How to set up Android MDM Restrictions using Hexnode MDM?

Restricting device functions and apps prevents unwanted distractions that users might otherwise experience at work. It not only denies access to users, but also keeps third-party apps from accessing resources and corporate data.

The availability of the restrictions provided here might differ based on the MDM plan you’ve subscribed to, the device make and the operating system the end-user is on. Some of the features listed here are built exclusively for Samsung Knox devices and LG’s GATE (Guarded Access to Enterprise) devices, which are marked alongside the policy listing.

Configuring Restrictions for Android Devices

To configure restrictions for an Android device,

  1. From your Hexnode portal, go to the Policies tab.
  2. Create a new policy by clicking the New Policy button, or continue with an existing one.
  3. From Android, choose Restrictions or Advanced Restrictions. The restrictions are set up from these two sections.

Notes:

  • The restrictions under Advanced Restrictions are applicable for Samsung Knox devices. These features will not work on a normal/rooted Android device or a GATE-supported one.
  • Some of these restrictions are also applicable for devices enrolled in the Android in the Enterprise (Android for Work) program.
  • Restrictions set for devices enrolled in Profile Owner mode are only applicable for the apps within the work container.

Basic Restrictions

Allow Device Functionality

Device Functions

Restrictions | Description | Supported Devices
Camera | Allow users to access the camera app on the device. Camera usage is allowed by default. | Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera, Device Owner, Profile Owner, Generic Android Devices
USB Mass Storage | Uncheck to disable access to external mass storage devices. Allowed by default. | Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera
USB file transfer | Uncheck to block file transfer via USB entirely. Allowed by default. | Samsung Knox Standard SDK 2.0 and up
Home button | Home button will not work until you turn this option on. Home button can be used by default. | Samsung Knox Standard SDK 2.0 and up, Device Owner on Samsung Knox
Power Off | Turning this option off will restrict users from turning the device off. By default, it is permitted to turn the device off. | Samsung Knox Standard SDK 3.0 and up, Device Owner on Samsung Knox
Safe mode | Allow users to boot their devices into safe mode. Booting into safe mode is allowed by default. | Samsung Knox 1.0 and up, Device Owner, Profile Owner, Generic Android Devices running versions below 7.0
Airplane mode | Allow users to turn airplane mode on. Allowed by default. | Samsung Knox 2.0 and up
Lock screen shortcuts | Enable this option to allow users to place app icons on the device’s lock screen. This option is enabled by default. | Samsung Knox 1.0 and up
Widgets on lock screen | Allows the user to add widgets to the lock screen. Allowed by default. | Samsung Knox 1.0 and up
Screen Orientation | Configure screen orientation for devices. You can make your selection from the following options: User can choose, Auto-rotate, Portrait, Left, Right, Invert. | Samsung Knox, LG GATE, Kyocera, Generic Android Devices, Device Owner
Screen Timeout | Configure screen timeout for devices. Choose between Never, Keep Current Settings, or set a time between 1-5, 10 or 15 minutes. | Samsung Knox, LG GATE, Kyocera, Generic Android Devices, Device Owner

