Android Device Profile Restrictions for Company Owned Devices

As part of device policy controls, the Restrictions section offers a wide collection of control and security policies that let you control and manage your devices better.

This document explains all the Restrictions offered in the Scalefusion Dashboard that can be applied to managed Android devices.

Before You Begin

You must have a valid Scalefusion account.

How to Access

Follow these steps to access the Restrictions section in a corporate profile:

  1. From your Scalefusion dashboard, go to Device Profiles & Policies ➞ Device Profiles.
  2. Click on Create New Profile in the upper right corner or edit an existing Android device profile.
  3. Select the Kiosk/Agent option.
  4. Enter a name for the profile and an exit passcode. Click on the Submit button. You will be redirected to the Profile creator view.
  5. The last section is the Restrictions section. Each of the controls in this section is explained below:
    1. Volume Settings: This setting allows you to control the volume attributes of your devices.

      | Setting | Description |
      |---|---|
      | Control Ringer Volume | Allows the user to control the device’s ringing volume. |
      | Control Music Volume | Allows the user to control the music volume of the device. |

    2. WiFi Settings: This setting allows you to manage the WiFi configuration of your devices.

      | Setting | Description |
      |---|---|
      | Choose WiFi configuration | Allows you to select and switch between the Primary and additional WiFi configurations. Because multiple WiFi configurations can be selected, users can switch between the available ones. Once the WiFi configurations are published on the device, it attempts to connect to the one with the strongest signal. WiFi configurations can be created from Utilities > Wifi Settings. |
      | Allow users to access “WiFi Connection” menu inside the app | Enables access to the WiFi Connection menu from the Scalefusion application. If a WiFi configuration is applied, this menu cannot be used. This feature works only when Scalefusion is set as Launcher. |
      | Allows users to connect/disconnect from WiFi Network | Allows the user to connect to or disconnect from a WiFi network from the Scalefusion application. If a WiFi configuration is applied, this menu cannot be used. This feature works only when Scalefusion is set as Launcher. |

    3. Mobile Network: This setting allows you to manage the mobile data configuration of your devices.
      All Hotspot-related features work only on devices running Android 7.0 and below.

      | Setting | Description |
      |---|---|
      | Allow users to share/unshare from Hotspot Network | Choose if the users are allowed to enable/disable the Hotspot state from the Scalefusion Notification centre. If this option is disabled, the user has no control over sharing/unsharing of the hotspot: the notification centre still shows the hotspot tile, but tapping on it shows the message 'admin has disabled this feature'. If this option is enabled, tapping on the hotspot tile in the notification centre turns the hotspot on or off on the device. This feature works only when Scalefusion is set as Launcher and Notification bar is enabled under Notification Centre. |
      | Display an icon on Homescreen | Allows you to choose whether to display the Mobile hotspot icon on the Scalefusion app's homescreen. |
      | Warn & Disconnect if max connections exceed | Allows you to restrict the maximum number of devices that can be connected to the Hotspot. If this number is exceeded, the hotspot connection stops, with a warning message on the host device. |
      | Choose Hotspot configuration | Allows you to choose a Hotspot configuration for your device. Once applied, the devices will create a hotspot and share their internet connection. The hotspot configurations can be pre-defined on the Dashboard through Android Utilities > Hotspot settings. |
      | Allow user to access “Mobile Data Settings” inside the app | Enables the user to access the mobile data options of the device from inside the Scalefusion app. ⚠ This feature works only when Scalefusion is set as Launcher. This feature may not work on all devices. |

    4. Display Settings: This setting allows you to manage the display attributes of your devices.

      | Setting | Description |
      |---|---|
      | Screen Time Out Settings | Allows you to set the idle screen timeout duration from the dropdown list. ⚠ This is a device-specific feature and may not work on all devices. |
      | Power Button causes the display to sleep | If the screen timeout is set to Keep Always On, this additional option can be used to define the power button behavior. |
      | Allow changing of brightness | Allows the user to change the screen brightness of the device from either the 3 dots Menu on the Scalefusion home screen or the Notification centre. |
      | Control device screen brightness | Use this option to enforce the default screen brightness. This will override the user's choice on the device, if any. |

    5. EMM Settings: These are additional settings for your EMM-managed devices that provide additional security and control. These settings also allow you to give your users access to System Settings in a controlled fashion if need be.
    Allowing these settings does not mean that users will have direct access to them. You also need to allow the selected applications, such as System Settings, that allow these settings to be modified. These settings are useful if you want to restrict and prevent malicious apps from using them.

    | Setting | Category | Description |
    |---|---|---|
    | Allow Outgoing Phone Calls | Communication | Normally, disabling the Phone app achieves this; however, some apps might still attempt to make phone calls. This option lets you completely disable outgoing calls. |
    | Allow Send/Receive SMS | Communication | Normally, disabling the default messaging app achieves this; however, some apps can send SMS discreetly. This option lets you completely block SMS. |
    | Allow Bluetooth | Communication | Allows a user to connect to a Bluetooth device. ⚠ This feature is available only for OS version 8.0 and later. |
    | Allow Android Beam | Communication | Allows a user to share files through Android Beam. |
    | Allow Adding Users | User Management | Choose if the user can add multiple user accounts on devices. This is useful to prevent the creation of new users immediately after boot or from the System Settings app. |
    | Allows Removing Users | User Management | Choose if the user can remove the multiple user accounts that have already been created. |
    | Allow Adding Google Account | User Management | Choose if the user can add Google accounts. This is used to prevent accidental creation of accounts via other applications. ⓘ Allowing this does not mean the user can add accounts directly without the relevant apps being allowed. |
    | Allow Adding/Deleting Accounts | User Management | Choose if the user can add additional accounts, like Outlook, on their devices. This is used to prevent accidental creation of accounts via other applications. ⓘ Allowing this does not mean the user can add accounts directly without the relevant apps being allowed. |
    | Allow Mobile Network Changes | Network & Security | Allows the user to change mobile network settings if they have access to the Settings app. |
    | Allow Tethering From All Sources | Network & Security | Allows users to enable tethering via USB or Bluetooth. |
    | Allow WiFi Changes | Network & Security | Allows users to modify the WiFi network from System Settings if they have access to it. This may cause them to lose connectivity, so it is suggested that you allow them to use Scalefusion's WiFi connection options as a fallback. |
    | Allow Screen Capture | Network & Security | Choose if the users are allowed to capture screenshots of applications. |
    | Allow Camera | Network & Security | Choose if the default Camera is disabled and cannot be used by any application. |
    | Allow Disabling Application Verification | Network & Security | Choose if users can disable Google Play Application Verification if they have access to the managed Play Store. |
    | Allow Keyguard | Keyguard | Choose if the Keyguard/Lock screen is allowed. |
    | Allow Keyguard Camera | Keyguard | If the Keyguard is allowed, control whether the Camera can be launched from the lock screen. |
    | Allow Keyguard Notifications | Keyguard | If the Keyguard is allowed, control whether notifications should be displayed. |
    | Allow Keyguard Trust Agent State | Keyguard | If the Keyguard is allowed, control whether users can pair Bluetooth devices as trust agents for auto-unlock. |
    | Allow Keyguard Unredacted Notifications | Keyguard | If the Keyguard is allowed, choose if unredacted notifications are allowed. |
    | Allow Keyguard Fingerprint Sensor | Keyguard | If the Keyguard is allowed, choose if users can use the fingerprint scanner. |
    | Enable System Status Bar | Agent Mode | When Scalefusion is set as Agent, choose if the users can access the system status bar and notifications. This setting works only when Scalefusion is set as Agent. |
    | Hide Agent App from UI | Agent Mode | When Scalefusion is set as Agent, you can choose if the Scalefusion app icon is hidden from the native launcher. Note that this does not prevent the app from appearing in the System Settings > Apps list. This setting works only when Scalefusion is set as Agent. |
    | Restrict Apps | Agent Mode | When Scalefusion is set as Agent, you can control whether application usage should be restricted or not. Based on the applications that you have enabled, if this setting is true then only the selected applications are shown in the default launcher. This setting works only when Scalefusion is set as Agent. |

    These settings will work only if your device is set up as an EMM device.
    6. VPN Settings: From the list of applications, you can select one app and mark it as the Always On VPN, with an additional flag to lock down the network.
      This feature works only on EMM devices running OS version 7 and above that are set up using afw#mobilock or as Device Owner.

    | Setting | Description |
    |---|---|
    | Select an Always On VPN Application | Select an application from the list to be configured as the Always On VPN app. |
    | Enable VPN Lockdown | Once this is enabled, any failure of the VPN provider could break networking for all apps. |

    7. Compliance: When managing employee-owned devices, it becomes imperative to make sure that the device adheres to compliance standards such as device integrity, security and compatibility.
      To mitigate such risks, Scalefusion uses the Google SafetyNet Attestation API to check device compliance.
      SafetyNet examines software and hardware information on the device where the Work Apps are being used. This attestation helps Scalefusion determine whether or not the particular device has been tampered with or otherwise modified.
      Using Scalefusion's Device Profile for kiosk devices, you can enforce stricter device compliance rules and define the actions to be taken in the event of a violation.

    | Setting | Description |
    |---|---|
    | Validate using SafetyNet Attestation | This SafetyNet API helps assess the security and compatibility of the Android devices that your users are using. You can choose between a Strict or a Moderate level for validations. |
    | Allow use of Rooted Devices | Rooted devices are devices that have superusers. You can allow or disallow the use of rooted devices while creating a device profile and then enrolling it. |
    | Compliance Check Duration | You can select how often the compliance check should be performed. By default, it happens every 24 hrs. |
    | Compliance Violation Action | Choose the action that should be performed if any of the compliance rules are violated. |

    8. Secure Settings: Configure additional security settings for your company-owned devices to get better control and provide an enhanced kiosk experience. To start configuring these settings, enable Override Global/Device Secure Settings.

      | Setting | Category | Description |
      |---|---|---|
      | Allow users to do Factory Reset* | Security | Choose if the users are allowed to factory reset the device. On Samsung, Sony and LG devices, disabling this prevents users from factory resetting the device using the ROM recovery method. On normal EMM devices, it blocks the Factory Reset option in System Settings. |
      | Allow users to boot device in Safe Mode* | Security | Choose if the users can use the power-off key and boot into safe mode. |
      | Allow users to power off the device | Security | Choose if the users are allowed to use the power-off button and switch off the device. |
      | Allow users to enable/disable the airplane mode | Security | Choose if the users can control the Airplane mode from the power-off menu or from System Settings. |
      | Disable Guest Mode | Security | |
      | Allow unknown sources* | Security | Choose if the users are allowed to install Android applications from third-party apps or directly by downloading APKs. |
      | Allow App Uninstallation and Clear App Data | Security | Choose if the users can uninstall and/or clear the application data of installed applications. |
      | Allow users to use Home Key | Hardware Keys | Choose if the users can use the Home button on the Android devices. |
      | Allow users to use Back Key. | Hardware Keys | Choose if the users can use the Back button on the Android devices. |
      | Allow users to use the app switch key. | Hardware Keys | This setting can be used to block the Recent Key altogether. |
      | Allow Multi Window | Quick Settings | Choose if users can use the multi-window feature on some phones/tablets. |
      | Allow MTP access | USB Settings | Choose if the user can access the media on the device via the MTP protocol when connected with a device via USB cable. |
      | Allow users to connect via USB cable | USB Settings | Choose if the users can connect the device via USB cable and access the USB storage and other options. |
      | Allow USB Debugging mode | USB Settings | Choose if the users can use the USB Debugging feature when connected to a USB cable. |
      | System Update Policy* | OS Update Settings | Select a policy for Android OS Updates. The default is None. You can choose between the following options: a. Postpone: The OS Upgrade will be postponed by 30 days. b. Automatic Install Update: The OS Upgrade will be automatically installed. c. Install within Maintenance Window: Choose an install window within which the OS update can be installed. |

    NOTE: Secure Settings can be controlled from the Enterprise > Secure Settings section as well; however, we recommend controlling them from the Device Profile for uniformity and ease of management.
    Secure Settings can also be enforced using Wingman on non-EMM devices that support Wingman. For this, navigate to Android Utilities > Global Settings and enable the flag Use Wingman to enforce secure settings on Kiosk Devices.
    9. Exchange Settings: Use this setting to configure an Exchange account on the device. You can select a previously created Exchange configuration. Please refer to our Exchange configuration document for details.
      Note: The GMail client is configured with the given configuration. Currently, the GMail app does not allow the Exchange configuration to be unpublished. So if you want to un-publish it at a later point, you would have to publish a dummy/invalid account to the devices.
    10. Application Management Settings: From this section, the admin can configure application management settings for EMM-managed devices that let them control the catalog features.

      Google Play for Work App Settings

      | Setting | Description |
      |---|---|
      | Force Application Install on Publish | If this flag is enabled, a silent install of the app is attempted on the device when the app is published; otherwise, the app is just added to the managed Play Store. |
      | Configure Application Visibility in Managed Google Play Store | The app's visibility on the Managed Google Play Store can be controlled with this setting. There are two options to choose from. All Approved: All Play for Work apps are shown on the device when the PlayStore app is enabled. Published: Only the applications that have been explicitly published to this profile will be visible on the device. |

      Configure Application Restrictions for Agent Mode

      | Setting | Description |
      |---|---|
      | Restrict applications to only the configured applications in profile | When this setting is enabled, it restricts the apps shown on the default launcher to only the apps configured in the Select Apps section. If disabled, it allows all applications, including the apps that users can install from the Google Play Store. |

    11. Permission Settings: Scalefusion requires some permissions to manage the devices properly. Choose what happens when permissions are missing and control additional permissions.

    | Setting | Description |
    |---|---|
    | Enforce Exit Password to Complete Setup | Toggle on this option to require the user to enter an exit password to complete setup. |
    | Enforce Disable Assist App | If you select this, the Google assist app will be disabled for the user. |

    12. Access Conditions: Some applications might distract users while driving. Scalefusion has a provision to control access to applications based on device speed. With the Speed Based Access configurations under Access Conditions, the admin can block such applications once users have reached a specified speed limit, thus making driving a seamless experience.
      Please refer to the document on Speed based Locking of apps to learn how this can be done.
    13. General Settings: These settings allow you to manage some general settings.

      | Setting | Description |
      |---|---|
      | Allow Users to access “Timezone” inside the app | If this option is enabled, users can see an option in the Scalefusion menu to change the timezone. |
      | Choose Timezone configuration | Enforce a default timezone for the devices from a list of previously created TimeZone configurations. |
      | Lock Screen Orientation | Enforce an orientation on your tablet devices. ⚠ This is a device-specific feature and the behavior may vary from OEM to OEM. |
      | Wifi State | Choose if you want to enforce the WiFi to be always On or Off. By default, it is set to None and no policy is enforced. |
      | Bluetooth State | Choose if you want to enforce the Bluetooth to be always ON or OFF. By default, it is set to None and no policy is enforced. |
      | Device Configuration | Allows users to configure device properties like names and additional custom properties with the following settings. Allow Users to Change the Name of Device: If this toggle is set to ON, users can set the device name from the device. Allow Users to enter values for Custom Properties: With this toggle on, you can select the custom properties that users should be shown on the device and select if they should be optional or required. Once this is set, users can set values for the allowed custom fields from the device. |
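
The Compliance section above validates devices with SafetyNet attestation at a Strict or Moderate level. The following Python code is an added example, not Scalefusion's code: it evaluates an attestation payload whose JWS signature and certificate chain are assumed to have been verified already. The mapping of Strict to `basicIntegrity` plus `ctsProfileMatch` and Moderate to `basicIntegrity` alone, the package name, the freshness window and the sample payload are assumptions.

```python
import base64
import hmac
import json

# Assumed mapping (not stated on the page) of level -> required verdicts.
REQUIRED_VERDICTS = {
    "strict": ("basicIntegrity", "ctsProfileMatch"),
    "moderate": ("basicIntegrity",),
}
MAX_AGE_MS = 5 * 60 * 1000  # hypothetical freshness window


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(jws: str) -> dict:
    """Decode the payload of a compact JWS whose signature is already verified."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def violations(payload, level, nonce, package, now_ms):
    """Return the names of the failed checks; an empty list means compliant."""
    failed = []
    sent = base64.b64encode(nonce)
    if not hmac.compare_digest(str(payload.get("nonce", "")).encode(), sent):
        failed.append("nonce")           # replayed or foreign response
    if abs(now_ms - int(payload.get("timestampMs", 0))) > MAX_AGE_MS:
        failed.append("timestampMs")     # stale response
    if payload.get("apkPackageName") != package:
        failed.append("apkPackageName")  # produced by a different app
    for verdict in REQUIRED_VERDICTS[level]:
        if payload.get(verdict) is not True:  # a missing verdict fails closed
            failed.append(verdict)
    return failed


# Constructed sample, not a real attestation: basic integrity passes,
# the CTS profile match does not.
NONCE = b"constructed-nonce-0001"
NOW_MS = 1_700_000_000_000
SAMPLE_PAYLOAD = {
    "nonce": base64.b64encode(NONCE).decode(),
    "timestampMs": NOW_MS - 2_000,
    "apkPackageName": "com.example.agent",
    "basicIntegrity": True,
    "ctsProfileMatch": False,
}
SAMPLE_JWS = ".".join(_b64url(p) for p in (
    b'{"alg":"RS256"}', json.dumps(SAMPLE_PAYLOAD).encode(), b"constructed-sig"))

if __name__ == "__main__":
    decoded = decode_payload(SAMPLE_JWS)
    for lvl in ("moderate", "strict"):
        print(lvl, violations(decoded, lvl, NONCE, "com.example.agent", NOW_MS))
```

Under these assumptions the sample device is compliant at the Moderate level and fails only the `ctsProfileMatch` check at the Strict level.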

