Category Filter

How to set up Android MDM Restrictions?

Restricting device functions and apps prevent unwanted distractions that the users might experience from their work. Not only this help denying access for users, but also for third-party apps from accessing resources and corporate data.

The availability of the restrictions provided here might differ based on the MDM plan you’ve subscribed to, the device model and the operating system the end-user is on. Some of the features listed here are built exclusively for Samsung Knox devices and LG’s GATE (Guarded Access to Enterprise) devices, which are marked alongside the policy listing.

Configuring Restrictions for Android Devices

To configure restrictions for an Android device,

  1. From your Hexnode portal, head on to Policies tab.
  2. Create a new policy by clicking on New Policy button or continue with an existing one.
  3. From Android, choose Restrictions or Advanced Restrictions. These are from where the restrictions can be set up.
Notes:

  • The restrictions under Advanced Restrictions are applicable for Samsung Knox, LG GATE, Kyocera business phones, and devices enrolled in Android Enterprise program.
  • Restrictions set for devices enrolled in Profile Owner mode are only applicable for the apps within the work container.

Basic Restrictions

Allow Device Functionality

Device Functions
Restrictions Description Supported Devices
Camera Prevents the users to access the camera app on the device. Camera usage is allowed by default. On Android 10+ devices, the restriction works only on devices enrolled in Android Enterprise program. Samsung Knox, LG GATE, Kyocera business phones, Android Enterprise – Device Owner, Android Enterprise – Profile Owner, Standard Android Devices.
USB Mass Storage Disables access to external mass storage devices. Allowed by default. Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera business phones.
USB file transfer Blocks file transfer via USB entirely. USB file transfer is allowed by default. Samsung Knox Standard SDK 2.0 and up, Android Enterprise – Device Owner.
Home button Home button will not work if this option is unchecked. Home button can be used by default. Samsung Knox Standard SDK 2.0 and up.
Power Off Disabling this option prevents users from turning off the device. By default, it is permitted to turn the device off. Samsung Knox Standard SDK 3.0 and up.
Safe mode Prevents users from booting their devices into safe mode. Booting into safe mode is allowed by default. Samsung Knox 1.0 and up, Android Enterprise – Device Owner, Standard Android Devices running versions below 7.0.
Airplane mode Disallow the users to turn airplane mode on. Allowed by default. Samsung Knox 2.0 and up.
Lock screen shortcuts Uncheck this option to prevent users from placing app icons on the device’s lock screen. This option is enabled by default. Samsung Knox 1.0 and up.
Widgets on lock screen Prevents the user from adding widgets to the lock screen. Allowed by default. Samsung Knox 1.0 and up (below Android 5.0).
Screen Orientation Users can configure screen orientation of their choice on the device if User can choose option is selected. You can make your selection from the following options to enforce screen orientation on user’s device: · User can choose · Auto-rotate · Portrait · Left · Right · Invert Samsung Knox, LG GATE, Kyocera business phones, Standard Android Devices, Android Enterprise – Device Owner.
Screen Timeout Configure screen timeout for devices. Choose between – Never, Keep Current Settings, or set a time between 1-5, 10 or 15 minutes. Samsung Knox, LG GATE, Kyocera business phones, Standard Android Devices, Android Enterprise – Device Owner.

