Category filter

How to set up Android device Restrictions?

Setting up device and app restrictions features on the work managed devices reduces distractions and improves its security. Controlling the device settings and restricting access also prevents third-party apps from accessing corporate data and resources.

The availability of the device restrictions might differ based on the MDM plan you’ve subscribed to, the device make, and the operating system of the endpoint. Some of the features listed here are built exclusively for Samsung Knox devices, LG’s GATE (Guarded Access to Enterprise) devices, Kyocera business phones, and Android Enterprise enrolled devices.

Configuring Restrictions for Android devices

To configure Android device restrictions via the Hexnode UEM portal,

From your Hexnode portal, head on to the Policies tab.
Set up a new policy by clicking on the New Policy button or continue with an existing one.
Navigate to Android > Restrictions > Basic/Advanced. You can set up device restrictions from there.

Notes:

The Advanced Restrictions in Hexnode UEM lets you have enhanced control over Samsung Knox, LG GATE, Kyocera business phones and Android Enterprise enrolled devices.
Restrictions set up for devices enrolled in Profile Owner mode is only applicable for the apps within the work container.

Basic Restrictions

Basic restrictions for Android devices on Hexnode UEM

Allow Basic Device Functionality

Device Functions

Restrictions	Description	Supported Devices
Camera	Prevents the users to access the camera app on the device. Camera usage is allowed by default. On Android 10+ devices, the restriction works only on devices enrolled in Android Enterprise program.	Samsung Knox Standard SDK 2.0 and up, LG GATE, Kyocera business phones, Device Owner, Profile Owner, Standard Android Devices.
USB Mass Storage	Disables access to external mass storage devices. Allowed by default.	LG GATE, Samsung Knox Standard SDK 2.0 and up, Kyocera business phones.
USB file transfer	Blocks file transfer via USB entirely. USB file transfer is allowed by default.	Samsung Knox Standard SDK 2.0 and up, Android Enterprise – Device Owner.
Home button	Home button will not work if this option is unchecked. Home button can be used by default.	Samsung Knox Standard SDK 2.0 and up.
Power Off	Disabling this option prevents users from turning off the device. By default, it is permitted to turn the device off. Note: Unchecking this option will prevent the device from restarting after an OS update. Disabling this option will cause the Restart Device action to fail.	Samsung Knox Standard SDK 3.0 and up.
Safe mode	Disabling this option prevents users from booting their devices into safe mode. Provide a suitable password in the ‘Device password’ field. It is required for devices other than Samsung Knox or those enrolled in Android Enterprise as the Device Owner. Users will be prompted to enter this password when they try to enable Safe mode on their devices. Note: For Standard Android devices below version 7.0, the device password will be cleared on reboot, and the password given in the ‘Device Password’ field will be set as the device password.	Samsung Knox 1.0 and up, Android Enterprise – Device Owner, Standard Android Devices running versions below 7.0.
Airplane mode	Disallow the users to turn airplane mode on. Allowed by default.	Samsung Knox 2.0 and up, Android Enterprise – Device Owner (Android 9.0+).
Lock screen shortcuts	Uncheck this option to prevent users from placing app icons on the device’s lock screen. This option is enabled by default.	Samsung Knox 1.0 and up.
Widgets on lock screen	Prevents the user from adding widgets to the lock screen. Allowed by default.	Samsung Knox 1.0 and up.
Screen Orientation	Users can configure screen orientation of their choice on the device if User can choose option is selected. You can make your selection from the following options to enforce screen orientation on user’s device: · User can choose · Auto-rotate · Portrait · Left · Right · Invert	Samsung Knox, LG GATE, Kyocera business phones, Standard Android Devices, Android Enterprise – Device Owner.
Screen Timeout	Configure screen timeout for devices. Choose between – Never, Keep Current Settings, or set a time between 1-5, 10 or 15 minutes. Note: The restriction imposes a limit on the maximum screen timeout duration the user can choose at the device end. It doesn’t modify the currently selected value on the device unless it exceeds the configured limit.	Kyocera business phones, Samsung Knox, Standard Android Devices, LG GATE, Android Enterprise – Device Owner.

