Android Device Profile for Company Owned Devices

Device Profiles are an easy way to group your policies in one single entity, which they can be applied to one or multiple devices. Depending upon the organization structure and policy levels, you can create one or more Device Profiles. Once a Device Profile is created, it can be applied to a Device Group or used to create a QR Code configuration for faster enrollments.

At a high-level Scalefusion's Device Profile offers the following policy controls,

  1. Mode: Scalefusion offers two modes of operation for the client. Please read our detailed guide on understanding the differences the modes of operation. In a nut shell, these are,
    1. Kiosk Mode: In this mode, the device home screen aka Launcher is replaced with Scalefusion's custom launcher, thereby showing the users only the applications, browser shortcuts that are configured in policy. It prevents users from accessing other applications.
    2. Agent Mode: In this mode, the device home screen is not replaced. Scalefusion runs in the background as a silent agent and applies the policies. Note that this mode is best suited for EMM devices, that is the devices enrolled via afw#mobilock.
  2. Application Policy: Use this section to control the applications that will be enabled in the Locked down mode. All other applications will be blocked.
  3. Browser Shortcuts: Use this section to choose the browser shortcuts (whitelist websites) that will appear as shortcuts or are allowed to be opened via Scalefusion Browser.
  4. Branding and App Order on Scalefusion Homescreen: Choose a branding that will be applied to the device and arrange the applications on home screen.
  5. Restrictions: A wide collection of control and security policies to better manage your devices.

In this document we will see how to create a Kiosk profile and configure the various sections.

Before You Begin

✅ You must have a valid Scalefusion account.

Creating a Corporate Profile

Follow these steps to create a corporate profile:

  1. From your Scalefusion dashboard, go to Device Management ➞ Device Profiles.
  2. Click on Create New Profile in the upper right corner.
  3. Select Kiosk/Agent option.
  4. Enter a name for the profile and an exit passcode. Click on the Submit button. You will be redirected to the Profile creator view.
Exit passcode helps you manually exit Scalefusion client on the device, in case the device looses connectivity or you want to get access to the full device.
  1. The first section is SELECT APPS and this section is used for the following,
    1. Select a Mode for Scalefusion app: This sub-section lets you choose a mode of operation for Scalefusion app. The options are,
      1. Set Scalefusion as Launcher: In this mode, Scalefusion replaces the home launcher of the device and shows a custom home screen. Any setting annotated by
      2. Set Scalefusion as Agent: In this mode, Scalefusion runs in the background and silently applies the policies. This allows user to use the native/default launcher.
        In Agent Mode, the Application policy or the apps cannot be restricted from being used if the devices are not EMM managed (enrolled via afw#mobilock). To understand the difference between launcher and agent mode, please refer to our document here.
    2. Application Policy: Choose which applications are allowed to be used. For each application you can additionally select the following 3 properties,
      1. Enabled: Select this option to allow the application to be used on the device.
      2. Visible: By default when you enable an application, it is visible. However you can choose to hide the application. If the application is visible then a shortcut icon will be placed on Scalefusion homescreen, where as if it is hidden it means that a shortcut will not be placed on homescreen but this application can be invoked via other enabled applications.
        When Scalefusion is Set as Agent, then the visibility flag does not apply. Applications can either be enabled or disabled only.
      3. Allow Lock Task: This is a special flag that gives the capability to an Android app to pin itself to screen for as long as it wants and achieve dynamic single app mode state.
      For Android application to use Allow Lock Task, they need to implement special code as explained here. Scalefusion can only give those applications the required privileges to pin themselves without user interaction whenever they want.
      Initially when you have not enrolled a device, you will see a limited set of applications to enable. As and when you enroll more devices, the list of applications will be populated basing on all the applications across your devices.
  2. The next section is the BROWSER SHORTCUTS section, where you can select the previously whitelisted websites. User will be allowed to browse all the shortcuts that are allowed. However the visibility of the shortcut depends upon the visibility flag of the Whitelist Website. For all the visible websites a shortcut will be created on Scalefusion homescreen.
Use Device Management > Whitelist Websites section to create and whitelist websites.
  1. In the SELECT BRAND/APP ORDER section, apply a previously created brand and select the order of enabled applications. Click NEXT once done.
  2. Click on the Next button.
  3. From the Select Brand/ App Order, select a brand theme from the list. You can reorder the apps in your device by dragging the app or website icon in the virtual mobile screen.
    Application ordering applies only when Scalefusion is Set as Launcher. When Scalefusion is Set as Agent, then the app-ordering does not apply to the native launcher.
  4. The next section is the Kiosk/LauncherSettings section. This section, shows you only the settings that are applicable when Scalefusion is Set as Launcher. The settings are,
    1. Single App Mode: This section allows you to turn your Android tablets/phones into a kiosk that runs only one application always.

