Restrictions for Android (only for Work profile and Work managed devices)


This article shows how to configure and deploy restrictions to Android Enterprise devices.

Requirements:

When these requirements are met, administrators can create and deploy work profile restrictions to the devices. Navigate to Mobile management > Configuration profiles and start the Create configuration profile action from the page action menu. Select Android > Restrictions and define the desired configuration.


Application control

Default runtime permission policy

Specifies the default runtime permission policy for applications. For example, whether fine location access is automatically granted, denied or prompted from the device user. This has no effect on already granted or denied runtime permissions.

Application control

Specifies whether a user is allowed to modify applications in Settings or launchers. The following user actions will be denied when this restriction is enabled:

  • Uninstalling apps
  • Disabling apps
  • Clearing app caches
  • Clearing app data
  • Force stopping apps
  • Clearing app defaults

This restriction is supported in devices with Android 5.0 or newer.

Application uninstallation

Specifies whether a user is allowed to uninstall applications. This restriction is supported in devices with Android 4.3 or newer.

Disable application verification

Specifies whether a user is allowed to disable application verification. This restriction is supported in devices with Android 5.0 or newer.

Whitelisted system applications

Specifies a list of whitelisted system applications by their package name*. These are enabled in the work profile when deployed.

Blacklisted system applications

Specifies a list of blacklisted system applications by their package name*. These are enabled in the work profile when deployed. Requires Miradore Online Client version 2.6.5 or newer.

*NOTE: You can find the package names of system apps on the Applications tab of the particular device's view (see the screenshot below). You may first have to enroll that device, or a similar device with the same system apps, to see all the package names, or you can check the names from another device's Application inventory.

Another way is to search for the desired app in the Play Store. The app's package name is visible in the app's URL, e.g. https://play.google.com/work/apps/details?id=com.android.chrome.

Unfortunately, we don't have any list of those package names.
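When collecting package names this way, entries for the two lists tend to arrive as a mix of Play Store URLs and bare names. The following is an added example, not Miradore code: it normalises such entries, rejects malformed ones and reports packages that ended up on both lists. The function names are hypothetical and the sample entries are constructed, apart from the Chrome URL quoted above.

```python
import re
from urllib.parse import urlparse, parse_qs

# Android application ID rule: at least two dot-separated segments, each
# starting with a letter and containing only letters, digits or underscores.
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")
PLAY_HOSTS = {"play.google.com"}

def package_from_entry(entry):
    """Return the package name for a Play Store URL or a bare package name."""
    entry = entry.strip()
    if "://" in entry:
        url = urlparse(entry)
        if url.scheme != "https" or url.hostname not in PLAY_HOSTS:
            raise ValueError(f"not a Play Store URL: {entry!r}")
        ids = parse_qs(url.query).get("id", [])
        if len(ids) != 1:
            raise ValueError(f"expected exactly one id= parameter: {entry!r}")
        entry = ids[0]
    if not PACKAGE_RE.fullmatch(entry):
        raise ValueError(f"not a valid package name: {entry!r}")
    return entry

def build_lists(whitelist_entries, blacklist_entries):
    """Normalise both lists; return (whitelist, blacklist, conflicts, errors)."""
    errors = []

    def normalise(entries):
        names = []
        for item in entries:
            try:
                name = package_from_entry(item)
            except ValueError as exc:
                errors.append(str(exc))  # keep going, report all bad entries
                continue
            if name not in names:        # drop duplicates, keep order
                names.append(name)
        return names

    whitelist = normalise(whitelist_entries)
    blacklist = normalise(blacklist_entries)
    conflicts = sorted(set(whitelist) & set(blacklist))
    return whitelist, blacklist, conflicts, errors

if __name__ == "__main__":
    # Constructed sample input (the Chrome URL is the one from the article).
    wl = ["https://play.google.com/work/apps/details?id=com.android.chrome",
          "com.android.settings"]
    bl = ["com.android.chrome", "com.example.bloatware", "Chrome"]
    print(build_lists(wl, bl))
```

A non-empty conflicts list means the same system app was requested as both whitelisted and blacklisted and should be resolved before the profile is deployed.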

Online-2018-02-02-12-05-52.png

 

Common restrictions

Autofill

Specifies whether the device user is allowed to use autofill features. This restriction is supported in devices with Android 8.0 or newer.

Bluetooth sharing

Specifies if outgoing Bluetooth sharing is allowed on the device. This restriction is supported in devices with Android 8.0 or newer.

Camera

Specifies whether the device user is allowed to access the camera. This restriction is supported in devices with Android 4.0 or newer.

Credentials configuration

Specifies whether the device user is allowed to configure user credentials. This restriction is supported in devices with Android 4.3 or newer.

Debugging

Specifies whether the device user is allowed to enable or access debugging features. This restriction is enabled by default when a work profile is installed to the device. This restriction is supported in devices with Android 5.0 or newer.

Language configuration

Specifies whether the device user is allowed to configure/change the device language. This restriction is supported in devices with Android 9.0 or newer.

Location provider configuration

Specifies whether the device user is allowed to enable/disable location providers. This restriction is supported in devices with Android 9.0 or newer.

Location share

Specifies whether the device user is allowed to turn on location sharing. This restriction is supported in devices with Android 4.3 or newer.

NFC outgoing beam

Specifies whether the device user is allowed to use NFC to beam out data from apps. This restriction is supported in devices with Android 5.1 or newer.

Printing

Specifies whether the device user is allowed to print. This restriction is supported in devices with Android 9.0 or newer.

Screen capture

Specifies whether the device user is allowed to take screenshots. This restriction is supported in devices with Android 5.0 or newer.

System error dialogs

Specifies if system error dialogs for crashed or unresponsive apps are allowed and shown. When denied, the system will force stop the apps as if the user chooses the "close app" option on the UI. This restriction is supported in devices with Android 9.0 or newer.

User icon modification

Specifies whether the device user is allowed to change his/her user icon. This restriction is supported in devices with Android 7.0 or newer.

VPN configuration

Specifies whether the device user is allowed to configure VPN. This restriction is supported in devices with Android 5.0 or newer.

Wallpaper modification

Specifies whether the device user is allowed to change the device wallpaper. This restriction is supported in devices with Android 7.0 or newer.

Web links with parent applications

Specifies if parent profile applications can be used to open web links in managed work profile applications. For example, whether Chrome on the primary user can be used to open web links received in the work profile email. This restriction is supported in devices with Android 6.0 or newer.

 

Device Owner 

Add managed profiles

Specifies whether the device user is allowed to add managed profiles. This restriction is supported in devices with Android 8.0 or newer.

Add users

Specifies whether the device user is allowed to add users. This restriction is supported in devices with Android 5.0 or newer.

Adjust volume

Specifies whether the device user is allowed to adjust volume. This restriction is supported in devices with Android 5.0 or newer.

Airplane mode

Specifies whether the device user is allowed to enable the airplane mode. This restriction is supported in devices with Android 9.0 or newer.

Ambient display

Specifies whether the device user is allowed to enable ambient display on the device. This restriction is supported in devices with Android 9.0 or newer.

Audio

Specifies whether the device audio is enabled. Set to denied to mute the audio. This restriction is supported in devices with Android 5.0 or newer.

Backup service

Specifies whether the backup and restore mechanisms are available on the device. This setting is denied by default. This restriction is supported in devices with Android 8.0 or newer.

Bluetooth

Specifies whether the use of Bluetooth is allowed on the device. This restriction is supported in devices with Android 8.0 or newer.

Bluetooth configuration

Specifies whether the device user is allowed to configure Bluetooth settings on the device. This restriction is supported in devices with Android 4.3 or newer.

Brightness configuration

Specifies whether the device user is allowed to change the device's screen brightness. This restriction is supported in devices with Android 9.0 or newer.

Cellular broadcast configuration

Specifies whether the device user is allowed to configure cellular emergency broadcast settings. This restriction is supported in devices with Android 5.0 or newer.

Create windows

Specifies whether the device user is allowed to create windows besides app windows. This restriction is supported in devices with Android 5.0 or newer.

Data roaming

Specifies whether it is allowed to enable data roaming on the device. This restriction is supported in devices with Android 7.0 or newer.

Date and time configuration

Specifies whether the device user is allowed to configure date, time or timezone settings on the device. This restriction is supported in devices with Android 9.0 or newer.

Factory reset

Specifies if factory reset is denied from the settings or using Google device manager. This works only if the manufacturer allows this functionality. This restriction is supported in devices with Android 5.0 or newer.

Fun

Specifies if a user is allowed to have fun. In some cases, the device owner may wish to prevent the user from experiencing amusement or joy while using the device. Controls whether the Easter egg game in Settings is disabled. This restriction is supported in devices with Android 6.0 or newer.

Mobile network configuration

Specifies whether the device user is allowed to configure mobile network settings. This restriction is supported in devices with Android 5.0 or newer.

Mount physical media

Specifies whether the device user is allowed to mount physical external media. This restriction is supported in devices with Android 5.0 or newer.

Network reset

Specifies whether the device user is allowed to reset network settings. This restriction is supported in devices with Android 6.0 or newer.

Outgoing calls

Specifies whether the device user is allowed to make outgoing phone calls. This restriction is supported in devices with Android 5.0 or newer.

Remove managed profiles

Specifies whether the device user is allowed to remove managed profiles from the device. This restriction is supported in devices with Android 8.0 or newer.

Remove users

Specifies whether the device user is allowed to remove users from the device. This restriction is supported in devices with Android 4.3 or newer.

Safe boot

Specifies whether the device user is allowed to reboot the device into safe boot mode. This restriction is supported in devices with Android 6.0 or newer.

Screen off timeout configuration

Specifies whether the device user is allowed to change the screen off timeout setting. This restriction is supported in devices with Android 9.0 or newer.

SMS

Specifies whether the device user is allowed to send or receive SMS messages. This restriction is supported in devices with Android 5.0 or newer.

Tethering configuration

Specifies whether the device user is allowed to configure tethering settings. This restriction is supported in devices with Android 5.0 or newer.

Unknown sources

Specifies whether the device user is allowed to enable the "Unknown sources" setting that allows the installation of apps from sources other than the Google Play Store. This restriction is supported in devices with Android 4.3 or newer. Notice that this setting works only when managing the device in device owner mode and it requires Miradore Online Client version 2.6.5 or newer.

Unmute microphone

Specifies whether the device user is allowed to unmute the microphone. This restriction is supported in devices with Android 5.0 or newer.

USB file transfer

Specifies whether the device user is allowed to transfer files over USB. This restriction is supported in devices with Android 4.3 or newer.

User switch

Specifies if user switching is allowed on the device. This restriction is supported in devices with Android 9.0 or newer.

Wi-Fi configuration

Specifies whether the device user is allowed to configure Wi-Fi settings. This restriction is supported in devices with Android 4.3 or newer.

 

Profile owner

Cross-profile caller ID

Specifies whether the caller-ID information from the work profile will be shown in the private profile for incoming calls. This restriction is supported in devices with Android 5.0 or newer.

Cross-profile contact search

Specifies whether the contact search from the work profile will be shown in the private profile. This restriction is supported in devices with Android 7.0 or newer.

Cross-profile copy paste

Specifies whether the contents of the clipboard of this profile can be pasted to other profiles, e.g. outside of the work profile. Does not restrict whether the clipboard of other profiles can be pasted to this profile. This restriction is supported in devices with Android 5.0 or newer.

Bluetooth contact sharing

Specifies whether Bluetooth devices can access enterprise contacts inside the work profile. This restriction is supported in devices with Android 6.0 or newer.

Share into work profile

Specifies whether the device user can share files, photos or data from the private profile into the work profile either by sending them or by picking up data within an app in the work profile. This restriction is supported in devices with Android 9.0 or newer.

Unified passcode

Specifies whether the work profile is allowed to have a unified lock screen challenge with the private profile. This restriction is supported in devices with Android 9.0 or newer.

 

Account management

Account modification

Specifies whether the device user is allowed to add and remove accounts, unless they are programmatically added by Authenticator. This restriction is supported in devices with Android 4.3 or newer.

Deny account management types

Specifies a list of account types that cannot be managed on the device or work profile. Users cannot add, remove or modify these account types.

In the personal device deployment scenario, the restrictions apply only to the applications and services inside the created work profile, since Miradore Online Client operates as the profile owner of the work data and has limited control outside of the work profile. In other words, Miradore Online Client is no longer the device administrator of the whole device. For example, if you deny the usage of the camera, the camera application and features cannot be used in applications inside the work profile, but the camera application is still available outside of the work profile.

In the work managed device deployment scenario, the restrictions apply to the entire device, since Miradore Online Client is the device owner of the device.

In addition to these restrictions, unknown sources are always disabled when a work profile is enabled on an Android device or a managed account is created. This means that if you want to deploy in-house applications, you must install them as private applications for the managed Google Play Enterprise. For more information about private apps, see Adding private managed Google Play applications.

Play Store for unmanaged accounts

Specifies whether device users are allowed to access the consumer version of the Google Play store using their personal Google Accounts. When denied, device users can only access the managed Google Play store. This restriction allows the device users to add their personal Google account to the device if they want to use other Google services with the personal account. See Restricting the use of personal Google accounts on Android devices for more.

 

More information:

About Android device management

How to configure managed Google Play Enterprise

How to enable work profile to Android devices

How to enroll work managed devices

Creating a configuration profile 

Deploying a configuration profile 

Removing deployed configuration profiles


Please send comments to contact@miradore.com.