Avalanche powered by Wavelink
This page refers to an older version of the product.View the current version of the User Guide.
Restrictions Payload (Android/iOS/Windows Phone)
A Restrictions payload disables specific applications or functionality on the device. Each device can only use one Restrictions payload. If there is more than one Restrictions payload applied to the folder the device is in, only the payload with the highest priority will be sent to the device. You can view the payloads that have been sent to the device by viewing device details.
When you are using a Restrictions payload, ensure you are not locking down functionality that is required for other operations. For example, watch for the following scenarios:
•Do not block the Settings application if you are using a Passcodes payload, since the user needs to access Settings in order to set or change a passcode.
•Ensure software payloads have been distributed and the desired apps have been installed on the device before you disallow installing apps.
•Ensure your white-listed apps are installed on the device before you apply a payload to enable whitelisting.
A Restrictions payload for Android offers the following options:
|
Payload Name |
The name of the payload. |
|
Allow installing apps |
Allows the user to install apps. Removing the check for this option does not prevent users from deleting apps on the device. Avalanche cannot prevent the removal of apps at the device level. |
|
Allow use of camera |
Allows the user to launch the camera application. |
|
Encrypt all personal data on your device (Android 3.0+) |
Encrypts the personal information saved on the device. This includes accounts, settings, apps, media, and other data saved to the internal phone storage media. This does not encrypt removable storage media such as an SD card. Enabling this option prompts the user to encrypt the device, but does not force encryption. The user is required to set a passcode before encrypting the device because the passcode is used to decrypt the information each time the device is unlocked. Depending on the device, encryption may not be a reversible action. |
|
Allow Settings Application |
Allows the user to access and change the Android device settings. |
|
Allow Web applications |
Allows the user to launch a Web browser. |
|
Allow Default Web browser |
Allows the user to launch the default Web browser. |
|
Allow Mail applications |
Allows the user to launch email applications. |
|
Allow use of YouTube |
Allows the user to use a YouTube application. |
|
Enable SAFE Restrictions |
Allows you to restrict specific actions on a Samsung SAFE device. When the payload is sent to devices, these options are applied only on Samsung SAFE devices. |
|
Allow uninstalling apps |
Allows the user to uninstall apps. |
|
Allow voice dialer |
Allows the user to dial using voice commands. |
|
Allow Play Store |
Allows the user to access the Google Play Store. |
|
Encrypt external SD card |
Allows the user to encrypt external SD cards on Samsung SAFE devices. The encryption process must be performed by users at the device level. To encrypt an external SD card on a device after deploying a restrictions payload with this option selected, launch the Settings app and navigate to Security > Encrypt external SD card. Tap Set screen lock type >Password and then set and confirm a password. This password is used to access data on the SD card, as well as decrypt the card. After setting the password, you are returned to the Encrypt external SD card screen and you must tap Continue and then enter the password to start the encryption process. When fully encrypted, a notification appears at the top of the screen. To decrypt an external SD card, this option must be deactivated in Avalanche and synced to the device. Once synced, launch the Settings app and navigate to the Encrypt external SD card screen. Tap Turn off and enter the password you set previously. Tap Apply and then wait for the SD card to be decrypted. A notification appears at the top of the screen when complete. For a demo on encrypting an external SD card on a device, see the video below.
|
|
App Lists |
Allows you to list specific applications that will be allowed or blocked on the device. When creating a Restrictions payload for Android devices, you can establish a list of blocked or approved apps for kiosk mode. A White List indicates the approved apps and prevents all other apps from launching. A Black List indicates apps not approved for use and redirects users to the home screen when an unapproved app is launched. If you create a White List, you must select a default home app from the Restrictions payload screen. Generally the home app is an app launcher that lists the available apps. After deploying the payload, tap the Home button on a device to launch the home app. Holding down the home button or navigating to a blocked app displays a dialog box that lists the available apps. To block or add a specific app, you can type the name and package details in the text boxes and click Add. Type the friendly name for the app in the Name text box, and the Android package name in the Package text box. For example, in order to block or add a Gmail app, type: Gmail com.google.android.gm You can also click Browse for more apps to search the Google Play Store for the name of the application — this will populate the name and package details. To delete an app from the list, enable the checkbox next to the name of the app and click Delete. In order for the device user to override app restrictions on the device, you must set a Smart Device Client Administrator Password from the System Settings screen in Avalanche. After setting the password and syncing the device, you can input the password on a device to disable app restrictions. To deactivate app restrictions, edit the original payload, disable Use App List, redeploy the payload, and sync the desired devices. Deploying white or blacklisting restrictions on a Samsung SAFE device will disable both hard and soft home keys and create a button that allows the user to navigate back to the home app. |
|
SAFE App Permission Control |
