Lockdown policies
| NOTE: | Lockdown policies do not apply to iOS or macOS devices. |
Lockdown policies specify which features should be disabled in the event that device access must be restricted. To create a lockdown policy, go to Policies & Configs > Policies > Add New > Lockdown. Some policy changes can prompt users to restart their device after the policy is applied to the device.
Extended lockdown policies for Android and Android enterprise devices are supported on Samsung Knox devices. Support for specific settings sometimes depends on the Android OS version, the Mobile@Work version, and the Samsung Knox API version on the device. Extended lockdown policies are also available for Android enterprise devices that are work managed devices. Refer to the MobileIron Core Device Management Guide for Android enterprise for details.
This section includes the following topics:
- General lockdown policy fields
- Lockdown policy fields for all Android devices and Android enterprise devices
- Lockdown policy fields for all Android enterprise devices
- Lockdown policy fields for Android enterprise devices in Work Profile mode and Managed Device with Work Profile mode
- Lockdown policy fields for Android enterprise devices in Work Profile mode and Managed Device with Work Profile mode
- Lockdown policy fields for Android enterprise devices in Work Managed Device mode and Managed Device with Work Profile mode
- Lockdown policy fields for Android enterprise devices with Samsung Restrictions in Work Managed Device mode and Managed Device in Work Profile mode
- Lockdown policy fields for Samsung Knox devices in Device Admin mode
- When work profile accounts can be modified
- Lockdown policy fields for Windows devices
General lockdown policy fields
This section describes fields that are available for Android, Android enterprise, and Windows devices.
|
Item |
Description |
Default Policy Setting |
|||
|
Name |
Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type. Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries. |
Default Lockdown Policy |
|||
|
Status |
Select Active to turn on this policy. Select Inactive to turn off this policy. |
Active |
|||
|
Priority |
Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select “Higher than” or “Lower than”, then select an existing policy from the drop-down list. For example, to give Policy A a higher priority than Policy B, you would select “Higher than” and “Policy B”. See “Prioritizing policies” in the Device Management Guide for more information. Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type. |
|
|||
|
Description |
Enter an explanation of the purpose of this policy. |
Default Lockdown Policy |
|||
|
Enable or disable access to Bluetooth features. You can enable both Audio and Data or just Audio. Caution: MobileIron recommends against disabling audio because hands-free Bluetooth access is disabled. Legal requirements for hands-free use of devices while driving is widespread.
|
Enable Audio & Data |
||||
|
Enable or disable camera access. |
Enable |
||||
|
When checked the Camera policy is considered enforced no matter the state of the camera. GPS location is not considered when user control is checked. |
Unchecked |
||||
|
NFC |
Enable or disable NFC (Near-field Communication) data exchange when the device touches another device. |
Enable |
|||
|
USB Mass Storage |
Enable or disable access to the device’s USB storage from a computer. |
Enable |
|||
|
Enable or disable access to the secure data card. |
Enable |
||||
|
Enable or disable access to wireless LANs. Caution: Disabling Wi-Fi on Wi-Fi-only devices is not recommended. A factory reset will be necessary to re-enable Wi-Fi on such devices.
|
Enable |
||||
|
Roaming Data |
Enable or disable access to data services while roaming. |
Enable |
|||
|
Copy / Paste |
Enable or disable access to copy / paste functionality. |
Enable |
|||
|
Screen Capture |
Note The Following:
Enable or disable screen capture. |
Enable |
|||
|
GPS |
If GPS User Control is disabled, specify whether GPS is enabled or disabled on the device. |
Enable |
|||
|
GPS User Control |
Enable or disable the device user’s ability to turn GPS on and off. |
Enable |
Lockdown policy fields for all Android devices and Android enterprise devices
These lockdown options apply to all Android devices and all Android enterprise devices.
|
Item |
Description |
Default Policy Setting |
|||
|
Lockscreen Widgets |
Enable or disable the ability to add widgets to the lockscreen. Placing widgets on the lockscreen means device users can perform tasks without unlocking the device.
