Hardened Security mode
Last updated January 28th, 2026
When devices enroll in the Device Financing domain, a unique set of security hardening mechanisms and policies are applied by default to deter hacking. This is referred to as Hardened Security mode.
Hardened Security mode is mandatory for device financing customers, and can’t be reversed once applied to a device. In addition, these devices can’t be added to a non-financing customer’s tenant if they’ve previously been enrolled in the Device Financing domain, even after device management is complete. However, they can be re-enrolled into any financing domain.
To activate Knox Guard after re-enrolling a device with hardened security architecture, device users must navigate to guard.samsungknox.com on a browser on their device. For more information, see How to re-enroll devices in Knox Guard.
Once Hardened Security mode is applied, the device automatically restarts.
Supported devices
Knox Guard Hardened Security mode is supported on devices with hardened security architecture. This includes the Samsung Galaxy S26 and all subsequent device releases1. The Galaxy A17 LTE is also supported as an exception.
To use the security hardening features available through Hardened Security mode, devices must enroll in a financing domain.
Security features
The following security features are enabled for financed devices running Hardened Security mode:
| Security Feature | Description |
|---|---|
| Default lock | Ensures the device is locked when an error occurs. |
| Hacking lock | A system for detecting potentially malicious behavior and locking in the event it's discovered. |
| Multi-layer lock | Devices are secured on multiple layers, ensuring that a compromise at one point won't impact other locking components. |
| Date and time settings block | Devices leverage automatic date and time settings. Users can't configure the device's date and time. |
Key features
Default lock
Default lock is automatically enabled and non-configurable for devices in Hardened Security mode.
Default lock is a security hardening mechanism that ensures the device locks when an error occurs. When Default lock engages, all restrictions on the device are enforced. In addition, all policies applied to the device are voided and must be refreshed by pushing a new device policy.
Hacking lock
Hacking lock is automatically enabled and non-configurable for devices in Hardened Security mode.
Hacking lock is a security mechanism that prevents evasion of Knox Guard restrictions. When Hacking lock engages, the device applies the Default lock mechanism and locks. The device’s lock screen then displays an error code indicating the device was locked due to a hacking lock.
For more information on how to resolve any errors you may encounter, see the Knox Guard troubleshooting guide.
Multi-layer lock
Mult-layer lock is automatically enabled for devices in Hardened Security mode.
Multi-layer lock is a security hardening feature that employs multiple locking points across different levels of system privilege and components in the device software stack. For example, devices can be locked at the bootloader layer, while function restrictions can be applied on a different layer.
This architecture ensures that a compromise at one point doesn’t directly affect other locking components, increasing the complexity required to fully compromise Knox Guard.
Function restrictions
On Knox Guard activated devices, camera and performance restrictions can be enabled in multiple ways:
- Function restrictions are automatically activated when the Default lock mechanism triggers. This provides additional security in the instance where an anomaly or device tampering is detected.
- If you have a Knox Guard Advanced license, you can manually apply function restrictions to devices as desired. This allows you to encourage payments by limiting the performance of your devices.
User experience with Hardened Security mode
Enrollment screen
Figure 1 - Knox Guard enrollment screen.
When a device enrolls into Hardened Security mode, an enrollment screen displays to users (Figure 1).
Your company's name and applicable restrictions always display on the enrollment screen. You can also optionally configure your enrollment screen settings to display your contact information.
Once Hardened Security mode is applied, the device automatically restarts. For more information on how to configure your enrollment screen settings, see Enrollment management.
Toast message
Two different types of toast messages can display to users.
When restrictions are applied, users receive a prompt notifying them that restriction(s) are now active on their device (Figure 2). The service provider's name and logo also display in the notification.
For device financing customers, when a persistent enrollment notification tapping the notification displays a list of restrictions applied to the device (see Restriction itemization).
Figure 2 - Toast message for applied restrictions.
Restriction itemization
Figure 3 - Restriction itemization in the Settings menu.
Device users can view a description of the restrictions applied to their device (Figure 3). Users simply need to navigate to the Settings app on their device and click About phone > Knox Guard.
For device financing customers, if a persistent enrollment notification has been set, device users can also view this list by tapping the persistent toast message displayed in their device's notification panel.
Multi-layer lock
Devices can be locked on multiple layers. For example, camera and performance restrictions can be applied on one layer, while the Boot lock is applied on a separate layer.
When the Boot lock is engaged due to device firmware tampering, a security error displays to users (Figure 4, left). Once an admin applies function restrictions to a device, or a device is restricted due to tampering, you can check the applied restrictions in the Settings menu (Figure 4, right).
Figure 4 - Boot lock security error (left). Applied security restrictions (right).
Enable Hardened Security mode
Hardened Security mode is mandatory for device financing customers. When enrolling into the Device Financing domain, you’ll be able to select whether or not you’d like to apply this feature to all eligible devices already in your account.
You can choose either:
- Apply Hardened Security mode to all eligible devices currently in your account.
- Don’t apply Hardened Security mode to eligible devices currently in your account. You can also apply Hardened Security mode to your devices at a later date on the Policies page.
Regardless of which option you choose, once you’ve enrolled into the Device Financing domain, Hardened Security mode is automatically applied to all new eligible device uploads. This setting isn’t configurable.
Apply the Hardened Security mode policy
If you chose not to apply Hardened Security mode to eligible devices in your account when enrolling in the Device Financing domain, your tenant’s super admin can still enable this feature at a later date.
To apply Hardened Security mode to all remaining supported devices:
-
Navigate to the Policies page.
-
Under SETTINGS, click HARDENED SECURITY MODE.
-
On the Apply hardened security mode page, review the listed features and restrictions. Once you’re ready to proceed, check the box to confirm you’d like to apply Hardened Security mode to all remaining eligible devices in your account.
-
Click APPLY.
Once Hardened Security mode is enabled, devices will automatically restart and device users must review an enrollment screen outlining the newly applied restrictions before they can continue using their device.
-
Devices released prior to the Galaxy S26, other than the Galaxy A17 LTE, are unable to leverage or upgrade to Hardened Security mode. ↩︎
On this page
Is this page helpful?