Allow Network Settings

Network Restrictions
Restrictions Description Supported Devices
Wi-Fi Uncheck to disable Wi-Fi on the devices. Note: On standard Android devices, Wi-Fi turns off automatically even if the user tries to turn it on. On Android 10+ devices except Samsung Knox, users will be prompted to turn off Wi-Fi manually. On Samsung Knox devices, Wi-Fi option gets disabled on the device. On Android 10+ devices enrolled in Android Enterprise- Profile Owner mode, the users will be prompted to turn-off Wi-Fi as they open the Hexnode MDM app. Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera business phones, Android Enterprise – Device Owner, Android Enterprise – Profile Owner, Standard Android Devices.
Force Wi-Fi (Works only when the option Wi-Fi is enabled) Enabling this option restricts users to turn off the Wi-Fi. Note: On Samsung Knox devices, users will not be able to turn off the Wi-Fi. On standard Android devices, even if the users turn off the Wi-Fi, it will be turned back on automatically. On Android 10+ devices, users will be prompted to turn on Wi-Fi manually. On Android 10+ devices enrolled in Android Enterprise-Profile Owner mode, the users will be prompted to turn-off Wi-Fi as they open the Hexnode MDM app. Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera business phones, Android Enterprise – Device Owner, Android Enterprise – Profile Owner, Standard Android Devices.
Bluetooth Uncheck this option to restrict users to turn on Bluetooth. By default, the users are allowed to use Bluetooth on their devices. Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera business phones, Android Enterprise – Device Owner, Android Enterprise – Profile Owner, Standard Android Devices.
Force Bluetooth (Works only when the option Bluetooth is enabled) Enabling this option restricts the users to turn off Bluetooth. On Samsung Knox devices, users will not be able to turn off Bluetooth. On standard Android devices, even if the users turn off Bluetooth, it will be turned back on automatically. Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera business phones, Android Enterprise – Device Owner, Android Enterprise – Profile Owner, Standard Android Devices.
Mobile data Uncheck this option to prevent the use of mobile data. Mobile data is allowed by default. Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera business phones.
Tethering Prevents tethering on devices. Tethering is allowed by default.
USB tethering
(Unable to modify if Tethering is disallowed)
Uncheck this option to prevent users from sharing mobile data with other devices via USB. USB tethering is allowed by default. Samsung Knox Standard SDK 2.0 and up.
Bluetooth tethering
(Unable to modify if Tethering is disallowed)
Disallows the users to share their mobile data with other devices over Bluetooth if this option is selected. Bluetooth tethering is allowed by default. Samsung Knox Standard SDK 2.0 and up.
Portable Wi-Fi hotspot
(Unable to modify if Tethering is disallowed)
Select an option to tether the portable Wi-Fi hotspot: Users can choose, Always Off, and Always On.
Note: Users cannot connect to any Wi-Fi network if Wi-Fi hotspot is set to’Always On’.
Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera business phones, Android Enterprise – Device Owner and Standard Android Devices running versions below 8.0.
Data roaming Uncheck this option to disallow users to turn on Data Roaming and use mobile data outside their home networks. Data roaming may incur additional charges. Data roaming is allowed by default. Samsung Knox Standard SDK 1.0 and up, Android Enterprise – Device Owner.

Allow Location Settings

Location Settings
Restrictions Description Supported Devices
Mock location Unchecking this option prevents users from turning on Mock locations which can be enabled from developer options. Enabling Mock location tricks the GPS with a fake location. By default, users are allowed to do so.
Note:

For Device owner mode, unchecking this option completely disables the entire developer options on the device.

LG GATE, Samsung Knox Standard SDK 2.0 and up, Kyocera business phones.
GPS Unchecking this option disallows the users from turning GPS on/off. Allowed by default. LG GATE, Samsung Knox Standard SDK 3.0 and up, Kyocera business phones.
Force GPS to fetch location Force GPS to be always ON. Users won’t be able to turn it OFF. Location services are forced by default. LG GATE, Samsung Knox, Kyocera business phones.

Allow Sync Settings

Sync Settings
Restrictions Description Supported Devices
Data backup Unchecking this option prevents user’s data from being backed up to or restored from Google drive. Android Enterprise Device Owner running Android 8.0+.

Security Options

Security Options
Restrictions Description Supported Devices
Allow MDM administration removal Unchecking this option prevents the removal of Hexnode MDM app from devices.
Note: On LG GATE devices running android 7 and above, disabling this option restricts the removal of both Hexnode MDM and LG Service apps. On devices running Android 6 and below, disabling the option restricts only the removal of Hexnode MDM app and not the LG Service app.
Samsung Knox Standard SDK 2.0 and up, LG GATE.