See also: Block Fingerprint and Block SmartLock settings in the Device Management Guide for Android Devices. |
Enable |
|||
|
Microphone |
Enable or disable access by apps to the microphone. This feature does not impact voice calls. |
Enable |
|||
|
Always Connect Device to Managed Wi‑Fi |
When enabled, device will automatically connect to a managed Wi‑Fi if one is available. This prevents users from connecting to a nearby access point if a managed Wi‑Fi is available. If a managed Wi‑Fi is listed under Turn Off Wi-Fi for these SSIDs, enabling Always Connect Device to Managed Wi‑Fi will overrule that setting and will connect to the managed Wi‑Fi. |
Disable |
|||
|
Debugging (USB, work profile and managed device) |
Enable or disable the device user’s ability to enable debugging on the USB, work profile, and managed profile. |
Enable |
Lockdown policy fields for all Android enterprise devices
Whether a lockdown policy field applies to an Android enterprise device depends on the Android enterprise mode that the device is registered in. The modes -- Work Profile Mode, Work Managed Device Mode, and Managed Device with Work Profile Mode -- are described in "Modes for Android enterprise devices" in the MobileIron Core Device Management Guide for Android and Android enterprise Devices.
Lockdown options in this section apply to all Android enterprise devices in all modes. On personally owned devices, these options do not impact the personal side of the device.
|
Item |
Description |
Default Policy Setting |
|||
|
Allow screen capture |
Allows screen capture of apps or data inside the Android enterprise profile |
Selected |
|||
|
Allow the user to turn on location sharing |
Allows device GPS location to be shared with Work apps. Supported on Android 5.1 through the most recently released version as supported by MobileIron. For important information about Android 10-specific Wi-Fi settings, See "Wi-Fi network priority for Android devices" in the MobileIron Core Device Management Guide for Android and Android enterprise Devices. |
Selected |
|||
|
Allow modification of applications in Settings or launchers |
Allows user to change application settings such as clearing cache, deleting data, uninstalling, or force stopping apps in App settings screen. Note: use “Block uninstall” option in App Catalog app details to prevent user from uninstalling the app. |
Selected |
|||
|
Allow the user to configure user credentials |
Allows user to change credentials in the Work profile, in Android Settings > Security > Trusted Credentials > Work. |
Selected |
|||
|
Allow the user to create and modify accounts |
Allows user to create or modify accounts in the Work profile, in Android Settings > Account. For more information, see When work profile accounts can be modified. |
Selected |
|||
|
Allow the user to transfer app data over NFC |
Allows use of NFC to transfer app data. Supported on Android 5.1 through the most recently released version as supported by MobileIron. |
Selected |
|||
|
Google Play Auto-Update Policy |
Determines the automatic update policy that Google Play Store uses to update apps on the device. On the device, you can view these options by opening the Google Play Store app and selecting Settings. The option in Google Play Store settings is named Auto-update apps. The choices for this lockdown policy field are:
The device user can change the Auto-update apps setting in Google Play Store only if you select User Defined on the lockdown policy.
