Lockdown policy fields for Android Enterprise devices in Work Profile mode
Whether a lockdown policy field applies to an Android Enterprise device depends on the Android Enterprise mode that the device is registered in. The modes are Work Managed Device mode, Managed Device with Work Profile (COPE) mode on Android devices versions 8-10, and Work Profile on Company Owned Devices on Android versions 11 and later supported versions. They are described in "Modes for Android Enterprise devices" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
Lockdown options in this section apply to Android Enterprise devices in Work Profile mode.
Item | Description | Default Policy Setting |
Allow copy and paste | Allows copy and paste from apps inside the Android Enterprise profile to apps outside the profile. | Selected |
Allow caller ID across profiles | Allows caller ID to be visible to the phone app in all profiles. When caller ID is permitted across profiles, personal apps can view work contacts for incoming calls. This applies to Android 6.0 through the most recently released versions as supported by Ivanti. | Selected |
Allow work calendar sharing with personal profile | Select to allow sharing of work calendar information with the personal profile, so that apps (for example, calendar apps like Google Calendar) can display work events alongside personal events in the device user's personal profile. If the work event is tapped within the personal profile, a view of the event displays. Tapped again, it opens the event in the work calendar. Applicable to Managed devices with work profiles. | Not selected |
Allow contact search across profiles | Allows personal space Contacts app sharing across the profile. This is supported on Android 7.0 devices through the most recently released version as supported by Ivanti. | Selected |
Allow Bluetooth | Enable Bluetooth. | Enabled |
Allow contact sharing on Bluetooth devices. | Allows the caller ID to be visible on another Bluetooth device such as your car's Bluetooth screen. This is supported on Android 6.0 devices through the most recently released version as supported by Ivanti. | Selected |
Allow unknown sources in Personal and Work Profile | Allow installation of apps from untrusted sources in the Personal and Work Profile. When this field is selected, the "Allow Unknown Sources in Work Profile" check box displays. Selecting it restricts the Allow Unknown Source setting to the Work Profile mode only. Use case: This allows third-party apps like games from outside the Google Play store to be installed in the personal profile. | Not selected |
Android 8: Allow Auto-Fill | Allows password autofill. | Selected |
Allow work app notifications in personal profile | When the device user is in the personal profile, notifications from Ivanti [email protected] apps will display. | Selected |
Android 9: Allow Printing | Allows the printing of documents from Ivanti [email protected] apps. | Selected |
Allow Share into Profile | Allows sharing from outside the Work Profile to inside the Work Profile. | Selected |
Android 10: Allow Camera | Enable camera. | Enabled |
Allow Camera Control | Enable user control of camera. | Disabled |
Allow Configure Managed App Updates | Enable configuration of managed app updates by setting a maintenance window. | Disabled |
Android 11+: Allow Cross Profile WhiteListing Package Ids | Enable cross-profile whitelisting of package IDs. | Disabled |
Enable Debugging | Enable debugging for USB, work profile, and managed device. | Enabled |
Enable Disabling of System Apps | Enable disabling of system apps. | Disabled |
Enable Common Criteria mode | Enable the Common Criteria mode. | Disabled |
Enable Cross profile whitelisting of Apps | Allows users to share information from specific apps within the work profile to the personal side of the device. Data from the Work Profile container can be shared with the exact same app located on the personal side. Selecting + displays a list, and you must add at least one app for this configuration to apply. | Not selected |
Enable system apps | Enable system apps. | Enabled |
Enable Maximum Profile Timeout | Select to set a maximum time window the work profile can be turned off before Ivanti suspends personal apps on the device. You can set a time between 72 and 8760 hours (8760 hours is one year). The default value is 72 hours if the option is selected. The device user sees a message prompting them to turn on the work profile to enable suspended apps. Available for Android 11+ devices in Work Profile on Company Owned Device. | Disabled |
Android 12+: Enable 5G Slicing | Administrators can route all app traffic through an enterprise 5G network slice. Instead of setting up slices through APNs, administrators can set devices to route the traffic from all apps in the work profile to an enterprise network slice through the UE Route Selection Policy (URSP) rules. Administrators can turn Work Profile app traffic routing to the enterprise network slice on or off on a per-employee basis. The 5G Slicing status is indicated in the Device Details page. Advanced searching on 5G is also part of this feature, as is making compliance rules. Requires support from the 5G service provider. | Disabled |
Allow Nearby Notifications Streaming | Notifications streaming sends notification data from pre-installed apps to nearby devices. By default, this field is not enabled. By selecting this check box, the administrator can set the value by choosing from the four options below. The selected value will display in the Device Details > Policies tab. Once enabled, in the Device Details page > Policies > "Allow Nearby Notifications Streaming / (Managed Profile)" section, the status of the policy displays along with whether or not the device is in compliance. | Disabled |
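
The following is an added example, not Ivanti code. It reviews a Work Profile lockdown policy held as a dictionary against the defaults and constraints stated in the table above: the 72 to 8760 hour timeout range with its default of 72, the requirement of at least one app for cross-profile whitelisting, and the work-profile-only unknown-sources check box depending on its parent field. The field keys and the sample policy are hypothetical and constructed for illustration; they are not EPMM export or API names.

```python
# Hypothetical field keys (not EPMM names) mapped to the defaults in the table.
DOCUMENTED_DEFAULTS = {
    "allow_copy_paste": True,
    "allow_caller_id_across_profiles": True,
    "allow_work_calendar_sharing": False,
    "allow_contact_search_across_profiles": True,
    "allow_unknown_sources": False,
    "allow_share_into_profile": True,
    "enable_debugging": True,
    "enable_cross_profile_app_whitelisting": False,
    "enable_max_profile_timeout": False,
}
TIMEOUT_RANGE_HOURS = (72, 8760)  # range stated for Enable Maximum Profile Timeout

def review_policy(policy):
    """Return (kind, field, detail) findings for one lockdown policy dict."""
    merged = {**DOCUMENTED_DEFAULTS, **policy}
    findings = []
    # Report every field that no longer matches its documented default.
    for field, default in DOCUMENTED_DEFAULTS.items():
        if merged[field] != default:
            findings.append(("changed", field, f"default is {default}"))
    # The timeout value defaults to 72 hours once the option is selected.
    if merged["enable_max_profile_timeout"]:
        hours = merged.get("max_profile_timeout_hours", 72)
        low, high = TIMEOUT_RANGE_HOURS
        if not low <= hours <= high:
            findings.append(("invalid", "max_profile_timeout_hours",
                             f"{hours} outside {low}-{high}"))
    # Cross-profile app whitelisting only applies with at least one app listed.
    if (merged["enable_cross_profile_app_whitelisting"]
            and not merged.get("cross_profile_app_whitelist")):
        findings.append(("invalid", "cross_profile_app_whitelist",
                         "needs at least one app to apply"))
    # The work-profile-only check box displays only when its parent is selected.
    if (merged.get("unknown_sources_work_profile_only")
            and not merged["allow_unknown_sources"]):
        findings.append(("invalid", "unknown_sources_work_profile_only",
                         "parent field not selected"))
    return findings

# Constructed sample policy, not taken from a real deployment.
SAMPLE_POLICY = {
    "allow_copy_paste": False,
    "enable_max_profile_timeout": True,
    "max_profile_timeout_hours": 48,
    "enable_cross_profile_app_whitelisting": True,
    "cross_profile_app_whitelist": [],
    "unknown_sources_work_profile_only": True,
}

if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY):
        print(*finding, sep=" | ")
```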