Lockdown & Kiosk: Android Enterprise
Lockdown & Kiosk: Android Enterprise configuration disables certain features of Android Enterprise devices and creates an Allowlist of apps that will be available to users in kiosk mode.
This section contains the following topics:
Lockdown Settings
Setting |
Description |
---|---|
Name |
Enter a name that identifies this configuration. |
Description |
Enter a description that clarifies the purpose of this configuration. |
Choose Lockdown Type |
Select the type of lockdown settings you want to configure:
Only one type is allowed per configuration. The options displayed depend on the type you select. if a Work Managed Device (Device Owner) and a Managed Device with Work Profile on Company Owned Device configuration is distributed to the same device, the Managed Device with Work Profile takes precedence. |
Work Profile
Disable certain features on Android Enterprise devices.
Setting |
What To Do |
For Devices |
---|---|---|
Disable Screen Capture |
Select to turn off the ability to use the device's built-in screen capture feature. |
|
Disallow Apps Control |
Select to prevent a user from modifying applications in Settings or launchers. |
|
Disallow Config Credentials |
Select to prevent a user from configuring user credentials. |
|
Disallow Cross Profile Copy Paste |
Select to prevent copy/paste of information between profiles. |
|
Disallow Modify Accounts |
Select to prevent a user from adding or removing accounts. |
|
Disallow Outgoing Beam |
Select to prevent a user from using NFC to transfer the app data. |
|
Disallow Share Location |
Select to prevent a user from revealing the device location to apps. |
|
Disallow Debugging Features |
Select to disable debugging features on devices. By default, this option is turned on. |
|
Ensure Verify Apps |
Select to allow application verification features on devices. By default, this option is turned on. When this option is turned off, the device goes back to its default behavior which may vary from device to device. |
|
Disable Unknown Sources on Device |
Select to prevent the device from installing apps from unknown sources. This setting, to take effect on the device, is dependent on an expected Google Play update to enable this feature. |
|
Restrict Input Methods |
Select to restrict Allowlisted IME package names by designating a list of Allowlisted package names via the Package Name field. The devices will have both Allowlisted package input methods and the default system input methods available to use. The user can switch between default system input methods and Allowlisted packages input methods. For Android 10+, Allowlisting is applicable for IME apps on the work profile side only. For older Android versions, Allowlisting is applicable for IME apps device wide (both inside and outside the work profile). |
|
Restrict Accessibility Services |
Select to restrict accessibility services for work apps by designating a list of Allowlisted package names via the Package Name field. If there are no Allowlisted packages, then only system accessibility services will be allowed. |
|
Disable unknown sources inside work profile |
Select to disallow download from unknown sources within the work profile. |
|
Enable/Disable System Apps |
Select to enable and disable system applications to be deployed by designating two lists of package names via the System App Package Name fields. Use this feature to manage access to system applications that are not published in Google Play. Adding an app to the app catalog and also to a system apps list is not supported. |
|
Disable Caller ID |
Sets whether caller ID information from the work profile will be shown in the device for incoming calls. |
|
Disable Contact sharing via Bluetooth |
Select to prevent the device from sharing contacts with other devices via Bluetooth. |
|
Disable Contact sharing via Search |
Select to prevent the users from searching for work contacts from the personal phone dialer. |
|
Disallow auto-fill |
Select to disallow auto-fill |
|
Disallow work app notifications in personal profile |
Select to restrict work profile notifications. |
|
Disallow printing |
Select to restrict printing from all apps. |
|
Disallow share into Profile |
Select to prevent users from sharing personal data into a work profile on the device. |
|
Allow Access to work profile calendars |
Select any of the following options to allow all apps or select a set of apps on the personal side to access the calendar information present in the work profile:
The app on the personal side should implement specific APIs to be able to access shared calendar. |
|
Enable Cross profile Allowlisting of Apps |
Select the checkbox to enable users to share information from specific apps from within the work profile to the personal side of the device. In the Allowlisted Apps field, type the Package IDs of the apps to be Allowlisted, separated by commas. By default, this option is disabled. |
|
Enable 5G Network Slicing |
Select to provide a 5G network slicing option on work profile of the company-owned devices. By default, this option is disabled. |
|
Disallow Sharing Admin Configured Wi-Fi |
Select to prevent users from sharing Wi-Fi configurations set by the administrator. |
|
Work Managed Devices (Device Owner and kiosk mode settings)
Disable certain features on work managed devices (Device Owner) for Android 5.0+.