Advanced Restrictions

Allow Device Functionality

Device Functions
Restrictions Description Supported Devices
Microphone If this option is unchecked, the microphone will be disabled while using any apps except phone calls. Microphone is allowed by default. Samsung Knox Standard SDK 2.0 and up, Android Enterprise – Device Owner.
Screen capture Unchecking this option prevents users from capturing a screenshot directly from their device or from Android Studio. Allowed by default. Samsung Knox Standard SDK 2.0 and up, Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Clipboard When you copy or cut a text on the system, it’ll go to the clipboard for temporary use. The text is pasted directly from the clipboard. So, disabling this option prevents using clipboard to Cut, Copy and Paste functions. Copying another piece of text will replace the previous one in the clipboard. Clipboard is enabled by default. Samsung Knox Standard SDK 2.0 and up.
Copy contents between normal and work profiles Allow users to copy contents from an app in normal profile to an app in work profile and vice-versa. Android Enterprise – Profile Owner.
Share via other apps Disable data sharing between apps using the share option on the device. Enabled by default. Samsung Knox 1.0 and up.
Users can adjust volume Prevents users from adjusting the device volume, if this option is unchecked. Android Enterprise – Device Owner, Android Enterprise – Profile Owner on devices running Android version 6 and up.
Make a call Users are allowed to make calls on their devices by default. Unchecking this option disallows outgoing calls. Android Enterprise – Device Owner.
Receive calls Unchecking the option disables incoming calls on the device, preventing the user from receiving any calls. Samsung Knox
USB Host Storage Allow users to connect an external USB device, such as an external hard disk or a flash drive on their devices. If disabled, it blocks all external USB devices (except those specified under the USB Exception list) from connecting to the devices. Enabled by default. Samsung Knox 2.9+
USB Exception list This setting works only if the option ‘USB Host Storage’ is disabled. You can select the type of USB storage devices that can connect to your Android devices. Any USB device classes not specified here will be blocked. The available USB device classes include:
  • Audio: Speaker, microphone, sound card, MIDI
  • CDC Data: Devices used together with USB Communication Device Class (CDC)
  • Communication: Modem, Ethernet adapter, Wi-Fi adapter, RS-232 serial adapter
  • Human Interface Device: Keyboard, mouse, joystick and other human-interface devices (HIDs)
  • Mass Storage: USB Flash drive, memory card reader, digital camera, digital audio player, external drive
  • Miscellaneous: ActiveSync device
  • Still Image: Webcam, Scanner
  • Vendor Specific: Devices that need vendor-specific drivers
  • Wireless Controller: Bluetooth adapter, Microsoft RNDIS
Samsung Knox 2.9+

Display Settings

Display Settings
Restrictions Description Supported Devices
Hide System Bars Hides the system bars – the status bar, the navigation bar, and the settings toggles. They are shown on devices by default. Samsung Knox
Hide Status Bar Hides the status bar (notification icons, network signal bar, time etc.) at the top of the handset screen. Hiding the status bar will deny access to the notifications bar and the quick settings tray. The status bar is shown by default. Samsung Knox 1.0 and up
Hide Navigation Bar Hides the on-screen navigation bar with the back, home and recent apps buttons. Other system bars will not be affected. The navigation bar is shown by default. Samsung Knox 1.0 and up.
Split-screen mode Disabling this option restricts the user from accessing the multi-window or split-screen feature on the device. Samsung Knox
Display dialogs/windows Unchecking this option blocks dialogs/windows for system overlays, alerts, toast messages, incoming/outgoing calls, and application overlays. It also blocks Hexnode’s password prompt, broadcast message alerts and floating kiosk peripheral settings icon. Android Enterprise – Device Owner.

Allow Connectivity Options

Connectivity Options
Restrictions Description Supported Devices
NFC If this option is disabled, NFC, Android Beam and S Beam are turned off, and users cannot perform operations that use Near Field Communication on devices that support it. NFC is enabled by default. Samsung Knox Standard SDK 2.0 and up.
Android Beam Disabling Android Beam will disable S Beam as well. Allowed by default. Samsung Knox 1.0 and up.
Beam from the device Unchecking this option disallows outgoing Android Beam. Allowed by default. Android Enterprise – Device Owner, Android Enterprise -Profile Owner.
Transfer data via Bluetooth Uncheck this option prevents the device from transferring data over a Bluetooth connection, turning this option off will also affect Android Beam transfers. Allowed by default. Samsung Knox Standard SDK 2.0 and up, Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Configure Bluetooth Disallows users to configure Bluetooth on their devices if this option is unchecked. Android Enterprise – Device Owner.
Configure cell broadcast Disabling this option will prevent users from configuring cell broadcasts. Allowed by default. Android Enterprise – Device Owner.
Configure cellular network If disabled, restricts users from configuring cellular network settings on their devices. Allowed by default. Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Users can reset network settings Users are allowed to reset network settings on their devices by default. Disabling this option disallows users to reset current cellular and Wi-Fi settings, VPN settings, Wi-Fi passwords and so on. Allowed by default
Note: This feature works for Android devices running version 6 and above.
Android Enterprise – Device Owner.
Configure Wi-Fi Unchecking this option prevents users from configuring Wi-Fi on their devices. Allowed by default. Android Enterprise – Device Owner, Android Enterprise -Profile Owner.
Configure hotspot and tethering If this option is disabled, users can’t configure portable hotspot and tethering on their devices. Allowed by default. Samsung Knox, Android Enterprise – Device Owner.

