Device Profile for Corporate Owned Android Devices

Device Profiles are an easy way to group your policies in one single entity, which they can be applied to one or multiple devices. Depending upon the organization structure and policy levels, you can create one or more Device Profiles. Once a Device Profile is created, it can be applied to a Device Group or used to create a QR Code configuration for faster enrollments.

At a high-level MobiLock's Device Profile offers the following policy controls,

  1. Mode: MobiLock offers two modes of operation for the client. Please read our detailed guide on understanding the differences the modes of operation. In a nut shell, these are,
    1. Kiosk Mode: In this mode, the device home screen aka Launcher is replaced with MobiLock's custom launcher, thereby showing the users only the applications, browser shortcuts that are configured in policy. It prevents users from accessing other applications.
    2. Agent Mode: In this mode, the device home screen is not replaced. MobiLock runs in the background as a silent agent and applies the policies. Note that this mode is best suited for EMM devices, that is the devices enrolled via afw#mobilock.
  2. Application Policy: Use this section to control the applications that will be enabled in the Locked down mode. All other applications will be blocked.
  3. Browser Shortcuts: Use this section to choose the browser shortcuts (whitelist websites) that will appear as shortcuts or are allowed to be opened via MobiLock Browser.
  4. Branding and App Order on MobiLock Homescreen: Choose a branding that will be applied to the device and arrange the applications on home screen.
  5. Restrictions: A wide collection of control and security policies to better manage your devices.

In this document we will see how to create a Kiosk profile and configure the various sections.

Before You Begin

✅ You must have a valid MobiLock Pro account.

Creating a Corporate Profile

Follow these steps to create a corporate profile:

  1. From your MobiLock dashboard, go to Device Management ➞ Device Profiles.
  2. Click on Create New Profile in the upper right corner.
  3. Select Kiosk/Agent option.
  4. Enter a name for the profile and an exit passcode. Click on the Submit button. You will be redirected to the Profile creator view.

Exit passcode helps you manually exit MobiLock client on the device, in case the device looses connectivity or you want to get access to the full device.
  1. The first section is SELECT APPS and this section is used for the following,
    1. Select a Mode for MobiLock client: This sub-section lets you choose a mode of operation for MobiLock client. The options are,
      1. Set MobiLock as Launcher: In this mode, MobiLock replaces the home launcher of the device and shows a custom home screen. Any setting annotated by
      2. Set MobiLock as Agent: In this mode, MobiLock runs in the background and silently applies the policies. This allows user to use the native/default launcher.

        In Agent Mode, the Application policy or the apps cannot be restricted from being used if the devices are not EMM managed (enrolled via afw#mobilock). To understand the difference between launcher and agent mode, please refer to our document here.
    2. Application Policy: Choose which applications are allowed to be used. For each application you can additionally select the following 3 properties,
      1. Enabled: Select this option to allow the application to be used on the device.
      2. Visible: By default when you enable an application, it is visible. However you can choose to hide the application. If the application is visible then a shortcut icon will be placed on MobiLock homescreen, where as if it is hidden it means that a shortcut will not be placed on homescreen but this application can be invoked via other enabled applications.
        When MobiLock is Set as Agent, then the visibility flag does not apply. Applications can either be enabled or disabled only.
      3. Allow Lock Task: This is a special flag that gives the capability to an Android app to pin itself to screen for as long as it wants and achieve dynamic single app mode state.
      For Android application to use Allow Lock Task, they need to implement special code as explained here. MobiLock can only give those applications the required privileges to pin themselves without user interaction whenever they want.
      Initially when you have not enrolled a device, you will see a limited set of applications to enable. As and when you enroll more devices, the list of applications will be populated basing on all the applications across your devices.
  2. The next section is the BROWSER SHORTCUTS section, where you can select the previously whitelisted websites. User will be allowed to browse all the shortcuts that are allowed. However the visibility of the shortcut depends upon the visibility flag of the Whitelist Website. For all the visible websites a shortcut will be created on MobiLock homescreen.

Use Device Management > Whitelist Websites section to create and whitelist websites.
  1. In the SELECT BRAND/APP ORDER section, apply a previously created brand and select the order of enabled applications. Click NEXT once done.
  2. Click on the Next button.
  3. From the Select Brand/ App Order, select a brand theme from the list. You can reorder the apps in your device by dragging the app or website icon in the virtual mobile screen.
    Application ordering applies only when MobiLock is Set as Launcher. When MobiLock is Set as Agent, then the app-ordering does not apply to the native launcher.
  4. The next section is the Kiosk/LauncherSettings section. This section, shows you only the settings that are applicable when MobiLock is Set as Launcher. The settings are,
    1. Single App Mode: This section allows you to turn your Android tablets/phones into a kiosk that runs only one application always.