Setting |
Description |
---|---|
Disable Wi-Fi |
Select to turn off access to wireless LANs. |
Disable Wi-Fi Settings |
Select to turn off access to wireless settings. |
Disable Camera |
Select to turn off camera access. |
Disable Bluetooth (Android 8.0+) |
Select to turn off Bluetooth features. Use caution when using this option. Ivanti recommends against disabling audio because hands-free Bluetooth access is disabled. Legal requirements for hands-free use of devices while driving is becoming more widespread. |
Disallow Bluetooth Settings (Android 8.0+) |
Select to turn off access to Bluetooth settings. |
Disable Screen Capture |
Select to turn off the ability to use the device's built-in screen capture feature. |
Disable Network Reset |
Select to prevent resetting network. (Applicable to Android 7.0+ devices and not supported in Work Profile on Company Owned device mode). |
Mute Master Volume |
Select to mute master volume. |
Disallow Apps Control |
Select to prevent a user from modifying applications in Settings or launchers. |
Disallow Credentials |
Select to prevent a user from configuring user credentials. |
Disallow Emergency Broadcasts |
Select to prevent emergency broadcasts. |
Disallow Mobile Networks |
Select to turn off access to mobile networks. This cannot be disabled if Wi-Fi is disabled. |
Disallow Tethering |
Select to turn off tethering as an option for using the internet connection of one device to provide internet access to another device. |
Disallow VPN |
Select to turn off VPN connections. |
Disallow Factory Reset |
Select to prevent users from returning the device to factory defaults. |
Enable Factory Reset Protection |
Select to allow users from returning the device to factory defaults. You can optionally specify a list of authorized Google account IDs (an integer value) that can provision the device after factory reset or hover over the help icon to view help for retrieving authorized account IDs. |
Disallow Modify Accounts |
Select to prevent a user from adding or removing accounts. |
Disallow NFC (Outgoing Beam) |
Select to prevent a user from using NFC to transfer app data. |
Disallow Outgoing Calls |
Select to prevent a user from making outgoing calls. |
Disallow Safe Boot (Android 6.0+) |
Select to prevent a user from rebooting a device into safe boot mode. |
Disallow Share Location |
Select to prevent a user from revealing the device location to apps. |
Disallow Debugging Features |
Select to disable debugging features on devices. By default, this option is turned on. |
Ensure Verify Apps |
Select to allow application verification features on devices. By default, this option is turned on. When this option is turned off, the device goes back to its default behavior which may vary from device to device. |
Disallow SMS |
Select to prevent a user from sending and receiving SMS messages. |
Disallow Unmute Microphone |
Select to prevent a user from unmuting the device's microphone. |
Disallow Auto Time |
Select to prevent a user from enabling automatic time changes. |
Disallow Auto Time Zone |
Select to prevent a user from enabling automatic device time adjustment with time zone changes. |
Sync time with server (Android 9.0+) |
Select to allow devices to sync time with the Ivanti Neurons for MDM servers first time on registration and thereafter once every 24 hours after each check-in. This option will be available only if the Disable Auto-Time is selected. |
Set timezone (Android 9.0+) |
Specify timezone string in Olson Time Zone ID format (for example, Pacific/Midway). |
Disable Data Roaming |
Select to turn off data exchange while the device is roaming. |
Disable Wi-Fi Sleep |
Select to keep Wi-Fi on while the device is in Sleep mode. |
Restrict Input Methods |
Select to restrict Allowlisted IME package names by designating a list of Allowlisted package names via the Package Name field. The devices will have both Allowlisted package input methods and the default system input methods available to use. The user can switch between default system input methods and Allowlisted packages input methods. For Android 10+, Allowlisting is applicable for IME apps on the device side only. For older Android versions, Allowlisting is applicable for IME apps device wide. |
Restrict Accessibility Services |
Select to restrict accessibility services for work apps by designating a list of Allowlisted package names via the Package Name field. If there are no Allowlisted packages, then only system accessibility services will be allowed. |
