Lockdown policy fields for Android Enterprise devices in Work Managed Device mode and Managed Device with Work Profile mode

Whether a lockdown policy field applies to an Android Enterprise device depends on the Android Enterprise mode that the device is registered in. The modes — Work Managed Device mode, Managed Device with Work Profile (COPE) mode on Android devices versions 8-10, and Work Profile on Company Owned Devices Android versions 11 and later supported versions— are described in "Modes for Android Enterprise devices" in Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

Lockdown options in this section apply to Android Enterprise devices in Work Managed Device mode and Managed Device with Work Profile (COPE) mode on Android devices versions 8-10.

**Table 42.** Lockdown policy fields: Android Enterprise in Work Managed Device mode and Managed Device with Work Profile mode
Item	Description	Default Policy Setting
Device Restrictions
Allow camera	Allows camera to function.	Enabled
Allow master volume un-mute	Allows the user to un-mute master volume. Note: volume is not muted by default.	Enabled
Allow microphone un-mute	Allows the user to un-mute microphone	Enabled
Allow automatic date & time	If checked, the user can change date and time. If unchecked, user can make changes but system will reset the date and time automatically.	Enabled
Allow automatic timezone	Allows timezone to be set automatically. Note: the user can re-enable the ability to update time and timezone if this setting is disallowed.	Enabled
Allow safe boot of the device	Allows user to reboot the device into safe mode.	Enabled
Allow factory reset	Allows the user to initiate a factory reset of the device.	Enabled
Allow the user to mount physical external media	Allows the user to mount external media such as SD cards or external drives.	Enabled
Allow the user to transfer files over USB	Allows user copy, paste, and transfer data and files using USB drives.	Enabled
Allow use of USB storage	Allows data to be stored on USB drives.	Enabled
Keep device on while plugged in	Allows device to remain powered on when it is plugged in to a power source. When this field is enabled, the device does not go into sleep mode.	Disabled
Allow Keyguard (no effect if password or PIN is set)	Allows a keyguard, or lockscreen, on the device under the condition that the device has not been enabled using a PIN, password, or pattern.	Enabled
Allow backup service	Allows the user to backup and restore their devices using Google services on managed devices running Android 8.0 through the most recently released versions as supported by Ivanti.	Enabled
Allow install from unknown sources on the device	Allows administrator to enable installation of apps from unknown sources to device. Unless this field is selected, the work profile never allows installation of apps from unknown sources.	Disabled
Allow location settings modification	Allows device user to turn on/off location. Also, on some devices/OS versions, it allows the device user to control the accuracy of the device's location. Supported in Work Profile on Company Owned Device mode.	Enabled
Configure Private DNS settings	Private DNS allows more privacy for device users than using public DNS servers. It provides a way for enterprises to secure device user activity and enterprise hostnames from being learnt by unwanted DNS servers. Private DNS allows devices to discover DNS over TLS and provide specific DNS server hostnames to prevent leaking of DNS resolution. Devices will use DNS-over-TLS prior to attempting name resolution in cleartext. Selecting this box expands to display: Off - Private DNS cannot be disabled from the Admin Portal. Device user can disable private DNS setting, if allowed to change the settings. Opportunistic - The device will attempt to find a server that supports private DNS. If it cannot find one, it will fall back to non-private DNS (cleartext). Use Specific DNS Server - enter the hostname of server that implements DNS over TLS (RFCC7858). This value cannot be empty. Once added, it can only be updated. Applicable to: Android 10+ devices in Work Managed Device mode.	Disabled
Allow user to override Private DNS settings	The hostname of a server that implements DNS over TLS (RFC7858). This value cannot be empty.	Disabled
Set Minimum Required Wi-Fi Security (Android 13+)	Use this option to set minimum required Wi-Fi security. This means the device's Wi-Fi must be set at the chosen level or higher. Below is the security hierarchy: No minimum security required - (default) allows all types of Wi-Fi networks. Personal Network Based Security - allows personal Wi-Fi network such as WEP, WPA/WPA2/WPA3, and more secure networks. Enterprise EAP Network Based Security - allows EAP protocol-based Wi-Fi network and more secure networks. Enterprise 192 Network Based Security - allows enterprise 192 protocol based Wi-Fi networks. All the existing devices that do not meet the minimum criteria will be disconnected. When this check box is disabled, no action is taken by the client. When enabled, the client sets the correct choice. If, after being enabled, the check box was disabled, then the client will return to the last known setting before the change was made. To find out about existing Wi-Fi security level usage, use "Wi-Fi Security Level" in Device Details >Advanced Search. The security level is also listed under "Required Wi-Fi Security Level" in the Device Details page > Device tab.	Disabled
