Hexnode policy management – General FAQs
- 1. Can a user revoke the passcode policy forced on the mobile device through an MDM?
- 2. What is the Grace period for device lock and Auto lock for device?
- 3. Can you restrict a user from changing the date and time settings on an iOS device using an UEM?
- 4. How can you restrict the Settings app on a managed device?
- 5. How can you distribute contacts to an iOS device using Hexnode UEM?
- 6. What are the advantages of pre-configuring Wi-Fi, email and other settings in Hexnode UEM?
- 7. How to put the phone/dialer app in Android kiosk mode?
- 8. How does the Restrictions policy work on an iOS device?
- 9. Can I deploy different policies as different profiles?
- 10. What will happen if I apply two policies: one restricting a particular function and the other enabling the same function?
1. Can a user revoke the passcode policy forced on the mobile device through an MDM?
A passcode policy forced on the device via Hexnode UEM cannot be revoked by the user. Once a passcode policy is applied on the device, the options to remove the same are disabled on the managed device. The password can only be removed by disenrolling the device, or disassociating the policy.
2. What is the Grace period for device lock and Auto lock for device?
Auto lock locks the device automatically after a specified amount of time. The Grace period for device lock is the time limit before a device can be unlocked without a passcode.
3. Can you restrict a user from changing the date and time settings on an iOS device using an UEM?
The users can be restricted from changing the date and time settings on the iOS devices by enabling the Force Automatic Date and Time restriction under Policies > iOS > Advanced Restrictions > Allow Security and Privacy Settings. This restriction is applicable only to devices running iOS 12 and later. Another possible way is to set the device in single app kiosk mode thus locking the device to a specific app and allowing only those functionalities that are enabled via the Hexnode console.
4. How can you restrict the Settings app on a managed device?
- For iOS devices, it is not possible to disable or hide the Settings app. However, the device can be locked down under Single App Kiosk to restrict the user from accessing the Settings app.
- For Android devices, the users can be prevented from modifying the device settings by disabling Modify Settings restriction under Policies > New Policy > Android > Advanced Restrictions > Allow Settings. This restriction is supported only on Samsung-Knox enabled devices.
- In case of Android Enterprise-enabled devices, the Settings app can be blocked by blacklisting the same via policy.
5. How can you distribute contacts to an iOS device using Hexnode UEM?
Distributing and syncing contacts can be accomplished on managed iOS devices via CardDAV.
6. What are the advantages of pre-configuring Wi-Fi, email and other settings in Hexnode UEM?
Remotely pre-configuring Wi-Fi, VPN, Email, Exchange ActiveSync, and other settings for multi-platform devices using a single management console is highly convenient.
A policy with the required configurations can be simply created by navigating to Policies > New Policy > New Blank Policy. Provide a suitable policy name and set up the required configurations before saving the policy.
These pre-configured policies can be associated with the target entities at any time. The policy can be assigned to users, devices, groups or domains. If a policy is targeted to a group or domain, it will get attached to all the devices owned by the member users. Similarly, if the policy is associated with a user, it will affect all the devices owned by that user.
Hexnode also has a set of pre-configured policies called policy templates. These templates are tailor-made to meet your use cases. You can copy these pre-configured templates to policies and directly associate them with target entities. You can also edit these templates after copying them to policies.
7. How to put the phone/dialer app in Android kiosk mode?
To lock the phone/contacts/dialer app in kiosk mode, add the app in the single or multi-app kiosk mode. You can also add this app as a background app if you do not want the user to see the app icon on the kiosk home screen. Say, for example, on a mobile kiosk allocated to a taxicab; the driver should only be allowed to call the customers using the device. However, if you have enabled the phone app in the foreground, the driver can utilize this application without any restrictions. When the phone app is locked as a background app, the call can only be initiated if invoked by a foreground app.
To whitelist the app, go to Policies > New Policy > Kiosk Lockdown > Android Kiosk Lockdown > Single App/ Multi App/ Background Apps, configure the policy and associate it with target entities.
Android devices make use of device-specific package names for the apps. For example, com.samsung.android.incallui, com.samsung.android.contacts, com.android.contacts, com.android.dialer, com.android.incallui, etc. So, make sure to whitelist apps with the same package name as that on your device.
8. How does the Restrictions policy work on an iOS device?
The restriction policy applied to a device ensures device security and protection against vulnerable attacks. When multiple policies are applied to the device, the most restrictive one gains higher priority. For example, two policies- one to Disable the Camera and the other to Enable the Camera- are applied on the same device. In such a case, the most restrictive policy will be applied on the device which is “Disable Camera”.
Similarly, if two contradictory policies are pushed to the same device as mentioned below,
- One policy to turn Wi-Fi on & restrict camera usage.
- One policy to turn Wi-Fi on & allow camera usage.
The effectiveness of both the policies will be analysed and applied to the device thus disabling both Wi-Fi and camera.
9. Can I deploy different policies as different profiles?
You can deploy different policies to the devices. However, you cannot determine how the policies are split into profiles. If a policy has settings that apply to both the user and the device, it will be shown under User Profiles and Device Profiles. For example, consider a policy that restricts the device camera, Game Center and includes a Wi-Fi configuration profile. It will be shown under User Profiles and Device Profiles after it is applied to the devices. The Device Profile will contain the settings related to the camera and Wi-Fi profile. The User Profile will show the settings associated with Game Center.
10. What will happen if I apply two policies: one restricting a particular function and the other enabling the same function?
That particular function will be restricted. Hexnode always applies the more restrictive policy among the policies involved. For example, consider a policy that restricts a function (say Function X) and enables a function (say Function Y) and another policy that allows Function X and restricts Function Y. In that case, both functions will be restricted. Hexnode evaluates both the policies and applies the more restrictive setting from both the policies.