Lockdown policy fields for Android Enterprise devices in Work Profile for Company Owned Device mode

Whether a lockdown policy field applies to an Android Enterprise device depends on the Android Enterprise mode that the device is registered in. The modes — Work Managed Device mode, Managed device with Work Profile (COPE) mode on Android devices versions 8-10, and Work Profile on Company Owned Devices Android version 11 and supported later versions— are described in "Modes for Android Enterprise devices" in Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

Lockdown options in this section apply to Android Enterprise devices in Work Profile for Company Owned Device applicable to Android devices version 11 and supported later versions.

Table 34.   Lockdown policy fields: Android Enterprise in Work Profile for Company Owned Device mode
Item Description Default Policy Setting

Device Restrictions

Allow camera

Allows camera to function.

Not supported in Work Profile for Company Owned Device mode.

Enabled

Allow master volume un-mute

Allows the user to un-mute master volume. Note: volume is not muted by default.

Enabled

Allow microphone un-mute

Allows the user to un-mute microphone

Enabled

Allow automatic date & time

If checked, the user can change date and time.
If unchecked, user can make changes but system will reset the date and time automatically.

Enabled

Allow automatic timezone

Allows timezone to be set automatically. Note: the user can re-enable the ability to update time and timezone if this setting is disallowed.

Enabled

Allow safe boot of the device

Allows user to reboot the device into safe mode.

Enabled

Allow factory reset

Allows the user to initiate a factory reset of the device.

Applicable to Managed Device with Work Profile mode and Work Managed Device mode. Not supported in Work Profile for Company Owned Device mode.

Enabled

Allow the user to mount physical external media

Allows the user to mount external media such as SD cards or external drives.

Enabled

Allow the user to transfer files over USB

Allows user copy, paste, and transfer data and files using USB drives.

 

Enabled

Allow use of USB storage

Allows data to be stored on USB drives.

Applicable to Managed Device with Work Profile mode and Work Managed Device mode. Not supported in Work Profile for Company Owned Device mode.

Enabled

Keep device on while plugged in

Allows device to remain powered on when it is plugged in to a power source. When this field is enabled, the device does not go into sleep mode.

Disabled

Allow Keyguard (no effect if password or PIN is set)

Allows a keyguard, or lockscreen, on the device under the condition that the device has not been enabled using a PIN, password, or pattern.

Enabled

Allow backup service

Allows the user to backup and restore their devices using Google services on managed devices running Android 8.0 through the most recently released versions as supported by Ivanti.

Enabled

Allow install from unknown sources on the device

Allow installation of apps from untrusted sources in the personal profile. Unless this field is selected, the work profile never allows installation of apps from unknown sources.

Applicable to Work Managed Device mode. Not supported in Work Profile for Company Owned Device mode.

Disabled

Allow location settings modification

Allows device user to turn on/off location. Also, on some devices/OS versions, it allows the device user to control the accuracy of the device's location.

Supported in Work Profile for Company Owned Device mode.

Enabled

Phone & Network Restrictions

Allow SMS

Allow the user to send and receive SMS messages.

Enabled

Allow outgoing calls

Allow user to place outgoing calls.

Enabled

Allow data roaming

Allow the use of data while user is traveling outside of data plan area. Note: the user can re-enable this feature from settings.

Enabled

Allow Wi-Fi

If Allow Wi-FI is:

  • Enabled (default), the device user can turn Wi-Fi on or off
  • Not enabled, the device user cannot turn Wi-Fi on

Applicable to Managed Device with Work Profile mode and Work Managed Device mode. Not supported in Work Profile for Company Owned Device mode.

Caution: Turning off Wi-Fi on a Wi-Fi only device will make the device unable to communicate with Ivanti or any network. A factory reset will be needed to restore Wi-Fi capability on the device.

Enabled

Allow Wi-Fi to be configured

Allows the user to configure Wi-Fi.

Enabled

Allow Wi-Fi sleep policy to be configured

Allows user to configure the Wi-Fi sleep policy. On a device, the user can re-enable this feature from Settings. For this field, the server policy settings are applied when the device checks into Ivanti. If the user modifies the Wi-Fi sleep policy on a device and then you, as the administrator, changes the "Allow Wi-Fi sleep policy to be configured" field, the user modifications for this field are overwritten by the lockdown policy that resides on the server when the device checks in.

Enabled

Allow Bluetooth

If Allow Bluetooth is:

  • Enabled (default), the device user can turn Bluetooth on or off
  • Not enabled, the device user cannot turn Bluetooth on

Supported in Work Profile for Company Owned Device mode.

Enabled

Allow Bluetooth to be configured

Allows the user to configure Bluetooth on managed devices.

Enabled

Allow Bluetooth Outbound Sharing

Allows the user to share files using Bluetooth on managed devices running Android 8.0 through the most recently released versions as supported by Ivanti.

Enabled

Allow Emergency Broadcasts to be configured

Allows the user to configure Emergency Broadcasts.

Enabled

Allow mobile network to be configured

Allows the user to configure the mobile network.

Enabled

Allow tethering and mobile hotspots to be configured

Allows the user to configure tethering and hotspots.

Enabled

Allow VPN to be configured

Allows the user to configure VPN.

This setting must be enabled to allow the application of a managed VPN. As a workaround, enable Always-on VPN in Android Enterprise settings and select Tunnel as the App Identifier.

 

Enabled

Managed Device

Android 11:

Enable Common Criteria (CC) mode

Select to enable Common Criteria mode for Android 11 + devices.

If Common Criteria mode is turned off after being enabled previously, all existing Wi-Fi configurations will be lost.

Applicable to Managed Device with Work Profile mode and Work Profile on Company Owned Device mode.

Disabled

Android 12+:

Enable 5G Slicing

Administrators can set all app traffic through an enterprise 5G network slice. Instead of setting up slices through APNs, administrators can set devices to route the traffic from all apps in the work profile to an enterprise network slice through the UE Route Selection Policy (URSP) rules. Administrators can turn on or off Work Profile for Company Owned Devices app traffic routing to the enterprise network slice on a per-employee basis. In the Device Details page, the 5G Slicing status is indicated. Advanced searching on 5G is also part of this feature, as is making compliance rules.

Requires support from 5G service provider.

Disabled

Security Logging

Enable Security Logging on Android

When enabled, information is collected for security auditing purposes. These help administrators identify suspicious activity by remotely tracking device activity, including app launches, Android Debug Bridge (adb) activity, and screen unlocks. These logs become available to device administrators on demand. To protect the privacy of the user, some information (such as personal app launch events) are hidden, or redacted (for example, details of the physical volume mount events).

Disabled

Lockdown policies