Allow Nearby Notifications Streaming	Notifications Streaming is sending notification data from pre-installed apps to nearby devices. By default, this field is not enabled. By selecting this check box, the administrator can set the value by choosing from the four options below. The selected value will display in the Device Details > Policies tab. Not Controlled by Policy (default) - Indicates that nearby streaming is not controlled by policy, therefore device users can use the notification feature on their device, once device user enables it. Ivanti EPMM does not control this behavior. Enabled - Device user is allowed to use this feature. Disabled - Device user is not allowed to use this feature. Enabled for Same Account - Only allowed on devices that have the same account present on both devices. Once enabled, in the Device Details page > Policies >"Allow Nearby Notifications Streaming / (Managed Profile)" section, the status of the policy displays along with whether or not the device is in compliance.	Disabled
Set screen brightness	Select to set brightness of your device's screen. Manual - Select to enter a number manually (0 to 255) Adaptive - Select to allow the device to set the brightness If the user is allowed to make changes, these settings will be reset to the administrator-defined settings on next check-in. Applicable to: Work Managed Device mode Managed Device with Work Profile mode Work Managed Device non-GMS mode (AOSP)	N/A
Set screen timeout	Select to enable and enter a value (in seconds). Screen timeout value will not have effect if its value is greater than Inactivity Timeout from passcode configuration. If the user is allowed to make changes, these settings will be reset to the administrator-defined settings on next check-in. Applicable to: Work Managed Device mode Managed Device with Work Profile mode Work Managed Device non-GMS mode (AOSP)	N/A
Set screen orientation	Select to set screen orientation. You can set the screen orientation to 0, 90, 180, or 270 degrees from the drop down list. Applicable to: Work Managed Device mode Managed Device with Work Profile mode Work Managed Device non-GMS mode (AOSP)	N/A
Phone & Network Restrictions
Allow SMS	Allow the user to send and receive SMS messages.	Enabled
Allow outgoing calls	Allow user to place outgoing calls.	Enabled
Allow data roaming	Allow the use of data while user is traveling outside of data plan area. Note: the user can re-enable this feature from settings.	Enabled
Allow Wi-Fi	If Allow Wi-FI is: enabled (default), the device user can turn Wi-Fi on or off not enabled, the device user cannot turn Wi-Fi on Caution: Turning off Wi-Fi on a Wi-Fi only device will make the device unable to communicate with Ivanti or any network. A factory reset will be needed to restore Wi-Fi capability on the device.	Enabled
Allow Wi-Fi to be configured	Allows the user to configure Wi-Fi.	Enabled
Allow Wi-Fi sleep policy to be configured	Allows user to configure the Wi-Fi sleep policy. On a device, the user can re-enable this feature from Settings. For this field, the server policy settings are applied when the device checks into Ivanti. If the user modifies the Wi-Fi sleep policy on a device and then you, as the administrator, change the "Allow Wi-Fi sleep policy to be configured" field, the user modifications for this field are overwritten by the lockdown policy that resides on the server when the device checks in.	Enabled
Allow Bluetooth	If Allow Bluetooth is: enabled (default), the device user can turn Bluetooth on or off not enabled, the device user cannot turn Bluetooth on	Enabled
Allow Bluetooth to be configured	Allows the user to configure Bluetooth on managed devices.	Enabled
Allow Bluetooth Outbound Sharing	Allows the user to share files using Bluetooth on managed devices running Android 8.0 through the most recently released versions as supported by Ivanti.	Enabled
Allow Emergency Broadcasts to be configured	Allows the user to configure Emergency Broadcasts.	Enabled
Allow mobile network to be configured	Allows the user to configure the mobile network.	Enabled
Allow tethering and mobile hotspots to be configured	Allows the user to configure tethering and hotspots.	Enabled
Allow VPN to be configured	Allows the user to configure VPN. This setting must be enabled to allow the application of a managed VPN. As a workaround, enable Always-on VPN in Android Enterprise settings and select Tunnel as the App Identifier.	Enabled
Managed Device
Android 11: Enable Common Criteria (CC) mode	Select to enable Common Criteria mode for Android 11 + devices. If Common Criteria mode is turned off after being enabled previously, all existing Wi-Fi configurations will be lost. Applicable to Managed Device with Work Profile mode and Work Profile on Company Owned Device mode.	Disabled
Configure Private DNS settings	Private DNS allows more privacy for device users than using public DNS servers. It provides a way for enterprises to secure device user activity and enterprise hostnames from being learnt by unwanted DNS servers. Private DNS allows devices to discover DNS over TLS and provide specific DNS server hostnames to prevent leaking of DNS resolution. Devices will use DNS-over-TLS prior to attempting name resolution in cleartext. Selecting this box expands to display: Off - Private DNS cannot be disabled from the Admin Portal. Device user can disable private DNS setting, if allowed to change the settings. Opportunistic - The device will attempt to find a server that supports private DNS. If it cannot find one, it will fall back to non-private DNS (cleartext). Use Specific DNS Server - Enter the hostname of server that implements DNS over TLS (RFCC7858). This value cannot be empty. Once added, it can only be updated. Applicable to: Android 10+ devices in Work Managed Device mode.	Disabled
Allow user to override Private DNS settings	The hostname of a server that implements DNS over TLS (RFC7858). This value cannot be empty.	Disabled