      Setting

      Description

      Set Default Application

      Choose an application from the list of enabled applications that will be set to run as the default app.

      Run All the time

      You can set a delay time after which the app will start running. By default, the app is set to run all the time. To set a delay time, uncheck the Run All the time checkbox and enter the delay value (in seconds).

      Retain application state when an app is relaunched

      Select this option to retain the application state when it relaunched due to an invariant user action that causes a blocked app to be opened like for example pressing the app switch key.

      Default Launch URL*

      If you have selected Google Chrome or Scalefusion Browser to run as default, then additionally you can specify a URL that will be used as the launch page.

      Auto Refresh Interval*

      If you have selected Google Chrome or Scalefusion Browser to run as default, then you can set a auto-refresh interval. This would force refresh the page after every given interval.

    To get a detailed understanding of setting up your device in Single App Mode, please click here
    1. Homescreen Settings: These setting allow you to customize Scalefusion Homescreen behavior.

      Setting

      Description

      Hide the bottom navigation bar from screen

      Hides the bottom navigation bar on the device.

      ⚠ This is a device specific feature and may not work on all models. Once disabled the users need to swipe up from the bottom of the screen to use Keyboard.

      Set device in Full screen mode

      Sets the device in Full-screen mode where both the bottom navigation bar and the status bar at top is hidden.

      ⚠ This is a device specific feature and may not work on all models. Once disabled, users cannot use the Keyboard as well.

      Show Exit option

      Allows you to control the visibility of the Exit option from the settings menu of Scalefusion app.

      Allows User’s to Clear App Data

      Allows the user to clear application data by long tapping on the app shortcut on Scalefusion home screen.

      This feature works only on devices where Scalefusion is enrolled via afw#mobilock and selected Samsung, Sony and LG devices.

      Allow User’s to Uninstall Application

      Allows the user to uninstall applications from his device.

    2. Notification Centre (Experimental): When Scalefusion is set as the default launcher, it blocks the default notification bar completely. Hence Scalefusion provides a custom Notification centre to give a controlled access to notifications and other quick actions.
      How to Access Notification Centre on Device: For Android 8.0 and below, the Notification centre can be dragged from the top and from Android 8.0 and above the Notification centre can be made visible by a flick from left-bottom of the screen.

      Setting

      Description

      Notification Centre

      Enabling this option will allow the user to access the notifications by dragging it from the top screen.

      Change Orientation

      Allows the user to change the device’s orientation.

      Flash Light

      Allows the user to access the device's flashlight from the notification bar.

      View and Switch Between Recent applications

      Allows the user to switch between recent apps.

      Kill Background Applications

      Allows the user to kill apps running in the background.

      Allow USB Notifications

      Enabling this option will allow the device to send a notification when a USB is connected.

  5. The next section is the Restrictions section. This is collection of various policies that let you control and manage your devices better. We explain each of these sections below,
    1. Volume Settings: This setting allows you to control the volume attributes of your devices.

      Setting

      Description

      Control Ringer Volume

      Allows the user to control the device’s ringing volume.

      Control Music Volume

      Allows the user to control the music volume of the device.

    2. WiFi Settings: This setting allows you to manage the WiFi configuration of your devices.

      Setting

      Description

      Choose WiFi configuration

      Allows you to select and switch between Primary as well as additional Wifi configurations. 

