Lockdown policy fields for Android Enterprise devices with Samsung Restrictions in Work Managed Device mode and Managed Device with Work Profile mode

These lockdown options are applied to Android Enterprise Samsung devices in the Work Managed Device mode and Managed Device with Work Profile (COPE) mode. You must select the Enable Samsung Restrictions check box in order to display the Samsung Restrictions drop-down menu.

Table 33.   Lockdown policy fields: Android Enterprise devices with Samsung Restrictions in Work Managed Device mode and Managed Device with Work Profile mode
Item Description Default Policy Setting

Android Browser

Enable or disable access to the Android browser.

Enable

Email Account Creation

Enable or disable the device user’s ability to configure an email account on the device.

Enable

Factory Reset

Enable or disable the ability for users to reset the device to factory defaults.

Enable

Google Backup

Enable or disable backup to Google servers.

Enable

Google Play

Enable or disable access to Google Play.

Enable

Incoming SMS

Enable or disable incoming SMS messages.

The user is not informed if SMS is blocked.

Enable

Outgoing SMS

Enable or disable outgoing MMS messages.

Enable

Incoming MMS

Enable or disable incoming MMS messages.

The user is not informed if MMS is blocked.

Enable

Outgoing MMS

Enable or disable outgoing MMS messages.

Enable

Make Passwords Visible

Select Enable to allow users to change the “Make Passwords Visible” setting on their device. Select Disable to prevent users from changing this setting and make password characters not visible.

Enable

Developer options

Enable or disable this option to make USB debugging available to developers on Samsung Knox devices.

Enable

OTA Upgrade

Enable or disable over-the-air upgrades of the device firmware.

Over-the-air upgrades require the device to be in recovery mode. Therefore, for devices to perform an over-the-air upgrade, enable both Recovery Mode and OTA Upgrade in the lockdown policy.

WARNING: Do not disable Setting Changes in the lockdown policy if OTA Upgrade is enabled. Disabling Setting Changes when OTA Upgrade is enabled can result in a non-functional device because setting changes are required for upgrade.

Enable

Recovery Mode

Enable or disable the device from entering Recovery Mode. Caution: use Disable with care. Disabling recovery mode on a device may make the device unrecoverable if there is an issue with the device’s operating system.

Enable

Roaming Voice Calls

Enable or disable voice calls while roaming.

Enable

Safe Mode

Enable or disable the user’s ability to reboot a Samsung Knox device into Safe Mode.

A device running in Safe mode is not protected by Ivanti EPMM, because only system apps run in Safe mode.

Enable

Setting Changes

Enable or disable the device user access to the settings app.

WARNING: Do not disable Setting Changes if OTA Upgrade is enabled. Disabling Setting Changes when OTA Upgrade is enabled can result in a non-functional device because setting changes are required for upgrade.

Enable

Tethering - Bluetooth

Enable or disable Bluetooth tethering.

Refer to “Bluetooth lockdown for Samsung Knox devices” in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

Enable

Tethering - USB

Enable or disable USB tethering.

Enable

Tethering - Wi-Fi

Enable or disable Wi-Fi tethering.

Enable

USB Media Player

Enable or disable the USB media player.

Enable

Manual Date Time Change

Enable or disable the ability to manually change the date and time.

Enable

Certificate Revocation Status (CRL) Check

Enable or disable the Certificate Revocation List (CRL) check for revocation of the server-certificate chain during the SSL mutual authentication process.

Disabled

Google Crash

Report

An administrator can use this API to enable or disable sending a crash report to Google. If disabled, all possible Google crash reports are blocked.

Enable

Google Accounts Auto-sync

Enable or disable Google accounts auto-sync.

Enable

Multi-user mode

Enable or disable the Multi-user mode.

Enable

New admin installation

Enable or disable new administrator installation.

Enable

Allow cellular data

Enable or disable the ability for users to use cellular data.

If you disable both cellular data and Wi-Fi on a device, Ivanti EPMM can no longer communicate with the device. The device may need a factory reset to restore functionality.

Enable

Allow USB HID Protocol

Enable or disable the USB Human Interface Device (HID) protocol.

Enable

Restricted Apps

List apps that you want to prevent from being installed or run on Samsung Knox devices.

Click + to add an application identifier (app ID) for the app. The app ID is case-sensitive. You can use the wild card character * to cover a set of apps, such as all apps from a particular vendor.

For example, com.abcdef.* restricts all application IDs beginning with com.abcdef.

However, to ensure that pre-existing apps get restricted, provide the complete app ID. Do not use a wild card character.

(empty)

Allowed Apps

List the apps that you that are exceptions to the apps covered by a wild card character in the Restricted Apps section.

Click + to add an application identifier (app ID) for the app. The app ID is case-sensitive.

(empty)

Turn Off Wi-Fi for SSIDs

Prevent Samsung Knox devices from accessing the Wi-Fi SSIDs listed in this section.

Click + to add an SSID. The SSID is case-sensitive.

Do not restrict Wi-Fi SSIDs that are configured for the device.

In Ivanti Mobile@Work 9.0.0.0 for Android, connection to SSIDs listed in this section can occur if the SSID is managed and Always Connect Device to Managed Wi-Fi is enabled.

(empty)

Lockdown policies