Category Filter

How to set up Android MDM Restrictions?

Restricting device functions and apps prevent unwanted distractions that the users might experience from their work. Not only this help denying access for users, but also for third-party apps from accessing resources and corporate data.

The availability of the restrictions provided here might differ based on the MDM plan you’ve subscribed to, the device make and the operating system the end-user is on. Some of the features listed here are built exclusively for Samsung Knox devices and LG’s GATE (Guarded Access to Enterprise) devices, which are marked alongside the policy listing.

Configuring Restrictions for Android Devices

To configure restrictions for an Android device,

  1. From your Hexnode portal, head on to Policies tab.
  2. Create a new policy by clicking on New Policy button or continue with an existing one.
  3. From Android, choose Restrictions or Advanced Restrictions. These are from where the restrictions can be set up.
Notes:

  • The restrictions under Advanced Restrictions are applicable for Samsung Knox devices. These features will not work on a normal/rooted Android device or a GATE-supported one.
  • Some of these restrictions are also applicable for devices enrolled in Android in the Enterprise(Android for Work) program.
  • Restrictions set for devices enrolled in Profile Owner mode are only applicable for the apps within the work container.

Basic Restrictions

Allow Device Functionality

Device Functions
Restrictions Description Supported Devices
Camera Allow users to access the camera app on the device. Camera usage is allowed by default. Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera, Device Owner, Profile Owner,Generic Android Devices
USB Mass Storage Uncheck to disable access to external mass storage devices. Allowed by default. Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera
USB file transfer Uncheck to block file transfer via USB entirely. Allowed by default. Samsung Knox Standard SDK 2.0 and up, Device Owner
Home button Home button will not work until you turn this option on. Home button can be used by default. Samsung Knox Standard SDK 2.0 and up, Device Owner on Samsung Knox
Power Off Turning this option off will restrict users from turning the device off. By default, it is permitted to turn the device off. Samsung Knox Standard SDK 3.0 and up, Device Owner on Samsung Knox
Safe mode Allow users to boot their devices into safe mode. Booting into safe mode is allowed by default. Samsung Knox 1.0 and up, Device Owner, Profile Owner, Generic Android Devices running versions below 7.0
Airplane mode Allow users to turn airplane mode on. Allowed by default. Samsung Knox 2.0 and up
Lock screen shortcuts Enable this option to allow users to place app icons on the device’s lock screen. This option is enabled by default. Samsung Knox 1.0 and up
Widgets on lock screen Allows the user to add widgets to the lock screen. Allowed by default. Samsung Knox 1.0 and up
Screen Orientation Configure screen orientation for devices. You can make your selection from the following options: · User can choose · Auto-rotate · Portrait · Left · Right · Invert Samsung Knox, LG GATE, Kyocera, Generic Android Devices, Device Owner
Screen Timeout Configure screen timeout for devices. Choose between – Never, Keep Current Settings, or set a time between 1-5, 10 or 15 minutes. Samsung Knox, LG GATE, Kyocera, Generic Android Devices, Device Owner

