Device Profile for Corporate Owned Android Devices

Device Profiles are an easy way to group your policies in one single entity, which they can be applied to one or multiple devices. Depending upon the organization structure and policy levels, you can create one or more Device Profiles. Once a Device Profile is created, it can be applied to a Device Group or used to create a QR Code configuration for faster enrollments.

At a high-level Scalefusion's Device Profile offers the following policy controls,

  1. Mode: Scalefusion offers two modes of operation for the client. Please read our detailed guide on understanding the differences the modes of operation. In a nut shell, these are,
    1. Kiosk Mode: In this mode, the device home screen aka Launcher is replaced with Scalefusion's custom launcher, thereby showing the users only the applications, browser shortcuts that are configured in policy. It prevents users from accessing other applications.
    2. Agent Mode: In this mode, the device home screen is not replaced. Scalefusion runs in the background as a silent agent and applies the policies. Note that this mode is best suited for EMM devices, that is the devices enrolled via afw#mobilock.
  2. Application Policy: Use this section to control the applications that will be enabled in the Locked down mode. All other applications will be blocked.
  3. Browser Shortcuts: Use this section to choose the browser shortcuts (whitelist websites) that will appear as shortcuts or are allowed to be opened via Scalefusion Browser.
  4. Branding and App Order on Scalefusion Homescreen: Choose a branding that will be applied to the device and arrange the applications on home screen.
  5. Restrictions: A wide collection of control and security policies to better manage your devices.

In this document we will see how to create a Kiosk profile and configure the various sections.

Before You Begin

✅ You must have a valid Scalefusion account.

Creating a Corporate Profile

Follow these steps to create a corporate profile:

  1. From your Scalefusion dashboard, go to Device Management ➞ Device Profiles.
  2. Click on Create New Profile in the upper right corner.
  3. Select Kiosk/Agent option.
  4. Enter a name for the profile and an exit passcode. Click on the Submit button. You will be redirected to the Profile creator view.
Exit passcode helps you manually exit Scalefusion client on the device, in case the device looses connectivity or you want to get access to the full device.
  1. The first section is SELECT APPS and this section is used for the following,
    1. Select a Mode for Scalefusion app: This sub-section lets you choose a mode of operation for Scalefusion app. The options are,
      1. Set Scalefusion as Launcher: In this mode, Scalefusion replaces the home launcher of the device and shows a custom home screen. Any setting annotated by
      2. Set Scalefusion as Agent: In this mode, Scalefusion runs in the background and silently applies the policies. This allows user to use the native/default launcher.
        In Agent Mode, the Application policy or the apps cannot be restricted from being used if the devices are not EMM managed (enrolled via afw#mobilock). To understand the difference between launcher and agent mode, please refer to our document here.
    2. Application Policy: Choose which applications are allowed to be used. For each application you can additionally select the following 3 properties,
      1. Enabled: Select this option to allow the application to be used on the device.
      2. Visible: By default when you enable an application, it is visible. However you can choose to hide the application. If the application is visible then a shortcut icon will be placed on Scalefusion homescreen, where as if it is hidden it means that a shortcut will not be placed on homescreen but this application can be invoked via other enabled applications.
        When Scalefusion is Set as Agent, then the visibility flag does not apply. Applications can either be enabled or disabled only.
      3. Allow Lock Task: This is a special flag that gives the capability to an Android app to pin itself to screen for as long as it wants and achieve dynamic single app mode state.
      For Android application to use Allow Lock Task, they need to implement special code as explained here. Scalefusion can only give those applications the required privileges to pin themselves without user interaction whenever they want.
      Initially when you have not enrolled a device, you will see a limited set of applications to enable. As and when you enroll more devices, the list of applications will be populated basing on all the applications across your devices.
  2. The next section is the BROWSER SHORTCUTS section, where you can select the previously whitelisted websites. User will be allowed to browse all the shortcuts that are allowed. However the visibility of the shortcut depends upon the visibility flag of the Whitelist Website. For all the visible websites a shortcut will be created on Scalefusion homescreen.
Use Device Management > Whitelist Websites section to create and whitelist websites.
  1. In the SELECT BRAND/APP ORDER section, apply a previously created brand and select the order of enabled applications. Click NEXT once done.
  2. Click on the Next button.
  3. From the Select Brand/ App Order, select a brand theme from the list. You can reorder the apps in your device by dragging the app or website icon in the virtual mobile screen.
    Application ordering applies only when Scalefusion is Set as Launcher. When Scalefusion is Set as Agent, then the app-ordering does not apply to the native launcher.
  4. The next section is the Kiosk/LauncherSettings section. This section, shows you only the settings that are applicable when Scalefusion is Set as Launcher. The settings are,
    1. Single App Mode: This section allows you to turn your Android tablets/phones into a kiosk that runs only one application always.

