
Restrictions

Mobile Device Manager Plus allows administrators to create an Android Restriction profile to manage various aspects of device functionality effectively. The profile encompasses several key sections, including Device Functionality, Security, Sync and Storage, Applications, Browser Restrictions, Network and Roaming, Device Connectivity, Tethering, Location Settings, Phone, Date/Time Settings, Display Settings, and Miscellaneous. Within each of these sections, administrators can specify features to either allow or restrict during the profile creation process. For detailed information on each section, please refer to the Profile Description section below.

Only devices running Android 5.0 or above can be provisioned as Profile Owner or Device Owner.

Note: To view a detailed comparison of the policies supported for each OS version, click here.

Note: For enhanced security, the admin can configure a kiosk profile to lock down the device with specific apps and settings, or blocklist unwanted apps in the Inventory. The admin can further strengthen corporate security by ensuring users install only safe apps, by configuring application settings for Corporate Owned devices and Workspace Security for BYOD devices.

FEATURE | DESCRIPTION | KNOX-ENABLED SAMSUNG | FULLY MANAGED WITH WORK PROFILE | NON-SAMSUNG (LEGACY | WORK PROFILE ON PERSONALLY OWNED | FULLY MANAGED)
DEVICE FUNCTIONALITY
Camera (Supported from Android 5.0) By disabling this, users will not be allowed to use the Camera on their devices. On restricting this, the Camera will remain restricted within the Knox container also.
Access Camera from Lock Screen (Supported from Android 5.0) By disabling this, the users are restricted from accessing the Camera from the lock screen of the device. This can be configured only when Camera is allowed on the device.

Note: For KNOX-enabled Samsung and legacy devices, this applies to devices running Android 5.0 or later versions.

Access Camera in Personal Space (Supported from Android 5.0) By disabling this, the users are restricted from accessing the Camera from the lock screen of the device. This can be configured only when Camera is allowed on the device.

Note: For KNOX-enabled Samsung and legacy devices, this applies to devices running Android 5.0 or later versions.

Video Recording (Supported from Android 5.0) By disabling this, users will not be able to record videos on their devices. Video Recording can be allowed only when Camera is allowed on the device.
Microphone By enabling this, users will be allowed to use the Microphone. If this is disabled, users can use the Microphone only for receiving and making calls. All other voice applications which require the Microphone usage will be restricted.
On restricting this on the device, the Microphone will remain restricted within the Knox container also.
Audio Recording (Supported from Android 5.0) By disabling this, users will not be able to record audios on their devices. Audio recording can be enabled only when the Microphone is enabled on the device.

Note: For Device Owner mode, there is no separate restriction available; restrictions apply when the Microphone is restricted.

Firmware Recovery (Samsung-only feature) By disabling this, users cannot perform firmware recovery on the device.
OS Upgrade (Samsung-only feature, supported from Android 5.0) By enabling this, users will be able to perform OS upgrades on their devices.
Screen Capture By disabling this, users will not be allowed to capture the screen on the devices.

Note: The screen capture restriction is applied through a Samsung API whose behavior changes from Knox 3.8. Samsung default apps such as Launcher, SystemUI, Settings, Reminder, Calendar and Clock may still allow screen capture even when the restriction is applied.

Screen Capture from Personal Profile By disabling this, users will not be allowed to capture the screen on personal profiles of the device.
Smart Clip Mode (Samsung-only feature, supported from Android 5.0) By enabling this, users will be allowed to access smart clip mode on their devices.
S-Voice (Samsung-only feature, supported from Android 5.0) By disabling this, users will be unable to use the S-Voice feature on their devices. S-Voice can be enabled only when the Microphone is enabled on the device.
Add Accounts (Supported from Android 5.0) Enabling this will allow users to add email, Exchange, LDAP, and Google accounts on managed devices.
Disabling this prevents users from adding any of these accounts. Account addition is prevented only after the restriction is applied to the devices; accounts that were already present are not affected.

Note: For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container.

Enforce Storage Encryption (Supported from Android 5.0) All data stored in the internal memory of the device must be encrypted. Ensure your devices are charged up to 80% to begin the encryption process. This restriction is applied only if the device is secured through a passcode. If there is no passcode on the device, you can associate a Passcode policy first and then distribute the restrictions policy.

Note: For Profile Owner and Device Owner modes, encryption is enabled by default.

Enforce SD Card Encryption (Samsung-only feature, supported from Android 5.0) Encryption is forced on the SD Card. This restriction is applied only if the device is secured by a passcode. If there is no passcode on the device, you can associate a Passcode policy first and then distribute the restrictions policy.
SECURITY
Restore Factory Settings By restricting this, admins can prevent users from resetting devices to their factory settings. By restricting this and also configuring EFRP on the devices, admins can prevent users from removing devices from management through a hard reset.
Lock Screen Notification Preference Configure how notifications appear on the lock screen of the device. Choose to show all content, hide sensitive content, or completely hide notifications.

Note: For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container. For KNOX-enabled Samsung, this applies to devices running Android 5.0 or later versions.

Installing Non-Market apps Allow/Restrict installing apps not listed on the Play Store. Restricting this disables the Install apps from unknown sources setting for app installation.

Note: For Profile Owner mode, restrictions are applied by default.

Allow certificate based authentication for managed apps Allow/Restrict certificate based authentication for managed apps.

Note: For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container.

Allow users to install or modify certificates Allow/Restrict users to install/modify certificates.

Note: For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container.

Clipboard (Supported from Android 5.0) By enabling this, users will be allowed to use the Clipboard memory.

Note: For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container.

Clipboard Share (Supported from Android 5.0) By enabling this, users can share the Clipboard content between different applications. This can be enabled only when Clipboard feature is enabled on the device.

Note: For Profile Owner mode, there is no separate restriction; restrictions apply when the Clipboard is restricted.

Safe mode (Supported on Samsung, Profile Owner and Device Owner devices from Android 6.0) By enabling this, users can boot the device in Safe mode.
Developer Mode By enabling this, users can use developer options on the device.
'Share via' list (Samsung-only feature, supported from Android 5.0) By enabling this, users will be allowed to use the share list on their devices.
Google Play Protect Google Play Protect regularly checks apps and the devices for any harmful behavior. 
Auto fill By enabling this option, users will be allowed to use Auto-Fill Settings.
SYNC AND STORAGE
Google Account Auto-Sync (Samsung-only feature, supported from Android 5.0) By enabling this option, users will be allowed to sync their Google Accounts on their devices.
Report Crash to Google (Samsung-only feature, supported from Android 5.0) By enabling this, crash reports will be sent to Google.
SD Card By enabling this, users will be allowed to use an SD Card on their devices. For non-Samsung devices: This restriction only blocks new SD card mounts; existing mounts are unaffected. For Samsung devices: This restriction applies to both newly inserted and already mounted SD cards.
Storing data in SD Card (Supported from Android 5.0) By enabling this, users will be allowed to store data on SD Cards of the devices.

Note: For Device Owner mode, there is no separate restriction; restrictions apply when the SD Card is restricted.

Move apps to SD Card (Samsung-only feature, supported from Android 5.0) By enabling this, users will be able to move applications installed in device memory to the SD card.
USB By enabling this, users will be allowed to use USB on their devices.
Connections using USB By enabling this, users will be allowed to use USB to establish connections for debugging.

Note: For Device Owner mode, there is no separate restriction; restrictions apply when USB is restricted.

Connect a USB storage device By enabling this, users will be allowed to connect USB Storage devices. This can be enabled only when USB is enabled on a device.

Note: For Device Owner mode, there is no separate restriction; restrictions apply when USB is restricted.

APPLICATIONS
Users can install only approved apps This restriction lets the admin either allow users to install all applications or restrict installation to apps distributed from the MDM app repository. If this restriction is configured as Yes, the user will be able to install only admin-approved apps. All apps previously installed by users get disabled, and in the case of subsequent installations of unapproved apps, although the apps get downloaded and installed, they are automatically uninstalled. Once this restriction is removed, apps previously disabled get enabled automatically. If No is chosen, a sub-condition will be shown where the admin can choose whether the user can access all apps under Managed Google Play or only admin-approved apps.

Note: Restricting the option Users can install unapproved apps for an Android device will also prevent the installation of Non-Market apps, even if the profile settings in the MDM console allow "Non-Market apps." For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container.

Allow access to all apps under Managed Google Play In case Managed Google Play is configured in the server, the admin can still restrict the access to either all apps under Managed Google Play or only admin approved apps.
  1. In case access is given to all apps, Admin distributed apps will be listed under the Work Apps tab in Play Store
  2. The apps available under the Work Apps tab can be arranged catering to the needs of the organization by customizing the Play Store

Note: For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container.

Uninstalling apps (Supported from Android 5.0) By enabling this, users will be allowed to uninstall applications from the device. Note: Despite this setting, apps silently installed on devices cannot be uninstalled by users.

Note: For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container.

Stop system apps (Samsung-only feature, supported from Android 5.0) By enabling this, users can stop the system apps present in their devices.
Application notification mode (Samsung-only feature, supported from Android 5.0) By enabling this, the user can choose to allow or restrict app notifications. If restricted, app notifications are disabled.
Global App Permission policy Configuring this lets you automatically deny or allow permissions for apps present on the device. If Auto-deny is chosen, some apps, such as Camera, will be disabled and the user will not be prompted to accept the permission, while other apps, such as Phone, will display a message notifying the user of the denied access. Optionally, you can also leave the choice to the user.

Note: For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container.

BROWSER (Applicable only for Google Chrome in legacy)
Android browser By enabling this option, the users will not be able to use any web browsers on the device.

Note: For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container.

Fraud warning settings By enabling this, users will be allowed to use Fraud Warning Settings on the device.

Note: For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container.

Pop-ups By enabling this, user Pop-Ups will be enabled on the device.

Note: For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container.

JavaScript By enabling this, users will be allowed to use applications that run on JavaScript.

Note: For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container.

Auto-fill By enabling this option, users will be allowed to use Auto-Fill Settings.

Note: For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container.

Cookies By enabling this option, users will be allowed to use Cookies Settings on the device.

Note: For Work Profile on Company-Owned Devices, restrictions apply only to the Work Container.

NETWORK AND ROAMING
Airplane Mode (supported for Samsung and devices running Android 9.0 and above) If this is restricted, users will be unable to use airplane mode on their devices.
Background data (Samsung-only feature) If Allow is chosen, users will be able to disable background data, which is enabled by default. (This profile is not applied automatically; the user has to accept it.)
Data Saver Mode (Samsung-only feature) Enable this option to reduce data usage by preventing apps from sending or receiving data in the background.
Wi-Fi If 'User Controlled' is chosen, users will be allowed to disable or enable Wi-Fi on the device.
If Wi-Fi is Always On on the device, users will not have permission to disable it.
Note: This is not supported for corporate Samsung devices running Android 10.0 or above enrolled via invites.
If Wi-Fi is Always Off on the device, users will not have permission to enable it. The managed devices will be out of network connectivity and even the MDM server cannot reach the device until cellular data is enabled on the device. 
Wi-Fi Direct (Samsung-only feature - Supported from Android 5.0) By enabling this, users will be allowed to access Wi-Fi Direct on their devices.
Connecting to Wi-Fi, only if distributed via MDM (Supported from Android 5.0 to 9.0) Restrict/Allow users to connect to Wi-Fi networks only if Wi-Fi configurations have been distributed as a profile via MDM. If no Wi-Fi profile has been configured via MDM, the device can connect to other Wi-Fi networks. Also, if the Wi-Fi SSID has been changed, then the profile must be modified to include the new SSID and then re-distributed to the device, for continued management.
Restrict users from connecting to unsecure public Wi-Fi networks: By restricting this, users will not be able to connect their devices with public or unsecure Wi-Fi network connections which are not protected with a password.
Allow users to configure VPN (Supported from Android 5.0) Users are restricted from configuring VPN on devices, apart from any VPN configurations distributed through the MDM server. If this restriction is enabled on Samsung devices (running on OS 5.0 and above), any VPN configured by the user gets deleted.
Roaming data (Samsung-only feature) If you have allowed this, users can choose to allow or disallow roaming data on the device. Else, this setting will be disabled and greyed out in the device.
Sync data while Roaming (Samsung-only feature) By enabling this, users will be allowed to use Sync feature while roaming.
Roaming Push (Samsung-only feature) By enabling this, data will be pushed to devices even if they are in roaming.
Voice Call while Roaming (Samsung-only feature, supported from Android 5.0) By enabling this, users will be allowed to receive/make voice calls during roaming.
DEVICE CONNECTIONS
NFC By enabling this, users can utilize Near Field Communication (NFC).

Note: For Device Owner, the device will display a policy violation message, prompting the user to enable/disable the NFC setting as specified in the profile.

Android Beam (Supported from Android 5.0) By enabling this, users can utilize Android Beam to transfer data to other supported devices.

Note: For Profile Owner mode, restrictions are applied by default. For Work Profile on company-owned devices, restrictions are applied only to the Work Profile.

S Beam (Samsung-only feature, supported up to Android 5.0) By enabling this, users can utilize S Beam to share files with other supported devices.
Bluetooth By enabling this, users will be allowed to use Bluetooth in their devices.
Bluetooth discovery (Samsung-only feature) By enabling this, users can allow other devices to detect and connect to their devices.
Bluetooth pairing (Samsung-only feature) By enabling this, users will be allowed to pair their devices with other devices to enable data transfer.
Make outgoing calls using Bluetooth (Samsung-only feature) By enabling this, users will be allowed to place outgoing calls using Bluetooth.
Connect to Laptop/Desktop via Bluetooth (Samsung-only feature) By enabling this, users can connect their devices to desktops/laptops using Bluetooth.
Data transfer via Bluetooth (Samsung-only feature) By enabling this, users will be allowed to transfer data from their devices to other devices using Bluetooth.
Printing (Supported from Android 9.0) By enabling this, users will be allowed to use Bluetooth printers through their devices.
TETHERING
Tethering Disabling this restricts managed devices from tethering with other devices to share the cellular network.
Bluetooth Tethering By enabling this, users will be allowed to share Internet connection via Bluetooth with other devices. This can be enabled only when Bluetooth is enabled on a device.

Note: For Device-Owner, there are no separate restrictions. Tethering is restricted only when Tethering is specifically restricted.

Wi-Fi Tethering By enabling this, users will be allowed to share Internet connection via Wi-Fi with other devices. This can be enabled only when Wi-Fi and Wi-Fi Direct are enabled on the device.

Note: For Device-Owner, there are no separate restrictions. Tethering is restricted only when Tethering is specifically restricted.

USB Tethering By enabling this, users will be allowed to share Internet connection via USB with other devices. This can be enabled only when USB is enabled on the device.

Note: For Device-Owner, there are no separate restrictions. Tethering is restricted only when Tethering is specifically restricted.

LOCATION SERVICES
Location Services (Supported in legacy from OS 5.0) When set as Always On, Location Services is forcefully enabled (Location Tracking can be highly accurate when Location Services are set to Always On only for devices running OS below 9). Even if users turn it Off, it automatically reverts to the On state. The same applies to the Always Off option. If you configure it as User Controlled, device users can enable/disable it as per their needs.
Mock location (Samsung-only feature) Allow/Restrict users from showing falsified location data.
Google Maps By enabling this, users can utilize Google Maps.
PHONE
SMS (Supported from Android 5.0 in Samsung devices) By disabling this, users will not be able to use Short Messaging Service (SMS) on the managed devices.
Incoming SMS (Supported up to Android 5.0 in Samsung devices) By disabling this, users will not be able to receive any incoming message on their devices.

Note: For Device-Owner, there are no separate restrictions. The device is restricted when SMS functionality is restricted.

Outgoing SMS (Supported from Android 5.0 in Samsung devices) By disabling this, users will not be able to send any outgoing message from their devices.

Note: For Device-Owner, there are no separate restrictions. The device is restricted when SMS functionality is restricted.

MMS (Supported from Android 5.0 in Samsung devices) By disabling this, users will not be able to use Multimedia Messaging Service (MMS) in the managed devices.

Note: For Device-Owner, there are no separate restrictions. The device is restricted when SMS functionality is restricted.

Incoming MMS (Supported from Android 5.0 in Samsung devices) By disabling this, users will not be able to receive any incoming MMS to their devices.

Note: For Device-Owner, there are no separate restrictions. The device is restricted when SMS functionality is restricted.

Outgoing MMS (Supported from Android 5.0 in Samsung devices) By disabling this, users will not be able to send any outgoing MMS from their devices.

Note: For Device-Owner, there are no separate restrictions. The device is restricted when SMS functionality is restricted.

Call (Samsung-only feature) If disabled, users cannot make/receive calls.
Incoming Call (Samsung-only feature) By disabling this, users will not be able to receive any incoming calls on their devices. Even when it is allowed, incoming calls will work only when the Microphone is enabled on the device.
Outgoing Call By disabling this, users will not be able to place any outgoing calls on their devices. Even when it is allowed, outgoing calls will work only when the Microphone is enabled on the device.
DATE/TIME SETTINGS
Set device time (Supported from Android 9.0 and above) You can set the device time either based on the network provider's time or manually. Note: If an incorrect time is displayed, try connecting to a different network and check the Wi-Fi router.
Timezone (Supported from Android 9.0 and above) If you have enabled the device time to be set manually, then you can choose the desired timezone from the dropdown.
Modify date/time settings (Supported from Android 9.0 and above) Restricting this prevents the users from modifying date/time settings such as time format, date format, etc.
Modify date/time (Supported from Android 5.0 in Samsung devices) Restricting this prevents the users from modifying the date/time already set on the device.
DISPLAY SETTINGS (Supported from Android 9.0)
Screen Timeout The duration (between 5 and 1800 seconds) of inactivity after which the device goes to sleep.
Note: Screen Timeout duration cannot be higher than the Maximum idle time allowed before auto-lock configured in the Passcode profile.
Modify Screen Timeout Settings Disabling this ensures the screen timeout configured above or on the device cannot be modified.
Brightness Provide the level of brightness to be configured on the device.
Modify Brightness Settings Disabling this ensures the brightness configured above or on the device cannot be modified.
Ambient Display Enable/Disable displaying details such as the time, date, etc., on the device lock screen when it is in sleep.
MISCELLANEOUS
Turn the device off, using Power button (Samsung-only feature, supported from Android 5.0) By disabling this, users will not be able to turn off their devices using the Power Button.
Background process limit (Samsung-only feature, supported up to Android 5.0) By enabling this, the background processes running on the device can be enabled/disabled by the user. If disabled, then the background process limit is set to maximum.
Terminating app on exiting (Samsung-only feature, supported from Android 5.0) This setting (Don't keep activities) is restricted on the device by default. If you choose to allow this, users can choose to enable or disable it.
Modify default device settings (Samsung-only feature) Restricts access to the Settings app and Quick Settings panel modifications.
Air Command (Samsung-only feature, supported from Android 5.0) Enabling this will allow users to access the features related to S Pen, such as Notepad, virtual keyboard, Memo, etc. This is applicable only for Samsung Knox devices.
Smart View (Samsung-only feature, supported from Android 5.0) Enabling this allows users to view multimedia content present on the device, on a Samsung smart TV. 
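
Several rows above depend on another row (for example, Video Recording requires Camera, Clipboard Share requires Clipboard, Screen Timeout is bounded by the Passcode profile). The following added example, which is not Mobile Device Manager Plus code, lints a draft profile against those stated dependencies before distribution; every key name and the dictionary layout are hypothetical, and a setting missing from the draft is assumed to be unconfigured.

```python
# Added example: key names are hypothetical, not MDM identifiers.
# Child setting -> parent settings the table says must be enabled first.
DEPENDS_ON = {
    "camera_from_lock_screen": ["camera"],
    "video_recording": ["camera"],
    "audio_recording": ["microphone"],
    "s_voice": ["microphone"],
    "clipboard_share": ["clipboard"],
    "usb_storage": ["usb"],
    "bluetooth_tethering": ["bluetooth"],
    "wifi_tethering": ["wifi", "wifi_direct"],
    "usb_tethering": ["usb"],
}


def _enabled(value):
    """Wi-Fi has three states in the table; other settings are allow/restrict."""
    if isinstance(value, str):
        return value != "always_off"
    return bool(value)


def lint_profile(profile, passcode_policy=None):
    """Return a list of conflicts between a draft profile and the table's rules."""
    findings = []
    for child, parents in DEPENDS_ON.items():
        if not _enabled(profile.get(child, False)):
            continue
        for parent in parents:
            # Only flag parents the draft explicitly restricts or turns off.
            if parent in profile and not _enabled(profile[parent]):
                findings.append(f"{child} is allowed but {parent} is restricted or off")

    timeout = profile.get("screen_timeout_seconds")
    if timeout is not None:
        if not 5 <= timeout <= 1800:
            findings.append("screen_timeout_seconds must be between 5 and 1800")
        max_idle = (passcode_policy or {}).get("max_idle_seconds")
        if max_idle is not None and timeout > max_idle:
            findings.append("screen_timeout_seconds exceeds passcode max idle time")

    # Encryption rows are applied only when the device has a passcode.
    for key in ("enforce_storage_encryption", "enforce_sd_card_encryption"):
        if profile.get(key) and passcode_policy is None:
            findings.append(f"{key} needs a Passcode policy associated first")

    if profile.get("wifi") == "always_off":
        findings.append("wifi always_off: MDM server cannot reach the device "
                        "until cellular data is enabled")
    return findings


# Constructed sample draft, not taken from a real deployment.
DRAFT = {
    "camera": False, "video_recording": True,
    "microphone": True, "audio_recording": True,
    "clipboard": False, "clipboard_share": True,
    "usb": True, "usb_storage": True,
    "wifi": "always_off", "wifi_direct": True, "wifi_tethering": True,
    "screen_timeout_seconds": 2400,
    "enforce_storage_encryption": True,
}

if __name__ == "__main__":
    for finding in lint_profile(DRAFT):
        print("CONFLICT:", finding)
```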

 

 
