Android Enterprise Policy Settings Overview

This article will explain all of the native Android Enterprise policy settings available for use on Mambo. These settings can enable or disable features, enforce device security, install and run applications, configure network settings, and more.

Android Enterprise Management Types #

At its core, Android Enterprise offers three management (solution) types:

  • Work Profile: solution set intended for employee-owned devices (often referred to as BYOD) or company-owned devices used for work and personal use.
  • Fully Managed: solution set intended for company-owned devices.
  • Dedicated: solution set for company-owned devices that fulfill a single-use case such as digital signage, kiosk, or payment terminal.

For the purpose of this article, we will focus on Android Enterprise fully managed, dedicated, and corporate-owned work profile devices.

Note: not every setting is supported by every Android Enterprise management type.

Policy Components #

General #

  • The device will remain always on in these charging modes: the charging modes (power sources the device is plugged into) for which the device stays awake. When using this setting, it is recommended to clear Time before device is locked for no activity so that the device does not lock itself while it is kept awake.
  • Enable changing device volume: when disabled, prevents users from changing the device’s volume and also mutes the device’s master volume.

Note: some devices and OS versions may still allow the volume to be changed from the device’s own settings.

  • Microphone will always be turned off on device: the device’s microphone will be disabled.
  • Enable the easter egg in settings: whether the user is allowed to have fun (the Easter egg game in Settings).
  • Require automatic setting of device time: prevents users from manually setting the date and time. If Automatic time, date, and time zone is used, this setting is ignored.
  • Skip tutorials for system apps: apps will skip the user tutorial and other introductory hints on first start-up.
  • Automatic time, date and time zone: the date and time of the device will be configured automatically. Users will not be able to manually set the date or time.
    • Default
    • Manual
    • Enforced
  • Update system: controls how OS updates are applied.
    • Default
    • Automatic
    • On selected schedule
    • Postpone
  • Message displayed on device lock screen: the device owner information to be shown on the lock screen.
  • Add custom message for selected languages: Custom message for additional languages.
  • Freeze periods: an annually repeating time period in which over-the-air (OTA) system updates are postponed to freeze the OS version running on a device. To prevent freezing the device indefinitely, each freeze period must be separated by at least 60 days.
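The 60-day separation rule for freeze periods is easy to get wrong when one period crosses New Year. The following validator is an added example (not Mambo or Google code) that checks a set of annually repeating periods, including the wrap from the last period of one year to the first period of the next; periods are given as constructed (month, day) pairs.

```python
"""Check that annually repeating OTA freeze periods are spaced as required.

Constructed example (not Mambo or Google code): periods are given as
((start_month, start_day), (end_month, end_day)) and repeat every year.
"""
from datetime import date

# A leap year so every month/day combination (including Feb 29) is a valid date;
# the year itself is otherwise ignored because freeze periods repeat annually.
_YEAR = 2024
_DAYS = 366


def _day_of_year(month_day):
    month, day = month_day
    return date(_YEAR, month, day).timetuple().tm_yday


def _span(period):
    """Return (start, end) as day-of-year numbers; a period crossing New Year
    (e.g. Dec 15 to Jan 10) gets its end shifted into the following year."""
    start, end = _day_of_year(period[0]), _day_of_year(period[1])
    if end < start:
        end += _DAYS
    return start, end


def freeze_period_problems(periods, min_gap_days=60):
    """Return a list of human-readable problems; an empty list means the set is valid.

    Each period must be separated from the next one (including the wrap from the
    last period of one year to the first period of the next) by at least
    `min_gap_days` calendar days that are not frozen.
    """
    problems = []
    spans = sorted(_span(p) for p in periods)
    for i, (start, end) in enumerate(spans):
        next_start, _ = spans[(i + 1) % len(spans)]
        if i == len(spans) - 1:
            next_start += _DAYS  # the next period is the first one of next year
        free_days = next_start - end - 1  # days strictly between the two periods
        if free_days < 0:
            problems.append(f"period {i} overlaps the following period")
        elif free_days < min_gap_days:
            problems.append(
                f"only {free_days} free days after period {i}; need {min_gap_days}"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample: a year-end freeze plus a spring freeze that starts too soon.
    too_close = [((12, 1), (1, 15)), ((3, 1), (3, 31))]
    print(freeze_period_problems(too_close))  # 45 free days between Jan 15 and Mar 1
    ok = [((12, 1), (1, 15)), ((4, 1), (4, 30))]
    print(freeze_period_problems(ok))  # []
```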

Network #

  • Device WiFi networks: predefined WiFi networks which are saved to the device. The network name, SSID, network security type, and password are all required.
  • Default network proxy configuration on device: when configured, HTTP and HTTPS traffic, including most apps on the device, use the proxy you enter. This proxy setting is only a recommendation; it is possible some apps will not use the proxy.

For more information, please see Android’s setRecommendedGlobalProxy documentation.

    • Host: the hostname or IP address of your proxy server. For example, servername.com or 127.0.0.1.
    • Port: the TCP port number used by your proxy server. For example, 8080.
    • PAC script URL: this is an autoconfiguration script. For example, https://proxy.proxyserver.com/proxy.pac.

For more information, please view this document (opens a non-Social Mobile/Mambo or Google site).

  • Global VPN configuration on device: select a VPN client which supports Always On. Your options are:
    • Cisco AnyConnect
    • F5 Access
    • Palo Alto Networks GlobalProtect
    • Pulse Secure
    • Custom
      • Enter the package name of the application in the Google Play Store.
    • If you’d like, toggle the option to block networking if VPN isn’t connected.

Note: the VPN client you choose must be installed on the device.

  • If using a custom VPN client, you need to do the following for it to be installed on the device:
    • Approve the VPN client app in the Google Play Store
    • Add the application to an “Applications” Policy Component
    • Add that Policy Component to a Policy
    • Sync that policy to your device
  • Default location mode on device: setting to determine device location.
    • Default
    • User Choice: device user can determine the location type.
    • Location enforced: location is enabled and shared.
    • No location: location is disabled, and the device’s location is not tracked.
  • Enable bluetooth contact sharing on device: allows sharing and access to personally owned device contacts from another device, including a car, that is paired using Bluetooth. Enabling this setting may allow certain Bluetooth devices to cache work contacts upon first connection. Disabling this policy after an initial pairing/sync may not remove work contacts from a Bluetooth device.
  • Enable bluetooth configuration on device: shows the Bluetooth control on the Managed Home Screen, and allows users to pair devices over Bluetooth. Enabling this feature also turns on device location.
  • Enable cell broadcast configuration on device: a setting that handles emergency and non-emergency alerts (such as amber, presidential, and severe weather alerts) and presents the information to end-users based on carrier and regional regulations, as well as geolocation.
  • Enable mobile network configuration on device: allows users to configure mobile network-specific settings. For example, a user can opt to prioritize cellular traffic over a 5G network vs. 4G.
  • Enable tethering/hotspot configuration on device: when disabled, prevents users from enabling tethering and portable hotspots on the device.
  • Enable VPN configuration on device: allows users to enable/disable the VPN, as well as configure any VPN settings.
  • Enable WiFi configuration on device: shows the WiFi control on the Managed Home Screen, and allows users to connect the device to different WiFi networks.

Note:

    • Recently, the Managed Home Screen API was updated to be compliant with the Google Play Store requirements. The following changes impact Wi-Fi configuration policies in the Managed Home Screen:
      • Users can’t enable or disable WiFi connections on devices. Users can switch between WiFi networks but can’t turn WiFi on or off.
      • If a WiFi network is password protected, then users must enter the password. After they enter the password, the configured network automatically connects. If they disconnect and then reconnect to the WiFi network, then users may need to enter the password again.
      • On Android 11 devices, when users connect to a network using the Managed Home Screen, they are prompted to consent. This prompt comes from Android and isn’t specific to the Managed Home Screen.
      • On Android 10 devices, when users connect to a network using the Managed Home Screen, a notification prompts them to consent. Users need access to the status bar and notifications to consent. The status bar and notifications are configured in the Kiosk Policy Component.
      • On Android 10 devices, when users connect to a password-protected WiFi network using the Managed Home Screen, they are prompted for the password. If the device is connected to an unstable network, then the WiFi network changes. This behavior happens even when users enter the correct password.
  • Enable network reset setting on device: allows users to reset the network configuration and reconfigure the settings.
  • Enable NFC sending data from apps on device: allows the use of the Near Field Communication (NFC) technology to beam data from apps.
  • Enable outgoing phone calls from device: grants the ability for users to make outbound calls. When disabled, users will be able to receive incoming calls, but outbound calls will be disabled.
  • Enable location sharing from device: allows users to share their geolocation within apps that are installed on the device.
  • Enable outgoing SMS from device: allows users to send outgoing SMS messages. When disabled, users will be able to receive incoming SMS messages, but outbound messages will be disabled.
  • Enable data roaming on device: allows data roaming over the cellular network.
  • Enable bluetooth on device: enables Bluetooth on the device. In order for users to configure Bluetooth settings, Enable Bluetooth configuration on the device must also be enabled.
  • Allow users to temporarily connect to a local WiFi network if no connection found on device boot, only until device policy is updated: allows users to turn on the network escape hatch feature. If a network connection is not established when the device boots, then the escape hatch asks to temporarily connect to a network and refresh the device policy. After applying the policy, the temporary network is forgotten, and the device continues booting. This feature connects devices to a network if:
    • There isn’t a suitable network in the last policy.
    • The device boots into an app in lock task mode.
    • Users are unable to reach the device settings.

Security #

  • Enable USB file transfer to and from device: allows users to transfer files to and from a device.
  • Enable creating windows besides app windows: allows for the following system UI to be displayed on the device’s screen:
    • Toasts: a toast provides simple feedback about an operation in a small popup, usually at the bottom of the screen.
    • Dialer activities: e.g., incoming calls and priority phone activities such as ongoing calls.
    • Android System alerts: any alerts, notifications, or system overlays.
  • Enable changing the device user icon: allows users to set or change their user icon on the device.
  • Enable changing the device wallpaper: allows users to set or change the wallpaper on the device.
  • Short message for functionalities disabled by admin: A short message (less than 200 characters) is displayed to a user in the settings application wherever functionality has been disabled by the admin.

Note: in Mambo, you can select additional languages that will display on devices when those languages are set as the system default language.

  • Long message displayed on device administrators settings: A message typically found in the same place as a short message. When an option for “More Details” appears, the Long Support Message will be displayed.

Note: in Mambo, you can select additional languages that will display on devices when those languages are set as the system default language.

  • Features & actions on lock screen: the lock screen, often called the Keyguard, refers to the idle screen of a device when it is locked. You can configure settings to allow you to block access to the specified features on the device’s lock screen. Those include:
    • Enable camera: allow users to use the camera quick access gesture or camera button.
    • Show notifications: show all system and app notifications.
    • Enable fingerprint unlock: allow users to use their fingerprint to unlock the device.
    • Enable face unlock: allow users to use facial authentication to unlock the device.
    • Enable iris unlock: allow users to use their iris to unlock the device.
      • Allow trust agents on lock screen: Trust Agents, often called Smart Lock, allow users to unlock devices via specific device states, trusted places, biometric scans, trusted devices, etc.
  • Enable remote input (e.g., notification text input): allows users to have access to text entry on the lock screen.
  • Set device encryption policy: allows you to create and enforce an encryption policy on the device for internal and external storage. You can select from the following options:
    • Default
    • Encryption doesn’t require password on boot
    • Encryption requires password on boot
  • Security settings for apps from outside Google Play store: setting to control how non-Google Play Store app installations are handled.
    • Default
    • Don’t allow installation
    • Allow in personal space of a work profile
    • Always allow
  • Handling of Google Play Protect verification: setting to control whether Google Play Protect is enabled. Google Play Protect scans apps installed on devices for malware before and after they are installed, helping to ensure that corporate data can’t be compromised by malicious apps. It will also prevent non-Play Store Apps from remaining on the device. You can select from the following options:
    • Default
    • Enforce
    • User choice
  • Control access to developer settings: setting controls access to and the ability to enable Developer Settings such as Developer Options and Safe Boot. You can select from the following options:
    • Default
    • Disabled
    • Enabled
  • Control of common criteria mode: this setting controls the security standards defined in the Common Criteria for Information Technology Security Evaluation. Enabling Common Criteria Mode strengthens certain security components on a device, including AES-GCM encryption of Bluetooth Long Term Keys and of Wi-Fi configuration stores. You can select from the following options:
    • Default
    • Enabled
    • Disabled

WARNING: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enable this setting if required.

  • Password requirement policies: settings controlling the password requirements for devices. The following options must be configured:
    • Policy scope: whether this password requirement is intended for use on the device, a profile, or both.
    • Time before password reentry is required: the amount of time before a user will need to re-enter their password. You can select from the following options:
      • Custom: a custom amount of time (based on seconds)
      • Device default
    • Password quality: the password parameters and type. You can select from the following options:
      • No requirements: users are not forced to set or use a password to unlock their device.
      • Required, with no restrictions: users can use whatever password type they’d like.
      • Biometric: the device must be secured with a low-security biometric recognition technology, at minimum. This includes technologies that can recognize the identity of an individual that is roughly equivalent to a 3-digit PIN (false detection is less than 1 in 1,000).
      • Numeric: password must contain numeric characters.
      • Numeric without repeats or sequences: the password must contain numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences.
      • Alphabetic: the password must contain alphabetic (or symbol) characters.
      • Alphanumeric: the password must contain both numeric and alphabetic (or symbol) characters.
      • Custom: Create your own password policy.
  • Actions if the device isn’t compliant with policy: a rule that defines the actions to take if a device or work profile is not compliant with the policy setting. After configuring the policy trigger, you can optionally block and/or wipe the device after a specific number of days. You can also choose to preserve factory reset protection.
  • Account types that can’t be managed by the user: Admins can define which account types cannot be configured or managed by device users.
  • Time before device is locked for no activity: the maximum time a user can set until the device locks. For example, if you set this setting to 10 minutes, then users can set the time from 15 seconds up to 10 minutes.
  • Minimum Android API level requirement for installed apps: the minimum version code of the app that may run on the device. If set, the device attempts to update the app to at least this version code. The app must already be published to Google Play with a version code greater than or equal to this value. At most 20 apps may specify a minimum version code per policy.

Note: the Version Code should be entered into the policy, not the App Version.
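The "Numeric without repeats or sequences" password quality above rejects PINs such as 4444, 1234, 4321 and 2468. The check below is an added example (not Mambo or Android code) that generalizes the rule: any run of digits with a constant step between neighbours counts as a sequence (step 0 is a repeat), and runs longer than three digits are rejected. The three-digit run limit and the four-digit minimum length are assumptions, not values from this page.

```python
"""Check a numeric PIN against the 'Numeric without repeats or sequences' quality.

Constructed example (not Mambo or Android code). Assumption: a 'sequence' is any
run of digits where each step differs from the previous by the same amount
(0 for repeats like 4444, +1/-1 for 1234/4321, +2 for 2468); runs longer than
`max_run` digits are rejected, and a minimum length is enforced as well.
"""


def longest_arithmetic_run(pin: str) -> int:
    """Length of the longest run of digits with a constant step between neighbours."""
    if len(pin) < 2:
        return len(pin)
    longest = run = 2
    step = int(pin[1]) - int(pin[0])
    for prev, cur in zip(pin[1:], pin[2:]):
        diff = int(cur) - int(prev)
        if diff == step:
            run += 1          # the run continues with the same step
        else:
            step = diff       # a new run starts with the last two digits
            run = 2
        longest = max(longest, run)
    return longest


def check_numeric_complex_pin(pin: str, min_length: int = 4, max_run: int = 3):
    """Return (ok, reason). Mirrors the policy text: digits only, and no repeating
    or ordered sequence of more than `max_run` digits (assumed limits)."""
    if not pin.isdigit():
        return False, "PIN must contain digits only"
    if len(pin) < min_length:
        return False, f"PIN must be at least {min_length} digits"
    if longest_arithmetic_run(pin) > max_run:
        return False, "PIN contains a repeating or ordered sequence of digits"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample PINs: the first four are the rejected shapes named in the policy.
    for sample in ("4444", "1234", "4321", "2468", "7391", "123789"):
        print(sample, check_numeric_complex_pin(sample))
```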

  • Enable screenshots on device: allows users to take screenshots on the device.
  • Enable camera on device: allows users to have access to and use the device’s camera.
  • Enable adding new users and profiles on device: allows users to add or create new users to a device.
  • Enable factory reset from device settings: allows the device to be factory reset via the Android Settings application.
  • Enable installing apps on device: allows users to install apps from the Google Play Store on the device. These apps are not listed in the Application Component and are installed without policy permission.
  • Enable uninstalling apps on device: allows users to uninstall applications from the device. If applications are required in the Application Component, they cannot be removed by the user.
  • Enable adding and removing accounts on device: allows users to add, remove, and/or make changes to accounts on the device.
  • Enable keyguard on device (Always unlocked): allows the lock screen or Keyguard to be enabled on the device. When this is disabled, the device will boot straight to the desktop, which is ideal for some use cases.
  • Enable user credentials configuration on device: allows users to configure certificates assigned to devices.
  • Enable removing other users on device: allows users to remove other users from the device.
  • Enable mount of physical external media on device: allows users to use external media devices such as SD card or USB storage.
  • Personal usage policies:
    • Enable camera: allows the camera for personal use.
    • Enable screen capture: allows screenshots for personal use.
    • Maximum days work profile can stay off: the maximum number of days which a user can turn off the work profile.
    • Account types that can’t be managed by the user: account types that users can configure on the device. e.g., their personal Google account.

Application #

  • Default policy for Google Play Store: this setting will allow you to whitelist or blacklist applications installed on the device. You can select from the following options:
    • Default: when Default is selected, only whitelisted apps will be used.
    • Only whitelisted apps: only applications listed in the Application Component will be available for use. All other applications will be removed.
    • Block blacklisted apps: apps that are not permitted for use. Any app that should not be on the device should be explicitly marked as ‘Blocked’ in the Application Component. These apps will be removed and blocked on the device.
  • How to handle app permission requests: a setting that defines the default permission policy for requests for runtime permissions. You can select from the following options:
    • Default: the default setting will prompt the user to accept the permission.
    • Prompt device user
    • Always grant permissions
    • Always deny permissions
  • Override individual permission requests: application permissions that are configured for each application. Once you select the permission, you can select from the following grant type options:
    • Default: the default setting will prompt the user to accept the permission.
    • Prompt: will prompt the end-user to grant permissions
    • Grant: will automatically grant permissions
    • Deny: will automatically deny permissions
  • Application-specific policies: settings to configure which applications are installed on the device. You can select individual applications from the Google Play Store or list applications by their package name. Once the application has been added, you can then select the ˅ button to configure additional settings. The following options are available:
    • Application enabled: whether the application is available for use.
    • Install type: the following options are available:
      • Default: unspecified. Defaults to Available.
      • Pre-installed: the app is automatically installed and can be removed by the user.
      • Installed: the app is automatically installed and cannot be removed by the user.
      • Blocked: the app is blocked and cannot be installed. If the app was installed under a previous policy, it will be uninstalled.
      • Available: the app is available for install but it is up to the user to perform the installation.
      • Required for setup: the app is automatically installed, cannot be removed by the user, and prevents setup from completing until installation is complete.
      • Kiosk: the app is automatically installed in kiosk mode. This means that it is set as the preferred home intent and whitelisted for lock task mode. The device setup won’t complete until the app is installed. After installation, users will not be able to remove the app. You can only set this Install Type for one app per policy. When this is present in the policy, the status bar will be automatically disabled.
    • Scopes: additional permissions that you can grant the application.
    • App track IDs: IDs that can be used for analytics or other business needs.
    • Connected work and personal app:
      • Default: the default setting is disallowed.
      • Disallowed: users cannot connect work and personal apps.
      • Allowed: users can connect work and personal apps.
    • Default permission policy:
      • Default: the default setting is prompt.
      • Prompt
      • Grant
      • Deny
    • Auto update mode:
      • Default: the default setting is high priority and apps will update once an update is available.
      • Postponed: app updates will be postponed for 30 days.
      • High Priority: apps will update once an update is available.
    • Minimum app version code: minimum version allowed to be installed on a device. This is often used to force the device to update to a newer version immediately upon the release of an update.
    • Grant permissions:
      • Permission policy: select from the list of available permissions.
      • Grant type: select from the available options.
    • Personal usage policies: control how apps in the personal profile are handled.
      • Default: only whitelisted apps will be allowed for install on the device.
      • Only whitelisted apps: only apps listed in the policy are allowed to be installed. All others will be removed.
      • Block blacklisted apps: allows all apps to be installed, even if they are not explicitly listed in the policy. Only apps listed in the policy and classified as “Blocked” in the “Install Type” setting will be blocked or disabled on the device.
    • Applied to applications on the personal profile: allows admins to force policy settings to personal applications.

Kiosk #

Please note that these additional Kiosk Component settings are only activated when an application in the Applications Component is set to “Kiosk” as the install type. 

  • Replace home screen with a launcher only displaying configured applications: a setting that replaces the home screen with a launcher that locks down the device and displays only the apps listed in the Applications Component. Apps appear on a single page in alphabetical order and the status bar is disabled.
  • Block device actions for kiosks (Example: power button press): additional settings that can be configured when devices are put into kiosk mode.
    • Power Button
      • Default: the default setting is Available.
      • Available
      • Blocked
    • System Errors (Example: App not responding)
      • Default: the default setting is Displayed.
      • Displayed
      • Not displayed
    • System Navigation
      • Allowed
      • Blocked
      • Allow home button only
    • Status Bar
      • Default: the default setting is Enabled.
      • Enabled
      • Disabled
      • Only show system info (Example: Battery)
    • Device Settings
      • Default: the default setting is Enabled.
      • Enabled
      • Disabled

Advanced #

  • Default activity to manage specified intents: A default activity for handling intents that match a particular intent filter.
    • Receiver App: the activity that should be the default intent handler. This should be an Android component name, e.g. android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent.
    • Intent actions: the intent actions to match in the filter. If any actions are included in the filter, then an intent’s action must be one of those values for it to match. If no actions are included, the intent action is ignored.
    • Intent categories: the intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent.
  • Only permit input methods provided by these apps: allows you to configure pre-approved keyboards or input methods.
  • Whitelisted accessibility services by application: allows you to configure pre-approved accessibility services.
  • Whitelisted emails that can use their Google account to factory reset devices: Email addresses of device administrators for factory reset protection. When the device is factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won’t provide factory reset protection.
  • Rule set for automatically selecting a private key and certificate to authenticate device to servers: rules for automatically choosing a private key and certificate to authenticate the device to a server. The rules are ordered by increasing precedence, so if an outgoing request matches more than one rule, the last rule defines which private key to use. The following settings must be configured as well:
    • Outgoing URL request to match: the URL pattern to match against the URL of the outgoing request. The pattern may contain asterisk (*) wildcards. Any URL is matched if unspecified.
    • Key alias: the alias of the private key to be used.
    • Apps subject to this rule: the package names for which outgoing requests are subject to this rule. If no package names are specified, then the rule applies to all packages. For each package name listed, the rule applies to that package and all other packages that share the same Android UID. The SHA256 hash of the signing key signatures of each package name will be verified against those provided by the Google Play Store.
  • Allow device users to select a private key if none match from above rules: allows users to choose a private key alias if there are no matching rules configured in the policy.
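Two of the Advanced settings above are matching rules whose precedence is easy to misread: the intent-filter entry (an intent's action must be one of the filter's actions, and every category the intent carries must be in the filter) and the private key rules (last matching rule wins, with the user-selection fallback). The block below is an added example, not Mambo or Android code, that implements both; it assumes Python's `fnmatchcase` for the `*` wildcard URL pattern and ignores shared UIDs and the Play signature-hash verification that the device performs on top of package matching.

```python
"""Two matching rules from the Advanced section, as a constructed example (not
Mambo or Android code): which intent-filter entry captures an intent, and which
private key alias an outgoing URL request gets. Assumptions: fnmatchcase stands
in for the '*' wildcard URL pattern, and package matching ignores shared UIDs
and the Play signature check that the device performs on top of it.
"""
from fnmatch import fnmatchcase


def intent_filter_matches(intent_filter, intent):
    """intent_filter: {"actions": [...], "categories": [...]};
    intent: {"action": str or None, "categories": [...]}.
    Actions: if the filter lists any, the intent's action must be one of them.
    Categories: every category the intent carries must be in the filter
    (a filter category that the intent does not use is simply ignored)."""
    actions = intent_filter.get("actions", [])
    if actions and intent.get("action") not in actions:
        return False
    return set(intent.get("categories", [])) <= set(intent_filter.get("categories", []))


def default_handlers(entries, intent):
    """Receiver apps whose configured filter captures the intent."""
    return [e["receiver"] for e in entries if intent_filter_matches(e["filter"], intent)]


USER_SELECTS = "user-selects-alias"  # sentinel for the user-choice fallback


def choose_key_alias(rules, url, package, allow_user_selection=False):
    """rules are in increasing precedence: the last matching rule wins.
    Each rule: {"url_pattern": str or None, "key_alias": str, "packages": [...]}.
    An empty/missing url_pattern matches any URL; an empty package list matches
    any app. Returns the alias, USER_SELECTS if nothing matched and the user may
    pick one, or None if the request gets no client certificate."""
    chosen = None
    for rule in rules:
        pattern = rule.get("url_pattern")
        if pattern and not fnmatchcase(url, pattern):
            continue
        packages = rule.get("packages", [])
        if packages and package not in packages:
            continue
        chosen = rule["key_alias"]  # a later match overrides an earlier one
    if chosen is None and allow_user_selection:
        return USER_SELECTS
    return chosen


if __name__ == "__main__":
    # Constructed sample data (package and host names are placeholders).
    entries = [{"receiver": "com.example.browser/.MainActivity",
                "filter": {"actions": ["android.intent.action.VIEW"],
                           "categories": ["android.intent.category.BROWSABLE",
                                          "android.intent.category.DEFAULT"]}}]
    print(default_handlers(entries, {"action": "android.intent.action.VIEW",
                                     "categories": ["android.intent.category.BROWSABLE"]}))
    rules = [{"url_pattern": None, "key_alias": "corp-default", "packages": []},
             {"url_pattern": "https://*.example.com/*", "key_alias": "corp-mtls",
              "packages": ["com.example.mail"]}]
    print(choose_key_alias(rules, "https://mail.example.com/api", "com.example.mail"))
```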

If you need any assistance or if you have any questions, please contact Mambo support at support@mambomobility.com.