      Setting

      Description

      Set Default Application

      Choose an application from the list of enabled applications that will be set to run as the default app.

      Run All the time

      You can set a delay time after which the app will start running. By default, the app is set to run all the time. To set a delay time, uncheck the Run All the time checkbox and enter the delay value (in seconds).

      Retain application state when an app is relaunched

      Select this option to retain the application state when it relaunched due to an invariant user action that causes a blocked app to be opened like for example pressing the app switch key.

      Default Launch URL*

      If you have selected Google Chrome or Scalefusion Browser to run as default, then additionally you can specify a URL that will be used as the launch page.

      Auto Refresh Interval*

      If you have selected Google Chrome or Scalefusion Browser to run as default, then you can set a auto-refresh interval. This would force refresh the page after every given interval.

    2. Homescreen Settings: These setting allow you to customize Scalefusion Homescreen behavior.

      Setting

      Description

      Hide the bottom navigation bar from screen

      Hides the bottom navigation bar on the device.

      ⚠ This is a device specific feature and may not work on all models. Once disabled the users need to swipe up from the bottom of the screen to use Keyboard.

      Set device in Full screen mode

      Sets the device in Full-screen mode where both the bottom navigation bar and the status bar at top is hidden.

      ⚠ This is a device specific feature and may not work on all models. Once disabled, users cannot use the Keyboard as well.

      Show Exit option

      Allows you to control the visibility of the Exit option from the settings menu of Scalefusion app.

      Allows User’s to Clear App Data

      Allows the user to clear application data by long tapping on the app shortcut on Scalefusion home screen.

      This feature works only on devices where Scalefusion is enrolled via afw#mobilock and selected Samsung, Sony and LG devices.

      Allow User’s to Uninstall Application

      Allows the user to uninstall applications from his device.

    3. Notification Centre (Experimental): When Scalefusion is set as the default launcher, it blocks the default notification bar completely. Hence Scalefusion provides a custom Notification centre to give a controlled access to notifications and other quick actions.
      How to Access Notification Centre on Device: For Android 8.0 and below, the Notification centre can be dragged from the top and from Android 8.0 and above the Notification centre can be made visible by a flick from left-bottom of the screen.

      Setting

      Description

      Notification Centre

      Enabling this option will allow the user to access the notifications by dragging it from the top screen.

      Change Orientation

      Allows the user to change the device’s orientation.

      Flash Light

      Allows the user to access the device's flashlight from the notification bar.

      View and Switch Between Recent applications

      Allows the user to switch between recent apps.

      Kill Background Applications

      Allows the user to kill apps running in the background.

      Allow USB Notifications

      Enabling this option will allow the device to send a notification when a USB is connected.

  5. The next section is the Restrictions section. This is collection of various policies that let you control and manage your devices better. We explain each of these sections below,
    1. Volume Settings: This setting allows you to control the volume attributes of your devices.

      Setting

      Description

      Control Ringer Volume

      Allows the user to control the device’s ringing volume.

      Control Music Volume

      Allows the user to control the music volume of the device.

    2. WiFi Settings: This setting allows you to manage the WiFi configuration of your devices.

      Setting

      Description

      Choose WiFi configuration

      Allows you to select and switch between Primary as well as additional Wifi configurations. 

      Since it is multiple Wi-Fi, users can Switch Wifi connection, between the available ones. Once Wi-fi is published on the device, it attempts to connect to the one with the strongest signal.

      Allow users to access “WiFi Connection” menu inside the app

      Enables access to the WiFi Connection menu from the Scalefusion application. If a Wifi configuration is applied then this menu cannot be used.