|
User Defined |
|||
|
Enable system apps |
Allows user access to the system apps that are enabled by the administrator. This could include the system phone and camera. This is useful when a device initially disables system apps and then the administrator wants to enable it. Enabling does not work if the package of the system app is not present in the configuration. Note The Following: Because of Android limitations, in order to remove an app from the System Apps blacklist, it is not enough for the administrator to remove the application's package name from "Disabled system apps" list box in the Lockdown Policy. Due to Android limitations, the app's package name should also be listed in the "Enabled system apps" list box. When removing an application from the system apps blacklist, the administrator needs to also add it to the whitelist. This ensures the blacklisted app becomes accessible. Administrators need to be aware that there are consequences when changing system apps. |
Not selected |
|||
|
Disable system apps |
Prevents the user from using the system apps restricted by the administrator. Note The Following: Because of Android limitations, in order to remove an app from the System Apps blacklist, it is not enough for the administrator to remove the application's package name from "Disabled system apps" list box in the Lockdown Policy. Due to Android limitations, the app's package name should also be listed in the "Enabled system apps" list box. When removing an application from the system apps blacklist, the administrator needs to also add it to the whitelist. This ensures the blacklisted app becomes accessible. Administrators need to be aware that there are consequences when changing system apps. |
Not selected |
|||
|
Ensure Verify apps |
Restricts the user from disabling the "Verify Apps" option in Android. |
Selected |
|||
|
Restrict Input Methods |
Leave blank to permit ONLY system input methods, and add specific package names to enable third-party input apps. This does NOT apply to devices if users have already selected a third-party input app. This configuration only restricts new changes to the input method. |
Not selected |
|||
|
Restrict accessibility services |
Leave blank to permit ONLY system input methods, and add specific package names to enable third-party input apps. This does NOT apply to devices if users have already selected a third-party accessibility service. This configuration only restricts new changes to the accessibility service. |
Not selected |
Lockdown policy fields for Android enterprise devices in Work Profile mode and Managed Device with Work Profile mode
Whether a lockdown policy field applies to an Android enterprise device depends on the Android enterprise mode that the device is registered in. The modes -- Work Profile Mode, Work Managed Device Mode, and Managed Device with Work Profile Mode -- are described in "Modes for Android enterprise devices" in the MobileIron Core Device Management Guide for Android and Android enterprise Devices.
Lockdown options in this section apply to Android enterprise devices in Work Profile mode.
|
Item |
Description |
Default Policy Setting |
|||
|
Allow copy and paste |
Allows copy and paste from apps inside the Android enterprise profile to apps outside the profile. |
Selected |
|||
|
Allow caller ID across profiles |
Allows caller ID to be visible to phone app in all profiles.
|
Selected |
|||
|
Allow work calendar sharing with personal profile |
Select to allow calendar sharing of work calendar information with the personal profile. This is so apps can display work events alongside personal events in device user's personal profile (for example calendar apps like Google calendar.) If the work event is tapped within the personal profile, a view of the event displays. Tapped again, it opens the event in the work calendar. Applicable to Managed devices with work profiles. |
Not selected |
|||
|
Allow contact search across profiles |
Allows personal space Contacts app sharing across the profile.
|
Selected |
|||
|
Allow contact sharing on Bluetooth devices. |
Allows the caller ID to be visible on another Bluetooth device such as your car’s Bluetooth screen.
|
Selected |
|||
|
Allow unknown sources in personal profile |
Allow installation of apps from untrusted sources in the personal profile. The work profile never allows installation of apps from unknown sources. |
Not selected |
|||
|
Android 8: Allow Auto-Fill |
Allows password autofill. |
Selected |
|||
|
Android 8: Allow work app notifications in personal profile |
When device user is in personal profile, notifications from Mobile@Work apps will display. |
Selected |
|||
|
Android 8: Allow Bluetooth Sharing |
Allows Bluetooth sharing with other devices. |
Selected |
|||
|
Android 9: Allow Printing |
Allows the printing of documents from Mobile@Work apps. |
Selected |
|||
|
Android 9: Allow Share into Profile |
Allows sharing from outside the Work Profile to inside the Work Profile |
Selected |
Lockdown policy fields for Samsung Knox Workspace (3.0) Android enterprise devices in Managed Device with Work Profile mode
The lockdown options in this section apply to Android enterprise devices in Work Profile mode and Managed device with Work Profile mode for Samsung Knox version 3.0. These lockdowns allow you to set a variety of restrictions, such as allowing Google accounts to auto sync, providing content sharing, and sharing of calendar information outside a container. You must select the Enable Samsung Workspace restrictions check box to display the following fields.
