- 12 Dec 2024
Android Device Profile Restrictions for Company Owned Devices
- Updated on 12 Dec 2024
As part of device policy controls, the Restrictions section offers a wide collection of control and security policies that let you control and manage your devices better.
This document explains all the Restrictions offered in the Scalefusion Dashboard that can be applied to managed Android devices.
Before You Begin
- You must have a valid Scalefusion account
How to Access
Follow these steps to access the Restrictions section in a corporate profile:
- From your Scalefusion dashboard, go to Device Profiles & Policies ➞ Device Profiles.
- Click on Create New Profile in the upper right corner or edit an existing Android device profile.
- Select the Kiosk/Agent option.
- Enter a name for the profile and an exit passcode. Click on the Submit button. You will be redirected to the Profile Creator view.
- The last section is the Restrictions section. Each of the controls in this section is explained below.
Device Settings
Volume Settings
This setting allows you to control the volume attributes of your devices.
Setting | Description |
Control Ringer Volume | Allows the user to control the device’s ringing volume. Choose one from the following options:
|
Control Music Volume | Allows the user to control the music volume of the device. Shows the same options as above to choose from. |
Control Alarm Volume | Allows the user to control the alarm volume of the device. Shows the same options as above to choose from. |
Display Settings
This setting allows you to manage the display attributes of your devices.
Setting | Description |
Screen Time Out Settings | Allows you to set idle screen timeout duration from the dropdown list. |
Power Button causes the display to sleep | If the screen time-out is set to Keep Always On, then an additional option can be used to define power button behavior. |
Enable Adaptive Brightness | Enabling this auto-adjusts the device brightness according to the ambient light. |
Allow changing of brightness | Allows the user to change the screen brightness of the device from either the 3 dots Menu on the Scalefusion home screen or the Notification center. |
Control device screen brightness | Use this option to enforce the default screen brightness. This will override user choice on the device, if any. |
Secure Settings
Configure additional security settings for your company-owned devices to get better control and provide an enhanced kiosk experience. To start configuring these settings, enable Override Global/Device Secure Settings.
Setting | Category | Description |
Allow users to do Factory Reset* | Device Management | Choose if the users are allowed to factory reset the device. On Samsung, Sony and LG devices, disabling this prevents the user from factory resetting the device by using the ROM recovery method. On normal EMM devices, it blocks the Factory Reset option in System Settings. |
Allow users to boot the device in Safe Mode* | Device Management | Choose if the users can use the power-off key and boot into safe mode. |
Allow users to power off the device | Device Management | Choose if the users are allowed to use the power-off button and switch off the device. |
Allow users to enable/disable the airplane mode | Settings Management | Choose if the users can control the Airplane mode from the power-off menu or from system settings. |
Disable Guest Mode | Settings Management | |
Allow System Error Dialogs | Settings Management | When this setting is turned on, the error dialogs will be visible to users for cases like app crashes. If turned Off, the error dialogs will be hidden. |
Allow Floating Windows | Settings Management |
|
Allow unknown sources* | App Management | Choose if the users are allowed to install Android applications from third-party apps or directly by downloading APKs. |
Allow App Uninstallation and Clear App Data | App Management | Choose if the users can uninstall and/or clear the application data of installed applications. |
Disallow User to set Wallpaper | Settings Management | Enable this setting if you want to restrict the users from changing wallpaper on EMM Managed and Samsung Knox-enabled devices. |
Set Lock Screen to None, if No PIN/password is set on the device | Settings Management | Sets the lock screen to None when the following conditions are met:
|
Disable Edge Screen | Settings Management | Disables access to Edge Screen from where you can quickly access your apps/features/contacts. |
Enable Double Tap to Wake | Settings Management | Wakes up the device from sleep mode on double-tap. This setting works on Wingman-supported devices. |
Enable Lift to Wake | Settings Management | If this is enabled, the display turns on when you simply lift the device. This is supported on Wingman-supported devices only. |
Prevent In-App Browsing | App Management | This setting blocks the Android Webview component, thereby blocking apps using it for in-app browsing. Please note this will work:
|
Disable the Emergency Call Menu on the Lock Screen | App Management | Disables the emergency call menu on the Lock screen on Lenovo devices |
Block Incoming MMS | App Management | Enabling this blocks incoming MMS on Knox-supported devices |
Allow Users to Change Screen Lock Type | App Management | The setting will allow/disallow the user from setting a lock screen Password on Lenovo devices (OS 10 & above). The user will not be able to access the lock screen password configuration in the Settings app. |
Allow users to use Home Key | Hardware & Navigation Keys | Choose if the users can use the Home button on Android devices. |
Allow users to use the Back Key. | Hardware & Navigation Keys | Choose if the users can use the Back button on Android devices. |