Allow Network Settings

Network Restrictions

Restrictions	Description	Supported Devices
Wi-Fi	Uncheck to disable Wi-Fi on the devices. Note: On standard Android devices, Wi-Fi turns off automatically even if the user tries to turn it on. On Android 10+ devices except Samsung Knox, users will be prompted to turn off Wi-Fi manually. On Samsung Knox devices, Wi-Fi option gets disabled on the device. On Android 10+ devices enrolled in Android Enterprise- Profile Owner mode, the users will be prompted to turn-off Wi-Fi as they open the Hexnode MDM app.	LG GATE, Kyocera business phones, Android Enterprise – Device Owner, Android Enterprise – Profile Owner, Standard Android Devices, Samsung Knox Standard SDK 2.0 and up.
Force Wi-Fi (Works only when the option Wi-Fi is enabled)	Enabling this option restricts users to turn off the Wi-Fi. Note: On Samsung Knox devices, users will not be able to turn off the Wi-Fi. On standard Android devices, even if the users turn off the Wi-Fi, it will be turned back on automatically. On Android 10+ devices, users will be prompted to turn on Wi-Fi manually. On Android 10+ devices enrolled in Android Enterprise-Profile Owner mode, the users will be prompted to turn-off Wi-Fi as they open the Hexnode MDM app.	LG GATE, Kyocera business phones, Android Enterprise – Device Owner, Android Enterprise – Profile Owner, Standard Android Devices Samsung Knox Standard SDK 2.0 and up.
Bluetooth	Uncheck this option to restrict users to turn on Bluetooth. By default, the users are allowed to use Bluetooth on their devices.	Samsung Knox Standard SDK 2.0 and up, Kyocera business phones, Android Enterprise – Device Owner, Android Enterprise – Profile Owner, Standard Android Devices, LG GATE.
Force Bluetooth (Works only when the option Bluetooth is enabled)	Enabling this option restricts the users to turn off Bluetooth. On Samsung Knox devices, users will not be able to turn off Bluetooth. On standard Android devices, even if the users turn off Bluetooth, it will be turned back on automatically.	LG GATE, Samsung Knox Standard SDK 2.0 and up, Kyocera business phones, Android Enterprise – Device Owner, Android Enterprise – Profile Owner, Standard Android Devices.
Mobile data	Uncheck this option to prevent the use of mobile data. Mobile data is allowed by default.	Kyocera business phones, Samsung Knox Standard SDK 2.0 and up, LG GATE.
Tethering	Prevents tethering on devices. Tethering is allowed by default.	–
USB tethering (Unable to modify if Tethering is disallowed)	Uncheck this option to prevent users from sharing mobile data with other devices via USB. USB tethering is allowed by default.	Samsung Knox Standard SDK 2.0 and up.
Bluetooth tethering (Unable to modify if Tethering is disallowed)	Disallows the users to share their mobile data with other devices over Bluetooth if this option is selected. Bluetooth tethering is allowed by default.	Samsung Knox Standard SDK 2.0 and up.
Portable Wi-Fi hotspot (Unable to modify if Tethering is disallowed)	Select an option to tether the portable Wi-Fi hotspot: Users can choose, Always Off, and Always On. Note: Users cannot connect to any Wi-Fi network if Wi-Fi hotspot is set to ‘Always On’.	Samsung Knox Standard SDK 2.0 and up, Kyocera business phones, Android Enterprise – Device Owner and Standard Android Devices running versions below 8.0, LG GATE.
Data roaming	Uncheck this option to disallow users to turn on Data Roaming and use mobile data outside their home networks. Data roaming may incur additional charges. Data roaming is allowed by default.	Samsung Knox Standard SDK 1.0 and up, Android Enterprise – Device Owner.

Allow Location Settings

Location Settings

Restrictions	Description	Supported Devices
Mock location	Unchecking this option prevents users from turning on Mock locations which can be enabled from developer options. Enabling Mock location tricks the GPS with a fake location. By default, users are allowed to do so. Note: For Device owner mode, unchecking this option completely disables the entire developer options on the device.	LG GATE, Samsung Knox 1.0 and up, Kyocera business phones.
GPS	Unchecking this option disallows the users from turning GPS on/off. Allowed by default.	LG GATE, Samsung Knox 1.0 and up, Kyocera business phones, Android Enterprise Device Owner.
Force GPS to fetch location	Force GPS to be always ON. Users won’t be able to turn it OFF. Location services are forced by default. Note: This option can only be enabled if the GPS option is checked.	LG GATE, Samsung Knox, Kyocera business phones, Android Enterprise Device Owner(Android 9.0 and above).

