Android Device Profile for Company Owned Devices

Device Profiles are an easy way to group your policies in one single entity, which they can be applied to one or multiple devices. Depending upon the organization structure and policy levels, you can create one or more Device Profiles. Once a Device Profile is created, it can be applied to a Device Group or used to create a QR Code configuration for faster enrollments.

At a high-level Scalefusion's Device Profile offers the following policy controls,

1. Mode: Scalefusion offers two modes of operation for the client. Please read our detailed guide on understanding the differences the modes of operation. In a nut shell, these are,
   1. Kiosk Mode: In this mode, the device home screen aka Launcher is replaced with Scalefusion's custom launcher, thereby showing the users only the applications, browser shortcuts that are configured in policy. It prevents users from accessing other applications.
   2. Agent Mode: In this mode, the device home screen is not replaced. Scalefusion runs in the background as a silent agent and applies the policies. Note that this mode is best suited for EMM devices, that is the devices enrolled via afw#mobilock.
2. Application Policy: Use this section to control the applications that will be enabled in the Locked down mode. All other applications will be blocked.
3. Browser Shortcuts: Use this section to choose the browser shortcuts (allowed websites) that will appear as shortcuts or are allowed to be opened via Scalefusion Browser.
4. Passcode Settings: Use this section to set the passcode settings inside Device Profile
5. Branding and App Order on Scalefusion Homescreen: Choose a branding that will be applied to the device and arrange the applications on home screen.
6. Restrictions: A wide collection of control and security policies to better manage your devices.

In this document we will see how to create a Kiosk profile and configure the various sections.

Before You Begin

✅ You must have a valid Scalefusion account.

Creating a Corporate Profile

Follow these steps to create a corporate profile:

1. From your Scalefusion dashboard, go to Device Profiles & Policies ➞ Device Profiles.
2. Click on Create New Profile in the upper right corner.
3. Select Kiosk/Agent option.
4. Enter a name for the profile and an exit passcode. Click on the Submit button. You will be redirected to the Profile creator view.

   

1. The first section is SELECT APPS and this section is used for the following,
   1. Select a Mode for Scalefusion app: This sub-section lets you choose a mode of operation for Scalefusion app. The options are,
      1. Set Scalefusion as Launcher: In this mode, Scalefusion replaces the home launcher of the device and shows a custom home screen. Any setting annotated by
      2. Set Scalefusion as Agent: In this mode, Scalefusion runs in the background and silently applies the policies. This allows user to use the native/default launcher.

         

         In Agent Mode, the Application policy or the apps cannot be restricted from being used if the devices are not EMM managed (enrolled via afw#mobilock). To understand the difference between launcher and agent mode, please refer to our document here.
   2. Application Policy: Choose which applications are allowed to be used. For each application you can additionally select the following 3 properties,
      1. Enabled: Select this option to allow the application to be used on the device.
      2. Visible: By default when you enable an application, it is visible. However you can choose to hide the application. If the application is visible then a shortcut icon will be placed on Scalefusion homescreen, where as if it is hidden it means that a shortcut will not be placed on homescreen but this application can be invoked via other enabled applications.
         When Scalefusion is Set as Agent, then the visibility flag does not apply. Applications can either be enabled or disabled only.
      3. Allow Lock Task: This is a special flag that gives the capability to an Android app to pin itself to screen for as long as it wants and achieve dynamic single app mode state.
         
         For Android application to use Allow Lock Task, they need to implement special code as explained here. Scalefusion can only give those applications the required privileges to pin themselves without user interaction whenever they want.
         Initially when you have not enrolled a device, you will see a limited set of applications to enable. As and when you enroll more devices, the list of applications will be populated basing on all the applications across your devices.

   

   1. Add Application
      In Kiosk mode, there are few applications which do not open on the Android device as they are blocked under Scalefusion. Some apps also happen to be services or system apps which cannot be allowed as well. If you try to search such apps in Device Profiles to enable, they are not even listed in the apps list because the applications that do not have a launcher icon they do not appear in device profile. As for eg. com.android.systemui
      In Scalefusion, there is a mechanism to identify such blocked apps on the device and add those apps through Scalefusion Dashboard via Add Application feature which unblocks/enables the apps. To learn more on how this can be achieved, please click here.

