Lockdown policy fields for Android Enterprise devices in Work Managed Device mode, Managed device with Work Profile mode, and Work Profile on Company Owned Device mode

Whether a lockdown policy field applies to an Android Enterprise device depends on the Android Enterprise mode in which the device is registered. The modes (Work Managed Device mode; Managed Device with Work Profile (COPE) mode on Android 8 through 12; and Work Profile on Company Owned Device mode on Android 12 and supported later versions) are described in "Modes for Android Enterprise devices" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

Lockdown options in this section apply to Android Enterprise devices in all the modes mentioned above, unless otherwise noted.

Table 31. Lockdown policy fields: Android Enterprise in Work Profile on Company Owned Device mode
Item / Description / Default Policy Setting

Device Restrictions

Allow camera

Allows the camera to function.

Not supported in Work Profile for Company Owned Device mode.

Enabled

Allow master volume un-mute

Allows the user to un-mute master volume. Note: volume is not muted by default.

Enabled

Allow microphone un-mute

Allows the user to un-mute the microphone.

Enabled

Allow automatic date & time

If checked, the user can set the date and time manually.
If unchecked, the user can still make changes, but the system resets the date and time automatically (automatic date and time is enforced).

Enabled

Allow automatic timezone

Allows timezone to be set automatically. Note: the user can re-enable the ability to update time and timezone if this setting is disallowed.

Enabled

Allow safe boot of the device

Allows user to reboot the device into safe mode.

Enabled

Allow factory reset

Allows the user to initiate a factory reset of the device.

Applicable to Managed Device with Work Profile mode and Work Managed Device mode. Not supported in Work Profile for Company Owned Device mode.

Enabled

Allow the user to mount physical external media

Allows the user to mount external media such as SD cards or external drives.

Enabled

Allow the user to transfer files over USB

Allows the user to copy, paste, and transfer data and files using USB drives.

Enabled

Allow use of USB storage

Allows data to be stored on USB drives.

Applicable to Managed Device with Work Profile mode and Work Managed Device mode. Not supported in Work Profile for Company Owned Device mode.

Enabled

Keep device on while plugged in

Allows device to remain powered on when it is plugged in to a power source. When this field is enabled, the device does not go into sleep mode.

Disabled

Allow Keyguard (no effect if password or PIN is set)

Allows a keyguard (lock screen) on the device, provided that no PIN, password, or pattern has been set. Once one of those is set, this field has no effect.

Enabled

Allow backup service

Allows the user to back up and restore their device using Google services on managed devices running Android 8.0 through the most recently released versions supported by Ivanti EPMM.

Enabled

Allow install from unknown sources on the device

Allows installation of apps from untrusted (unknown) sources in the personal profile. Unless this field is selected, the work profile never allows installation of apps from unknown sources.

Applicable to Work Managed Device mode. Not supported in Work Profile for Company Owned Device mode.

Disabled

Allow location settings modification

Allows device user to turn on/off location. Also, on some devices/OS versions, it allows the device user to control the accuracy of the device's location.

Supported in Work Profile for Company Owned Device mode.

Enabled

Configure Private DNS settings

Private DNS gives device users more privacy than resolving names in cleartext against public DNS servers. It lets an enterprise keep device user activity and internal hostnames from being learned by untrusted DNS servers: the device either discovers DNS over TLS support automatically or is pointed at a specific DNS-over-TLS server hostname, so DNS resolution is not leaked in cleartext.

Devices use DNS over TLS before attempting name resolution in cleartext. Selecting this check box expands it to display:

  • Off - The Admin Portal does not turn Private DNS off on the device. The device user can disable Private DNS on the device only if allowed to change the setting.

  • Opportunistic - The device attempts to find a resolver that supports Private DNS. If it cannot find one, it falls back to non-private (cleartext) DNS.

  • Use Specific DNS Server - Enter the hostname of a server that implements DNS over TLS (RFC 7858). This value cannot be empty. Once added, the hostname can be updated but not cleared.

Applicable to: Android 10+ devices in Work Managed Device mode.

Disabled

Allow user to override Private DNS settings

Allows the device user to change the Private DNS setting on the device. When this field is disabled, the Private DNS configuration set in "Configure Private DNS settings" is enforced and the user cannot change or disable it on the device.

Disabled
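Before pinning a hostname in "Use Specific DNS Server", a practitioner usually wants to confirm that the server really answers DNS over TLS on port 853 with a certificate that matches that hostname, which is the check the device itself performs in specific-host mode. The following Python script is an added example for this page, not Ivanti EPMM or Android code. It validates the hostname the way the field does (non-empty; the additional rejection of IP literals is an assumption drawn from the field text "enter the hostname", since certificate matching needs a name), builds a minimal RFC 1035 query with the two-byte length prefix RFC 7858 requires, and sends it over a verified TLS session. The hostname `dns.example.net` in the usage line is a placeholder.

```python
"""Probe a DNS-over-TLS (RFC 7858) server before pinning it as the Private DNS host.

Added example for this page; not Ivanti EPMM or Android code.
"""
import ipaddress
import socket
import ssl
import struct
import sys

DOT_PORT = 853          # RFC 7858 port for DNS over TLS
DEFAULT_TXID = 0x1234   # fixed transaction id so the reply can be matched to the query


def validate_private_dns_hostname(value: str) -> str:
    """Apply the field's rules: non-empty, and a hostname rather than an IP literal.

    Rejecting IP literals is an assumption drawn from the field text ("enter the
    hostname"): in specific-host mode the TLS certificate is matched against a name.
    """
    value = value.strip().rstrip(".")
    if not value:
        raise ValueError("Private DNS hostname must not be empty")
    try:
        ipaddress.ip_address(value)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise ValueError(f"{value!r} is an IP literal; a hostname is required")
    labels = value.split(".")
    if len(labels) < 2 or any(not lbl or len(lbl) > 63 for lbl in labels):
        raise ValueError(f"{value!r} is not a valid DNS hostname")
    return value


def build_query(qname: str, txid: int = DEFAULT_TXID) -> bytes:
    """Wire-format A query (RFC 1035) with the 2-byte length prefix used over TLS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD; QDCOUNT=1
    question = b"".join(
        bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.rstrip(".").split(".")
    ) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    message = header + question
    return struct.pack("!H", len(message)) + message


def parse_response(framed: bytes, txid: int = DEFAULT_TXID) -> dict:
    """Parse the header of a length-prefixed DNS reply; report rcode and section counts."""
    if len(framed) < 2:
        raise ValueError("reply shorter than the length prefix")
    (length,) = struct.unpack("!H", framed[:2])
    message = framed[2:2 + length]
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    rx_txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", message[:12])
    if rx_txid != txid:
        raise ValueError("transaction id mismatch; reply is not for our query")
    return {
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,  # 0 = NOERROR, 3 = NXDOMAIN, ...
        "questions": qdcount,
        "answers": ancount,
    }


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def probe_dot(hostname: str, qname: str = "example.com", timeout: float = 5.0) -> dict:
    """Connect to hostname:853 with SNI and chain/hostname verification, send one
    query, and return the parsed reply header plus the negotiated TLS version."""
    hostname = validate_private_dns_hostname(hostname)
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    with socket.create_connection((hostname, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(build_query(qname))
            prefix = _recv_exact(tls, 2)
            (length,) = struct.unpack("!H", prefix)
            result = parse_response(prefix + _recv_exact(tls, length))
            result["tls_version"] = tls.version()
            return result


if __name__ == "__main__":
    # Usage: python dot_probe.py dns.example.net   (placeholder hostname)
    if len(sys.argv) != 2:
        sys.exit("usage: dot_probe.py <private-dns-hostname>")
    print(probe_dot(sys.argv[1]))
```

A TLS handshake failure here (untrusted chain, name mismatch) means the device in specific-host mode will also refuse the server and, with no cleartext fallback in that mode, lose name resolution entirely; a clean reply with rcode 0 is the result to look for before rolling the policy out.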

Set Minimum Required Wi-Fi Security (Android 13+)

Use this option to set the minimum required Wi-Fi security level. The device's Wi-Fi connections must be at the chosen level or higher. The hierarchy, from least to most secure, is:

  1. No minimum security required - (default) allows all types of Wi-Fi networks, including open networks.

  2. Personal Network Based Security - allows personal (pre-shared key) Wi-Fi networks such as WEP and WPA/WPA2/WPA3-Personal, and any more secure network.

  3. Enterprise EAP Network Based Security - allows EAP-based (WPA/WPA2/WPA3-Enterprise) Wi-Fi networks, and any more secure network.

  4. Enterprise 192 Network Based Security - allows only WPA3-Enterprise 192-bit mode networks.

The device disconnects from any currently connected Wi-Fi network that does not meet the minimum level.

When this check box is disabled, the client takes no action. When it is enabled, the client applies the chosen level. If the check box is later disabled, the client restores the last known setting from before the change.

To see the Wi-Fi security level in use on devices, use "Wi-Fi Security Level" in Device Details > Advanced Search. The level is also listed under "Required Wi-Fi Security Level" on the Device Details page > Device tab.

Disabled

Allow Nearby Notifications Streaming

Notifications streaming sends notification data from pre-installed apps to nearby devices. By default this field is not selected and it does not appear in the Device Details > Policies tab. Selecting the check box lets the administrator choose one of the four values below; the selected value is shown in the Device Details > Policies tab.

  • Not Controlled by Policy (default) - Nearby streaming is not controlled by policy, so device users can use the notification feature once they enable it on the device. Ivanti EPMM does not control this behavior.
  • Enabled - The device user is allowed to use this feature.
  • Disabled - The device user is not allowed to use this feature.
  • Enabled for Same Account - Allowed only between devices that have the same account present on both.

Once enabled, the Device Details page > Policies > "Allow Nearby Notifications Streaming / (Managed Profile)" section shows the policy status and whether the device is in compliance.

Disabled

Set screen brightness

Select to set the brightness of the device's screen.

  • Manual - Select to enter a number manually (0 to 255)

  • Adaptive - Select to allow the device to set the brightness

If the user is allowed to make changes, these settings will be reset to the administrator-defined settings on next check-in.

Applicable to:

  • Work Managed Device mode

  • Managed Device with Work Profile mode

  • Work Managed Device non-GMS mode (AOSP)

N/A

Set screen timeout

Select to enable and enter a value (in seconds). Screen timeout value will not have effect if its value is greater than Inactivity Timeout from passcode configuration.

If the user is allowed to make changes, these settings will be reset to the administrator-defined settings on next check-in.

Applicable to:

  • Work Managed Device mode

  • Managed Device with Work Profile mode

  • Work Managed Device non-GMS mode (AOSP)

N/A

Set screen orientation

Select to set screen orientation. You can set the screen orientation to 0, 90, 180, or 270 degrees from the drop down list.

Applicable to:

  • Work Managed Device mode

  • Managed Device with Work Profile mode

  • Work Managed Device non-GMS mode (AOSP)

N/A

Restrict input methods to system inputs

Restricts the input methods (keyboards) available to the device user on the device / personal profile to the system input methods. When the administrator enables this option, the device user cannot use any other (third-party or external) keyboard. Applicable to Android 12+ devices in Work Profile on Company Owned Device mode.

Disabled

Phone & Network Restrictions

Allow SMS

Allow the user to send and receive SMS messages.

Enabled

Allow outgoing calls

Allow user to place outgoing calls.

Enabled

Allow data roaming

Allow the use of data while user is traveling outside of data plan area. Note: the user can re-enable this feature from settings.

Enabled

Allow Wi-Fi

If Allow Wi-Fi is:

  • Enabled (default), the device user can turn Wi-Fi on or off
  • Not enabled, the device user cannot turn Wi-Fi on

Applicable to Managed Device with Work Profile mode and Work Managed Device mode. Not supported in Work Profile for Company Owned Device mode.

Caution: Turning off Wi-Fi on a Wi-Fi only device will make the device unable to communicate with Ivanti EPMM or any network. A factory reset will be needed to restore Wi-Fi capability on the device.

Enabled

Allow Wi-Fi to be configured

Allows the user to configure Wi-Fi.

Enabled

Allow Wi-Fi sleep policy to be configured

Allows the user to configure the Wi-Fi sleep policy. On a device, the user can re-enable this feature from Settings. The server policy setting for this field is applied when the device checks in to Ivanti EPMM: if the user modifies the Wi-Fi sleep policy on the device and you, as the administrator, then change the "Allow Wi-Fi sleep policy to be configured" field, the user's modification is overwritten by the lockdown policy on the server at the next check-in.

Enabled

Allow Bluetooth

If Allow Bluetooth is:

  • Enabled (default), the device user can turn Bluetooth on or off
  • Not enabled, the device user cannot turn Bluetooth on

Supported in Work Profile for Company Owned Device mode.

Enabled

Allow Bluetooth to be configured

Allows the user to configure Bluetooth on managed devices.

Enabled

Allow Bluetooth Outbound Sharing

Allows the user to share files using Bluetooth on managed devices running Android 8.0 through the most recently released versions as supported by Ivanti EPMM.

Enabled

Allow Emergency Broadcasts to be configured

Allows the user to configure Emergency Broadcasts.

Enabled

Allow mobile network to be configured

Allows the user to configure the mobile network.

Enabled

Allow tethering and mobile hotspots to be configured

Allows the user to configure tethering and hotspots.

Enabled

Allow VPN to be configured

Allows the user to configure VPN.

This setting must be enabled for a managed VPN to be applied. If it is disabled, a managed VPN cannot be applied; as a workaround, enable Always-on VPN in the Android Enterprise settings and select Tunnel as the App Identifier.

Enabled

Managed Device

Android 11:

Enable Common Criteria (CC) mode

Select to enable Common Criteria mode on Android 11 and later devices.

If Common Criteria mode is turned off after being enabled previously, all existing Wi-Fi configurations will be lost.

Applicable to Managed Device with Work Profile mode and Work Profile on Company Owned Device mode.

Disabled

Android 12+:

Enable 5G Slicing

Administrators can route all app traffic through an enterprise 5G network slice. Instead of setting up slices through APNs, administrators can configure devices to route traffic from all apps in the work profile to an enterprise network slice using UE Route Selection Policy (URSP) rules. Routing of Work Profile on Company Owned Device app traffic to the enterprise slice can be turned on or off per employee. The 5G Slicing status is shown on the Device Details page; 5G is also available as an Advanced Search criterion and in compliance rules.

Requires support from 5G service provider.

Disabled

Security Logging

Enable Security Logging on Android

When enabled, the device collects information for security auditing. The logs help administrators identify suspicious activity by remotely tracking device activity, including app launches, Android Debug Bridge (adb) activity, and screen unlocks. They are available to device administrators on demand. To protect user privacy, some information is hidden or redacted: for example, personal app launch events are hidden and the details of physical volume mount events are redacted.

Disabled
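The three event classes the paragraph names (adb activity, screen unlocks, volume mounts) are what an administrator usually wants to triage against the lockdown policy in force. The following Python script is an added example for this page, not Ivanti EPMM or Android code. The tag ids follow android.app.admin.SecurityLog; the export format (one record per event carrying the raw tag id, its data payload and a millisecond timestamp), the `SecurityEvent` and `LockdownState` types, and the sample events are all constructed assumptions, since the page does not describe how EPMM presents these logs. The example goes one step beyond the text by correlating unlock attempts over a sliding window and by handling the redacted mount payload the paragraph mentions.

```python
"""Triage Android security-log events of the kinds this option collects
(adb activity, screen-unlock attempts, external media mounts).

Added example for this page; not Ivanti EPMM or Android code. The export format
(raw SecurityLog tag id, payload tuple, millisecond timestamp) is an assumption.
"""
from collections import deque
from dataclasses import dataclass

# Tag ids as defined by android.app.admin.SecurityLog (assumed to survive export unchanged).
TAG_ADB_SHELL_INTERACTIVE = 210001
TAG_ADB_SHELL_CMD = 210002                  # data: (command string,)
TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT = 210007  # data: (1 success / 0 failure, method strength)
TAG_MEDIA_MOUNT = 210013                    # data redacted by the platform for privacy


@dataclass(frozen=True)
class SecurityEvent:
    time_ms: int      # event time in milliseconds (assumed export unit)
    tag: int
    data: tuple = ()


@dataclass
class LockdownState:
    """The lockdown fields these rules consult (constructed mirror of the table above)."""
    allow_external_media: bool = True


def _finding(ev, rule, detail):
    return {"time_ms": ev.time_ms, "rule": rule, "detail": detail}


def triage(events, policy, fail_threshold=5, fail_window_ms=60_000):
    """Return findings, in time order, from a stream of events.

    Rules:
      * any adb shell activity on a managed device is reported;
      * fail_threshold failed unlock attempts inside fail_window_ms is reported once
        per run of failures (a successful unlock resets the window);
      * a media mount while "Allow the user to mount physical external media" is
        disabled is reported even though the platform redacts the mount details.
    """
    findings = []
    failures = deque()  # timestamps of recent failed unlock attempts
    for ev in sorted(events, key=lambda e: e.time_ms):
        if ev.tag in (TAG_ADB_SHELL_INTERACTIVE, TAG_ADB_SHELL_CMD):
            detail = ev.data[0] if ev.data else "interactive shell"
            findings.append(_finding(ev, "adb_shell_activity", detail))
        elif ev.tag == TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT:
            succeeded = bool(ev.data and ev.data[0])
            if succeeded:
                failures.clear()
                continue
            failures.append(ev.time_ms)
            while failures and ev.time_ms - failures[0] > fail_window_ms:
                failures.popleft()  # drop failures that fell out of the window
            if len(failures) == fail_threshold:
                findings.append(_finding(
                    ev, "unlock_bruteforce",
                    f"{fail_threshold} failed unlock attempts within {fail_window_ms // 1000}s"))
        elif ev.tag == TAG_MEDIA_MOUNT and not policy.allow_external_media:
            findings.append(_finding(ev, "media_mount_despite_policy",
                                     "mount details redacted by the platform"))
    return findings


def sample_events():
    """Constructed sample, not a real export: five failed unlocks within 16 s,
    a successful unlock, an adb command, then an SD-card mount."""
    evs = [SecurityEvent(t, TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT, (0, 1))
           for t in (1_000, 5_000, 9_000, 13_000, 17_000)]
    evs += [
        SecurityEvent(20_000, TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT, (1, 1)),
        SecurityEvent(30_000, TAG_ADB_SHELL_CMD, ("pm install /sdcard/unknown.apk",)),
        SecurityEvent(40_000, TAG_MEDIA_MOUNT),
    ]
    return evs


if __name__ == "__main__":
    for f in triage(sample_events(), LockdownState(allow_external_media=False)):
        print(f"{f['time_ms']:>7} ms  {f['rule']:<28} {f['detail']}")
```

The adb rule is unconditional because nothing in this table disables adb itself; the mount rule is conditional on the lockdown field because a mount event under an "allow" policy is expected behaviour, not a finding.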