      Setting

      Description

      Set Default Application

      Choose an application from the list of enabled applications that will be set to run as the default app.

      Run All the time

      You can set a delay time after which the app will start running. By default, the app is set to run all the time. To set a delay time, uncheck the Run All the time checkbox and enter the delay value (in seconds).

      Retain application state when an app is relaunched

      Select this option to retain the application state when it relaunched due to an invariant user action that causes a blocked app to be opened like for example pressing the app switch key.

      Default Launch URL*

      If you have selected Google Chrome or MobiLock Browser to run as default, then additionally you can specify a URL that will be used as the launch page.

      Auto Refresh Interval*

      If you have selected Google Chrome or MobiLock Browser to run as default, then you can set a auto-refresh interval. This would force refresh the page after every given interval.

    2. Homescreen Settings: These setting allow you to customize MobiLock Homescreen behavior.

      Setting

      Description

      Hide the bottom navigation bar from screen

      Hides the bottom navigation bar on the device.

      ⚠ This is a device specific feature and may not work on all models. Once disabled the users need to swipe up from the bottom of the screen to use Keyboard.

      Set device in Full screen mode

      Sets the device in Full-screen mode where both the bottom navigation bar and the status bar at top is hidden.

      ⚠ This is a device specific feature and may not work on all models. Once disabled, users cannot use the Keyboard as well.

      Show Exit option

      Allows you to control the visibility of the Exit option from the settings menu of MobiLock app.

      Allows User’s to Clear App Data

      Allows the user to clear application data by long tapping on the app shortcut on MobiLock home screen.

      This feature works only on devices where MobiLock is enrolled via afw#mobilock and selected Samsung, Sony and LG devices.

      Allow User’s to Uninstall Application

      Allows the user to uninstall applications from his device.

    3. Notification Centre (Experimental): When MobiLock is set as the default launcher, it blocks the default notification bar completely. Hence MobiLock provides a custom Notification centre to give a controlled access to notifications and other quick actions.
      How to Access Notification Centre on Device: For Android 8.0 and below, the Notification centre can be dragged from the top and from Android 8.0 and above the Notification centre can be made visible by a flick from left-bottom of the screen.

      Setting

      Description

      Notification Centre

      Enabling this option will allow the user to access the notifications by dragging it from the top screen.

      Change Orientation

      Allows the user to change the device’s orientation.

      Flash Light

      Allows the user to access the device's flashlight from the notification bar.

      View and Switch Between Recent applications

      Allows the user to switch between recent apps.

      Kill Background Applications

      Allows the user to kill apps running in the background.

      Allow USB Notifications

      Enabling this option will allow the device to send a notification when a USB is connected.

  5. The next section is the Restrictions section. This is collection of various policies that let you control and manage your devices better. We explain each of these sections below,
    1. Volume Settings: This setting allows you to control the volume attributes of your devices.

      Setting

      Description

      Control Ringer Volume

      Allows the user to control the device’s ringing volume.

      Control Music Volume

      Allows the user to control the music volume of the device.

    2. WiFi Settings: This setting allows you to manage the WiFi configuration of your devices.

      Setting

      Description

      Choose WiFi configuration

      Allows you to choose a previously created WiFi configuration for your devices.

      ⚠ The devices will be locked to this Wifi and if the Wifi is not available then the devices will become unreachable.

      Allow users to access “WiFi Connection” menu inside the app

      Enables access to the WiFi Connection menu from the MobiLock application. If a Wifi configuration is applied then this menu cannot be used.

      This feature works only when MobiLock is set as Launcher.

      Allows users to connect/disconnect from WiFi Network

      Allows the user to connect or disconnect a WiFi network from  the MobiLock application. If a Wifi configuration is applied then this menu cannot be used.

      This feature works only when MobiLock is set as Launcher.

    3. Mobile Network: This setting allows you to manage the Mobile data configuration of your devices.

      Setting

      Description

      Allows the user to share/unshare from Hotspot Network

      Choose if the user's are allowed to enable/disable the Hotspot state from the MobiLock Notification centre.

      This feature works only when MobiLock is set as Launcher.

      Choose Hotspot configuration

      Allows you to choose a Hotspot configuration for your device. Once applied the devices will create a hotspot and share their internet.

      Allow user to access “Mobile Data Settings” inside the app

      Enables the user to access mobile data options of the device.

      ⚠ This feature works only when MobiLock is set as Launcher. This feature may not work on all the devices.

    4. Display Settings: This setting allows you to manage the display attributes of your devices.

      Setting

      Description

      Screen Time Out Settings

      Allows you to set idle screen timeout duration from the dropdown list.

      ⚠ This is a device specific feature and may not work on all devices.

