Android Device Profile Restrictions for Company Owned Devices
As part of device policy controls, the Restrictions section offers a wide collection of control and security policies that let you control and manage your devices better.
This document explains all the Restrictions offered in the Scalefusion Dashboard that can be applied to managed Android devices.
Before You Begin
You must have a valid Scalefusion account.
How to Access
Follow these steps to access the Restrictions section in a corporate profile:
- From your Scalefusion dashboard, go to Device Profiles & Policies ➞ Device Profiles.
- Click on Create New Profile in the upper right corner or edit an existing Android device profile.
- Select the Kiosk/Agent option.
- Enter a name for the profile and an exit passcode. Click on the Submit button. You will be redirected to the Profile creator view.
- The last section is the Restrictions section. Each of the controls in this section is explained below.
Device Settings
Volume Settings
This setting allows you to control the volume attributes of your devices.
Setting | Description |
Control Ringer Volume | Allows the user to control the device’s ringing volume. Choose one of the following options: Never (volume cannot be controlled by Dashboard; users can set the volume manually according to their requirement), Mute (sets volume to 0, no volume), Fix at Level (shows a bar which you can drag to fix the volume level), Specify Range (drag on the bar to set the volume range). |
Control Music Volume | Allows the user to control the music volume of the device. Shows the same options as above to choose from. |
Control Alarm Volume | Allows the user to control the alarm volume of the device. Shows the same options as above to choose from. |
Display Settings
This setting allows you to manage the display attributes of your devices.
Setting | Description |
Screen Time Out Settings | Allows you to set idle screen timeout duration from the dropdown list. ⚠ This is a device specific feature and may not work on all devices. |
Power Button causes the display to sleep | If the screen time out is set to Keep Always On, this additional option can be used to define power button behavior. |
Enable Adaptive Brightness | Enabling this auto-adjusts the device brightness according to the surrounding light. |
Allow changing of brightness | Allows the user to change the screen brightness of the device from either the 3 dots Menu on Scalefusion home screen or Notification centre. |
Control device screen brightness | Use this option to enforce the default screen brightness. This will override the user's choice on the device, if any. |
You can enable only one of these three settings at a time: Enable Adaptive Brightness, Allow changing of brightness, or Control device screen brightness.
Secure Settings
Configure additional security settings for your company owned devices to get better control and provide an enhanced kiosk experience. To start configuring these settings, enable Override Global/Device Secure Settings.
Setting | Category | Description |
Allow users to do Factory Reset* | Device Management | Choose if the users are allowed to factory reset the device. On Samsung, Sony and LG, if disabled, it prevents the users from factory resetting the device by using the ROM recovery method. For normal EMM devices, it blocks the Factory Reset option in System Settings. |
Allow users to boot device in Safe Mode* | Device Management | Choose if the users can use the power-off key and boot into safe mode. |
Allow users to power off the device | Device Management | Choose if the users are allowed to use the power-off button and switch off the device. |
Enforce SD card Encryption | Device Management | Enabling this setting enforces encryption for the SD card on Knox enabled devices. A password should be set on devices to be able to use this feature. Place a shortcut on home screen to prompt users: places a shortcut on the home screen which takes you directly to the Settings app, from where you can enforce encryption. This can be enabled only if SD card encryption is enforced. To enforce encryption: (1) Enable this setting on Dashboard. (2) On the device, click on the shortcut icon on the home screen. (3) Encrypt the SD card. |
Allow users to enable/disable the airplane mode | Settings Management | Choose if the users can control the Airplane mode from the power-off menu or from system settings. |
Disable Guest Mode | Settings Management | |
Allow System Error Dialogs | Settings Management | When this setting is turned On, the error dialogs will be visible to users for cases like app crashes. If turned Off, the error dialogs will be hidden. Applicable on EMM managed devices. |
Allow Floating Windows | Settings Management | When this setting is turned On, floating app windows will be allowed on devices that support floating windows, for multi-tasking. After enabling, if you disable this setting, a confirmation box will come up. |
Allow unknown sources* | App Management | Choose if the users are allowed to install Android applications from third party apps or directly by downloading APKs. |
Allow App Uninstallation and Clear App Data | App Management | Choose if the users can uninstall and/or clear the application data of installed applications. |
Disallow User to set Wallpaper | Settings Management | Enable this setting if you want to restrict the users from changing wallpaper on EMM Managed and Samsung Knox enabled devices. This setting works when the device is set in Kiosk or Agent mode. |
Set Lock Screen to None, if No PIN/password is set on device | Settings Management | Sets the lock screen to None when the following conditions are met: the device supports Wingman; no Password Policy is applied; no PIN/Password is set from settings. |
Disable Edge Screen | Settings Management | Disables access to Edge Screen from where you can quickly access your apps/features/contacts. Applicable on Knox devices. |
Enable Double Tap to Wake | Settings Management | Wakes up the device from sleep mode on double-tap. This setting works on Wingman supported devices. This is an experimental feature and may not work on all devices. |
Block Settings on Boot | Settings Management | If this is enabled, users will not be allowed to access settings from the notification bar after the device is rebooted. This setting is applicable on EMM Managed devices with Android OS version 7 or above. |
Prevent In-App Browsing | App Management | This setting blocks the Android Webview component, thereby blocking apps using it for in-app browsing. Please note this will work if: the Scalefusion browser is not enabled; URL shortcuts have not been configured; devices are EMM Managed. |
Disable Emergency Call Menu on Lock Screen | App Management | Disables the emergency call menu on the Lock screen on Lenovo devices. |
Block Incoming MMS | App Management | Enabling this blocks incoming MMS on Knox supported devices. |
Allow Users to change Screen Lock Type | App Management | The setting will allow/disallow the user from setting a lock screen Password on Lenovo devices (OS 10 & above). The user will not be able to access the lock screen password configuration in the Settings app. |
Allow users to use Home Key | Hardware Keys | Choose if the users can use the Home button on the Android devices. |
Allow users to use Back Key. | Hardware Keys | Choose if the users can use the Back button on the Android devices. |
Allow users to use the app switch key. | Hardware Keys | This setting can be used to block the Recent Key altogether. |
Allow Multi Window | Settings Management | Choose if users can use the multi-window feature on some phones/tablets. |
Allow MTP access | USB Device Management | Choose if the user can access the media on the device via the MTP protocol when connected with a device via USB cable. |
Allow users to connect via USB cable | USB Device Management | Choose if the users can connect the device via USB cable and access the USB storage and other options. |
Allow USB Debugging mode | USB Device Management | Choose if the users can use the USB Debugging feature when connected to a USB cable. |
Disable SIM card | Additional Settings | Disables the SIM card on Lenovo devices. |
Disable Accessibility Option in Navigation bar | Additional Settings | Disables the accessibility option present in the Navigation bar. This is applicable on Lenovo devices. |
NOTE: Secure Settings can be controlled from the Enterprise > Secure Settings section as well; however, we recommend controlling this from the Device Profile for uniformity and ease of management.
Secure Settings can also be enforced using Wingman on non-EMM devices that support Wingman. For this, navigate to Android Utilities > Global Settings and enable the flag Use Wingman to enforce secure settings on Kiosk Devices.
Unlock Settings
An IT admin may need to unlock a device for a short duration for debugging or some other reasons. To maintain the security of the device even when it is unlocked, certain settings can be configured. Click here to learn about the settings and their configuration.
General Settings
These settings allow you to manage some general settings.
Timezone Settings
Setting | Category | Description |
Configure Automatic Network Time & Timezone | Timezone Settings | You can configure the time & timezone to be picked up by the device. There are three options to choose from: Enable (forces the device to use network time only, if available; if this is enabled, the rest of the timezone settings cannot be configured), Disable (disables the network based time), Allow Users (users get the option to toggle this setting on or off). These are configurable on EMM managed, Lenovo and Knox supported devices. |
Prevent users from changing date/time from Settings app | Timezone Settings | Blocks users from changing date/time from the Settings app if they have access to Settings on the device. This is configurable on EMM managed and Knox supported devices with Android OS 9 and above. |
Allow users to set Date/Time from Scalefusion app | Timezone Settings | Provides an option to users to set the date/time manually inside the Scalefusion app. This is configurable on EMM managed, Lenovo and Knox supported devices. |
Allow Users to access “Timezone” inside the app | Timezone Settings | If this option is enabled, users can see an option in the Scalefusion menu to change the timezone. |
Choose Timezone configuration | Timezone Settings | Enforce a default timezone for the devices from a list of previously created TimeZone configurations. |
Disable Power Menu | Disable Power Menu | Enabling this setting hides the power off menu when the user presses the Power button. Note that this does not disable the Power off functionality completely but just hides the Power off menu. This setting may not work consistently on Android OS v9.0 and above. |
Lock Screen Orientation | Lock Screen Orientation | Enforce an orientation on your devices by selecting the following: Select Orientation (select either Portrait or Landscape) and Select Form factors (apply the orientation on tablets or all devices; select one). You cannot enable the Change Orientation feature from Notification centre if you configure orientation from this setting. ⚠ This is a device specific feature and the mileage may vary from OEM to OEM. |
Wifi State | Network/Peripheral Settings | Choose if you want to enforce the Wifi to be always On or Off. By default it is set as None and no policy is enforced. |
Bluetooth State | Network/Peripheral Settings | Choose if you want to enforce the Bluetooth to be always ON or OFF. By default it is set as None and no policy is enforced. |
Device Configuration | Device Configuration | Allows users to configure device properties like names and additional custom properties with the following settings: Allow Users to Change the Name of Device (if this toggle is set to ON, users can set the device name from the device) and Allow Users to enter values for Custom Properties (with this toggle on, you can select the custom properties that users should be shown on the device and select if they should be optional or required; users can then set values for the allowed custom fields from the device). |
Configure Language Settings | | Configure language settings for devices with the following settings: Allow Users to change Language (choose this if you want to allow users to change the language on the device) and Select Default Language (select the default language for the device). These settings are configurable for Samsung Knox and Wingman supported devices. |
Permission Settings
Scalefusion requires some permissions to manage the devices properly. Choose what happens when permissions are missing and control additional permissions.
Setting | Description |
Enforce Exit Password to Complete Setup | Toggle on this option to enforce an exit password to be entered by the user for completing setup. |
Enforce Disable Assist App | If you select this, the Google assist app will be disabled for the user. |
Enforce Battery Optimization Exclusion permission | Battery optimizations kill apps and their processes in the background to optimize battery usage. However, to be able to apply all policies properly and secure the device, Scalefusion needs to be kept running in the background. Enabling this setting lets the Scalefusion agent app run in the background for longer and excludes it from battery optimization. When this setting is enabled, a permission toggle is shown during enrollment that asks for battery optimization exclusion. This permission is applicable only when the Scalefusion app is installed from Application Management > Scalefusion Apps. It won't be included when Scalefusion is installed from PlayStore. |
Network & Location Settings
WiFi Settings
This setting allows you to manage the WiFi configuration of your devices.
Setting | Description |
Choose WiFi configuration | Allows you to select and switch between Primary as well as additional Wifi configurations. Since multiple Wi-Fi configurations are available, users can switch the Wifi connection between them. Once Wi-Fi is published on the device, it attempts to connect to the one with the strongest signal. Wifi Configurations can be created from Device Profiles & Policies > All Configurations > Global Settings > Wifi Settings. |
Allow Fallback if configured Wifis cannot be setup | If enabled, it allows users to connect to a different Wifi if any of the configured Wifis cannot be connected. We show a list of possible Wifis the user can connect to. |
Allow Fallback if configured Wifis are not reachable post setup | Allows users to connect to a different Wifi if the configured Wifis are valid but not reachable. |
Allow users to access “WiFi Connection” menu inside the app | Enables access to the WiFi Connection menu from the Scalefusion application. If a Wifi configuration is applied then this menu cannot be used. ⚠ This feature works only when Scalefusion is set as Launcher. |
Allows users to connect/disconnect from WiFi Network | Allows the user to connect or disconnect a WiFi network from the Scalefusion application. If a Wifi configuration is applied then this menu cannot be used. ⚠ This feature works only when Scalefusion is set as Launcher. |
Mobile Network
This setting allows you to manage the Mobile data configuration of your devices.
Hotspot Settings
Setting | Description |
Display an icon on Homescreen | Allows you to choose whether you want to display Mobile hotspot icon on Scalefusion app's homescreen that is used to indicate the current state of Hotspot. |
Allow users to share/unshare from Hotspot Network | Choose if the users are allowed to enable/disable the Hotspot state from the Scalefusion Notification centre. If this option is disabled, the user has no control over sharing/unsharing of the hotspot: the notification centre will show the hotspot tile, but tapping on it will show the message 'admin has disabled this feature'. If this option is enabled, tapping on the hotspot tile in the notification centre will turn the hotspot on/off on the device. ⚠ This feature works only when Scalefusion is set as Launcher and Notification bar is enabled under Notification Centre. |
Display an icon on Homescreen | Allows you to choose whether you want to display Mobile hotspot icon on Scalefusion app's homescreen |
Warn & Disconnect if max connections exceed | Allows you to restrict maximum number of devices that can be connected to Hotspot. If you exceed this number, the hotspot connection stops, with a warning message on host device. |
Choose Hotspot configuration | Allows you to choose a Hotspot configuration for your device. Once applied the devices will create a hotspot and share their internet. The hotspot configurations can be pre-defined on Dashboard through Device Profiles & Policies > All Configurations > Android utilities > Hotspot Settings |
Let users disconnect from Hotspot Config | Allows users to disconnect from the configured hotspot. Users can disconnect hotspot using the Scalefusion notification centre widget or from home screen shortcut. |
Turn On the Hotspot when the configuration changes | If this setting is enabled, the device auto-connects to the hotspot when a new hotspot configuration is created or an existing one is updated. However, if this is disabled, the configuration just gets created / updated but does not auto-connect. |
Turn On the Hotspot if disconnected by OS | Enabling this setting monitors the state of Hotspot and if it is auto-disconnected due to device being idle, then it gets turned On |
Mobile Data Settings
Setting | Description |
Allow user to access “Mobile Data Settings” inside the app | If enabled, it allows the user to access mobile data options of the device, from inside Scalefusion app |
Choose Mobile Data State | Choose what state the mobile data should be on the device, from the following:
This setting works on Lenovo, Knox and Wingman supported devices and overrides user access to Mobile Data setting on the devices. |
Choose Data Roaming State | Choose a state for Mobile Data roaming, from the following:
This setting works on EMM Managed, Knox and Wingman supported devices. This is an experimental feature and may not work on all the devices. |
Location Settings
Configure Location Settings on the device profile; they are applied to the devices on which the profile is applied. To configure Location settings, toggle on the first setting, Override Global Location Settings. This enables the other settings and makes them configurable. When applied, they override the settings which have been set through Location & Geofencing > Location Settings on Dashboard.
Force GPS always off: Enforces GPS to be always off on Android devices which are EMM Managed, Wingman, Knox and Lenovo. If this setting is enabled, the rest of the settings are not configurable.
To learn more about Location Settings, visit the section Configure Location Settings

VPN Settings
From the list of applications, you can select one app and mark it as Always On VPN with an additional flag to lock down the network.
This feature works only on EMM devices with OS 7 and above that are set up using afw#mobilock or set up as Device Owner.
Setting | Description |
Select an Always On VPN Application | Simply select an application from the list which will be configured as an Always On VPN app |
Enable VPN Lockdown | Once this is enabled, any failure of the VPN provider could break networking for all apps |
Device Management
Application Management Settings
From this section, admins can configure application management settings for EMM managed devices that let them control the catalog features.
Setting | Description |
Google Play for Work App Settings Force Application Install on Publish | If this flag is enabled, it silently attempts an install of the app (when published) on device else just adds it to managed playstore. |
Configure Application Visibility in Managed Google Play Store | The app's visibility on Managed Google Play Store can be controlled with this setting. Following are the options to choose from:
|
Configure Application Restrictions for Agent Mode: Restrict applications to only the configured applications in profile | When this setting is enabled it restricts the apps shown on default launcher to only the apps configured in the Select Apps sections. If disabled, it allows all applications including the apps that users can install from Google Play Store. |
EMM Settings
These are the additional settings for your EMM managed devices that provide additional security and control. These settings also allow you to give your users access to System Settings in a controlled fashion if need be.
Setting | Category | Description |
Allow Outgoing Phone Calls | Communication | Normally disabling the Phone app will achieve this, however there might be some apps that might attempt to make phone calls. This option lets you completely disable outgoing calls. |
Allow Send/Receive SMS | Communication | Normally disabling the default messaging app will achieve this, however there might be some apps that can send SMS discreetly. This option lets you completely block the SMS. |
Allow Bluetooth | Communication | Allows a user to connect to a Bluetooth device. ⚠ This feature is available only for OS version 8.0 and later. |
Allow Android Beam | Communication | Allows a user to share files through Android Beam. |
Allow Adding Users | User Management | Choose if the user can add multiple users accounts on devices. This is useful to prevent creating new users immediately after boot or from system settings app. |
Allows Removing Users | User Management | Choose if user can remove the already created multiple user accounts. |
Allow Adding Google Account | User Management | Choose if user can add Google accounts. This is used to prevent accidental creation of account via other applications. ⓘ Allowing this does not mean user can add accounts directly without allowing the relevant apps. |
Allow Adding/Deleting Accounts | User Management | Choose if user can add additional accounts like Outlook on their devices. This is used to prevent accidental creation of account via other applications. ⓘ Allowing this does not mean user can add accounts directly without allowing the relevant apps. |
Allow Backup & Restore | User Management | Enabling this setting allows users to backup data to their google account and restore the backed up information to the original device or to some other Android device. This feature works on Android devices with OS 8 and above |
Allow Mobile Network Changes | Network & Security | Allows user to change mobile network settings if they have access to Settings app. |
Allow Tethering From All Sources | Network & Security | Allow users to enable Tethering via USB or Bluetooth. |
Allow WiFi Changes | Network & Security | Allow users to modify the Wifi network from System Settings if they have access to it. This may cause them to lose connectivity, so it is suggested that you allow them to use Scalefusion's Wifi connection options as a fallback. |
Allow Screen Capture | Network & Security | Choose if the users are allowed to capture the screenshot of applications. |
Allow Camera | Network & Security | Choose if the default Camera is disabled and cannot be used by any application. |
Allow Disabling Application Verification | Network & Security | Choose if users can disable Google Play Application Verification if they have access to the managed Play Store. |
Allow Keyguard | Keyguard | Choose if the Keyguard/Lock screen is allowed. |
Allow Keyguard Camera | Keyguard | If the Keyguard is allowed, then control if Camera can be launched from lock screen. |
Allow Keyguard Notifications | Keyguard | If Keyguard is allowed, then control if the notifications should be displayed. |
Allow Keyguard Trust Agent State | Keyguard | If Keyguard is allowed, then control if users can pair the bluetooth devices as trust agents for auto-unlock. |
Allow Keyguard Unredacted Notifications | Keyguard | If Keyguard is allowed, then choose if unredacted notifications are allowed. |
Allow Keyguard Fingerprint Sensor | Keyguard | If Keyguard is allowed, then choose if users can use the fingerprint scanner. |
Enable System Status Bar | Agent Mode | When Scalefusion is set as Agent, choose if the users can access the system status bar and notifications. ⚠ This setting works only when Scalefusion is set as Agent. |
Hide Agent App from UI | Agent Mode | When Scalefusion is set as Agent, then you can choose if the Scalefusion app icon is hidden from the native launcher. Note that this does not prevent the app from appearing in System Settings > Apps list. ⚠ This setting works only when Scalefusion is set as Agent. |
Restrict Apps | Agent Mode | When Scalefusion is set as Agent, you can control whether the application usage should be restricted or not. Based on the applications that you have enabled, if this setting is true then only the selected applications are shown in the default launcher. ⚠ This setting works only when Scalefusion is set as Agent. |
Enable Notification / Status Bar | Notification bar settings | Configure following notification bar settings under this:
|
Compliance
When managing company owned devices, it becomes imperative to make sure that the device adheres to compliance standards such as the device integrity, security and compatibility.
To mitigate such risks Scalefusion uses Google Play Protect API to check the device compliance.
Google Play Protect examines software and hardware information on the device where the Work Apps are being used. This attestation helps Scalefusion to determine whether or not the particular device has been tampered with or otherwise modified.
Using Scalefusion's Device Profile for kiosk devices you can enforce stricter device compliance rules and the actions that need to be taken in the event of violation.
Setting | Description |
Validate using Google Play Protect | The Google Play Protect API helps assess the security and compatibility of the Android devices that your users are using. You can choose between a Strict or a Moderate level for validations. Devices should be EMM Managed |
Allow use of Rooted Devices | Rooted devices are the devices which have super users. You can allow or disallow the use of rooted devices while creating a device profile and then enrolling it. |
Compliance Check Duration | You can select how often the compliance check should be performed. By default it happens every 24 hrs |
Compliance Violation Action | Choose the action that should be performed if any of the compliance rules are violated:
|
Access Conditions
There might be some applications that distract users while driving. Scalefusion has provision to control the access to applications based on device speed. With Speed Based Access configurations under Access Conditions, admin can block such applications once users have reached a specified speed limit thus making driving a seamless experience.
Please refer to the document for Speed based Locking of apps to know how it can be done.
Exchange Settings
Use this setting to configure an Exchange account on the device. You can select a previously created exchange configuration. Please refer to our Exchange configuration document for details.
Dev Tools
Developer API
In the Developer API section of Device profile an MDM SDK is provided that can be used in your enterprise apps to get the device information and perform a wide variety of actions (like launching wifi screen, toggle mobile data, toggle hotspot etc.) locally on device. Visit here for more details.
Advance Settings
Schedule Power On/Off Settings
This section can be used to configure settings for specific devices, mainly Lenovo and Samsung Knox.
Setting | Description | Applicable on |
Automatic Power ON/OFF | Enable / disable the following options to automatically power on/off a device when USB charger is connected or removed respectively:
|
On Samsung Knox devices, Power On feature is compatible with Qualcomm & LSI chipset ONLY. With other chipsets it may not work consistently. Refer here for more details |
Schedule Power ON/OFF time | With this setting enabled you can set time for switching on and switching off the device. Select the following:
| Lenovo. Power Off is supported on Knox and Wingman devices also. On certain Lenovo models, this policy may not work or when applied, it cannot be removed from them. |
SIM Binding Settings
SIM cards can be bound with the IMEI number of devices to prevent the device's misuse. Click here to learn the SIM binding settings and how you can configure them.
Configure Support Messages
IT admins can configure support messages that appear on the settings screen when a user tries to access any functionality/feature that is blocked or restricted. Both long and/or short messages can be configured. To configure:
- Toggle on the setting Configure Support Messages
- In the text area, enter message. The maximum length of the message is 4096 characters. However, for a short message, if the message length is greater than 200 characters, the message is truncated on the device.
- IT admins can enter the message in their preferred language.
- This is how the message will appear on the device screen.
OS Update Settings
You can select a policy for installing Android OS Updates. Click here to learn about all the settings.
Run Commands
With Run Commands, IT admins can configure additional triggers to execute Remote Commands whenever that event occurs (run at install, schedule at a specific time etc.) and even when the devices are offline. Click here to learn more.
OEM Configurations
The OEM Configurations section displays the collection of OEM specific Configuration applications, aka OEM Config apps. These applications are developed by Original Equipment Manufacturers (OEM) and are purpose built to give you fine-grained control over their devices. They let you remotely configure additional proprietary settings of the device that cannot be configured otherwise.
Using the OEM Configuration section, you can configure these directly from the profile and also view the status of the deployment as a quick action item. Please refer to this document on how to setup these policies.
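Several settings on this page depend on one another: only one brightness control can be enabled at a time, the power-button option is tied to Keep Always On, the SD card shortcut requires enforced encryption, enabling network time locks the other timezone settings, VPN lockdown is a flag on a selected Always On VPN app, and support messages have length limits. The Python below is an added example, not Scalefusion code, that checks a profile for these conflicts before it is published; the dictionary keys, the sample profiles and the package name are hypothetical and constructed for illustration.

```python
"""Pre-publish lint for a device profile, based on the dependencies stated on this page.

Added example: the key names are hypothetical, not Scalefusion's schema.
"""

SUPPORT_MSG_MAX = 4096     # maximum support message length
SHORT_MSG_DISPLAY = 200    # short messages longer than this are truncated on the device

BRIGHTNESS_KEYS = ("enable_adaptive_brightness", "allow_changing_brightness",
                   "control_screen_brightness")
TIMEZONE_KEYS = ("prevent_datetime_change_in_settings", "allow_datetime_from_app",
                 "allow_timezone_in_app", "timezone_configuration")


def lint_profile(profile):
    """Return a list of (code, detail) findings; an empty list means no conflicts."""
    findings = []

    # Only one of the three brightness settings can be enabled at a time.
    on = [k for k in BRIGHTNESS_KEYS if profile.get(k)]
    if len(on) > 1:
        findings.append(("BRIGHTNESS_CONFLICT", ", ".join(on)))

    # The power-button option is offered only when the timeout is Keep Always On.
    if (profile.get("power_button_sleeps_display")
            and profile.get("screen_timeout") != "keep_always_on"):
        findings.append(("POWER_BUTTON_NEEDS_ALWAYS_ON", str(profile.get("screen_timeout"))))

    # The home-screen shortcut can be enabled only if SD card encryption is enforced.
    if profile.get("sd_card_shortcut") and not profile.get("enforce_sd_card_encryption"):
        findings.append(("SD_SHORTCUT_NEEDS_ENCRYPTION", "enforce_sd_card_encryption is off"))

    # With network time set to Enable, the other timezone settings cannot be configured.
    if profile.get("network_time") == "enable":
        stale = [k for k in TIMEZONE_KEYS if profile.get(k)]
        if stale:
            findings.append(("TIMEZONE_LOCKED_BY_NETWORK_TIME", ", ".join(stale)))

    # Lockdown is an additional flag on the selected Always On VPN app, so it
    # has nothing to apply to when no app is selected (inference from the page).
    if profile.get("vpn_lockdown") and not profile.get("always_on_vpn_app"):
        findings.append(("LOCKDOWN_WITHOUT_VPN_APP", "no Always On VPN app selected"))

    # Support messages: 4096 characters maximum; short messages are cut at 200.
    short = profile.get("support_short_message", "")
    long_ = profile.get("support_long_message", "")
    for name, text in (("short", short), ("long", long_)):
        if len(text) > SUPPORT_MSG_MAX:
            findings.append(("MESSAGE_TOO_LONG", name))
    if SHORT_MSG_DISPLAY < len(short) <= SUPPORT_MSG_MAX:
        findings.append(("SHORT_MESSAGE_TRUNCATED", "%d characters" % len(short)))

    return findings


# Constructed sample profiles (not exported from any real dashboard).
SAMPLE_PROFILE = {
    "enable_adaptive_brightness": True,
    "control_screen_brightness": True,
    "screen_timeout": "2_minutes",
    "power_button_sleeps_display": True,
    "enforce_sd_card_encryption": False,
    "sd_card_shortcut": True,
    "network_time": "enable",
    "allow_timezone_in_app": True,
    "always_on_vpn_app": None,
    "vpn_lockdown": True,
    "support_short_message": "x" * 250,
}

CLEAN_PROFILE = {
    "control_screen_brightness": True,
    "screen_timeout": "keep_always_on",
    "power_button_sleeps_display": True,
    "enforce_sd_card_encryption": True,
    "sd_card_shortcut": True,
    "network_time": "enable",
    "always_on_vpn_app": "com.example.vpn",  # placeholder package name
    "vpn_lockdown": True,
    "support_short_message": "Blocked by IT. Contact the help desk.",
}

if __name__ == "__main__":
    for code, detail in lint_profile(SAMPLE_PROFILE):
        print(f"{code}: {detail}")
```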