Android Enterprise Policy Configurations

Learn how to create a new Policy by following this link Create and Configure Policies

There are many different settings and configurations that you can apply. The following sections explain all of the Policy options available:

POLICY CATEGORIES

GENERAL SETTINGS

The general settings section of Android Enterprise policies configures device-wide
behaviour: runtime permissions, location, app updates, storage encryption, the Play
Store mode, and the individual device features that can be disabled. The following
items can be configured (an explanation is included where one is needed):

  • Version: Shows the version number of the policy. Every change you make to a policy
    increments the number by one
  • Default Permission Policy: Defines the default policy for runtime permission requests
    from apps that have no app-specific permission policy. The possible values include:
    • Default: If the policy is left blank, the user is prompted
    • Prompt: Users are prompted to approve the permission
    • Grant: Permissions are automatically granted
    • Deny: Permissions are automatically denied
  • Location Mode: Selects the location services mode. The possible values include:
    • Default: If the policy is left blank, it will use the default device setting
    • High Accuracy: All location methods are enabled: GPS, network-provided (Wi-Fi and cell) location, and other sensors
    • Sensors Only: Only GPS and other sensors are enabled; network-provided location is not used
    • Battery Saving: Only network-provided location is enabled; GPS is not used
    • Off: GPS and location tracking are turned off
  • App Auto Update Policy: Controls when automatic app updates can be applied. The possible values include:
    • Default: If the policy is left blank, it will use the default device setting
    • User Choice: The end user can control auto-updates
    • Never: Apps are never auto-updated
    • WiFi Only: Apps are auto-updated over Wi-Fi only
    • Always: Apps are auto-updated at any time. Data charges may apply
  • Encryption Policy: Enforces an encryption policy on the device for internal and external storage. The possible values include:
    • Default: If the policy is left blank, it will use the default device setting
    • Enable Without Password: Encryption is required, but no password is needed to boot the device
    • Enable With Password: Encryption is required and a password must be entered to boot the device
  • Play Store Mode: Controls whether the application list in this policy acts as an allow-list (whitelist) or a block-list (blacklist) for the apps on the device. The possible values include:
    • Default: If the policy is left blank, it will default to Whitelist
    • Whitelist: Only apps that are in the policy are available, and any app not in the policy is automatically uninstalled from the device
    • Blacklist: All apps are available, and any app that should not be on the device must be explicitly marked as ‘Blocked’ in the applications policy
  • Screen Capture Disabled: Taking screenshots is disabled
  • Camera Disabled: The camera is disabled for all apps
  • Add User Disabled: Users cannot add users to the device
  • Adjust Volume Disabled: Users cannot change the volume
  • Factory Reset Disabled: Users cannot factory-reset the device

    It is highly recommended that Factory Reset Disabled is turned on to prevent any undesired reset of your devices.

  • Install App Disabled: Users cannot install apps
  • Mount Physical Media Disabled: Users cannot mount external media such as SD cards or USB storage
  • Modify Accounts Disabled: Users cannot add or remove accounts on the device
  • Uninstall Apps Disabled: Users cannot uninstall apps
  • Keyguard Disabled: Disables the device’s lock screen (keyguard), which lets the device boot straight into an application. This only takes effect while no password, PIN or pattern is set; configuring a password Quality in this policy re-enables the lock screen
  • Bluetooth Contact Sharing Disabled: Contacts cannot be shared over Bluetooth
  • Bluetooth Config Disabled: Users cannot configure Bluetooth (pairing and settings). This does not turn Bluetooth off; for that, see Bluetooth Disabled
  • Cell Broadcasts Config Disabled: Users cannot configure cell broadcasts
  • Credentials Config Disabled: Users cannot configure user credentials, for example installing or removing certificates
  • Mobile Networks Config Disabled: Users cannot configure mobile networks. This does not turn mobile data off
  • Tethering Config Disabled: Users cannot configure tethering or portable hotspots
  • VPN Config Disabled: Users cannot configure VPNs. Use this to protect an Always-on VPN Connection configured under Network Configurations
  • Create Windows Disabled: Prevents the following system UIs from being displayed:
    • Toasts
    • Phone activities (e.g. incoming calls) and priority phone activities (e.g. ongoing calls)
    • System alerts, system errors, and system overlays
  • Network Reset Disabled: Users cannot reset network settings
  • Outgoing Beam Disabled: Users cannot use NFC to beam data out of applications
  • Outgoing Calls Disabled: Users cannot place outgoing calls
  • Remove User Disabled: Users cannot remove users from the device
  • Share Location Disabled: Location sharing is disabled
  • SMS Disabled: Sending and receiving SMS messages is disabled
  • Unmute Microphone Disabled: Users cannot unmute the microphone
  • USB File Transfer Disabled: Users cannot transfer files over USB
  • Ensure Verify Apps Enabled (deprecated; see Google Play Protect Verify Apps below): Scans apps installed on devices for
    malware before and after they are installed, helping to ensure that corporate
    data can’t be compromised by malicious apps
  • Set User Icon Disabled: Users cannot change or set the user icon on the device
  • Set Wallpaper Disabled: Users cannot change the wallpaper
  • Data Roaming Disabled: Data roaming is disabled on the device
  • Network Escape Hatch Enabled: This setting will enable the escape hatch feature on your device. If a network connection is not established when a device boots, then the escape hatch asks to temporarily connect to a network and refresh the device policy. After applying the policy, the temporary network is forgotten and the device continues booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.
  • Bluetooth Disabled: Bluetooth is turned off on the device
  • Install From Unknown Sources Allowed: Allows apps to be installed from sources other than the Google Play Store (sideloading). Leave this off unless it is required; sideloaded apps are not vetted by Google Play before installation
  • Fun Disabled: Disables the Easter egg game in Settings
  • Auto Time Required: Users cannot manually set the date and time
  • Kiosk Custom Launcher Enabled: This setting replaces the home screen with a launcher that locks down the device to the apps installed via the applications setting. Apps appear on a single page in alphabetical order. The status bar is disabled when this is set.

            Note: applications configured via the “Application Control” section of this profile cannot be set to “Kiosk” under “Install Type” or the policy will fail to install.

            • Skip First Use Hints Enabled: Enables the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up
            • Private Key Selection Enabled: Shows a UI on the device for the end user to choose a private key alias when no Private Key Rule matches the request
            • Google Play Protect Verify Apps: Controls whether Google Play Protect app verification is enforced. Google Play Protect scans apps installed on devices for
              malware before and after they are installed, helping to ensure that corporate
              data can’t be compromised by malicious apps, and can remove apps it identifies as harmful, including sideloaded ones. The following are the setting options:
              • Force-enable app verification – Play Protect app verification is turned on and the user cannot turn it off
              • Allow user to choose enable app verification – The user can turn Play Protect app verification on or off
              • Unspecified – The Policy will not make any adjustments to the device setting

            NOTE: Google Play Protect Verify Apps replaced the deprecated Ensure Verify Apps Enabled Policy option

            • Developer Settings: This setting controls access to and the ability to enable Developer Settings: including Developer Options and Safe Boot. The following are setting options:
              • Disable all developer settings – Safe Boot and Developer Options will both be disabled, and will not be able to be enabled by a user on the device.
              • Allow all developer settings – Safe Boot and Developer Options will be allowed on the device, but a user can toggle Developer options off on the device
              • Unspecified – The Policy will not make any adjustments to the device setting

            NOTE: Developer Settings replaced the deprecated Debugging Features Allowed and Safe Boot Disabled Policy options

            • Common Criteria Mode: This setting controls security standards defined in the Common Criteria for Information Technology Security Evaluation. Enabling Common Criteria Mode increases certain security components on a device, including AES-GCM encryption of Bluetooth Long Term Keys, and Wi-Fi configuration stores.

            WARNING: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enable if required.

            REPORTING SETTINGS

            The following settings control the behavior of application reports.

            Note: battery percentage and some other reports will not be displayed in Moki unless they are enabled here.

            • Application Reports Enabled: This setting will allow reports to be
              generated, which show details of apps installed on the device
            • Device Settings Enabled: This setting enables reporting information about
              security-related device settings on devices
            • Software Info Enabled: This setting enables reporting of device software
            • Network Info Enabled: This setting enables reporting of device network
              information
            • Power Management Events Enabled: This setting enables reporting of
              power management events
            • Hardware Status Enabled: This setting enables hardware reporting to
              capture device hardware information

            APPLICATION CONTROL

            Application control allows you to limit application access on your devices. Before
            you can configure the policy, all applications that you would like to manage need to
            be added to the “Apps” tab first (Learn how here). Once you have added all of your applications to
            the Apps tab, select the + on the “Add policy for an individual app” bar. Then, under
            the “General” section, configure what each application will do on your devices.
            The following options are configurable:

            • App: Select your application from the available list of apps.
            • Install Type:
              • Default: Unspecified. Defaults to Available
              • Pre-Installed: The app is automatically installed and can be removed
                by the user
              • Force Installed: The app is automatically installed and cannot be
                removed by the user
              • Blocked: The app is blocked and cannot be installed. If the app was
                installed under a previous policy, it will be uninstalled
              • Available: The app is available to install
              • Required For Setup: The app is automatically installed and cannot be
                removed by the user and will prevent setup from completion until
                installation is complete
              • Kiosk: The app is automatically installed in kiosk mode: it is set as the preferred home intent and whitelisted for lock task mode. Device setup won’t complete until the app is installed. After installation, users will not be able to remove the app. You can only set this Install Type for one app per policy. When this is present in the policy, status bar will be automatically disabled.
            • Managed Config: If you have an app configuration created, you can select it from this drop-down menu
            • Permissions: Default Permission Policy
              • Default: If no policy is specified for a permission at any level, then the prompt behavior is used by default
              • Prompt: Will prompt the end user to grant permissions
              • Grant: Will automatically grant permissions
              • Deny: Will automatically deny permissions

            Note: you can also grant permission for specific requests by selecting the +
            icon under Application Permission Grants. You can then select the permission and the policy for each individual permission

            • Minimum Version: Entering a minimum version forces the specified app to update immediately on any device assigned to the Policy where the installed version is below it.

            NOTE: The Version Code should be entered here, not the app Version.

            • App Update Mode: Controls the auto-update mode for the app. If it is left blank, the Default setting is used.
              • Default: The app is automatically updated with low priority to minimize the impact on the user. The app is updated when all of the following constraints are met:
                • The device is not actively used.
                • The device is connected to an unmetered network.
                • The device is charging.
                The device is notified about a new update within 24 hours after it is published by the developer, after which the app is updated the next time the constraints above are met.
              • Postpone: The app’s automatic update is postponed for a maximum of 90 days after the app becomes out of date. 90 days after the app becomes out of date, the latest available version is installed automatically with low priority (see Default). After the app is updated it is not automatically updated again until 90 days after it becomes out of date again. The user can still manually update the app from the Play Store at any time.
              • High Priority: The app is updated as soon as possible. No constraints are applied. The device is notified immediately about a new update after it becomes available.

            PASSWORD REQUIREMENTS

            This section will cover the optional requirements that you can use to unlock a
            device. The following password requirement options are available:

            • Quality: The required password quality.
              • Default: There are no password requirements
              • Biometric Weak: The device must be secured with a low-security
                biometric recognition technology, at minimum. This includes
                technologies that can recognize the identity of an individual that are
                roughly equivalent to a 3-digit PIN (false detection is less than 1 in
                1,000)
              • Something: A password is required, but there are no restrictions on
                what the password must contain
              • Numeric: The password must contain numeric characters
              • Numeric Complex: The password must contain numeric characters
                with no repeating (4444) or ordered (1234, 4321, 2468) sequences
              • Alphabetic: The password must contain alphabetic (or symbol)
                characters
              • Alphanumeric: The password must contain both numeric and
                alphabetic (or symbol) characters
              • Complex: The password must meet the minimum requirements specified in password Minimum Length, password Minimum Letters, password Minimum Symbols, etc.
            • Minimum Length: The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password Quality is Numeric, Numeric Complex, Alphabetic, Alphanumeric, or Complex
            • History Length: The length of the password history. After setting this field, the user will not be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction
            • Maximum Failed Passwords For Wipe: Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction
            • Expiration Timeout: Password expiration timeout. Duration in days
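The Quality levels above are easiest to understand by checking candidate credentials against them. The following is an added example, not code from the page or from Moki: it approximates how Android evaluates these qualities. The "no repeating or ordered sequences" rule for Numeric Complex is implemented as "no run longer than 3 characters with a constant step", which mirrors Android's password-metrics check; that limit, and treating anything that is neither a letter nor a digit as a symbol, are assumptions made here.

```python
"""
Check a candidate unlock credential against the password Quality levels described on this page.
Added example (not Moki's or Android's code). The sequence limit below and the symbol
classification are assumptions.
"""

# Qualities for which Minimum Length is enforced (as stated for the Minimum Length setting).
LENGTH_ENFORCED = {"Numeric", "Numeric Complex", "Alphabetic", "Alphanumeric", "Complex"}
MAX_SEQUENCE = 3  # longest run such as 123 / 444 / 246 tolerated by Numeric Complex (assumption)


def max_sequence_run(password: str) -> int:
    """Length of the longest run in which each character is the previous one plus a constant step.

    Repeats (4444, step 0), ascending/descending (1234, 4321, step +1/-1) and strided (2468,
    step 2) sequences all show up as long runs.
    """
    if len(password) < 2:
        return len(password)
    best = run = 1
    prev_step = None
    for a, b in zip(password, password[1:]):
        step = ord(b) - ord(a)
        run = run + 1 if step == prev_step else 2
        prev_step = step
        best = max(best, run)
    return best


def check_password(password: str, quality: str, minimum_length: int = 0) -> list[str]:
    """Return the list of violations; an empty list means the credential satisfies the quality."""
    if quality in ("Default", "Biometric Weak"):
        return []                    # no textual credential is required at these levels
    if not password:
        return ["a password is required"]
    problems = []
    digits = sum(c.isdigit() for c in password)
    letters = sum(c.isalpha() for c in password)
    symbols = len(password) - digits - letters
    if quality in LENGTH_ENFORCED and len(password) < minimum_length:
        problems.append(f"shorter than Minimum Length {minimum_length}")
    if quality in ("Numeric", "Numeric Complex") and digits == 0:
        problems.append("must contain numeric characters")
    if quality == "Numeric Complex" and max_sequence_run(password) > MAX_SEQUENCE:
        problems.append("contains a repeating or ordered sequence")
    if quality == "Alphabetic" and letters + symbols == 0:
        problems.append("must contain alphabetic (or symbol) characters")
    if quality == "Alphanumeric" and (digits == 0 or letters + symbols == 0):
        problems.append("must contain both numeric and alphabetic (or symbol) characters")
    # "Complex" additionally needs the per-class minimums (letters, symbols, ...) that are
    # configured alongside Minimum Length; they are not modelled here.
    return problems


if __name__ == "__main__":
    for pin in ("1234", "4444", "2468", "1357", "1359"):
        print(pin, check_password(pin, "Numeric Complex", 4) or "ok")
```

Note that a 4-digit PIN such as 1359 passes Numeric Complex while 1357 does not: the rule rejects any constant-step run longer than three characters, not only runs of consecutive digits.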


            SYSTEM UPDATES

            The type of system update configuration.

            • Default: Follow the default update behavior for the device, which typically
              requires the user to accept system updates
            • Automatic: Install automatically as soon as an update is available
            • Windowed: Install automatically within a daily maintenance window. This
              also configures Play apps to be updated within the window. This is strongly
              recommended for kiosk devices because this is the only way apps
              persistently pinned to the foreground can be updated by the Google
              Play Store
            • Postpone: Postpone automatic install up to a maximum of 30 days. This does not affect security updates (e.g. monthly security patches)
            • Freeze Period: Set up a time window that repeats annually for a freeze period where no system updates will occur in. One Freeze Period can last no longer than 90 days. Multiple Freeze Periods must be separated by at least 60 days.

            ENFORCEMENT RULES

            A rule that defines the actions to take if a device or work profile is not compliant
            with the policy specified in setting name

            • Setting Name: The top-level policy to enforce. Define the actions to
              take if a device is not compliant with the specified setting. The
              following options are available:
              • Application Policies
              • Password Policies
              • Encryption Policies
            • Block After Days: Number of days the policy is non-compliant before the device is blocked. To block access immediately, set to 0. Block After Days must be less than Wipe After Days
            • Wipe After Days: Number of days the policy is non-compliant before the device is wiped. Wipe After Days must be greater than Block After Days
            • Preserve Data: Whether the factory-reset protection data is preserved on the device
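Several of the settings on this page constrain one another: only one app per policy may have Install Type Kiosk and it cannot be combined with the Kiosk Custom Launcher, Minimum Version must be a version code, Minimum Length is only enforced for certain Qualities, Keyguard Disabled has no effect once a password Quality is set, Block After Days must be less than Wipe After Days, and freeze periods may last at most 90 days and must be at least 60 days apart. The following added example, which is not Moki's or Google's code, lints a policy against those constraints before it is pushed to devices. The nested-dict layout and its keys (taken from the setting labels on this page) are an assumption for illustration, not Moki's export format or the Android Management API schema; a non-leap reference year is assumed for the annually repeating freeze periods.

```python
"""
Lint a policy against the cross-field constraints stated on this page.
Added example (not Moki's or Google's code); the dictionary layout is an assumption.
"""
from datetime import date
from itertools import combinations

DAYS = 365  # freeze periods repeat annually; a non-leap reference year is assumed
LENGTH_QUALITIES = {"Numeric", "Numeric Complex", "Alphabetic", "Alphanumeric", "Complex"}


def day_index(month, day):
    """0-based day of year in the non-leap reference year 2001 (Feb 29 is rejected by date())."""
    return date(2001, month, day).timetuple().tm_yday - 1


def freeze_days(period):
    """Set of day indices covered by one {"start": (m, d), "end": (m, d)} period, inclusive, wrapping at New Year."""
    s, e = day_index(*period["start"]), day_index(*period["end"])
    return {(s + i) % DAYS for i in range((e - s) % DAYS + 1)}


def lint_freeze_periods(periods):
    findings = []
    spans = sorted(((day_index(*p["start"]), day_index(*p["end"]), freeze_days(p)) for p in periods),
                   key=lambda t: t[0])
    for s, _, days in spans:
        if len(days) > 90:
            findings.append(f"freeze period starting on day {s} lasts {len(days)} days (max 90)")
    for (_, _, a), (_, _, b) in combinations(spans, 2):
        if a & b:
            findings.append("freeze periods overlap")
    if len(spans) > 1:
        for i, (_, end, _) in enumerate(spans):  # gap to the next period, wrapping from last to first
            gap = (spans[(i + 1) % len(spans)][0] - end - 1) % DAYS
            if gap < 60:
                findings.append(f"freeze periods separated by only {gap} days (min 60)")
    return findings


def lint_policy(policy):
    findings = []
    general = policy.get("general", {})
    apps = policy.get("applications", [])

    kiosk = [a["package"] for a in apps if a.get("install_type") == "Kiosk"]
    if len(kiosk) > 1:
        findings.append(f"only one app per policy may have Install Type Kiosk, found {kiosk}")
    if kiosk and general.get("Kiosk Custom Launcher Enabled"):
        findings.append("Kiosk Custom Launcher Enabled cannot be combined with an app of Install Type Kiosk")
    for a in apps:
        mv = a.get("minimum_version")
        if mv is not None and not isinstance(mv, int):  # Minimum Version takes the integer version code
            findings.append(f"{a['package']}: Minimum Version must be a version code, not {mv!r}")

    pw = policy.get("password", {})
    quality = pw.get("Quality", "Default")
    if pw.get("Minimum Length", 0) and quality not in LENGTH_QUALITIES:
        findings.append(f"Minimum Length is not enforced when Quality is {quality}")
    if general.get("Keyguard Disabled") and quality != "Default":
        findings.append("Keyguard Disabled has no effect while a password Quality is required")

    for rule in policy.get("enforcement_rules", []):
        if rule["Wipe After Days"] <= rule["Block After Days"]:
            findings.append(f"{rule['Setting Name']}: Wipe After Days must be greater than Block After Days")

    findings += lint_freeze_periods(policy.get("freeze_periods", []))
    return findings


# Constructed sample policy (not a real export) that trips most of the checks above.
SAMPLE_POLICY = {
    "general": {"Kiosk Custom Launcher Enabled": True, "Keyguard Disabled": True, "Factory Reset Disabled": True},
    "applications": [
        {"package": "com.example.kiosk", "install_type": "Kiosk", "minimum_version": "2.1.0"},
        {"package": "com.example.tools", "install_type": "Force Installed", "minimum_version": 42},
    ],
    "password": {"Quality": "Something", "Minimum Length": 6},
    "enforcement_rules": [{"Setting Name": "Password Policies", "Block After Days": 3, "Wipe After Days": 3}],
    "freeze_periods": [{"start": (12, 20), "end": (1, 10)}, {"start": (2, 15), "end": (3, 1)}],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("-", finding)
```

The freeze-period check treats the year as a 365-day circle so that a period spanning New Year (20 December to 10 January) is 22 days long and the gap from its end to a period starting on 15 February is measured correctly (35 days, which violates the 60-day minimum).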

            NETWORK CONFIGURATIONS

            Always-on VPN Connection – Configuration for an always-on VPN connection. Use VPN Config Disabled to prevent modification of this setting.

            • VPN App Package Name: Package name for the VPN app
            • Lockdown Enabled: Disallows networking when the VPN is not connected.

            Recommended Global Proxy

            • Host: The host of the direct proxy.
            • Port: The port of the direct proxy.
            • PAC URI: The URI of the PAC script used to configure the proxy.
            • Excluded Hosts: For a direct proxy, the hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com.

            WiFi Network Settings:

            In order to save a WiFi network on your devices, select the green + button on the top-right. Once you have done this, you will be able to configure the WiFi network settings as desired

            Network

            • Name: User-friendly description of this connection. This name will not be used for referencing and may not be unique. Instead it may be used for describing the network to the user.
            • GUID: Unique identifier for this network connection, which exists to make it possible to update previously imported configurations. Must be a non-empty string, and must stay the same across updates of the same network. Any UUID generator (for example, a free online GUID/UUID generator) can produce one

            WiFi Settings

            • SSID: Enter the SSID (or network name) here.
            • Security: The security type of the network, for example None (open), WEP-PSK, WPA-PSK or WPA-EAP. Avoid open and WEP networks for managed devices; WEP is broken and offers no real protection
            • Auto Connect: Indicates that the network should be connected to automatically when in range
            • SSID Hidden: Indicates that the access point does not broadcast its SSID (a hidden network)

            KEYGUARD FEATURES  

            Keyguard refers to the lock screen of the devices. These settings allow you to block access to the specified features on the device’s lock screen. Those features consist of:

            • All Features: Disable all features 
            • Camera: Disable the camera on secure keyguard screens (e.g. PIN).
            • Unredacted Notifications: Disable unredacted notifications on secure keyguard screens.
            • Fingerprint Sensor: Disable fingerprint sensor on secure keyguard screens.
            • Face Authentication: Disable face authentication on secure keyguard screens.
            • Biometrics: Disable all biometric authentication on secure keyguard screens.
            • Notifications: Disable showing all notifications on secure keyguard screens.
            • Trust Agents: Ignore trust agent state on secure keyguard screens.
            • Remote Input: Disable text entry into notifications on secure keyguard screens.
            • Iris Authentication: Disable iris authentication on secure keyguard screens.

            KIOSK CUSTOMIZATION

            Additional device configurations available when using the “Kiosk Custom Launcher”, or using a single app with an Install Type of “Kiosk” (App Lock)

            NOTE: Kiosk Customization will not work if the app set with an Install Type of “Kiosk” is a custom launcher app.

            • Power Button Actions: Controls actions available when the power button is long-pressed (held down)
              • Available: When this setting is selected, if the Power button is long-pressed, a user will be given the option to power off the device, or restart the device.
              • Blocked: When this setting is selected, if the Power button is long-pressed, nothing will happen.
            • System Navigation: Controls access to the Home and Recent Apps buttons
              • Enabled: Both the Home and Recent Apps buttons will be enabled
              • Disabled: Both the Home and Recent Apps buttons will be disabled.
              • Home Button Only: Only the Home button will be enabled. The Recent Apps button will be disabled.
            • Device Settings: Controls whether the Device Settings can be accessed
              • Enabled: Device Settings can be accessed from any location there is a link to Device Settings
              • Blocked: Device Settings access is blocked from any location there is a link to Device Settings
            • System Error Warnings: Controls whether system error dialogs for crashed or unresponsive apps are blocked
              • Enabled: System error dialogs for crashed and unresponsive apps will be displayed on the device
              • Muted: System error dialogs for crashed and unresponsive apps will be blocked from displaying on the device

            NOTE: When System Error Warnings are Muted, the system will force-stop the app as if the user chooses the “close app” option on the UI.

            • Status Bar: Controls whether system info in the top-info bar and notifications are disabled
              • System Info Enabled: All system info and notifications are enabled and accessible in the top-info menu bar
              • System Info Disabled: All system info and notifications are disabled and access to the top-info menu bar is blocked
              • System Info Only: System info, such as time, battery level, WiFi and cellular data signal strength, will be visible in the top-info menu bar. However, notifications and the swipe-down feature will be disabled

            STAY ON MODES

            Allows a user to set the device screen to always stay on, and never sleep, as long as it is plugged in and charging with one of the selected charging methods

            NOTE: When using this setting, it is recommended to clear Max Time To Lock so that the device doesn’t lock itself while it stays on.

            • AC:  Device screen will stay on while charging using an AC charger.
            • USB:  Device screen will stay on while charging using a USB port power source.
            • Wireless:  Device screen will stay on while charging using a wireless power source

            USER FACING MESSAGES

            • Short Support Message:  A message displayed to the user in the settings screen wherever functionality has been disabled by the admin

            NOTE: If the message is longer than 200 characters it may be truncated

            • Long Support Message: Typically used in the same place as a Short Support Message when there is an option for “more details,” the Long Support Message will display
            • Device Owner Lock Screen Info: Message that will display on the lock screen of the device. Could be used to display the device owner info

            SETUP ACTIONS

            Allows you to require the launch and configuration of an app during device enrollment and setup. You can specify one app to be launched during device enrollment and setup. This app must return RESULT_OK to signal completion and allow the remaining device setup and enrollment to complete.

            • Title: Title of the action. Will be displayed to the user on the device during setup
            • Description: Description of the action needed. Will be displayed to the user on the device during setup
            • Launch App (Package Name): The Package Name of the app required to launch and configure during device enrollment and setup

            PRIVATE KEY RULES

            Rules for automatically choosing a private key and certificate to authenticate the device to a server.
            The rules are ordered by increasing precedence, so if an outgoing request matches more than one rule, the last rule defines which private key to use.

            • URL Pattern:  The URL pattern to match against the URL of the outgoing request. The pattern may contain asterisk (*) wildcards. Any URL is matched if unspecified
            • Package Names:  The package names for which outgoing requests are subject to this rule. If no package names are specified, then the rule applies to all packages. For each package name listed, the rule applies to that package and all other packages that shared the same Android UID. The SHA256 hash of the signing key signatures of each package name will be verified against those provided by Play
            • Private Key Alias:  The alias of the private key to be used.
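The precedence rule above (rules are evaluated in policy order and the last match wins) is easy to get backwards, so here is an added example, not Moki's or Android's code, that resolves the Private Key Alias for a request. The rule and request dictionaries are an assumption for illustration; shared-UID package groups and the signing-key verification Play performs are not modelled; and the '*' wildcard is given the natural "any run of characters" meaning, anchored at both ends so a pattern cannot match a lookalike host.

```python
"""
Resolve which Private Key Alias an outgoing request gets: last matching rule wins.
Added example (not Moki's or Android's code); the data model below is an assumption.
"""
import re


def url_pattern_to_regex(pattern):
    """'*' matches any run of characters; everything else is literal, and the match is anchored
    at both ends so 'https://*.example.com/*' cannot match 'https://x.example.com.attacker.io/'."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def rule_matches(rule, url, package):
    pattern = rule.get("url_pattern")
    if pattern and not url_pattern_to_regex(pattern).match(url):
        return False                                   # an unspecified pattern matches any URL
    packages = rule.get("package_names") or []
    return not packages or package in packages         # no package list means all packages


def select_alias(rules, url, package):
    """Alias of the last matching rule, or None when no rule matches (the user may then be
    prompted if Private Key Selection Enabled is set)."""
    chosen = None
    for rule in rules:                                 # later rules take precedence: keep overwriting
        if rule_matches(rule, url, package):
            chosen = rule["private_key_alias"]
    return chosen


# Constructed sample rules in policy order (lowest precedence first).
RULES = [
    {"url_pattern": "https://*.example.com/*", "private_key_alias": "corp-default"},
    {"url_pattern": "https://api.example.com/*", "package_names": ["com.example.fieldapp"],
     "private_key_alias": "fieldapp-api"},
    {"package_names": ["com.example.vpnclient"], "private_key_alias": "vpn-client"},
]

if __name__ == "__main__":
    print(select_alias(RULES, "https://api.example.com/v1/sync", "com.example.fieldapp"))   # fieldapp-api
    print(select_alias(RULES, "https://portal.example.com/login", "com.example.vpnclient"))  # vpn-client
```

Because the VPN client's rule comes last and has no URL Pattern, it wins for that package even on URLs the first rule also matches; put the most specific rules at the end of the list.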

            INTENT HANDLER ACTIVITIES

            A default activity for handling intents that match a particular intent filter.

            NOTE: To set up a kiosk, use Install Type to KIOSK rather than use persistent preferred activities.

            • Receiver Activity:  The activity that should be the default intent handler. This should be an Android component name, e.g. com.android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent
            • Actions:  The intent actions to match in the filter. If any actions are included in the filter, then an intent’s action must be one of those values for it to match. If no actions are included, the intent action is ignored
            • Categories:  The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent
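The two matching rules above (a listed action must equal the intent's action; every category the intent carries must be listed in the filter) and the component-name shorthand are shown in the following added example, which is not Android Device Policy's implementation. The dictionaries are an assumption for illustration, and a bare package name is returned with no activity because the device picks one itself.

```python
"""
Decide which Receiver Activity becomes the default handler for an intent, using the action and
category matching rules described on this page, and expand the component-name shorthand.
Added example (not Android Device Policy's code); the data model below is an assumption.
"""


def expand_component(receiver):
    """'pkg/.Cls' -> ('pkg', 'pkg.Cls'); 'pkg/com.x.Cls' -> ('pkg', 'com.x.Cls'); 'pkg' -> ('pkg', None)."""
    if "/" not in receiver:
        return receiver, None        # package only: Android Device Policy chooses an activity
    package, cls = receiver.split("/", 1)
    if cls.startswith("."):
        cls = package + cls          # a leading dot means "relative to the package"
    return package, cls


def filter_matches(filter_spec, intent):
    actions = filter_spec.get("actions", [])
    if actions and intent.get("action") not in actions:
        return False                 # with no actions in the filter, the intent's action is ignored
    required = set(intent.get("categories", []))
    return required <= set(filter_spec.get("categories", []))


def default_handler(handlers, intent):
    """First handler whose filter matches, as (package, activity-or-None); None if nothing matches."""
    for handler in handlers:
        if filter_matches(handler, intent):
            return expand_component(handler["receiver_activity"])
    return None


# Constructed sample handlers (not from a real policy).
HANDLERS = [
    {"receiver_activity": "com.example.dialer/.CallActivity",
     "actions": ["android.intent.action.DIAL", "android.intent.action.CALL"],
     "categories": ["android.intent.category.DEFAULT"]},
    {"receiver_activity": "com.example.browser",
     "actions": ["android.intent.action.VIEW"],
     "categories": ["android.intent.category.DEFAULT", "android.intent.category.BROWSABLE"]},
]

if __name__ == "__main__":
    dial = {"action": "android.intent.action.DIAL", "categories": ["android.intent.category.DEFAULT"]}
    print(default_handler(HANDLERS, dial))   # ('com.example.dialer', 'com.example.dialer.CallActivity')
```

An intent that carries a category the filter does not list (for example APP_MAPS alongside DEFAULT) does not match, even though the filter lists DEFAULT; adding categories to a filter only ever widens what it accepts.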

