Lockdown policies

Lockdown policies do not apply to iOS or macOS devices.

Lockdown policies specify which features should be disabled in the event that device access must be restricted. To create a lockdown policy, go to Policies & Configs > Policies > Add New > Lockdown. Some policy changes can prompt users to restart their device after the policy is applied to the device.

As part of a Lockdown policy, administrators can set a message on the Lock screen on company-owned Android devices. This informs the device holder who the owner of the device is. A maximum of 256 characters can be entered into the message.

Lock screen messages are applicable in the following modes:

  • Work Profile Managed Device

  • Managed Device with Work Profile

  • Work Profile for Company Owned Device

  • Work Managed Device - Non-GMS mode

Both device and user attributes (default and custom) can be used with the Lock screen message.

Extended lockdown policies for Android and Android Enterprise devices are supported on Samsung Knox devices. Support for specific settings sometimes depends on the Android OS version, the [email protected] version, and the Samsung Knox API version on the device. Extended lockdown policies are also available for Android Enterprise devices that are Work Managed Devices. Refer to the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices for details.

This section includes the following topics:

General lockdown policy fields

This section describes fields that are available for Android, Android enterprise, and Windows devices.

 

Table 28.  Lockdown policy fields: general
Item Description Default Policy Setting

Name

Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type.

Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries.

Default Lockdown Policy

Status

Select Active to turn on this policy. Select Inactive to turn off this policy.

Active

Priority

Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select “Higher than” or “Lower than”, then select an existing policy from the drop-down list. For example, to give Policy A a higher priority than Policy B, you would select “Higher than” and “Policy B”. See “Prioritizing policies” in the Device Management Guide for more information.

Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type.

 

Description

Enter an explanation of the purpose of this policy.

Default Lockdown Policy

Bluetooth

Enable or disable access to Bluetooth features. You can enable both Audio and Data or just Audio.

Caution:Ivanti EPMM recommends against disabling audio because hands-free Bluetooth access is disabled. Legal requirements for hands-free use of devices while driving is widespread.

The Bluetooth settings are supported on Samsung Knox devices. However, enabling audio only is supported only with [email protected] 9.0.1.0-9.0.1.1. See “Bluetooth lockdown for Samsung Knox devices” in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices for more information.

Enable Audio & Data

Camera

Enable or disable camera access.

Enable

Camera User Control

When checked the Camera policy is considered enforced no matter the state of the camera. GPS location is not considered when user control is checked.

Unchecked

NFC

Enable or disable NFC (Near-field Communication) data exchange when the device touches another device.

Enable

USB Mass Storage

Enable or disable access to the device’s USB storage from a computer.

Enable

SD Card

Enable or disable access to the secure data card.

Enable

Wi-Fi

Enable or disable access to wireless LANs.

Caution: Disabling Wi-Fi on Wi-Fi-only devices is not recommended. A factory reset will be necessary to re-enable Wi-Fi on such devices.

Applicable to Managed Device with Work Profile mode and Work Managed Device mode.

Wi-Fi lockdown is supported on Samsung Knox devices.

Enable

Roaming Data

Enable or disable access to data services while roaming.

Enable

Copy / Paste

This feature is not supported on Windows Phone 8.1 devices.

Enable or disable access to copy / paste functionality.

Supported in:

  • Managed Device with Work Profile mode

  • Work Profile mode

Enabled

Screen Capture

This feature is supported on the following devices:

  • Windows Phone 8.1 and 10
  • Android version 6.0 (or supported newer versions) with Android enterprise

Enable or disable screen capture.

Not supported in Work Profile for Company Owned Device mode.

Enabled

GPS

If GPS User Control is disabled, specify whether GPS is enabled or disabled on the device.

Enable

GPS User Control

Enable or disable a user’s ability to control the GPS.

Enabled

Allow device to be on while plugged in

Enable user to keep the device on while it is plugged in

Disabled

Lockscreen Widgets

Enable lockscreen widgets.

Enabled

Maintenance window duration

Enable changes to the duration of the maintenance window.

Disabled

Maintenance window start time

Enable changes to the maintenance window start time.

Disabled

Maximum Work Profile Timeout

Enable changes to the maximum work profile timeout.

Disabled

NFC

Enable Near Field Communication (NFC).

Enabled

Microphone

Enable microphone.

Enabled

Restrict accessibility services

Enable restriction of accessibility services.

Disabled

Restrict input methods

Enable restriction of input methods.

Disabled

Allowed Samsung applications

Enable allowed Samsung applications.