Allow Network Settings

Network Restrictions

Restrictions | Description | Supported Devices
Wi-Fi | Uncheck to disable Wi-Fi on the devices. Note: On standard Android devices, Wi-Fi turns off automatically when the user tries to turn it on. | Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera, Device Owner, Profile Owner, Generic Android Devices
Force Wi-Fi (Works only when the option Wi-Fi is enabled) | Enabling this option prevents the users from turning the Wi-Fi off. On Samsung Knox devices, users will not be able to turn off the Wi-Fi. On Generic Android devices, even if the users turn off the Wi-Fi, it will be turned back on automatically. | Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera, Device Owner, Profile Owner, Generic Android Devices
Bluetooth | Allow/disallow turning Bluetooth on. By default, the users are allowed to use Bluetooth on their devices. | Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera, Device Owner, Profile Owner, Generic Android Devices
Force Bluetooth (Works only when the option Bluetooth is enabled) | Enabling this option prevents the users from turning Bluetooth off. On Samsung Knox devices, users will not be able to turn off Bluetooth. On Generic Android devices, even if the users turn off Bluetooth, it will be turned back on automatically. | Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera, Device Owner, Profile Owner, Generic Android Devices
Mobile data | Allow the use of mobile data by enabling this option. Allowed by default. | Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera
Tethering | Allow users to turn on tethering on their devices. Allowed by default. |
USB tethering (Unable to modify if Tethering is disallowed) | Allow users to share mobile data with other devices via USB. USB tethering is allowed by default. | Samsung Knox Standard SDK 2.0 and up
Bluetooth tethering (Unable to modify if Tethering is disallowed) | Let the users share their mobile data with other devices over Bluetooth. Allowed by default. | Samsung Knox Standard SDK 2.0 and up
Portable Wi-Fi hotspot (Unable to modify if Tethering is disallowed) | Allow/Disallow users to configure Wi-Fi hotspots. Note: Users cannot connect to any Wi-Fi network if Wi-Fi hotspot is set to ‘Always On’. | Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera, Device Owner and Generic Android Devices running versions below 8.0
Data roaming | Allow users to turn on Data Roaming and use mobile data outside their home networks. Data roaming may incur additional charges. Data roaming is allowed by default. | Samsung Knox Standard SDK 1.0 and up, Device Owner

Allow Location Settings

Location Settings

Restrictions | Description | Supported Devices
Mock location | Allow users to turn on Mock locations, which can be enabled from developer options. Enabling Mock location tricks the GPS with a fake location. By default, users are allowed to do so. Note: For Device Owner mode, unchecking this option disables developer options on the device entirely. | LG GATE, Samsung Knox Standard SDK 2.0 and up, Kyocera
Users can turn GPS on/off | Allow users to turn GPS on/off. Allowed by default. | LG GATE, Samsung Knox Standard SDK 3.0 and up, Kyocera
Force GPS to fetch location | Force GPS to be always ON. Users won’t be able to turn it OFF. Location services are forced by default. | LG GATE, Samsung Knox, Kyocera

Security Options

Security Options

Restrictions | Description | Supported Devices
Allow MDM administration removal | Disabling administration for the Hexnode MDM app will cause Hexnode MDM to malfunction and will enable the Force Stop and Uninstall options for the Hexnode MDM app. Allowed by default. | Samsung Knox Standard SDK 2.0 and up, LG GATE

Advanced Restrictions

Allow Device Functionality

Device Functions

Restrictions | Description | Supported Devices
Microphone | If this option is unchecked, the microphone will be disabled in all apps except during phone calls. Microphone is allowed by default. | Samsung Knox Standard SDK 2.0 and up, Device Owner
Screen capture | Allow or disallow users to capture a screenshot directly from their device or from Android Studio. Allowed by default. | Samsung Knox Standard SDK 2.0 and up, Device Owner, Profile Owner
Clipboard | When you copy or cut text on the system, it goes to the clipboard for temporary use, and text is pasted directly from the clipboard. Disabling the clipboard will therefore affect the Cut, Copy and Paste options. Copying another piece of text will replace the previous one in the clipboard. Clipboard is enabled by default. | Samsung Knox Standard SDK 2.0 and up
Copy contents between normal and work profiles | Allow users to copy contents between the user profile and the work profile. | Profile Owner
Share via other apps | Allow users to share files with other apps from the “share via” list. Enabled by default. | Samsung Knox 1.0 and up
Users can adjust volume | Allow users to adjust volume on devices. Enabled by default. Disabling this option mutes the master volume, even for the remote ring action. | Device Owner, Profile Owner on devices running Android version 6 and up
Make a call | Allow users to make calls on their devices. Enabled by default. | Device Owner

Display Settings

Display Settings

Restrictions | Description | Supported Devices
Hide System Bars | Hides the system bars – the status bar and the navigation bar. Both are shown by default. | Samsung Knox
Hide Status Bar | Hides the status bar (notification icons, network signal bar, time etc.) at the top of the handset screen. Hiding the status bar will deny access to the notifications bar and the quick settings tray. The status bar is shown by default. | Samsung Knox 1.0 and up
Hide Navigation Bar | Hides the on-screen navigation bar with the back, home and recent apps buttons, on Android 4.0+ handsets that don’t have the hardware counterparts for navigating through the system. The navigation bar is shown by default. | Samsung Knox 1.0 and up
Split-screen mode | Disabling this option restricts the user from accessing the multi-window or split-screen feature on the device. | Samsung Knox
Display dialogs/windows | Unchecking this option blocks dialogs/windows for system overlays, alerts, toast messages, incoming/outgoing calls, and application overlays. It also blocks Hexnode’s password prompt, broadcast message alerts and floating kiosk peripheral settings icon. | Device Owner