      Since it is multiple Wi-Fi, users can Switch Wifi connection, between the available ones. Once Wi-fi is published on the device, it attempts to connect to the one with the strongest signal.

      Wifi Configurations can be created from Utilities > Wifi Settings

      Allow users to access “WiFi Connection” menu inside the app

      Enables access to the WiFi Connection menu from the Scalefusion application. If a Wifi configuration is applied then this menu cannot be used.

      This feature works only when Scalefusion is set as Launcher.

      Allows users to connect/disconnect from WiFi Network

      Allows the user to connect or disconnect a WiFi network from the Scalefusion application. If a Wifi configuration is applied then this menu cannot be used.

      This feature works only when Scalefusion is set as Launcher.

    3. Mobile Network: This setting allows you to manage the Mobile data configuration of your devices.
      All Hotspot related features work only on Android 7.0 and below devices.

    Setting

    Description

    Allow users to share/unshare from Hotspot Network

    Choose if the users are allowed to enable/disable the Hotspot state from the Scalefusion Notification centre. If this option is disabled, then user has no control over sharing/unsharing of hotspot

    As a result, if this option is disabled then notification centre will show hotspot tile but tapping on it will show message 'admin has disabled this feature'. If this option is enabled then tapping on hotspot tile in notification centre will turn on/off hotspot on device.

    This feature works only when Scalefusion is set as Launcher and Notification bar is enabled under Notification Centre.

    Display an icon on Homescreen

    Allows you to choose whether you want to display Mobile hotspot icon on Scalefusion app's homescreen

    Warn & Disconnect if max connections exceed

    Allows you to restrict maximum number of devices that can be connected to Hotspot. If you exceed this number, the hotspot connection stops, with a warning message on host device.

    Choose Hotspot configuration

    Allows you to choose a Hotspot configuration for your device. Once applied the devices will create a hotspot and share their internet.

    The hotspot configurations can be pre-defined on Dashboard through Android Utilities > Hotspot settings.

    Allow user to access “Mobile Data Settings” inside the app

    Enables the user to access mobile data options of the device, from inside Scalefusion app

    ⚠ This feature works only when Scalefusion is set as Launcher. This feature may not work on all the devices.

    1. Display Settings: This setting allows you to manage the display attributes of your devices.

      Setting

      Description

      Screen Time Out Settings

      Allows you to set idle screen timeout duration from the dropdown list.

      ⚠ This is a device specific feature and may not work on all devices.

      Power Button causes the display to sleep

      If the screen time out is set to Keep Always On, then an additional option that can be used to define power button behavior.

      Allow changing of brightness

      Allows the user to change the screen brightness of his device from either the 3 dots Menu on Scalefusion home screen or Notification centre.

      Control device screen brightness

      Use this option to enforce the default screen brightness. This will override user choice on the device if any.

    2. EMM Settings: These are the additional settings for your EMM managed devices that provide additional security and control. These settings also allows you to give your users access to System Settings in a controlled fashion if need be.
    Allowing these settings does not mean that user's will have access to these settings directly. You need to allow the selected applications like System Settings or others that allow modification to these settings. These are useful if you want to restrict and prevent other malicious apps from using them.

    Setting

    Category

    Description

    Allow Outgoing Phone Calls

    Communication

    Normally disabling the Phone app will achieve this, however there might be some apps that might attempt to make phone calls. This option lets you completely disable outgoing calls.

    Allow Send/Receive SMS

    Communication

    Normally disabling the default messaging app will achieve this, however there might be some apps that can send SMS discreetly. This option lets you completely block the SMS.

    Allow Bluetooth

    Communication

    Allows a user to connect to a Bluetooth device.

    ⚠ This feature is available only for OS version 8.0 and later.

    Allow Android Beam

    Communication

    Allows a user to share files through Android Beam.

    Allow Adding Users

    User Management

    Choose if the user can add multiple users accounts on devices. This is useful to prevent creating new users immediately after boot or from system settings app.

    Allows Removing Users

    User Management

    Choose if user can remove the already created multiple user accounts.

    Allow Adding Google Account

    User Management

    Choose if user can add Google accounts. This is used to prevent accidental creation of account via other applications.