Disable USB file transfer |
Select to disable USB file transfer. |
Disable external media |
Select to disable external media. |
Disable keyguard (no effect if PIN/Passcode is set) |
Select to disable the keyguard. This option has no effect if a password, PIN, or pattern is currently set. If a password, PIN or pattern is set after the keyguard is diabled, the keyguard stops being disabled. |
Keep screen on while connected to power. |
Select to keep the screen ON when connected to power. The screen may dim but does not turn off while the device is connected to a power source. This setting will only take effect only if auto-lock or inactivity timeout in the passcode configuration is not used to set a timeout. |
Disallow create windows |
Select to prevent apps from displaying certain types of overlay windows, such as alerts and toasts. |
Skip first use hints |
Select to enable the system recommendation for apps to skip the user tutorial and other introductory hints on first start-up. |
Disallow unknown sources on device |
Select to disallow user from installing apps from unknown sources. |
Set lock screen message (Android 7.0+) |
Select to set the lock screen message to be displayed on the device. Type the lock screen message (maximum of 256 characters) in the text field. By enabling this option, the user is blocked from setting the message in Settings and the message that is set by the admin is displayed to the user. If the admin does not provide any lock screen message after enabling 'Set lock screen message', the user is blocked from setting the message in Settings, but no message is displayed to the user. |
Set screen brightness |
Select to set brightness of your device's screen.
It is recommended to enable the "Disallow config brightness" option before setting the screen brightness of your device. |
Set screen timeout |
Select to set screen timeout duration (in seconds). It is recommended to enable the "Disallow config screen timeout" option before setting the screen brightness of your device. |
Set screen orientation |
Select to set screen orientation. You can set the screen orientation to 0, 90, 180, or 270 degrees from the drop down list. By default, this option is not selected. For Go app 89 and later versions, you must select this option and set the value to 0 to keep the device in Portrait mode in Kiosk. |
Enable/Disable System Apps |
Select to enable and disable system applications to be deployed by designating two lists of package names via the System App Package Name fields. Use this feature to manage access to system applications that are not published in Google Play. Adding an app to the App Catalog and also to a system apps list is not supported. |
Android 8.0+ |
|
Disallow auto-fill |
Select to disallow the user from using auto-fill services. |
Disallow Bluetooth Sharing |
Select to disallow the user from sharing outgoing bluetooth on the device. |
Disable backup service |
Select to disable the backup service. |
Android 9.0+ |
|
Disallow printing |
Select to disallow the user to print. |
Disallow airplane mode |
Select to disable airplane mode on the entire device. |
Disallow ambient display |
Select to disallow the ambient display for the user. |
Disallow config brightness |
Select to disallow the user from configuring the brightness. It is recommended to define the "Set screen brightness mode" mode before selecting this option. |
Disallow config date time |
Select to disallow date, time and timezone configuration. |
Disallow config location |
Select to disallow the user from disabling location providers. |
Disallow config screen timeout |
Select to disallow the user from changing screen off timeout. It is recommended to define the "Set screen timeout" value before selecting this option. |
Android 12.0+ |
|
Enable USB for charging only |
Select to enable the USB port for charging only. |
Android 13.0+ |
|
Set Minimum Required Wi-Fi Security |
Use this option to set minimum required Wi-Fi security:
All the existing devices that do not meet the minimum criteria will be disconnected. Device details will show the Minimum Required Wi-Fi Security level (if available) under the General > Wi-Fi Security Level. |
Disallow Sharing Admin Configured Wi-Fi |
Select to prevent users from sharing Wi-Fi configurations set by the administrator. |
Kiosk Mode Settings: Kiosk mode applies additional restrictions to the devices including limited access to apps via a customized launcher. |
|
Enable Kiosk Mode |
Select to configure kiosk mode on Android devices.
