How to set up Android MDM Restrictions using Hexnode MDM?

Restricting device functions and apps prevent unwanted distractions that the users might experience from their work. Not only this help denying access for users, but also for third-party apps from accessing resources and corporate data.

The availability of the restrictions provided here might differ based on the MDM plan you’ve subscribed to, the device make and the Operating System the end-user is on. Some of the features listed here are built exclusively for KNOX/SAFE (Samsung for Enterprise) devices and LG’s GATE (Guarded Access to Enterprise) devices, which are marked alongside the policy listing.

How to Configure Restrictions for Android Devices?

To configure restrictions for an Android device,

  1. From your Hexnode MDM portal, head on to Policies tab.
  2. Create a new policy by clicking on New Policy button, or continue with an existing one.
  3. From Android Settings, choose Restrictions or Advanced Restrictions. These are from where the restrictions can be set up.

Note: All restrictions under Advanced Restrictions section are meant for SAFE devices only. These features will not work on a normal/rooted Android device or a GATE-supported one.

Restricing Basic Device Functions

Restrictions Description
Allow use of camera Enable camera on an Android device. Disabling this option will hide the camera icon from the menu and home screen. Camera is enabled by default.
Allow USB Data transfer Allow the device to transfer data to another system via USB (say, to a computer when connected via a USB cable). By default, data transfer via USB can be done.
Allow USB Host Mode Users can connect a portable USB storage device or a card reader to the device’s USB port.
Allowed by default.
Enable Home button
(KNOX 2.0 and up)
Home button will not work until you turn this option on. Home button can be used by default.
Allow Power Off
(KNOX 3.0 and up)
Turning this option off will restrict users from turning the device off. By default, it is permitted to turn the device off.
Allow Safe Mode
(KNOX 4.0 and up)
Allow users to boot their devices into safe mode. Booting into safe mode is allowed by default.
Allow Airplane Mode
(KNOX 4.0 and up)
Allow users to turn airplane mode on. Allowed by default.
Allow Lock screen shortcuts
(KNOX 4.0 and up)
Enable this option to allow users to place app icons on the device’s lock screen. This option is enabled by default.
Allow Lock screen widgets
(KNOX 4.0 and up)
Allows the user to add widgets to the lock screen. Allowed by default.

Network Restrictions

Restrictions Description
Allow WiFi
(GATE devices only)
Disabling this option will block users from turning WiFi on. Allowed by default.
Allow Bluetooth
(GATE devices only)
Allow/disallow turning Bluetooth on. By default, the users are allowed to use Bluetooth on their devices.
Allow Mobile Data
(GATE devices only)
Allow the use of mobile data by enabling this option. Allowed by default.
Allow Tethering
(KNOX 2.0 and up)
Allow users to turn on tethering on their devices. Allowed by default.
Allow USB Tethering
(KNOX 2.0 and up, unable to modify if tethering is disallowed)
Allow users to share mobile data with other devices via USB. USB tethering is allowed by default.
Allow WiFi Tethering
(KNOX 2.0 and up, unable to modify if tethering is disallowed)
Allow/disallow users to share mobile data with other devices over WiFi network. Allowed by default.
Allow Bluetooth Tethering
(KNOX 2.0 and up, unable to modify if tethering is disallowed)
Let the users share their mobile data with other devices over Bluetooth. Allowed by default.

Restricting Basic Device Functions for SAFE Devices

Restrictions Description
Allow Microphone
(KNOX 2.0 and up)
If this option is unchecked, the microphone will be disabled while using any apps except phone calls. Microphone is allowed by default.
Allow Screen Capture
(KNOX 2.0 and up)
Allow/disallow users from capturing a screenshot directly from their device or from Android Studio. Allowed by default.
Allow Clipboard
(KNOX 2.0 and up)
When you copy or cut a text on the system, it’ll go to the clipboard for temporary use. The text is pasted directly from the clipboard. So, disabling clipboard will affect the Cut, Copy and Paste options. Copying another piece of text will replace the previous one in the clipboard. Clipboard is enabled by default.
Allow Share via other apps
(KNOX 4.0 and up)
Allow users to share files with other apps from “share via” list. Enabled by default.

Hiding System Bars on SAFE

Restrictions Description
Modify System Bars Unlocks the options to disable the system bar, including status and navigation bars. Status and navigation bar visibility cannot be modified by default.
Hide Status Bar
(KNOX 4.0 and up, available if system bar modification is enabled)
Hides status bar (notification icons, network signal bar, time etc.). Hiding the status bar will deny access to the notification bar and the buttons to turn WiFi, Location and other options on/off. The status bar is shown by default.
Hide Navigation Bar
(KNOX 4.0 and up, available if system bar modification is enabled)
The navigation bar will be disabled if this option is checked. Navigation bar include back, home and recent apps buttons. By default, the navigation bar is shown.

