Android Device Profile for Company Owned Devices
  • 20 Feb 2024
  • 12 読む分
  • PDF

Android Device Profile for Company Owned Devices

  • PDF

The content is currently unavailable in Ja - 日本語. You are viewing the default English version.
Article Summary

Device Profiles are an easy way to group your policies in one single entity, which can be applied to one or multiple devices. Depending upon the organization structure and policy levels, you can create one or more Device Profiles. Once a Device Profile is created, it can be applied to a Device Group or used to create a QR Code configuration for faster enrollments.

At a high level, Scalefusion's Device Profile offers the following policy controls,

  1. Mode: Scalefusion offers two modes of operation for the client. Please read our detailed guideon understanding the differences in the modes of operation. In a nutshell, these are,
    1. Kiosk Mode: In this mode, the device home screen, aka Launcher, is replaced with Scalefusion's custom launcher, thereby showing the users only the applications and browser shortcuts that are configured in the policy. It prevents users from accessing other applications.
    2. Agent Mode: In this mode, the device's home screen is not replaced. Scalefusion runs in the background as a silent agent and applies the policies. Note that this mode is best suited for EMM devices, that is, the devices enrolled via afw#mobilock.
  2. Application Policy: Use this section to control the applications that will be enabled in the Locked down mode. All other applications will be blocked.
  3. Browser Shortcuts: Use this section to choose the browser shortcuts (allowed websites) that will appear as shortcuts or are allowed to be opened via Scalefusion Browser.
  4. Passcode Settings: Use this section to set the passcode settings inside the Device Profile
  5. Branding and App Order on Scalefusion Homescreen: Choose a branding that will be applied to the device and arrange the applications on the home screen.
  6. Restrictions: A wide collection of control and security policies to better manage your devices.

In this document, we will see how to create a Kiosk profile and configure the various sections.

Creating a Corporate Profile

Follow these steps to create a corporate profile:

  1. From your Scalefusion dashboard, go to Device Profiles & Policies ➞ Device Profiles.
  2. Click on Create New Profile in the upper right corner.
  3. Select the Kiosk/Agenoption.
  4. Enter a name for the profile and an exit passcode. Click on the Submit button. You will be redirected to the Profile Creator view.
    Exit passcode helps you manually exit the Scalefusion client on the device in case the device loses connectivity, or you want to get access to the full device.
  5. The first section is SELECT APPS, and this section is used for the following,
    1. Select a Mode for the Scalefusion app: This sub-section lets you choose a mode of operation for the Scalefusion app. The options are,
      1. Set Scalefusion as Launcher: In this mode, Scalefusion replaces the home launcher of the device and shows a custom home screen. Any setting annotated by
      2. Set Scalefusion as Agent: In this mode, Scalefusion runs in the background and silently applies the policies. This allows the user to use the native/default launcher.
        In Agent Mode, the Application policy or the apps cannot be restricted from being used if the devices are not EMM managed (enrolled via afw#mobilock). To understand the difference between launcher and agent mode, please refer to our document here.
    2. Application Policy: Choose which applications are allowed to be used. For each application, you can additionally select the following 3 properties,
      1. Enabled: Select this option to allow the application to be used on the device.
      2. VisibleBy default, when you enable an application, it is visible. However, you can choose to hide the application. If the application is visible, then a shortcut icon will be placed on the Scalefusion home screen, whereas if it is hidden, it means that a shortcut will not be placed on the home screen, but this application can be invoked via other enabled applications.
        When Scalefusion is Set as Agent, then the visibility flag does not apply. Applications can either be enabled or disabled only.
      3. Allow Lock Task: This is a special flag that gives the capability of an Android app to pin itself to the screen for as long as it wants and achieve a dynamic single-app mode state.
        Note
        • For Android applications to use Allow Lock Task, they need to implement special code, as explained here. Scalefusion can only give those applications the required privileges to pin themselves without user interaction whenever they want.
        • Initially, when you have not enrolled in a device, you will see a limited set of applications to enable. As and when you enroll more devices, the list of applications will be populated based on all the applications across your devices.
    3. Add Application: In Kiosk mode, there are a few applications that do not open on the Android device as they are blocked under Scalefusion. Some apps also happen to be services or system apps, which cannot be allowed as well. If you try to search such apps in Device Profiles to enable, they are not even listed in the apps list because the applications that do not have a launcher icon do not appear in the device profile. As for eg. com.android.systemui
      In Scalefusion, there is a mechanism to identify such blocked apps on the device and add those apps through Scalefusion Dashboard via the Add Application feature, which unblocks/enables the apps. To learn more about how this can be achieved, please click here.
  6. The next section is the BROWSER SHORTCUTS section, where you can select the previously allowed websites. Users will be allowed to browse all the shortcuts that are allowed. However, the visibility of the shortcut depends upon the visibility flag of the Allowed Website. For all the visible websites, a shortcut will be created on the Scalefusion home screen.
    Use Device Profiles & Policies > Allowed Websites section to create and allow websites.