Allows you to create a list of specific applications and assign restrictions or allowances on how an app interacts with other apps and can be used on a Samsung SAFE device. To add a specific app for management in this payload, you can type the name and package details in the text boxes and click Add. Type the friendly name for the app in the Name text box, and the Android package name in the Package text box. For example, in order to add restrictions to the Gmail app, type: Gmail com.google.android.gm You can also click Browse for more apps to search the Google Play Store for the name of the application — this will populate the name and package details. To delete an app from the list, enable the checkbox next to the name of the app and click Delete. Once you add an app, you can click the arrow on the left side of the row to expand and view available restrictions, which includes Install, Status Notification, Widget Install, and Force Stop. You can set more restrictions on an app-by-app basis by clicking the Add more restrictions button, which allows you to set any restriction listed on the SAFE Permission Blacklist tab. Options selected here will only apply to the app you're restricting. If an app requires use of an option you've restricted, the app will automatically close when launched and display an error message. If an open app asks for permission to access a restricted setting and the device user gives permission, this will also force the app to close. To set global restrictions, navigate to the SAFE Permission Blacklist tab. |
|
SAFE Permission Blacklist |
Allows you to globally restrict how all apps interact with each other and your Samsung SAFE device. Selecting a restriction prevents any apps on the device from performing the specified action. For example, if you select Read SMS, devices that receive this payload cannot open and view SMS messages. These restrictions can be set on an app-by-app basis from the Safe App Permission Control tab, though results may vary depending on the type of app. If an app requires use of an option you've restricted, the app will automatically close when launched and display an error message. If an app asks for permission to access a restricted setting and the device user gives permission, this will also force the app to close. |
The Restrictions payload for iOS offers the following options:
|
Payload Name |
The name of the payload. |
|
Allow installing apps |
Allows the user to install apps. Removing the check for this option does not prevent users from deleting apps on the device. Avalanche cannot prevent the removal of apps at the device level. |
|
Allow use of camera |
Allows the user to launch the camera application. |
|
Allow FaceTime |
Allows the user to place or receive FaceTime calls. |
|
Allow screen capture |
Allows the user to save a screenshot of the display. |
|
Allow automatic sync while roaming |
Allows the device to sync accounts automatically even when the device is roaming. |
|
Allow Siri |
Allows the user to use Siri, voice commands, or dictation. |
|
Allow Siri while locked |
Allows the user to use Siri without entering a passcode when the device is locked. |
|
Allow Siri querying user-generated content (Supervised only) |
Allows the user access to content in Siri added by other users. |
|
Allow voice dialing |
Allows the user to dial using a voice command. |
|
Allow Passbook while device locked |
Allows the device to display Passbook notifications while the device is locked. |
|
Allow In-App Purchase |
Allows the user to make purchases through installed apps. |
|
Force user to enter password for all purchases |
Forces the user to type in his iTunes Store account password each time he makes a purchase. |
|
Allow multiplayer gaming |
Allows the user to play multiplayer games in the Game Center. |
|
Allow adding Game Center friends |
Allows the user to add friends in the Game Center. |
|
Allow Control Center while locked |
Allows the user to swipe up to view the Control Center even when the device is locked. |
|
Allow Notification View while locked |
Allows the user to view notifications even when the device is locked. |
|
Allow Today view while locked |
Allows the user to swipe down to see the Today view even when the device is locked. |
|
Allow iBooks Store |
Allows the user to access the iBooks Store. |
|
Allow use of AirDrop |
Allows the user to access AirDrop. |
|
Allow account change |
Allows the user to change account settings. |
|
Allow cellular data usage for apps |
Allows apps on the device to use a cellular data connection. |
|
Allow use of iTunes Store |
Allows the user to access the iTunes Store. |
|
Allow use of YouTube |
Allows the user to open the YouTube app. |
|
Allow use of iTunes Store |
Allows the user to launch and use the iTunes store. |
|
Limit ad tracking |
Prevents the device's ID from being used for advertisement tracking. |
|
Allow Web browser |
Allows the user to launch Safari. When this option is disabled, the user will not be able to launch Safari, but will still be able to launch other Web browsers, such as Chrome. |
|
Enable autofill |
Allows the user to turn on Safari's autofill feature. |
|
Force fraud warning |
When the user visits a fraudulent or compromised web site, Safari displays a warning. |
|
Allow JavaScript |
Allows web pages that the user accesses using Safari to run JavaScript. |
|
Block pop-ups |
Sets Safari to block pop-up messages. |
|
Accept cookies |
Allows Safari to accept all cookies, reject all cookies, or accept cookies only from sites that are directly accessed. |
|
Allow change to Find My Friends (Supervised only) |
Allows applications to access Find My Friends. |
|
Allow explicit content |
Allows the user to see explicit music or video content in the iTunes Store. Explicit content is flagged by content providers. |
|
Ratings region |
The media region with the rating system the device should use in allowing content. |
|
Allowed content ratings |
Movies. The level of allowed content for movies. TV Shows. The level of allowed content for TV shows. Apps. The level of allowed content for apps. |
Kiosk Mode (Supervised device only)
|
Enable kiosk mode |
Also known as guided access, this option limits the device to only run the application specified. When kiosk mode is enabled, the device will only launch the app specified and will block other apps. To specify the app for kiosk mode, use the Apple ID. To exit kiosk mode, an administrator must modify the payload to turn off kiosk mode and update the device. Kiosk mode is only available for devices that are in Supervised mode. For more information, see your Apple documentation. |