      This feature works only when Scalefusion is set as Launcher.

      Allows users to connect/disconnect from WiFi Network

      Allows the user to connect or disconnect a WiFi network from the Scalefusion application. If a Wifi configuration is applied then this menu cannot be used.

      This feature works only when Scalefusion is set as Launcher.

    3. Mobile Network: This setting allows you to manage the Mobile data configuration of your devices.

      Setting

      Description

      Allows the user to share/unshare from Hotspot Network

      Choose if the user's are allowed to enable/disable the Hotspot state from the Scalefusion Notification centre.

      This feature works only when Scalefusion is set as Launcher.

      Choose Hotspot configuration

      Allows you to choose a Hotspot configuration for your device. Once applied the devices will create a hotspot and share their internet.

      Allow user to access “Mobile Data Settings” inside the app

      Enables the user to access mobile data options of the device.

      ⚠ This feature works only when Scalefusion is set as Launcher. This feature may not work on all the devices.

    4. Display Settings: This setting allows you to manage the display attributes of your devices.

      Setting

      Description

      Screen Time Out Settings

      Allows you to set idle screen timeout duration from the dropdown list.

      ⚠ This is a device specific feature and may not work on all devices.

      Power Button causes the display to sleep

      If the screen time out is set to Keep Always On, then an additional option that can be used to define power button behavior.

      Allow changing of brightness

      Allows the user to change the screen brightness of his device from either the 3 dots Menu on Scalefusion home screen or Notification centre.

      Control device screen brightness

      Use this option to enforce the default screen brightness. This will override user choice on the device if any.

    5. EMM Settings: These are the additional settings for your EMM managed devices that provide additional security and control. These settings also allows you to give your users access to System Settings in a controlled fashion if need be.
    Allowing these settings does not mean that user's will have access to these settings directly. You need to allow the selected applications like System Settings or others that allow modification to these settings. These are useful if you want to restrict and prevent other malicious apps from using them.

    Setting

    Category

    Description

    Allow Outgoing Phone Calls

    Communication

    Normally disabling the Phone app will achieve this, however there might be some apps that might attempt to make phone calls. This option lets you completely disable outgoing calls.

    Allow Send/Receive SMS

    Communication

    Normally disabling the default messaging app will achieve this, however there might be some apps that can send SMS discreetly. This option lets you completely block the SMS.

    Allow Bluetooth

    Communication

    Allows a user to connect to a Bluetooth device.

    ⚠ This feature is available only for OS version 8.0 and later.

    Allow Android Beam

    Communication

    Allows a user to share files through Android Beam.

    Allow Adding Users

    User Management

    Choose if the user can add multiple users accounts on devices. This is useful to prevent creating new users immediately after boot or from system settings app.

    Allows Removing Users

    User Management

    Choose if user can remove the already created multiple user accounts.

    Allow Adding Google Account

    User Management

    Choose if user can add Google accounts. This is used to prevent accidental creation of account via other applications.

    ⓘ Allowing this does not mean user can add accounts directly without allowing the relevant apps.

    Allow Adding/Deleting Accounts

    User Management

    Choose if user can add additional accounts like Outlook on their devices. This is used to prevent accidental creation of account via other applications.

    ⓘ Allowing this does not mean user can add accounts directly without allowing the relevant apps.

    Allow Mobile Network Changes

    Network & Security

    Allows user to change mobile network settings if they have access to Settings app.

    Allow Tethering From All Sources

    Network & Security

    Allow users to enable Tethering via USB or Bluetooth.

    Allow WiFi Changes

    Network & Security

    Allow users to modify Wifi network from System Settings if they have access to.

    This may cause them to loose connectivity and hence it is suggested that you allow them to use Scalefusion's Wifi connection options as a fallback.

    Allow Screen Capture

    Network & Security

    Choose if the users are allowed to capture the screenshot of applications.

    Allow Camera

    Network & Security

    Choose if the default Camera is disabled and cannot be used by any application.

    Allow Disabling Application Verification

    Network & Security

    Choose if user's can disable Google Play Application Verification if they have access to managed play store.

    Allow Keyguard

    Keyguard

    Choose if the Keyguard/Lock screen is allowed.

    Allow Keyguard Camera

    Keyguard

    If the Keyguard is allowed, then control if Camera can be launched from lock screen.

