Lockdown policy fields for all Android Enterprise devices

Whether a lockdown policy field applies to an Android Enterprise device depends on the Android Enterprise mode that the device is registered in. The modes are Work Managed Device mode, Managed Device with Work Profile (COPE) mode on Android versions 8-10, and Work Profile on Company Owned Devices mode on Android 11 and later supported versions. They are described in "Modes for Android Enterprise devices" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

Lockdown options in this section apply to all Android Enterprise devices in all modes. On personally owned devices, these options do not impact the personal side of the device.

Table 29. Lockdown policy fields: Android enterprise (all modes)
Item | Description | Default Policy Setting

Allow screen capture

Allows screen capture of apps or data inside the Android Enterprise profile.

Supported in Work Profile on Company Owned Device mode.

Selected

Allow the user to turn on location sharing

Allows device GPS location to be shared with Work apps.

Applicable to Android 6.0 and supported newer versions.

For important information about Android 10-specific Wi-Fi settings, see "Wi-Fi network priority for Android devices" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

Selected

Allow modification of applications in Settings or launchers

Allows user to change application settings such as clearing cache, deleting data, uninstalling, or force stopping apps in App settings screen.

Use the “Block uninstall” option in the App Catalog app details to prevent the user from uninstalling the app.

Selected

Allow the user to configure user credentials

Allows user to change credentials in the Work profile, in Android Settings > Security > Trusted Credentials > Work.

Selected

Allow the user to create and modify accounts

Allows user to create or modify accounts in the Work profile, in Android Settings > Account.

For more information, see "When work profile accounts can be modified".

Selected

Allow the user to transfer app data over NFC

Allows use of NFC to transfer app data.

Applicable to Android 6.0 and supported newer versions.

Selected

Allow users to share admin configured Wi-Fi (Android 13+)

Deselect the check box to prevent device users from sharing the admin-configured Wi-Fi. The default setting is to allow it. Applicable to:

  • Work Profile mode

  • Work Managed Device mode

  • Managed Device with Work Profile

  • Work Profile on Company Owned Device mode

  • Work Managed Device Non-GMS mode (AOSP)

Enabled

Google Play Auto-Update Policy

Determines the automatic update policy that Google Play Store uses to update apps on the device. On the device, you can view these options by opening the Google Play Store app and selecting Settings. The option in Google Play Store settings is named Auto-update apps.

The choices for this lockdown policy field are:

  • User Defined - The device user can set the Auto-update apps setting in Google Play Store.
  • Never - Google Play Store never automatically updates apps on the device.
  • Wi-Fi Only - Google Play Store automatically updates apps on the device but only using Wi-Fi, not cellular, connections.
  • Always - Google Play Store automatically updates apps on the device using either Wi-Fi or cellular connections.

The device user can change the Auto-update apps setting in Google Play Store only if you select User Defined on the lockdown policy.

The Google Play Auto-Update Policy value only takes effect when there are Android for enterprise apps assigned to a device.

User Defined

Enable system apps

Allows user access to the system apps that are enabled by the administrator. This could include the system phone and camera. This is useful when a device initially disables system apps and the administrator then wants to enable them. Enabling does not work if the package of the system app is not present in the configuration.

Because of Android limitations, removing an application's package name from the "Disabled system apps" list box in the Lockdown Policy is not enough to remove the app from the System Apps blacklist. The app's package name should also be listed in the "Enabled system apps" list box.

When removing an application from the system apps blacklist, the administrator needs to also add it to the whitelist. This ensures the blacklisted app becomes accessible.

Administrators need to be aware that there are consequences when changing system apps.

Not selected

Disable system apps

Prevents the user from using the system apps restricted by the administrator.

Because of Android limitations, removing an application's package name from the "Disabled system apps" list box in the Lockdown Policy is not enough to remove the app from the System Apps blacklist. The app's package name should also be listed in the "Enabled system apps" list box.

When removing an application from the system apps blacklist, the administrator needs to also add it to the whitelist. This ensures the blacklisted app becomes accessible.

Administrators need to be aware that there are consequences when changing system apps.

Not selected

Ensure Verify apps

Restricts the user from disabling the "Verify Apps" option in Android.

Selected

Restrict Input Methods

Leave blank to permit ONLY system input methods, and add specific package names to enable third-party input apps.

This does NOT apply to devices if users have already selected a third-party input app. This configuration only restricts new changes to the input method.

Not selected

Restrict accessibility services

Leave blank to permit ONLY system accessibility services, and add specific package names to enable third-party accessibility services.

This does NOT apply to devices if users have already selected a third-party accessibility service. This configuration only restricts new changes to the accessibility service.

Not selected
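
The removal rule described under "Enable system apps" and "Disable system apps" can be checked before a policy edit is saved. The following is an added example, not Ivanti code or an EPMM API; the function names, the list inputs, the "listed in both" review flag and the sample package entries are assumptions constructed for illustration.

```python
"""Pre-change review of the two system-app list boxes in a lockdown policy.

Hypothetical helper: the lists are plain package-name strings copied from the
"Disabled system apps" and "Enabled system apps" list boxes, before and after
an edit. Nothing here talks to EPMM.
"""


def _names(entries):
    """Trim whitespace, drop blank entries and de-duplicate package names."""
    return {e.strip() for e in entries if e and e.strip()}


def plan_system_app_change(old_disabled, new_disabled, new_enabled):
    """Classify the effect of an edit to the system-app lists.

    Per the table text, removing a package from "Disabled system apps" is not
    enough: it must also be listed in "Enabled system apps", otherwise the app
    stays inaccessible on the device.
    """
    old_d = _names(old_disabled)
    new_d = _names(new_disabled)
    new_e = _names(new_enabled)
    removed = old_d - new_d
    return {
        # Removed from the disabled list and whitelisted: becomes accessible.
        "re_enabled": sorted(removed & new_e),
        # Removed from the disabled list only: remains blocked on the device.
        "still_blocked": sorted(removed - new_e),
        # Added to the disabled list by this edit.
        "newly_disabled": sorted(new_d - old_d),
        # Assumption: the page does not state which list wins, so flag these.
        "listed_in_both": sorted(new_d & new_e),
    }


# Constructed sample values, not taken from any real policy.
OLD_DISABLED = ["com.android.camera2", "com.android.dialer", "com.android.chrome"]
NEW_DISABLED = ["com.android.chrome", " com.android.calculator2 ", ""]
NEW_ENABLED = ["com.android.dialer", "com.android.chrome"]

if __name__ == "__main__":
    plan = plan_system_app_change(OLD_DISABLED, NEW_DISABLED, NEW_ENABLED)
    for outcome, packages in plan.items():
        print(f"{outcome}: {', '.join(packages) or '-'}")
```

Any package reported under `still_blocked` needs an entry in "Enabled system apps" before the edited policy is applied.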