  7. Passcode Settings: You can set the passcode policy inside the device profiles. This provides the flexibility for the IT admins to define passcode policies of different complexities to devices in different profiles. To configure, Toggle on the button Override Global Password Policy, only then the passcode settings become configurable. Please visit here to learn about various passcode settings and how to configure them.
    The policy created here will override the global passcode settings and will be applied to the devices of this Android profile.

  8. In the SELECT BRAND/APP ORDER section, apply a previously created brand and select the order of enabled applications. Click NEXT once done.
  9. Click on the Next button.
  10. From the Select Brand/ App Order, select a brand theme from the list. You can reorder the apps on your device by dragging the app or website icon on the virtual mobile screen.
    Application ordering applies only when Scalefusion is Set as Launcher. When Scalefusion is Set as Agent, then the app-ordering does not apply to the native launcher.
  11. The next section is the Kiosk/LauncherSettings section. This section shows you only the settings that are applicable when Scalefusion is Set as Launcher. The settings are,
    1. Single App Mode: This section allows you to turn your Android tablets/phones into a kiosk that runs only one application.
      SettingDescription
      Set Default ApplicationChoose an application from the list of enabled applications that will be set to run as the default app.
      Run All the timeYou can set a delay time, after which the app will start running. By default, the app is set to run all the time. To set a delay time, uncheck the Run All the time checkbox and enter the delay value (in seconds).
      Retain application state when an app is relaunchedSelect this option to retain the application state when it is relaunched due to an invariant user action that causes a blocked app to be opened, for example, by pressing the app switch key.
      Default Launch URL*If you have selected Google Chrome or Scalefusion Browser to run as default, then additionally, you can specify a URL that will be used as the launch page.
      Auto Refresh Interval*If you have selected Google Chrome or Scalefusion Browser to run as default, then you can set an auto-refresh interval. This would force refresh the page after every given interval.
    2. Homescreen Settings: These settings allow you to customize Scalefusion Homescreen behavior.
      SettingDescription
      Hide the bottom navigation bar from the screenHides the bottom navigation bar on the device.
      Set the device in Full-screen modeSets the device in Full-screen mode where both the bottom navigation bar and the status bar at the top are hidden.
      Configure the options shown in the 3-dot Menu

      allows you to control the visibility of the following options from the 3-dots menu inside Scalefusion. If unchecked, that particular option is not shown under the 3-dots menu on the device:

      • Show Exit
      • Show Admin Messages
      • Show Diagnostics
      • Show Blocked Apps
      • Show Settings

      By default, they are all checked, that is, visible

      Allows Users to Clear App DataAllows the user to clear application data by long tapping on the app shortcut on the Scalefusion home screen.
      Allow Users to Uninstall the ApplicationAllows the user to uninstall applications from his device.
      Allow Users to Clear App Data and Allow Users to uninstall Application.
      These 2 options are available in Agent mode as well.
    3. Notification Centre (Experimental): When Scalefusion is set as the default launcher, it blocks the default notification bar completely. Hence Scalefusion provides a custom Notification centre to give controlled access to notifications and other quick actions.
      How to Access Notification Centre on Device: For Android 8.0 and below, the Notification Center can be dragged from the top and from Android 8.0 and above, the Notification Center can be made visible by a flick from the left-bottom of the screen.
      SettingDescription
      Notification CentreEnabling this option will allow the user to access the notifications by dragging it from the top screen.
      Change OrientationAllows the user to change the device’s orientation.
      Flash LightAllows the user to access the device's flashlight from the notification bar.
      View and Switch Between Recent applicationsAllows the user to switch between recent apps.
      Kill Background ApplicationsAllows the user to kill apps running in the background.
      Allow USB NotificationsEnabling this option will allow the device to send a notification when a USB is connected.
      Flight ModeEnabling this option will allow the user to turn on/off the flight mode from the notification bar on the device.
  12. The next section is the Restrictions section. This is a collection of various policies that let you control and manage your devices better. Please visit here to learn about the restrictions section.