|
Enable Lock Task Mode |
Select to enable lock task mode on Android devices. When enabled, the devices can display keyguard, status bar and safe mode. This option is disabled by default. The following are the additional settings displayed when lock task mode is enabled for Android 9 or supported newer versions: Settings icon - Allows apps to have access to system functions that are dependent on the Device Settings app. Allowing Device Settings helps to avoid the Lock Task Mode violations in scenarios such as Bluetooth pairing from an app. It is recommended to keep this setting enabled for specific apps. System Info- Displays the date/time, connectivity, battery, and vibration mode on the status bar. This option is disabled by default. Keyguard(Enabled by default) - Enables the keyguard during lock task mode. Global Actions(Enabled by default) - Enables the menu that is displayed when the user long-presses the power button. If this option is disabled, the user may not be able to power off the device. Home button- Enables the home button. This option is disabled by default. When enabled, the following sub-options are displayed:
If Home Button option is not enabled, the user will not be able to use the multi window feature. |
Enter Kiosk automatically (on initial setup only) |
Select to automatically allow kiosk mode when the configuration is applied. |
Disable Quick Settings for Android 5 devices |
Select to disable Quick Settings in kiosk mode for devices running on Android 5. |
Disable Quick Settings for Android 6+ and all Samsung devices |
Select to disable Quick Settings in kiosk mode for Android Enterprise devices from version 6 through the most recently released version and for all Samsung devices. Disabling this setting does not block notification icons and sounds on the device. |
Allow User to Access Wi-Fi Settings |
Select to allow a user to change Wi-Fi settings and access preferred wireless networks. |
Allow User to Access Bluetooth Settings |
Select to allow a user to change the Bluetooth settings and pair additional Bluetooth devices. |
Allow User to Access Location Settings |
Select to allow a user access to the location settings. |
Allow User to Delay Application Updates |
Select to allow a user to delay application updates. |
Allow User to Access Date and Time Settings |
Select to allow a user to access date and time settings. |
Allow User to Access Mobile Network Settings |
Select to allow a user to access mobile network settings. |
Allow User to Select Language |
Select to allow the user to access language settings. |
Enable Shared Device |
In a shared device kiosk, the device is shared among multiple end users.This option enable a device for sharing while the device is in kiosk mode:
You can also logout end users from shared kiosk mode by clicking the Sign out Android enterprise kiosk option in the device details page. |
Allow FIDO Auth (Requires Google Chrome app on device) |
Select this option to use the FIDO-authentication for users when using the shared kiosk. Allow users to use FIDO-Keys for logging into the device. Google Chrome is the only supported browser and it must be available on the device for FIDO-authentication to be available in shared kiosk. |
Allow user to configure brightness and auto rotate |
Select to allow user to configure brightness and auto rotate. |
Enable Multi Window |
Select to allow the display of more than one app at the same time with Samsung devices(Device Owner kiosk). To allow multi window in lock task mode, the following lock task mode options should also be enabled:
|
Enable Inactivity Protection |
Select to enable the inactivity protection in Kiosk mode. If selected, the default value is 30 seconds until which the Kiosk screen will remain active. You can set any value between 30 and 3600. |
Kiosk Branding |
Select the default or custom branding options from the drop-down list. |
Kiosk Exit PIN |
Enter the 6-digit PIN that the user must type to exit the Kiosk mode. The PIN must have a minimum of 6 digits and a maximum of 10 digits. This PIN applies to all the devices in kiosk mode. Previously, the Kiosk PIN length was 4 digits. The user can continue to use the 4-digit PIN even after upgrading from a previous version to Ivanti Neurons for MDM 82. However, if there are any configuration changes, the PIN length must be set as per the new requirement (i.e., min 6 digits and max 10 digits). The Go app will protect the device against brute force attacks. For more information, see Go for Android documentation. |
Enable Single App launcher Kiosk |
Select to use the Kiosk mode to keep an app in foreground on GMS and non-GMS devices. You need to select an app from the App Catalog or enter a package ID. |
Create a Allowlist of apps: These apps will be available to users in kiosk Mode by adding apps to the allowed apps list. Drag and Drop to arrange the apps in the order they should appear in the kiosk Mode launcher. Adding an application to the list of allowed apps will not install the app on device. Be sure to distribute each app to the appropriate users and user groups in the App Catalog. |
|
Built-In Apps |
Click +Add to include listed native apps in the group of apps allowed in kiosk mode. Under settings for the Kiosk Mode Allowed Apps, the following options are available:
If you have disabled Dialer or Camera in Lockdown settings above, they cannot be added to the Allowed Apps list. |
App Catalog |
Click +Add to included listed apps from the app catalog in the group of apps allowed in kiosk Mode. |
Other Apps |
Click +Add to include the package name of an app that is not available on the Google Play Store. For Samsung devices, admins should Allowlist the following dialer/system packages to make them functional in Kiosk mode for enabling dialer functionality in Kiosk mode.
