Android Device Profile Restrictions for Company Owned Devices
  • 28 Feb 2024


As part of device policy controls, the Restrictions section offers a wide collection of control and security policies that let you control and manage your devices better.

This document explains all the Restrictions offered in the Scalefusion Dashboard that can be applied to managed Android devices.

Before You Begin

  • You must have a valid Scalefusion account

How to Access

Follow these steps to access the Restrictions section in a corporate profile:

  1. From your Scalefusion dashboard, go to Device Profiles & Policies ➞ Device Profiles.
  2. Click on Create New Profile in the upper right corner or edit an existing Android device profile.
  3. Select the Kiosk/Agent option.
  4. Enter a name for the profile and an exit passcode. Click on the Submit button. You will be redirected to the Profile Creator view.
  5. The last section is the Restrictions section. Each of the controls in this section is explained below.

Device Settings

Volume Settings

This setting allows you to control the volume attributes of your devices.

Setting | Description
Control Ringer Volume | Allows the user to control the device’s ringing volume. Choose one from the following options:
  • Never: If this is chosen, volume cannot be controlled by the Dashboard. Users can set the volume according to their requirements manually.
  • Mute: Sets volume to 0 (no volume)
  • Fix at Level: This shows a bar that you can drag to fix the volume level
  • Specify Range: Drag on the bar to set the volume range
Control Music Volume | Allows the user to control the music volume of the device. Shows the same options as above to choose from.
Control Alarm Volume | Allows the user to control the alarm volume of the device. Shows the same options as above to choose from.

Display Settings

This setting allows you to manage the display attributes of your devices.

Setting | Description
Screen Time Out Settings | Allows you to set idle screen timeout duration from the dropdown list.
Power Button causes the display to sleep | If the screen time-out is set to Keep Always On, then an additional option can be used to define power button behavior.
Enable Adaptive Brightness | Enabling this auto-adjusts the device brightness according to the surrounding lights.
Allow changing of brightness | Allows the user to change the screen brightness of the device from either the 3 dots Menu on the Scalefusion home screen or the Notification center.
Control device screen brightness | Use this option to enforce the default screen brightness. This will override user choice on the device, if any.

Secure Settings

Configure additional security settings for your company-owned devices to get better control and provide an enhanced kiosk experience. To start configuring these settings, enable Override Global/Device Secure Settings.

Setting | Category | Description
Allow users to do Factory Reset* | Device Management | Choose if the users are allowed to factory reset the device. On Samsung, Sony and LG, if disabled, then it prevents the user from factory resetting the device by using the ROM recovery method. For normal EMM devices, it blocks the Factory Reset option in System Settings.
Allow users to boot the device in Safe Mode* | Device Management | Choose if the users can use the power-off key and boot into safe mode.
Allow users to power off the device | Device Management | Choose if the users are allowed to use the power-off button and switch off the device.
Allow users to enable/disable the airplane mode | Settings Management | Choose if the users can control the Airplane mode from the power-off menu or from system settings.
Disable Guest Mode | Settings Management |
Allow System Error Dialogs | Settings Management | When this setting is turned On, the error dialogs will be visible to users for cases like app crashes. If turned Off, the error dialogs will be hidden.
Allow Floating Windows | Settings Management |
  • When this setting is turned On, floating app windows will be allowed on devices that support floating windows for multitasking.
  • After enabling, if you disable this setting, a confirmation box will come up
Allow unknown sources* | App Management | Choose if the users are allowed to install Android applications from third-party apps or directly by downloading APKs.
Allow App Uninstallation and Clear App Data | App Management | Choose if the users can uninstall and/or clear the application data of installed applications.
Disallow User to set Wallpaper | Settings Management | Enable this setting if you want to restrict the users from changing wallpaper on EMM Managed and Samsung Knox-enabled devices.
Set Lock Screen to None, if No PIN/password is set on the device | Settings Management | Sets the lock screen to None when the following conditions are met:
  • The device supports Wingman
  • No Password Policy applied
  • No PIN/Password set from settings
Disable Edge Screen | Settings Management | Disables access to Edge Screen from where you can quickly access your apps/features/contacts.
Enable Double Tap to Wake | Settings Management | Wakes up the device from sleep mode on double-tap. This setting works on Wingman-supported devices.
Enable Lift to Wake | Settings Management | If this is enabled, then the display will turn on by simply lifting your device. This is supported on Wingman-supported devices only.
Prevent In-App Browsing | App Management | This setting blocks the Android Webview component, thereby blocking apps using it for in-app browsing. Please note this will work:
  • If the Scalefusion browser is not enabled
  • URL shortcuts have not been configured
  • Devices are EMM Managed
Disable the Emergency Call Menu on the Lock Screen | App Management | Disables the emergency call menu on the Lock screen on Lenovo devices
Block Incoming MMS | App Management | Enabling this blocks incoming MMS on Knox-supported devices
Allow Users to Change Screen Lock Type | App Management | This setting allows or disallows the user to set a lock screen password on Lenovo devices (OS 10 & above). The user will not be able to access the lock screen password configuration in the Settings app.
Allow users to use Home Key | Hardware & Navigation Keys | Choose if the users can use the Home button on Android devices.
Allow users to use the Back Key | Hardware & Navigation Keys | Choose if the users can use the Back button on Android devices.
Allow users to use the app switch key | Hardware & Navigation Keys | This setting can be used to block the Recent Key altogether.
Configure Navigation Mode | Hardware & Navigation Keys | You can configure the navigation mode for devices by selecting one of the following options:
  • No Policy: The default mode set on the device will apply.
  • 2-button Navigation: Home and Back keys will be available on the bottom bar.
  • 3-Button Navigation: Home, Back and App Overview keys will be available for navigation.
  • Gesture Mode: Navigation can be done with gestures
  Important Points to Note:
  1. Navigation mode can be configured only for Wingman-supported devices.
  2. 3-button or 2-button navigation mode is device and OS specific and hence may or may not be supported on all devices.
  3. If the settings Allow users to use Back / Home key are enabled, they will take precedence over the navigation mode you have configured (if any).
Allow Multi Window | Settings Management | Choose if users can use the multi-window feature on some phones/tablets.
Allow MTP access | Storage Device Management | Choose if the user can access the media on the device via MTP protocol when connected to a device via a USB cable.
Allow users to connect via USB cable | Storage Device Management | Choose if the users can connect the device via a USB cable and access the USB storage and other options.
Allow USB Debugging mode | Storage Device Management | Choose if the users can use the USB Debugging feature when connected to a USB cable.
Disable SD card usage | Storage Device Management | Disables the SD card usage on devices. Applicable on Lenovo and Knox-enabled devices.
Enforce SD card Encryption | Storage Device Management | Enabling this setting enforces encryption for the SD card on Knox-enabled devices.
  Place a shortcut on the home screen to prompt users: Place a shortcut on the home screen, which directly takes you to the Settings app, from where you can enforce encryption. This can be enabled only if SD card encryption is enforced.
  To enforce encryption:
  • Enable this setting on the Dashboard.
  • On the device, click on the shortcut icon on the home screen.
  • Encrypt the SD card.
Disable SIM card | Additional Settings | Disables SIM card on Lenovo devices
Disable Accessibility Option in Navigation bar | Additional Settings | Disables the accessibility option present in the Navigation bar. This is applicable to Lenovo devices.
Block Settings on Boot | Additional Settings | If this is enabled, users will not be allowed to access settings from the notification bar after the device is rebooted. Applicable on EMM Managed devices.
Show Battery Percentage in Status Bar | Additional Settings | If this setting is enabled, battery percentage is displayed in the Status bar on Wingman-supported devices.
Note:
Secure Settings can be controlled from the Enterprise > Secure Settings section as well. However, we recommend controlling this from the Device Profile for uniformity and ease of management.
Note:
Secure Settings can also be enforced using Wingman on non-EMM devices that support Wingman. For this, navigate to Android Utilities > Global Settings and enable the flag Use Wingman to enforce secure settings on Kiosk Devices

Unlock Settings

An IT admin may need to unlock a device for a short duration for debugging or some other reasons. To maintain the security of the device even when it is unlocked, certain settings can be configured. Click here to learn about the settings and their configuration.

General Settings

These settings allow you to manage some general settings.

Timezone Settings

Setting | Category | Description
Configure Automatic Network Time & Timezone | Timezone Settings | You can configure the time & timezone to be picked up by the device. There are three options to choose from:
  • Enable: Forces the device to use network time only, if available. If this is enabled, the rest of the timezone settings cannot be configured.
  • Disable: Disables the network-based time
  • Allow Users: Users get an option to toggle this setting to on or off.
Prevent users from changing date/time from Settings app | Timezone Settings | Blocks users from changing the date/time from the Settings app if they have access to Settings on the device.
Allow users to set Date/Time from Scalefusion app | Timezone Settings | Provides an option for users to set the date/time manually inside the Scalefusion app.
Allow Users to access “Timezone” inside the app | Timezone Settings | If this option is enabled then users can see an option in the Scalefusion menu to change the timezone.
Choose Timezone configuration | Timezone Settings | Enforce a default timezone for the devices from a list of previously created TimeZone configurations.
Disable Power Menu | Disable Power Menu | Enabling this setting hides the power-off menu when the user presses the Power button. Note that this does not disable the power-off functionality completely; it only hides the power-off menu.
Lock Screen Orientation | Lock Screen Orientation | Enforce an orientation on your devices by selecting the following:
  • Select Orientation: Select either Portrait or Landscape
  • Select Form factors: Apply the orientation on tablets or all devices. Select one.
Wifi State | Network/Peripheral Settings | Choose if you want to enforce the Wi-Fi to be always On or Off. By default, it is set as None, and no policy is enforced.
Bluetooth State | Network/Peripheral Settings | Choose if you want to enforce the Bluetooth to be always ON or OFF. By default, it is set as None, and no policy is enforced.
Device Configuration | Device Configuration | Allows users to configure device properties like names and additional custom properties with the following settings:
  • Allow Users to Change the Name of Device: If this toggle is set to ON, then users can set the device name from the device.
  • Allow Users to enter values for Custom Properties: With this toggle on, you can select the custom properties that users should be shown on the device and select if they should be optional or required. Once this is set, users can set values for the allowed custom fields from the device.
Configure Language Settings | | Configure language settings for devices with the following settings:
  • Allow Users to change Language: Choose this if you want to allow users to change language on the device
  • Select Default Language: Select the default language for the device

Permission Settings

Scalefusion requires some permissions to manage the devices properly. Choose what happens when permissions are missing and control additional permissions.

Setting | Description
Enforce Exit Password to Complete Setup | Toggle on this option to enforce an exit password to be entered by the user for completing the setup
Enforce Disable Assist App | If you select this, the Google Assist app will be disabled for the user
Enforce Battery Optimization Exclusion permission | Battery Optimisations kill the apps and their processes in the background to optimize battery usage. However, to be able to apply all policies properly and secure the device, Scalefusion needs to be kept running in the background. Enabling this setting ensures the Scalefusion agent app runs in the background for longer times and excludes it from battery optimization. When this setting is enabled, a permission toggle is shown during enrollment that asks for battery optimization exclusion.

Network & Location Settings

WiFi Settings

This setting allows you to manage the WiFi configuration of your devices.

Setting | Description
Choose WiFi configuration | Allows you to select and switch between Primary as well as additional Wifi configurations. Because multiple Wi-Fi configurations can be selected, users can switch Wi-Fi connections between the available ones. Once Wi-Fi is published on the device, it attempts to connect to the one with the strongest signal.
Allow Fallback if configured Wifis cannot be set | If enabled, it allows users to connect to a different Wifi if any of the configured Wifis cannot be connected. We show a list of possible wifis the user can connect to.
Allow Fallback if configured Wifis are not reachable post-setup | Allows users to connect to a different Wifi if the configured Wifis are valid but not reachable.
Allow users to access the “WiFi Connection” menu inside the app | Enables access to the WiFi Connection menu from the Scalefusion application. If a Wifi configuration is applied, then this menu cannot be used.
Allows users to connect/disconnect from WiFi Network | Allows the user to connect or disconnect a WiFi network from the Scalefusion application. If a Wifi configuration is applied, then this menu cannot be used.

Mobile Network

This setting allows you to manage the Mobile data configuration of your devices.

Hotspot Settings

Setting | Description
Display an icon on Homescreen | Allows you to choose whether you want to display the Mobile hotspot icon on the Scalefusion app's home screen that is used to indicate the current state of the Hotspot.
Allow users to share/unshare from Hotspot Network | Choose if the users are allowed to enable/disable the Hotspot state from the Scalefusion Notification center. If this option is disabled, then the user has no control over the sharing/unsharing of the hotspot: the notification center will show a hotspot tile, but tapping on it will show the message 'admin has disabled this feature'. If this option is enabled, then tapping on the hotspot tile in the notification center will turn the hotspot on/off on the device.
Display an icon on Homescreen | Allows you to choose whether you want to display the Mobile hotspot icon on the Scalefusion app's home screen
Warn & Disconnect if max connections exceed | Allows you to restrict the maximum number of devices that can be connected to the Hotspot. If you exceed this number, the hotspot connection stops, with a warning message on the host device.
Choose Hotspot configuration | Allows you to choose a Hotspot configuration for your device. Once applied, the devices will create a hotspot and share their internet.
Let users disconnect from Hotspot Config | Allows users to disconnect from the configured hotspot. Users can disconnect the hotspot using the Scalefusion notification center widget or from the home screen shortcut.
Turn On the Hotspot when the configuration changes | If this setting is enabled, the device auto-connects to the hotspot when a new hotspot configuration is created, or an existing one is updated. However, if this is disabled, the configuration just gets created/updated but does not auto-connect.
Turn On the Hotspot if disconnected by the OS | Enabling this setting monitors the state of the Hotspot, and if it is auto-disconnected due to the device being idle, then it gets turned On

Mobile Data Settings

Setting | Description
Allow user to access “Mobile Data Settings” inside the app | If enabled, it allows the user to access the mobile data options of the device from inside the Scalefusion app
Choose Mobile Data State | Choose what state the mobile data should be on the device from the following:
  • None
  • Always Off
  • Always On
Choose Data Roaming State | Choose a state for Mobile Data roaming from the following:
  • None
  • Always OFF
  • Always-ON
  • Allow Users to Choose

Location Settings

Configure Location Settings on the device profile, which gets applied to the devices on which the profile is applied. To configure Location settings, toggle on the first setting, that is, Override Global Location Settings. This enables the other settings and makes them configurable. When applied, they override the settings that have been set through Location & Geofencing > Location Settings on the Dashboard.

Force GPS always off: Enforces GPS to be always off on Android devices which are EMM Managed, Wingman, Knox and Lenovo. If this setting is enabled, the rest of the settings are not configurable.

To learn more about Location Settings, visit the section Configure Location Settings

VPN Settings

From the list of applications, you can select one app and mark it as Always On VPN with an additional flag to lock down the network. 

This feature works only on EMM devices running OS 7 and above that are set up either using afw#mobilock or as Device Owner.

Setting | Description
Select an Always On VPN Application | Simply select an application from the list that will be configured as an Always On VPN app
Enable VPN Lockdown | Once this is enabled, any failure of the VPN provider could break networking for all apps

Device Management

Application Management Settings

From this section, the admin can configure application management settings for Android devices that let them control the app usage. Click here to learn more about the settings and how to configure them.

EMM Settings

These are the additional settings for your EMM-managed devices that provide additional security and control. These settings also allow you to give your users access to System Settings in a controlled fashion if need be.

Allowing these settings does not mean that users will have access to these settings directly. You need to allow the selected applications like System Settings or others that allow modification to these settings. These are useful if you want to restrict and prevent other malicious apps from using them.
Setting | Category | Description
Allow Outgoing Phone Calls | Communication | Normally disabling the Phone app will achieve this. However, there might be some apps that might attempt to make phone calls. This option lets you completely disable outgoing calls.
Allow Send/Receive SMS | Communication | Normally disabling the default messaging app will achieve this. However, there might be some apps that can send SMS discreetly. This option lets you completely block the SMS.
Allow Bluetooth | Communication | Allows a user to connect to a Bluetooth device.
Allow Android Beam | Communication | Allows a user to share files through Android Beam.
Allow Adding Users | User Management | Choose if the user can add multiple user accounts on devices. This is useful to prevent creating new users immediately after boot or from the system settings app.
Allows Removing Users | User Management | Choose if the user can remove the already created multiple user accounts.
Allow Adding Google Account | User Management | Choose if the user can add Google accounts. This is used to prevent accidental creation of accounts via other applications.
Allow Adding/Deleting Accounts | User Management | Choose if the user can add additional accounts like Outlook on their devices. This is used to prevent accidental creation of accounts via other applications.
Allow Backup & Restore | User Management | Enabling this setting allows users to back up data to their Google account and restore the backed-up information to the original device or to some other Android device.
Allow Mobile Network Changes | Network & Security | Allows users to change mobile network settings if they have access to the Settings app.
Allow Tethering From All Sources | Network & Security | Allow users to enable Tethering via USB or Bluetooth.
Allow WiFi Changes | Network & Security | Allow users to modify the Wi-Fi network from System Settings if they have access to it. This may cause them to lose connectivity, and hence it is suggested that you allow them to use Scalefusion's Wi-Fi connection options as a fallback.
Allow WiFi State Change | Network & Security | This will prevent the WiFi from turning off while enabling the airplane mode. This is supported on OS 13+
Allow Screen Capture | Network & Security | Choose if the users are allowed to capture the screenshots of applications.
Allow Camera | Network & Security | Choose if the default Camera is disabled and cannot be used by any application.
Allow Disabling Application Verification | Network & Security | Choose if users can disable Google Play Application Verification if they have access to the managed Play Store.
Allow Installing & Managing Certificates | Network & Security | If enabled, users can install and manage certificates manually on the device.
Allow Keyguard | Keyguard | Choose if the Keyguard/Lock screen is allowed.
Allow Keyguard Camera | Keyguard | If the Keyguard is allowed, then control if the Camera can be launched from the lock screen.
Allow Keyguard Notifications | Keyguard | If Keyguard is allowed, then control if the notifications should be displayed.
Allow Keyguard Trust Agent State | Keyguard | If Keyguard is allowed, then control if users can pair the Bluetooth devices as trust agents for auto-unlock.
Allow Keyguard Unredacted Notifications | Keyguard | If Keyguard is allowed, then choose if unredacted notifications are allowed.
Allow Keyguard Fingerprint Sensor | Keyguard | If Keyguard is allowed, then choose if users can use the fingerprint scanner.
Enable System Status Bar | Agent Mode | When Scalefusion is set as Agent, choose if the users can access the system status bar and notifications.
Hide Agent App from UI | Agent Mode | When Scalefusion is set as Agent, then you can choose if the Scalefusion app icon is hidden from the native launcher. Note that this does not prevent the app from appearing in System Settings > Apps list.
Restrict Apps | Agent Mode | When Scalefusion is set as Agent, you can control whether the application usage should be restricted or not. Based on the applications that you have enabled, if this setting is true, then only the selected applications are shown in the default launcher.
Enable Notification / Status Bar | Notification bar settings | Configure the following notification bar settings under this:
  • Enable Notification / Status bar: When enabled, the following settings are configurable:
    • Allow Access to Notifications and Quick Action Tiles: You can access notifications and quick actions
    • Allow access only to Notifications (on OS version 9.0 and above): You can only access notifications.
    • Block Power Off Menu (on OS version 9.0 and above): Blocks the power off menu on the device, and you cannot switch off the device.
  • Disable System Info on Status bar (on OS version 9.0 and above): This disables the display of system info, such as wifi, battery information etc., on the status bar.
These settings will work only if your device is set up as an EMM device.
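
To confirm that the toggles in the EMM Settings table actually took effect on an enrolled device, the restriction keys the device reports can be compared with the profile's intent. The script below is an added example, not Scalefusion code: the label-to-key mapping is an assumption inferred from the descriptions above (the keys themselves are standard Android user restrictions), and the sample dump and profile are constructed.

```python
import re

# ASSUMPTION: dashboard toggle label -> Android UserManager restriction key that
# should be active when the toggle is switched OFF. The keys are standard
# Android user restrictions; the pairing with each label is inferred from the
# table's descriptions and is not documented Scalefusion behaviour.
TOGGLE_TO_RESTRICTION = {
    "Allow Outgoing Phone Calls": "no_outgoing_calls",
    "Allow Send/Receive SMS": "no_sms",
    "Allow Bluetooth": "no_bluetooth",
    "Allow Android Beam": "no_outgoing_beam",
    "Allow Adding Users": "no_add_user",
    "Allows Removing Users": "no_remove_user",
    "Allow Adding/Deleting Accounts": "no_modify_accounts",
    "Allow Mobile Network Changes": "no_config_mobile_networks",
    "Allow Tethering From All Sources": "no_config_tethering",
    "Allow WiFi Changes": "no_config_wifi",
    "Allow Installing & Managing Certificates": "no_config_credentials",
    "Allow Disabling Application Verification": "ensure_verify_apps",
}

_KEY = re.compile(r"\b(no_[a-z_]+|ensure_verify_apps)\b")


def active_restrictions(dump_text):
    """Collect restriction keys from a text dump of device state."""
    return set(_KEY.findall(dump_text))


def audit(intended, dump_text):
    """Compare intended toggles ({label: allowed?}) with what the device reports.

    Returns (label, status, key) tuples for every mismatch:
      not_enforced            toggle is OFF but the restriction is absent
      unexpectedly_restricted toggle is ON but the restriction is present
      unmapped                no restriction key known for this label, so it
                              has to be verified some other way
    """
    active = active_restrictions(dump_text)
    findings = []
    for label, allowed in intended.items():
        key = TOGGLE_TO_RESTRICTION.get(label)
        if key is None:
            findings.append((label, "unmapped", None))
        elif not allowed and key not in active:
            findings.append((label, "not_enforced", key))
        elif allowed and key in active:
            findings.append((label, "unexpectedly_restricted", key))
    return findings


# Constructed sample, shaped like the restriction list a device reports (for
# example via `adb shell dumpsys user`); real layout varies by Android version.
SAMPLE_DUMP = """\
Restrictions:
  no_sms
  no_add_user
  no_remove_user
  no_modify_accounts
  no_config_tethering
  no_config_credentials
  ensure_verify_apps
"""

# Constructed profile intent: True = toggle ON (allowed), False = toggle OFF.
SAMPLE_PROFILE = {
    "Allow Outgoing Phone Calls": True,
    "Allow Send/Receive SMS": False,
    "Allow Adding Users": False,
    "Allows Removing Users": False,
    "Allow Adding/Deleting Accounts": False,
    "Allow Tethering From All Sources": False,
    "Allow WiFi Changes": False,        # no_config_wifi missing from the dump
    "Allow Installing & Managing Certificates": False,
    "Allow Disabling Application Verification": False,
    "Allow Screen Capture": False,      # not a user restriction: unmapped
}

if __name__ == "__main__":
    for label, status, key in audit(SAMPLE_PROFILE, SAMPLE_DUMP):
        print(f"{status:24} {label} ({key})")
```

Labels reported as unmapped, such as screen capture or the Keyguard rows, are enforced through other device-policy mechanisms and need a separate check.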

Compliance

When managing company-owned devices, it becomes imperative to make sure that the device adheres to compliance standards such as device integrity, security and compatibility. 

To mitigate such risks, Scalefusion uses Google Play Protect API to check device compliance. 

Google Play Protect examines software and hardware information on the device where the Work Apps are being used. This attestation helps Scalefusion to determine whether or not the particular device has been tampered with or otherwise modified. 

Using Scalefusion's Device Profile for kiosk devices, you can enforce stricter device compliance rules and the actions that need to be taken in the event of a violation.

Setting | Description
Validate using Google Play Protect | The Google Play Protect API helps assess the security and compatibility of the Android devices that your users are using. You can choose between a Strict or a Moderate level for validations.
Allow use of Rooted Devices | Rooted devices are devices on which superuser (root) access is available. You can allow or disallow the use of rooted devices while creating a device profile and then enrolling it.
Compliance Check Duration | You can select how often the compliance check should be performed. By default, it happens every 24 hrs
Compliance Violation Action | Choose the action that should be performed if any of the compliance rules are violated:
  • No Action: No restrictions will be applied
  • Disable Device Usage: Use this option to disable the device usage but keep its data if a violation is detected later.

Access Conditions

There might be some applications that distract users while driving. Scalefusion has a provision to control the access to applications based on device speed. With Speed-Based Access configurations under Access Conditions, the admin can block such applications once users have reached a specified speed limit, thus making driving a seamless experience.

Please refer to the document for Speed-based Locking of apps to know how it can be done.

Exchange Settings

Use this setting to configure an Exchange account on the device. You can select a previously created exchange configuration. Please refer to our Exchange configuration document for details.

Dev Tools

Developer API

In the Developer API section of the Device profile, an MDM SDK is provided that can be used in your enterprise apps to get the device information and perform a wide variety of actions (like launching the wifi screen, toggling mobile data, toggling hotspot etc.) locally on the device. Visit here for more details.

Advance Settings

Schedule Power On/Off Settings

This section can be used to configure settings for specific devices, mainly Lenovo and Samsung Knox

Setting | Description | Applicable on
Automatic Power ON/OFF | Enable/disable the following options to automatically power on/off a device when the USB charger is connected or removed respectively: | Power On: Lenovo, Samsung Knox (v2.6 and above). Power Off: Samsung Knox (v2.8 and above)
  • Power on a device when a USB charger is connected
  • Power off a device when the USB charger is removed
Schedule Power ON/OFF time | With this setting enabled, you can set a time for switching on and switching off the device. Select the following: | Lenovo. Power Off is supported on Knox and Wingman devices also.
  • TimeZone: Select the timezone that has to be followed for the device to power on or power off
  • Device Power On Time
  • Device Power Off Time

SIM Binding Settings

SIM cards can be bound with the IMEI number of devices to prevent the device's misuse. Click here to learn the SIM binding settings and how you can configure them.

App Delegation

IT administrators now have the capability to assign additional privileges, such as Certificate Management, app permission management, and the ability to prevent uninstalls, to their third-party application(s). To know more, click here.

Configure Support Messages

IT admins can configure support messages that appear on the settings screen when a user tries to access any functionality/feature that is blocked or restricted. Both long and/or short messages can be configured. To configure,

  1. Toggle on the setting Configure Support Messages
  2. In the text area, enter the message. The maximum length of the message is 4096 characters. However, for a short message, if the message length is greater than 200 characters, the message is truncated on the device.
  3. IT admins can enter the message in their preferred language.
  4. This is how the message will appear on the device screen.

OS Update Settings

You can select a policy for installing Android OS Updates. Click here to learn about all the settings.

Run Commands

With Run Commands, IT admins can configure additional triggers to execute Remote Commands whenever that event occurs (run at install, schedule at a specific time etc.) and even when the devices are offline. Click here to learn more.

OEM Configurations

The OEM Configurations section displays the collection for OEM-specific Configuration applications, aka OEM Config apps. The applications are developed by Original Equipment Manufacturers (OEM) and are purpose-built to give you fine-grain control on their devices. These applications let you remotely configure additional proprietary settings of the device via these applications that are not possible otherwise.

Using the OEM Configuration section, you can configure these directly from the profile and also view the status of the deployment as a quick action item. Please refer to this document on how to set up these policies.