Allow Basic Sync Settings

Sync Settings

Restrictions	Description	Supported Devices
Backup service	Unchecking this option prevents user’s data from being backed up to or restored from Google drive.	Android Enterprise Device Owner running Android 8.0+.

Basic Security Options

Security Options

Restrictions	Description	Supported Devices
Allow MDM administration removal	Unchecking this option prevents the removal of Hexnode MDM app from devices. Note: On LG GATE devices running android 7 and above, disabling this option restricts the removal of both Hexnode MDM and LG Service apps. On devices running Android 6 and below, disabling the option restricts only the removal of Hexnode MDM app and not the LG Service app.	Samsung Knox Standard SDK 2.0 and up, LG GATE.

Advanced Restrictions

Advanced restrictions for Android devices on Hexnode UEM

Allow Advanced Device Functionality

Device Functions

Restrictions	Description	Supported Devices
Microphone	If this option is unchecked, the microphone will be disabled while using any apps except phone calls. Microphone is allowed by default.	Android Enterprise – Device Owner, Samsung Knox Standard SDK 2.0 and up.
Screen capture	Unchecking this option prevents users from capturing the screen directly from their device or from Android Studio. Allowed by default. Note: Depending on the device model, Android version or enrollment method used, screen capture restriction works differently across the endpoints. For instance, On devices enrolled in Android Enterprise – Profile Owner mode, the screen capture is restricted only within the work apps. On Android 12+ devices enrolled in Android Enterprise – Profile Owner mode, a black screen is captured instead of the device screen.	Samsung Knox Standard SDK 2.0 and up, Android Enterprise – Profile Owner, Android Enterprise – Device Owner.
Clipboard	When you copy or cut a text on the system, it’ll go to the clipboard for temporary use. The text is pasted directly from the clipboard. So, disabling this option prevents using clipboard to Cut, Copy and Paste functions. Copying another piece of text will replace the previous one in the clipboard. Clipboard is enabled by default.	Samsung Knox Standard SDK 2.0 and up.
Copy contents between normal and work profiles	Allow users to copy contents from an app in normal profile to an app in work profile and vice-versa.	Android Enterprise – Profile Owner.
Share via other apps	Disable data sharing between apps using the share option on the device. Enabled by default.	Samsung Knox 1.0 and up.
Users can adjust volume	Prevents users from adjusting the device volume, if this option is unchecked.	Android Enterprise – Device Owner, Android Enterprise – Profile Owner on devices running Android version 6 and up.
Make a call	Users are allowed to make calls on their devices by default. Unchecking this option disallows outgoing calls.	Android Enterprise – Device Owner.
Receive calls	Unchecking the option disables incoming calls on the device, preventing the user from receiving any calls.	Samsung Knox
USB Host Storage	Allow users to connect an external USB device, such as an external hard disk or a flash drive on their devices. If disabled, it blocks all external USB devices (except those specified under the USB Exception list) from connecting to the devices. Enabled by default.	Samsung Knox 2.9+
USB Exception list	This setting works only if the option ‘USB Host Storage’ is disabled. You can select the type of USB storage devices that can connect to your Android devices. Any USB device classes not specified here will be blocked. The available USB device classes include: Audio: Speaker, microphone, sound card, MIDI CDC Data: Devices used together with USB Communication Device Class (CDC) Communication: Modem, Ethernet adapter, Wi-Fi adapter, RS-232 serial adapter Human Interface Device: Keyboard, mouse, joystick and other human-interface devices (HIDs) Mass Storage: USB Flash drive, memory card reader, digital camera, digital audio player, external drive Miscellaneous: ActiveSync device Still Image: Webcam, Scanner Vendor Specific: Devices that need vendor-specific drivers Wireless Controller: Bluetooth adapter, Microsoft RNDIS	Samsung Knox 2.9+
Allow input methods	Enabling this option allows all input methods, including third-party input apps. If the option is left unchecked, only the system input methods will be accessible. If the option is enabled, and specific package names for third-party input apps are provided, no additional third-party input apps can be enabled on the device end after associating the policy. Note: Ensure that the third-party input apps are installed on the device before associating the policy. The correct package name must be provided within in the restriction. To obtain the correct package name, follow these steps in Hexnode UEM.	Android Enterprise Profile Owner & Device Owner (Android 10+ devices)

Exception:

If a third-party input method is already enabled on the device via device settings manually, but a different app’s package name is added in the policy, the policy won’t disable the previously enabled input method. In other words, the user will be able to access both input methods.