Once you have created a Kiosk/Agent Profile, it will start appearing in the list of device profiles with a small lock icon, indicating that this device profile is suitable for Kiosk devices.

Applying a Device Profile

Once you have the device profile ready, you can choose to create a QR Code/Enrollment Configurations, and all the devices that will use this QR Code to enroll will get this device profile. Also, you can apply a Device Profile to a Device Group, and all the devices in that group will get this device profile.

To update a profile on a device individually, select the Device Profile in the device profile listing screen, click on the Publish button and select the Devices to apply.

Note:
  • If a device profile has been removed from a device, it will still have the profile settings applied to it until you apply new settings.
  • The FileDock and Remote Cast & Control applications will not be auto-published to a Device Profile/Device Group (newly created or otherwise) even if it is enabled in the Device Profile > Select Apps section. You will need to publish it on the said Profile by navigating to Application Management > Scalefusion Apps > select FileDock/Remote Cast & Control application and click on Publish.

Frequently Asked Questions

Question: What is the difference between Launcher mode and Agent Mode?

Answer: Our document on the differences between launcher and agent mode explains it in detail. Please find the document here. Here is a brief,

  • Launcher Mode: When Scalefusion is set as launcher mode, it replaces the default home screen of the device and shows only the applications that are allowed along with the browser shortcuts. This is useful for both legacy forms of enrollment where afw#mobilock is not supported and the newer forms where afw#mobilock enrollment is supported.
  • Agent Mode: When Scalefusion is set as an agent, it does not replace the default launcher. It silently runs in the background and applies the policies set in the default profile. This is NOT suitable for legacy devices, where it does not give you Application restrictions. However, on devices enrolled via afw#mobilock, where Scalefusion is the device owner, it controls the applications and also gives a native experience.

Question: What will happen if we change the mode to Agent for a Device Profile that has a mix of EMM (afw#mobilock) and non-EMM devices?

Answer: We would advise against changing the mode of a Device Profile, which has both EMM and non-EMM devices. In the case of non-EMM devices, Scalefusion WILL NOT be able to apply an application restriction policy, thereby allowing the users to use any of the installed applications.

Question: Do we need to give all the permissions when Scalefusion is set as Agent mode?

Answer: Yes, for optimal policy enforcement, we advise that all the permissions are given when Scalefusion is set as an agent.

Question: Can a device be switched between Agent and Launcher or vice-versa?

Answer: Yes, the mode change in the profile causes the Scalefusion app to either run as an agent or as a launcher. However, if the devices were set up in Agent mode, then while shifting to launcher mode, Scalefusion will ask for Default Launcher permission.

Question: We see that some sections are disabled or not accessible when Agent Mode is selected.

Answer: This is because there are some features that do not work when Scalefusion is running in agent mode. Hence we have disabled the sections or these options from being accessed. When Scalefusion is set as Agent, the following settings are not accessible,

  • Single App Mode
  • Homescreen Settings
  • Notification Centre Settings
  • In-App Wifi Settings
  • In-App Hotspot Settings
  • In-App Mobile Network Settings

Question: We see that some sections are disabled or not accessible when Launcher Mode is selected.

Answer: This is because there are some features that do not work when Scalefusion is running in Launcher mode. Hence we have disabled the sections or these options from being accessed. When Scalefusion is set as Launcher, the following settings are not accessible,

  • Enable System Status Bar
  • Hide Agent App from UI
  • Restrict Apps

Question: Why is it that on our devices, we can see and use all the applications even though we have not selected them in Select Apps?

Answer: This might happen in the following conditions,

  • If Scalefusion is set as Agent Mode and the device is NOT enrolled via afw#mobilock (EMM managed), that is enrolled via legacy methods.
  • If Scalefusion is set as Agent Mode and the Restrictions > EMM Settings > Restrict Apps is not enabled.

Question: Why is it that on some of our EMM-managed devices, we can see the Settings app?

Answer: On devices running Android 7.0 and above, we cannot completely hide the Settings app due to the other dependencies. Hence we have disabled it.

Question: Why are the Enterprise APKs and/or Play for Work apps not getting silently installed when the device is in Agent Mode?

Answer: When Scalefusion is set as Agent mode, it requires the Google Play Store app to be enabled for the Enterprise Apps and/or Play for Work apps to be installed. Make sure that the Google Play Store app is enabled. You can enable the Google Play Store and use the Restrictions > Account Setting options of Device Profile to make sure that the user does not add/remove the accounts.


この記事は役に立ちましたか?