    ⓘ Allowing this does not mean user can add accounts directly without allowing the relevant apps.

    Allow Adding/Deleting Accounts

    User Management

    Choose if user can add additional accounts like Outlook on their devices. This is used to prevent accidental creation of account via other applications.

    ⓘ Allowing this does not mean user can add accounts directly without allowing the relevant apps.

    Allow Mobile Network Changes

    Network & Security

    Allows user to change mobile network settings if they have access to Settings app.

    Allow Tethering From All Sources

    Network & Security

    Allow users to enable Tethering via USB or Bluetooth.

    Allow WiFi Changes

    Network & Security

    Allow users to modify Wifi network from System Settings if they have access to.

    This may cause them to loose connectivity and hence it is suggested that you allow them to use Scalefusion's Wifi connection options as a fallback.

    Allow Screen Capture

    Network & Security

    Choose if the users are allowed to capture the screenshot of applications.

    Allow Camera

    Network & Security

    Choose if the default Camera is disabled and cannot be used by any application.

    Allow Disabling Application Verification

    Network & Security

    Choose if user's can disable Google Play Application Verification if they have access to managed play store.

    Allow Keyguard

    Keyguard

    Choose if the Keyguard/Lock screen is allowed.

    Allow Keyguard Camera

    Keyguard

    If the Keyguard is allowed, then control if Camera can be launched from lock screen.

    Allow Keyguard Notifications

    Keyguard

    If Keyguard is allowed, then control if the notifications should be displayed.

    Allow Keyguard Trust Agent State

    Keyguard

    If Keyguard is allowed, then control if users can pair the bluetooth devices as trust agents for auto-unlock.

    Allow Keyguard Unredacted Notifications

    Keyguard

    If Keyguard is allowed, then choose if unredacted notifications are allowed.

    Allow KeyguardFingerprint Sensor

    Keyguard

    If Keyguard is allowed, then choose if users can use the fingerprint scanner.

    Enable System Status Bar

    Agent Mode

    When Scalefusion is set as Agent, choose if the users can access the system status bar and notifications.

    This setting works only when Scalefusion is set as Agent.

    Hide Agent App from UI

    Agent Mode

    When Scalefusion is set as Agent, then you can choose if the Scalefusion app icon is hidden from the native launcher. Note that this does not prevent the app from appearing in System Settings > Apps list.

    This setting works only when Scalefusion is set as Agent.

    Restrict Apps

    Agent Mode

    When Scalefusion is set as Agent, you can control whether the application usage should be restricted or not. Basing on the applications that you have enabled, if this setting is true then only the selected applications are shown in the default launcher.

    This setting works only when Scalefusion is set as Agent.

    These settings will work only if your device is set up as an EMM device.
    1. VPN Settings: From the list of applications, you can select one app and mark it as Always On VPN with an additional flag to lock down the network. 
      This feature works only on EMM devices having OS7 and above versions, being setup using afw#mobilock or is setup as Device Owner.

    Setting

    Description

    Select an Always On VPN Application

    Simply select an application from the list which will be configured as an Always On VPN app

    Enable VPN Lockdown

    Once this is enabled, any failure of the VPN provider could break networking for all apps

    1. Compliance: When managing employee owned devices, it becomes imperative to make sure that the device adheres to compliance standards such as the device integrity, security and compatibility. 
      To mitigate such risks Scalefusion uses Google Safety Net Attestation API to check the device compliance. 
      SafetyNet examines software and hardware information on the device where the Work Apps are being used. This attestation helps Scalefusion to determine whether or not the particular device has been tampered with or otherwise modified. 
      Using Scalefusion's Device Profile for kiosk devices you can enforce stricter device compliance rules and the actions that need to be taken in the event of violation.

    Setting

    Description

    Validate using SafetyNet Attestation

    This SafetyNet API helps assess the security and compatibility of the Android devices that your users are using. You can choose between a Strict or a Moderate level for validations.

    Allow use of Rooted Devices

    Rooted devices are the devices which have super users. You can allow or disallow the use of rooted devices while creating a device profile and then enrolling it.