Display Settings

Restrictions	Description	Supported Devices
Hide System Bars	Hides the system bars – the status bar, the navigation bar, and the settings toggles. They are shown on devices by default.	Samsung Knox
Hide Status Bar	Hides the status bar (notification icons, network signal bar, time etc.) at the top of the handset screen. Hiding the status bar will deny access to the notifications bar and the quick settings tray. The status bar is shown by default.	Samsung Knox 1.0 and up, Android Enterprise – Device Owner.
Hide Navigation Bar	Hides the on-screen navigation bar with the back, home and recent apps buttons. Other system bars will not be affected. The navigation bar is shown by default.	Samsung Knox 1.0 and up.
Split-screen mode	Disabling this option restricts the user from accessing the multi-window or split-screen feature on the device.	Samsung Knox
Display dialogs/windows	Unchecking this option blocks dialogs/windows for system overlays, alerts, toast messages, incoming/outgoing calls, and application overlays. It also blocks Hexnode’s password prompt, broadcast message alerts and floating kiosk peripheral settings icon.	Android Enterprise – Device Owner.
Keep Screen On while charging	Select the type of power source that can cause the device’s screen to stay on while plugged in. The available options include: On AC charger: The screen stays on when the device is plugged in using an AC charger. Note: This option may not work if the device is plugged in using an unsupported power supply. Make sure to use the supported device chargers for charging devices. On USB charger: The screen stays on if the device is charging via USB. On wireless charger: The device screen stays on while it is charging wirelessly. Notes: This restriction will not work if: The device screen is manually turned off. The ‘Auto-lock after’ option under Policies > Android > Password is enabled. The user disables the ‘Stay Awake’ option under ‘Developer options’. In this case, the policy will have to be pushed again for this feature to work.	Android Enterprise – Device Owner (Android 6.0+).

Allow Connectivity Options

Connectivity Options

Restrictions	Description	Supported Devices
NFC	If this option is disabled, NFC, Android Beam and S Beam are turned off, and users cannot perform operations that use Near Field Communication on devices that support it. NFC is enabled by default.	Samsung Knox Standard SDK 2.0 and up.
Android Beam	Disabling Android Beam will disable S Beam as well. Allowed by default.	Samsung Knox 1.0 and up.
Beam from the device	Unchecking this option disallows outgoing Android Beam. Allowed by default.	Android Enterprise – Device Owner, Android Enterprise -Profile Owner.
Transfer data via Bluetooth	Uncheck this option prevents the device from transferring data over a Bluetooth connection, turning this option off will also affect Android Beam transfers. Allowed by default.	Samsung Knox Standard SDK 2.0 and up, Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Configure Bluetooth	Disallows users to configure Bluetooth on their devices if this option is unchecked.	Android Enterprise – Device Owner.
Configure cell broadcast	Disabling this option will prevent users from configuring cell broadcasts. Allowed by default.	Android Enterprise – Device Owner.
Configure cellular network	If disabled, restricts users from configuring cellular network settings on their devices. Allowed by default.	Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Users can reset network settings	Users are allowed to reset network settings on their devices by default. Disabling this option disallows users to reset current cellular and Wi-Fi settings, VPN settings, Wi-Fi passwords and so on. Allowed by default Note: This feature works for Android devices running version 6 and above.	Android Enterprise – Device Owner.
Configure Wi-Fi	Unchecking this option prevents users from configuring Wi-Fi on their devices. Allowed by default.	Android Enterprise – Device Owner, Android Enterprise -Profile Owner.
Configure managed Wi-Fi profile	Unchecking this option prevents the user from modifying the managed Wi-Fi configurations pushed from Hexnode.	Android Enterprise – Device Owner
Configure hotspot and tethering	If this option is disabled, users can’t configure portable hotspot and tethering on their devices. Allowed by default. Warning: For Samsung Knox devices below Android 7.0, disabling the options Configure hotspot and tethering and Sync data in background may cause the device to be stuck in a boot loop.	Samsung Knox, Android Enterprise – Device Owner.