Allow users to use the app switch key. | Hardware & Navigation Keys | This setting can be used to block the Recent Key altogether. |
Configure Navigation Mode | Hardware & Navigation Keys | You can configure the navigation mode for devices by selecting one of the following options:
|
Allow Multi Window | Settings Management | Choose if users can use the multi-window feature on some phones/tablets. |
Allow MTP access | Storage Device Management | Choose if the user can access the media on the device via MTP protocol when connected to a device via a USB cable. |
Allow users to connect via USB cable | Storage Device Management | Choose if the users can connect the device via a USB cable and access the USB storage and other options. |
Allow USB Debugging mode | Storage Device Management | Choose if the users can use the USB Debugging feature when connected to a USB cable. |
Disable SD card usage | Storage Device Management | Disables the SD card usage on devices. Applicable on Lenovo and Knox enabled devices. |
Enforce SD card Encryption | Storage Device Management | Enabling this setting enforces encryption for the SD card on Knox-enabled devices. Place a shortcut on the home screen to prompt users: Place a shortcut on the home screen, which directly takes you to the Settings app, from where you can enforce encryption. This can be enabled only if SD card encryption is enforced. To enforce encryption:
|
Disallow Mount Physical Media | Storage Device Management | Enable this setting to restrict users from connecting external media devices (like USB, HDD) to devices.
|
Disable SIM card | Additional Settings | Disables SIM card on Lenovo devices |
Disable Accessibility Option in Navigation bar | Additional Settings | Disables accessibility option present in Navigation bar. This is applicable to Lenovo devices. |
Block Settings on Boot | Additional Settings | If this is enabled, users will not be allowed to access settings from the notification bar after the device is rebooted. Applicable on EMM Managed devices. |
Show Battery Percentage in Status Bar | Additional Settings | If this setting is enabled, battery percentage is displayed in Status bar on Wingman supported devices. |
Unlock Settings
An IT admin may need to unlock a device for a short duration for debugging or some other reasons. To maintain the security of the device even when it is unlocked, certain settings can be configured. Click here to learn about the settings and their configuration.
General Settings
These settings allow you to manage some general settings.
Timezone Settings
Setting | Category | Description |
Configure Automatic Network Time & Timezone | Timezone Settings | You can configure the time & timezone to be picked up by the device. There are three options to choose from:
|
Prevent users from changing date/time from Settings app | Timezone Settings | Blocks users from changing the date/time from the Settings app if they have access to Settings on the device. |
Allow users to set Date/Time from Scalefusion app | Timezone Settings | Provides an option for users to set the date/time manually inside the Scalefusion app. |
Allow Users to access “Timezone” inside the app | Timezone Settings | If this option is enabled then users can see an option in the Scalefusion menu to change the timezone. |
Choose Timezone configuration | Timezone Settings | Enforce a default timezone for the devices from a list of previously created TimeZone configurations. |
Set 24 hours format | Timezone Settings | Enable this to set the device time format to 24 hours.
|
Disable Power Menu | Disable Power Menu | Enabling this setting hides the power-off menu when the user presses the Power button. Note that this does not disable the power-off functionality completely; it only hides the power-off menu. |
Lock Screen Orientation | Lock Screen Orientation | Enforce an orientation on your devices by selecting the following:
|
Wifi State | Network/Peripheral Settings | Choose if you want to enforce the Wi-Fi to be always On or Off. By default, it is set as None, and no policy is enforced. |
Bluetooth State | Network/Peripheral Settings | Choose if you want to enforce the Bluetooth to be always ON or OFF. By default, it is set as None, and no policy is enforced. |
Device Configuration | Device Configuration | Allows users to configure device properties like names and additional custom properties with the following settings:
|
Configure Language Settings | Configure language settings for devices with the following settings:
|
Permission Settings
Scalefusion requires some permissions to manage the devices properly. Choose what happens when permissions are missing and control additional permissions.
Setting | Description |
Enforce Exit Password to Complete Setup | Toggle on this option to enforce an exit password to be entered by the user for completing the setup |
Enforce Disable Assist App | If you select this, the Google Assist app will be disabled for the user |
Enforce Battery Optimization Exclusion permission | Battery Optimisations kill the apps and their processes in the background to optimize battery usage. However, to be able to apply all policies properly and secure the device, Scalefusion needs to be kept running in the background. Enabling this setting ensures the Scalefusion agent app runs in the background for longer times and excludes it from battery optimization. When this setting is enabled, a permission toggle is shown during enrollment that asks for battery optimization exclusion. |
Network & Location Settings
WiFi Settings
This setting allows you to manage the WiFi configuration of your devices.