      Power Button causes the display to sleep

      If the screen time out is set to Keep Always On, then an additional option that can be used to define power button behavior.

      Allow changing of brightness

      Allows the user to change the screen brightness of his device from either the 3 dots Menu on MobiLock home screen or Notification centre.

      Control device screen brightness

      Use this option to enforce the default screen brightness. This will override user choice on the device if any.

    5. EMM Settings: These are the additional settings for your EMM managed devices that provide additional security and control. These settings also allows you to give your users access to System Settings in a controlled fashion if need be.
    Allowing these settings does not mean that user's will have access to these settings directly. You need to allow the selected applications like System Settings or others that allow modification to these settings. These are useful if you want to restrict and prevent other malicious apps from using them.

    Setting

    Category

    Description

    Allow Outgoing Phone Calls

    Communication

    Normally disabling the Phone app will achieve this, however there might be some apps that might attempt to make phone calls. This option lets you completely disable outgoing calls.

    Allow Send/Receive SMS

    Communication

    Normally disabling the default messaging app will achieve this, however there might be some apps that can send SMS discreetly. This option lets you completely block the SMS.

    Allow Bluetooth

    Communication

    Allows a user to connect to a Bluetooth device.

    ⚠ This feature is available only for OS version 8.0 and later.

    Allow Android Beam

    Communication

    Allows a user to share files through Android Beam.

    Allow Adding Users

    User Management

    Choose if the user can add multiple users accounts on devices. This is useful to prevent creating new users immediately after boot or from system settings app.

    Allows Removing Users

    User Management

    Choose if user can remove the already created multiple user accounts.

    Allow Adding Google Account

    User Management

    Choose if user can add Google accounts. This is used to prevent accidental creation of account via other applications.

    ⓘ Allowing this does not mean user can add accounts directly without allowing the relevant apps.

    Allow Adding/Deleting Accounts

    User Management

    Choose if user can add additional accounts like Outlook on their devices. This is used to prevent accidental creation of account via other applications.

    ⓘ Allowing this does not mean user can add accounts directly without allowing the relevant apps.

    Allow Mobile Network Changes

    Network & Security

    Allows user to change mobile network settings if they have access to Settings app.

    Allow Tethering From All Sources

    Network & Security

    Allow users to enable Tethering via USB or Bluetooth.

    Allow WiFi Changes

    Network & Security

    Allow users to modify Wifi network from System Settings if they have access to.

    This may cause them to loose connectivity and hence it is suggested that you allow them to use MobiLock's Wifi connection options as a fallback.

    Allow Screen Capture

    Network & Security

    Choose if the users are allowed to capture the screenshot of applications.

    Allow Camera

    Network & Security

    Choose if the default Camera is disabled and cannot be used by any application.

    Allow Disabling Application Verification

    Network & Security

    Choose if user's can disable Google Play Application Verification if they have access to managed play store.

    Allow Keyguard

    Keyguard

    Choose if the Keyguard/Lock screen is allowed.

    Allow Keyguard Camera

    Keyguard

    If the Keyguard is allowed, then control if Camera can be launched from lock screen.

    Allow Keyguard Notifications

    Keyguard

    If Keyguard is allowed, then control if the notifications should be displayed.

    Allow Keyguard Trust Agent State

    Keyguard

    If Keyguard is allowed, then control if users can pair the bluetooth devices as trust agents for auto-unlock.

    Allow Keyguard Unredacted Notifications

    Keyguard

    If Keyguard is allowed, then choose if unredacted notifications are allowed.

    Allow KeyguardFingerprint Sensor

    Keyguard

    If Keyguard is allowed, then choose if users can use the fingerprint scanner.

    Enable System Status Bar

    Agent Mode

    When MobiLock is set as Agent, choose if the users can access the system status bar and notifications.

    This setting works only when MobiLock is set as Agent.

    Hide Agent App from UI

    Agent Mode

    When MobiLock is set as Agent, then you can choose if the MobiLock app icon is hidden from the native launcher. Note that this does not prevent the app from appearing in System Settings > Apps list.

    This setting works only when MobiLock is set as Agent.

    Restrict Apps

    Agent Mode

    When MobiLock is set as Agent, you can control whether the application usage should be restricted or not. Basing on the applications that you have enabled, if this setting is true then only the selected applications are shown in the default launcher.

    This setting works only when MobiLock is set as Agent.

    These settings will work only if your device is set up as an EMM device.
    1. Exchange Settings: Use this setting to configure an Exchange account on the device. You can select a previously created exchange configuration. Please refer to our Exchange configuration document for details.
    Note: The GMail client is configured with the given configuration. Currently GMail app does not allow the exchange configuration to be unpublished. So if you want to un-publish at a later point, you would have to publish a dummy/invalid account to the devices.
    1. General Setting: These settings allows you to manage some general settings.

