Miradore Management Suite Portal

Restrictions for Android (only for Work profile and Work managed devices)

This article shows how to configure and deploy restrictions to Android Enterprise devices.

Requirements:

When these requirements are met, administrators can create and deploy work profile restrictions to the devices. Navigate to Mobile management > Configuration profiles and start the Create configuration profile action from the page action menu. Select Android > Restrictions and define the desired configuration.

Application control

Default runtime permission policy

Specifies the default runtime permission policy for applications. For example, whether fine location access is automatically granted, denied or prompted from the device user. This has no effect on already granted or denied runtime permissions.

Application control

Specifies whether a user is allowed to modify applications in Settings or launchers. The following user actions will be denied when this restriction is enabled:

  • Uninstalling apps
  • Disabling apps
  • Clearing app caches
  • Clearing app data
  • Force stopping apps
  • Clearing app defaults

Application uninstallation

Specifies whether a user is allowed to uninstall applications.

Disable application verification

Specifies whether a user is allowed to disable application verification.

Whitelisted system applications

Specifies a list of whitelisted system applications by their package name*. These are enabled in the work profile when deployed.

Blacklisted system applications

Specifies a list of blacklisted system applications by their package name*. These are enabled in the work profile when deployed. Requires Miradore Online Client version 2.6.5 or newer.

*NOTE: You can find the package names of system apps on the Applications tab of a particular device's view (see the screenshot below). You may first have to enroll that device normally to see all of the package names, or check the names from another device's application inventory. Unfortunately, we don't have any list of those package names.

Online-2018-02-02-12-05-52.png

 

User restrictions

Account modification

Specifies whether a user is allowed to add and remove accounts, unless they are programmatically added by Authenticator.

Credentials configuration

Specifies whether a user is allowed to configure user credentials.

Cross-profile copy paste

Specifies whether the contents of the clipboard of this profile can be pasted to other profiles, e.g. outside of the work profile. Does not restrict whether the clipboard of other profiles can be pasted to this profile.

Debugging

Specifies whether a user is allowed to enable or access debugging features. This restriction is enabled by default when a work profile is installed to the device.

Location share

Specifies whether a user is allowed to turn on location sharing.

NFC outgoing beam

Specifies whether the user is allowed to use NFC to beam out data from apps.

VPN configuration

Specifies whether a user is allowed to configure VPN.

 

Camera and audio

Camera

Specifies whether the user is allowed to access the camera.

Screen capture

Specifies whether the user is allowed to take screenshots.

Audio

Specifies whether audio is enabled. Set to denied to mute audio.

 

Device Owner 

Add users

Specifies if a user is allowed to add users.

Adjust volume

Specifies if a user is allowed to adjust volume.

Audio

Specifies if audio is enabled. Set to denied to mute audio.

Bluetooth configuration

Specifies if a user is allowed to configure Bluetooth settings.

Cellular broadcast configuration

Specifies if a user is allowed to configure cellular emergency broadcast settings.

Create windows

Specifies if a user is allowed to create windows besides app windows.

Data roaming

Specifies if data roaming is allowed. Supported in Android 7 or newer.

Factory reset

Specifies if factory reset is denied from the settings or using Google device manager. Works only if the manufacturer allows this functionality.

Fun

Specifies if a user is allowed to have fun. In some cases, the device owner may wish to prevent the user from experiencing amusement or joy while using the device. Controls whether the Easter egg game in Settings is disabled. Supported in Android 6 or newer.

Mobile network configuration

Specifies if a user is allowed to configure mobile network settings.

Mount physical media

Specifies if a user is allowed to mount physical external media.

Network reset

Specifies if a user is allowed to reset network settings. Supported in Android 6 or newer.

Outgoing calls

Specifies if a user is allowed to make outgoing phone calls.

Remove users

Specifies if a user is allowed to remove users.

Safe boot

Specifies if a user is allowed to reboot the device into safe boot mode. Supported in Android 6 or newer.

SMS

Specifies if a user is allowed to send or receive SMS messages.

Tethering configuration

Specifies if a user is allowed to configure tethering settings.

Unmute microphone

Specifies if a user is allowed to unmute the microphone.

USB file transfer

Specifies if a user is allowed to transfer files over USB.

Wi-Fi configuration

Specifies if a user is allowed to configure Wi-Fi settings.

 

Account Management

Account modification

Specifies if a user is allowed to add and remove accounts, unless they are programmatically added by Authenticator.

Deny account management types

Specifies a list of account types that cannot be managed on the device or work profile. Users cannot add, remove or modify these account types.

In the personal devices deployment scenario, the restrictions apply only to the applications and services inside the created work profile, because Miradore Online client operates as the profile owner of the work data and has limited control outside of the work profile. In other words, Miradore Online client is no longer the device administrator of the whole device. For example, if you deny the use of the camera, the camera application and camera features cannot be used in applications inside the work profile, but the camera application remains available outside of the work profile.

In the work managed devices deployment scenario, the restrictions apply to the entire device, because Miradore Online client is the device owner of the device.

In addition to these restrictions, unknown sources are always disabled when a work profile is enabled on an Android device or a managed account is created. This means that if you want to deploy in-house applications, you must install them as private applications for the managed Google Play Enterprise. For more information about private apps, see Adding private managed Google Play applications.
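As an added illustration (not Miradore code and not a Miradore export format), the sketch below checks a planned set of restrictions against the scope and version rules described in this article before deployment. The settings list, the device dictionaries and the function names are hypothetical, and it assumes that the settings listed under the Device Owner heading take effect only on work managed devices.

```python
# Added example; the profile/device layout below is hypothetical.
# Version limits are the ones stated in the setting descriptions.
MIN_ANDROID = {"Data roaming": 7, "Fun": 6, "Network reset": 6, "Safe boot": 6}
MIN_CLIENT = {"Blacklisted system applications": (2, 6, 5)}

# Settings under the "Device Owner" heading ("Audio" is left out because it
# is also listed under "Camera and audio"). Assumption: these take effect
# only where the client is device owner, i.e. on work managed devices.
DEVICE_OWNER_ONLY = {
    "Add users", "Adjust volume", "Bluetooth configuration",
    "Cellular broadcast configuration", "Create windows", "Data roaming",
    "Factory reset", "Fun", "Mobile network configuration",
    "Mount physical media", "Network reset", "Outgoing calls", "Remove users",
    "Safe boot", "SMS", "Tethering configuration", "Unmute microphone",
    "USB file transfer", "Wi-Fi configuration",
}


def version_tuple(text):
    """'2.10.0' -> (2, 10, 0) so versions compare numerically, not as text."""
    return tuple(int(part) for part in text.split("."))


def review_profile(settings, device):
    """Map each planned setting to where it takes effect on this device."""
    in_work_profile = device["mode"] == "work_profile"
    result = {}
    for name in settings:
        if in_work_profile and name in DEVICE_OWNER_ONLY:
            result[name] = "unsupported: needs a work managed device"
        elif device["android"] < MIN_ANDROID.get(name, 0):
            result[name] = f"unsupported: needs Android {MIN_ANDROID[name]} or newer"
        elif version_tuple(device["client"]) < MIN_CLIENT.get(name, (0,)):
            needed = ".".join(str(n) for n in MIN_CLIENT[name])
            result[name] = f"unsupported: needs client {needed} or newer"
        elif in_work_profile:
            result[name] = "work profile only"  # profile owner scope
        else:
            result[name] = "entire device"      # device owner scope
    return result


# Constructed sample inputs, not real inventory data.
PLANNED = ["Camera", "Factory reset", "Data roaming",
           "Blacklisted system applications"]
BYOD = {"mode": "work_profile", "android": 8, "client": "2.6.4"}
COMPANY = {"mode": "work_managed", "android": 6, "client": "2.10.0"}

if __name__ == "__main__":
    for label, device in (("BYOD", BYOD), ("COMPANY", COMPANY)):
        for name, verdict in review_profile(PLANNED, device).items():
            print(f"{label:8} {name:32} {verdict}")
```
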

 

 

 

 

 

More information:

About Android Enterprise Solution

How to configure managed Google Play Enterprise

How to enable work profile to Android devices

How to enroll work managed devices

Creating a configuration profile 

Deploying a configuration profile 

Removing deployed configuration profiles