    Compliance Check Duration

    You can select how often the compliance check should be performed. By default it happens every 24 hrs

    Compliance Violation Action

    Choose the action that should be performed if any of the compliance rules are violated

    1. Secure Settings: Configure additional security settings for your company owned devices to get better control and provide an enhanced kiosk experience. To start configuring these settings enable Override Global/Device Secure Settings,

      Setting

      Category

      Description

      Allow users to do Factory Reset*

      Security

      Choose if the user's are allowed to factory reset the device. On Samsung, Sony and LG, if disabled then it prevents the user's from factory resetting the device by using the ROM recovery method. For normal EMM devices, blocks the Factory Reset option in System Settings.

      Allow users to boot device in Safe Mode*

      Security

      Choose if the user's can use the power-off key and boot into safe mode.

      Allow users to power off the device

      Security

      Choose if the users are allowed to use the power-off button and switch off the device.

      Allow users to enable/disable the airplane mode

      Security

      Choose if the users's can control the Airplane mode from the power-off menu or from system settings.

      Disable Guest Mode

      Security

      Allow unknown sources*

      Security

      Choose if the user's are allowed to install android applications from third party apps or directly by downloading apk's.

      Allow App Uninstallation and Clear App Data

      Security

      Choose if the user's can uninstall and/or clear the application data of installed applications.

      Allow users to use Home Key

      Hardware Keys

      Choose if the user's can use the Home button on the Android devices.

      Allow users to use Back Key.

      Hardware Keys

      Choose if the user's can use the Back button on the Android devices.

      Allow users to use the app switch key.

      Hardware Keys

      This setting can be used to block the Recent Key altogether.

      Allow Multi Window

      Quick Settings

      Choose if user's can use the multi-window feature on some phones/tablets.

      Allow MTP access

      USB Settings

      Choose if the user can access the media on the device via MTP protocol when connected with a device via USB cable.

      Allow users to connect via USB cable

      USB Settings

      Choose if the users can connect the device via USB cable and access the USB storage and other options.

      Allow USB Debugging mode

      USB Settings

      Choose if the users can use the USB Debugging feature when connected to a USB cable.

      System Update Policy*

      OS Update Settings

      Select a policy for Android OS Updates. The default is None. You choose between the following options,
      a. Postpone:
      The OS Upgrade will be postponed by 30 days.
      b. Automatic Install Update:
       The OS Upgrade will be automatically installed.
      c. Install within Maintenance Window:
      Choose an install window within which the OS update can be installed.

    NOTE: Secure Settings can be controlled from Enterprise > Secure Settings section as well, however we recommend controlling this from Device Profile for uniformity and ease of management.
    1. Exchange Settings: Use this setting to configure an Exchange account on the device. You can select a previously created exchange configuration. Please refer to our Exchange configuration document for details.
    Note: The GMail client is configured with the given configuration. Currently GMail app does not allow the exchange configuration to be unpublished. So if you want to un-publish at a later point, you would have to publish a dummy/invalid account to the devices.
    1. Permission Settings: Scalefusion requires some permissions to manage the devices properly. Choose what happens when permissions are missing and control additional permissions.

    Setting

    Description

    Enforce Exit Password to Complete Setup

    Toggle on this option to enforce an exit password to be entered by user for completing setup

    Enforce Disable Assist App

    If you select this, the Google assist app will be disabled for the user

    1. General Setting: These settings allows you to manage some general settings.

      Setting

      Description

      Allow Users to access “Timezone” inside the app

      If this option is enabled then user's can see an option in Scalefusion menu to change timezone.

      Choose Timezone configuration

      Enforce a default timezone for the devices from a list of previously created TimeZone configuration.

      Lock Screen Orientation

      Enforce an orientation on your tablet devices.

      ⚠ This is a device specific feature and the mileage may vary from OEM to OEM.

      Wifi State

      Choose if you want to enforce the Wifi to be always On or Off. By default it is set as None and no policy is enforced.

      Bluetooth State

      Choose if you want to enforce the Bluetooth to be always ON or OFF. by default it is set as None and no policy is enforced.