Note:

Both Android Beam and S Beam identify a device using NFC. Android Beam send files via Bluetooth whereas S Beam will transfer files with Wi-Fi Direct.

Advanced Security options

Security options

Minimum Wi-Fi security level – Set a minimum-security level to establish a Wi-fi connection on the device. Open is selected as default. The device will not connect to a network which is less secure than the value chosen here.

Warning:

Once the policy gets applied on the device, the current Wi-Fi connection will get disconnected immediately if it has a security level below the minimum level set in the policy.

Security Type	Supported Devices
WEP WPA/WPA2 PSK EAP- LEAP EAP-FAST EAP- PEAP EAP-TTLS EAP-TLS	All Samsung Knox versions.
FT- PSK EAP-PEAP-FT EAP-PEAP-CCKM EAP-TTLS-FT EAP-TTLS-CCKM EAP-TLS-FT EAP-TLS-CCKM	Knox 2.4+
EAP-LEAP-FT EAP-LEAP-CCKM EAP-FAST-FT EAP-FAST-CCKM EAP-PWD EAP-PWD-FT EAP-PWD-CCKM EAP-SIM EAP-SIM-FT EAP-SIM-CCKM EAP-AKA EAP-AKA-FT EAP-AKA-CCKM EAP-AKA’ EAP-AKA’-FT EAP-AKA’-CCKM	Knox 2.5+

Security Type

Supported Devices

WEP

WPA/WPA2 PSK

EAP- LEAP

EAP-FAST

EAP- PEAP

EAP-TTLS

EAP-TLS

All Samsung Knox versions.

FT- PSK

EAP-PEAP-FT

EAP-PEAP-CCKM

EAP-TTLS-FT

EAP-TTLS-CCKM

EAP-TLS-FT

EAP-TLS-CCKM

Knox 2.4+

EAP-LEAP-FT

EAP-LEAP-CCKM

EAP-FAST-FT

EAP-FAST-CCKM

EAP-PWD

EAP-PWD-FT

EAP-PWD-CCKM

EAP-SIM

EAP-SIM-FT

EAP-SIM-CCKM

EAP-AKA

EAP-AKA-FT

EAP-AKA-CCKM

EAP-AKA’

EAP-AKA’-FT

EAP-AKA’-CCKM

Knox 2.5+

Restrictions	Description	Supported Devices
Setup Private DNS	Configure private DNS to encrypt DNS queries with TLS for improved security. Once configured, the DNS queries will be encrypted when sent to the selected DNS server. This option is unchecked by default. Once checked, you have two options for configuring private DNS: *Automatic* and *Private DNS provider hostname. The option Automatic* is chosen by default if Setup Private DNS is enabled. It implies that the device will automatically use the private DNS server provided by your network or internet service provider (ISP). If you choose Private DNS provider hostname, provide the DNS server’s address as the hostname in the allocated field.	Android Enterprise Device Owner (Android 10+ devices)
Allow user modification of Private DNS settings	Unchecking this option will prevent the user from modifying the private DNS settings on the device end. This option is checked by default.

Allow Advanced Sync Settings

Limiting Data Sync

Restrictions	Description	Supported Devices
Sync data in background	Unchecking this option prevents the apps from auto-syncing data in the background. By default, users can toggle it on/off. Note: If this option is disabled, the device will go into Data Saver mode and the end-user will not be able to exit from it. Enable this option to allow the user to make changes to the Data Saver mode. Warning: For Samsung Knox devices below Android 7.0, disabling the options Configure hotspot and tethering and Sync data in background may cause the device to be stuck in a boot loop.	Samsung Knox Standard SDK 2.0 and up.
Sync data with Google account	Uncheck this option to disallow the Google apps on the device to sync data with the user’s Google Account. This includes contact, calendar, emails and everything Google except Play Store apps. Allowed by default.	Samsung Knox 2.0 and up.