      Setting

      Description

      Allow Users to access “Timezone” inside the app

      If this option is enabled then user's can see an option in MobiLock menu to change timezone.

      Choose Timezone configuration

      Enforce a default timezone for the devices from a list of previously created TimeZone configuration.

      Lock Screen Orientation

      Enforce an orientation on your tablet devices.

      ⚠ This is a device specific feature and the mileage may vary from OEM to OEM.

      Wifi State

      Choose if you want to enforce the Wifi to be always On or Off. By default it is set as None and no policy is enforced.

      Bluetooth State

      Choose if you want to enforce the Bluetooth to be always ON or OFF. by default it is set as None and no policy is enforced.

Once you have created a Kiosk/Agent Profile, it will start appearing in the list of device profiles with a small lock icon, indicating that this device profile is suitable for Kiosk devices.

Applying a Device Profile

Once you have the device profile ready, you can choose to create a QR Code/Enrollment Configurations, and all the devices that will use this QR Code to enroll will get this device profile. Also you can apply a Device Profile to a Device Group and all the devices in that group will get this device profile.

To update a profile on a device individually, then select the Device Profile in the device profile listing screen, click on the Publish button and select the Devices to apply.

Frequently Asked Questions

Question: What is the difference between Launcher mode and Agent Mode?

Answer: Our document on differences between launcher and agent mode explain it in detail. Please find the document here. Here is a brief,

  • Launcher Mode: When MobiLock is set as launcher mode, then it replaces the default home screen of the device and shows only the applications that are allowed along with the browser shortcuts. This is useful for both legacy forms of enrollment where afw#mobilock is not supported and the newer forms where afw#mobilock enrollment is supported.
  • Agent Mode: When MobiLock is set as agent, then it does not replace the default launcher. It silently runs in the background and applies the policies set in the default profile. This is NOT suitable for legacy devices, where it does not give you Application restrictions. However on devices enrolled via afw#mobilock, where MobiLock is the device owner, it controls the applications and also gives a native experience.

Question: What will happen if we change the mode to Agent for a Device Profile that has a mix of EMM (afw#mobilock) and non-EMM devices?

Answer: We would advise against changing the mode of a Device Profile which has both EMM and non-EMM devices. In case of non-EMM devices, MobiLock WILL NOT be able to apply application restriction policy, thereby allowing the users to use any of the installed applications.

Question: Do we need to give all the permissions when MobiLock is set as Agent mode?

Answer: Yes for optimal policy enforcement, we advise that all the permissions are given when MobiLock is set as agent.

Question: Can a device be switched between Agent and Launcher or vice-versa?

Answer: Yes, the mode change in the profile, causes the MobiLock client to either run as agent or as launcher. However if the devices was setup in Agent mode, then while shifting to launcher mode, MobiLock will ask for Default Launcher permission.

Question: We see that some sections are disabled or not-accessible when Agent Mode is selected?

Answer: This is because there are some features that do not work when MobiLock is running as agent mode. Hence we have disabled the sections or these options from being accessed. When MobiLock is set as Agent, the following settings are not accessible,

  • Single App Mode
  • Homescreen Settings
  • Notification Centre Settings
  • In-App Wifi Settings
  • In-App Hotspot Settings
  • In-App Mobile Network Settings

Question: We see that some sections are disabled or not-accessible when Launcher Mode is selected?

Answer: This is because there are some features that do not work when MobiLock is running in Launcher mode. Hence we have disabled the sections or these options from being accessed. When MobiLock is set as Launcher, the following settings are not accessible,

  • Enable System Status Bar
  • Hide Agent App from UI
  • Restrict Apps

Question: Why is that on our devices we can see and use all the applications event though we have not selected them in Select Apps?

Answer: This might happen in the following conditions,

  • If MobiLock set as Agent Mode and the device is NOT enrolled via afw#mobilock (EMM managed), that is enrolled via legacy methods.
  • If MobiLock set as Agent Mode and the Restrictions > EMM Settings > Restrict Apps is not enabled.

Question: Why is that on some of our EMM managed devices we can see the Settings app?

Answer: On devices running Android 7.0 and above, we cannot completely hide Settings app due to the other dependancies. Hence we have disabled it.

Question: Why are the Enterprise APKs and/or Play for Work apps are not getting silently installed when the device is in Agent Mode?

Answer: When MobiLock is set as Agent mode, it requires the Google Play Store app to be enabled for the Enterprise Apps and/or Play for Work apps to be installed. Make sure that Google Play Store app is enabled. You can enable the Google Play Store and use the Restrictions > Account Setting options of Device Profile to make sure that user does not add/remove the accounts.


How did we do?