      

1. The next section is the BROWSER SHORTCUTS section, where you can select the previously allowed websites. User will be allowed to browse all the shortcuts that are allowed. However the visibility of the shortcut depends upon the visibility flag of the Allowed Website. For all the visible websites a shortcut will be created on Scalefusion homescreen.

   

1. Passcode Settings: You can set the passcode policy inside the device profiles. This provides the flexibility for the IT admins to define passcode policy of different complexities to devices in different profiles. To configure, Toggle on the button Override Global Password Policy, only then the passcode settings become configurable. Please visit here to learn about various passcode settings and how to configure them.
   The policy created here will override the global passcode settings and will be applied to the devices of this android profile.

   

2. In the SELECT BRAND/APP ORDER section, apply a previously created brand and select the order of enabled applications. Click NEXT once done.
3. Click on the Next button.
4. From the Select Brand/ App Order, select a brand theme from the list. You can reorder the apps in your device by dragging the app or website icon in the virtual mobile screen.
   Application ordering applies only when Scalefusion is Set as Launcher. When Scalefusion is Set as Agent, then the app-ordering does not apply to the native launcher.

1. The next section is the Kiosk/LauncherSettings section. This section, shows you only the settings that are applicable when Scalefusion is Set as Launcher. The settings are,
   
   1. Single App Mode: This section allows you to turn your Android tablets/phones into a kiosk that runs only one application always.

      Setting	Description
      Set Default Application	Choose an application from the list of enabled applications that will be set to run as the default app.
      Run All the time	You can set a delay time after which the app will start running. By default, the app is set to run all the time. To set a delay time, uncheck the Run All the time checkbox and enter the delay value (in seconds).
      Retain application state when an app is relaunched	Select this option to retain the application state when it relaunched due to an invariant user action that causes a blocked app to be opened like for example pressing the app switch key.
      Default Launch URL*	If you have selected Google Chrome or Scalefusion Browser to run as default, then additionally you can specify a URL that will be used as the launch page.
      Auto Refresh Interval*	If you have selected Google Chrome or Scalefusion Browser to run as default, then you can set a auto-refresh interval. This would force refresh the page after every given interval.

   To get a detailed understanding of setting up your device in Single App Mode, please click here
   1. Homescreen Settings: These setting allow you to customize Scalefusion Homescreen behavior.

      Setting	Description
      Hide the bottom navigation bar from screen	Hides the bottom navigation bar on the device. ⚠ This is a device specific feature and may not work on all models. Once disabled the users need to swipe up from the bottom of the screen to use Keyboard.
      Set device in Full screen mode	Sets the device in Full-screen mode where both the bottom navigation bar and the status bar at top is hidden. ⚠ This is a device specific feature and may not work on all models. Once disabled, users cannot use the Keyboard as well.
      Configure the options shown in 3-dots Menu	Allows you to control the visibility of the following options from the 3-dots menu inside Scalefusion. If unchecked, that particular option is not shown under 3-dots menu on device: Show Exit Show Admin Messages Show Diagnostics Show Blocked Apps Show Settings By default they are all checked, that is, visible There is a fallback mechanism in case you have unchecked Show Settings on Dashboard but still want to access on the device. Tap the 4 corners starting from top left corner in clockwise direction, you will get the Enter passcode dialog and upon entering it the Settings screen will display.
      Allows User’s to Clear App Data	Allows the user to clear application data by long tapping on the app shortcut on Scalefusion home screen. ⚠ This feature works only on devices where Scalefusion is enrolled via afw#mobilock and selected Samsung, Sony and LG devices.
      Allow User’s to Uninstall Application	Allows the user to uninstall applications from his device.

   2. Notification Centre (Experimental): When Scalefusion is set as the default launcher, it blocks the default notification bar completely. Hence Scalefusion provides a custom Notification centre to give a controlled access to notifications and other quick actions.
      How to Access Notification Centre on Device: For Android 8.0 and below, the Notification centre can be dragged from the top and from Android 8.0 and above the Notification centre can be made visible by a flick from left-bottom of the screen.

      Setting	Description
      Notification Centre	Enabling this option will allow the user to access the notifications by dragging it from the top screen.
      Change Orientation	Allows the user to change the device’s orientation.
      Flash Light	Allows the user to access the device's flashlight from the notification bar.
      View and Switch Between Recent applications	Allows the user to switch between recent apps.
      Kill Background Applications	Allows the user to kill apps running in the background.
      Allow USB Notifications	Enabling this option will allow the device to send a notification when a USB is connected.
      Flight Mode	Enabling this option will allow the user to turn on/off the flight mode from notification bar on the device. This setting is applicable on Lenovo, Samsung Knox (v2.7 and above) and Wingman supported devices.