Setting | Description |
Choose WiFi configuration | Allows you to select and switch between the Primary and additional Wi-Fi configurations. Because multiple Wi-Fi configurations can be selected, users can switch between the available ones. Once the Wi-Fi configurations are published on the device, it attempts to connect to the one with the strongest signal. |
Allow Fallback if configured Wifis cannot be set | If enabled, it allows users to connect to a different Wi-Fi network if any of the configured Wi-Fi networks cannot be connected. We show a list of possible Wi-Fi networks the user can connect to. |
Allow Users to Connect to Other Networks | This will allow users to change the Wi-Fi state to On/Off on the device. This is useful when the configured Wi-Fi is not working: users on devices with mobile data can switch off Wi-Fi so that mobile data is used and the device stays connected, or they can connect to any other available Wi-Fi network. |
Only If configured Wifis are not reachable post setup | Allow users to connect to a different Wi-Fi network if the configured Wi-Fi networks are valid but not reachable. |
Allow Always | You can always allow or disallow users from changing the Wi-fi connections and Wi-fi state |
Allow users to access the “WiFi Connection” menu inside the app | Enables access to the WiFi Connection menu from the Scalefusion application. If a Wifi configuration is applied, then this menu cannot be used. |
Allows users to connect/disconnect from WiFi Network | Allows the user to connect or disconnect a WiFi network from the Scalefusion application. If a Wifi configuration is applied, then this menu cannot be used. |
Disable MAC Randomization | Enable this option to disable MAC randomization when the device joins a Wi-Fi network. Note:
|
Mobile Network
This setting allows you to manage the Mobile data configuration of your devices.
Hotspot Settings
Setting | Description |
Display an icon on Homescreen | Allows you to choose whether you want to display the Mobile hotspot icon on the Scalefusion app's home screen that is used to indicate the current state of the Hotspot. |
Allow users to share/unshare from Hotspot Network | Choose if the users are allowed to enable/disable the Hotspot state from the Scalefusion Notification center. If this option is disabled, the user has no control over the sharing/unsharing of the hotspot: the notification center will show a hotspot tile, but tapping on it will show the message 'admin has disabled this feature'. If this option is enabled, tapping on the hotspot tile in the notification center will turn the hotspot on/off on the device. |
Display an icon on Homescreen | Allows you to choose whether you want to display the Mobile hotspot icon on the Scalefusion app's home screen |
Warn & Disconnect if max connections exceed | Allows you to restrict the maximum number of devices that can be connected to the Hotspot. If this number is exceeded, the hotspot connection stops, with a warning message on the host device. |
Choose Hotspot configuration | Allows you to choose a Hotspot configuration for your device. Once applied, the devices will create a hotspot and share their internet. |
Let users disconnect from Hotspot Config | Allows users to disconnect from the configured hotspot. Users can disconnect hotspot using the Scalefusion notification center widget or from the home screen shortcut. |
Turn On the Hotspot when the configuration changes | If this setting is enabled, the device auto-connects to the hotspot when a new hotspot configuration is created, or an existing one is updated. However, if this is disabled, the configuration just gets created/updated but does not auto-connect. |
Turn On the Hotspot if disconnected by the OS | Enabling this setting monitors the state of the Hotspot, and if it is auto-disconnected due to the device being idle, then it gets turned On |
Mobile Data Settings
Setting | Description |
Allow user to access “Mobile Data Settings” inside the app | If enabled, it allows the user to access the mobile data options of the device from inside the Scalefusion app |
Choose Mobile Data State | Choose what state the mobile data should be on the device from the following:
|
Choose Data Roaming State | Choose a state for Mobile Data roaming from the following:
|
Location Settings
Configure Location Settings on the device profile, which gets applied to the devices on which the profile is applied. To configure Location settings, toggle on the first setting, that is, Override Global Location Settings. This enables the other settings and makes them configurable. When applied, they override the settings that have been set through Location & Geofencing > Location Settings on the Dashboard.
Force GPS always off: Enforces GPS to be always off on Android devices which are EMM Managed, Wingman, Knox and Lenovo. If this setting is enabled, the rest of the settings are not configurable.
To learn more about Location Settings, visit the section Configure Location Settings
VPN Settings
From the list of applications, you can select one app and mark it as Always On VPN with an additional flag to lock down the network.
This feature works only on EMM devices running OS 7 and above that are set up using afw#mobilock or set up as Device Owner.