Setting Up Restrictions on Data Transfer via NFC

Restrictions Description
Allow NFC
(KNOX 2.0 and up)
If this option is disabled, NFC, Android Beam and S Beam are turned off and users cannot turn them on. NFC is enabled by default.
Allow Android Beam
(KNOX 4.0 and up)
Disabling Android Beam will disable S Beam as well. Allowed by default.
Allow Bluetooth Data Transfer Allow the device to transfer data over Bluetooth. Since Android Beam transfers data over a Bluetooth connection, turning this option off will affect Android Beam transfers. Allowed by default.

Note: Both Android Beam and S Beam identify a device using NFC. Android Beam send files via Bluetooth whereas S Beam will transfer files with WiFi Direct.

Limiting Data Sync on SAFE

Restrictions Description
Allow Background Data Disable to stop apps from using data in the background. Allowed by default.
Allow Google Accounts Auto sync
(KNOX 5.0 and up)
This will allow the device to sync data with the user’s Google Account. This includes contact, calendar, emails and everything Google except Play Store apps. Allowed by default.

Blocking Incoming/Outgoing Text Messages

Restrictions Description
Allow Incoming SMS messages
(KNOX 3.0 and up)
If enabled, the device can retrieve all text messages sent to its user. Allowed by default.
Allow Outgoing SMS messages
(KNOX 3.0 and up)
Blocking this feature will restrict the users from sending text messages from their Samsung devices. Allowed by default.

Denying Users to Modify Device Settings

Restrictions Description
Allow Developer Mode
(KNOX 5.0 and up)
Unchecking this option will disable developer mode. This will reset any manually-configured developer settings. Allowed by default.
Allow USB Debugging
(If developer mode is enabled)
Allow/disallow users to turn on USB Debugging. Allowed by default.
Allow Force Close Background Apps Allow users to enable the option to close all background apps when left. This will lift off all the activities related to that app from the memory. This option is disabled by default.
Allow Modify Settings
(KNOX 2.0 and up)
Disabling this option blocks all future changes to the device settings, until this option is turned back on. By default, Settings can be modified.
Allow Power Saving Mode
(KNOX 5.8 and up)
Allows users to turn power saver on. Power saver mode will reduce battery draining by restricting background data and location services, reducing brightness and disabling UI animations. Allowed by default.

Apps-based Restrictions

Restrictions Description
Allow App Install Disabling this option will block any apps from installing on the device. Allowed by default.
Allow App Uninstall To disallow a user from uninstalling any apps from the device, disable this option. Allowed by default.
Allow Google Play Store Unchecking this option will hide Google Play Store’s icon from the user’s device. Allowed by default.

Other Restrictions

Restrictions Description
Allow Mock Locations
(GATE and SAFE only)
Allow users to turn GPS on/off. By default, users are allowed to do so.
Allow GPS Location
(GATE and SAFE only)
Allow users to turn GPS on/off. Allowed by default.
Force GPS Location
(GATE and SAFE only)
Force GPS to be always ON. Users won’t be able to turn it OFF. Location services are forced by default.
Allow data roaming Allow users to turn on Data Roaming and use mobile data outside their home networks. Data roaming may incur additional charges. Data roaming is allowed by default.
Enforce device encryption Encrypt the data stored on the device with a password/decryption key. With device encryption turned on, if the device is locked, the data on your device’s internal storage can’t be accessed even if you hook it up to a computer. Encryption will be disabled by default.
Allow MDM administration removal
(GATE and SAFE only)
Disabling administration for Hexnode MDM app will cause Hexnode MDM to malfunction and enable Force Stop and Uninstall options for Hexnode MDM app. Allowed by default.

How to Apply the Restrictions to Devices/Groups?

If you haven’t saved the policy yet,

  1. Proceed to the Policy Targets.
  2. Click on + Add Devices, search and select all devices to which the policy is to be applied.
  3. Press OK button to finish adding devices.

Missed a device? No worries. Click on + Add Devices again and you can add more of them.

To associate the policies to a device group instead, select Device Groups from the left pane under Policy Targets, and follow the above instructions. You can associate the policy to users or user groups from the same pane.

If you’ve saved the policy and you’re taken to the page which displays the policy list,

  1. Check a policy.
  2. From Manage, select Associate Targets.
  3. Add as many devices as you need.
    •  
    •  
    •  
    •  
    •  
Desktop or Mobile, Hexnode MDM Got You Covered!
FREE 30-DAY TRIAL