Once you have created a Kiosk/Agent Profile, it will start appearing in the list of device profiles with a small lock icon, indicating that this device profile is suitable for Kiosk devices.

Applying a Device Profile

Once you have the device profile ready, you can choose to create a QR Code/Enrollment Configurations, and all the devices that will use this QR Code to enroll will get this device profile. Also you can apply a Device Profile to a Device Group and all the devices in that group will get this device profile.

To update a profile on a device individually, then select the Device Profile in the device profile listing screen, click on the Publish button and select the Devices to apply.

If a device profile has been removed from a device, it will still have the profile settings applied to it until you apply new settings.

Frequently Asked Questions

Question: What is the difference between Launcher mode and Agent Mode?

Answer: Our document on differences between launcher and agent mode explain it in detail. Please find the document here. Here is a brief,

  • Launcher Mode: When Scalefusion is set as launcher mode, then it replaces the default home screen of the device and shows only the applications that are allowed along with the browser shortcuts. This is useful for both legacy forms of enrollment where afw#mobilock is not supported and the newer forms where afw#mobilock enrollment is supported.
  • Agent Mode: When Scalefusion is set as agent, then it does not replace the default launcher. It silently runs in the background and applies the policies set in the default profile. This is NOT suitable for legacy devices, where it does not give you Application restrictions. However on devices enrolled via afw#mobilock, where Scalefusion is the device owner, it controls the applications and also gives a native experience.

Question: What will happen if we change the mode to Agent for a Device Profile that has a mix of EMM (afw#mobilock) and non-EMM devices?

Answer: We would advise against changing the mode of a Device Profile which has both EMM and non-EMM devices. In case of non-EMM devices, Scalefusion WILL NOT be able to apply application restriction policy, thereby allowing the users to use any of the installed applications.

Question: Do we need to give all the permissions when Scalefusion is set as Agent mode?

Answer: Yes for optimal policy enforcement, we advise that all the permissions are given when Scalefusion is set as agent.

Question: Can a device be switched between Agent and Launcher or vice-versa?

Answer: Yes, the mode change in the profile, causes the Scalefusion app to either run as agent or as launcher. However if the devices was setup in Agent mode, then while shifting to launcher mode, Scalefusion will ask for Default Launcher permission.

Question: We see that some sections are disabled or not-accessible when Agent Mode is selected?

Answer: This is because there are some features that do not work when Scalefusion is running as agent mode. Hence we have disabled the sections or these options from being accessed. When Scalefusion is set as Agent, the following settings are not accessible,

  • Single App Mode
  • Homescreen Settings
  • Notification Centre Settings
  • In-App Wifi Settings
  • In-App Hotspot Settings
  • In-App Mobile Network Settings

Question: We see that some sections are disabled or not-accessible when Launcher Mode is selected?

Answer: This is because there are some features that do not work when Scalefusion is running in Launcher mode. Hence we have disabled the sections or these options from being accessed. When Scalefusion is set as Launcher, the following settings are not accessible,

  • Enable System Status Bar
  • Hide Agent App from UI
  • Restrict Apps

Question: Why is that on our devices we can see and use all the applications event though we have not selected them in Select Apps?

Answer: This might happen in the following conditions,

  • If Scalefusion set as Agent Mode and the device is NOT enrolled via afw#mobilock (EMM managed), that is enrolled via legacy methods.
  • If Scalefusion set as Agent Mode and the Restrictions > EMM Settings > Restrict Apps is not enabled.

Question: Why is that on some of our EMM managed devices we can see the Settings app?

Answer: On devices running Android 7.0 and above, we cannot completely hide Settings app due to the other dependancies. Hence we have disabled it.

Question: Why are the Enterprise APKs and/or Play for Work apps are not getting silently installed when the device is in Agent Mode?

Answer: When Scalefusion is set as Agent mode, it requires the Google Play Store app to be enabled for the Enterprise Apps and/or Play for Work apps to be installed. Make sure that Google Play Store app is enabled. You can enable the Google Play Store and use the Restrictions > Account Setting options of Device Profile to make sure that user does not add/remove the accounts.


How did we do?


Powered by HelpDocs (opens in a new tab)