Android Device Management Profiles
You can design a profile to impose policies and restrictions on the managed mobile device. The following profile specifications can be customized and stored as specific versions, and associated with devices/groups at any point in time. These profiles are tailored for managing Android devices enrolled using the Android Device Policy app.
Passcode
FEATURE | DESCRIPTION |
---|---|
APPLY PASSCODE (Specify if you want the passcode to be applied to the whole device or only to the work profile container) | |
Device | Passcode will be applied to the whole device. |
Work profile (Applicable for devices running Android 7.0 or later versions) | Passcode will be applied only to the work profile container (created as the device is provisioned as Profile Owner). |
CONFIGURE | |
Passcode requirements | You can select the conditions that need to be met when the users configure a passcode on devices. |
Default passcode | You can enter the common passcode that must be enforced on the devices. The user cannot modify the passcode set. |
Password removal | In the case of digital signage, organizations must set up the device without a passcode. Using this option, any existing passcode on the device can be removed and users can be prevented from manually configuring a passcode on these devices. Not applicable for devices running Android 11.0 or above. Note: A password set by the user cannot be removed from Samsung devices running Android 9.0 or above that are enrolled via the invite method. |
PASSCODE COMPLEXITY (Applicable only for devices running Android 12.0 and above) | |
Low | A pattern or a PIN with repeating or ordered sequences (Example: 4444, 1234, 4321, 2468) should be configured. |
Medium | The passcode should be a PIN with no repeating or ordered sequences (Example: 4444, 1234, 4321, 2468), or an alphabetic or alphanumeric password, with a length of at least 4 elements. |
High | The passcode should be a PIN with no repeating or ordered sequences (Example: 4444, 1234, 4321, 2468) and a length of at least 8 elements, or an alphabetic or alphanumeric password with a length of at least 6 elements. |
FOR ANDROID 11.0 AND BELOW | |
Passcode should contain (Applicable when Passcode Requirements is selected) | You can define the minimum passcode type required or allowed to create a passcode. The increasing order of security in the passcode type is Simple Value -> Numbers -> Alphabet -> Alphanumeric -> Complex Value. If you choose, for example, 'Numbers' as the minimum required passcode type, the passcode set on the device can contain numbers, alphabets, alphanumeric characters or complex values. 'Simple Value (Pattern)' enables you to set patterns, PINs or passwords for the device. Not applicable for devices running Android 11.0 or above. On choosing 'Numbers', you can set either a PIN or a password for the device; the password can contain numbers, alphabets, alphanumeric characters or complex values. 'Alphabet' allows you to set only passwords for the device; the password can contain alphabets, alphanumeric characters or complex values. 'Alphanumeric' allows you to set a password that contains both numbers and alphabets; special characters can also be included. 'Complex Value' enables you to set a password that contains alphabets, numbers and at least one special character. |
Minimum passcode length (Cannot be configured if Minimum passcode requirement is pattern) | You can define a minimum length for the passcode here. Applicable only for devices running Android 11.0 and below. |
OTHER SETTINGS | |
Maximum number of failed attempts (Applicable when Passcode Requirements is selected) | The maximum number of failed attempts allowed can be specified. When the number of failed attempts exceeds this limit, the device will be reset, completely wiping all the data on the device. |
Strong Authentication timeout (Applicable only for devices running Android 8.0 and above) | After the Strong Authentication timeout period set by the admin, biometrics (such as fingerprint, face unlock) are turned off automatically. Users will be forced to unlock the device using a strong authentication passcode (such as PIN or password). |
Number of passcodes to be maintained in the history (Supported from Android 5.0 and applicable when Passcode Requirements is selected) | Total number of previous passcodes to be maintained, so that they cannot be reused. |
Maximum passcode age (Supported from Android 5.0 and applicable when Passcode Requirements is selected) | The user will be notified to reset the passcode based on the number of days specified here. |
Smart Lock (Applicable when Passcode Requirements is selected) | Allow or restrict users from setting up Smart Lock on their devices, with which they can bypass the password prompt on the lock screen by configuring trust agents such as On-Body detection, Trusted places/devices/voice. |
BIOMETRIC PASSCODES | |
Use Fingerprint as passcode | Allow/Restrict usage of fingerprints as device passcode. |
Use iris scanning as passcode | Allow/Restrict usage of iris scanning as device passcode. |
Use face scanning as passcode | Allow/Restrict usage of face scanning as device passcode. |
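The following added example (not part of the original page, and not Android or MDM product code) places a candidate passcode in the Low/Medium/High bands described under PASSCODE COMPLEXITY, so that a policy choice can be checked against sample passcodes. It assumes that a run of four or more digits with a constant step counts as a repeating or ordered sequence; the function names and that threshold are assumptions.

```python
# Added example: place a candidate passcode in the Low/Medium/High bands from
# the table above. Illustrative only; not Android or MDM product code.
MAX_RUN = 3  # assumption: 4+ digits with a constant step count as a sequence
ORDER = ["None", "Low", "Medium", "High"]


def longest_constant_step_run(pin: str) -> int:
    """Longest run of digits whose neighbours differ by one constant step.

    Step 0 is a repeat (4444); steps such as +1, -1, +2 are ordered
    sequences (1234, 4321, 2468).
    """
    if len(pin) < 2:
        return len(pin)
    step = int(pin[1]) - int(pin[0])
    best = run = 2
    for prev, cur in zip(pin[1:], pin[2:]):
        diff = int(cur) - int(prev)
        if diff == step:
            run += 1
        else:
            step, run = diff, 2
        best = max(best, run)
    return best


def highest_band(passcode: str) -> str:
    """Highest band the passcode satisfies, or "None" if it fits no band."""
    is_pin = passcode.isascii() and passcode.isdigit()
    if is_pin and longest_constant_step_run(passcode) > MAX_RUN:
        return "Low"  # PIN with a repeating or ordered sequence
    medium_len, high_len = (4, 8) if is_pin else (4, 6)
    if len(passcode) >= high_len:
        return "High"
    if len(passcode) >= medium_len:
        return "Medium"
    return "Low" if is_pin else "None"  # short PINs fall back to Low


def rejected(candidates, required: str) -> list:
    """Candidates that fall below the band the profile requires."""
    need = ORDER.index(required)
    return [c for c in candidates if ORDER.index(highest_band(c)) < need]


# Constructed sample passcodes, checked against a profile that requires Medium.
SAMPLES = ["4444", "2468", "1593", "91234", "ab1c", "15937264"]

if __name__ == "__main__":
    print(rejected(SAMPLES, "Medium"))
```
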
Restrictions
FEATURE | DESCRIPTION |
---|---|
DEVICE FUNCTIONALITY | |
Add Accounts | Enabling this will allow users to add email, Exchange, LDAP, and Google accounts on managed devices. Disabling this prevents users from adding any of these accounts. Account addition is prevented only after the restriction is applied to the devices; accounts that were already present are not affected. |
Screen Capture | By enabling this, users will be allowed to capture the screen on the devices. |
SECURITY | |
Installing Non-Market Apps | Allow/Restrict installing apps not listed on the Play Store. Restricting this disables the Install apps from unknown sources setting for app installation. |
Google Play Protect | Google Play Protect regularly checks apps and the devices for any harmful behavior. |
Lock Screen Notification Preference | Configure how the notifications appear on the lock screen of the device. Either choose to show all content, hide sensitive content, or completely hide notifications. |
Allow users to install or modify certificates | Allow/Restrict users to install or modify certificates |
APPLICATIONS | |
Install Apps | If installing unapproved apps is restricted, all apps previously installed by users get disabled. For subsequent installations of unapproved apps, the apps get downloaded and installed but are then automatically uninstalled. This ensures that only those apps distributed via MDM are installed on the device. Once this restriction is removed, apps previously disabled get enabled automatically. Note: System pre-installed apps from other stores like Samsung Galaxy Store, Huawei, etc. will be automatically updated even if installing unapproved apps is restricted. |
Uninstall Apps | By enabling this, users will be allowed to uninstall applications from the device. Note: Despite this setting, apps silently installed on devices cannot be uninstalled by users. |
Global App Permission Policy | Configuring this lets you choose to automatically deny/allow permissions for apps present on the device. If Auto-deny is chosen, some apps such as Camera will be disabled and the user will not be prompted to accept the permission, while in other apps such as Phone, a message will be shown notifying the user of the denied access. Optionally, you can also leave it to the user. |
Workspace Security
FEATURE | DESCRIPTION |
---|---|
Share documents from unmanaged apps to Work Profile | Specify if users can share or access documents stored in unmanaged apps to apps installed on the Work Profile. |
Clipboard | Specify if clipboard sharing is allowed between apps in Work Profile and unmanaged apps. |
Allow native Phone app to view contact details in the Work Profile | Specify if managed incoming/outgoing caller details can be viewed in native Phone app. |
Allow the app(s) to be connected between work and personal space | Allow/Restrict data sharing between work and personal space for same apps. This allows the users to sync their corporate events and tasks with personal apps and view them together. This way, employees don't miss their important tasks and events scheduled. |
Learn more about securing corporate data.
Wi-Fi
FEATURE | DESCRIPTION |
---|---|
Wireless Network identification | Specify the name of your Wi-Fi network. |
Automatically join network | Enabling this option will allow the device to automatically join the Wi-Fi network. |
Security type | Choose the security type as None / WEP / WPA/WPA2 PSK / 802.1x EAP. |
Password (Can be configured only if Security type is configured) | Specify the password if you have chosen the security type as WEP / WPA/WPA2 PSK. |
EAP Method (Can be configured only if Security type is '802.1x EAP') | If you have chosen the security type as 802.1x EAP, then you need to specify the type of authentication as PEAP/TLS/TTLS. |
Phase 2 Authentication (Can be configured only if Security type is '802.1x EAP') | Specify the Phase 2 Authentication type as PAP/MSCHAPV2. |
Domain Name (Can be configured only if Security type is '802.1x EAP') | Specify the domain name of the authentication server that verifies the Wi-Fi credentials. Applicable only for devices running Android 6.0 and above. |
Identity | Using %UserName% will fetch the appropriate user name mapped with the device. You can also specify a user name if you want to distribute this profile to one device. If you distribute a profile by providing a user name to more than one device, then all the devices will try to establish Wi-Fi connectivity with the same user name. |
Anonymous Identity | If you do not want to disclose the user name mapped with the device while establishing the Wi-Fi connection, you can use an anonymous user name. The anonymous user name will use a dummy, anonymous identity to establish the connection. |
CA Certificate (Supported from Android 6.0) | Choose the existing Global Certificate or add a Global certificate to authenticate the device in order to establish the Wi-Fi connectivity. This will work only if the Wi-Fi certificate is configured in the Wi-Fi server. User specific certificates will be supported soon. |
Identity Certificate | Specify the certificate to be used for Certificate-based authentication (CBA). |
Note:
- Ensure the SSID, password and the security type are correctly specified.
- If a device is already connected to a particular Wi-Fi connection, it cannot be re-configured using a Wi-Fi policy.
- If the distributed Wi-Fi configuration isn't working properly, try adding it manually on the Android device to confirm that the configuration is correct. If you're able to add it manually but not through MDM, contact MDM Support (MDM-support@manageengine.com).
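The field dependencies in the Wi-Fi table and the notes above can be checked before a profile is distributed. The lint below is an added example, not part of the original page or of the MDM product; the dictionary keys are hypothetical stand-ins for the table's fields, and the warnings about None/WEP and about an unverified authentication server are added checks.

```python
# Added example: pre-deployment lint for a Wi-Fi profile. The dict keys are
# hypothetical stand-ins for the table's fields, not an MDM export format.
PSK_TYPES = {"WEP", "WPA/WPA2 PSK"}
EAP = "802.1x EAP"
EAP_METHODS = {"PEAP", "TLS", "TTLS"}
EAP_ONLY_FIELDS = ("eap_method", "phase2", "domain_name")


def lint_wifi_profile(profile: dict, device_count: int = 1) -> list:
    """Return findings for one profile; an empty list means nothing was flagged."""
    findings = []
    sec = profile.get("security_type", "None")
    if not profile.get("ssid"):
        findings.append("error: SSID is missing")
    if sec not in PSK_TYPES | {EAP, "None"}:
        findings.append(f"error: unknown security type {sec!r}")
    if sec in PSK_TYPES and not profile.get("password"):
        findings.append(f"error: {sec} needs a password")
    if sec in {"None", "WEP"}:
        findings.append(f"warn: security type {sec} is unencrypted or obsolete")
    if sec == EAP:
        if profile.get("eap_method") not in EAP_METHODS:
            findings.append("error: EAP method must be PEAP, TLS or TTLS")
        if not (profile.get("ca_certificate") and profile.get("domain_name")):
            findings.append("warn: CA certificate or domain name missing, "
                            "so the authentication server is not verified")
        ident = profile.get("identity")
        if ident and ident != "%UserName%" and device_count > 1:
            findings.append("warn: fixed identity shared by every device; "
                            "use %UserName%")
    else:
        for field in EAP_ONLY_FIELDS:
            if profile.get(field):
                findings.append(f"error: {field} applies only to {EAP}")
    return findings


# Constructed sample profiles (not taken from any real deployment).
WEAK = {"ssid": "corp-wifi", "security_type": "802.1x EAP",
        "eap_method": "PEAP", "phase2": "MSCHAPV2", "identity": "jdoe"}
HARDENED = dict(WEAK, identity="%UserName%", domain_name="radius.example.com",
                ca_certificate="corp-root-ca")

if __name__ == "__main__":
    for name, prof in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_wifi_profile(prof, device_count=25))
```
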
VPN
FEATURE | DESCRIPTION |
---|---|
Connection type | Specify the VPN type, to be provisioned on the device. |
Always On VPN | Enabling Always On VPN helps maintain a persistent connection between the managed devices and their organizational network, without the need for the users to manually connect to the VPN every time. |
Note:
The selected VPN app needs to be added to the App Repository and set up using Managed App Configuration.
Certificate
The managed device must have a passcode set for a certificate to be installed on the device.
Profile Specification | Description |
---|---|
Certificate File | The file to be pushed to the managed devices |
Password | This optional parameter must be entered if the certificate is password protected |
- The certificates are added only if the certificate files are not corrupt and the correct password is provided in case of password-protected certificates.
- On certificate expiry, upload the renewed certificate as a new certificate in the profile and then push it to the managed devices.