Allow Network Settings

Network Restrictions
Restrictions Description Supported Devices
Wi-Fi Uncheck to disable Wi-Fi on the devices.
Note: In standard Android devices, Wi-Fi turns off automatically while trying to turn it on.
Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera, Device Owner, Profile Owner, Generic Android Devices
Force Wi-Fi (Works only when the option Wi-Fi is enabled) Enabling this option prevents the users from turning the Wi-Fi off. In Samsung Knox devices, users will not be able to turn off the Wi-Fi. In General Android devices, even if the users turn off the Wi-Fi, it will be turned back on automatically. Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera, Device Owner, Profile Owner, Generic Android Devices
Bluetooth Allow/disallow turning Bluetooth on. By default, the users are allowed to use Bluetooth on their devices. Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera, Device Owner, Profile Owner, Generic Android Devices
Force Bluetooth (Works only when the option Bluetooth is enabled) Enabling this option prevents the users from turning the bluetooth off. In Samsung Knox devices, users will not be able to turn off the bluetooth. In General Android devices, even if the users turn off the bluetooth, it will be turned back on automatically. Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera, Device Owner, Profile Owner, Generic Android Devices
Mobile data Allow the use of mobile data by enabling this option. Allowed by default. Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera
Tethering Allow users to turn on tethering on their devices. Allowed by default.
USB tethering
(Unable to modify if Tethering is disallowed)
Allow users to share mobile data with other devices via USB. USB tethering is allowed by default. Samsung Knox Standard SDK 2.0 and up
Bluetooth tethering
(Unable to modify if Tethering is disallowed)
Let the users share their mobile data with other devices over Bluetooth. Allowed by default. Samsung Knox Standard SDK 2.0 and up
Portable Wi-Fi hotspot
(Unable to modify if Tethering is disallowed)
Allow/Disallow users to configure Wi-Fi hotspots.
Note:Users cannot connect to any Wi-Fi network if Wi-Fi hotspot is set to’Always On’.
Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera, Device Owner and Generic Android Devices running versions below 8.0,
Data roaming Allow users to turn on Data Roaming and use mobile data outside their home networks. Data roaming may incur additional charges. Data roaming is allowed by default. Samsung Knox Standard SDK 1.0 and up, Device Owner

Allow Location Settings

Location Settings
Restrictions Description Supported Devices
Mock location Allow users to turn on Mock locations which can be enabled from developer options. Enabling Mock location tricks the GPS with a fake location. By default, users are allowed to do so.
Note:

For Device owner mode, unchecking this option completely disables the entire developer options on the device.

LG GATE, Samsung Knox Standard SDK 2.0 and up, Kyocera
Users can turn GPS on/off Allow users to turn GPS on/off. Allowed by default. LG GATE, Samsung Knox Standard SDK 3.0 and up, Kyocera
Force GPS to fetch location Force GPS to be always ON. Users won’t be able to turn it OFF. Location services are forced by default. LG GATE, Samsung Knox, Kyocera.

Allow Sync Settings

Sync Settings
Restrictions Description Supported Devices
Data backup Unchecking this option prevents user’s data from being backed up to or restored from Google drive. Android Enterprise Device Owner.

Security Options

Security Options
Restrictions Description Supported Devices
Allow MDM administration removal Disabling administration for Hexnode MDM app will cause Hexnode MDM to malfunction and enable Force Stop and Uninstall options for Hexnode MDM app. Allowed by default. Samsung Knox Standard SDK 2.0 and up, LG GATE

Advanced Restrictions

Allow Device Functionality

Device Functions
Restrictions Description Supported Devices
Microphone If this option is unchecked, the microphone will be disabled while using any apps except phone calls. Microphone is allowed by default. Samsung Knox Standard SDK 2.0 and up, Device Owner.
Screen capture Allow/disallow users from capturing a screenshot directly from their device or from Android Studio. Allowed by default. Samsung Knox Standard SDK 2.0 and up, Device Owner, Profile Owner
Clipboard When you copy or cut a text on the system, it’ll go to the clipboard for temporary use. The text is pasted directly from the clipboard. So, disabling clipboard will affect the Cut, Copy and Paste options. Copying another piece of text will replace the previous one in the clipboard. Clipboard is enabled by default. Samsung Knox Standard SDK 2.0 and up
Copy contents between normal and work profiles Allow users to copy contents to/from user profile to/from work profile. Profile Owner
Share via other apps Allow users to share files with other apps from “share via” list. Enabled by default. Samsung Knox 1.0 and up
Users can adjust volume Allow users to adjust volume on devices. Enabled by default. Disabling this option mutes the master volume, even for the remote ring action. Device Owner, Profile Owner on devices running Android version 6 and up
Make a call Allow users to make calls on their devices. Enabled by default. Device Owner
USB Host Storage Allow users to connect an external USB device, such as an external hard disk or a flash drive on their devices. If disabled, it blocks all external USB devices (except those specified under the USB Exception list) from connecting to the devices. Enabled by default. Samsung Knox 2.9+
USB Exception list This setting works only if the option ‘USB Host Storage’ is disabled. You can select the type of USB storage devices that can connect to your Android devices. Any USB device classes not specified here will be blocked. The available USB device classes include:
  • Audio: Speaker, microphone, sound card, MIDI
  • CDC Data: Devices used together with USB Communication Device Class (CDC)
  • Communication: Modem, Ethernet adapter, Wi-Fi adapter, RS-232 serial adapter
  • Human Interface Device: Keyboard, mouse, joystick and other human-interface devices (HIDs)
  • Mass Storage: USB Flash drive, memory card reader, digital camera, digital audio player, external drive
  • Miscellaneous: ActiveSync device
  • Still Image: Webcam, Scanner
  • Vendor Specific: Devices that need vendor-specific drivers
  • Wireless Controller: Bluetooth adapter, Microsoft RNDIS
Samsung Knox 2.9+