Restrictions

Description

Supported Devices

Sync data in background

Unchecking this option prevents the apps from auto-syncing data in the background. By default, users can toggle it on/off.

Note:

If this option is disabled, the device will go into Data Saver mode and the end-user will not be able to exit from it. Enable this option to allow the user to make changes to the Data Saver mode.

Warning:

For Samsung Knox devices below Android 7.0, disabling the options Configure hotspot and tethering and Sync data in background may cause the device to be stuck in a boot loop.

Samsung Knox Standard SDK 2.0 and up.

Sync data with Google account

Uncheck this option to disallow the Google apps on the device to sync data with the user’s Google Account. This includes contact, calendar, emails and everything Google except Play Store apps. Allowed by default.

Samsung Knox 2.0 and up.

Allow Account Settings

Account Settings

Restrictions	Description	Supported Devices
SMS	Uncheck to disable incoming and outgoing SMS.	Samsung Knox Standard SDK 3.0 and up, Android Enterprise – Device Owner.
Receive messages	If disabled, the device can’t retrieve the text messages sent to its user. Allowed by default.	Samsung Knox Standard SDK 3.0 and up.
Send messages	Blocking this feature will restrict the users from sending text messages from their Samsung devices. Allowed by default.	Samsung Knox Standard SDK 3.0 and up.
Modify Accounts/Users	If disabled, restricts users from adding, removing and switching between the users. For Android Enterprise enabled devices, this option allows the users to add, remove or switch between Google Accounts. Allowed by default.	Samsung Knox, Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Add Users	User will not be allowed to add other users if this option is unchecked. Allowed by default.	Samsung Knox
Remove Users	User will not be allowed to delete other users if this option is unchecked. Allowed by default.	Samsung Knox
Configure user credentials	Allow users to configure user credentials.	Android Enterprise – Device Owner, Android Enterprise – Profile Owner.

Allow Settings

Restrict Device Settings Modification

Notes:

Make sure you have the latest versions of the Hexnode MDM app or Hexnode for Work app installed on the devices.

Restrictions	Description	Supported Devices
Developer mode	Unchecking this option will disable developer mode. This will reset any manually-configured developer settings. Allowed by default.	Samsung Knox 2.0 and up.
USB debugging (If Developer mode is enabled)	If allowed, users can turn USB debugging on/off. If disallowed, users won’t be able to turn it back on. Allowed by default.	Samsung Knox Standard SDK 2.0, Android Enterprise – Device Owner.
Modify settings	Disabling this option blocks all future changes to the device settings, until this option is turned back on. By default, Settings can be modified.	Samsung Knox Standard SDK 2.0 and up.
Power saving mode	If disallowed the device won’t be able to switch to power saving mode. Allowed by default.	Samsung Knox 2.8 and up.
Users can enable location sharing	This option allows users to enable real time location sharing with others. Disabling this option prevents the user from turning on location sharing. Allowed by default.	Android Enterprise – Device Owner, Android Enterprise -Profile Owner
Factory Reset	Unchecking this option will prevent users from performing a factory reset from the device settings. Allowed by default. Note: Users would still be able to factory reset the device using hardware keys.	Android Enterprise -Device Owner
Advanced Factory Reset	Unchecking this option will prevent users from performing a factory reset from the device settings, via ADB or even the recovery mode. Warning: All system recovery options might be affected by disabling this option.	Samsung Knox 1.0+
Read any connected physical external media	Users are allowed to connect the devices to external physical media by default. Disabling the option prevents it.	Android Enterprise – Device Owner, Android Enterprise -Profile Owner.
Update date and time automatically	Allows automatic update of date, time and time zone on the device, if this option is selected. Allowed by default. This feature may not work on devices that do not support the option to set the time zone automatically.	Android Enterprise – Device Owner.
Set time zone automatically	Unchecking this option disallows users to choose whether the device can update the time zone automatically. Allowed by default. This feature may not work on devices that do not support the option to set the time zone automatically.	Android Enterprise – Device Owner.
Disable screen lock if the screen was turned off	If this option is enabled, the screen lock option (Settings > Security > Screen Lock) will be disabled on the device. Any unlock pattern, password, PIN on the device will get cleared. Disabled by default.	Samsung Knox 2.0 and up.
Configure VPN	Allows users to configure VPN. When disabled, network and data usage restrictions set under Android > Mobile Data Management won’t work.	Samsung Knox Standard SDK 2.2 and up, Android Enterprise – Device Owner, Android Enterprise – Profile Owner (6.0 and above).
Automatically power off a device when USB is detached	Enable this option to power off a device whenever a USB is detached from it. This will not work if ‘Power Off’ under Policy > Android > Restrictions > Basic is disabled. Notes: This option works only if: A KPE Premium license key is attached to the devices. Head on to General Settings > Knox Platform for Enterprise > Configure to select the key already added to the portal. The ‘Power Off’ option under Policy > Android > Restrictions is enabled.	Samsung Knox 2.8 and up.
Automatically power on a device when USB is connected	Check this option to automatically turn on the device when a USB is connected. Note: For this feature to work, Attach the KPE Premium license key to the devices. Head on to General Settings > Knox Platform for Enterprise > Configure to select the key already added to the portal. The devices should have Qualcomm and LSI chipsets. All other chipsets will exhibit inconsistent behavior.	Samsung Knox 2.6 and up.