2. The next section is the Restrictions section. This is collection of various policies that let you control and manage your devices better. Please visit here to learn about restrictions section.
   
   Once you have created a Kiosk/Agent Profile, it will start appearing in the list of device profiles with a small lock icon, indicating that this device profile is suitable for Kiosk devices.

Applying a Device Profile

Once you have the device profile ready, you can choose to create a QR Code/Enrollment Configurations, and all the devices that will use this QR Code to enroll will get this device profile. Also you can apply a Device Profile to a Device Group and all the devices in that group will get this device profile.

To update a profile on a device individually, then select the Device Profile in the device profile listing screen, click on the Publish button and select the Devices to apply.

Frequently Asked Questions

Question: What is the difference between Launcher mode and Agent Mode?

Answer: Our document on differences between launcher and agent mode explain it in detail. Please find the document here. Here is a brief,

• Launcher Mode: When Scalefusion is set as launcher mode, then it replaces the default home screen of the device and shows only the applications that are allowed along with the browser shortcuts. This is useful for both legacy forms of enrollment where afw#mobilock is not supported and the newer forms where afw#mobilock enrollment is supported.
• Agent Mode: When Scalefusion is set as agent, then it does not replace the default launcher. It silently runs in the background and applies the policies set in the default profile. This is NOT suitable for legacy devices, where it does not give you Application restrictions. However on devices enrolled via afw#mobilock, where Scalefusion is the device owner, it controls the applications and also gives a native experience.

Question: What will happen if we change the mode to Agent for a Device Profile that has a mix of EMM (afw#mobilock) and non-EMM devices?

Answer: We would advise against changing the mode of a Device Profile which has both EMM and non-EMM devices. In case of non-EMM devices, Scalefusion WILL NOT be able to apply application restriction policy, thereby allowing the users to use any of the installed applications.

Question: Do we need to give all the permissions when Scalefusion is set as Agent mode?

Answer: Yes for optimal policy enforcement, we advise that all the permissions are given when Scalefusion is set as agent.

Question: Can a device be switched between Agent and Launcher or vice-versa?

Answer: Yes, the mode change in the profile, causes the Scalefusion app to either run as agent or as launcher. However if the devices was setup in Agent mode, then while shifting to launcher mode, Scalefusion will ask for Default Launcher permission.

Question: We see that some sections are disabled or not-accessible when Agent Mode is selected?

Answer: This is because there are some features that do not work when Scalefusion is running as agent mode. Hence we have disabled the sections or these options from being accessed. When Scalefusion is set as Agent, the following settings are not accessible,

• Single App Mode
• Homescreen Settings
• Notification Centre Settings
• In-App Wifi Settings
• In-App Hotspot Settings
• In-App Mobile Network Settings

Question: We see that some sections are disabled or not-accessible when Launcher Mode is selected?

Answer: This is because there are some features that do not work when Scalefusion is running in Launcher mode. Hence we have disabled the sections or these options from being accessed. When Scalefusion is set as Launcher, the following settings are not accessible,

• Enable System Status Bar
• Hide Agent App from UI
• Restrict Apps

Question: Why is that on our devices we can see and use all the applications event though we have not selected them in Select Apps?

Answer: This might happen in the following conditions,

• If Scalefusion set as Agent Mode and the device is NOT enrolled via afw#mobilock (EMM managed), that is enrolled via legacy methods.
• If Scalefusion set as Agent Mode and the Restrictions > EMM Settings > Restrict Apps is not enabled.

Question: Why is that on some of our EMM managed devices we can see the Settings app?

Answer: On devices running Android 7.0 and above, we cannot completely hide Settings app due to the other dependancies. Hence we have disabled it.

Question: Why are the Enterprise APKs and/or Play for Work apps are not getting silently installed when the device is in Agent Mode?

Answer: When Scalefusion is set as Agent mode, it requires the Google Play Store app to be enabled for the Enterprise Apps and/or Play for Work apps to be installed. Make sure that Google Play Store app is enabled. You can enable the Google Play Store and use the Restrictions > Account Setting options of Device Profile to make sure that user does not add/remove the accounts.