Display Settings

Display Settings
Restrictions Description Supported Devices
Hide System Bars Hides the system bars – the status bar and the navigation bar. Both are shown by default. Samsung Knox
Hide Status Bar Hides the status bar (notification icons, network signal bar, time etc.) at the top of the handset screen. Hiding the status bar will deny access to the notifications bar and the quick settings tray. The status bar is shown by default. Samsung Knox 1.0 and up
Hide Navigation Bar Hides the on-screen navigation bar with the back, home and recent apps buttons, on Android 4.0+ handsets that don’t have the hardware counterparts for navigating through the system. The navigation bar is shown by default. Samsung Knox 1.0 and up
Split-screen mode Disabling this option restricts the user from accessing the multi-window or split-screen feature on the device. Samsung Knox
Display dialogs/windows Unchecking this option blocks dialogs/windows for system overlays, alerts, toast messages, incoming/outgoing calls, and application overlays. It also blocks Hexnode’s password prompt, broadcast message alerts and floating kiosk peripheral settings icon. Device Owner

Allow Connectivity Options

Connectivity Options
Restrictions Description Supported Devices
NFC If this option is disabled, NFC, Android Beam and S Beam are turned off and users cannot turn them on. NFC is enabled by default. Samsung Knox Standard SDK 2.0 and up
Android Beam Disabling Android Beam will disable S Beam as well. Allowed by default. Samsung Knox 1.0 and up
Beam from the device Specifies if the user can use NFC to beam out data from apps. Allowed by default. Device Owner, Profile Owner
Transfer data via Bluetooth Allow the device to transfer data over Bluetooth. Since Android Beam transfers data over a Bluetooth connection, turning this option off will affect Android Beam transfers. Allowed by default. Samsung Knox Standard SDK 2.0 and up, Device Owner, Profile Owner
Configure Bluetooth Allow users to configure bluetooth on their devices. Device Owner
Configure cell broadcast Enable users to configure cell broadcasts. Allowed by default. Device Owner
Configure cellular network If disabled, restricts users from configuring cellular network settings on their devices. Allowed by default. Device Owner, Profile Owner
Users can reset network settings Allow/disallow users to reset network settings on their devices. Enabling this option allows users to reset current cellular and Wi-Fi settings, VPN settings, Wi-Fi passwords and so on. Allowed by default
Note: This feature works for Android devices running version 6 and above.
Device Owner
Configure Wi-Fi Allow/Disallow users to configure Wi-Fi on their devices. Allowed by default. Device Owner, Profile Owner
Configure hotspot and tethering If this option is enabled, users can configure portable hotspot and tethering on their devices. Allowed by default. Samsung Knox, Device Owner

Note:

Both Android Beam and S Beam identify a device using NFC. Android Beam send files via Bluetooth whereas S Beam will transfer files with WiFi Direct.