Lock Screen Customizations

Lock screen restrictions

Notes:

Lock Screen customizations are supported only on devices with a secured lock screen (Devices protected by a PIN, pattern or password lock).
To customize the lock screen, the device should be updated with the latest version of the Hexnode For Work app.

Restrictions	Description	Supported Devices
Lock Screen Camera	Uncheck this option to disable camera and face unlock feature on a secured lock screen. Notes: Face unlock configured through trust agents for smart lock may not be disabled even if this option is unchecked. Enabling or disabling this feature will have no effect, if Camera under Policies > Android > Restrictions > Basic is disabled. This feature will have no effect on Samsung Knox devices, if Lock screen shortcuts under Policies > Android > Restrictions > Basic is disabled.	Android Enterprise Device Owner (Android v5.0 & later).
Trust Agents for Smart Lock	If disabled, this would prevent trusted agents like device connected via Bluetooth, NFC, etc. from unlocking the device.	Android Enterprise Device Owner (Android v5.0 & later), Android Enterprise Profile Owner (Android v6.0 & later).
Lock Screen Notifications	If disabled, notifications will not be shown on the secured lock screen.	Android Enterprise Device Owner (Android v5.0 & later).
Unredacted Notifications	If disabled, only redacted notifications will be shown on the locked screen. Redacted notifications are sensitive notifications with contents hidden on the lock screen. This feature can only be enabled if Lock Screen Notifications is enabled.	Android Enterprise Profile Owner (Android v6.0 & later), Android Enterprise Device Owner (Android v5.0 & later).
Fingerprint Unlock	If unchecked, fingerprint unlock will be disabled on a secured lock screen.	Android Enterprise – Device Owner (Android v5.0 & later), Android Enterprise Profile Owner (Android v6.0 & later).
Iris Scanner	Uncheck to disable iris scanner feature on the secured lock screen.	Android Enterprise Device & Profile Owner (Android v9.0 & later).
Face Unlock	If unchecked, users cannot unlock the device via the face unlock feature. Notes: Even if this option is disabled, Face unlock configured through trust agents for smart lock may not be disabled. If Camera under Policies > Android > Restrictions > Basic is disabled, enabling or disabling this feature will have no effect.	Android Enterprise Device & Profile Owner (Android v9.0 & later).