    Allow Keyguard Notifications

    Keyguard

    If Keyguard is allowed, then control if the notifications should be displayed.

    Allow Keyguard Trust Agent State

    Keyguard

    If Keyguard is allowed, then control if users can pair the bluetooth devices as trust agents for auto-unlock.

    Allow Keyguard Unredacted Notifications

    Keyguard

    If Keyguard is allowed, then choose if unredacted notifications are allowed.

    Allow KeyguardFingerprint Sensor

    Keyguard

    If Keyguard is allowed, then choose if users can use the fingerprint scanner.

    Enable System Status Bar

    Agent Mode

    When Scalefusion is set as Agent, choose if the users can access the system status bar and notifications.

    This setting works only when Scalefusion is set as Agent.

    Hide Agent App from UI

    Agent Mode

    When Scalefusion is set as Agent, then you can choose if the Scalefusion app icon is hidden from the native launcher. Note that this does not prevent the app from appearing in System Settings > Apps list.

    This setting works only when Scalefusion is set as Agent.

    Restrict Apps

    Agent Mode

    When Scalefusion is set as Agent, you can control whether the application usage should be restricted or not. Basing on the applications that you have enabled, if this setting is true then only the selected applications are shown in the default launcher.

    This setting works only when Scalefusion is set as Agent.

    These settings will work only if your device is set up as an EMM device.
    1. VPN Settings: From the list of applications, you can select one app and mark it as Always On VPN with an additional flag to lock down the network. 
      This feature works only on EMM devices having OS7 and above versions, being setup using afw#mobilock or is setup as Device Owner.

    Setting

    Description

    Select an Always On VPN Application

    Simply select an application from the list which will be configured as an Always On VPN app

    Enable VPN Lockdown

    Once this is enabled, any failure of the VPN provider could break networking for all apps

    1. Compliance: When managing employee owned devices, it becomes imperative to make sure that the device adheres to compliance standards such as the device integrity, security and compatibility. 
      To mitigate such risks Scalefusion uses Google Safety Net Attestation API to check the device compliance. 
      SafetyNet examines software and hardware information on the device where the Work Apps are being used. This attestation helps Scalefusion to determine whether or not the particular device has been tampered with or otherwise modified. 
      Using Scalefusion's Device Profile for kiosk devices you can enforce stricter device compliance rules and the actions that need to be taken in the event of violation.

    Setting

    Description

    Validate using SafetyNet Attestation

    This SafetyNet API helps assess the security and compatibility of the Android devices that your users are using. You can choose between a Strict or a Moderate level for validations.

    Allow use of Rooted Devices

    Rooted devices are the devices which have super users. You can allow or disallow the use of rooted devices while creating a device profile and then enrolling it.

    Compliance Check Duration

    You can select how often the compliance check should be performed. By default it happens every 24 hrs

    Compliance Violation Action

    Choose the action that should be performed if any of the compliance rules are violated

    1. Exchange Settings: Use this setting to configure an Exchange account on the device. You can select a previously created exchange configuration. Please refer to our Exchange configuration document for details.
    Note: The GMail client is configured with the given configuration. Currently GMail app does not allow the exchange configuration to be unpublished. So if you want to un-publish at a later point, you would have to publish a dummy/invalid account to the devices.
    1. Permission Settings: Scalefusion requires some permissions to manage the devices properly. Choose what happens when permissions are missing and control additional permissions.

    Setting

    Description

    Enforce Exit Password to Complete Setup

    Toggle on this option to enforce an exit password to be entered by user for completing setup

    Enforce Disable Assist App

    If you select this, the Google assist app will be disabled for the user

    1. General Setting: These settings allows you to manage some general settings.

      Setting

      Description

      Allow Users to access “Timezone” inside the app

      If this option is enabled then user's can see an option in Scalefusion menu to change timezone.

      Choose Timezone configuration

      Enforce a default timezone for the devices from a list of previously created TimeZone configuration.

      Lock Screen Orientation

      Enforce an orientation on your tablet devices.

      ⚠ This is a device specific feature and the mileage may vary from OEM to OEM.

      Wifi State

      Choose if you want to enforce the Wifi to be always On or Off. By default it is set as None and no policy is enforced.