Setting | Description |
Select an Always On VPN Application | Simply select an application from the list that will be configured as an Always On VPN app |
Enable VPN Lockdown | Once this is enabled, any failure of the VPN provider could break networking for all apps |
Device Management
Application Management Settings
From this section, the admin can configure application management settings for Android devices that let them control the app usage. Click here to learn more about the settings and how to configure them.
EMM Settings
These are the additional settings for your EMM-managed devices that provide additional security and control. These settings also allow you to give your users access to System Settings in a controlled fashion if need be.
Setting | Category | Description |
Allow Outgoing Phone Calls | Communication | Normally disabling the Phone app will achieve this. However, there might be some apps that might attempt to make phone calls. This option lets you completely disable outgoing calls. |
Allow Send/Receive SMS | Communication | Normally disabling the default messaging app will achieve this. However, there might be some apps that can send SMS discreetly. This option lets you completely block the SMS. |
Allow Bluetooth | Communication | Allows a user to connect to a Bluetooth device. |
Allow Bluetooth Sharing | Communication | Allows data transfer via Bluetooth on the devices. This setting can be configured when Allow Bluetooth is enabled. This is supported on devices having OS 8 and above. |
Allow Android Beam | Communication | Allows a user to share files through Android Beam. |
Allow Adding Users | User Management | Choose if the user can add multiple user accounts on devices. This is useful to prevent creating new users immediately after boot or from the system settings app. |
Allows Removing Users | User Management | Choose if the user can remove the already created multiple user accounts. |
Allow Adding Google Account | User Management | Choose if the user can add Google accounts. This is used to prevent accidental creation of accounts via other applications. |
Allow Adding/Deleting Accounts | User Management | Choose if the user can add additional accounts like Outlook on their devices. This is used to prevent accidental creation of accounts via other applications. |
Allow Backup & Restore | User Management | Enabling this setting allows users to back up data to their Google account and restore the backed-up information to the original device or to some other Android device. |
Allow Mobile Network Changes | Network & Security | Allows users to change mobile network settings if they have access to the Settings app. |
Allow Tethering From All Sources | Network & Security | Allow users to enable Tethering via USB or Bluetooth. |
Allow WiFi Changes | Network & Security | Allow users to modify the Wi-Fi network from System Settings if they have access to it. This may cause them to lose connectivity, and hence it is suggested that you allow them to use Scalefusion's Wi-Fi connection options as a fallback. |
Allow WiFi State Change | Network & Security | This will prevent the WiFi from turning off while enabling the airplane mode. This is supported on OS 13+ |
Allow Screen Capture | Network & Security | Choose if the users are allowed to capture the screenshots of applications. |
Allow Camera | Network & Security | Choose if the default Camera is disabled and cannot be used by any application. |
Allow Disabling Application Verification | Network & Security | Choose if users can disable Google Play Application Verification if they have access to the managed Play Store. |
Allow Installing & Managing Certificates | Network & Security | If enabled, users can install and manage certificates manually on the device. |
Allow Keyguard | Keyguard | Choose if the Keyguard/Lock screen is allowed. |
Allow Keyguard Camera | Keyguard | If the Keyguard is allowed, then control if the Camera can be launched from the lock screen. |
Allow Keyguard Notifications | Keyguard | If Keyguard is allowed, then control if the notifications should be displayed. |
Allow Keyguard Trust Agent State | Keyguard | If Keyguard is allowed, then control if users can pair the Bluetooth devices as trust agents for auto-unlock. |
Allow Keyguard Unredacted Notifications | Keyguard | If Keyguard is allowed, then choose if unredacted notifications are allowed. |
Allow Keyguard Fingerprint Sensor | Keyguard | If Keyguard is allowed, then choose if users can use the fingerprint scanner. |
Enable System Status Bar | Agent Mode | When Scalefusion is set as Agent, choose if the users can access the system status bar and notifications. |
Hide Agent App from UI | Agent Mode | When Scalefusion is set as Agent, then you can choose if the Scalefusion app icon is hidden from the native launcher. Note that this does not prevent the app from appearing in System Settings > Apps list. |
Restrict Apps | Agent Mode | When Scalefusion is set as Agent, you can control whether the application usage should be restricted or not. Based on the applications that you have enabled, if this setting is true, then only the selected applications are shown in the default launcher. |
Enable Notification / Status Bar | Notification bar settings | Configure the following notification bar settings under this:
|
Allow Printing | Security Settings | Disable this option to restrict the users from printing documents, photos, files, etc. from apps on the devices. This is supported on devices having OS 9 and above. |
Compliance
When managing company-owned devices, it becomes imperative to make sure that the device adheres to compliance standards such as device integrity, security and compatibility.