|
Kiosk Mode Allowed Apps |
Click X to remove an app from the group of apps allowed in kiosk mode. Drag and drop to change the order in which apps appear on kiosk devices. Add Folder - You can use this option to create a folder under this section and move one or more apps to this folder. You can create folders up to two levels. The apps that are copied to one folder cannot be copied to another. Only 25 apps are supported within a folder. |
For Samsung devices with Knox Standard 4.0 or higher, the multi-user feature is automatically locked down in kiosk mode.
Managed Devices with Work Profile
Disable certain features on managed device with work profile for Android 8.0+.
Certain features can be disabled for work profile on company owned devices (applicable for Android 11+ devices).
Setting |
Description |
---|---|
Managed Device Lockdown Settings |
|
Disable Wi-Fi |
Select to turn off access to wireless LANs.(Not applicable to Android 11+ devices) |
Disable Wi-Fi Settings |
Select to turn off access to wireless settings. |
Disable Camera |
Select to turn off camera access. |
Disable Bluetooth |
Select to turn off Bluetooth features. Use caution when using this option. Ivanti recommends against disabling audio because hands-free Bluetooth access is disabled. Legal requirements for hands-free use of devices while driving is becoming more widespread. |
Disallow Bluetooth Settings |
Select to turn off access to Bluetooth settings. |
Disable Network Reset |
Select to prevent resetting network (applicable to devices on Android 7.0 and later versions). |
Mute Master Volume |
Select to mute master volume. (Not applicable to Android 11+ devices) |
Disallow Emergency Broadcasts |
Select to prevent emergency broadcasts. |
Disallow Mobile Networks |
Select to turn off access to mobile networks. This cannot be disabled if Wi-Fi is disabled. |
Disallow Tethering |
Select to turn off tethering as an option for using the internet connection of one device to provide internet access to another device. |
Disallow VPN |
Select to turn off VPN connections. (Not applicable to Android 11+ devices) |
Disable Factory Reset |
Select to prevent users from returning the device to factory defaults. (Not applicable to Android 11+ devices) |
Enable Factory Reset Protection |
Select to allow users to return the device to factory defaults. You can optionally specify a list of authorized Google account IDs (an integer value) that can provision the device after factory reset or hover over the help icon to view help for retrieving authorized account IDs. |
Disallow Outgoing Calls |
Select to prevent a user from making outgoing calls. |
Disallow Safe Boot (Android 6.0+) |
Select to prevent a user from rebooting a device into safe boot mode. |
Disallow Debugging Features |
Select to disable debugging features on devices. By default, this option is turned on. |
Ensure Verify Apps |
Select to allow application verification features on devices. By default, this option is turned on. When this option is turned off, the device goes back to its default behavior which may vary from device to device. |
Disallow SMS |
Select to prevent a user from sending and receiving SMS messages. |
Disallow Unmute Microphone |
Select to prevent a user from unmuting the device's microphone. |
Disallow Auto Time |
Select to prevent a user from enabling automatic time changes. |
Disallow Auto Time Zone |
Select to prevent a user from enabling automatic device time adjustment with time zone changes. |
Disable Data Roaming |
Select to turn off data exchange while the device is roaming. |
Sync time with server (Android 9.0+) |
Select to allow devices to sync time with the Ivanti Neurons for MDM servers first time on registration and thereafter once every 24 hours after each check-in. This option will be available only if the Disable Auto-Time is selected. |
Set timezone (Android 9.0+) |
Specify timezone string in Olson Time Zone ID format (for example, Pacific/Midway). |
Disable Wi-Fi Sleep |
Select to keep Wi-Fi on while the device is in Sleep mode. (Not applicable to Android 11+ devices) |
Restrict Input Methods |
Select to restrict input methods for work apps by designating a list of Allowlisted package names via the Package Name field.(Not applicable to Android 11+ devices) The devices will have both Allowlisted package input methods and the default system input methods available to use. The user can switch between default system input methods and Allowlisted packages input methods. In Android 10+, the input methods are applicable only for the device side, else they are restricted to the entire device. |