| NOTE: | The API s in the following table may require a Samsung Knox license. If you do not have a Samsung Knox license, these fields may not be supported. |
|
Item |
Description |
Default Policy Setting |
|
Whitelisted Google Accounts |
Allows you to whitelist specific Google Accounts. To add an account, click the + button and type in the name of the Google account. To delete a Google account, select the account and then click the - button. |
None |
|
Allow camera |
Allows the camera on the phone to function. |
Disabled |
|
Allow content sharing |
Allows content sharing |
Disabled |
|
Allow email account creation |
Allows the device user to create an email account. |
Disabled |
|
Allow NFC |
Enable or disable NFC (Near-field Communication) data exchange when the device touches another device. |
Disabled |
|
Allow USB |
Enable or disable the USB protocol. |
Disabled |
|
Allow New Admin Install |
Enable or disable the installation of another administration app from all sources, unless the app install is performed by the admin enforcing this policy. This policy can only be applied if there are no other administrators activated with the exception of Mobile@Work clients. |
Disabled |
|
Allow Google Accounts Auto Sync |
Enable or disable the ability of Google accounts to sync automatically. This option does not block the Google Play Store from updating installed apps. |
Disabled |
|
Enable Certificate Revocation Status (CRL) Check |
Enable or disable the Certificate Revocation List (CRL) check for revocation of the server-certificate chain during the SSL mutual authentication process. |
Disabled |
|
Allow sharing of calendar information outside container |
Enable or disable sharing of calendar information outside of the container. |
Disabled |
Lockdown policy fields for Android enterprise devices in Work Managed Device mode and Managed Device with Work Profile mode
Whether a lockdown policy field applies to an Android enterprise device depends on the Android enterprise mode that the device is registered in. The modes—Work Profile Mode, Work Managed Device Mode, and Managed Device with Work Profile Mode—are described in "Modes for Android enterprise devices" in MobileIron Core Device Management Guide for Android and Android enterprise Devices.
Lockdown options in this section apply to Android enterprise devices in Work Managed Device mode and devices in Managed Device with Work Profile mode.
|
Item |
Description |
Default Policy Setting |
|||
|
Device Restrictions |
|||||
|
Allow camera |
Allows camera to function. |
Enabled |
|||
|
Allow master volume un-mute |
Allows the user to un-mute master volume. Note: volume is not muted by default. |
Enabled |
|||
|
Allow microphone un-mute |
Allows the user to un-mute microphone |
Enabled |
|||
|
Allow automatic date & time |
If checked, the user can change date and time. |
Enabled |
|||
|
Allow automatic timezone |
Allows timezone to be set automatically. Note: the user can re-enable the ability to update time and timezone if this setting is disallowed. |
Enabled |
|||
|
Allow safe boot of the device |
Allows user to reboot the device into safe mode. |
Enabled |
|||
|
Allow factory reset |
Allows the user to initiate a factory reset of the device. |
Enabled |
|||
|
Allow the user to mount physical external media |
Allows the user to mount external media such as SD cards or external drives. |
Enabled |
|||
|
Allow the user to transfer files over USB |
Allows user copy, paste, and transfer data and files using USB drives. |
Enabled |
|||
|
Allow use of USB storage |
Allows data to be stored on USB drives. |
Enabled |
|||
|
Keep device on while plugged in |
Allows device to remain powered on when it is plugged in to a power source. When this field is enabled, the device does not go into sleep mode. |
Disabled |
|||
|
Allow Keyguard (no effect if password or PIN is set) |
Allows a keyguard, or lockscreen, on the device under the condition that the device has not been enabled using a PIN, password, or pattern. |
Enabled |
|||
|
Allow backup service |
Allows the user to backup and restore their devices using Google services on managed devices running Android 8.0 through the most recently released versions as supported by MobileIron. |
Enabled |
|||
|
Phone & Network Restrictions |
|||||
|
Allow SMS |
Allow the user to send and receive SMS messages. |
Enabled |
|||
|
Allow outgoing calls |
