Lockdown & Kiosk: Android Enterprise

Lockdown & Kiosk: Android Enterprise configuration disables certain features of Android Enterprise devices and creates an Allowlist of apps that will be available to users in kiosk mode.

This section contains the following topics:

Lockdown Settings

Setting

Description

Name

Enter a name that identifies this configuration.

Description

Enter a description that clarifies the purpose of this configuration.

Choose Lockdown Type

Select the type of lockdown settings you want to configure:

  • Work Profile
  • Work Managed Devices (Device Owner and kiosk mode settings)
  • Managed Device with Work Profile/Work Profile on Company Owned Device Lockdown Settings

    Work Profile on Company Owned Device Lockdown Settings is applicable only for Android 11+ devices.

Only one type is allowed per configuration. The options displayed depend on the type you select.

If a Work Managed Device (Device Owner) configuration and a Managed Device with Work Profile on Company Owned Device configuration are distributed to the same device, the Managed Device with Work Profile takes precedence.

Work Profile

Disable certain features on Android Enterprise devices.

Setting

What To Do

For Devices

Disable Screen Capture

Select to turn off the ability to use the device's built-in screen capture feature.

  • Android 5.0+

Disallow Apps Control

Select to prevent a user from modifying applications in Settings or launchers.

  • Android 5.0+

Disallow Config Credentials

Select to prevent a user from configuring user credentials.

  • Android 5.0+

Disallow Cross Profile Copy Paste

Select to prevent copy/paste of information between profiles.

  • Android 5.0+

Disallow Modify Accounts

Select to prevent a user from adding or removing accounts.

  • Android 5.0+

Disallow Outgoing Beam

Select to prevent a user from using NFC to transfer the app data.

  • Android 5.1+

Disallow Share Location

Select to prevent a user from revealing the device location to apps.

  • Android 5.0+

Disallow Debugging Features

Select to disable debugging features on devices. By default, this option is turned on.

  • Android 5.0+

Ensure Verify Apps

Select to allow application verification features on devices. By default, this option is turned on.

When this option is turned off, the device goes back to its default behavior which may vary from device to device.

  • Android 5.0+

Disable Unknown Sources on Device

Select to prevent the device from installing apps from unknown sources.

This setting, to take effect on the device, is dependent on an expected Google Play update to enable this feature.

  • Android 5.0+

Restrict Input Methods

Select to restrict Allowlisted IME package names by designating a list of Allowlisted package names via the Package Name field. The devices will have both Allowlisted package input methods and the default system input methods available to use.

The user can switch between default system input methods and Allowlisted packages input methods.

For Android 10+, Allowlisting is applicable for IME apps on the work profile side only. For older Android versions, Allowlisting is applicable for IME apps device wide (both inside and outside the work profile).

  • Android 5.0+

Restrict Accessibility Services

Select to restrict accessibility services for work apps by designating a list of Allowlisted package names via the Package Name field. If there are no Allowlisted packages, then only system accessibility services will be allowed.

  • Android 5.0+

Disable unknown sources inside work profile

Select to disallow download from unknown sources within the work profile.

  • Android 5.0+

Enable/Disable System Apps

Select to enable and disable system applications to be deployed by designating two lists of package names via the System App Package Name fields.

Use this feature to manage access to system applications that are not published in Google Play.

Adding an app to the app catalog and also to a system apps list is not supported.

  • Android 5.0+

Disable Caller ID

Sets whether caller ID information from the work profile will be shown in the device for incoming calls.

  • Android 6.0+

Disable Contact sharing via Bluetooth

Select to prevent the device from sharing contacts with other devices via Bluetooth.

  • Android 6.0+

Disable Contact sharing via Search

Select to prevent the users from searching for work contacts from the personal phone dialer.

  • Android 7.0+

Disallow auto-fill

Select to disallow auto-fill.

  • Android 8.0+

Disallow work app notifications in personal profile

Select to restrict work profile notifications.

  • Android 8.0+

Disallow printing

Select to restrict printing from all apps.

  • Android 9.0+

Disallow share into Profile

Select to prevent users from sharing personal data into a work profile on the device.

  • Android 9.0+

Allow Access to work profile calendars

Select any of the following options to allow all apps or select a set of apps on the personal side to access the calendar information present in the work profile:

  • All Apps on Personal Profile - Allow all apps to access the calendar information present in the work profile.
  • Only the following apps on Personal Profile - In the text field below, enter the bundle IDs of the apps separated by a comma. Only these selected apps on the personal side will be allowed to access the calendar information present in the work profile.

The app on the personal side should implement specific APIs to be able to access shared calendar.

  • Android 10.0+

Enable Cross profile Allowlisting of Apps

Select the checkbox to enable users to share information from specific apps from within the work profile to the personal side of the device.

In the Allowlisted Apps field, type the Package IDs of the apps to be Allowlisted, separated by commas.

By default, this option is disabled.

  • Android 11.0+

Enable 5G Network Slicing

Select to provide a 5G network slicing option on work profile of the company-owned devices.

By default, this option is disabled.

  • Android 12.0+

 

Work Managed Devices Lockdown Settings

Disable certain features on work managed devices (Device Owner) for Android 5.0+.

Setting

Description

Disable Wi-Fi

Select to turn off access to wireless LANs.

Disable Wi-Fi Settings

Select to turn off access to wireless settings.

Disable Camera

Select to turn off camera access.

Disable Bluetooth

(Android 8.0+)

Select to turn off Bluetooth features.

Use caution when using this option. Ivanti recommends against disabling audio because hands-free Bluetooth access is disabled. Legal requirements for hands-free use of devices while driving are becoming more widespread.

Disallow Bluetooth Settings

(Android 8.0+)

Select to turn off access to Bluetooth settings.

Disable Screen Capture

Select to turn off the ability to use the device's built-in screen capture feature.

Mute Master Volume

Select to mute master volume.

Disallow Apps Control

Select to prevent a user from modifying applications in Settings or launchers.

Disallow Credentials

Select to prevent a user from configuring user credentials.

Disallow Emergency Broadcasts

Select to prevent emergency broadcasts.

Disallow Mobile Networks

Select to turn off access to mobile networks.

This cannot be disabled if Wi-Fi is disabled.

Disallow Tethering

Select to turn off tethering as an option for using the internet connection of one device to provide internet access to another device.

Disallow VPN

Select to turn off VPN connections.

Disallow Factory Reset

Select to prevent users from returning the device to factory defaults.

Enable Factory Reset Protection

Select to allow users to return the device to factory defaults.

You can optionally specify a list of authorized Google account IDs (an integer value) that can provision the device after factory reset or hover over the help icon to view help for retrieving authorized account IDs.

Disallow Modify Accounts

Select to prevent a user from adding or removing accounts.

Disallow NFC (Outgoing Beam)

Select to prevent a user from using NFC to transfer app data.

Disallow Outgoing Calls

Select to prevent a user from making outgoing calls.

Disallow Safe Boot (Android 6.0+)

Select to prevent a user from rebooting a device into safe boot mode.

Disallow Share Location

Select to prevent a user from revealing the device location to apps.

Disallow Debugging Features

Select to disable debugging features on devices. By default, this option is turned on.

Ensure Verify Apps

Select to allow application verification features on devices. By default, this option is turned on.

When this option is turned off, the device goes back to its default behavior which may vary from device to device.

Disallow SMS

Select to prevent a user from sending and receiving SMS messages.

Disallow Unmute Microphone

Select to prevent a user from unmuting the device's microphone.

Disallow Auto Time

Select to prevent a user from enabling automatic time changes.

Disallow Auto Time Zone

Select to prevent a user from enabling automatic device time adjustment with time zone changes.

Sync time with server (Android 9.0+)

Select to allow devices to sync time with the Ivanti Neurons for MDM servers the first time on registration and thereafter once every 24 hours after each check-in. This option is available only if Disable Auto-Time is selected.

Set timezone (Android 9.0+)

Specify timezone string in Olson Time Zone ID format (for example, Pacific/Midway).

Disable Data Roaming

Select to turn off data exchange while the device is roaming.

Disable Wi-Fi Sleep

Select to keep Wi-Fi on while the device is in Sleep mode.

Restrict Input Methods

Select to restrict Allowlisted IME package names by designating a list of Allowlisted package names via the Package Name field. The devices will have both Allowlisted package input methods and the default system input methods available to use.

The user can switch between default system input methods and Allowlisted packages input methods.

For Android 10+, Allowlisting is applicable for IME apps on the device side only. For older Android versions, Allowlisting is applicable for IME apps device wide.

Restrict Accessibility Services

Select to restrict accessibility services for work apps by designating a list of Allowlisted package names via the Package Name field. If there are no Allowlisted packages, then only system accessibility services will be allowed.

Disable USB file transfer

Select to disable USB file transfer.

Disable external media

Select to disable external media.

Disable keyguard (no effect if PIN/Passcode is set)

Select to disable the keyguard. This option has no effect if a password, PIN, or pattern is currently set.

If a password, PIN, or pattern is set after the keyguard is disabled, the keyguard stops being disabled.

Keep screen on while connected to power.

Select to keep the screen ON when connected to power. The screen may dim but does not turn off while the device is connected to a power source.

This setting takes effect only if auto-lock or inactivity timeout in the passcode configuration is not used to set a timeout.

Disallow create windows

Select to prevent apps from displaying certain types of overlay windows, such as alerts and toasts.

Skip first use hints

Select to enable the system recommendation for apps to skip the user tutorial and other introductory hints on first start-up.

Disallow unknown sources on device

Select to disallow the user from installing apps from unknown sources.

Set lock screen message (Android 7.0+)

Select to set the lock screen message to be displayed on the device. Type the lock screen message (maximum of 256 characters) in the text field. By enabling this option, the user is blocked from setting the message in Settings and the message that is set by the admin is displayed to the user.

If the admin does not provide any lock screen message after enabling 'Set lock screen message', the user is blocked from setting the message in Settings, but no message is displayed to the user.

Set screen brightness

Select to set brightness of your device's screen.

  • Manual - Select to enter a number manually (0 to 255) 
  • Adaptive - Select to allow the device to set the brightness

It is recommended to enable the "Disallow config brightness" option before setting the screen brightness of your device.

Set screen timeout

Select to set screen timeout duration (in seconds).

It is recommended to enable the "Disallow config screen timeout" option before setting the screen brightness of your device.

Set screen orientation

Select to set screen orientation. You can set the screen orientation to 0, 90, 180, or 270 degrees from the drop down list.

By default, this option is not selected. For Go app 89 and later versions, you must select this option and set the value to 0 to keep the device in Portrait mode in Kiosk.

Enable/Disable System Apps

Select to enable and disable system applications to be deployed by designating two lists of package names via the System App Package Name fields. Use this feature to manage access to system applications that are not published in Google Play.

Adding an app to the App Catalog and also to a system apps list is not supported.

Android 8.0+

Disallow auto-fill

Select to disallow the user from using auto-fill services.

Disallow Bluetooth Sharing

Select to disallow the user from sharing outgoing bluetooth on the device.

Disable backup service

Select to disable the backup service.

Android 9.0+

Disallow printing

Select to disallow the user from printing.

Disallow airplane mode

Select to disable airplane mode on the entire device.

Disallow ambient display

Select to disallow the ambient display for the user.

Disallow config brightness

Select to disallow the user from configuring the brightness.

It is recommended to define the "Set screen brightness mode" before selecting this option.

Disallow config date time

Select to disallow date, time and timezone configuration.

Disallow config location

Select to disallow the user from disabling location providers.

Disallow config screen timeout

Select to disallow the user from changing screen off timeout.

It is recommended to define the "Set screen timeout" value before selecting this option.

Android 12.0+

Enable USB for charging only

Select to enable the USB port for charging only.

Android 13.0+

Set Minimum Required Wi-Fi Security

Use this option to set minimum required Wi-Fi security:

  • No minimum security required – Select this option if no minimum security is required
  • Personal Network Based Security – Select this option to block personal Wi-Fi networks such as WEP, WPA/WPA2/WPA3, etc.
  • Enterprise EAP Network Based Security – Select this option to block EAP protocol-based Wi-Fi networks
  • Enterprise 192 Network Based Security - Select this option to block EAP corporate-based Wi-Fi networks

All the existing devices that do not meet the minimum criteria will be disconnected.

Device details will show the Minimum Required Wi-Fi Security level (if available) under the General > Wi-Fi Security Level.

Kiosk Mode Settings: Kiosk mode applies additional restrictions to the devices including limited access to apps via a customized launcher.

Enable Kiosk Mode

Select to configure kiosk mode on Android devices.

  • When a user logs into the Shared Kiosk mode and logs out, the user name remains available in the Go client for future logins. In shared Kiosk mode, the Go client preserves the seven most recently used user names.
  • The shared kiosk mode now supports IDP Authentication. If Ivanti Neurons for MDM is configured with IDP, the Shared Kiosk mode can be used with IDP Authentication.

Enable Lock Task Mode

Select to enable lock task mode on Android devices. When enabled, the devices can display keyguard, status bar and safe mode. This option is disabled by default.

The following are the additional settings displayed when lock task mode is enabled for Android 9 or supported newer versions:

Settings icon - Allows apps to have access to system functions that are dependent on the Device Settings app. Allowing Device Settings helps to avoid the Lock Task Mode violations in scenarios such as Bluetooth pairing from an app. It is recommended to keep this setting enabled for specific apps.

System Info - Displays the date/time, connectivity, battery, and vibration mode on the status bar. This option is disabled by default.

Keyguard (Enabled by default) - Enables the keyguard during lock task mode.

Global Actions (Enabled by default) - Enables the menu that is displayed when the user long-presses the power button. If this option is disabled, the user may not be able to power off the device.

Home button - Enables the home button. This option is disabled by default. When enabled, the following sub-options are displayed:

  • Overview Button (Disabled by default) - Enables the Overview button and the Overview screen during lock task mode.
  • Notifications (Disabled by default) - Enables notifications during lock task mode. This includes notification icons on the status bar, heads-up notifications, and the expandable notification shade.

If Home Button option is not enabled, the user will not be able to use the multi window feature.

Enter Kiosk automatically (on initial setup only)

Select to automatically allow kiosk mode when the configuration is applied.

Disable Quick Settings for Android 5 devices

Select to disable Quick Settings in kiosk mode for devices running on Android 5.

Disable Quick Settings for Android 6+ and all Samsung devices

Select to disable Quick Settings in kiosk mode for Android Enterprise devices from version 6 through the most recently released version and for all Samsung devices.

Disabling this setting does not block notification icons and sounds on the device.

Allow User to Access Wi-Fi Settings

Select to allow a user to change Wi-Fi settings and access preferred wireless networks.

Allow User to Access Bluetooth Settings

Select to allow a user to change the Bluetooth settings and pair additional Bluetooth devices.

Allow User to Access Location Settings

Select to allow a user access to the location settings.

Allow User to Delay Application Updates

Select to allow a user to delay application updates.

Allow User to Access Date and Time Settings

Select to allow a user to access date and time settings.

Allow User to Access Mobile Network Settings

Select to allow a user to access mobile network settings.

Allow User to Select Language

Select to allow the user to access language settings.

Enable Shared Device

In a shared device kiosk, the device is shared among multiple end users. This option enables a device for sharing while the device is in kiosk mode:

  • Enable Login: This option is for a kiosk admin user. When a device is configured with this option, the user login screen will be displayed, allowing an end user to log in to the shared device kiosk.

    The Enable Login option is visible only if the user is created as an Android Enterprise Device Account user (staging user).

    Select Use domain substitution and enter the domain appropriately.

    This option checks the username for domain suffix. If the domain suffix is missing, the system automatically appends the domain suffix to the username.

  • Enable Logout: When a device is configured with this option, the logged in end user will have access to the Allowlisted apps. This user can see the option to log out, but cannot exit kiosk. When a user logs out of the shared device kiosk, another user can login to the shared device kiosk and view the apps as configured by the admin.

  • Apps appear with a Recycle icon, which is used for enforcing reinstallation of an app on every login. This option can be used for apps that cache data locally.

    The user can exit kiosk mode if the admin provides the exit kiosk PIN.

  • Timeout: Specify the timeout duration in hours. For example, when the timeout duration is configured for 2 hours and the end user fails to logout of the shared device kiosk, the logout action will be automatically performed on the device after 2 hours.

    The Timeout field is displayed only when the Enable Logout option is selected and it is optional.

You can also logout end users from shared kiosk mode by clicking the Sign out Android enterprise kiosk option in the device details page.

Allow FIDO Auth (Requires Google Chrome app on device)

Select this option to use the FIDO-authentication for users when using the shared kiosk. Allow users to use FIDO-Keys for logging into the device.

Google Chrome is the only supported browser and it must be available on the device for FIDO-authentication to be available in shared kiosk.

Allow user to configure brightness and auto rotate

Select to allow the user to configure brightness and auto rotate.

Enable Multi Window

Select to allow the display of more than one app at the same time with Samsung devices (Device Owner kiosk).

To allow multi window in lock task mode, the following lock task mode options should also be enabled:

  • Home Button
  • Overview Button

Kiosk Branding

Select the default or custom branding options from the drop-down list.

Kiosk Exit PIN

Enter the 6-digit PIN that the user must type to exit the Kiosk mode. The PIN must have a minimum of 6 digits and a maximum of 10 digits. This PIN applies to all the devices in kiosk mode.

Previously, the Kiosk PIN length was 4 digits. The user can continue to use the 4-digit PIN even after upgrading from a previous version to Ivanti Neurons for MDM 82. However, if there are any configuration changes, the PIN length must be set as per the new requirement (i.e., min 6 digits and max 10 digits).

The Go app will protect the device against brute force attacks. For more information, see Go for Android documentation.

Create an Allowlist of apps: Apps added to the allowed apps list will be available to users in kiosk mode. Drag and drop to arrange the apps in the order they should appear in the kiosk mode launcher.

Adding an application to the list of allowed apps will not install the app on device. Be sure to distribute each app to the appropriate users and user groups in the App Catalog.

Built-In Apps

Click +Add to include listed native apps in the group of apps allowed in kiosk mode.

Under settings for the Kiosk Mode Allowed Apps, the following options are available:

  • Clear app user data: Enabling this option causes all the application data to be cleared automatically, without any prompts, when the user logs out of the kiosk.

    Select Enable Shared Device in the Kiosk mode settings for this option to be available with the applications.

    • App data is not cleared for Google Chrome and webview package even if they are added in the app Allowlist with clear user data enabled. This is because Kiosk might crash if app data is cleared for these 2 packages.

    • App data is not cleared for System apps for which app launcher is not available (both inside and outside kiosk).

  • Make hidden: Enabling this option keeps the application accessible to other apps but not available in the Kiosk launcher.

If you have disabled Dialer or Camera in Lockdown settings above, they cannot be added to the Allowed Apps list.

App Catalog

Click +Add to include listed apps from the app catalog in the group of apps allowed in kiosk mode.

Other Apps

Click +Add to include the package name of an app that is not available on the Google Play Store.

For Samsung devices, admins should Allowlist the following dialer/system packages to enable dialer functionality in Kiosk mode.

  • Call – com.samsung.android.incallui
  • Phone – com.samsung.android.dialer (should be Allowlisted and the admin should select hide option for this package to avoid issues with two dialer options for the user)
  • Call – com.sec.phone
  • Call Setting – com.samsung.android.app.telephonyui
  • Assisted Dialing – com.sec.providers.assisteddialing
  • Call Log Backup / Restore – com.android.calllogbackup
  • Dialer Storage – com.android.providers.telephony
  • Phone – com.android.server.telecom
  • Phone – com.android.phone
  • Smart Call – com.samsung.android.smartcallprovider
  • WiFi Calling – com.sec.unifiedwfc

Kiosk Mode Allowed Apps

Click X to remove an app from the group of apps allowed in kiosk mode. Drag and drop to change the order in which apps appear on kiosk devices.

For Samsung devices with Knox Standard 4.0 or higher, the multi-user feature is automatically locked down in kiosk mode.
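Several of the Work Managed Device and kiosk settings above constrain one another (for example, the Home Button and Overview Button requirement for multi window, or the 6 to 10 digit exit PIN). The following check is an added example, not Ivanti code: it lints a configuration held as a Python dict against those stated constraints before the configuration is distributed. The dict layout and every key name are hypothetical, since this page does not show an export format, and the sample configurations are constructed.

```python
import re

VALID_ORIENTATIONS = {0, 90, 180, 270}


def lint_lockdown(cfg):
    """Check a lockdown/kiosk config dict (hypothetical key names) against
    constraints stated on this page. Returns (rule_id, severity, message) tuples."""
    out = []

    def add(rule, severity, message):
        out.append((rule, severity, message))

    if cfg.get("disable_wifi") and cfg.get("disallow_mobile_networks"):
        add("NET-1", "error", "mobile networks cannot be disallowed while Wi-Fi is disabled")
    # The page names the prerequisite "Disable Auto-Time"; assumed here to be
    # the Disallow Auto Time setting.
    if cfg.get("sync_time_with_server") and not cfg.get("disallow_auto_time"):
        add("TIME-1", "error", "Sync time with server needs auto time disallowed")
    # Both options are on by default; flag a config that turns either off.
    for key in ("disallow_debugging_features", "ensure_verify_apps"):
        if cfg.get(key, True) is False:
            add("DEF-1", "warn", f"{key} is turned off (default is on)")
    if len(cfg.get("lock_screen_message", "")) > 256:
        add("MSG-1", "error", "lock screen message exceeds 256 characters")
    bright = cfg.get("screen_brightness")
    if bright:
        value = bright.get("value")
        if bright.get("mode") == "manual" and not (isinstance(value, int) and 0 <= value <= 255):
            add("SCR-1", "error", "manual brightness must be 0 to 255")
        if not cfg.get("disallow_config_brightness"):
            add("SCR-2", "warn", "enable Disallow config brightness before setting brightness")
    if "screen_timeout_seconds" in cfg and not cfg.get("disallow_config_screen_timeout"):
        add("SCR-3", "warn", "enable Disallow config screen timeout before setting a timeout")
    if "screen_orientation" in cfg and cfg["screen_orientation"] not in VALID_ORIENTATIONS:
        add("SCR-4", "error", "orientation must be 0, 90, 180 or 270")

    kiosk = cfg.get("kiosk") or {}
    if not kiosk.get("enabled"):
        return out
    if not re.fullmatch(r"[0-9]{6,10}", str(kiosk.get("exit_pin", ""))):
        add("PIN-1", "error", "kiosk exit PIN must be 6 to 10 digits")
    lock_task = kiosk.get("lock_task") or {}
    if lock_task.get("enabled"):
        home = lock_task.get("home")
        if (lock_task.get("overview") or lock_task.get("notifications")) and not home:
            add("LTM-1", "error", "Overview/Notifications are sub-options of Home button")
        if kiosk.get("multi_window") and not (home and lock_task.get("overview")):
            add("LTM-2", "error", "multi window in lock task mode needs Home and Overview buttons")
        if lock_task.get("global_actions", True) is False:
            add("LTM-3", "warn", "Global Actions off: user may be unable to power off")
    shared = kiosk.get("shared_device") or {}
    if "timeout_hours" in shared and not shared.get("enable_logout"):
        add("SHR-1", "error", "Timeout applies only when Enable Logout is selected")
    for app in kiosk.get("allowed_apps", []):
        if app.get("clear_app_user_data") and not shared.get("enabled"):
            add("SHR-2", "error", f"{app.get('package')}: Clear app user data needs Enable Shared Device")
    return out


# Constructed sample: a config that breaks most of the rules above.
SAMPLE_BAD = {
    "disable_wifi": True,
    "disallow_mobile_networks": True,
    "sync_time_with_server": True,
    "disallow_debugging_features": False,
    "lock_screen_message": "Property of Example Corp",
    "screen_brightness": {"mode": "manual", "value": 300},
    "screen_orientation": 45,
    "kiosk": {
        "enabled": True,
        "exit_pin": "1234",
        "lock_task": {"enabled": True, "home": False, "overview": True, "global_actions": False},
        "multi_window": True,
        "shared_device": {"enabled": False, "timeout_hours": 2},
        "allowed_apps": [{"package": "com.example.pos", "clear_app_user_data": True}],
    },
}

# Constructed sample: the same intent expressed consistently.
SAMPLE_GOOD = {
    "disallow_auto_time": True,
    "sync_time_with_server": True,
    "screen_brightness": {"mode": "manual", "value": 128},
    "disallow_config_brightness": True,
    "screen_orientation": 0,
    "kiosk": {
        "enabled": True,
        "exit_pin": "482915",
        "lock_task": {"enabled": True, "home": True, "overview": True},
        "multi_window": True,
        "shared_device": {"enabled": True, "enable_logout": True, "timeout_hours": 2},
        "allowed_apps": [{"package": "com.example.pos", "clear_app_user_data": True}],
    },
}

if __name__ == "__main__":
    for rule, severity, message in lint_lockdown(SAMPLE_BAD):
        print(f"{severity.upper():5} {rule}: {message}")
```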

Managed Devices with Work Profile

Disable certain features on managed device with work profile for Android 8.0+.

Certain features can be disabled for work profile on company owned devices (applicable for Android 11+ devices).

Setting

Description

Managed Device Lockdown Settings

Disable Wi-Fi

Select to turn off access to wireless LANs. (Not applicable to Android 11+ devices)

Disable Wi-Fi Settings

Select to turn off access to wireless settings.

Disable Camera

Select to turn off camera access.

Disable Bluetooth

Select to turn off Bluetooth features.

Use caution when using this option. Ivanti recommends against disabling audio because hands-free Bluetooth access is disabled. Legal requirements for hands-free use of devices while driving are becoming more widespread.

Disallow Bluetooth Settings

Select to turn off access to Bluetooth settings.

Mute Master Volume

Select to mute master volume. (Not applicable to Android 11+ devices)

Disallow Emergency Broadcasts

Select to prevent emergency broadcasts.

Disallow Mobile Networks

Select to turn off access to mobile networks.

This cannot be disabled if Wi-Fi is disabled.

Disallow Tethering

Select to turn off tethering as an option for using the internet connection of one device to provide internet access to another device.

Disallow VPN

Select to turn off VPN connections. (Not applicable to Android 11+ devices)

Disable Factory Reset

Select to prevent users from returning the device to factory defaults. (Not applicable to Android 11+ devices)

Enable Factory Reset Protection

Select to allow users to return the device to factory defaults.

You can optionally specify a list of authorized Google account IDs (an integer value) that can provision the device after factory reset or hover over the help icon to view help for retrieving authorized account IDs.

Disallow Outgoing Calls

Select to prevent a user from making outgoing calls.

Disallow Safe Boot (Android 6.0+)

Select to prevent a user from rebooting a device into safe boot mode.

Disallow Debugging Features

Select to disable debugging features on devices. By default, this option is turned on.

Ensure Verify Apps

Select to allow application verification features on devices. By default, this option is turned on.

When this option is turned off, the device goes back to its default behavior which may vary from device to device.

Disallow SMS

Select to prevent a user from sending and receiving SMS messages.

Disallow Unmute Microphone

Select to prevent a user from unmuting the device's microphone.

Disallow Auto Time

Select to prevent a user from enabling automatic time changes.

Disallow Auto Time Zone

Select to prevent a user from enabling automatic device time adjustment with time zone changes.

Disable Data Roaming

Select to turn off data exchange while the device is roaming.

Sync time with server (Android 9.0+)

Select to allow devices to sync time with the Ivanti Neurons for MDM servers the first time on registration and thereafter once every 24 hours after each check-in. This option is available only if Disable Auto-Time is selected.

Set timezone (Android 9.0+)

Specify timezone string in Olson Time Zone ID format (for example, Pacific/Midway).

Disable Wi-Fi Sleep

Select to keep Wi-Fi on while the device is in Sleep mode. (Not applicable to Android 11+ devices)

Restrict Input Methods

Select to restrict input methods for work apps by designating a list of Allowlisted package names via the Package Name field. (Not applicable to Android 11+ devices)

The devices will have both Allowlisted package input methods and the default system input methods available to use.

The user can switch between default system input methods and Allowlisted packages input methods.

In Android 10+, the input methods are applicable only for the device side, else they are restricted to the entire device.

Restrict Accessibility Services

Select to restrict accessibility services for work apps by designating a list of Allowlisted package names via the Package Name field. If there are no Allowlisted packages, then only system accessibility services will be allowed.

In Android 10+, the input methods are restricted to Work Apps only, else they are restricted to the entire device.

Disable USB file transfer

Select to disable USB file transfer.

Disable external media

Select to disable external media.

Disallow Unknown Sources on device

Select to prevent the device from installing apps from unknown sources.

This setting, to take effect on the device, is dependent on an expected Google Play update to enable this feature.

Set lock screen message (Android 7.0+)

Select to set the lock screen message to be displayed on the device. Type the lock screen message (maximum of 256 characters) in the text field. By enabling this option, the user is blocked from setting the message in Settings and the message that is set by the admin is displayed to the user.

If the admin does not provide any lock screen message after enabling 'Set lock screen message', the user is blocked from setting the message in Settings, but no message is displayed to the user.

Set screen brightness

Select to set brightness of your device's screen.

  • Manual - Select to enter a number manually (0 to 255) 
  • Adaptive - Select to allow the device to set the brightness

It is recommended to enable the "Disallow config brightness" option before setting the screen brightness of your device.

If the user is allowed to make changes, these settings will be reset to the admin defined settings on next check-in.

This setting is not supported on devices with Android 11 and later versions for Work Profile on Company Owned Device mode.

Set screen timeout

Select to set screen timeout duration (in seconds).

It is recommended to enable the "Disallow config screen timeout" option before setting the screen brightness of your device.

If the user is allowed to make changes, these settings will be reset to the admin defined settings on next check-in.

This setting is not supported on devices with Android 11 and later versions for Work Profile on Company Owned Device mode.

Set screen orientation

Select to set screen orientation. You can set the screen orientation to 0, 90, 180, or 270 degrees from the drop down list.

This setting is not supported on devices with Android 11 and later versions for Work Profile on Company Owned Device mode.

Disallow auto-fill (Android 8.0+)

Select to disallow auto fill. (Not applicable to Android 11+ devices)

Disallow Bluetooth Sharing (Android 8.0+)

Select to disallow the user from sharing outgoing bluetooth on the device.

Disable backup service (Android 8.0+)

Select to disable the backup service. (Not applicable to Android 11+ devices)

Disallow printing (Android 9.0+)

Select to restrict printing from all apps. (Not applicable to Android 11+ devices)

Disallow airplane mode (Android 9.0+)

Select to disable airplane mode on the entire device.

Disallow ambient display (Android 9.0+)

Select to disallow the ambient display for the user. (Not applicable to Android 11+ devices)

Disallow config brightness (Android 9.0+)

Select to disallow the user from configuring the brightness (Not applicable to Android 11+ devices).

It is recommended to define the "Set screen brightness mode" before selecting this option.

Disallow config date time (Android 9.0+)

Select to disallow date, time and timezone configuration.

Disallow config location (Android 9.0+)

Select to disallow the user from disabling location providers.

Disallow config screen timeout (Android 9.0+)

Select to disallow the user from changing screen off timeout. (Not applicable to Android 11+ devices)

It is recommended to set the "Set screen timeout" values before selecting this option.

Disallow system error dialogs (Android 9.0+)

Select to disallow system error dialogs. (Not applicable to Android 11+ devices)

Disable Screen Capture (Android 11.0+)

Select to turn off the ability to use the device's built-in screen capture feature. When selected, screen capture is disabled on the personal side of the device.

Enable USB for charging only (Android 12.0+)

Select to enable the USB port for charging only.

Set Minimum Required Wi-Fi Security (Android 13.0+)

Use this option to set minimum required Wi-Fi security:

  • No minimum security required – Select this option if no minimum security is required.
  • Personal Network Based Security – Select this option to block personal Wi-Fi networks such as WEP, WPA/WPA2/WPA3, etc.
  • Enterprise EAP Network Based Security – Select this option to block EAP protocol-based Wi-Fi networks.
  • Enterprise 192 Network Based Security – Select this option to block EAP corporate-based Wi-Fi networks.

All the existing devices that do not meet the minimum criteria will be disconnected.

Device details will show the Minimum Required Wi-Fi Security level (if available) under General > Wi-Fi Security Level.

Work Profile Lockdown Settings

Disable Screen Capture

Select to turn off the ability to use the device's built-in screen capture feature.

Disallow Apps Control

Select to prevent a user from modifying applications in Settings or launchers.

Disallow Config Credentials

Select to prevent a user from configuring user credentials.

Disallow Cross Profile Copy Paste

Select to prevent copy/paste of information between profiles.

Disallow Modify Accounts

Select to prevent a user from adding or removing accounts.

Disallow NFC (Outgoing Beam) (Android 5.1+)

Select to prevent a user from using NFC to transfer app data.

Disallow Share Location

Select to prevent websites and apps from prompting the device user to share device location.

Disallow Debugging Features

Select to disable debugging features on devices. By default, this option is turned on.

Ensure Verify Apps

Select to allow application verification features on devices. By default, this option is turned on.

When this option is turned off, the device goes back to its default behavior which may vary from device to device.

Disable unknown sources inside work profile

Select to disallow download from unknown sources within the work profile.

Enable/Disable System Apps

Select to enable and disable system applications to be deployed by designating two lists of package names via the System App Package Name fields. Use this feature to manage access to system applications that are not published in Google Play.

Adding an app to the app catalog and also to a system apps list is not supported.

Disable Caller ID (Android 6.0+)

Sets whether caller ID information from the work profile will be shown on the device for incoming calls.

Disable Contact sharing via Bluetooth (Android 6.0+)

Select to prevent the device from sharing contacts with other devices via Bluetooth.

Disable Contact sharing via Search (Android 7.0+)

Select to prevent users from searching for work contacts from the personal phone dialer.

Disallow auto-fill (Android 8.0+)

Select to disallow auto fill. (Not applicable to Android 11+ devices)

Disallow work app notifications in personal profile (Android 8.0+)

Select to restrict work profile notifications.

Disallow printing (Android 9.0+)

Select to restrict printing from all apps. (Not applicable to Android 11+ devices)

Disallow share into Profile (Android 9.0+)

Select to prevent users from sharing personal data into a work profile on the device.

Restrict input methods (Android 10.0+)

Select to restrict input methods to Allowlisted IME packages by designating a list of Allowlisted package names via the Package Name field. (Not applicable to Android 11+ devices)

The devices will have both Allowlisted package input methods and the default system input methods available to use.

The user can switch between default system input methods and Allowlisted packages input methods.

The input methods will apply for IME apps installed on the work profile side. Even if the apps installed on the device side are Allowlisted for this lockdown, those will not be available for apps to use on the work profile side.

Allow Access to work profile calendars (Android 10.0+)

Select any of the following options to allow all apps or select a set of apps on the personal side to access the calendar information present in the work profile:

  • All Apps on Personal Profile – Allow all apps to access calendar information present in the work profile.
  • Only the following apps on Personal Profile – In the text field below, enter the bundle IDs of the apps separated by a comma. Only these selected apps on the personal side will be allowed to access the calendar information present in the work profile.

The app on the personal side should implement specific APIs to be able to access the shared calendar.

Enable Cross profile Allowlisting of Apps (Android 11.0+)

Select the checkbox to enable users to share information from specific apps from within the work profile to the personal side of the device.

In the Allowlisted Apps field, type the Package IDs of the apps to be Allowlisted, separated by commas.

By default, this option is disabled.

Enable Maximum Profile Timeout (Android 11.0+)

Select to set a maximum time window the work profile can be turned off before Ivanti Neurons for MDM suspends personal apps on the device. You can set a time between 72 and 8760 hours (8760 hours is one year).

The default value is 72 hours if the option is selected.

The device user sees a message prompting them to turn on the work profile to enable suspended apps. Available for Android 11+ devices in Work Profile on Company Owned Device.

Enable 5G Network Slicing (Android 12.0+)

Select to provide a 5G network slicing option on the work profile of company-owned devices.

By default, this option is disabled.
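An added example, not Ivanti code: a pre-publish lint for a planned Work Profile lockdown configuration, using the version limits, the 72 to 8760 hour timeout range and the comma-separated package ID fields described in this table. The dictionary keys, function names and sample values are hypothetical; the package ID pattern follows Android's application ID naming rules.

```python
import re

# Android application IDs: at least two dot-separated segments, each starting
# with a letter and containing only letters, digits or underscores.
PACKAGE_ID = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")

# Work Profile settings this page marks "Not applicable to Android 11+ devices".
# Keys are hypothetical identifiers, not Ivanti field names.
NOT_ON_ANDROID_11_PLUS = {"disallow_autofill", "disallow_printing", "restrict_input_methods"}

# Minimum Android major version the page gives for each setting.
MIN_ANDROID = {
    "disallow_autofill": 8, "disallow_printing": 9, "restrict_input_methods": 10,
    "cross_profile_allowlist": 11, "max_profile_timeout_hours": 11,
    "enable_5g_slicing": 12}

# Constructed sample: a planned configuration with three problems on Android 12.
SAMPLE = {"disallow_printing": True, "max_profile_timeout_hours": 48,
          "cross_profile_allowlist": "com.example.mail, 9bad.pkg, com.example.notes,"}

def parse_package_list(field):
    """Split a comma-separated package field into (valid_ids, rejected_entries)."""
    valid, rejected = [], []
    # Empty entries (for example after a trailing comma) are skipped.
    for entry in filter(None, (raw.strip() for raw in field.split(","))):
        if PACKAGE_ID.fullmatch(entry):
            if entry not in valid:  # drop duplicates, keep first occurrence
                valid.append(entry)
        else:
            rejected.append(entry)
    return valid, rejected

def lint_work_profile(config, android_major):
    """Return findings for a planned config against one device's Android version."""
    findings = []
    for key, value in config.items():
        if not value:
            continue  # setting not selected
        if key in MIN_ANDROID and android_major < MIN_ANDROID[key]:
            findings.append(f"{key}: requires Android {MIN_ANDROID[key]}+")
        if key in NOT_ON_ANDROID_11_PLUS and android_major >= 11:
            findings.append(f"{key}: not applicable on Android 11+")
    hours = config.get("max_profile_timeout_hours")
    if hours is not None and not 72 <= hours <= 8760:
        findings.append("max_profile_timeout_hours: must be 72-8760")
    _, bad = parse_package_list(config.get("cross_profile_allowlist", ""))
    findings += [f"cross_profile_allowlist: invalid package ID {b!r}" for b in bad]
    return findings
```

Running `lint_work_profile(SAMPLE, 12)` against each Android version in the fleet shows which selected restrictions will silently have no effect before the configuration is distributed.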

For more information, see How to create a configuration.