Note:

Both Android Beam and S Beam identify a device using NFC. Android Beam send files via Bluetooth whereas S Beam will transfer files with Wi-Fi Direct.

Security options

Security options

Minimum Wi-Fi security level – Set a minimum-security level to establish a Wi-fi connection on the device. Open is selected as default. The device will not connect to a network which is less secure than the value chosen here.

Warning:

Once the policy gets applied on the device, the current Wi-Fi connection will get disconnected immediately if it has a security level below the minimum level set in the policy.

Security Type Supported Devices
WEP

WPA/WPA2 PSK

EAP- LEAP

EAP-FAST

EAP- PEAP

EAP-TTLS

EAP-TLS

All Samsung Knox versions.
FT- PSK

EAP-PEAP-FT

EAP-PEAP-CCKM

EAP-TTLS-FT

EAP-TTLS-CCKM

EAP-TLS-FT

EAP-TLS-CCKM

Knox 2.4+
EAP-LEAP-FT

EAP-LEAP-CCKM

EAP-FAST-FT

EAP-FAST-CCKM

EAP-PWD

EAP-PWD-FT

EAP-PWD-CCKM

EAP-SIM

EAP-SIM-FT

EAP-SIM-CCKM

EAP-AKA

EAP-AKA-FT

EAP-AKA-CCKM

EAP-AKA’

EAP-AKA’-FT

EAP-AKA’-CCKM

Knox 2.5+

Allow Sync Settings

Limiting Data Sync
Restrictions Description Supported Devices
Sync data in background Unchecking this option prevents the apps from auto-syncing data in the background. By default, users can toggle it on/off. Samsung Knox Standard SDK 2.0 and up.
Sync data with Google account Uncheck this option to disallow the Google apps on the device to sync data with the user’s Google Account. This includes contact, calendar, emails and everything Google except Play Store apps. Allowed by default. Samsung Knox 2.0 and up.

Allow Account Settings

Account Settings
Restrictions Description Supported Devices
SMS Uncheck to disable incoming and outgoing SMS. Samsung Knox Standard SDK 3.0 and up, Android Enterprise – Device Owner.
Receive messages If disabled, the device can’t retrieve the text messages sent to its user. Allowed by default. Samsung Knox Standard SDK 3.0 and up.
Send messages Blocking this feature will restrict the users from sending text messages from their Samsung devices. Allowed by default. Samsung Knox Standard SDK 3.0 and up.
Modify Accounts/Users If disabled, restricts users from adding, removing and switching between the users. For Android Enterprise enabled devices, this option allows the users to add, remove or switch between Google Accounts. Allowed by default. Samsung Knox, Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Add Users User will not be allowed to add other users if this option is unchecked. Allowed by default. Samsung Knox
Remove Users User will not be allowed to delete other users if this option is unchecked. Allowed by default. Samsung Knox
Configure user credentials Allow users to configure user credentials. Android Enterprise – Device Owner, Android Enterprise – Profile Owner.

Allow Settings

Restrict Device Settings Modification
Restrictions Description Supported Devices
Developer mode Unchecking this option will disable developer mode. This will reset any manually-configured developer settings. Allowed by default. Samsung Knox 2.0 and up.
USB debugging
(If Developer mode is enabled)
If allowed, users can turn USB debugging on/off. If disallowed, users won’t be able to turn it back on. Allowed by default. Samsung Knox Standard SDK 2.0, Android Enterprise – Device Owner.
Modify settings Disabling this option blocks all future changes to the device settings, until this option is turned back on. By default, Settings can be modified. Samsung Knox Standard SDK 2.0 and up.
Power saving mode If disallowed the device won’t be able to switch to power saving mode. Allowed by default. Samsung Knox 2.8 and up.
Users can enable location sharing This option allows users to enable real time location sharing with others. Disabling this option prevents the user from turning on location sharing. Allowed by default. Android Enterprise – Device Owner, Android Enterprise -Profile Owner
Factory reset Allow users to reset their device to factory settings. Unchecking the option prevents factory reset. Allowed by default. Samsung Knox Standard SDK 2.0, Android Enterprise -Device Owner.
Read any connected physical external media Users are allowed to connect the devices to external physical media by default. Disabling the option prevents it. Android Enterprise – Device Owner, Android Enterprise -Profile Owner.
Update date and time automatically Allows automatic update of date, time and time zone on the device, if this option is selected. Allowed by default. Android Enterprise – Device Owner.
Set time zone automatically Unchecking this option disallows users to choose whether the device can update the time zone automatically. Allowed by default. Android Enterprise – Device Owner.
Disable screen lock if the screen was turned off If this option is enabled, the screen lock option (Settings > Security > Screen Lock) will be disabled on the device. Any unlock pattern, password, PIN on the device will get cleared. Disabled by default. Samsung Knox 2.0 and up.
Configure VPN Allows users to configure VPN. When disabled, network and data usage restrictions set under Android > Mobile Data Management won’t work. Samsung Knox Standard SDK 2.2 and up, Android Enterprise – Device Owner, Android Enterprise – Profile Owner(6.0 and above).
Automatically power off a device when USB is detached Enable this option to power off a device whenever a USB is detached from it. This will not work if ‘Power Off’ under Policy > Android > Restriction is disabled.
Notes:


This option works only if:

  • A KPE Premium license key is attached to the devices. Head on to General Settings > Knox Platform for Enterprise > Configure to select the key already added to the portal.
  • The ‘Power Off’ option under Policy > Android > Restrictions is enabled.

Samsung Knox 2.8+, Hexnode MDM 11.8.3 and Hexnode for Work 7.8.3.
Automatically power on a device when USB is connected Check this option to automatically turn on the device when a USB is connected.
Note:


This option works only if:

  • A KPE Premium license key is attached to the devices. Head on to General Settings > Knox Platform for Enterprise > Configure to select the key already added to the portal.

Samsung Knox 2.6+, Hexnode MDM 11.8.3 and Hexnode for Work 7.8.3.

Allow App Settings

App-based Restrictions
Restrictions Description Supported Devices
Install apps Disabling this option will block any apps from installing on the device. Allowed by default. Samsung Knox Standard SDK 2.0, Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Uninstall apps To disallow a user from uninstalling any apps from the device, disable this option. Allowed by default. Samsung Knox Standard SDK 2.2, Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Control apps Enabling this option allows users to modify applications in Settings or launchers. If this option is disabled, users can’t uninstall apps, disable apps, clear app data and cache, force stopping apps, clear app defaults and so on. Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Google Play Store Unchecking this option will hide Google Play Store’s icon from the user’s device. Allowed by default. Samsung Knox Standard SDK 2.0 and up.
Verify apps before install  Enabling this option allows Google to verify the app content for any harmful behaviour before installation begins. If disallowed, it prevents Google app verification before installation. Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Install apps from unknown sources If allowed, it enables the users to install apps from Play Store and other sources. Unchecking this option will block app installation from unknown sources and users can’t turn it back on from the device. Samsung Knox Standard SDK 2.0, Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
App Runtime Permissions Set runtime permissions for apps. You can grant, deny specific permissions or, set default permissions for the app.
Note:


The app runtime permissions can only be granted on Android 10 or later devices.

Android Enterprise – Device Owner, Android Enterprise -Profile Owner.
Parent profile app linking Disabling this option prevents apps in the parent profile to handle web links from managed profile.
Note: This feature works for Android devices running version 6 and above.
Android Enterprise – Device Owner, Android Enterprise – Profile Owner.

Factory Reset Protection (Google Account Verification)

Google Factory Reset Protection (FRP) is a security feature enabled by default on devices running Android v5.1+, designed to prevent the use of devices if it gets reset to factory settings without your permission. If you have a Google account set on your device and your device is reset, the device remains unusable until you log in using the Google account previously set on your device.
Default’ option takes the default device settings for FRP.
Bypass Factory Reset Protection‘ enforces the Google account verification step. Add G Suite email address and/or Google Plus Profile IDs to log in to your devices in situations where you forget/do not know the previously configured Google account credentials. Integrate your G Suite account with the Hexnode MDM server to add the accounts to the list.
Disable Factory Reset Protection‘ lets you skip the Google account verification step. When asked to enter the Google account credentials, the user can skip the verification by clicking SKIP.

How to Apply the Restrictions to Devices/Groups?

If you haven’t saved the policy yet,

  1. Proceed to the Policy Targets.
  2. Click on + Add Devices, search and select all devices to which the policy is to be applied.
  3. Press OK button to finish adding devices.

Missed a device? No worries. Click on + Add Devices again and you can add more of them.

To associate the policies with a device group instead, select Device Groups from the left pane under Policy Targets, and follow the above instructions. You can associate the policy to users or user groups from the same pane.

If you’ve saved the policy and you’re taken to the page which displays the policy list,

  1. Check a policy.
  2. From Manage, select Associate Targets.
  3. Add as many devices as you need.