Allow user to place outgoing calls. |
Enabled |
|||
|
Allow data roaming |
Allow the use of data while user is traveling outside of data plan area. Note: the user can re-enable this feature from settings. |
Enabled |
|||
|
Allow Wi-Fi |
If Allow Wi-FI is:
Caution: Turning off Wi-Fi on a Wi-Fi only device will make the device unable to communicate with MobileIron Core or any network. A factory reset will be needed to restore Wi-Fi capability on the device. |
Enabled |
|||
|
Allow Wi-Fi to be configured |
Allows the user to configure Wi-Fi. |
Enabled |
|||
|
Allow Wi-Fi sleep policy to be configured |
Allows user to configure the Wi-Fi sleep policy. On a device, the user can re-enable this feature from Settings. For this field, the server policy settings are applied when the device checks into Core. If the user modifies the Wi-Fi sleep policy on a device and then you, as the admin, change the "Allow Wi-Fi sleep policy to be configured" field, the user modifications for this field are overwritten by the lockdown policy that resides on the server when the device checks in. |
Enabled |
|||
|
Allow Bluetooth |
If Allow Bluetooth is:
|
Enabled |
|||
|
Allow Bluetooth to be configured |
Allows the user to configure Bluetooth on managed devices. |
Enabled |
|||
|
Allow Bluetooth Outbound Sharing |
Allows the user to share files using Bluetooth on managed devices running Android 8.0 through the most recently released versions as supported by MobileIron. |
Enabled |
|||
|
Allow Emergency Broadcasts to be configured |
Allows the user to configure Emergency Broadcasts. |
Enabled |
|||
|
Allow mobile network to be configured |
Allows the user to configure the mobile network. |
Enabled |
|||
|
Allow tethering and mobile hotspots to be configured |
Allows the user to configure tethering and hotspots. |
Enabled |
|||
|
Allow VPN to be configured |
Allows the user to configure VPN.
|
Enabled |
|||
Lockdown policy fields for Android enterprise devices with Samsung Restrictions in Work Managed Device mode and Managed Device in Work Profile mode
These lockdown options are applied to Android enterprise Samsung devices in both the Work Managed Device mode and the Managed Device in Work Profile mode. You must select the Enable Samsung Restrictions checkbox in order to display the Samsung Restrictions drop-down menu.
|
Item |
Description |
Default Policy Setting |
|||
|
Android Browser |
Enable or disable access to the Android browser. |
Enable |
|||
|
Email Account Creation |
Enable or disable the device user’s ability to configure an email account on the device. |
Enable |
|||
|
Factory Reset |
Enable or disable the ability for users to reset the device to factory defaults. |
Enable |
|||
|
Google Backup |
Enable or disable backup to Google servers. |
Enable |
|||
|
Google Play |
Enable or disable access to Google Play. |
Enable |
|||
|
Incoming SMS |
Enable or disable incoming SMS messages. The user is not informed if SMS is blocked. |
Enable |
|||
|
Outgoing SMS |
Enable or disable outgoing MMS messages. |
Enable |
|||
|
Incoming MMS |
Enable or disable incoming MMS messages. The user is not informed if MMS is blocked. |
Enable |
|||
|
Outgoing MMS |
Enable or disable outgoing MMS messages. |
Enable |
|||
|
Make Passwords Visible |
Select Enable to allow users to change the “Make Passwords Visible” setting on their device. Select Disable to prevent users from changing this setting and make password characters not visible. |
Enable |
|||
|
Developer options |
Enable or disable this option to make USB debugging available to developers on Samsung Knox devices. |
Enable |
|||
|
OTA Upgrade |
Enable or disable over-the-air upgrades of the device firmware. Over-the-air upgrades require the device to be in recovery mode. Therefore, for devices to perform an over-the-air upgrade, enable both Recovery Mode and OTA Upgrade in the lockdown policy.
|
Enable |
|||
|
Recovery Mode |
Enable or disable the device from entering Recovery Mode. Caution: use Disable with care. Disabling recovery mode on a device may make the device unrecoverable if there is an issue with the device’s operating system. |
Enable |
|||
|
Roaming Voice Calls |
Enable or disable voice calls while roaming. |
Enable |
|||
|
Safe Mode |
Enable or disable the user’s ability to reboot a Samsung Knox device into Safe Mode.
|
Enable |
|||
|
Setting Changes |
Enable or disable the device user access to the settings app.
