Lockdown policy fields for Android Enterprise devices in Work Managed Device mode and Managed Device with Work Profile mode

Whether a lockdown policy field applies to an Android Enterprise device depends on the Android Enterprise mode in which the device is registered. The modes are Work Managed Device mode, Managed Device with Work Profile (COPE) mode on Android devices running versions 8-10, and Work Profile on Company Owned Devices mode on Android 11 and later supported versions. They are described in "Modes for Android Enterprise devices" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

Lockdown options in this section apply to Android Enterprise devices in Work Managed Device mode and in Managed Device with Work Profile (COPE) mode on Android devices running versions 8-10.

Table 33. Lockdown policy fields: Android Enterprise in Work Managed Device mode and Managed Device with Work Profile mode
Each entry lists, in order: Item, Description, Default Policy Setting

Device Restrictions

Allow camera

Allows camera to function.

Enabled

Allow master volume un-mute

Allows the user to un-mute master volume. Note: volume is not muted by default.

Enabled

Allow microphone un-mute

Allows the user to un-mute the microphone.

Enabled

Allow automatic date & time

If checked, the user can change the date and time.
If unchecked, the user can make changes, but the system will reset the date and time automatically.

Enabled

Allow automatic timezone

Allows timezone to be set automatically. Note: the user can re-enable the ability to update time and timezone if this setting is disallowed.

Enabled

Allow safe boot of the device

Allows the user to reboot the device into safe mode.

Enabled

Allow factory reset

Allows the user to initiate a factory reset of the device.

Enabled

Allow the user to mount physical external media

Allows the user to mount external media such as SD cards or external drives.

Enabled

Allow the user to transfer files over USB

Allows the user to copy, paste, and transfer data and files using USB drives.

Enabled

Allow use of USB storage

Allows data to be stored on USB drives.

Enabled

Keep device on while plugged in

Allows device to remain powered on when it is plugged in to a power source. When this field is enabled, the device does not go into sleep mode.

Disabled

Allow Keyguard (no effect if password or PIN is set)

Allows a keyguard, or lock screen, on the device, provided that no PIN, password, or pattern has been set on the device.

Enabled

Allow backup service

Allows the user to back up and restore their devices using Google services on managed devices running Android 8.0 through the most recently released versions as supported by Ivanti.

Enabled

Allow install from unknown sources on the device

Allows the administrator to enable installation of apps from unknown sources on the device. Unless this field is selected, the work profile never allows installation of apps from unknown sources.

Disabled

Phone & Network Restrictions

Allow SMS

Allows the user to send and receive SMS messages.

Enabled

Allow outgoing calls

Allows the user to place outgoing calls.

Enabled

Allow data roaming

Allows the use of data while the user is traveling outside of the data plan area. Note: the user can re-enable this feature from settings.

Enabled

Allow Wi-Fi

If Allow Wi-Fi is:

  • enabled (default), the device user can turn Wi-Fi on or off
  • not enabled, the device user cannot turn Wi-Fi on

Caution: Turning off Wi-Fi on a Wi-Fi only device will make the device unable to communicate with Ivanti or any network. A factory reset will be needed to restore Wi-Fi capability on the device.

Enabled

Allow Wi-Fi to be configured

Allows the user to configure Wi-Fi.

Enabled

Allow Wi-Fi sleep policy to be configured

Allows the user to configure the Wi-Fi sleep policy. On a device, the user can re-enable this feature from Settings. For this field, the server policy settings are applied when the device checks in to Ivanti. If the user modifies the Wi-Fi sleep policy on a device and you, as the administrator, then change the "Allow Wi-Fi sleep policy to be configured" field, the user's modifications are overwritten by the lockdown policy that resides on the server when the device checks in.

Enabled

Allow Bluetooth

If Allow Bluetooth is:

  • enabled (default), the device user can turn Bluetooth on or off
  • not enabled, the device user cannot turn Bluetooth on

Enabled

Allow Bluetooth to be configured

Allows the user to configure Bluetooth on managed devices.

Enabled

Allow Bluetooth Outbound Sharing

Allows the user to share files using Bluetooth on managed devices running Android 8.0 through the most recently released versions as supported by Ivanti.

Enabled

Allow Emergency Broadcasts to be configured

Allows the user to configure Emergency Broadcasts.

Enabled

Allow mobile network to be configured

Allows the user to configure the mobile network.

Enabled

Allow tethering and mobile hotspots to be configured

Allows the user to configure tethering and hotspots.

Enabled

Allow VPN to be configured

Allows the user to configure VPN.

This setting must be enabled to allow the application of a managed VPN. As a workaround, enable Always-on VPN in Android Enterprise settings and select Tunnel as the App Identifier.

Enabled

Managed Device

Android 11:

Enable Common Criteria (CC) mode

Select to enable Common Criteria mode for Android 11+ devices.

If Common Criteria mode is turned off after being enabled previously, all existing Wi-Fi configurations will be lost.

Applicable to Managed Device with Work Profile mode and Work Profile on Company Owned Device mode.

Disabled
