This article shows how to configure and deploy restrictions to Android Enterprise devices.
- Enterprise Plan subscription or trial.
- Managed Google Play Enterprise has been configured.
- Miradore Online client 2.4.0 or newer installed on the devices.
- Devices are running Android 5.0 or newer.
- Work profile has been enabled on the target Android devices, or
- Devices have been provisioned as work managed devices in device owner mode.
When these requirements are met, administrators can create and deploy work profile restrictions to the devices. Navigate to Mobile management > Configuration profiles and start the Create configuration profile action from the page action menu. Select Android > Restrictions and define the desired configuration.
Default runtime permission policy
Specifies the default runtime permission policy for applications. For example, whether fine location access is automatically granted, denied or prompted from the device user. This has no effect on already granted or denied runtime permissions.
Specifies whether a user is allowed to modify applications in Settings or launchers. The following user actions will be denied when this restriction is enabled:
- Uninstalling apps
- Disabling apps
- Clearing app caches
- Clearing app data
- Force stopping apps
- Clearing app defaults
Specifies whether a user is allowed to uninstall applications.
Disable application verification
Specifies whether a user is allowed to disable application verification.
Allowed system applications
Specifies a list of allowed system applications by their package name. Allowed system applications are added to the work profile when deployed.
Specifies whether a user is allowed to add and remove accounts, unless they are programmatically added by Authenticator.
Specifies whether a user is allowed to configure user credentials.
Cross-profile copy paste
Specifies whether the contents of the clipboard of this profile can be pasted to other profiles, e.g. outside of the work profile. Does not restrict whether the clipboard of other profiles can be pasted to this profile.
Specifies whether a user is allowed to enable or access debugging features. This restriction is enabled by default when a work profile is installed to the device.
Specifies whether a user is allowed to turn on location sharing.
NFC outgoing beam
Specifies whether the user is allowed to use NFC to beam out data from apps.
Specifies whether a user is allowed to configure VPN.
Camera and audio
Specifies whether the user is allowed to access the camera.
Specifies whether the user is allowed to take screenshots.
Specifies whether audio is enabled. Set to denied to mute audio.
In the personal device deployment scenario, the restrictions apply only to the applications and services inside the created work profile, because Miradore Online client operates as the profile owner of the work data and has limited control outside of the work profile. In other words, Miradore Online client is no longer the device administrator of the whole device. For example, if you deny the usage of the camera, the camera application and camera features cannot be used in applications inside the work profile, but the camera application is still available outside of the work profile.
In the work managed device deployment scenario, the restrictions apply to the entire device, because Miradore Online client is the device owner of the device.
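The sketch below shows how settings like these are applied through the Android platform's device policy API, and why the same calls reach only the work profile for a profile owner but the whole device for a device owner. It is an added example, not Miradore's code: the mapping of each setting on this page to an Android constant is an assumption based on the setting descriptions, and `RestrictionApplier`, `apply`, `admin` and `allowedSystemApps` are hypothetical names.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.UserManager;

/** Hypothetical policy controller illustrating the platform calls; not Miradore code. */
public final class RestrictionApplier {
    // Assumed mapping from this page's settings to Android user restrictions.
    private static final String[] USER_RESTRICTIONS = {
        UserManager.DISALLOW_APPS_CONTROL,             // modify apps in Settings or launchers
        UserManager.DISALLOW_UNINSTALL_APPS,           // uninstall applications
        UserManager.ENSURE_VERIFY_APPS,                // keep application verification on
        UserManager.DISALLOW_MODIFY_ACCOUNTS,          // add and remove accounts
        UserManager.DISALLOW_CONFIG_CREDENTIALS,       // configure user credentials
        UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE, // paste this profile's clipboard elsewhere
        UserManager.DISALLOW_DEBUGGING_FEATURES,       // debugging features
        UserManager.DISALLOW_SHARE_LOCATION,           // location sharing
        UserManager.DISALLOW_OUTGOING_BEAM,            // NFC outgoing beam
        UserManager.DISALLOW_CONFIG_VPN,               // configure VPN
    };

    /** Applies the restrictive value of every setting and returns the scope that took effect. */
    public static String apply(Context ctx, ComponentName admin, String[] allowedSystemApps) {
        DevicePolicyManager dpm =
            (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        String pkg = ctx.getPackageName();
        boolean deviceOwner = dpm.isDeviceOwnerApp(pkg);
        if (!deviceOwner && !dpm.isProfileOwnerApp(pkg)) {
            throw new SecurityException("caller is neither device owner nor profile owner");
        }
        for (String restriction : USER_RESTRICTIONS) {
            dpm.addUserRestriction(admin, restriction);
        }
        // Default runtime permission policy exists only from Android 6.0 (API 23) onwards.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            dpm.setPermissionPolicy(admin, DevicePolicyManager.PERMISSION_POLICY_AUTO_DENY);
        }
        // Camera and audio group.
        dpm.setCameraDisabled(admin, true);
        dpm.setScreenCaptureDisabled(admin, true);
        dpm.setMasterVolumeMuted(admin, true);
        // Allowed system applications are enabled by package name.
        for (String systemApp : allowedSystemApps) {
            dpm.enableSystemApp(admin, systemApp);
        }
        // The platform scopes every call above to the caller's own user or profile.
        return deviceOwner ? "entire device" : "work profile only";
    }
}
```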
In addition to these restrictions, installation from unknown sources is always disabled when a work profile is enabled on an Android device or a managed account is created. This means that if you want to deploy in-house applications, you must install them as private applications for the managed Google Play Enterprise. After enrolling the managed Google Play Accounts enterprise, publish the in-house app with the same Google account in the Google Play developer console, and restrict its availability to users of the enrolled enterprise only.
After you publish the application in the developer console, it will be visible in the list of approved applications for the managed Google Play Accounts enterprise.