Lockdown policies
Lockdown policies do not apply to iOS
Lockdown policies specify which features should be disabled in the event that device access must be restricted. To create a lockdown policy, go to Policies & Configs > Policies > Add New > Lockdown. Some policy changes can prompt users to restart their device after the policy is applied to the device.
As part of a Lockdown policy, administrators can set a message on the Lock screen on company-owned Android devices. This informs the device holder who the owner of the device is. A maximum of 256 characters can be entered into the message.
Lock screen messages are applicable in the following modes:
- Work Profile Managed Device
- Managed Device with Work Profile
- Work Profile on Company Owned Device
- Work Managed Device-Non-GMS mode
Both device and user attributes (default and custom) can be used with the Lock screen message.
Extended lockdown policies for Android and Android Enterprise devices are supported on Samsung Knox devices. Support for specific settings sometimes depends on the Android OS version, the Ivanti Mobile@Work version, and the Samsung Knox API version on the device. Extended lockdown policies are also available for Android Enterprise devices that are Work Managed Devices. Refer to the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices for details.
This section includes the following topics:
- General lockdown policy fields
- When work profile accounts can be modified
- Lockdown policy fields for Windows devices
- Lockdown policy fields for all Android devices and Android Enterprise devices
- Lockdown policy fields for all Android Enterprise devices
- Lockdown policy fields for Android Enterprise devices in Work Profile mode
- Lockdown policy fields for Android Enterprise devices in Work Managed Device mode and Managed Device with Work Profile mode
- Lockdown policy fields for Android Enterprise devices in Work Managed Device mode, Managed device with Work Profile mode, and Work Profile on Company Owned Device mode
- Lockdown policy fields for Samsung Knox Workspace (3.0) Android Enterprise Managed Device with Work Profile mode
- Lockdown policy fields for Android Enterprise devices with Samsung Restrictions in Work Managed Device mode and Managed Device with Work Profile mode
- Lockdown policy fields for Samsung Knox devices in Device Admin mode
General lockdown policy fields
This section describes fields that are available for Android, Android Enterprise
| Item | Description | Default Policy Setting |
|---|---|---|
| Name | Required. Enter a descriptive name for this policy. This is the text that will be displayed to identify this policy throughout the Admin Portal. This name must be unique within this policy type. Tip: Though using the same name for different policy types is allowed (e.g., Executive), consider keeping the names unique to ensure clearer log entries. | Default Lockdown Policy |
| Status | Select Active to turn on this policy. Select Inactive to turn off this policy. | Active |
| Priority | Specifies the priority of this custom policy relative to the other custom policies of the same type. This priority determines which policy is applied if more than one policy is associated with a specific device. Select "Higher than" or "Lower than", then select an existing policy from the drop-down list. For example, to give Policy A a higher priority than Policy B, you would select "Higher than" and "Policy B". See "Prioritizing policies" in the Device Management Guide for more information. Because this priority applies only to custom policies, this field is not enabled when you create the first custom policy of a given type. | |
| Description | Enter an explanation of the purpose of this policy. | Default Lockdown Policy |
| | Enable or disable access to Bluetooth features. You can enable both Audio and Data or just Audio. Caution: Ivanti recommends against disabling audio because hands-free Bluetooth access is then disabled, and legal requirements for hands-free use of devices while driving are widespread. The Bluetooth settings are supported on Samsung Knox devices. However, enabling audio only is supported only with Ivanti Mobile@Work 9.0.1.0-9.0.1.1. See "Bluetooth lockdown for Samsung Knox devices" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices for more information. | Enable |
| | Enable or disable camera access. | Enable |
| | When checked, the Camera policy is considered enforced no matter the state of the camera. GPS location is not considered when user control is checked. | Unchecked |
| NFC | Enable or disable NFC (Near-field Communication) data exchange when the device touches another device. | Enable |
| USB Mass Storage | Enable or disable access to the device's USB storage from a computer. | Enable |
| | Enable or disable access to the secure data card. | Enable |
| | Enable or disable access to wireless LANs. Caution: Disabling Wi-Fi on Wi-Fi-only devices is not recommended, because a factory reset will be necessary to re-enable Wi-Fi on such devices. Applicable to Managed Device with Work Profile mode and Work Managed Device mode. Wi-Fi lockdown is supported on Samsung Knox devices. | Enable |
| Roaming Data | Enable or disable access to data services while roaming. | Enable |
| Copy / Paste | Enable or disable access to copy / paste functionality. This feature is not supported on Windows Phone 8.1 devices. Supported in: | Enabled |
| Screen Capture | Enable or disable screen capture. Not supported in Work Profile on Company Owned Device mode. This feature is supported on the following devices: | Enabled |
| GPS | If GPS User Control is disabled, specify whether GPS is enabled or disabled on the device. | Enable |
| GPS User Control | Enable or disable a user's ability to control the GPS. | Enabled |
| Allow device to be on while plugged in | Enable the user to keep the device on while it is plugged in. | Disabled |
| Lockscreen Widgets | Enable lockscreen widgets. | Enabled |
| Maintenance window duration | Enable changes to the duration of the maintenance window. | Disabled |
| Maintenance window start time | Enable changes to the maintenance window start time. | Disabled |
| Maximum Work Profile Timeout | Enable changes to the maximum work profile timeout. | Disabled |
| NFC | Enable Near Field Communication (NFC). | Enabled |
| Microphone | Enable the microphone. | Enabled |
| Restrict accessibility services | Enable restriction of accessibility services. | Disabled |
| Restrict input methods | Enable restriction of input methods. | Disabled |
| Allowed Samsung applications | Enable allowed Samsung applications. | Disabled |
When work profile accounts can be modified
One Android Enterprise setting in the lockdown policy is Allow the user to create and modify accounts. This setting applies only to work profile accounts. It does not impact personal accounts.