|
Enable |
|||
|
Tethering - Bluetooth |
Enable or disable Bluetooth tethering. Refer to “Bluetooth lockdown for Samsung Knox devices” in the MobileIron Core Device Management Guidefor Android Devices. |
Enable |
|||
|
Tethering - USB |
Enable or disable USB tethering. |
Enable |
|||
|
Tethering - Wi-Fi |
Enable or disable Wi-Fi tethering. |
Enable |
|||
|
USB Media Player |
Enable or disable the USB media player. |
Enable |
|||
|
Manual Date Time Change |
Enable or disable the ability to manually change the date and time. |
Enable |
|||
|
Certificate Revocation Status (CRL) Check |
Enable or disable the Certificate Revocation List (CRL) check for revocation of the server-certificate chain during the SSL mutual authentication process. |
Disabled |
|||
|
Google Crash Report |
An administrator can use this API to enable or disable sending a crash report to Google. If disabled, all possible Google crash reports are blocked. |
Enable |
|||
|
Google Accounts Auto-sync |
Enable or disable Google accounts auto-sync. |
Enable |
|||
|
Multi-user mode |
Enable or disable the Multi-user mode. |
Enable |
|||
|
New admin installation |
Enable or disable new admin installation. |
Enable |
|||
|
Allow cellular data |
Enable or disable the ability for users to use cellular data.
|
Enable |
|||
|
Allow USB HID Protocol |
Enable or disable the USB Human Interface Device (HID) protocol. |
Enable |
|||
|
Restricted Apps |
List apps that you want to prevent from being installed or run on Samsung Knox devices. Click + to add an application identifier (app ID) for the app. The app ID is case-sensitive. You can use the wild card character * to cover a set of apps, such as all apps from a particular vendor. For example, com.abcdef.* restricts all application IDs beginning with com.abcdef. However, to ensure that pre-existing apps get restricted, provide the complete app ID. Do not use a wild card character. |
(empty) |
|||
|
Allowed Apps |
List the apps that you that are exceptions to the apps covered by a wild card character in the Restricted Apps section. Click + to add an application identifier (app ID) for the app. The app ID is case-sensitive. |
(empty) |
|||
|
Turn Off Wi-Fi for SSIDs |
Prevent Samsung Knox devices from accessing the Wi-Fi SSIDs listed in this section. Click + to add an SSID. The SSID is case-sensitive.
In Mobile@Work 9.0.0.0 for Android, connection to SSIDs listed in this section can occur if the SSID is managed and Always Connect Device to Managed Wi-Fi is enabled. |
(empty) |
Lockdown policy fields for Samsung Knox devices in Device Admin mode
These lockdown options are applied to Samsung Knox devices in Device Admin mode.
|
Item |
Description |
Default Policy Setting |
|||
|
Android Browser |
Enable or disable access to the Android browser. |
Enable |
|||
|
Email Account Creation |
Enable or disable the device user’s ability to configure an email account on the device. |
Enable |
|||
|
Cellular Data |
Enable or disable the ability for users to use cellular data.
|
Enable |
|||
|
Factory Reset |
Enable or disable the ability for users to reset the device to factory defaults. |
Enable |
|||
|
Google Backup |
Enable or disable backup to Google servers. |
Enable |
|||
|
Google Play |
Enable or disable access to Google Play. |
Enable |
|||
|
Incoming MMS |
Enable or disable incoming MMS messages. The user is not informed if MMS is blocked. |
Enable |
|||
|
Incoming SMS |
Enable or disable incoming SMS messages. The user is not informed if SMS is blocked. |
Enable |
|||
|
Make Passwords Visible |
Select Enable to allow users to change the “Make Passwords Visible” setting on their device. Select Disable to prevent users from changing this setting and make password characters not visible. |
Enable |
|||
|
Developer options |
Enable or disable this option to make USB debugging available to developers on Samsung Knox devices. |
Enable |
|||
|
Management Removal |
Enable or disable the device user’s ability to remove the Samsung DM Agent from Android devices. |
Enable |
|||
|
OTA Upgrade |
Enable or disable over-the-air upgrades of the device firmware. Over-the-air upgrades require the device to be in recovery mode. Therefore, for devices to perform an over-the-air upgrade, enable both Recovery Mode and OTA Upgrade in the lockdown policy.