Allow Connectivity Options

Connectivity Options

Restrictions | Description | Supported Devices
NFC | If this option is disabled, NFC, Android Beam and S Beam are turned off and users cannot turn them on. NFC is enabled by default. | Samsung Knox Standard SDK 2.0 and up
Android Beam | Disabling Android Beam will disable S Beam as well. Allowed by default. | Samsung Knox 1.0 and up
Beam from the device | Specifies if the user can use NFC to beam out data from apps. Allowed by default. | Device Owner, Profile Owner
Transfer data via Bluetooth | Allow the device to transfer data over Bluetooth. Since Android Beam transfers data over a Bluetooth connection, turning this option off will affect Android Beam transfers. Allowed by default. | Samsung Knox Standard SDK 2.0 and up, Device Owner, Profile Owner
Configure Bluetooth | Allow users to configure Bluetooth on their devices. | Device Owner
Configure cell broadcast | Enable users to configure cell broadcasts. Allowed by default. | Device Owner
Configure cellular network | If disabled, restricts users from configuring cellular network settings on their devices. Allowed by default. | Device Owner, Profile Owner
Users can reset network settings | Allow/disallow users to reset network settings on their devices. Enabling this option allows users to reset current cellular and Wi-Fi settings, VPN settings, Wi-Fi passwords and so on. Allowed by default. Note: This feature works for Android devices running version 6 and above. | Device Owner
Configure Wi-Fi | Allow/Disallow users to configure Wi-Fi on their devices. Allowed by default. | Device Owner, Profile Owner
Configure hotspot and tethering | If this option is enabled, users can configure portable hotspot and tethering on their devices. Allowed by default. | Samsung Knox, Device Owner

Note:

Both Android Beam and S Beam identify a device using NFC. Android Beam sends files via Bluetooth, whereas S Beam transfers files with Wi-Fi Direct.

Allow Sync Settings

Limiting Data Sync

Restrictions | Description | Supported Devices
Sync data in background | Unchecking this option prevents the apps from auto-syncing data in the background. Allowed by default. | Samsung Knox Standard SDK 2.0 and up
Sync data with Google account | This will allow the device to sync data with the user’s Google Account. This includes contact, calendar, emails and everything Google except Play Store apps. Allowed by default. | Samsung Knox 2.0 and up

Allow Account Settings

Account Settings

Restrictions | Description | Supported Devices
SMS | Uncheck to disable incoming and outgoing SMS. | Samsung Knox Standard SDK 3.0 and up, Device Owner
Receive messages | If enabled, the device can retrieve all text messages sent to its user. Allowed by default. | Samsung Knox Standard SDK 3.0 and up
Send messages | Blocking this feature will restrict the users from sending text messages from their Samsung devices. Allowed by default. | Samsung Knox Standard SDK 3.0 and up
Modify Accounts/Users | If disabled, restricts users from adding, removing and switching between the users. For Android Enterprise enabled devices, this option allows the users to add, remove or switch between Google Accounts. Allowed by default. | Samsung Knox, Device Owner, Profile Owner
Add Users | If enabled, allows a user to add other users. Allowed by default. | Samsung Knox
Remove Users | If enabled, allows a user to delete other users. Allowed by default. | Samsung Knox
Configure user credentials | Allow users to configure user credentials. | Device Owner, Profile Owner