If this lockdown policy setting is selected, the device user or an Android Enterprise app can add, modify, or delete work profile accounts on the device in Settings > Accounts.
A four-hour time period begins after Ivanti Mobile@Work receives a lockdown policy in which the setting Allow the user to create and modify accounts is not selected. During that time period, the device user and Android Enterprise apps on the device can continue to add, modify, and delete work profile accounts. After the time period ends, work profile accounts cannot be added, modified, or deleted. Therefore, during this time period, the Divide Productivity or Gmail app can add the account that you specify in the Configuration Choices section for the app in the App Catalog on the Admin Portal. Make sure that your device users launch the Divide Productivity or Gmail app within the four-hour time period.
Notes
- Restarting a device does not restart the time period.
- Changing settings in the Configuration Choices section for Divide Productivity and Gmail in the App Catalog on the Admin Portal has no impact on the account settings on the device after the time period is over. An exception to this rule exists for two app configurations. You can change these app configurations at any time, and the account settings on the device will be updated. These two app configurations are:
  - Default email signature
  - Default sync window
Lockdown policy fields for Windows devices
These lockdown options are applied to Windows devices.
| Item | Description | Default Policy Setting |
|---|---|---|
| Internet Sharing | Enable or disable Internet sharing. | Enable |
| Microsoft Store | Enable or disable access to the Windows Store. You cannot deactivate this feature for Windows 10 Desktop devices. | Enable |
| Manual Email Set-up | Enable or disable the ability to manually add an email account on the device. | Enable |
| VPN while Roaming | Enable or disable VPN when the device is out of network. | Enable |
| Hotspot Discovery | Enable or disable Hotspot Discovery. | Enable |
| Microsoft Account | Enable or disable Microsoft SkyDrive or Live Account. | Enable |
| Save as of MS-Office | Enable or disable the Save As operation for an MS-Office document. This feature is not supported on Windows Phone 8.1 or Windows 10 Desktop devices. | Enable |
| Browser | Enable or disable Internet Explorer. The option has no impact on other browsers installed from the Windows Store. This feature is not supported on Windows Phone 8.1 devices. | Enable |
| Manual Wi-Fi Setup | Enable or disable the ability to manually add a Wi-Fi setup. This feature is not supported on Windows 10 Desktop devices. | Enable |
| Wi-Fi Sense Hotspots | Enable or disable the device automatically connecting to Wi-Fi hotspots and to networks shared by social-network friends. | Enable |
| Sharing Of MS-Office Files | Enable or disable sharing MS-Office files. This feature is not supported on Windows Phone 8.1 devices. | Enable |
| Sync User Settings to Device(s) | Enable or disable automatic syncing of user settings to the Windows device. | Enable |
| Action Center Notifications | Enable or disable Action Center notifications. This feature is not supported on Windows Phone 8.1 devices. | Enable |
| Developer Unlock | Enable or disable Developer Unlock. | Enable |
| Search to Use Location | Enable or disable the Access to my location feature on the device. Disabling this feature impacts Cortana and Bing. | Enable |
| Manual Root Certificate Installation | Enable or disable the ability to manually install a root certificate on the device. If disabled, the device user cannot install a root certificate on the device. This feature is not supported on Windows Phone 8.1 devices. | Enable |
| Store Images From Visual Search | Enable or disable the Visual Search option in Bing. | Enable |
| Voice Recording | Enable or disable voice recording in Cortana. This feature is not supported on Windows Phone 8.1 devices. | Enable |
| Return Without Password | Enable or disable the device user's ability to set the grace period for locking. If enabled, the device user can set the grace period for locking the device. If disabled, the Security policy sets the grace period, and the option is not available to the device user. This feature is not supported on Windows Phone 8.1 devices. | Enable |
| Cortana | Enable or disable Cortana. | Enable |
| Block Browser Popups | Enable or disable blocking of pop-ups in browsers. | Enable |
| Browser Password Manager | Enable or disable the use of a browser password manager. | Enable |
| MS Error Reporting | Provides full, enhanced, basic, or security-level error reporting. | Full |
| Let Apps Run In Background | Allows administrators to turn off all applications running in the background to preserve battery on Windows devices that are on limited power or using cellular services. | User In Control |
| Windows Phone - Corporate Owned Devices Only | For Windows devices only. | |
| Reset Phone | Enable or disable the device user's ability to reset the device to factory defaults. | Enable |
| MDM Un-enrollment | Enable or disable the device user's ability to remove the device from management by Ivanti EPMM. | Enable |