|
Enable |
|||
|
Outgoing MMS |
Enable or disable outgoing MMS messages. |
Enable |
|||
|
Outgoing SMS |
Enable or disable outgoing SMS messages. |
Enable |
|||
|
Recovery Mode |
Enable or disable the device from entering Recovery Mode. Caution: use Disable with care. Disabling recovery mode on a device may make the device unrecoverable if there is an issue with the device’s operating system. |
Enable |
|||
|
Roaming Voice Calls |
Enable or disable voice calls while roaming. |
Enable |
|||
|
Safe Mode |
Enable or disable the user’s ability to reboot a Samsung Knox device into Safe Mode.
|
Enable |
|||
|
Setting Changes |
Enable or disable the device user access to the settings app.
|
Enable |
|||
|
Tethering - Bluetooth |
Enable or disable Bluetooth tethering. Refer to “Bluetooth lockdown for Samsung Knox devices” in the MobileIron Core Device Management Guide for Android Devices. |
Enable |
|||
|
Tethering - USB |
Enable or disable USB tethering. |
Enable |
|||
|
Tethering - Wi-Fi |
Enable or disable Wi-Fi tethering. |
Enable |
|||
|
Unknown Sources |
Enable or disable installation of apps from sources other than Google Play. |
Enable |
|||
|
USB Media Player |
Enable or disable the USB media player. |
Enable |
|||
|
YouTube App |
Enable or disable access to YouTube App. |
Enable |
|||
|
Manual Date Time Change |
Enable or disable the ability to manually change the date and time. |
Enable |
|||
|
Certificate Revocation Status (CRL) Check |
Enable or disable the Certificate Revocation List (CRL) check for revocation of the server-certificate chain during the SSL mutual authentication process. |
Disable |
|||
|
Google Crash Report |
An administrator can use this API to enable or disable sending a crash report to Google. If disabled, all possible Google crash reports are blocked. |
Enable |
|||
|
Google Accounts Auto-sync |
Enable or disable Google accounts auto-sync. |
Enable |
|||
|
Multi-user mode |
Enable or disable the Multi-user mode |
Enable |
|||
|
New admin installation |
Enable or disable new admin installation |
Enable |
|||
|
Allow USB HID Protocol |
Enable or disable the USB Human Interface Device (HID) protocol. |
Enable |
|||
|
Restricted Apps |
List apps that you want to prevent from being installed or run on Samsung Knox devices. Click + to add an application identifier (app ID) for the app. The app ID is case-sensitive. You can use the wild card character * to cover a set of apps, such as all apps from a particular vendor. For example, com.abcdef.* restricts all application IDs beginning with com.abcdef. However, to ensure that pre-existing apps get restricted, provide the complete app ID. Do not use a wild card character. |
(empty) |
|||
|
Allowed Apps |
List the apps that you that are exceptions to the apps covered by a wild card character in the Restricted Apps section. Click + to add an application identifier (app ID) for the app. The app ID is case-sensitive. |
(empty) |
|||
|
Turn Off Wi-Fi for these SSIDs |
Prevent Samsung Knox devices from accessing the Wi-Fi SSIDs listed in this section. Click + to add an SSID. The SSID is case-sensitive.
In Mobile@Work 9.0.0.0 for Android, connection to SSIDs listed in this section can occur if the SSID is managed and Always Connect Device to Managed Wi-Fi is enabled. |
(empty) |
When work profile accounts can be modified
One Android enterprise setting in the lockdown policy is Allow the user to create and modify accounts. This setting applies only to work profile accounts. It does not impact personal accounts.
If this lockdown policy setting is selected, the device user or an Android enterprise app can add, modify, or delete work profile accounts on the device in Settings > Accounts.
