
How to restrict Android in the Enterprise (Android for Work) enabled devices using Hexnode MDM

Policies allow or restrict access to various features and settings such as basic device settings, display settings, network and connectivity settings, app settings etc. on user devices.
To configure restrictions for Android for Work enabled devices:

  1. Navigate to Policies. Click on New Policy to create a new policy or click on a policy name to edit an existing one.
  2. Name and describe your policy.
  3. Choose Restrictions from Android Settings to set up basic device restrictions.
    Restricting Basic Device Functionalities

    Allow Device Functionalities

    Restrictions Description
    Camera
    (Device Owner, Profile Owner)
    Enable camera on your Android device. Disabling this option will hide the camera icon from the menu and home screen. Allowed by default.
    Safe mode
    (Device Owner, Profile Owner)
    If enabled, allows users to boot their devices into safe mode.
    Note: Android doesn’t support disabling ‘Safe Mode’ on devices running Android 7 and up.
    Screen Orientation
    (Device Owner, Profile Owner)
    Configure screen orientation for devices. You can make your selection from the following options:

    • Users can choose
    • Auto Rotate
    • Portrait
    • Left
    • Right
    • Invert

    Restricting Network Settings

    Allow Network Settings
    Restrictions Description
    Bluetooth
    (Device Owner, Profile Owner)
    Allow/disallow turning Bluetooth on. By default, the users are allowed to use Bluetooth on their devices.
    Force Bluetooth (Works only when the option Bluetooth is enabled)
    (Device Owner, Profile Owner)
    Enabling this option prevents users from turning Bluetooth off. On Samsung Knox devices, users will not be able to turn Bluetooth off. On general Android devices, even if users turn Bluetooth off, it will be turned back on automatically.
    Data Roaming
    (Device Owner)
    Allow users to turn on Data Roaming and use mobile data outside their home networks. Data roaming may incur additional charges. Data roaming is allowed by default.


    Choose Advanced Restrictions from Android Settings to set up additional restrictions for your Android device.

    Restricting advanced device functionalities

    Allow Device Functionalities

    Restrictions Description
    Microphone
    (Device Owner)
    If this option is unchecked, the microphone is disabled in all apps; phone calls are not affected.
    Screen capture
    (Device Owner, Profile Owner)
    Allow/disallow users to capture a screenshot directly from their device or from Android Studio. In profile owner mode, screen capture is blocked only for apps within the container.
    Copy contents between normal and work profiles
    (Profile Owner)
    Allow users to copy contents between user and work profiles.
    Users can adjust volume
    (Device Owner)
    Allow users to adjust volume on their devices.
    Make a call
    (Device Owner)
    Allow users to make calls from their devices.

    Restricting Display Settings

    Display Settings

    Restrictions Description
    Hide Status Bar
    (Device Owner)
    Hides the status bar (notification icons, network signal bar, time etc.) at the top of the handset screen. Hiding the status bar will deny access to the notifications bar and the quick settings tray. The status bar is shown by default.
    Display dialogs/windows
    (Device Owner)
    Block the dialogs/windows prompt on your Android enterprise enabled devices by unchecking this option. It blocks the system overlays, alerts, toast messages, incoming/outgoing calls, application overlays, Hexnode’s password prompt, broadcast message alerts, and floating kiosk peripheral settings icon.

    Restricting Connectivity Settings

    Allow Connectivity Settings

    Restrictions Description
    Beam from the device
    (Device Owner, Profile Owner)
    Specifies if the user can use NFC to beam out data from apps.
    Transfer data via bluetooth
    (Device Owner, Profile Owner)
    Allow the device to transfer data over Bluetooth. Since Android Beam transfers data over a Bluetooth connection, turning this option off will affect Android Beam transfers. Allowed by default.
    Configure Bluetooth
    (Device Owner)
    Allow/Disallow users to configure Bluetooth on their devices.
    Configure cell broadcast
    (Device Owner)
    Allow/Disallow users to turn on/off cell broadcasts on their devices.
    Configure cellular network
    (Device Owner)
    Allow/Disallow users to configure cellular network settings on their devices.
    Users can reset network settings
    (Device Owner, Profile Owner)
    Allow/disallow users to reset network settings on their devices. Enabling this option allows users to reset current cellular and Wi-Fi settings, VPN settings, Wi-Fi passwords and so on.
    Note: This feature works for Android devices running version 6 and above.
    Configure Wi-Fi
    (Device Owner, Profile Owner)
    Allow/Disallow users to configure Wi-Fi on their devices.
    Configure hotspot and tethering
    (Device Owner)
    If this option is enabled, users can configure portable hotspot and tethering on their devices.

    Allow Account Settings

    Restrictions Description
    SMS
    Receive Messages
    Send Messages
    (Device Owner)
    If enabled, the device can send/receive all text messages sent to its user. Allowed by default. Blocking this feature will restrict the users from sending/receiving text messages to/from their devices.
    Modify Accounts/Users
    (Device Owner, Profile Owner)
    Allow users to add, delete and switch between Google accounts.
    Configure user credentials
    (Device Owner, Profile Owner)
    Allow users to configure user credentials.

    Restricting Other Device Settings

    Allow Settings

    Restrictions Description
    USB debugging
    (Device Owner)
    If enabled, allows the Android device to communicate over USB with a PC running the Android SDK.
    Users can enable location sharing
    (Device Owner, Profile Owner)
    This option allows users to enable real time location sharing with others.
    Factory reset
    (Device Owner)
    Allow users to reset their device to factory settings.
    Read any connected physical external media
    (Device Owner, Profile Owner)
    Allow users to connect the devices to external physical media.
    Update date and time automatically
    (Device Owner)
    Allow automatic update of date and time on the device.
    Set time zone automatically
    (Device Owner)
    Allow the device to automatically update the time zone it is in.
    Configure VPN
    (Device Owner, Profile Owner)
    Allow/Disallow users to configure VPNs on their devices.

    App based restrictions

    Allow App Settings

    Restrictions Description
    Install apps
    (Device Owner, Profile Owner)
    Disabling this option blocks the installation of any apps on the device.
    Uninstall apps
    (Device Owner, Profile Owner)
    To disallow a user from uninstalling any apps from the device, disable this option.
    Control apps
    (Device Owner, Profile Owner)
    Enabling this option allows users to modify applications in Settings or launchers. If this option is enabled, users can uninstall apps, disable apps, clear app data and cache, force stop apps, clear app defaults and so on.
    Verify apps before install
    (Device Owner, Profile Owner)
    Enabling this option allows Google to verify the app content for any harmful behavior before installation begins.
    Install apps from unknown sources
    (Device Owner, Profile Owner)
    Enable this option to let users turn the unknown sources option on or off on their device. Disabling it prevents users from turning that option on and blocks installation from unknown sources.
    App Runtime Permissions
    (Device Owner, Profile Owner)
    Set runtime permissions for an app. You can grant or deny specific permissions, or set default permissions for the app.
    Parent profile app linking
    (Device Owner, Profile Owner)
    Allow apps in the parent profile to handle web links from the managed profile.
    Note: This feature works for Android devices running version 6 and above.

    Factory Reset Protection

    Factory Reset Protection
    Restrictions Description
    Factory Reset Protection (Google Account Verification)
    (Device Owner)
    FRP requires login using the Google account previously set on the device if the device gets reset to factory settings. You can enable/disable FRP or choose default settings. When enabled, you can add a G Suite email address and Google+ profile ID to log into your devices in situations where you forget/don’t know the previously configured Google account credentials.

Associate policy to Target devices

Once you have set up your policy, you need to associate your policy to target devices.

If you haven’t saved your policy,

  1. Navigate to Policy Targets and click on +Add devices to add the devices you wish to associate the policy to.
  2. Click Save.

If you have saved your policy,

  1. Navigate to Management > Devices.
  2. Select the devices and click on Manage > Associate Policy to associate the policy to target devices.

OR

  1. Navigate to Policies.
  2. Search and select the policy you wish to associate the devices to.
  3. Click Manage > Associate Targets.
  4. Select the devices you wish to associate the policy to. You can also associate the policy to device groups, users, user groups and even domains.
  5. Click on Associate.
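
Before associating a policy, it helps to check which of its restrictions will actually take effect on each target, since the tables above limit many of them to Device Owner or Profile Owner mode or to certain Android versions. The script below is an added example, not Hexnode code; the setting keys and the policy/device structures are hypothetical, and the support data is transcribed from a subset of the tables above.

```python
DO, PO = "device_owner", "profile_owner"

# setting -> (management modes listed for it above, minimum Android version)
SUPPORT = {
    "camera": ({DO, PO}, None),
    "safe_mode": ({DO, PO}, None),
    "bluetooth": ({DO, PO}, None),
    "force_bluetooth": ({DO, PO}, None),
    "microphone": ({DO}, None),
    "screen_capture": ({DO, PO}, None),
    "copy_between_profiles": ({PO}, None),
    "reset_network_settings": ({DO, PO}, 6),
    "hotspot_tethering": ({DO}, None),
    "usb_debugging": ({DO}, None),
    "factory_reset": ({DO}, None),
    "unknown_sources": ({DO, PO}, None),
}

def ineffective(policy, device):
    """Return {setting: reason} for policy entries that will not apply.

    policy maps setting -> bool (checkbox state in the console);
    device is {"mode": DO or PO, "android": major version}.
    """
    mode, version = device["mode"], device["android"]
    problems = {}
    for name, checked in policy.items():
        if name not in SUPPORT:
            problems[name] = "not in the support table"
            continue
        modes, min_version = SUPPORT[name]
        if mode not in modes:
            problems[name] = f"not supported in {mode} mode"
        elif min_version and version < min_version:
            problems[name] = f"needs Android {min_version} or later"
        elif name == "safe_mode" and not checked and version >= 7:
            problems[name] = "Safe mode cannot be disabled on Android 7 and up"
        elif name == "force_bluetooth" and checked and not policy.get("bluetooth", True):
            problems[name] = "works only when Bluetooth is enabled"
    return problems

# Constructed sample: a hardening policy and two enrolled devices.
POLICY = {"usb_debugging": False, "factory_reset": False, "safe_mode": False,
          "screen_capture": False, "copy_between_profiles": False,
          "bluetooth": False, "force_bluetooth": True}
BYOD = {"mode": PO, "android": 12}
KIOSK = {"mode": DO, "android": 6}

if __name__ == "__main__":
    for label, dev in (("BYOD", BYOD), ("KIOSK", KIOSK)):
        for name, why in ineffective(POLICY, dev).items():
            print(f"{label}: {name}: {why}")
```

On the sample Profile Owner device, the USB debugging and factory reset restrictions are reported as not applied, which is the gap to account for before relying on one policy across mixed enrollments.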