Restrictions for Android (only for Work profile and Work managed devices)


This article shows how to configure and deploy restrictions to Android Enterprise devices.


When these requirements are met, administrators can create and deploy work profile restrictions to the devices. Navigate to Mobile management > Configuration profiles and start the Create configuration profile action from the page action menu. Select Android > Restrictions and define the desired configuration.

Application control

Default runtime permission policy

Specifies the default runtime permission policy for applications. For example, it determines whether fine location access is automatically granted, automatically denied, or prompted for from the device user. This has no effect on runtime permissions that have already been granted or denied.

Application control

Specifies whether a user is allowed to modify applications in Settings or launchers. The following user actions will be denied when this restriction is enabled:

  • Uninstalling apps
  • Disabling apps
  • Clearing app caches
  • Clearing app data
  • Force stopping apps
  • Clearing app defaults

Application uninstallation

Specifies whether a user is allowed to uninstall applications.

Disable application verification

Specifies whether a user is allowed to disable application verification.

Allowed system applications

Specifies a list of allowed system applications by their package name. Allowed system applications are added to the work profile when deployed.


User restrictions

Account modification

Specifies whether a user is allowed to add and remove accounts, unless they are programmatically added by Authenticator.

Credentials configuration

Specifies whether a user is allowed to configure user credentials.

Cross-profile copy paste

Specifies whether the contents of the clipboard of this profile can be pasted to other profiles, e.g. outside of the work profile. Does not restrict whether the clipboard of other profiles can be pasted to this profile.


Specifies whether a user is allowed to enable or access debugging features. This restriction is enabled by default when a work profile is installed to the device.

Location share

Specifies whether a user is allowed to turn on location sharing.

NFC outgoing beam

Specifies whether the user is allowed to use NFC to beam out data from apps.

VPN configuration

Specifies whether a user is allowed to configure VPN.


Camera and audio


Specifies whether the user is allowed to access the camera.

Screen capture

Specifies whether the user is allowed to take screenshots.


Specifies whether audio is enabled. Set to denied to mute audio.


In the personal device deployment scenario, the restrictions only apply to the applications and services inside the created work profile, because the Miradore Online client operates as the profile owner of the work data and has limited control outside of the work profile. In other words, the Miradore Online client is no longer the device administrator of the whole device. For example, if you deny the usage of the camera, the camera application and camera features cannot be used in applications inside the work profile, but the camera application is still available outside of the work profile.

In the work managed device deployment scenario, the restrictions apply to the entire device, because the Miradore Online client is the device owner of the device.

In addition to these restrictions, unknown sources are always disabled when a work profile is enabled on an Android device or a managed account is created. This means that if you want to deploy in-house applications, you must install them as private applications for the managed Google Play Enterprise. For more information about private apps, see Adding private managed Google Play applications.
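
The profile owner versus device owner scoping described above follows from how Android's DevicePolicyManager enforces restrictions for whichever owner role the management client holds. The Kotlin class below is an added example, not Miradore's code: the class name `WorkRestrictions`, the mapping from the settings on this page to `UserManager` keys, and the choice to set every restriction to its denied value are assumptions made for illustration.

```kotlin
import android.app.admin.DevicePolicyManager
import android.content.ComponentName
import android.content.Context
import android.os.UserManager

// Hypothetical helper for this example; not part of any Miradore client.
// `admin` is the DeviceAdminReceiver component of the management client.
// ENSURE_VERIFY_APPS needs API level 26 or later.
class WorkRestrictions(context: Context, private val admin: ComponentName) {
    private val dpm =
        context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager
    private val pkg = context.packageName

    // Assumed mapping: setting name on this page -> Android user restriction key.
    private val userRestrictions = listOf(
        UserManager.DISALLOW_APPS_CONTROL,             // Application control
        UserManager.DISALLOW_UNINSTALL_APPS,           // Application uninstallation
        UserManager.ENSURE_VERIFY_APPS,                // Disable application verification
        UserManager.DISALLOW_MODIFY_ACCOUNTS,          // Account modification
        UserManager.DISALLOW_CONFIG_CREDENTIALS,       // Credentials configuration
        UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE, // Cross-profile copy paste
        UserManager.DISALLOW_DEBUGGING_FEATURES,       // Debugging features
        UserManager.DISALLOW_SHARE_LOCATION,           // Location share
        UserManager.DISALLOW_OUTGOING_BEAM,            // NFC outgoing beam
        UserManager.DISALLOW_CONFIG_VPN                // VPN configuration
    )

    /** Where restrictions take effect: whole device, work profile only, or null if not an owner. */
    fun scope(): String? = when {
        dpm.isDeviceOwnerApp(pkg) -> "device"
        dpm.isProfileOwnerApp(pkg) -> "work profile"
        else -> null
    }

    /** Applies the all-denied variant of the profile and returns the scope it took effect in. */
    fun applyAll(allowedSystemApps: List<String>): String {
        val scope = scope()
            ?: throw SecurityException("$pkg is neither profile owner nor device owner")
        // Default runtime permission policy: deny without prompting the user.
        dpm.setPermissionPolicy(admin, DevicePolicyManager.PERMISSION_POLICY_AUTO_DENY)
        userRestrictions.forEach { dpm.addUserRestriction(admin, it) }
        // As profile owner these affect only work-profile apps; as device owner, the whole device.
        dpm.setCameraDisabled(admin, true)
        dpm.setScreenCaptureDisabled(admin, true)
        // Allowed system applications: re-enable each listed package for the managed user.
        allowedSystemApps.forEach { dpm.enableSystemApp(admin, it) }
        return scope
    }
}
```

The same calls produce different effective coverage depending on the value `scope()` returns, which is why a denied camera remains usable from personal apps on a work profile device.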






More information:

About Android Enterprise Solution

How to configure managed Google Play Enterprise

How to enable work profile to Android devices

How to enroll work managed devices

Creating a configuration profile 

Deploying a configuration profile 

Removing deployed configuration profiles

Please send comments to contact@miradore.com.