A four-hour time period begins after Mobile@Work receives a lockdown policy in which the setting Allow the user to create and modify accounts is not selected. During that time period, the device user and Android enterprise apps on the device can continue to add, modify, and delete work profile accounts. After the time period ends, work profile accounts cannot be added, modified, or deleted. Therefore, during this time period, the Divide Productivity or Gmail app can add the account that you specify in the Configuration Choices section for the app in the App Catalog on the Admin Portal. Make sure that your device users launch the Divide Productivity or Gmail app within the four-hour time period.
Note The Following:
- Restarting a device does not restart the time period.
-
Changing settings in the Configuration Choices section for Divide Productivity and Gmail in the App Catalog on the Admin Portal will have no impact to the account settings on the device after the time period is over. An exception to this rule exists for two app configurations. You can change these app configurations at any time, and the account settings on the device will be updated. These two app configurations are:
- default email signature
- default sync window
Lockdown policy fields for Windows devices
These lockdown options are applied to Windows devices.
|
Item |
Description |
Default Policy Setting |
|||
|
Internet Sharing |
Enable or disable Internet sharing. |
Enable |
|||
|
Microsoft Store |
Enable or disable access to the Windows Store.
|
Enable |
|||
|
Manual Email Set-up |
Enable or disable ability to manually add an email account on the device. |
Enable |
|||
|
VPN while Roaming |
Enable or disable VPN when device is out of network. |
Enable |
|||
|
Hotspot Discovery |
Enable or disable Hotspot Discovery. |
Enable |
|||
|
Microsoft Account |
Enable or disable Microsoft SkyDrive or Live Account. |
Enable |
|||
|
Save as of MS-Office |
Enable or disable the Save As operation for a MS-Office document.
|
Enable |
|||
|
Browser |
Enable or disable Internet Explorer. The option does not have any impact on any other browsers installed from the Windows Store.
|
Enable |
|||
|
Manual Wi-Fi Setup |
Enable or disable ability to manually add a Wi-Fi setup. |
Enable |
|||
|
Wi-Fi Sense Hotspots |
Enable or disable the device to automatically connect to Wi-Fi Hotspots and friend social network. |
Enable |
|||
|
Sharing Of MS-Office Files |
Enable or disable sharing MS-Office files.
|
Enable |
|||
|
Sync User Settings to Device(s) |
Enable or disable the device to automatically sync user settings to the Windows device.
|
Enable |
|||
|
Action Center Notifications |
Enable or disable Action Center notifications.
|
Enable |
|||
|
Developer Unlock |
Enable or disable Developer Unlock. |
Enable |
|||
|
Search to Use Location |
Enable or disable the Access to my location feature on the device. Disabling this feature impacts the Cortana and Bing. |
Enable |
|||
|
Manual Root Certificate Installation |
Enable or disable ability to manually install a root certificate on the device. If disabled, the device user cannot install a root certificate to the device.
|
Enable |
|||
|
Store Images From Visual Search |
Enable or disable the Visual Search option in Bing. |
Enable |
|||
|
Voice Recording |
Enable or disable voice recording in Cortana.
|
Enable |
|||
|
Return Without Password |
Enable or disable ability for the device user to set grace period for locking. If enabled, the device user can set the grace period for locking the device. If disabled, the Security policy sets the grace period, and the option is not available to the device user.
|
Enable |
|||
|
Cortana |
Enable or disable Cortana. |
Enable |
|||
|
Block Browser Popups |
Enable or disable to block popups in browsers. |
Enable |
|||
|
Browser Password Manager |
Enable or disable the use of a browser password manager. |
Enable |
|||
|
MS Error Reporting |
Provides full, enhanced, basic, or security level error reporting. |
Full |
|||
|
Let Apps Run In Background |
Allows administrators to turn off all applications running in the background to preserve battery usage on Windows devices that are on limited power or using cellular services. |
User In Control |
|||
|
Windows Phone - Corporate Owned Devices Only For Windows devices only. |
|||||
|
Reset Phone |
Enable or disable the device user's ability to reset the device to factory defaults. |
Enable |
|||
|
MDM Un-enrollment |
Enable or disable the device user’s ability to remove the device from management by MobileIron Core. |
Enable |
|||