
How to restrict Android Enterprise enabled devices

Configuring restrictions for Android Enterprise devices determines how users can access these devices for enterprise requirements. Restrictions can be applied to devices enrolled in the Android Enterprise program to allow or disallow device functionalities, network connections, app configurations, etc. This helps enterprises manage BYOD and corporate-owned devices. Which restrictions can be applied depends on the enrollment type: Profile Owner (BYOD) or Device Owner (corporate-owned devices). To configure restrictions for Android Enterprise enabled devices:

  1. Navigate to Policies. Click on New Blank Policy to create a new policy or click on a policy name to edit an existing one.
  2. Name and describe your policy.
  3. Choose Restrictions from Android to set up basic device restrictions.
    Restricting Basic Device Functionalities

    Allow Device Functionalities
    Restrictions Description
    Camera (Device Owner, Profile Owner) Enable camera on your Android device. Disabling this option prevents access to camera. Allowed by default. On Android 10+ devices, the restriction works only on devices enrolled in Android Enterprise program.
    USB file transfer (Device Owner) Uncheck the option to disable file transfer via USB.
    Safe mode (Device Owner) If enabled, users will be prevented from rebooting their devices into safe mode. Note: Android doesn’t support disabling ‘Safe Mode’ on devices running Android 7 and up.
    Airplane mode (Device Owner) Enable the option to allow users to turn on Airplane mode. Supported on Android 9.0+
    Screen Orientation (Device Owner) Configure screen orientation for devices. You can make your selection from the following options:
    • Users can choose
    • Auto Rotate
    • Portrait
    • Left
    • Right
    • Invert
    Screen Timeout (Device Owner) Configure the maximum time until the device screen locks after the user has stopped interacting with it. You can choose to keep the current settings or choose a time from 1, 2, 3, 4, 5, 10, and 15 minutes.

    Restricting Network Settings

    Allow Network Settings
    Restrictions Description
    Wi-Fi (Device Owner, Profile Owner) Uncheck to disable Wi-Fi on the devices. Note: In legacy Android devices, Wi-Fi turns off automatically while trying to turn it on. On Samsung Knox devices, Wi-Fi gets disabled silently. On Android 10+ devices except Samsung Knox, users will be prompted to turn off Wi-Fi manually. On Android 10+ devices enrolled in Android Enterprise – Profile Owner mode, users will have to open Hexnode app to be prompted to turn off Wi-Fi.
    Force Wi-Fi (Works only when the option Wi-Fi is enabled) (Device Owner, Profile Owner) Enabling this option prevents the users from turning the Wi-Fi off. In Samsung Knox devices, users will not be able to turn off the Wi-Fi. In legacy Android devices, even if the users turn off the Wi-Fi, it will be turned back on automatically. On Android 10+ devices, users will be prompted to turn on Wi-Fi manually. On Android 10+ devices enrolled in Android Enterprise – Profile Owner mode, users will have to open the Hexnode app to be prompted to turn on Wi-Fi.
    Bluetooth (Device Owner, Profile Owner) Unchecking the option prevents the user from turning on Bluetooth. In legacy Android devices, Bluetooth turns off automatically when the user tries to turn it on. By default, the users are allowed to use Bluetooth on their devices.
    Force Bluetooth (Works only when the option Bluetooth is enabled)
    (Device Owner, Profile Owner)
    Enabling this option prevents the users from turning the Bluetooth off. In Samsung Knox devices, users will not be able to turn off the Bluetooth. In General Android devices, even if the users turn off the Bluetooth, it will be turned back on automatically.
    Tethering (Device Owner) Tethering allows users to share their data connection with other devices. Disabling this option prevents tethering on the device.
    Portable Wi-Fi hotspot
    (Device Owner)
    The available restrictions for portable Wi-Fi hotspot settings are Users can choose, Always off, Always on.

    Note: For the ‘Always on’ option to work, disable ‘Force Wi-Fi’. If the ‘Always on’ option is set, users cannot connect to any Wi-Fi network.

    Data Roaming (Device Owner) Unchecking this option prevents data roaming over the cellular network. It disallows users from turning on Data Roaming and using mobile data outside their home networks. Data roaming may incur additional charges. Data roaming is allowed by default.

    Restricting Sync Settings

    Allow Sync Settings
    Restrictions Description
    Backup service (Device Owner) Disabling the option prevents the user’s data from being backed up to or restored from Google Drive.

    Backup service is disabled by default.


    Choose Advanced Restrictions from Android Settings to set up additional restrictions for your Android device.

    Restricting advanced device functionalities

    Allow Device Functionalities
    Restrictions Description
    Microphone (Device Owner, Profile Owner) If this option is unchecked, the microphone will be disabled. It prevents unmuting and adjusting the microphone volume while using any third-party apps, except phone calls.
    Screen capture (Device Owner, Profile Owner) Uncheck this option to disallow users from capturing a screenshot directly from their device or from Android Studio. In Profile Owner mode, screen capture is blocked only for those apps within the container.
    Copy contents between normal and work profiles (Profile Owner) If disabled, users will not be allowed to copy contents between normal profile apps and work profile apps.
    Users can adjust volume (Device Owner, Profile Owner (Android 6.0+)) Unchecking this option prevents the users from adjusting device volume and also mutes the master volume on their devices even for the remote ring action.
    Make a call (Device Owner) Allow users to make calls from their devices. Disabling this option prevents outgoing calls from the devices.

    Restricting Display Settings

    Display Settings
    Restrictions Description
    Hide Status Bar (Device Owner) Hides the status bar (notification icons, network signal bar, time etc.) at the top of the handset screen. Hiding the status bar will deny access to the notifications bar and the quick settings tray. The status bar is shown by default.
    Display dialogs/windows
    (Device Owner)
    Block the dialogs/windows prompt on your Android Enterprise enabled devices by unchecking this option. It blocks the system overlays, alerts, errors, toast messages, incoming/outgoing calls, application overlays, Hexnode’s password prompt, broadcast message alerts, and floating kiosk peripheral settings icon.

    Restricting Connectivity Settings

    Allow Connectivity Settings
    Restrictions Description
    Beam from the device (Device Owner, Profile Owner) Specifies if the user can use Near Field Communication (NFC) technology to beam out data from apps. Unchecking this option prevents using NFC to share data between devices.
    Transfer data via Bluetooth (Device Owner, Profile Owner) Enable the option to allow the device to transfer data over Bluetooth. Since Android Beam transfers data over a Bluetooth connection, turning this option off will also affect Android Beam transfers. Allowed by default.
    Configure Bluetooth (Device Owner) Disabling the option prevents users from configuring Bluetooth and pairing with other devices.
    Configure cell broadcast (Device Owner) Disable the option to prevent users from turning cell broadcasts on or off on their devices.
    Configure cellular network (Device Owner, Profile Owner) Unchecking this option prevents users from configuring mobile network settings like Preferred Network Types, and Access Points on their devices.
    Users can reset network settings (Device Owner) Allow/disallow users to reset network settings on their devices. Enabling this option allows users to reset current cellular and Wi-Fi settings, VPN settings, Wi-Fi passwords, Bluetooth and so on. Disabling this option prevents users from resetting network settings on their devices.
    Note: This feature works for Android devices running version 6 and above.
    Configure Wi-Fi (Device Owner, Profile Owner) Unchecking this option prevents users from creating or changing any Wi-Fi configurations.
    Configure hotspot and tethering (Device Owner) If this option is disabled, users cannot configure portable hotspot and tethering on their devices.

    Restricting Account related Settings

    Allow Account Settings
    Restrictions Description
    SMS
    Receive Messages
    Send Messages
    (Device Owner)
    If enabled, the device can send/receive all text messages sent to its user. Allowed by default. Blocking this feature will restrict the users from sending/receiving text messages to/from their devices.
    Modify Accounts/Users
    (Device Owner, Profile Owner)
    Allow users to add, delete and switch between Google accounts. Uncheck the option to prevent users from modifying accounts and users.
    Configure user credentials
    (Device Owner, Profile Owner)
    Users will not be able to install/remove credentials (certificates) when this option is unchecked.

    Restricting Other Device Settings

    Allow Settings
    Restrictions Description
    USB debugging
    (Device Owner)
    If enabled, users can use the debugging feature on their devices. If disallowed, users will not be able to turn it on/off.
    Users can enable location sharing
    (Device Owner, Profile Owner)
    This option allows users to enable real-time location sharing with others. If this option is unchecked, users can’t enable location sharing.
    Factory reset
    (Device Owner)
    Users will not be able to reset their device to factory settings if this option is unchecked.
    Read any connected physical external media
    (Device Owner, Profile Owner)
    If disabled, users will not be allowed to mount external physical media on their devices.
    Update date and time automatically
    (Device Owner)
    If enabled, the device fetches date, time, and time zone automatically from the network. Disabling the option prevents users from changing the date or time on the device manually.
    Set time zone automatically
    (Device Owner)
    Allow users to choose whether the device can update the time zone automatically from the network.
    Configure VPN
    (Device Owner, Profile Owner (Android 6.0+))
    Allow/Disallow users to configure VPNs on their devices. When disabled, network and data usage restrictions set under Android > Mobile Data Management won’t work.

    App based restrictions

    Allow App Settings
    Restrictions Description
    Install apps
    (Device Owner, Profile Owner)
    Disabling this option will block any apps from installing on the device.
    Uninstall apps
    (Device Owner, Profile Owner)
    To disallow a user from uninstalling any apps from the device, disable this option.
    Control apps
    (Device Owner, Profile Owner)
    Enabling this option allows users to modify applications in Settings or launchers. If this option is disabled, users can’t uninstall apps, disable apps, clear app data and cache, force stop apps, clear app defaults and so on.
    Verify apps before install
    (Device Owner, Profile Owner)
    Enabling this option allows Google to verify the app content for any harmful behaviour before installation begins. If disallowed, Google app verification before installation will be prevented.
    Install apps from unknown sources
    (Device Owner, Profile Owner)
    Enable this option to allow users to turn the unknown sources option on or off on their device. Disabling it prevents users from turning on this option and hence blocks app installation from unknown sources.
    App Runtime Permissions
    (Device Owner, Profile Owner)
    Set runtime permissions for an app. You can grant or deny specific permissions, or set default permissions for the app.
    Parent profile app linking
    (Device Owner, Profile Owner)
    Disabling this option prevents apps in the parent profile from handling web links from the managed profile.
    Note: This feature works for Android devices running version 6 and above.

    Factory Reset Protection

    Factory Reset Protection
    Restrictions Description
    Factory Reset Protection (Google Account Verification)
    (Device Owner)
    FRP requires login using the Google account previously set on the device if the device gets reset to factory settings. You can enable/disable FRP or choose default settings. When enabled, you can add a G Suite email address and Google+ profile ID to log into your devices in situations where you forget/don’t know the previously configured Google account credentials.
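
An added example, not Hexnode code: a small Python lint that checks a planned restriction set against the enrollment scope, Android version and dependency notes in the tables above, so that settings which would not take effect on a Profile Owner (BYOD) device are caught before the policy is associated. The setting keys, the policy dictionary layout and the function name are hypothetical, and a dependency that is not set in the policy is assumed to be at a compatible default.

```python
DO, PO = "device_owner", "profile_owner"

# Setting -> {enrollment mode: minimum Android major version}, transcribed from
# the tables on this page. The key names are hypothetical labels, not Hexnode's.
SCOPE = {
    "wifi": {DO: 0, PO: 0}, "force_wifi": {DO: 0, PO: 0},
    "bluetooth": {DO: 0, PO: 0}, "force_bluetooth": {DO: 0, PO: 0},
    "portable_hotspot": {DO: 0}, "airplane_mode": {DO: 9},
    "usb_file_transfer": {DO: 0}, "usb_debugging": {DO: 0},
    "factory_reset": {DO: 0}, "screen_capture": {DO: 0, PO: 0},
    "network_reset": {DO: 6}, "configure_vpn": {DO: 0, PO: 6},
    "install_unknown_sources": {DO: 0, PO: 0},
}

# Dependencies stated on the page: (setting, value, other setting, value it needs, why).
REQUIRES = [
    ("force_wifi", True, "wifi", True,
     "Force Wi-Fi works only when Wi-Fi is enabled"),
    ("force_bluetooth", True, "bluetooth", True,
     "Force Bluetooth works only when Bluetooth is enabled"),
    ("portable_hotspot", "always_on", "force_wifi", False,
     "'Always on' hotspot needs Force Wi-Fi disabled"),
]

# Constructed BYOD policy for illustration (True = allowed/checked).
BYOD_POLICY = {
    "wifi": False, "force_wifi": True,
    "usb_debugging": False, "factory_reset": False,
    "configure_vpn": False, "screen_capture": False,
}

def lint_policy(policy, mode, android_major):
    """Return (setting, problem) pairs for settings that will not behave as intended."""
    findings = []
    for name in policy:
        modes = SCOPE.get(name)
        if modes is None:
            findings.append((name, "not a setting covered by this lint"))
        elif mode not in modes:
            findings.append((name, f"not applied in {mode} mode"))
        elif android_major < modes[mode]:
            findings.append((name, f"needs Android {modes[mode]}+"))
    for name, value, dep, needed, why in REQUIRES:
        # An unset dependency is assumed to already have the needed value.
        if policy.get(name) == value and policy.get(dep, needed) != needed:
            findings.append((name, why))
    return findings
```

Running `lint_policy(BYOD_POLICY, PO, 5)` flags the USB debugging and factory reset entries as Device Owner only, the VPN entry as needing Android 6+, and the Force Wi-Fi entry as conflicting with Wi-Fi being disabled.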

Associate policy with Target devices

Once you have set up your policy, you need to associate your policy with target devices.

If you haven’t saved your policy,

  1. Navigate to Policy Targets and click on +Add devices to add the devices you wish to associate the policy to.
  2. Click Save.

If you have saved your policy,

  1. Navigate to Manage > Devices.
  2. Select the devices and click on Actions > Associate Policy to associate the policy with target devices.

OR

  1. Navigate to Policies.
  2. Search and select the policy you wish to associate with the devices.
  3. Click Manage > Associate Targets.
  4. Select the devices you wish to associate the policy to. You can also associate the policy with device groups, users, user groups and even domains.
  5. Click on Associate.