|
Disable Autolock |
Prevents the device from locking automatically. |
|
Disable device rotation |
Disables the display from changing orientation when the device is rotated. |
|
Disable ringer switch |
Disables any functionality associated with the ringer switch. |
|
Disable sleep/wake button |
Disables any functionality associated with the sleep/wake button. |
|
Disable touch |
Disables the touch functionality of the screen. |
|
Disable volume button |
Disables any functionality of the volume button. |
|
Allow Assistive Touch |
Allows the user to use Assistive Touch features to make the device more accessible. This option is for users who have problems touching the screen or pressing buttons. |
|
Allow Assistive Touch adjustment |
Allows the user to configure Assistive Touch options. |
|
Allow invert colors |
Allows the user to invert the colors on the screen. |
|
Allow user to adjust color inverting |
Allows the user to configure color inversion options. |
|
Allow mono audio |
Allows the user to switch the audio output to mono. |
|
Allow Speak Selection |
Allows the user to select text and use the Speak Selection feature for text-to-speech. |
|
Allow VoiceOver |
Allows the user to use VoiceOver features to make the device more accessible. This option is for users who need audible presentation of screen materials or menus. |
|
Allow user to adjust VoiceOver |
Allows the user to configure VoiceOver options. |
|
Allow zoom |
Allows the user to use zoom features. |
|
Allow user to change zoom |
Allows the user to change the zoom settings. |
|
Autonomous permitted App IDs to run |
Allows apps identified by the bundle IDs to enter Single App Mode. This option only applies if you have apps that have the ability to enter Single App Mode. Avalanche does not make apps enter Single App Mode, it only allows the app to do it. |
|
Allow backup |
Allows the user to back up the device using iCloud. |
|
Allow document Sync |
Allows the user to store documents in iCloud. |
|
Allow Photo Stream |
Allows the user to use Photo Stream. If Photo Stream is disabled after the device user has shared photos using Photo Stream, photos already shared will be removed. |
|
Allow shared photo streams |
Allows the user to share his photo stream and view others' photo streams. |
|
Allow unlocking by Touch ID |
Allows the user to use Touch ID to unlock the device. |
|
Allow Host Pairing |
Allows the device to pair with computers other than the computer used to put the device in Supervised mode. |
|
Allow diagnostic data to be sent to Apple |
Allows the device to send diagnostic data to Apple. |
|
Allow user to accept untrusted certificates |
Allows the user to accept TLS certificates that can't be verified. This setting is enforced for Safari, Mail, Contacts, and Calendar. |
|
Allow open from managed to unmanaged Apps/Accounts |
Allows the user to switch to unmanaged applications or accounts from a managed app or account. For example, if the email app is managed but the browser app is not, the user would be allowed to click on a link in an email that launches the browser. |
|
Allow open from unmanaged to managed Apps/Accounts |
Allows the user to switch to managed applications or accounts from an unmanaged app or account. For example, if the email app is managed but the browser app is not, the user would be allowed to click on a link on a web page that launches the email app. |
|
Allow Over-The-Air PKI Updates |
Allows public key infrastructure updates. If this option is not enabled, you may experience issues with any application that depends on certificates, including Internet browsers. |
|
Allow interaction while install config profile (Supervised only) |
Allows the administrator to send down configuration profiles silently, without user interaction. |
|
Force encrypted backups |
Forces the user to encrypt any backups using iTunes. |
For some of the options in a Restrictions payload for iOS, the device must be manually configured to be in Supervised mode using Apple Configurator. For information on Supervised mode, see your Apple documentation.
A restrictions payload for Windows Embedded Handheld and Windows Phone 8.1 devices offers the following options:
|
Allow Unenrollment |
Allows the user to manually unenroll the Avalanche profile at the device level. When this option isn't selected, users cannot remove the profile at the device level except by performing the following tasks in Avalanche: •Selective wipe •Selective wipe + delete •Factory reset (this can also be done at the device level) |
|
Allow installing apps |
Allows the user to install apps. When disabled, the Windows App Store is disabled at the device level. Removing the check for this option does not prevent users from deleting apps on the device. Avalanche cannot prevent the removal of apps at the device level. |
|
App Lists |
Allows you to list specific applications that are allowed for use on the device. When creating a Restrictions payload for Windows Embedded Handheld and Windows Phone 8.1 devices, you can establish a list of approved apps for use at the device-level. This white list indicates any approved apps and prevents all other apps, apart from system apps, from launching. To add a specific app, you can type the name and package details in the text boxes and click Add. Type the friendly name for the app in the Name text box, and the package name in the Package text box. For example, in order to block or add the OneDrive app, type: OneDrive ad543082-80ec-45bb-aa02-ffe7f4182ba8 You can also click Browse for more apps to search the Windows Phone App Store for the name of the application — this will populate the name and package details. To delete an app from the list, enable the checkbox next to the name of the app and click Delete. App restrictions cannot be overridden at the device level. To deactivate app restrictions, edit the original payload, disable Use App List, and redeploy the payload. |
This page refers to an older version of the product.View the current version of the User Guide.
The topic was:
Inaccurate
Incomplete
Not what I expected
Other
Copyright © 2017, Ivanti. All rights reserved.