This article shows how to configure and deploy restrictions to Android Enterprise devices.
Requirements:
- Enterprise Plan subscription or trial.
- Miradore Online Client 2.4.0 or newer installed on the devices.
- Devices are running Android 5.0 or newer. Note that some restrictions require a newer Android version.
- A work profile has been enabled on the target Android devices, or
- The devices have been provisioned as work managed devices in device owner mode.
When these requirements are met, administrators can create and deploy work profile restrictions to the devices. Navigate to Mobile management > Configuration profiles and start the Create configuration profile action from the page action menu. Select Android > Restrictions and define the desired configuration.
Application control
Default runtime permission policy
Specifies the default runtime permission policy for applications. For example, whether fine location access is automatically granted, automatically denied, or requested from the device user with a prompt. This has no effect on already granted or denied runtime permissions.
Application control
Specifies whether a user is allowed to modify applications in Settings or launchers. The following user actions will be denied when this restriction is enabled:
- Uninstalling apps
- Disabling apps
- Clearing app caches
- Clearing app data
- Force stopping apps
- Clearing app defaults
This restriction is supported in devices with Android 5.0 or newer.
Application uninstallation
Specifies whether a user is allowed to uninstall applications. This restriction is supported in devices with Android 4.3 or newer.
Disable application verification
Specifies whether a user is allowed to disable application verification. This restriction is supported in devices with Android 5.0 or newer.
Whitelisted system applications
Specifies a list of whitelisted system applications by their package name*. These are enabled in the work profile when deployed.
Blacklisted system applications
Specifies a list of blacklisted system applications by their package name*. These are enabled in the work profile when deployed. Requires Miradore Online Client version 2.6.5 or newer.
*NOTE: You can find the package names of system apps in the Applications tab of a particular device's view (see the screenshot below). You may first need to enroll that device, or a similar device with the same system apps, to see all of the package names, or you can check the names from another device's application inventory.
Another way is to search for the desired app in the Play Store. The app's package name is visible in the app's URL, e.g. https://play.google.com/work/apps/details?id=com.android.chrome.
Unfortunately, we don't have any list of those package names.
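The Play Store URL method described above, as an added example (not Miradore's code): a Python helper that pulls the package name out of each URL, accepts only HTTPS links on play.google.com, and checks the name's syntax before it is entered in a whitelist or blacklist field. The function names and every sample URL other than the article's Chrome link are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Android application ID syntax: at least two dot-separated segments, each
# starting with a letter and containing only letters, digits or underscores.
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")

PLAY_HOST = "play.google.com"


def package_from_play_url(url):
    """Return the package name in a Play Store details URL or raise ValueError."""
    parts = urlsplit(url.strip())
    # Exact host match: a lookalike such as play.google.com.example.net fails.
    if parts.scheme != "https" or parts.hostname != PLAY_HOST:
        raise ValueError(f"not a Play Store URL: {url!r}")
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) != 1:
        raise ValueError(f"expected exactly one id parameter: {url!r}")
    if not PACKAGE_RE.fullmatch(ids[0]):
        raise ValueError(f"invalid package name: {ids[0]!r}")
    return ids[0]


def build_package_list(urls):
    """Split URLs into (sorted unique package names, rejected inputs)."""
    accepted, rejected = set(), []
    for url in urls:
        try:
            accepted.add(package_from_play_url(url))
        except ValueError as err:
            rejected.append(str(err))
    return sorted(accepted), rejected


# Constructed sample input; only the first URL appears in the article.
SAMPLE_URLS = [
    "https://play.google.com/work/apps/details?id=com.android.chrome",
    "https://play.google.com/store/apps/details?id=com.android.chrome&hl=en",
    "https://play.google.com.example.net/store/apps/details?id=com.android.vending",
    "https://play.google.com/store/apps/details?id=chrome",
]

if __name__ == "__main__":
    packages, problems = build_package_list(SAMPLE_URLS)
    print("\n".join(packages))
    for problem in problems:
        print("rejected:", problem)
```

Rejected inputs are reported rather than dropped silently, so a mistyped or non-Play link does not end up as a list entry that never matches an installed app.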
Common restrictions
Autofill
Specifies whether the device user is allowed to use autofill features. This restriction is supported in devices with Android 8.0 or newer.
Bluetooth sharing
Specifies if outgoing Bluetooth sharing is allowed on the device. This restriction is supported in devices with Android 8.0 or newer.
Camera
Specifies whether the device user is allowed to access the camera. This restriction is supported in devices with Android 4.0 or newer.
Credentials configuration
Specifies whether the device user is allowed to configure user credentials. This restriction is supported in devices with Android 4.3 or newer.
Debugging
Specifies whether the device user is allowed to enable or access debugging features. This restriction is enabled by default when a work profile is installed on the device. This restriction is supported in devices with Android 5.0 or newer.
Language configuration
Specifies whether the device user is allowed to configure/change the device language. This restriction is supported in devices with Android 9.0 or newer.
Location provider configuration
Specifies whether the device user is allowed to enable/disable location providers. This restriction is supported in devices with Android 9.0 or newer.
Location share
Specifies whether the device user is allowed to turn on location sharing. This restriction is supported in devices with Android 4.3 or newer.
NFC outgoing beam
Specifies whether the user is allowed to use NFC to beam out data from apps. This restriction is supported in devices with Android 5.1 or newer.
Printing
Specifies whether the device user is allowed to print. This restriction is supported in devices with Android 9.0 or newer.
Screen capture
Specifies whether the device user is allowed to take screenshots. This restriction is supported in devices with Android 5.0 or newer.
System error dialogs
Specifies if system error dialogs for crashed or unresponsive apps are allowed and shown. When denied, the system will force stop the apps as if the user chooses the "close app" option on the UI. This restriction is supported in devices with Android 9.0 or newer.
User icon modification
Specifies whether the device user is allowed to change his/her user icon. This restriction is supported in devices with Android 7.0 or newer.
VPN configuration
Specifies whether the device user is allowed to configure VPN. This restriction is supported in devices with Android 5.0 or newer.
Wallpaper modification
Specifies whether the device user is allowed to change the device wallpaper. This restriction is supported in devices with Android 7.0 or newer.
Web links with parent applications
Specifies if parent profile applications can be used to open web links in managed work profile applications. For example, whether Chrome on the primary user can be used to open web links received in the work profile email. This restriction is supported in devices with Android 6.0 or newer.
Device Owner
Add managed profiles
Specifies whether the device user is allowed to add managed profiles. This restriction is supported in devices with Android 8.0 or newer.
Add users
Specifies whether the device user is allowed to add users. This restriction is supported in devices with Android 5.0 or newer.
Adjust volume
Specifies whether the device user is allowed to adjust volume. This restriction is supported in devices with Android 5.0 or newer.
Airplane mode
Specifies whether the device user is allowed to enable the airplane mode. This restriction is supported in devices with Android 9.0 or newer.
Ambient display
Specifies whether the device user is allowed to enable ambient display on the device. This restriction is supported in devices with Android 9.0 or newer.
Audio
Specifies whether the device audio is enabled. Set to denied to mute the audio. This restriction is supported in devices with Android 5.0 or newer.
Backup service
Specifies whether the backup and restore mechanisms are available on the device. This setting is denied by default. This restriction is supported in devices with Android 8.0 or newer.
Bluetooth
Specifies whether the use of Bluetooth is allowed on the device. This restriction is supported in devices with Android 8.0 or newer.
Bluetooth configuration
Specifies whether the device user is allowed to configure Bluetooth settings on the device. This restriction is supported in devices with Android 4.3 or newer.
Brightness configuration
Specifies whether the device user is allowed to change the device's screen brightness. This restriction is supported in devices with Android 9.0 or newer.
Cellular broadcast configuration
Specifies whether the device user is allowed to configure cellular emergency broadcast settings. This restriction is supported in devices with Android 5.0 or newer.
Create windows
Specifies whether the device user is allowed to create windows besides app windows. This restriction is supported in devices with Android 5.0 or newer.
Data roaming
Specifies whether it is allowed to enable data roaming on the device. This restriction is supported in devices with Android 7.0 or newer.
Date and time configuration
Specifies whether the device user is allowed to configure date, time or timezone settings on the device. This restriction is supported in devices with Android 9.0 or newer.
Factory reset
Specifies if factory reset is denied from the settings or using Google Device Manager. Works only if the manufacturer allows this functionality. This restriction is supported in devices with Android 5.0 or newer.
Fun
Specifies if a user is allowed to have fun. In some cases, the device owner may wish to prevent the user from experiencing amusement or joy while using the device. Controls whether the Easter egg game in Settings is disabled. This restriction is supported in devices with Android 6.0 or newer.
Mobile network configuration
Specifies whether the device user is allowed to configure mobile network settings. This restriction is supported in devices with Android 5.0 or newer.
Mount physical media
Specifies whether the device user is allowed to mount physical external media. This restriction is supported in devices with Android 5.0 or newer.
Network reset
Specifies whether the device user is allowed to reset network settings. This restriction is supported in devices with Android 6.0 or newer.
Outgoing calls
Specifies whether the device user is allowed to make outgoing phone calls. This restriction is supported in devices with Android 5.0 or newer.
Remove managed profiles
Specifies whether the device user is allowed to remove managed profiles from the device. This restriction is supported in devices with Android 8.0 or newer.
Remove users
Specifies whether the device user is allowed to remove users from the device. This restriction is supported in devices with Android 4.3 or newer.
Safe boot
Specifies whether the device user is allowed to reboot the device into safe boot mode. This restriction is supported in devices with Android 6.0 or newer.
Screen off timeout configuration
Specifies whether the device user is allowed to change the screen off timeout setting. This restriction is supported in devices with Android 9.0 or newer.
SMS
Specifies whether the device user is allowed to send or receive SMS messages. This restriction is supported in devices with Android 5.0 or newer.
Tethering configuration
Specifies whether the device user is allowed to configure tethering settings. This restriction is supported in devices with Android 5.0 or newer.
Unknown sources
Specifies whether the device user is allowed to enable the "Unknown sources" setting that allows the installation of apps from sources other than the Google Play Store. This restriction is supported in devices with Android 4.3 or newer. Note that this setting works only when the device is managed in device owner mode, and it requires Miradore Online Client version 2.6.5 or newer.
Unmute microphone
Specifies whether the device user is allowed to unmute microphone. This restriction is supported in devices with Android 5.0 or newer.
USB file transfer
Specifies whether the device user is allowed to transfer files over USB. This restriction is supported in devices with Android 4.3 or newer.
User switch
Specifies if user switching is allowed on the device. This restriction is supported in devices with Android 9.0 or newer.
Wi-Fi configuration
Specifies whether the device user is allowed to configure Wi-Fi settings. This restriction is supported in devices with Android 4.3 or newer.
Profile owner
Cross-profile caller ID
Specifies whether the caller-ID information from the work profile will be shown in the private profile for incoming calls. This restriction is supported in devices with Android 5.0 or newer.
Cross-profile contact search
Specifies whether the contact search from the work profile will be shown in the private profile. This restriction is supported in devices with Android 7.0 or newer.
Cross-profile copy paste
Specifies whether the contents of the clipboard of this profile can be pasted to other profiles, e.g. outside of the work profile. Does not restrict whether the clipboard of other profiles can be pasted to this profile. This restriction is supported in devices with Android 5.0 or newer.
Bluetooth contact sharing
Specifies whether Bluetooth devices can access enterprise contacts inside the work profile. This restriction is supported in devices with Android 6.0 or newer.
Share into work profile
Specifies whether the device user can share files, photos or data from the private profile into the work profile either by sending them or by picking up data within an app in the work profile. This restriction is supported in devices with Android 9.0 or newer.
Unified passcode
Specifies whether the work profile is allowed to have a unified lock screen challenge with the private profile. This restriction is supported in devices with Android 9.0 or newer.
Account management
Account modification
Specifies whether the device user is allowed to add and remove accounts, unless they are programmatically added by Authenticator. This restriction is supported in devices with Android 4.3 or newer.
Deny account management types
Specifies a list of account types that cannot be managed on the device or work profile. Users cannot add, remove or modify these account types.
In the personal devices deployment scenario, the restrictions apply only to the applications and services inside the created work profile, since Miradore Online Client operates as the profile owner of the work data and has limited control outside of the work profile. In other words, Miradore Online Client is no longer the device administrator of the whole device. For example, if you deny the usage of the camera, the camera application and features cannot be used in applications inside the work profile, but the camera application is still available outside of the work profile.
In the work managed devices deployment scenario, the restrictions apply to the entire device, since Miradore Online Client is the device owner of the device.
In addition to these restrictions, unknown sources are always disabled when a work profile is enabled on an Android device or a managed account is created. This means that if you want to deploy in-house applications, you must install them as private applications for the managed Google Play Enterprise. For more information about private apps, see Adding private managed Google Play applications.
Play Store for unmanaged accounts
Specifies whether device users are allowed to access the consumer version of Google Play store using their personal Google Accounts. When denied, device users can only access the managed Google Play store. This restriction allows the device users to add their personal Google account to the device if they want to use other Google services with the personal account. See Restricting the use of personal Google accounts on Android devices for more.
More information:
About Android device management
How to configure managed Google Play Enterprise
How to enable work profile to Android devices
How to enroll work managed devices
Creating a configuration profile
Deploying a configuration profile
Removing deployed configuration profiles
Please send comments to contact@miradore.com.