Restrict Accessibility Services |
Select to restrict accessibility services for work apps by designating a list of Allowlisted package names via the Package Name field. If there are no Allowlisted packages, then only system accessibility services will be allowed. In Android 10+, the input methods are restricted to Work Apps only, else they are restricted to the entire device. |
Disable USB file transfer |
Select to disable USB file transfer. |
Disable external media |
Select to disable external media. |
Disallow Unknown Sources on device |
Select to prevent the device from installing apps from unknown sources. This setting, to take effect on the device, is dependent on an expected Google Play update to enable this feature. |
Set lock screen message (Android 7.0+) |
Select to set the lock screen message to be displayed on the device. Type the lock screen message (maximum of 256 characters) in the text field. By enabling this option, the user is blocked from setting the message in Settings and the message that is set by the admin is displayed to the user. If the admin does not provide any lock screen message after enabling 'Set lock screen message', the user is blocked from setting the message in Settings, but no message is displayed to the user. |
Set screen brightness |
Select to set brightness of your device's screen.
It is recommended to enable the "Disallow config brightness" option before setting the screen brightness of your device. If the user is allowed to make changes, these settings will be reset to the admin defined settings on next check-in. This setting is not supported on devices with Android 11 and later versions for Work Profile on Company Owned Device mode. |
Set screen timeout |
Select to set screen timeout duration (in seconds). It is recommended to enable the "Disallow config screen timeout" option before setting the screen brightness of your device. If the user is allowed to make changes, these settings will be reset to the admin defined settings on next check-in. This setting is not supported on devices with Android 11 and later versions for Work Profile on Company Owned Device mode. |
Set screen orientation |
Select to set screen orientation. You can set the screen orientation to 0, 90, 180, or 270 degrees from the drop down list. This setting is not supported on devices with Android 11 and later versions for Work Profile on Company Owned Device mode. |
Disallow auto-fill (Android 8.0+) |
Select to disallow auto fill. (Not applicable to Android 11+ devices) |
Disallow Bluetooth Sharing (Android 8.0+) |
Select to disallow the user from sharing outgoing bluetooth on the device. |
Disable backup service (Android 8.0+) |
Select to disable the backup service. (Not applicable to Android 11+ devices) |
Disallow printing (Android 9.0+) |
Select to restrict printing from all apps.(Not applicable to Android 11+ devices) |
Disallow airplane mode (Android 9.0+) |
Select to disable airplane mode on the entire device. |
Disallow ambient display (Android 9.0+) |
Select to disallow the ambient display for the user. (Not applicable to Android 11+ devices) |
Disallow config brightness (Android 9.0+) |
Select to disallow the user from configuring the brightness (Not applicable to Android 11+ devices). It is recommended to define the "Set screen brightness mode" before selecting this option. |
Disallow config date time (Android 9.0+) |
Select to disallow date, time and timezone configuration. |
Disallow config location (Android 9.0+) |
Select to disallow the user from disabling location providers. |
Disallow config screen timeout (Android 9.0+) |
Select to disallow the user from changing screen off timeout. (Not applicable to Android 11+ devices) It is recommended to set the "Set screen timeout" values before selecting this option. |
Disallow system error dialogs (Android 9.0+) |
Select to disallow system error dialogs.(Not applicable to Android 11+ devices) |
Disable Screen Capture (Android 11.0+) |
Select to turn off the ability to use the device's built-in screen capture feature. When selected, screen capture is disabled on the personal side of the device. |
Android 12.0+ |
|
Enable USB for charging only |
Select to enable the USB port for charging only. |
Android 13.0+ |
|
Set Minimum Required Wi-Fi Security |
Use this option to set minimum required Wi-Fi security:
All the existing devices that do not meet the minimum criteria will be disconnected. Device details will show the Minimum Required Wi-Fi Security level (if available) under the General > Wi-Fi Security Level. |
Disallow Sharing Admin Configured Wi-Fi |