To mitigate such risks, Scalefusion uses the Google Play Protect API to check device compliance.
Google Play Protect examines software and hardware information on the device where the Work Apps are being used. This attestation helps Scalefusion to determine whether or not the particular device has been tampered with or otherwise modified.
Using Scalefusion's Device Profile for kiosk devices, you can enforce stricter device compliance rules and the actions that need to be taken in the event of a violation.
Setting | Description |
Validate using Google Play Protect | The Google Play Protect API helps assess the security and compatibility of the Android devices that your users are using. You can choose between a Strict or a Moderate level for validations. |
Allow use of Rooted Devices | Rooted devices are devices on which superuser access is available. You can allow or disallow the use of rooted devices while creating a device profile and then enrolling it. |
Compliance Check Duration | You can select how often the compliance check should be performed. By default, it happens every 24 hrs |
Compliance Violation Action | Choose the action that should be performed if any of the compliance rules are violated:
|
Access Conditions
There might be some applications that distract users while driving. Scalefusion has a provision to control the access to applications based on device speed. With Speed-Based Access configurations under Access Conditions, the admin can block such applications once users have reached a specified speed limit, thus making driving a seamless experience.
Please refer to the document for Speed-based Locking of apps to know how it can be done.
Exchange Settings
Use this setting to configure an Exchange account on the device. You can select a previously created exchange configuration. Please refer to our Exchange configuration document for details.
Dev Tools
Developer API
In the Developer API section of the Device profile, an MDM SDK is provided that can be used in your enterprise apps to get the device information and perform a wide variety of actions (like launching the wifi screen, toggling mobile data, toggling hotspot etc.) locally on the device. Visit here for more details.
Advance Settings
A. Schedule Power On/Off Settings
This section can be used to configure settings for specific devices, mainly Lenovo and Samsung Knox
Setting | Description | Applicable on |
Automatic Power ON/OFF | Enable/disable the following options to automatically power on/off a device when the USB charger is connected or removed respectively:
|
|
Schedule Power ON/OFF time | With this setting enabled, you can set a time for switching on and switching off the device. Select the following:
| Lenovo. Power Off is supported on Knox and Wingman devices also. |
B. SIM Binding Settings
SIM cards can be bound with the IMEI number of devices to prevent the device's misuse. Click here to learn the SIM binding settings and how you can configure them.
C. App Delegation
IT administrators now have the capability to assign additional privileges, such as Certificate Management, app permission management, and the ability to prevent uninstalls, to their third-party application(s). To know more, click here.
D. General Settings
- Font Settings: With this, you can configure the font size on the devices. This feature works on company-owned devices having OS 6 and above.
  - None: This will follow the settings that are set at the device level.
  - Allow Users To Adjust Font: This option will allow users to adjust the device font size from the 3-dots menu. This will work if Scalefusion is "Set as Launcher" and "Set as Agent". The size options available are: Small, Normal, Large, Largest.
  - Configure Font Size: Alternatively, you can set a font size using this option from the dashboard. The size options available are: Small, Normal, Large, Largest.
- Battery Saver Settings: This setting will help you to improve the battery health of your devices. This feature is supported on Lenovo CSDK supported and Wingman supported devices only.
  - Enable Battery Charge Limit: This option enables the battery protection mode on the devices. If the battery protection is On in the device and this option is toggled Off in the Profile, then the battery protection will be turned Off on the device; and vice versa.
Configure Support Messages
IT admins can configure support messages that appear on the settings screen when a user tries to access any functionality/feature that is blocked or restricted. Long messages, short messages, or both can be configured. To configure:
- Toggle on the setting Configure Support Messages
- In the text area, enter the message. The maximum length of the message is 4096 characters. However, for a short message, if the message length is greater than 200 characters, the message is truncated on the device.
- IT admins can enter the message in their preferred language.
- This is how the message will appear on the device screen.
OS Update Settings
You can select a policy for installing Android OS Updates. Click here to learn about all the settings.
Run Commands
With Run Commands, IT admins can configure additional triggers to execute Remote Commands whenever that event occurs (run at install, schedule at a specific time etc.) and even when the devices are offline. Click here to learn more.
OEM Configurations
The OEM Configurations section displays the collection of OEM-specific configuration applications, also known as OEM Config apps. These applications are developed by Original Equipment Manufacturers (OEMs) and are purpose-built to give you fine-grained control over their devices. They let you remotely configure additional proprietary settings of the device that cannot be configured otherwise.
Using the OEM Configuration section, you can configure these directly from the profile and also view the status of the deployment as a quick action item. Please refer to this document on how to set up these policies.