Allow App Settings

App-based Restrictions

Restrictions	Description	Supported Devices
Install apps	Disabling this option will block any apps from installing on the device. Allowed by default.	Samsung Knox Standard SDK 2.0, Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Uninstall apps	To disallow a user from uninstalling any apps from the device, disable this option. Allowed by default.	Samsung Knox Standard SDK 2.2, Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Control apps	Enabling this option allows users to modify applications in Settings or launchers. If this option is disabled, users can’t uninstall apps, disable apps, clear app data and cache, force stopping apps, clear app defaults and so on.	Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Google Play Store	Unchecking this option will hide Google Play Store’s icon from the user’s device. Allowed by default.	Samsung Knox Standard SDK 2.0 and up.
Verify apps before install	Enabling this option allows Google to verify the app content for any harmful behaviour before installation begins. If disallowed, it prevents Google app verification before installation.	Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Install apps from unknown sources	If allowed, it enables the users to install apps from Play Store and other sources. Unchecking this option will block app installation from unknown sources and users can’t turn it back on from the device. Note: App installation and updates initiated from the Hexnode portal will remain unaffected.	Samsung Knox Standard SDK 2.0, Android Enterprise – Profile Owner, Android Enterprise – Device Owner.
App Runtime Permissions	Set runtime permissions for apps. You can grant, deny specific permissions or, set default permissions for the app. Note: The app runtime permissions can only be granted on Android 10 or later devices.	Android Enterprise – Device Owner, Android Enterprise -Profile Owner.
Parent profile app linking	Disabling this option prevents apps in the parent profile to handle web links from managed profile. Note: This feature works for Android devices running version 6 and above.	Android Enterprise – Device Owner, Android Enterprise – Profile Owner.
Allow cross-profile app communication	Enable this option to allow data sharing between the personal and work profiles. Check the option and enter the app’s package name(s) that require cross-profile communication privileges. Make sure the app is installed in both profiles. Once the restriction is applied, the user must enable cross-profile data sharing within the app settings on the device manually. If unchecked, the option to enable cross-profile communication within the app settings will be unavailable to the user. Notes: This restriction only applies to apps that support cross-profile communication. The correct package name must be provided within the restriction. To obtain the correct package name, follow these steps in Hexnode UEM. If you need to grant cross-profile communication access to multiple apps, add the package names separated by commas in the provided field.	Android Enterprise Profile Owner (Android 11+ devices)

Exception:

When the Web Content Filtering policy is applied, VPN and tethering/hotspot functionalities on Samsung Knox devices may have conflicts.

Factory Reset Protection (Google Account Verification)

Google Factory Reset Protection (FRP) is a security feature enabled by default on devices running Android v5.1+, designed to prevent the use of devices if it gets reset to factory settings without your permission. If you have a Google account set on your device and your device is reset, the device remains unusable until you log in using the Google account previously set on your device.
‘Default’ option takes the default device settings for FRP.
‘Bypass Factory Reset Protection‘ enforces the Google account verification step. Add G Suite email address and/or Google Plus Profile IDs to log in to your devices in situations where you forget/do not know the previously configured Google account credentials. Integrate your G Suite account with the Hexnode MDM server to add the accounts to the list.
‘Disable Factory Reset Protection‘ lets you skip the Google account verification step. When asked to enter the Google account credentials, the user can skip the verification by clicking SKIP.

Steps to fetch the package name of an application

To configure the following restrictions, Allow cross-profile app communication and Allow input methods, you must include the correct app package names in the restriction. If these package names are provided incorrectly, the restriction may not function as expected. There are two ways to fetch the app package name within Hexnode UEM. To fetch the correct app package names, follow the steps below in Hexnode UEM.

Method 1

Navigate to the Apps tab.
If the application is not yet added to the app inventory, first add the app to the app inventory.
If it’s already added, search for the app for which you must specify the package name in the restriction.
Ensure that the app’s platform is Android, as the same app may be available for multiple platforms.
Click on the app to access detailed information about it.
In the list of available details, the package name will be listed as the Identifier. Use this as the package name within the restriction.

Method 2

If the application is already installed on the device, navigate to the Manage tab > Devices > Select the device to view the complete device management details.
Within the device details page, navigate to the Applications tab.
Now, ensure that the Identifier column is available. If the column is not present, you can add it by editing the columns available in the table.
Next, search for the application and copy the identifier from the column for use in the policy.

How to Apply the Restrictions to Devices/Groups?

If you haven’t saved the policy yet,

Proceed to the Policy Targets.
Click on + Add Devices, search and select all devices to which the policy is to be applied.
Press OK button to finish adding devices.

Missed a device? No worries. Click on + Add Devices again and you can add more of them.

To associate the policies with a device group instead, select Device Groups from the left pane under Policy Targets, and follow the above instructions. You can associate the policy with users, user groups, or domains from the same pane.

If you’ve saved the policy and you’re taken to the page which displays the policy list,

Check a policy.
From Manage, select Associate Targets.
Add as many devices as you need.

Need more help?

Raise a Ticket

Ask Community

Chat With us