Lockdown policy fields for Android Enterprise devices in Work Profile mode

Whether a lockdown policy field applies to an Android Enterprise device depends on the Android Enterprise mode that the device is registered in. The modes are Work Managed Device mode, Managed Device with Work Profile (COPE) mode on devices running Android 8 through 10, and Work Profile on Company Owned Device mode on devices running Android 11 and later supported versions. They are described in "Modes for Android Enterprise devices" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

Lockdown options in this section apply to Android Enterprise devices in Work Profile mode.

Table 32. Lockdown policy fields: Android Enterprise in Work Profile mode
Item | Description | Default Policy Setting

Allow copy and paste

Allows copy and paste from apps inside the Android Enterprise profile to apps outside the profile.

Selected

Allow caller ID across profiles

Allows caller ID to be visible to phone app in all profiles.

When the caller ID is permitted across profiles, work contacts can be viewed by the personal apps for incoming calls. This applies to Android 6.0 through the most recently released versions as supported by Ivanti.

Selected

Allow work calendar sharing with personal profile

Select to allow sharing of work calendar information with the personal profile, so that apps in the device user's personal profile (for example, calendar apps such as Google Calendar) can display work events alongside personal events. Tapping a work event within the personal profile displays a view of the event; tapping it again opens the event in the work calendar. Applicable to Managed devices with work profiles.

Not selected

Allow contact search across profiles

Allows personal space Contacts app sharing across the profile.

This is supported on Android 7.0 devices through the most recently released version as supported by Ivanti.

Selected

Allow contact sharing on Bluetooth devices

Allows the caller ID to be visible on another Bluetooth device such as your car’s Bluetooth screen.

This is supported on Android 6.0 devices through the most recently released version as supported by Ivanti.

Selected

Allow unknown sources in Personal and Work Profile

Allow installation of apps from untrusted sources in the Personal and Work Profile.

  • If checked, the user is allowed to install the app from an unknown source on both the personal and work profile of the device.

When this field is selected, the "Allow Unknown Sources in Work Profile" check box displays. Selecting it indicates to restrict the Allow Unknown Source setting to the Work Profile mode only. Use case: This allows third-party apps like games from outside the Google Play store to be installed in the personal profile.

  • If unchecked, the user is unable to install from an unknown source on either the personal or the work profile of the device.

Not selected

Android 8:

Allow Auto-Fill

Allows password autofill.

Selected

Allow work app notifications in personal profile

When device user is in personal profile, notifications from [email protected] apps will display.

Selected

Allow Bluetooth Sharing

Allows Bluetooth sharing with other devices.

Selected

Android 9: Allow Printing

Allows the printing of documents from [email protected] apps.

Selected

Allow Share into Profile

Allows sharing from outside the Work Profile to inside the Work Profile.

Selected

Android 10:

Allow Bluetooth

Enable Bluetooth.

Enabled

Allow Camera

Enable camera.

Enabled

Allow Camera Control

Enable user control of camera.

Disabled

Allow Configure Managed App Updates

Enable configuration of managed app updates by setting a maintenance window.

Disabled

Allow Copy/Paste

Enable copying and pasting.

Enabled

Android 11+: Allow Cross Profile WhiteListing Package Ids

Enable cross-profile whitelisting of package IDs.

Disabled

Enable Debugging

Enable debugging for USB, work profile, and managed device.

Enabled

Enable Disabling of System Apps

Enable disabling of system apps.

Disabled

Enable Common Criteria mode

Enable the Common Criteria mode.

Disabled

Enable Cross profile whitelisting of Apps

Allows users to share information from specific apps from within the work profile to the personal side of the device. This allows data from the Work Profile container to share data to the exact same app that is located on the personal side.

Selecting + displays a list and you must add at least one app in order for this configuration to apply.

Not selected

Enable system apps

Enable system apps

Enabled

Enable Maximum Profile Timeout

Select to set a maximum time window the work profile can be turned off before Ivanti suspends personal apps on the device. You can set a time between 72 and 8760 hours. 8760 hours is one year of time.

Default value is set to 72 hrs if the option is selected.

The device user sees a message prompting to turn on the work profile to enable suspended apps. Available for Android 11+ devices in Work Profile on Company Owned Device.

Disabled

Android 11+:

Enable Cross Profile Whitelisting

Enable cross profile whitelisting.

Disabled

Android 12+:

Enable 5G Slicing

Administrators can route all app traffic through an enterprise 5G network slice. Instead of setting up slices through APNs, administrators can set devices to route the traffic from all apps in the work profile to an enterprise network slice through the UE Route Selection Policy (URSP) rules. Administrators can turn Work Profile app traffic routing to the enterprise network slice on or off on a per-employee basis. The Device Details page shows the 5G Slicing status. Advanced searching on 5G and creating compliance rules are also part of this feature.

Requires support from the 5G service provider.

Disabled

Managed Device

Android 11:

Enable Common Criteria (CC) mode

Select to enable Common Criteria mode for Android 11+ devices.

If Common Criteria mode is turned off after being enabled previously, all existing Wi-Fi configurations will be lost.

Applicable to Managed Device with Work Profile mode and Work Profile on Company Owned Device mode.

Disabled

Configure Private DNS settings

Private DNS allows more privacy for device users than using public DNS servers. It provides a way for enterprises to secure device user activity and enterprise hostnames from being learnt by unwanted DNS servers. Private DNS allows devices to discover DNS over TLS and provide specific DNS server hostnames to prevent leaking of DNS resolution.

Devices will use DNS-over-TLS prior to attempting name resolution in cleartext. Selecting this box expands to display:

  • Off - Private DNS cannot be disabled from the Admin Portal. Device user can disable private DNS setting, if allowed to change the settings.

  • Opportunistic - The device will attempt to find a server that supports private DNS. If it cannot find one, it will fall back to non-private DNS (cleartext).

  • Use Specific DNS Server - Enter the hostname of a server that implements DNS over TLS (RFC 7858). This value cannot be empty. Once added, it can only be updated.

Applicable to: Android 10+ devices in Work Managed Device mode.

Disabled
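
A pre-deployment check for the Use Specific DNS Server value, added here as an example (not Ivanti code): it confirms that a hostname answers DNS over TLS on port 853 and presents a certificate valid for that name. The function names and the probe name example.com are assumptions of this example.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858 assigns TCP port 853 to DNS over TLS


def build_query(name: str, query_id: int = 0x1234) -> bytes:
    """Return an A-record query for `name`, framed with the 2-byte length prefix DoT uses."""
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    message = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(message)) + message


def parse_header(message: bytes, query_id: int = 0x1234) -> dict:
    """Decode the fixed 12-byte DNS header of a reply (length prefix already removed)."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {"id_matches": rid == query_id, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": ancount}


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; TLS records may split the reply across several reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def check_dot_server(hostname: str, probe_name: str = "example.com", timeout: float = 5.0) -> dict:
    """Query `hostname` over TLS; fails if the certificate does not validate for that name."""
    context = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((hostname, DOT_PORT), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(build_query(probe_name))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            result = parse_header(recv_exact(tls, length))
            result["tls_version"] = tls.version()
            return result


if __name__ == "__main__":
    import sys
    print(check_dot_server(sys.argv[1]))  # pass the hostname you intend to put in the policy
```

A certificate error or a timeout from check_dot_server means the hostname should not go into the policy as entered.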

Allow user to override Private DNS settings

The hostname of a server that implements DNS over TLS (RFC 7858). This value cannot be empty.

Disabled
