Lockdown policy fields for Android Enterprise devices in Work Profile mode

Whether a lockdown policy field applies to an Android Enterprise device depends on the Android Enterprise mode in which the device is registered. The modes are Work Managed Device mode, Managed Device with Work Profile (COPE) mode on Android versions 8-10, and Work Profile on Company Owned Devices on Android 11 and later supported versions; they are described in "Modes for Android Enterprise devices" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

Lockdown options in this section apply to Android Enterprise devices in Work Profile mode.

Table 30. Lockdown policy fields: Android Enterprise in Work Profile mode
Item | Description | Default Policy Setting

Allow copy and paste

Allows copy and paste from apps inside the Android Enterprise profile to apps outside the profile.

Selected

Allow caller ID across profiles

Allows caller ID to be visible to the phone app in all profiles.

When the caller ID is permitted across profiles, work contacts can be viewed by the personal apps for incoming calls. This applies to Android 6.0 through the most recently released versions as supported by Ivanti EPMM.

Selected

Allow work calendar sharing with personal profile

Select to allow sharing of work calendar information with the personal profile, so that apps can display work events alongside personal events in the device user's personal profile (for example, calendar apps like Google Calendar). If the work event is tapped within the personal profile, a view of the event displays. Tapped again, it opens the event in the work calendar. Applicable to Managed devices with work profiles.

Not selected

Allow contact search across profiles

Allows personal space Contacts app sharing across the profile.

This is supported on Android 7.0 devices through the most recently released version as supported by Ivanti EPMM.

Selected

Allow Bluetooth

Enable Bluetooth.

Enabled

Allow contact sharing on Bluetooth devices

Allows the caller ID to be visible on another Bluetooth device such as your car’s Bluetooth screen.

This is supported on Android 6.0 devices through the most recently released version as supported by Ivanti EPMM.

Selected

Allow unknown sources in Personal and Work Profile

Allow installation of apps from untrusted sources in the Personal and Work Profile.

  • If checked, the user is allowed to install apps from an unknown source on both the personal and work profile of the device.

    When this field is selected, the "Allow Unknown Sources in Work Profile" check box displays. Selecting it restricts the Allow Unknown Source setting to the Work Profile mode only. Use case: This allows third-party apps like games from outside the Google Play store to be installed in the personal profile.

  • If unchecked, the user is unable to install from an unknown source on either the personal or the work profile of the device.

Not selected

Android 8:

Allow Auto-Fill

Allows password autofill.

Selected

Allow work app notifications in personal profile

When the device user is in the personal profile, notifications from Ivanti Mobile@Work apps display.

Selected

Android 9: Allow Printing

Allows the printing of documents from Ivanti Mobile@Work apps.

Selected

Allow Share into Profile

Allows sharing from outside the Work Profile to inside the Work Profile.

Selected

Android 10: Allow Camera

Enable camera.

Enabled

Allow Camera Control

Enable user control of camera.

Disabled

Allow Configure Managed App Updates

Enable configuration of managed app updates by setting a maintenance window.

Disabled

Android 11+: Allow Cross Profile WhiteListing Package Ids

Enable cross-profile whitelisting of package IDs.

Disabled

Enable Debugging

Enable debugging for USB, work profile, and managed device.

Enabled

Enable Disabling of System Apps

Enable disabling of system apps.

Disabled

Enable Common Criteria mode

Enable the Common Criteria mode.

Disabled

Enable Cross profile whitelisting of Apps

Allows users to share information from specific apps within the work profile to the personal side of the device. Data from the Work Profile container can then be shared with the exact same app located on the personal side.

Selecting + displays a list; you must add at least one app for this configuration to apply.

Not selected

Enable system apps

Enable system apps.

Enabled

Enable Maximum Profile Timeout

Select to set the maximum time the work profile can be turned off before Ivanti EPMM suspends personal apps on the device. You can set a time between 72 and 8760 hours. 8760 hours is one year.

The default value is 72 hours if the option is selected.

The device user sees a message prompting them to turn on the work profile to enable suspended apps. Available for Android 11+ devices in Work Profile on Company Owned Device.

Disabled

Android 12+:

Enable 5G Slicing

Administrators can route all app traffic through an enterprise 5G network slice. Instead of setting up slices through APNs, administrators can set devices to route the traffic from all apps in the work profile to an enterprise network slice through the UE Route Selection Policy (URSP) rules. Administrators can turn Work Profile app traffic routing to the enterprise network slice on or off on a per-employee basis. The Device Details page indicates the 5G Slicing status. Advanced searching on 5G and creating compliance rules are also part of this feature.

Requires support from the 5G service provider.

Disabled

Allow Nearby Notifications Streaming

Notifications Streaming sends notification data from pre-installed apps to nearby devices. By default, this field is not enabled. By selecting this check box, the administrator can set the value by choosing from the four options below. The selected value displays in the Device Details > Policies tab.

  • Not Controlled by Policy (default) - Indicates that nearby streaming is not controlled by policy; device users can therefore use the notification feature on their device once they enable it. Ivanti EPMM does not control this behavior.
  • Enabled - Device user is allowed to use this feature.
  • Disabled - Device user is not allowed to use this feature.
  • Enabled for Same Account - Only allowed on devices that have the same account present on both devices.

Once enabled, in the Device Details page > Policies > "Allow Nearby Notifications Streaming / (Managed Profile)" section, the status of the policy displays along with whether or not the device is in compliance.

Disabled
