will be prompted to select a tenant domain. This selection determines which permissions and features are automatically enabled or recommended for your registered devices, ensuring that your environment is configured according to your operational needs.
Because domains define the governance model for your fleet, the selection can’t be changed after it’s set. As such, it’s important to choose the domain that best reflects with your organization’s risk profile, business model, and device management requirements.
Understanding the Knox Guard domain categories
Knox Guard currently supports four domains: Device Financing, Device Insurance, Enterprise, and Other. Each domain is defined by a set of mandatory, optional, and recommended features that reflect its operational use case and risk environment.
For the Other domain, all feature permissions will be determined in communication with your Samsung admin. Please contact us to obtain the appropriate permissions for your business.
Device Financing
The Device Financing domain is built for scenarios where devices are loaned or financed to end users. This includes financial institutions managing installment programs, as well as carriers offering subsidized devices tied to their own service plans.
Devices enrolled under this domain automatically receive a set of security policies designed to deter hacking and protect high-value assets. An additional set of security-hardening mechanisms will be available to select devices.* This configuration is known as Hardened Security mode.
Hardened Security mode is mandatory for device financing customers. Once applied to a device, it can’t be reversed. Existing customers will have the option to enable Hardened Security mode for eligible devices already in their accounts, but all new supported device uploads will have it enforced by default.
If you’d like to review the full set of qualifications and protections included in Hardened Security mode, visit our previous blog post for more details.
Device Insurance
The Device Insurance domain supports companies and device-protection providers focused on preventing data leakage and minimizing fraudulent insurance claims.
Customers in this domain can:
- remotely lock lost or stolen devices to prevent unauthorized access and information leakage.
- completely wipe device information when a locked device can’t be recovered.
- display insurance-specific messaging during Knox Guard enrollment.
Enterprise
The Enterprise domain supports organizations distributing corporate devices to employees for internal use.
Enterprise customers can:
- lock devices not returned after employee offboarding.
- wipe lost devices to protect sensitive business data.
Other
The Other domain allows customers with non-standard or highly specialized business needs to use Knox Guard outside of the predefined categories. Depending on your situation, a Samsung admin can enable the features required for your deployment .
How to get started with Knox Guard domains
For current Knox Guard users, the super admin of your tenant will be prompted to select a domain the first time they access the Knox Guard console after the 26.01 release. If you’re unsure of which domain to pick, you can exit the prompt and select at a later time.
New Knox Guard users will select their domain during the standard registration process.
Customers with a Pay-as-you-go (PAYG) tenant will be automatically assigned the Device Financing domain in the 26.01 release. This assignment is fixed and can’t be changed.
Customers with an Antitheft tenant won’t be impacted—you won’t need to select a domain, and can continue using Knox Guard as usual.
Purpose-built protection for every business
As organizations take on more diverse device use cases, having a security model that adapts to each environment becomes essential. Knox Guard domains can provide customers with the level of control, flexibility, and protection that matches their operational needs. As we roll out this feature, we will look to expand the policy and permission sets that better align with the nature of each domain to best support your business needs.
Whether you’re managing financed devices, safeguarding customer assets, or deploying corporate fleets, there’s a domain that suits your unique organization.
DISCLAIMERS
* This feature is only available on select devices released from the Samsung Galaxy S26 onward. The Galaxy A17 LTE is also supported.
