
How to configure restrictions on devices enrolled in Android Enterprise?

Configuring restrictions on Android Enterprise enabled devices lets you determine how users can access these devices for enterprise requirements. Restrictions can be applied to devices enrolled in the Android Enterprise program to allow or disallow device functionalities, network connections, app configurations, etc. This helps enterprises manage, restrict and secure BYOD and corporate-owned devices. Which restrictions can be applied depends on the enrollment type: Profile Owner (BYOD) or Device Owner (corporate-owned devices). To configure restrictions for Android Enterprise enabled devices:

  1. Navigate to Policies. Click on New Blank Policy to create a new policy or click on a policy name to edit an existing one.
  2. Name and describe your policy.
  3. Navigate to Android > Restrictions > Basic to set up basic device restrictions.
Note:

  • Basic Restrictions are available with Hexnode UEM Pro plan onwards.
  • Advanced Restrictions are available with Hexnode UEM Enterprise plans onwards.

You’ll have the following restrictions for limiting the functionalities of Android Enterprise enabled devices.

Basic restrictions for Android devices on Hexnode UEM

Restricting Basic Device Functionalities

Allow Device Functionalities
Restrictions Description
Camera

(Device Owner, Profile Owner)

Enable camera on your Android device. Disabling this option prevents access to camera. Allowed by default. On Android 10+ devices, the restriction works only on devices enrolled in Android Enterprise program.
USB file transfer

(Device Owner)

Uncheck the option to disable file transfer via USB.
Safe mode

(Device Owner)

If enabled, users will be prevented from rebooting their devices into safe mode. Note: Android doesn’t support disabling ‘Safe Mode’ on devices running Android 7 and up.
Airplane mode

(Device Owner)

Enable the option to allow users to turn on Airplane mode. Supported on Android 9.0+
Screen Orientation

(Device Owner)

Configure screen orientation for devices. You can make your selection from the following options:
  • Users can choose
  • Auto Rotate
  • Portrait
  • Left
  • Right
  • Invert
Screen Timeout

(Device Owner)

Configure the maximum time until the device screen locks after the user has stopped interacting with it. You can choose to keep the current settings or choose a time from 1, 2, 3, 4, 5, 10, and 15 minutes.

Restricting Network Settings

Allow Network Settings
Restrictions Description
Wi-Fi

(Device Owner, Profile Owner)

Uncheck to disable Wi-Fi on the devices. Note: In legacy Android devices, Wi-Fi turns off automatically while trying to turn it on. On Samsung Knox devices, Wi-Fi gets disabled silently. On Android 10+ devices except Samsung Knox, users will be prompted to turn off Wi-Fi manually. On Android 10+ devices enrolled in Android Enterprise – Profile Owner mode, users will have to open Hexnode app to be prompted to turn off Wi-Fi.
Force Wi-Fi

(Works only when the option Wi-Fi is enabled)

(Device Owner, Profile Owner)

Enabling this option prevents the users from turning the Wi-Fi off. In Samsung Knox devices, users will not be able to turn off the Wi-Fi. In legacy Android devices, even if the users turn off the Wi-Fi, it will be turned back on automatically. On Android 10+ devices, users will be prompted to turn on Wi-Fi manually. On Android 10+ devices enrolled in Android Enterprise – Profile Owner mode, users will have to open the Hexnode app to be prompted to turn on Wi-Fi.
Bluetooth

(Device Owner, Profile Owner)

Unchecking the option prevents the user from turning on Bluetooth. In legacy Android devices, Bluetooth turns off automatically when the user tries to turn it on. By default, the users are allowed to use Bluetooth on their devices.
Force Bluetooth

(Works only when the option Bluetooth is enabled)
(Device Owner, Profile Owner)

Enabling this option prevents the users from turning the Bluetooth off. In Samsung Knox devices, users will not be able to turn off the Bluetooth. In General Android devices, even if the users turn off the Bluetooth, it will be turned back on automatically.
Tethering

(Device Owner)

Tethering allows users to share their data connection with other devices. Disabling this option prevents tethering on the device.
Portable Wi-Fi hotspot

(Device Owner)

The available restrictions for portable Wi-Fi hotspot settings are Users can choose, Always off, Always on.

Note: For the ‘Always on’ option to work, disable ‘Force Wi-Fi’. If the ‘Always on’ option is set, users cannot connect to any Wi-Fi network.

Data Roaming

(Device Owner)

Unchecking this option prevents data roaming over the cellular network. It disallows users from turning on Data Roaming and using mobile data outside their home networks. Data roaming may incur additional charges. Data roaming is allowed by default.

Location settings

Allow Location Settings
Restrictions Description
GPS

(Device Owner)

Disabling the option prevents the users from turning GPS on/off. GPS is allowed by default.
Force GPS to fetch location

(Device Owner (Android 9.0+))

Enabling this option enforces GPS to be always ON preventing the users from turning it OFF. Location services are forced by default.
Note:


This option can only be enabled if the GPS option is checked.

Sync Settings

Allow Sync Settings
Restrictions Description
Backup service

(Device Owner)

Disabling the option prevents the user’s data from being backed up to or restored from Google Drive.

Backup service is disabled by default.
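
The dependencies and enrollment-mode limits listed for the basic restrictions above can be checked before a policy is associated with devices. The following is an added example, not Hexnode code or its policy format: the dictionary keys, the `DO`/`PO` mode labels and the `always_on` value are hypothetical names, and an option missing from the policy is assumed to be enabled.

```python
# Added example: constraints transcribed from the Basic restrictions tables above.
# The dict-based policy format and every key name here are hypothetical.

# restriction -> enrollment modes (DO = Device Owner, PO = Profile Owner)
MODES = {
    "camera": {"DO", "PO"}, "usb_file_transfer": {"DO"}, "airplane_mode": {"DO"},
    "wifi": {"DO", "PO"}, "force_wifi": {"DO", "PO"},
    "bluetooth": {"DO", "PO"}, "force_bluetooth": {"DO", "PO"},
    "tethering": {"DO"}, "hotspot": {"DO"}, "data_roaming": {"DO"},
    "gps": {"DO"}, "force_gps": {"DO"}, "backup_service": {"DO"},
}
# restriction -> minimum Android major version stated in the tables
MIN_ANDROID = {"airplane_mode": 9, "force_gps": 9}
# "force" option -> option that must be enabled for it to work
REQUIRES = {"force_wifi": "wifi", "force_bluetooth": "bluetooth", "force_gps": "gps"}


def lint_policy(policy, mode, android_version):
    """Return a list of findings for a planned policy on one device class."""
    findings = []
    for key, value in policy.items():
        if key not in MODES:
            findings.append(f"{key}: not covered by this check")
            continue
        if mode not in MODES[key]:
            findings.append(f"{key}: not applied in {mode} mode")
        if android_version < MIN_ANDROID.get(key, 0):
            findings.append(f"{key}: needs Android {MIN_ANDROID[key]}.0+")
        parent = REQUIRES.get(key)
        # Assumption: an option absent from the policy counts as enabled.
        if parent and value and not policy.get(parent, True):
            findings.append(f"{key}: works only when {parent} is enabled")
    # Hotspot 'Always on' needs 'Force Wi-Fi' disabled (note in the hotspot row).
    if policy.get("hotspot") == "always_on" and policy.get("force_wifi"):
        findings.append("hotspot: 'always_on' requires force_wifi to be disabled")
    return findings


# Constructed sample policy, not exported from any console.
SAMPLE_POLICY = {
    "wifi": False, "force_wifi": True,
    "hotspot": "always_on", "usb_file_transfer": False,
    "gps": True, "force_gps": True,
}

if __name__ == "__main__":
    for mode, version in (("PO", 8), ("DO", 10)):
        print(f"--- {mode}, Android {version}")
        for finding in lint_policy(SAMPLE_POLICY, mode, version):
            print(finding)
```
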


Choose Advanced from “Policies > Android > Restrictions” to set up additional restrictions for your Android Enterprise enabled devices.
Advanced restrictions for Android devices on Hexnode UEM

Restricting advanced device functionalities

Allow Device Functionalities
Restrictions Description
Microphone

(Device Owner, Profile Owner)

If this option is unchecked, the microphone will be disabled. It prevents unmuting, and adjusting microphone volume while using any third-party apps, except phone calls.
Screen capture

(Device Owner, Profile Owner)

Uncheck this option to disallow users from capturing a screenshot directly from their device or from Android Studio. In Profile Owner mode, screen capture is blocked only for those apps within the container.
Copy contents between normal and work profiles

(Profile Owner)

If disabled, users will not be allowed to copy contents between normal profile apps and work profile apps.
Users can adjust volume

(Device Owner, Profile Owner (Android 6.0+))

Unchecking this option prevents the users from adjusting device volume and also mutes the master volume on their devices even for the remote ring action.
Make a call

(Device Owner)

Allow users to make calls from their devices. Disabling this option prevents outgoing calls from the devices.
Allow input methods

(Device Owner, Profile Owner (Android 10.0+))

Enabling this option allows all input methods, including third-party input apps. Disabling this option would allow only the system input methods. Enabling specific third-party input apps is also possible by specifying their package names in this restriction. If specific package names are mentioned in the associated policy, the user won’t be able to enable additional third-party input apps later on the device.
Note:


Ensure third-party input apps are installed on the device before associating the policy and provide the correct package name in the restriction. Follow these steps in Hexnode UEM to obtain the correct package name. Also, note that if a third-party input method is already enabled on the device via device settings manually, but a different app’s package name is added in the policy, the policy won’t disable the previously enabled input method.

Display Settings

Display Settings
Restrictions Description
Hide Status Bar

(Device Owner)

Hides the status bar (notification icons, network signal bar, time etc.) at the top of the handset screen. Hiding the status bar will deny access to the notifications bar and the quick settings tray. The status bar is shown by default.
Display dialogs/windows

(Device Owner)

Block the dialogs/windows prompt on your Android Enterprise enabled devices by unchecking this option. It blocks the system overlays, alerts, errors, toast messages, incoming/outgoing calls, application overlays, Hexnode’s password prompt, broadcast message alerts, and floating kiosk peripheral settings icon.

Advanced Security options

Security Options
Restrictions Description
Setup Private DNS

(Device Owner (Android 10.0+))

Setup private DNS to encrypt DNS queries with TLS for improved security. The available options for setting up private DNS are Automatic and Private DNS provider hostname. The option Automatic is chosen by default if Setup Private DNS is enabled.
Note:

If the option Private DNS provider hostname is chosen, then the DNS server’s address should be specified.

Allow user modification of Private DNS settings

Disabling this option will prevent the user from modifying the private DNS settings on the device end. This option is checked by default.

Connectivity Settings

Allow Connectivity Settings
Restrictions Description
Beam from the device

(Device Owner, Profile Owner)

Specifies if the user can use Near Field Communication (NFC) technology to beam out data from apps. Unchecking this option prevents using NFC to share data between devices.
Transfer data via Bluetooth

(Device Owner, Profile Owner)

Enable the option to allow the device to transfer data over Bluetooth. Since Android Beam transfers data over a Bluetooth connection, turning this option off will also affect Android Beam transfers. Allowed by default.
Configure Bluetooth

(Device Owner)

Disabling the option prevents users from configuring Bluetooth and pairing with other devices.
Configure cell broadcast

(Device Owner)

Disallow users to turn on/off cell broadcasts on their devices by disabling the option.
Configure cellular network

(Device Owner, Profile Owner)

Unchecking this option prevents users from configuring mobile network settings like Preferred Network Types, and Access Points on their devices.
Users can reset network settings

(Device Owner)

Allow/disallow users to reset network settings on their devices. Enabling this option allows users to reset current cellular and Wi-Fi settings, VPN settings, Wi-Fi passwords, Bluetooth and so on. Disabling this option prevents users from resetting network settings on their devices.
Note: This feature works for Android devices running version 6 and above.
Configure Wi-Fi

(Device Owner, Profile Owner)

Unchecking this option prevents users from creating or changing any Wi-Fi configurations.
Configure hotspot and tethering

(Device Owner)

If this option is disabled, users cannot configure portable hotspot and tethering on their devices.

Allow Account Settings
Restrictions Description
SMS
Receive Messages
Send Messages

(Device Owner)

If enabled, the device can send/receive all text messages sent to its user. Allowed by default. Blocking this feature will restrict the users from sending/receiving text messages to/from their devices.
Modify Accounts/Users

(Device Owner, Profile Owner)

Allow users to add, delete and switch between Google accounts. Uncheck the option to disallow users to modify accounts and users.
Configure user credentials

(Device Owner, Profile Owner)

Users will not be able to install/remove credentials (certificates) when this option is unchecked.

Other Device Settings

Allow Settings
Restrictions Description
USB debugging

(Device Owner)

If enabled, users can use the debugging feature on their devices. If disallowed, users will not be able to turn it on/off.
Users can enable location sharing

(Device Owner, Profile Owner)

This option allows users to enable real-time location sharing with others. If this option is unchecked, users can’t enable location sharing.
Factory reset

(Device Owner)

Unchecking this option will prevent users from performing a factory reset from the device settings. Allowed by default.
Note:


Users would still be able to factory reset the device using hardware keys.

Read any connected physical external media

(Device Owner, Profile Owner)

If disabled, users will not be allowed to mount external physical media on their devices.
Update date and time automatically

(Device Owner)

If enabled, the device fetches date, time, and time zone automatically from the network. Disabling the option prevents users from changing the date or time on the device manually.
Set time zone automatically

(Device Owner)

Allow users to choose whether the device can update the time zone automatically from the network.
Configure VPN

(Device Owner, Profile Owner(Android 6.0+))

Allow/Disallow users to configure VPNs on their devices. When disabled, network and data usage restrictions set under Android > Mobile Data Management won’t work.

App based restrictions

Allow App Settings
Restrictions Description
Install apps

(Device Owner, Profile Owner)

Disabling this option will block any apps from installing on the device.
Uninstall apps

(Device Owner, Profile Owner)

To disallow a user from uninstalling any apps from the device, disable this option.
Control apps

(Device Owner, Profile Owner)

Enabling this option allows users to modify applications in Settings or launchers. If this option is disabled, users can’t uninstall apps, disable apps, clear app data and cache, force stop apps, clear app defaults and so on.
Verify apps before install

(Device Owner, Profile Owner)

Enabling this option allows Google to verify the app content for any harmful behaviour before installation begins. If disallowed, Google app verification before installation will be prevented.
Install apps from unknown sources

(Device Owner, Profile Owner)

Allow this option to enable users to turn on/off unknown sources option on their device. Disabling it will restrict users from turning on this option and hence blocks app installation from unknown sources.
Note:


App installation and updates initiated from the Hexnode portal will remain unaffected.

App Runtime Permissions

(Device Owner, Profile Owner)

Set runtime permissions for apps. You can grant or deny specific permissions, or set default permissions for the app.
Parent profile app linking

(Device Owner, Profile Owner)

Disabling this option prevents apps in the parent profile from handling web links from the managed profile.
Note: This feature works for Android devices running version 6 and above.
Allow cross-profile app communication

(Profile Owner (Android 11.0+))

Enable this option to allow data sharing between the personal and work profiles. However, the user must enable cross-profile data sharing option within the app settings on the device manually. If unchecked, the option to enable cross-profile communication within the app settings will be unavailable to the user.
Note:

Make sure the app is installed in both profiles and the correct package name is provided in the restriction. Follow these steps in Hexnode UEM to obtain the correct package name. Also, note that this restriction only applies to apps that support cross-profile communication.

Factory Reset Protection

Factory Reset Protection
Restrictions Description
Factory Reset Protection (Google Account Verification)

(Device Owner)

FRP requires login using the Google account previously set on the device if the device gets reset to factory settings. You can enable/disable FRP or choose default settings. When enabled, you can add a G Suite email address and Google+ profile ID to log into your devices in situations where you forget/don’t know the previously configured Google account credentials (More info.)

Steps to fetch the package name of an application

To configure the restrictions Allow cross-profile app communication and Allow input methods, you must include the correct app package names in the restriction. If these package names are provided incorrectly, the restriction may not function as expected. There are two ways to fetch the correct app package name within Hexnode UEM; follow the steps of either method below.

Method 1

  1. Navigate to the Apps tab.
  2. If the application is not yet added to the app inventory, first add the app to the app inventory.
  3. If it’s already added, search for the app for which you must specify the package name in the restriction.
  4. Ensure that the app’s platform is Android, as the same app may be available for multiple platforms.
  5. Click on the app to access detailed information about it.
  6. In the list of available details, the package name will be listed as the Identifier. Use this as the package name within the restriction.

Method 2

  1. If the application is already installed on the device, navigate to the Manage tab > Devices > Select the device to view the complete device management details.
  2. Within the device details page, navigate to the Applications tab.
  3. Now, ensure that the Identifier column is available. If the column is not present, you can add it by editing the columns available in the table.
  4. Next, search for the application and copy the identifier from the column for use in the policy.

Associate Restrictions with Android Enterprise enabled devices

Once you have set up your policy, you need to associate your policy with target devices.

If you haven’t saved your policy,

  1. Navigate to Policy Targets and click on +Add devices to add the devices you wish to associate the policy to.
  2. Click Save.

If you have saved your policy,

  1. Navigate to Manage > Devices.
  2. Select the devices and click on Actions > Associate Policy to associate the policy with target devices.

OR

  1. Navigate to “Policies”.
  2. Search and select the policy you wish to associate with the devices.
  3. Click Manage > Associate Targets.
  4. Select the devices you wish to associate the policy to. You can also associate the policy with device groups, users, user groups and even domains.
  5. Click on Associate.