Lockdown policy fields for Android Enterprise devices with Samsung Restrictions in Work Managed Device mode and Managed Device with Work Profile mode
These lockdown options are applied to Android Enterprise Samsung devices in the Work Managed Device mode and Managed Device with Work Profile (COPE) mode. You must select the Enable Samsung Restrictions check box in order to display the Samsung Restrictions drop-down menu.
| Item | Description | Default Policy Setting |
|
Android Browser |
Enable or disable access to the Android browser. |
Enable |
|
Email Account Creation |
Enable or disable the device user’s ability to configure an email account on the device. |
Enable |
|
Factory Reset |
Enable or disable the ability for users to reset the device to factory defaults. |
Enable |
|
Google Backup |
Enable or disable backup to Google servers. |
Enable |
|
Google Play |
Enable or disable access to Google Play. |
Enable |
|
Incoming SMS |
Enable or disable incoming SMS messages. The user is not informed if SMS is blocked. |
Enable |
|
Outgoing SMS |
Enable or disable outgoing MMS messages. |
Enable |
|
Incoming MMS |
Enable or disable incoming MMS messages. The user is not informed if MMS is blocked. |
Enable |
|
Outgoing MMS |
Enable or disable outgoing MMS messages. |
Enable |
|
Make Passwords Visible |
Select Enable to allow users to change the “Make Passwords Visible” setting on their device. Select Disable to prevent users from changing this setting and make password characters not visible. |
Enable |
|
Developer options |
Enable or disable this option to make USB debugging available to developers on Samsung Knox devices. |
Enable |
|
OTA Upgrade |
Enable or disable over-the-air upgrades of the device firmware. Over-the-air upgrades require the device to be in recovery mode. Therefore, for devices to perform an over-the-air upgrade, enable both Recovery Mode and OTA Upgrade in the lockdown policy. WARNING: Do not disable Setting Changes in the lockdown policy if OTA Upgrade is enabled. Disabling Setting Changes when OTA Upgrade is enabled can result in a non-functional device because setting changes are required for upgrade. |
Enable |
|
Recovery Mode |
Enable or disable the device from entering Recovery Mode. Caution: use Disable with care. Disabling recovery mode on a device may make the device unrecoverable if there is an issue with the device’s operating system. |
Enable |
|
Roaming Voice Calls |
Enable or disable voice calls while roaming. |
Enable |
|
Safe Mode |
Enable or disable the user’s ability to reboot a Samsung Knox device into Safe Mode. A device running in Safe mode is not protected by Ivanti EPMM, because only system apps run in Safe mode. |
Enable |
|
Setting Changes |
Enable or disable the device user access to the settings app. WARNING: Do not disable Setting Changes if OTA Upgrade is enabled. Disabling Setting Changes when OTA Upgrade is enabled can result in a non-functional device because setting changes are required for upgrade. |
Enable |
|
Tethering - Bluetooth |
Enable or disable Bluetooth tethering. Refer to “Bluetooth lockdown for Samsung Knox devices” in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices. |
Enable |
|
Tethering - USB |
Enable or disable USB tethering. |
Enable |
|
Tethering - Wi-Fi |
Enable or disable Wi-Fi tethering. |
Enable |
|
USB Media Player |
Enable or disable the USB media player. |
Enable |
|
Manual Date Time Change |
Enable or disable the ability to manually change the date and time. |
Enable |
|
Certificate Revocation Status (CRL) Check |
Enable or disable the Certificate Revocation List (CRL) check for revocation of the server-certificate chain during the SSL mutual authentication process. |
Disabled |
|
Google Crash Report |
An administrator can use this API to enable or disable sending a crash report to Google. If disabled, all possible Google crash reports are blocked. |
Enable |
|
Google Accounts Auto-sync |
Enable or disable Google accounts auto-sync. |
Enable |
|
Multi-user mode |
Enable or disable the Multi-user mode. |
Enable |
|
New admin installation |
Enable or disable new administrator installation. |
Enable |
|
Allow cellular data |
Enable or disable the ability for users to use cellular data. If you disable both cellular data and Wi-Fi on a device, Ivanti EPMM can no longer communicate with the device. The device may need a factory reset to restore functionality. |
Enable |
|
Allow USB HID Protocol |
Enable or disable the USB Human Interface Device (HID) protocol. |
Enable |
|
Restricted Apps |
List apps that you want to prevent from being installed or run on Samsung Knox devices. Click + to add an application identifier (app ID) for the app. The app ID is case-sensitive. You can use the wild card character * to cover a set of apps, such as all apps from a particular vendor. For example, com.abcdef.* restricts all application IDs beginning with com.abcdef. However, to ensure that pre-existing apps get restricted, provide the complete app ID. Do not use a wild card character. |
(empty) |
|
Allowed Apps |
List the apps that you that are exceptions to the apps covered by a wild card character in the Restricted Apps section. Click + to add an application identifier (app ID) for the app. The app ID is case-sensitive. |
(empty) |
|
Turn Off Wi-Fi for SSIDs |
Prevent Samsung Knox devices from accessing the Wi-Fi SSIDs listed in this section. Click + to add an SSID. The SSID is case-sensitive. Do not restrict Wi-Fi SSIDs that are configured for the device. In Ivanti Mobile@Work 9.0.0.0 for Android, connection to SSIDs listed in this section can occur if the SSID is managed and Always Connect Device to Managed Wi-Fi is enabled. |
(empty) |