Security options

Security options

Minimum Wi-Fi security level on Android – Set a minimum-security level to establish a Wi-fi connection on the device. Open is selected as default.

Warning:

Once the policy gets applied on the device, the current Wi-Fi connection will get disconnected immediately if it has a security level below the minimum level set in the policy.

Security Type Supported Devices
WEP

WPA/WPA2 PSK

EAP- LEAP

EAP-FAST

EAP- PEAP

EAP-TTLS

EAP-TLS

All Samsung Knox versions.
FT- PSK

EAP-PEAP-FT

EAP-PEAP-CCKM

EAP-TTLS-FT

EAP-TTLS-CCKM

EAP-TLS-FT

EAP-TLS-CCKM

Knox 2.4+
EAP-LEAP-FT

EAP-LEAP-CCKM

EAP-FAST-FT

EAP-FAST-CCKM

EAP-PWD

EAP-PWD-FT

EAP-PWD-CCKM

EAP-SIM

EAP-SIM-FT

EAP-SIM-CCKM

EAP-AKA

EAP-AKA-FT

EAP-AKA-CCKM

EAP-AKA’

EAP-AKA’-FT

EAP-AKA’-CCKM

Knox 2.5+

Allow Sync Settings

Limiting Data Sync
Restrictions Description Supported Devices
Sync data in background Unchecking this option prevents the apps from auto-syncing data in the background. Allowed by default. Samsung Knox Standard SDK 2.0 and up
Sync data with Google account This will allow the device to sync data with the user’s Google Account. This includes contact, calendar, emails and everything Google except Play Store apps. Allowed by default. Samsung Knox 2.0 and up

Allow Account Settings

Account Settings
Restrictions Description Supported Devices
SMS Uncheck to disable incoming and outgoing SMS. Samsung Knox Standard SDK 3.0 and up, Device Owner
Receive messages If enabled, the device can retrieve all text messages sent to its user. Allowed by default. Samsung Knox Standard SDK 3.0 and up
Send messages Blocking this feature will restrict the users from sending text messages from their Samsung devices. Allowed by default. Samsung Knox Standard SDK 3.0 and up
Modify Accounts/Users If disabled, restricts users from adding, removing and switching between the users. For Android Enterprise enabled devices, this option allows the users to add, remove or switch between Google Accounts. Allowed by default. Samsung Knox, Device Owner, Profile Owner
Add Users If enabled, allows a user to add other users. Allowed by default. Samsung Knox
Remove Users If enabled, allows a user to delete other users. Allowed by default. Samsung Knox
Configure user credentials Allow users to configure user credentials. Device Owner, Profile Owner

Allow Settings

Restrict Device Settings Modification
Restrictions Description Supported Devices
Developer mode Unchecking this option will disable developer mode. This will reset any manually-configured developer settings. Allowed by default. Samsung Knox 2.0 and up
USB debugging
(If Developer mode is enabled)
Allow/disallow users to turn on USB Debugging. Allowed by default. Samsung Knox Standard SDK 2.0, Device Owner
Modify settings Disabling this option blocks all future changes to the device settings, until this option is turned back on. By default, Settings can be modified. Samsung Knox Standard SDK 2.0 and up
Power saving mode Allows users to turn power saver on. Power saver mode will reduce battery draining by restricting background data and location services, reducing brightness and disabling UI animations. Allowed by default. Samsung Knox 2.8 and up
Users can enable location sharing This option allows users to enable real time location sharing with others. Allowed by default. Device Owner, Profile Owner
Factory reset Allow users to reset their device to factory settings. Samsung Knox Standard SDK 2.0, Device Owner
Read any connected physical external media Allow users to connect the devices to external physical media. Allowed by default. Device Owner, Profile Owner
Update date and time automatically Allow automatic update of date and time on the device.Allowed by default. Device Owner
Set time zone automatically Allows to automatically update the time zone the device is in. Allowed by default. Device Owner
Disable screen lock if the screen was turned off If this option is enabled, you will not be asked to unlock your screen, usually with a pin or password, each time you turn on your device.Disabled by default. Samsung Knox 2.0 and up
Configure VPN Allows users to configure VPN. When disabled, network and data usage restrictions set under Android > Mobile Data Management won’t work. Samsung Knox Standard SDK 2.2 and up, Device Owner, Profile Owner(6.0 and above)
Automatically power off a device when USB is detached Enable this option to power off a device whenever a USB is detached from it. This will not work if ‘Power Off’ under Policy > Android > Restriction is disabled.
Notes:


This option works only if:

  • A KPE Premium license key is attached to the devices. Head on to General Settings > Knox Platform for Enterprise > Configure to select the key already added to the portal.
  • The ‘Power Off’ option under Policy > Android > Restrictions is enabled.

Samsung Knox 2.8+
Automatically power on a device when USB is connected Check this option to automatically turn on the device when a USB is connected.
Note:


This option works only if:

  • A KPE Premium license key is attached to the devices. Head on to General Settings > Knox Platform for Enterprise > Configure to select the key already added to the portal.

Samsung Knox 2.6+

Allow App Settings

App-based Restrictions
Restrictions Description Supported Devices
Install apps Disabling this option will block any apps from installing on the device. Allowed by default. Samsung Knox Standard SDK 2.0, Device Owner, Profile Owner
Uninstall apps To disallow a user from uninstalling any apps from the device, disable this option. Allowed by default. Samsung Knox Standard SDK 2.2, Device Owner, Profile Owner
Control apps Enabling this option allows users to modify applications in Settings or launchers. If this option is enabled, users can uninstall apps, disable apps, clear app data and cache, force stopping apps, clear app defaults and so on. Device Owner, Profile Owner
Google Play Store Unchecking this option will hide Google Play Store’s icon from the user’s device. Allowed by default. Samsung Knox Standard SDK 2.0 and up
Verify apps before install  If disallowed, it prevents app verification before installation.Enabling this option allows Google to verify the app content for any harmful behaviour before installation begins. Device Owner, Profile Owner
Install apps from unknown sources If allowed, it enables the users to install apps from Play Store and other sources. Samsung Knox Standard SDK 2.0, Device Owner, Profile Owner
App Runtime Permissions Set runtime permissions for app. You can grant, deny specific permissions or set default permissions for the app. Device Owner, Profile Owner
Parent profile app linking Allow apps in the parent profile to handle web links from managed profile.
Note: This feature works for Android devices running version 6 and above.
Device Owner, Profile Owner

Factory Reset Protection (Google Account Verification)

Google Factory Reset Protection (FRP) is a security feature enabled by default on devices running Android v5.1+, designed to prevent the use of devices if it gets reset to factory settings without your permission. If you have a Google account set on your device and your device is reset, the device remains unusable until you log in using the Google account previously set on your device.
Default’ option takes the default device settings for FRP.
Bypass Factory Reset Protection‘ enforces the Google account verification step. Add G Suite email address and/or Google Plus Profile IDs to log in to your devices in situations where you forget/do not know the previously configured Google account credentials. Integrate your G Suite account with the Hexnode MDM server to add the accounts to the list.
Disable Factory Reset Protection‘ lets you skip the Google account verification step. When asked to enter the Google account credentials, the user can skip the verification by clicking SKIP.

How to Apply the Restrictions to Devices/Groups?

If you haven’t saved the policy yet,

  1. Proceed to the Policy Targets.
  2. Click on + Add Devices, search and select all devices to which the policy is to be applied.
  3. Press OK button to finish adding devices.

Missed a device? No worries. Click on + Add Devices again and you can add more of them.

To associate the policies to a device group instead, select Device Groups from the left pane under Policy Targets, and follow the above instructions. You can associate the policy to users or user groups from the same pane.

If you’ve saved the policy and you’re taken to the page which displays the policy list,

  1. Check a policy.
  2. From Manage, select Associate Targets.
  3. Add as many devices as you need.