Allow Settings

Restrict Device Settings Modification

Restrictions | Description | Supported Devices
Developer mode | Unchecking this option will disable developer mode. This will reset any manually-configured developer settings. Allowed by default. | Samsung Knox 2.0 and up
USB debugging (If Developer mode is enabled) | Allow/disallow users to turn on USB Debugging. Allowed by default. | Samsung Knox Standard SDK 2.0, Device Owner
Modify settings | Disabling this option blocks all future changes to the device settings, until this option is turned back on. By default, Settings can be modified. | Samsung Knox Standard SDK 2.0 and up
Power saving mode | Allows users to turn power saver on. Power saver mode will reduce battery draining by restricting background data and location services, reducing brightness and disabling UI animations. Allowed by default. | Samsung Knox 2.8 and up
Users can enable location sharing | This option allows users to enable real time location sharing with others. Allowed by default. | Device Owner, Profile Owner
Factory reset | Allow users to reset their device to factory settings. | Samsung Knox Standard SDK 2.0, Device Owner
Read any connected physical external media | Allow users to connect the devices to external physical media. Allowed by default. | Device Owner, Profile Owner
Update date and time automatically | Allow automatic update of date and time on the device. Allowed by default. | Device Owner
Set time zone automatically | Allows the time zone the device is in to be updated automatically. Allowed by default. | Device Owner
Disable screen lock if the screen was turned off | If this option is enabled, you will not be asked to unlock your screen, usually with a PIN or password, each time you turn on your device. Disabled by default. | Samsung Knox 2.0 and up
Configure VPN | Allows users to configure VPN. When disabled, network and data usage restrictions set under Android > Mobile Data Management won’t work. | Samsung Knox Standard SDK 2.2 and up, Device Owner, Profile Owner (6.0 and above)

Allow App Settings

App-based Restrictions

Restrictions | Description | Supported Devices
Install apps | Disabling this option will block any app from being installed on the device. Allowed by default. | Samsung Knox Standard SDK 2.0, Device Owner, Profile Owner
Uninstall apps | To disallow a user from uninstalling any apps from the device, disable this option. Allowed by default. | Samsung Knox Standard SDK 2.2, Device Owner, Profile Owner
Control apps | Enabling this option allows users to modify applications in Settings or launchers. If this option is enabled, users can uninstall apps, disable apps, clear app data and cache, force stop apps, clear app defaults and so on. | Device Owner, Profile Owner
Google Play Store | Unchecking this option will hide Google Play Store’s icon from the user’s device. Allowed by default. | Samsung Knox Standard SDK 2.0 and up
Verify apps before install | If disallowed, it prevents app verification before installation. Enabling this option allows Google to verify the app content for any harmful behaviour before installation begins. | Device Owner, Profile Owner
Install apps from unknown sources | If allowed, it enables the users to install apps from Play Store and other sources. | Samsung Knox Standard SDK 2.0, Device Owner, Profile Owner
App Runtime Permissions | Set runtime permissions for apps. You can grant or deny specific permissions, or set default permissions for the app. | Device Owner, Profile Owner
Parent profile app linking | Allow apps in the parent profile to handle web links from the managed profile. Note: This feature works for Android devices running version 6 and above. | Device Owner, Profile Owner

Factory Reset Protection (Google Account Verification)

Google Factory Reset Protection (FRP) is a security feature enabled by default on devices running Android v5.1+, designed to prevent the use of a device if it is reset to factory settings without your permission. If you have a Google account set on your device and your device is reset, the device remains unusable until you log in using the Google account previously set on your device.

  • ‘Default’ option takes the default device settings for FRP.
  • ‘Bypass Factory Reset Protection’ enforces the Google account verification step. Add G Suite email addresses and/or Google Plus Profile IDs to log in to your devices in situations where you forget or do not know the previously configured Google account credentials. Integrate your G Suite account with the Hexnode MDM server to add the accounts to the list.
  • ‘Disable Factory Reset Protection’ lets you skip the Google account verification step. When asked to enter the Google account credentials, the user can skip the verification by clicking SKIP.

How to Apply the Restrictions to Devices/Groups?

If you haven’t saved the policy yet,

  1. Proceed to the Policy Targets.
  2. Click on + Add Devices, then search for and select all devices to which the policy is to be applied.
  3. Press the OK button to finish adding devices.

Missed a device? No worries. Click on + Add Devices again and you can add more of them.

To associate the policies to a device group instead, select Device Groups from the left pane under Policy Targets, and follow the above instructions. You can associate the policy to users or user groups from the same pane.

If you’ve saved the policy and you’re taken to the page which displays the policy list,

  1. Check a policy.
  2. From Manage, select Associate Targets.
  3. Add as many devices as you need.