Lockdown policy fields for all Android Enterprise devices

Whether a lockdown policy field applies to an Android Enterprise device depends on the Android Enterprise mode that the device is registered in. The modes—Work Managed Device mode, Managed Device with Work Profile (COPE) mode on Android devices versions 8-10, and Work Profile on Company Owned Devices Android versions 11 and later supported versions—are described in "Modes for Android Enterprise devices" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

Lockdown options in this section apply to all Android Enterprise devices in all modes. On personally owned devices, these options do not impact the personal side of the device.

Table 31.   Lockdown policy fields: Android enterprise (all modes)
Item Description Default Policy Setting

Allow screen capture

Allows screen capture of apps or data inside the Android Enterprise profile

Supported in Work Profile for Company Owned Device mode.

Selected

Allow the user to turn on location sharing

Allows device GPS location to be shared with Work apps.

Applicable to Android 6.0 and supported newer versions.

For important information about Android 10-specific Wi-Fi settings, See "Wi-Fi network priority for Android devices" in theIvanti EPMM Device Management Guide for Android and Android Enterprise devices.

Selected

Allow modification of applications in Settings or launchers

Allows user to change application settings such as clearing cache, deleting data, uninstalling, or force stopping apps in App settings screen.

Use “Block uninstall” option in App Catalog app details to prevent user from uninstalling the app.

Selected

Allow the user to configure user credentials

Allows user to change credentials in the Work profile, in Android Settings > Security > Trusted Credentials > Work.

Selected

Allow the user to create and modify accounts

Allows user to create or modify accounts in the Work profile, in Android Settings > Account.

For more information, see When work profile accounts can be modified.

Selected

Allow the user to transfer app data over NFC

Allows use of NFC to transfer app data.

Applicable to Android 6.0 and supported newer versions.

Selected

Google Play Auto-Update Policy

Determines the automatic update policy that Google Play Store uses to update apps on the device. On the device, you can view these options by opening the Google Play Store app and selecting Settings. The option in Google Play Store settings is named Auto-update apps.

The choices for this lockdown policy field are:

  • User Defined- The device user can set theAuto-update appssetting in Google Play Store.
  • Never - Google Play Store never automatically updates apps on the device.
  • Wi-Fi Only - Google Play Store automatically updates apps on the device but only using Wi-Fi, not cellular, connections.
  • Always - Google Play Store automatically updates apps on the device using either Wi-Fi or cellular connections.

The device user can change the Auto-update apps setting in Google Play Store only if you select User Defined on the lockdown policy.

The Google Play Auto-Update Policy value only takes effect when there are Android for enterprise apps assigned to a device.

User Defined

Enable system apps

Allows user access to the system apps that are enabled by the administrator. This could include the system phone and camera. This is useful when a device initially disables system apps and then the administrator wants to enable it. Enabling does not work if the package of the system app is not present in the configuration.

Because of Android limitations, in order to remove an app from the System Apps blacklist, it is not enough for the administrator to remove the application's package name from "Disabled system apps" list box in the Lockdown Policy. Due to Android limitations, the app's package name should also be listed in the "Enabled system apps" list box.

When removing an application from the system apps blacklist, the administrator needs to also add it to the whitelist. This ensures the blacklisted app becomes accessible.

Administrators need to be aware that there are consequences when changing system apps.

Not selected

Disable system apps

Prevents the user from using the system apps restricted by the administrator.

Because of Android limitations, in order to remove an app from the System Apps blacklist, it is not enough for the administrator to remove the application's package name from "Disabled system apps" list box in the Lockdown Policy. Due to Android limitations, the app's package name should also be listed in the "Enabled system apps" list box.

When removing an application from the system apps blacklist, the administrator needs to also add it to the whitelist. This ensures the blacklisted app becomes accessible.

Administrators need to be aware that there are consequences when changing system apps.

Not selected

Ensure Verify apps

Restricts the user from disabling the "Verify Apps" option in Android.

Selected

Restrict Input Methods

Leave blank to permit ONLY system input methods, and add specific package names to enable third-party input apps.

This does NOT apply to devices if users have already selected a third-party input app. This configuration only restricts new changes to the input method.

Not selected

Restrict accessibility services

Leave blank to permit ONLY system input methods, and add specific package names to enable third-party input apps.

This does NOT apply to devices if users have already selected a third-party accessibility service. This configuration only restricts new changes to the accessibility service.

Not selected

Lockdown policies