Disabled

When work profile accounts can be modified

One Android Enterprise setting in the lockdown policy is Allow the user to create and modify accounts. This setting applies only to work profile accounts. It does not impact personal accounts.

If this lockdown policy setting is selected, the device user or an Android Enterprise app can add, modify, or delete work profile accounts on the device in Settings > Accounts.

A four-hour time period begins after [email protected] receives a lockdown policy in which the setting Allow the user to create and modify accounts is not selected. During that time period, the device user and Android Enterprise apps on the device can continue to add, modify, and delete work profile accounts. After the time period ends, work profile accounts cannot be added, modified, or deleted. Therefore, during this time period, the Divide Productivity or Gmail app can add the account that you specify in the Configuration Choices section for the app in the App Catalog on the Admin Portal. Make sure that your device users launch the Divide Productivity or Gmail app within the four-hour time period.

Notes

  • Restarting a device does not restart the time period.

  • Changing settings in the Configuration Choices section for Divide Productivity and Gmail in the App Catalog on the Admin Portal will have no impact to the account settings on the device after the time period is over. An exception to this rule exists for two app configurations. You can change these app configurations at any time, and the account settings on the device will be updated. These two app configurations are:

    • Default email signature
    • Default sync window

Lockdown policy fields for Windows devices

These lockdown options are applied to Windows devices.

Table 29.   Lockdown policy fields: Windows
Item Description Default Policy Setting

Internet Sharing

Enable or disable Internet sharing.

Enable

Microsoft Store

Enable or disable access to the Windows Store.

You cannot deactivate this feature for Windows 10 Desktop devices.

Enable

Manual Email Set-up

Enable or disable ability to manually add an email account on the device.

Enable

VPN while Roaming

Enable or disable VPN when device is out of network.

Enable

Hotspot Discovery

Enable or disable Hotspot Discovery.

Enable

Microsoft Account

Enable or disable Microsoft SkyDrive or Live Account.

Enable

Save as of MS-Office

Enable or disable the Save As operation for a MS-Office document.

This feature is not supported on Windows Phone 8.1 or Windows 10 Desktop devices.

Enable

Browser

Enable or disable Internet Explorer.

The option does not have any impact on any other browsers installed from the Windows Store.

This feature is not supported on Windows Phone 8.1 devices.

Enable

Manual Wi-Fi Setup

Enable or disable ability to manually add a Wi-Fi setup.

This feature is not supported on Windows 10 Desktop devices.

Enable

Wi-Fi Sense Hotspots

Enable or disable the device to automatically connect to Wi-Fi Hotspots and friend social network.

Enable

Sharing Of MS-Office Files

Enable or disable sharing MS-Office files.

This feature is not supported on Windows Phone 8.1 devices.

Enable

Sync User Settings to Device(s)

Enable or disable the device to automatically sync user settings to the Windows device.

 

Enable

Action Center Notifications

Enable or disable Action Center notifications.

This feature is not supported on Windows Phone 8.1 devices.

Enable

Developer Unlock

Enable or disable Developer Unlock.

Enable

Search to Use Location

Enable or disable the Access to my location feature on the device. Disabling this feature impacts the Cortana and Bing.

Enable

Manual Root Certificate Installation

Enable or disable ability to manually install a root certificate on the device. If disabled, the device user cannot install a root certificate to the device.

This feature is not supported on Windows Phone 8.1 devices.

Enable

Store Images From Visual Search

Enable or disable the Visual Search option in Bing.

Enable

Voice Recording

Enable or disable voice recording in Cortana.

This feature is not supported on Windows Phone 8.1 devices.

Enable

Return Without Password

Enable or disable ability for the device user to set grace period for locking. If enabled, the device user can set the grace period for locking the device. If disabled, the Security policy sets the grace period, and the option is not available to the device user.

This feature is not supported on Windows Phone 8.1 devices.

Enable

Cortana

Enable or disable Cortana.

Enable

Block Browser Popups

Enable or disable to block popups in browsers.

Enable

Browser Password Manager

Enable or disable the use of a browser password manager.

Enable

MS Error Reporting

Provides full, enhanced, basic, or security level error reporting.

Full

Let Apps Run In Background

Allows administrators to turn off all applications running in the background to preserve battery usage on Windows devices that are on limited power or using cellular services.

User In Control

Windows Phone - Corporate Owned Devices Only

For Windows devices only.

Reset Phone

Enable or disable the device user's ability to reset the device to factory defaults.

Enable

MDM Un‑enrollment

Enable or disable the device user’s ability to remove the device from management by Ivanti.

Enable