      Bluetooth State

      Choose if you want to enforce the Bluetooth to be always ON or OFF. by default it is set as None and no policy is enforced.

Once you have created a Kiosk/Agent Profile, it will start appearing in the list of device profiles with a small lock icon, indicating that this device profile is suitable for Kiosk devices.

Applying a Device Profile

Once you have the device profile ready, you can choose to create a QR Code/Enrollment Configurations, and all the devices that will use this QR Code to enroll will get this device profile. Also you can apply a Device Profile to a Device Group and all the devices in that group will get this device profile.

To update a profile on a device individually, then select the Device Profile in the device profile listing screen, click on the Publish button and select the Devices to apply.

Frequently Asked Questions

Question: What is the difference between Launcher mode and Agent Mode?

Answer: Our document on differences between launcher and agent mode explain it in detail. Please find the document here. Here is a brief,

  • Launcher Mode: When Scalefusion is set as launcher mode, then it replaces the default home screen of the device and shows only the applications that are allowed along with the browser shortcuts. This is useful for both legacy forms of enrollment where afw#mobilock is not supported and the newer forms where afw#mobilock enrollment is supported.
  • Agent Mode: When Scalefusion is set as agent, then it does not replace the default launcher. It silently runs in the background and applies the policies set in the default profile. This is NOT suitable for legacy devices, where it does not give you Application restrictions. However on devices enrolled via afw#mobilock, where Scalefusion is the device owner, it controls the applications and also gives a native experience.

Question: What will happen if we change the mode to Agent for a Device Profile that has a mix of EMM (afw#mobilock) and non-EMM devices?

Answer: We would advise against changing the mode of a Device Profile which has both EMM and non-EMM devices. In case of non-EMM devices, Scalefusion WILL NOT be able to apply application restriction policy, thereby allowing the users to use any of the installed applications.

Question: Do we need to give all the permissions when Scalefusion is set as Agent mode?

Answer: Yes for optimal policy enforcement, we advise that all the permissions are given when Scalefusion is set as agent.

Question: Can a device be switched between Agent and Launcher or vice-versa?

Answer: Yes, the mode change in the profile, causes the Scalefusion app to either run as agent or as launcher. However if the devices was setup in Agent mode, then while shifting to launcher mode, Scalefusion will ask for Default Launcher permission.

Question: We see that some sections are disabled or not-accessible when Agent Mode is selected?

Answer: This is because there are some features that do not work when Scalefusion is running as agent mode. Hence we have disabled the sections or these options from being accessed. When Scalefusion is set as Agent, the following settings are not accessible,

  • Single App Mode
  • Homescreen Settings
  • Notification Centre Settings
  • In-App Wifi Settings
  • In-App Hotspot Settings
  • In-App Mobile Network Settings

Question: We see that some sections are disabled or not-accessible when Launcher Mode is selected?

Answer: This is because there are some features that do not work when Scalefusion is running in Launcher mode. Hence we have disabled the sections or these options from being accessed. When Scalefusion is set as Launcher, the following settings are not accessible,

  • Enable System Status Bar
  • Hide Agent App from UI
  • Restrict Apps

Question: Why is that on our devices we can see and use all the applications event though we have not selected them in Select Apps?

Answer: This might happen in the following conditions,

  • If Scalefusion set as Agent Mode and the device is NOT enrolled via afw#mobilock (EMM managed), that is enrolled via legacy methods.
  • If Scalefusion set as Agent Mode and the Restrictions > EMM Settings > Restrict Apps is not enabled.

Question: Why is that on some of our EMM managed devices we can see the Settings app?

Answer: On devices running Android 7.0 and above, we cannot completely hide Settings app due to the other dependancies. Hence we have disabled it.

Question: Why are the Enterprise APKs and/or Play for Work apps are not getting silently installed when the device is in Agent Mode?

Answer: When Scalefusion is set as Agent mode, it requires the Google Play Store app to be enabled for the Enterprise Apps and/or Play for Work apps to be installed. Make sure that Google Play Store app is enabled. You can enable the Google Play Store and use the Restrictions > Account Setting options of Device Profile to make sure that user does not add/remove the accounts.


How did we do?


Powered by HelpDocs