Select to prevent users from sharing Wi-Fi configurations set by the administrator. |
Work Profile Lockdown Settings |
|
Disable Screen Capture |
Select to turn off the ability to use the device's built-in screen capture feature. |
Disallow Apps Control |
Select to prevent a user from modifying applications in Settings or launchers. |
Disallow Config Credentials |
Select to prevent a user from configuring user credentials. |
Disallow Cross Profile Copy Paste |
Select to prevent copy/paste of information between profiles. |
Disallow Modify Accounts |
Select to prevent a user from adding or removing accounts. |
Disallow NFC (Outgoing Beam) (Android 5.1+) |
Select to prevent a user from using NFC to transfer app data. |
Disallow Share Location |
Select to prevent websites and apps from prompting the device user to share device location. |
Disallow Debugging Features |
Select to disable debugging features on devices. By default, this option is turned on. |
Ensure Verify Apps |
Select to allow application verification features on devices. By default, this option is turned on. When this option is turned off, the device goes back to its default behavior which may vary from device to device. |
Disable unknown sources inside work profile |
Select to disallow download from unknown sources within the work profile. |
Enable/Disable System Apps |
Select to enable and disable system applications to be deployed by designating two lists of package names via the System App Package Name fields. Use this feature to manage access to system applications that are not published in Google Play. Adding an app to the app catalog and also to a system apps list is not supported. |
Disable Caller ID (Android 6.0+) |
Sets whether caller ID information from the work profile will be shown in the device for incoming calls. |
Disable Contact sharing via Bluetooth (Android 6.0+) |
Select to prevent the device from sharing contacts with other devices via Bluetooth. |
Disable Contact sharing via Search (Android 7.0+) |
Select to prevent the users from searching for work contacts from the personal phone dialer. |
Disallow auto-fill (Android 8.0+) |
Select to disallow auto fill. (Not applicable to Android 11+ devices) |
Disallow work app notifications in personal profile (Android 8.0+) |
Select to restrict work profile notifications. |
Disallow printing (Android 9.0+) |
Select to restrict the printing from all apps. (Not applicable to Android 11+ devices) |
Disallow share into Profile (Android 9.0+) |
Select to prevent users from sharing personal data into a work profile on the device. |
Restrict input methods (Android 10.0+) |
Select to restrict Allowlisted IME package names by designating a list of Allowlisted package names via the Package Name field (Not applicable to Android 11+ devices). The devices will have both Allowlisted package input methods and the default system input methods available to use. The user can switch between default system input methods and Allowlisted packages input methods. The input methods will apply for IME apps installed on the work profile side. Even if the apps installed on the device side are Allowlisted for this lockdown, those will not be available for apps to use on the work profile side. |
Allow Access to work profile calendars (Android 10.0+) |
Select any of the following options to allow all apps or select a set of apps on the personal side to access the calendar information present in the work profile :
The app on the personal side should implement specific APIs to be able to access shared calendar. |
Enable Cross profile Allowlisting of Apps (Android 11.0+) |
Select the checkbox to enable users to share information from specific apps from within the work profile to the personal side of the device. In the Allowlisted Apps field, type the Package IDs of the apps to be Allowlisted, separated by commas. By default, this option is disabled. |
Enable Maximum Profile Timeout (Android 11.0+) |
Select to set a maximum time window the work profile can be turned off before Ivanti Neurons for MDM suspends personal apps on the device. You can set a time between 72 and 8760 hours. 8760 hours is one year of time. Default value is set to 72 hrs if the option is selected. The device user sees a message prompting to turn on the work profile to enable suspended apps. Available for Android 11+ devices in Work Profile on Company Owned Device. |
Enable 5G Network Slicing (Android 12.0+) |
Select to provide a 5G network slicing option on Work-Profile of the company-owned devices. By default, this option is disabled. |
For more information, see How to create a configuration