Android Device Profile Restrictions for Company Owned Devices

As part of device policy controls, the Restrictions section offers a wide collection of control and security policies that let you control and manage your devices better.

This document explains all the Restrictions offered in the Scalefusion Dashboard that can be applied to managed Android devices.

Before You Begin

You must have a valid Scalefusion account.

How to Access

Follow these steps to access the Restrictions section in a corporate profile:

  1. From your Scalefusion dashboard, go to Device Profiles & Policies ➞ Device Profiles.
  2. Click on Create New Profile in the upper right corner or edit an existing Android device profile.
  3. Select the Kiosk/Agent option.
  4. Enter a name for the profile and an exit passcode. Click on the Submit button. You will be redirected to the Profile creator view.
  5. The last section is the Restrictions section. Each of the controls in this section is explained below.

    Device Settings

    Volume Settings
    This setting allows you to control the volume attributes of your devices.

    Setting

    Description

    Control Ringer Volume

    Allows the user to control the device’s ringing volume.

    Control Music Volume

    Allows the user to control the music volume of the device.

    Display Settings
    This setting allows you to manage the display attributes of your devices.

    Setting

    Description

    Screen Time Out Settings

    Allows you to set idle screen timeout duration from the dropdown list.

    ⚠ This is a device specific feature and may not work on all devices.

    Power Button causes the display to sleep

    If the screen timeout is set to Keep Always On, this additional option can be used to define the power button behavior.

    Allow changing of brightness

    Allows the user to change the screen brightness of the device from either the three-dot menu on the Scalefusion home screen or the Notification centre.

    Control device screen brightness

    Use this option to enforce the default screen brightness. This will override user choice on the device if any.

    Secure Settings
    Configure additional security settings for your company owned devices to get better control and provide an enhanced kiosk experience. To start configuring these settings, enable Override Global/Device Secure Settings.

    Setting

    Category

    Description

    Allow users to do Factory Reset*

    Security

    Choose if users are allowed to factory reset the device. On Samsung, Sony and LG devices, disabling this prevents users from factory resetting the device using the ROM recovery method. On normal EMM devices, it blocks the Factory Reset option in System Settings.

    Allow users to boot device in Safe Mode*

    Security

    Choose if users can use the power-off key and boot into safe mode.

    Allow users to power off the device

    Security

    Choose if the users are allowed to use the power-off button and switch off the device.

    Allow users to enable/disable the airplane mode

    Security

    Choose if the users can control the Airplane mode from the power-off menu or from system settings.

    Disable Guest Mode

    Security

    Allow unknown sources*

    Security

    Choose if users are allowed to install Android applications from third-party apps or by directly downloading APKs.

    Allow App Uninstallation and Clear App Data

    Security

    Choose if users can uninstall and/or clear the application data of installed applications.

    Disallow User to set Wallpaper

    Security

    Enable this setting if you want to restrict the users from changing wallpaper on EMM Managed and Samsung Knox enabled devices.

    This setting works when device is set in Kiosk or Agent mode.

    Set Lock Screen to None, if No PIN/password is set on device

    Security

    Sets the lock screen to None when the following conditions are met:

    • The device supports Wingman
    • No Password Policy applied
    • No PIN/Password set from settings

    Prevent In-App Browsing

    Security

    This setting blocks the Android Webview component thereby blocking apps using it for in-app browsing. Please note this will work:

    • If Scalefusion browser is not enabled
    • URL shortcuts have not been configured
    • Devices are EMM Managed

    Disable Emergency Call Menu on Lock Screen

    Security

    Disables the emergency call menu on the Lock screen on Lenovo devices.

    Allow users to use Home Key

    Hardware Keys

    Choose if users can use the Home button on Android devices.

    Allow users to use Back Key

    Hardware Keys

    Choose if users can use the Back button on Android devices.

    Allow users to use the app switch key

    Hardware Keys

    This setting can be used to block the Recent Key altogether.

    Allow Multi Window

    Quick Settings

    Choose if users can use the multi-window feature on some phones/tablets.

    Allow MTP access

    USB Settings

    Choose if the user can access the media on the device via MTP protocol when connected with a device via USB cable.

    Allow users to connect via USB cable

    USB Settings

    Choose if the users can connect the device via USB cable and access the USB storage and other options.

    Allow USB Debugging mode

    USB Settings

    Choose if the users can use the USB Debugging feature when connected to a USB cable.

    System Update Policy*

    OS Update Settings

    Select a policy for Android OS Updates. The default is None. You choose between the following options,

    NOTE: Secure Settings can also be controlled from the Enterprise > Secure Settings section; however, we recommend controlling them from the Device Profile for uniformity and ease of management.
    Secure Settings can also be enforced using Wingman on non-EMM devices that support Wingman. To do this, navigate to Android Utilities > Global Settings and enable the flag Use Wingman to enforce secure settings on Kiosk Devices.

    General Settings
    These settings allow you to manage some general settings.

    Setting

    Description

    Allow Users to access “Timezone” inside the app

    If this option is enabled, users can see an option in the Scalefusion menu to change the timezone.

    Choose Timezone configuration

    Enforce a default timezone for the devices from a list of previously created TimeZone configuration.

    Disable Power Menu

    Enabling this setting hides the power off menu when the user presses the Power button. Note that this does not disable the power off functionality completely; it only hides the power off menu.

    This setting may not work consistently on Android OS v9.0 and above.

    Lock Screen Orientation

    Enforce an orientation on your devices by selecting the following:

    Select Orientation: Select either Portrait or Landscape

    Select Form factors: Apply the orientation on tablets or all devices. Select one.

    You cannot enable the Change Orientation feature from the Notification centre if you configure orientation from this setting.

    ⚠ This is a device specific feature and the mileage may vary from OEM to OEM.

    Wifi State

    Choose if you want to enforce the Wifi to be always On or Off. By default it is set as None and no policy is enforced.

    Bluetooth State

    Choose if you want to enforce the Bluetooth to be always ON or OFF. By default it is set as None and no policy is enforced.

    Device Configuration

    Allows users to configure device properties like names and additional custom properties with the following settings:

    • Allow Users to Change the Name of Device: If this toggle is set to ON, then users can set the device name from the device.
    • Allow Users to enter values for Custom Properties: With this toggle on, you can select the custom properties that should be shown to users on the device and choose whether each is optional or required. Once this is set, users can enter values for the allowed custom fields from the device.

    Configure Language Settings

    Configure language settings for devices with the following settings:

    • Allow Users to change Language: Choose this if you want to allow users to change the language on the device.
    • Select Default Language: Select the default language for the device.

    These settings are configurable for Samsung Knox and Wingman supported devices.

    Permission Settings
    Scalefusion requires some permissions to manage the devices properly. Choose what happens when permissions are missing and control additional permissions.

    Setting

    Description

    Enforce Exit Password to Complete Setup

    Toggle on this option to require the user to enter an exit password to complete setup.

    Enforce Disable Assist App

    If you select this, the Google assist app will be disabled for the user.

    Enforce Battery Optimization Exclusion permission

    Battery optimization kills apps and their processes in the background to optimize battery usage. However, to be able to apply all policies properly and secure the device, Scalefusion needs to be kept running in the background.

    Enabling this setting lets the Scalefusion agent app run in the background for longer and excludes it from battery optimization.

    When this setting is enabled, a permission toggle is shown during enrollment that asks for battery optimization exclusion.

    This permission is applicable only when Scalefusion app is installed from Application Management > Scalefusion Apps. It won't be included when Scalefusion is installed from PlayStore.

    Network & Location Settings

    WiFi Settings
    This setting allows you to manage the WiFi configuration of your devices.

    Setting

    Description

    Choose WiFi configuration

    Allows you to select and switch between the Primary as well as additional Wifi configurations.

    Because multiple Wi-Fi configurations can be applied, users can switch between the available ones. Once the Wi-Fi configurations are published to the device, it attempts to connect to the one with the strongest signal.

    Wifi Configurations can be created from Utilities > Wifi Settings

    Allow users to access “WiFi Connection” menu inside the app

    Enables access to the WiFi Connection menu from the Scalefusion application. If a Wifi configuration is applied then this menu cannot be used.

    This feature works only when Scalefusion is set as Launcher.

    Allows users to connect/disconnect from WiFi Network

    Allows the user to connect or disconnect a WiFi network from the Scalefusion application. If a Wifi configuration is applied then this menu cannot be used.

    This feature works only when Scalefusion is set as Launcher.

Mobile Network

This setting allows you to manage the Mobile data configuration of your devices.

Hotspot Settings

Setting

Description

Display an icon on Homescreen

Allows you to choose whether you want to display Mobile hotspot icon on Scalefusion app's homescreen that is used to indicate the current state of Hotspot.

Allow users to share/unshare from Hotspot Network

Choose if users are allowed to enable/disable the Hotspot state from the Scalefusion Notification centre. If this option is disabled, the user has no control over sharing/unsharing of the hotspot.

As a result, if this option is disabled, the notification centre will show the hotspot tile, but tapping on it will show the message 'admin has disabled this feature'. If this option is enabled, tapping on the hotspot tile in the notification centre will turn the hotspot on/off on the device.

This feature works only when Scalefusion is set as Launcher and Notification bar is enabled under Notification Centre.

Display an icon on Homescreen

Allows you to choose whether you want to display Mobile hotspot icon on Scalefusion app's homescreen

Warn & Disconnect if max connections exceed

Allows you to restrict maximum number of devices that can be connected to Hotspot. If you exceed this number, the hotspot connection stops, with a warning message on host device.

Choose Hotspot configuration

Allows you to choose a Hotspot configuration for your device. Once applied the devices will create a hotspot and share their internet.

The hotspot configurations can be pre-defined on Dashboard through Android Utilities > Hotspot settings.

Let users disconnect from Hotspot Config

Allows users to disconnect from the configured hotspot. Users can disconnect hotspot using the Scalefusion notification centre widget or from home screen shortcut.

Turn On the Hotspot when the configuration changes

If this setting is enabled, the device auto-connects to the hotspot when a new hotspot configuration is created or an existing one is updated.

However, if this is disabled, the configuration just gets created / updated but does not auto-connect.

Turn On the Hotspot if disconnected by OS

Enabling this setting monitors the state of the Hotspot; if it is auto-disconnected because the device is idle, it gets turned On again.

Mobile Data Settings

Setting

Description

Allow user to access “Mobile Data Settings” inside the app

If enabled, it allows the user to access the mobile data options of the device from inside the Scalefusion app.

Choose Mobile Data State

Choose what state the mobile data should be on the device, from the following:

  • None
  • Always Off
  • Always On

This setting works on Lenovo, Knox and Wingman supported devices and overrides user access to Mobile Data setting on the devices.

Choose Data Roaming State

Choose a state for Mobile Data roaming, from the following:

  • None
  • Always OFF
  • Always ON
  • Allow User to Choose

This setting works on EMM Managed, Knox and Wingman supported devices.

This is an experimental feature and may not work on all the devices.

Location Settings

Configure Location Settings on the device profile which get applied to the devices on which the profile is applied. To configure Location settings, toggle on the first setting that is, Override Global Location Settings. This enables the other settings and makes them configurable. When applied, they override the settings which have been set through Location & Geofencing > Location Settings on Dashboard.

Force GPS always off: Enforces GPS to be always off on Android devices which are EMM Managed, Wingman, Knox and Lenovo. If this setting is enabled, the rest of the settings are not configurable. This feature is applicable on kiosk devices (agent and launcher mode) but not on BYOD devices.

To learn more about Location Settings, visit the section Configure Location Settings.

VPN Settings

From the list of applications, you can select one app and mark it as Always On VPN with an additional flag to lock down the network. 

This feature works only on EMM devices running OS 7 and above that were set up using afw#mobilock or set up as Device Owner.

Setting

Description

Select an Always On VPN Application

Select an application from the list to configure it as the Always On VPN app.

Enable VPN Lockdown

Once this is enabled, the network is locked down to the VPN, so any failure of the VPN provider could break networking for all apps.

Device Management

Application Management Settings

From this section, admins can configure application management settings for EMM managed devices that let them control the catalog features.

Setting

Description

Google Play for Work App Settings

Force Application Install on Publish

If this flag is enabled, Scalefusion silently attempts to install the app on the device when it is published; otherwise it just adds the app to the managed Play Store.

Configure Application Visibility in Managed Google Play Store

The app's visibility on Managed Google Play Store can be controlled with this setting. Following are the options to choose from:

  • All Approved: All Play for Work apps are shown on device when PlayStore app is enabled
  • Published: Only Published apps will be shown on device and not all others. Hence, only the applications that have been explicitly published to this profile will be visible on device.
  • Full Access to Play Store: In Agent mode, this setting allows users to access Full Google Play Store and install any application without adding their personal account. Please note they cannot add/purchase paid applications.

Configure Application Restrictions for Agent Mode:

Restrict applications to only the configured applications in profile

When this setting is enabled it restricts the apps shown on default launcher to only the apps configured in the Select Apps sections. If disabled, it allows all applications including the apps that users can install from Google Play Store.

EMM Settings

These are the additional settings for your EMM managed devices that provide additional security and control. These settings also allow you to give your users access to System Settings in a controlled fashion if need be.

Allowing these settings does not mean that users will have access to these settings directly. You need to allow the selected applications like System Settings or others that allow modification to these settings. These are useful if you want to restrict and prevent other malicious apps from using them.

Setting

Category

Description

Allow Outgoing Phone Calls

Communication

Normally disabling the Phone app will achieve this, however there might be some apps that might attempt to make phone calls. This option lets you completely disable outgoing calls.

Allow Send/Receive SMS

Communication

Normally disabling the default messaging app will achieve this, however there might be some apps that can send SMS discreetly. This option lets you completely block the SMS.

Allow Bluetooth

Communication

Allows a user to connect to a Bluetooth device.

⚠ This feature is available only for OS version 8.0 and later.

Allow Android Beam

Communication

Allows a user to share files through Android Beam.

Allow Adding Users

User Management

Choose if the user can add multiple user accounts on devices. This is useful to prevent creating new users immediately after boot or from the System Settings app.

Allows Removing Users

User Management

Choose if user can remove the already created multiple user accounts.

Allow Adding Google Account

User Management

Choose if user can add Google accounts. This is used to prevent accidental creation of account via other applications.

ⓘ Allowing this does not mean user can add accounts directly without allowing the relevant apps.

Allow Adding/Deleting Accounts

User Management

Choose if user can add additional accounts like Outlook on their devices. This is used to prevent accidental creation of account via other applications.

ⓘ Allowing this does not mean user can add accounts directly without allowing the relevant apps.

Allow Backup & Restore

User Management

Enabling this setting allows users to back up data to their Google account and restore the backed-up information to the original device or to some other Android device.

This feature works on Android devices with OS 8 and above.

Allow Mobile Network Changes

Network & Security

Allows user to change mobile network settings if they have access to Settings app.

Allow Tethering From All Sources

Network & Security

Allow users to enable Tethering via USB or Bluetooth.

Allow WiFi Changes

Network & Security

Allow users to modify the Wifi network from System Settings if they have access to it.

This may cause them to lose connectivity, and hence it is suggested that you allow them to use Scalefusion's Wifi connection options as a fallback.

Allow Screen Capture

Network & Security

Choose if the users are allowed to capture the screenshot of applications.

Allow Camera

Network & Security

Choose if the default Camera is disabled and cannot be used by any application.

Allow Disabling Application Verification

Network & Security

Choose if users can disable Google Play Application Verification if they have access to the managed Play Store.

Allow Keyguard

Keyguard

Choose if the Keyguard/Lock screen is allowed.

Allow Keyguard Camera

Keyguard

If the Keyguard is allowed, then control if Camera can be launched from lock screen.

Allow Keyguard Notifications

Keyguard

If Keyguard is allowed, then control if the notifications should be displayed.

Allow Keyguard Trust Agent State

Keyguard

If Keyguard is allowed, then control if users can pair Bluetooth devices as trust agents for auto-unlock.

Allow Keyguard Unredacted Notifications

Keyguard

If Keyguard is allowed, then choose if unredacted notifications are allowed.

Allow Keyguard Fingerprint Sensor

Keyguard

If Keyguard is allowed, then choose if users can use the fingerprint scanner.

Enable System Status Bar

Agent Mode

When Scalefusion is set as Agent, choose if the users can access the system status bar and notifications.

This setting works only when Scalefusion is set as Agent.

Hide Agent App from UI

Agent Mode

When Scalefusion is set as Agent, then you can choose if the Scalefusion app icon is hidden from the native launcher. Note that this does not prevent the app from appearing in System Settings > Apps list.

This setting works only when Scalefusion is set as Agent.

Restrict Apps

Agent Mode

When Scalefusion is set as Agent, you can control whether application usage should be restricted or not. Based on the applications that you have enabled, if this setting is true then only the selected applications are shown in the default launcher.

This setting works only when Scalefusion is set as Agent.

Enable Default Notification Bar

Notification bar settings

Configure the following notification bar settings:

  1. Enable Notification bar: When enabled, the following settings are configurable:
    1. Allow Access to Notifications and Quick Action Tiles: You can access notifications and quick actions.
    2. Allow access Only to Notifications (on OS version 9.0 and above): You can only access notifications.
      If this setting is enabled, then you cannot Allow Access to Notifications and Quick Action Tiles.
    3. Block Power Off Menu (on OS version 9.0 and above): Blocks the power off menu on the device so that you cannot switch off the device.
      You can either block the power off menu or allow access to notifications and quick action tiles.
  2. Hide Notification Bar: Enabling this hides the notification bar. This feature works on Samsung Knox and Lenovo.
    If this setting is enabled, the Enable notification bar and subsequent settings get disabled.

These settings will work only if your device is set up as an EMM device.

Compliance

When managing employee owned devices, it becomes imperative to make sure that the device adheres to compliance standards such as the device integrity, security and compatibility. 

To mitigate such risks, Scalefusion uses Google's SafetyNet Attestation API to check device compliance.

SafetyNet examines software and hardware information on the device where the Work Apps are being used. This attestation helps Scalefusion to determine whether or not the particular device has been tampered with or otherwise modified. 

Using Scalefusion's Device Profile for kiosk devices you can enforce stricter device compliance rules and the actions that need to be taken in the event of violation.

Setting

Description

Validate using SafetyNet Attestation

This SafetyNet API helps assess the security and compatibility of the Android devices that your users are using. You can choose between a Strict or a Moderate level for validations.

Allow use of Rooted Devices

Rooted devices are devices that have superuser access. You can allow or disallow the use of rooted devices while creating a device profile and then enrolling it.

Compliance Check Duration

You can select how often the compliance check should be performed. By default it happens every 24 hrs.

Compliance Violation Action

Choose the action that should be performed if any of the compliance rules are violated.
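
The following added example, which is not Scalefusion's own code, shows how a server might evaluate a SafetyNet attestation payload against a Strict or Moderate level. It assumes the JWS signature and certificate chain were verified beforehand, that Strict requires both basicIntegrity and ctsProfileMatch while Moderate requires only basicIntegrity, and it uses constructed sample tokens with a hypothetical package name.

```python
import base64
import hmac
import json

# Assumed mapping of the profile's validation levels to SafetyNet verdict
# fields; the page names the two levels but does not define them.
REQUIRED_FLAGS = {
    "strict": ("basicIntegrity", "ctsProfileMatch"),
    "moderate": ("basicIntegrity",),
}
DEFAULT_MAX_AGE_MS = 24 * 60 * 60 * 1000  # matches the default 24-hour check interval

# Constructed sample values (not taken from any real device or app).
SAMPLE_NONCE = b"constructed-nonce-0001"
SAMPLE_PACKAGE = "com.example.agent"  # hypothetical package name
SAMPLE_NOW_MS = 1_700_000_000_000


def decode_payload(jws):
    """Decode the payload of a compact JWS. This does NOT verify the signature;
    the caller must already have validated it and the certificate chain."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWS")
    segment = parts[1]
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    payload = json.loads(raw)
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload


def evaluate(jws, level, nonce, package, now_ms, max_age_ms=DEFAULT_MAX_AGE_MS):
    """Return the list of violations; an empty list means compliant."""
    if level not in REQUIRED_FLAGS:
        raise ValueError(f"unknown level: {level}")
    try:
        payload = decode_payload(jws)
    except ValueError:
        return ["malformed attestation"]
    violations = []
    # Replay protection: the verdict carries the base64 of the nonce we issued.
    expected = base64.b64encode(nonce)
    if not hmac.compare_digest(str(payload.get("nonce", "")).encode(), expected):
        violations.append("nonce mismatch")
    # Freshness: reject verdicts from the future or older than the check interval.
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or not 0 <= now_ms - ts <= max_age_ms:
        violations.append("timestamp outside allowed window")
    # The verdict must describe our own agent app, not some other package.
    if payload.get("apkPackageName") != package:
        violations.append("unexpected package")
    # A missing flag counts as a failure, never as a pass.
    for flag in REQUIRED_FLAGS[level]:
        if payload.get(flag) is not True:
            violations.append(f"{flag} failed")
    return violations


def sample_jws(basic_integrity, cts_profile_match, age_ms=60_000):
    """Build a constructed, unsigned sample token for the demo."""
    payload = {
        "nonce": base64.b64encode(SAMPLE_NONCE).decode(),
        "timestampMs": SAMPLE_NOW_MS - age_ms,
        "apkPackageName": SAMPLE_PACKAGE,
        "basicIntegrity": basic_integrity,
        "ctsProfileMatch": cts_profile_match,
    }

    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return ".".join([enc({"alg": "RS256"}), enc(payload), "c2FtcGxl"])


if __name__ == "__main__":
    for name, token in [("certified", sample_jws(True, True)),
                        ("uncertified", sample_jws(True, False)),
                        ("tampered", sample_jws(False, False))]:
        for level in ("strict", "moderate"):
            result = evaluate(token, level, SAMPLE_NONCE, SAMPLE_PACKAGE, SAMPLE_NOW_MS)
            print(f"{name:12} {level:9} {result or 'compliant'}")
```

Google has since deprecated the SafetyNet Attestation API in favour of the Play Integrity API, whose verdict fields differ.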

Access Conditions

There might be some applications that distract users while driving. Scalefusion has a provision to control access to applications based on device speed. With Speed Based Access configurations under Access Conditions, admins can block such applications once users have reached a specified speed limit, thus making driving a seamless experience.

Please refer to the document for Speed based Locking of apps to know how it can be done.

Exchange Settings

Use this setting to configure an Exchange account on the device. You can select a previously created exchange configuration. Please refer to our Exchange configuration document for details.

Note: The Gmail client is configured with the given configuration. Currently the Gmail app does not allow the Exchange configuration to be unpublished. So if you want to unpublish it at a later point, you would have to publish a dummy/invalid account to the devices.

Dev Tools

Developer API

In the Developer API section of Device profile an MDM SDK is provided that can be used in your enterprise apps to get the device information and perform a wide variety of actions (like launching wifi screen, toggle mobile data, toggle hotspot etc.) locally on device. Visit here for more details.

Advance Settings

Advance Settings

This section can be used to configure settings for specific devices, mainly Lenovo and Samsung Knox.

Setting

Description

Applicable on

Automatic Power ON/OFF

Enable / disable the following options to automatically power on/off a device when USB charger is connected or removed respectively:

  • Power on a device when USB charger is connected
  • Power off a device when USB charger is removed

Applicable on:

  • Power On: Lenovo, Samsung Knox (v2.6 and above)
  • Power Off: Samsung Knox (v2.8 and above)

On Samsung Knox devices, Power On feature is compatible with Qualcomm & LSI chipset ONLY. With other chipsets it may not work consistently. Refer here for more details.

Schedule Power ON/OFF time

With this setting enabled you can set time for switching on and switching off the device. Select the following:

  • TimeZone: Select the timezone which has to be followed for device to power on or power off
  • Device Power On Time
  • Device Power Off Time

Applicable on: Lenovo

On certain Lenovo models, this policy may not work or, once applied, cannot be removed.

