Android Enterprise Policy Configurations


Learn how to create a new Policy by following this link: Create and Configure Policies

There are many different settings and configurations that you can apply, and the following eight sections will explain all of the Policy options available:

POLICY CATEGORIES

GENERAL SETTINGS

The general settings section of Android Enterprise policies allows you to configure
device-level settings. The following items can be configured (an explanation is
included where one is needed):

  • Version: Shows the version number of the policy. Every change you make to a
    policy increments the number by 1
  • Default Permission Policy: This setting defines the default permission policy
    for requests for runtime permissions. The possible values include:
    • Default: If the policy is left blank, it will use the default device setting
    • Prompt: Users are prompted to approve the permission
    • Grant: Permissions are automatically granted
    • Deny: Permissions are automatically denied
  • Location Mode: This setting allows you to select the permission policy for location services. The possible values include:
    • Default: If the policy is left blank, it will use the default device setting
    • High Accuracy: GPS is turned on and set to the most accurate setting
    • Sensors Only: This will activate the GPS only and will not utilize network-provided location
    • Battery Saving: This will limit the update frequency of the GPS to save battery
    • Off: GPS and location tracking will be turned off
  • App Auto Update Policy: This setting controls when automatic app updates can be applied. The possible values include:
    • Default: If the policy is left blank, it will use the default device setting
    • User Choice: The end user can control auto-updates
    • Never: Apps are never updated
    • WiFi Only: Apps are auto-updated over Wi-Fi only
    • Always: Apps are auto-updated at any time. Data charges may apply
  • Encryption Policy: This setting allows you to create and enforce an encryption policy on the device for internal and external storage. The possible values include:
    • Default: If the policy is left blank, it will use the default device setting
    • Enable Without Password
    • Enable With Password
  • Play Store Mode: This setting will allow you to whitelist and blacklist applications installed on the device. The possible values include:
    • Default: If the policy is left blank, it will default to Whitelist
    • Whitelist: Only apps that are in the policy are available and any app not in the policy will be automatically uninstalled from the device
    • Blacklist: All apps are available and any app that should not be on the device should be explicitly marked as ‘Blocked’ in the applications policy
  • Screen Capture Disabled: Ability to screenshot is disabled
  • Camera Disabled: Camera app is disabled
  • Add User Disabled: The ability to add users is disabled
  • Adjust Volume Disabled: The ability to change volume is disabled
  • Factory Reset Disabled: Users cannot reset the device
  • Install App Disabled: Users are not allowed to Install apps
  • Mount Physical Media Disabled: Users will not be able to use external media devices such as SD card or USB storage
  • Modify Accounts Disabled: Users will not be able to modify accounts on the device
  • Uninstall Apps Disabled: Users cannot uninstall apps
  • Keyguard Disabled: This setting will disable the device’s lock screen password requirements, allowing the device to auto-launch into an application
  • Bluetooth Contact Sharing Disabled: This setting will disable the ability to share contacts over Bluetooth
  • Bluetooth Config Disabled: Bluetooth is disabled
  • Cell Broadcasts Config Disabled: Cell broadcasts is disabled
  • Credentials Config Disabled: Configuring credentials is disabled
  • Mobile Networks Config Disabled: Mobile data is turned off
  • VPN Config Disabled: VPN is disabled
  • Create Windows Disabled: This setting will prevent the following system UIs from being displayed:
    • Toasts
    • Phone activities (e.g. incoming calls) and priority phone activities (e.g. ongoing calls)
    • System alerts, system errors, and system overlays.
  • Network Reset Disabled: The ability to reset network settings is disabled
  • Outgoing Beam Disabled: This setting prevents users from using NFC to beam data out of applications
  • Outgoing Calls Disabled: Users cannot place outgoing calls
  • Remove User Disabled: The ability to remove users is disabled
  • Share Location Disabled: Location sharing is disabled
  • SMS Disabled: Sending and receiving SMS is disabled
  • Unmute Microphone Disabled: Users cannot unmute the microphone on the device
  • Ensure Verify Apps Enabled: This setting scans apps installed on devices for
    malware before and after they are installed, helping to ensure that corporate
    data can’t be compromised by malicious apps
  • Set User Icon Disabled: This setting will prevent end users from changing or
    setting their user icon of the device
  • Set Wallpaper Disabled: This disables the ability to change the wallpaper on the device
  • Data Roaming Disabled: Data Roaming function is disabled within the device
  • Network Escape Hatch Enabled: This setting will enable the escape hatch feature on your device. If a network connection is not established when a device boots, then the escape hatch asks to temporarily connect to a network and refresh the device policy. After applying the policy, the temporary network is forgotten and the device continues booting. This prevents the device from being stuck without connectivity if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.
  • Bluetooth Disabled: Bluetooth function is disabled in the device
  • Fun Disabled: Controls whether the Easter egg game in Settings is disabled
  • Auto Time Required: This setting will prevent end users from manually setting the date and time
  • Kiosk Custom Launcher Enabled: This setting replaces the home screen with a launcher that locks down the device to the apps installed via the applications setting. Apps appear on a single page in alphabetical order. The status bar is disabled when this is set.
  • Skip First Use Hints Enabled: This setting enables the system recommendation that apps skip their user tutorial and other introductory hints on first start-up
  • Private Key Selection Enabled: This setting allows showing UI on a device for an end user to choose a private key alias if there are no matching rules configured.
  • Device Connectivity Management:
    • USB Data Access – Set what data can be transferred via USB port on the device.
      • Allow All Data Transfer = All types of USB data transfers are allowed
      • Disallow File Transfer = Transferring files over USB is disallowed. Other types of USB data connections, such as mouse and keyboard connection, are allowed.
      • Disallow Data Transfer = When set, all types of USB data transfers are prohibited. Supported for devices running Android 12 or above with USB HAL 1.3 or above. If the setting is not supported, Disallow File Transfer will be set. A Non-Compliance is reported if the Android version is less than 12 or the device does not have USB HAL 1.3 or above.
    • Configure WiFi – Set whether users can change the WiFi settings on the device.
      • Allow Configuring WiFi = The user is allowed to configure Wi-Fi
      • Disallow Adding WiFi Config = Adding new Wi-Fi configurations is disallowed. The user is only able to switch between already configured networks. Supported on Android 13 and above, on fully managed devices and work profiles on company-owned devices. If the setting is not supported, Allow Configuring WiFi is set. A Non-Compliance is reported if the Android version is less than 13
      • Disallow Configuring WiFi = Disallows configuring Wi-Fi networks. Supported on fully managed devices and work profile on company-owned devices, on all supported API levels. For fully managed devices, setting this removes all configured networks and retains only the networks configured using Network Configurations section in the policy. For work profiles on company-owned devices, existing configured networks are not affected and the user is not allowed to add, remove, or modify Wi-Fi networks
        • NOTE: If a network connection can’t be made at boot time and configuring Wi-Fi is disabled then network escape hatch will be shown in order to refresh the device policy (see Network Escape Hatch Enabled).
    • WiFi Direct Settings – Allow or Disallow WiFi Direct
      • Allow WiFi Direct = The user is allowed to use Wi-Fi direct
      • Disallow WiFi Direct = The user is not allowed to use Wi-Fi direct. A Non-Compliance is reported if the Android version is less than 13
    • Tethering Settings – Set what type of tethering is allowed on the device
      • Allow All = Allows configuration and use of all forms of tethering
      • Disallow Wifi = Disallows the user from using Wi-Fi tethering. Supported on company-owned devices running Android 13 and above. If the setting is not supported, Allow All will be set. A Non-Compliance is reported if the Android version is less than 13
      • Disallow All = Disallows all forms of tethering. Supported on fully managed devices and work profile on company-owned devices, on all supported Android versions
  • Untrusted Apps Policy:
    • Disallow Install = Default. Disallow untrusted app installs on entire device
    • Allow Install in Personal Profile Only = For devices with work profiles, allow untrusted app installs in the device’s personal profile only
    • Allow Install Device Wide = Allow untrusted app installs on entire device
  • Google Play Protect Verify Apps: This setting controls whether Google Play Protect is enabled. Google Play Protect scans apps installed on devices for
    malware before and after they are installed, helping to ensure that corporate
    data can’t be compromised by malicious apps. It will also prevent non-Play Store Apps from remaining on the device. The following are setting options:
    • Force-enable app verification – Play Protect App Verification will be turned on
    • Allow user to choose enable app verification – User will be able to choose to turn on or off Play Protect App Verification
    • Unspecified – The Policy will not make any adjustments to the device setting
  • Developer Settings: This setting controls access to developer settings, including Developer Options and Safe Boot. The following are the setting options:
    • Disable all developer settings – Safe Boot and Developer Options will both be disabled, and will not be able to be enabled by a user on the device.
    • Allow all developer settings – Safe Boot and Developer Options will be allowed on the device, but a user can toggle Developer options off on the device
    • Unspecified – The Policy will not make any adjustments to the device setting
  • Common Criteria Mode: This setting controls security standards defined in the Common Criteria for Information Technology Security Evaluation. Enabling Common Criteria Mode increases certain security components on a device, including AES-GCM encryption of Bluetooth Long Term Keys, and Wi-Fi configuration stores.

REPORTING SETTINGS

The following settings control the behavior of application reports.
  • Application Reports Enabled: This setting will allow reports to be generated, which show details of apps installed on the device
  • Device Settings Enabled: This setting enables reporting information about security-related device settings on devices
  • Software Info Enabled: This setting enables reporting of device software
  • Network Info Enabled: This setting enables reporting of device network information
  • Power Management Events Enabled: This setting enables reporting of power management events
  • Hardware Status Enabled: This setting enables hardware reporting to capture device hardware information

APPLICATION CONTROL

Application control allows you to limit application access on your devices. Before you can configure the policy, all applications that you would like to manage will need to be added to the “Apps” tab first (Learn how here). Once you have added all of your applications to the Apps tab, select the + on the “Add policy for an individual app” bar. Now, under the “General” section, you will configure what applications will do on your devices. The following options are configurable:
  • App: Select your application from the available list of apps.
  • Install Type:
    • Default: Unspecified. Defaults to Available
    • Pre-Installed: The app is automatically installed and can be removed by the user
    • Force Installed: The app is automatically installed and cannot be removed by the user
    • Blocked: The app is blocked and cannot be installed. If the app was installed under a previous policy, it will be uninstalled
    • Available: The app is available to install
    • Required For Setup: The app is automatically installed and cannot be removed by the user and will prevent setup from completion until installation is complete
    • Kiosk: The app is automatically installed in kiosk mode: it is set as the preferred home intent and whitelisted for lock task mode. Device setup won’t complete until the app is installed. After installation, users will not be able to remove the app. You can only set this Install Type for one app per policy. When this is present in the policy, status bar will be automatically disabled.
  • Managed Config: If you have an app configuration created, you can select it from this drop-down menu
  • Permissions: The permission policy for this app. The possible values include:
    • Default: If no policy is specified for a permission at any level, then the prompt behavior is used by default
    • Prompt: Will prompt the end user to grant permissions
    • Grant: Will automatically grant permissions
    • Deny: Will automatically deny permissions
  • Minimum Version: Entering a minimum version allows you to force the specified app to update immediately if it is below the minimum version on any device assigned to the Policy.
  • App Update Mode: Controls the auto-update mode for the app.
    • Default: The app is automatically updated with low priority to minimize the impact on the user.
      • The app is updated when all of the following constraints are met:
        • The device is not actively used.
        • The device is connected to an unmetered network.
        • The device is charging.
      • The device is notified about a new update within 24 hours after it is published by the developer, after which the app is updated the next time the constraints above are met.
    • Postpone: The app’s automatic update will be postponed for a maximum of 90 days after the app becomes out of date.
      • 90 days after the app becomes out of date, the latest available version is installed automatically with low priority (see Default). After the app is updated it is not automatically updated again until 90 days after it becomes out of date again.
      • The user can still manually update the app from the Play Store at any time.
    • High Priority: The app is updated as soon as possible. No constraints are applied.
      • The device is notified immediately about a new update after it becomes available.

PASSWORD REQUIREMENTS

This section will cover the optional requirements that you can use to unlock a device. The following password requirement options are available:
  • Quality: The required password quality.
    • Default: There are no password requirements
    • Biometric Weak: The device must be secured with a low-security biometric recognition technology, at minimum. This includes technologies that can recognize the identity of an individual that are roughly equivalent to a 3-digit PIN (false detection is less than 1 in 1,000)
    • Something: A password is required, but there are no restrictions on what the password must contain
    • Numeric: The password must contain numeric characters
    • Numeric Complex: The password must contain numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences
    • Alphabetic: The password must contain alphabetic (or symbol) characters
    • Alphanumeric: The password must contain both numeric and alphabetic (or symbol) characters
    • Complex: The password must meet the minimum requirements specified in password Minimum Length, password Minimum Letters, password Minimum Symbols, etc.
  • Minimum Length: The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password Quality is Numeric, Numeric Complex, Alphabetic, Alphanumeric, or Complex
  • History Length: The length of the password history. After setting this field, the user will not be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction
  • Maximum Failed Passwords For Wipe: Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction
  • Expiration Timeout: Password expiration timeout. Duration in days

SYSTEM UPDATES

This section sets the type of system update configuration. The possible values include:
  • Default: Follow the default update behavior for the device, which typically requires the user to accept system updates
  • Automatic: Install automatically as soon as an update is available
  • Windowed: Install automatically within a daily maintenance window. This also configures Play apps to be updated within the window. This is strongly recommended for kiosk devices because this is the only way apps persistently pinned to the foreground can be updated by the Google Play Store
  • Postpone: Postpone automatic install up to a maximum of 30 days
  • Freeze Period: Set up a time window that repeats annually during which no system updates will occur. One Freeze Period can last no longer than 90 days. Multiple Freeze Periods must be separated by at least 60 days.

ENFORCEMENT RULES

An enforcement rule defines the actions to take if a device or work profile is not compliant with the policy specified in Setting Name.
  • Setting Name: The top-level policy to enforce. Define the actions to take if a device is not compliant with the specified setting. The following options are available:
    • Application Policies
    • Password Policies
    • Encryption Policies
  • Block After Days: Number of days the policy is non-compliant before the device is blocked. To block access immediately, set to 0. Block After Days must be less than Wipe After Days
  • Wipe After Days: Number of days the policy is non-compliant before the device is wiped. Wipe After Days must be greater than Block After Days
  • Preserve Data: Whether the factory-reset protection data is preserved on the device
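The Application Control, Password Requirements, System Updates and Enforcement Rules sections above each state a constraint a policy must satisfy; this added linter (not Moki's own code) checks all of them on a constructed dict that stands in for the console's settings, with the annual freeze-period arithmetic carried across the year boundary.

```python
"""Lint a policy against constraints this article states: one Kiosk app per
policy, Minimum Length only enforced for some password Qualities, Freeze Period
length/spacing, and Block After Days < Wipe After Days. Added example: the dict
layout is a constructed stand-in for the console's settings, not Moki's format."""
from datetime import date

# Password qualities for which the article says Minimum Length is enforced.
LENGTH_ENFORCED = {"Numeric", "Numeric Complex", "Alphabetic", "Alphanumeric",
                   "Complex"}
MAX_FREEZE_DAYS = 90      # one Freeze Period may last no longer than 90 days
MIN_FREEZE_GAP_DAYS = 60  # multiple Freeze Periods must be 60+ days apart


def _day_of_year(month, day):
    # Freeze periods repeat annually, so a fixed non-leap year is the calendar.
    return date(2023, month, day).timetuple().tm_yday


def freeze_period_length(period):
    """Inclusive days in a (start_month, start_day, end_month, end_day) window;
    an end earlier than the start means the window wraps over New Year."""
    start = _day_of_year(period[0], period[1])
    end = _day_of_year(period[2], period[3])
    return end - start + 1 if end >= start else (365 - start + 1) + end


def freeze_gap_days(first, second):
    """Days from the end of `first` to the start of `second`, going forward."""
    gap = _day_of_year(second[0], second[1]) - _day_of_year(first[2], first[3]) - 1
    return gap if gap >= 0 else gap + 365


def lint_policy(policy):
    """Return a list of findings; empty means no documented constraint is broken."""
    findings = []

    pw = policy.get("password_requirements", {})
    if pw.get("minimum_length", 0) > 0 and pw.get("quality") not in LENGTH_ENFORCED:
        findings.append("password: Minimum Length is only enforced when Quality is "
                        "Numeric, Numeric Complex, Alphabetic, Alphanumeric or Complex")

    kiosk = [a["app"] for a in policy.get("applications", [])
             if a.get("install_type") == "Kiosk"]
    if len(kiosk) > 1:
        findings.append(f"applications: only one app per policy may use Install "
                        f"Type Kiosk, found {kiosk}")

    for rule in policy.get("enforcement_rules", []):
        block, wipe = rule.get("block_after_days"), rule.get("wipe_after_days")
        if block is not None and wipe is not None and not block < wipe:
            findings.append(f"enforcement[{rule.get('setting_name')}]: Block After "
                            f"Days ({block}) must be less than Wipe After Days ({wipe})")

    # Check each period's length, then the gap to its calendar-order neighbour,
    # including the wrap from the last period back round to the first.
    periods = sorted(policy.get("freeze_periods", []),
                     key=lambda p: _day_of_year(p[0], p[1]))
    for p in periods:
        if freeze_period_length(p) > MAX_FREEZE_DAYS:
            findings.append(f"freeze period {p}: {freeze_period_length(p)} days, "
                            f"limit is {MAX_FREEZE_DAYS}")
    if len(periods) > 1:
        for a, b in zip(periods, periods[1:] + periods[:1]):
            if freeze_gap_days(a, b) < MIN_FREEZE_GAP_DAYS:
                findings.append(f"freeze periods {a} and {b}: only {freeze_gap_days(a, b)}"
                                f" days apart, need at least {MIN_FREEZE_GAP_DAYS}")
    return findings


# Constructed sample policy that trips every check above.
SAMPLE_POLICY = {
    "password_requirements": {"quality": "Something", "minimum_length": 6},
    "applications": [{"app": "com.example.kiosk", "install_type": "Kiosk"},
                     {"app": "com.example.signage", "install_type": "Kiosk"}],
    "enforcement_rules": [{"setting_name": "Password Policies",
                           "block_after_days": 10, "wipe_after_days": 5}],
    # (start_month, start_day, end_month, end_day); the first wraps over New Year
    "freeze_periods": [(12, 1, 1, 15), (2, 1, 5, 10)],
}
```

Running `lint_policy(SAMPLE_POLICY)` yields five findings, one per violated constraint; the Minimum Length finding is the one most often missed, because a length set under Quality "Something" is silently ignored by the device.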

NETWORK CONFIGURATIONS

Always-on VPN Connection – Configuration for an always-on VPN connection. Use VPN Config Disabled to prevent modification of this setting.
  • VPN App Package Name: Package name for the VPN app
  • Lockdown Enabled: Disallows networking when the VPN is not connected.

Recommended Global Proxy

  • Host: The host of the direct proxy.
  • Port: The port of the direct proxy.
  • PAC URI: The URI of the PAC script used to configure the proxy.
  • Excluded Hosts: For a direct proxy, the hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com.

WiFi Network Settings:

In order to save a WiFi network on your devices, select the green + button on the top-right. Once you have done this, you will be able to configure the WiFi network settings as desired.

Network
  • Name: User-friendly description of this connection. This name will not be used for referencing and may not be unique. Instead it may be used for describing the network to the user.
  • GUID: Unique identifier for this network connection, which exists to make it possible to update previously imported configurations. Must be a non-empty string. To generate a GUID or learn more about GUIDs, you can go to Free Online GUID/UUID Generator

WiFi Settings
  • SSID: Enter the SSID (or network name) here.
  • Security: Property to access the decoded SSID of a network.
    • WEP-PSK
    • WPA-PSK
    • WPA-EAP: When applying this Security requirement you will have to fill out the following additional certificate fields.
  • Auto Connect: Indicates whether the device should connect to the network automatically when in range
  • SSID Hidden: Indicates whether the SSID is broadcast.

KEYGUARD FEATURES

Keyguard refers to the lock screen of the devices. These settings allow you to block access to the specified features on the device’s lock screen. Those features consist of:
  • All Features: Disable all features
  • Camera: Disable the camera on secure keyguard screens (e.g. PIN).
  • Unredacted Notifications: Disable unredacted notifications on secure keyguard screens.
  • Fingerprint Sensor: Disable fingerprint sensor on secure keyguard screens.
  • Face Authentication: Disable face authentication on secure keyguard screens.
  • Biometrics: Disable all biometric authentication on secure keyguard screens.
  • Notifications: Disable showing all notifications on secure keyguard screens.
  • Trust Agents: Ignore trust agent state on secure keyguard screens.
  • Remote Input: Disable text entry into notifications on secure keyguard screens.
  • Iris Authentication: Disable iris authentication on secure keyguard screens.

KIOSK CUSTOMIZATION

Additional device configurations available when using the “Kiosk Custom Launcher”, or using a single app with an Install Type of “Kiosk” (App Lock)
  • Power Button Actions: Controls actions available when the power button is long-pressed (held down)
    • Available: When this setting is selected, if the Power button is long-pressed, a user will be given the option to power off the device, or restart the device.
    • Blocked: When this setting is selected, if the Power button is long-pressed, nothing will happen.
  • System Navigation: Controls access to the Home and Recent Apps buttons
    • Enabled: Both the Home and Recent Apps buttons will be enabled
    • Disabled: Both the Home and Recent Apps buttons will be disabled.
    • Home Button Only: Only the Home button will be enabled. The Recent Apps button will be disabled.
  • Device Settings: Controls whether the Device Settings can be accessed
    • Enabled: Device Settings can be accessed from any location there is a link to Device Settings
    • Blocked: Device Settings access is blocked from any location there is a link to Device Settings
  • System Error Warnings: Controls whether system error dialogs for crashed or unresponsive apps are blocked
    • Enabled: System error dialogs for crashed and unresponsive apps will be displayed on the device
    • Muted: System error dialogs for crashed and unresponsive apps will be blocked from displaying on the device
  • Status Bar: Controls whether system info in the top-info bar and notifications are disabled
    • System Info Enabled: All system info and notifications are enabled and accessible in the top-info menu bar
    • System Info Disabled: All system info and notifications are disabled and access to the top-info menu bar is blocked
    • System Info Only: System info, such as time, battery level, WiFi and cellular data signal strength, will be visible in the top-info menu bar. However, notifications and the swipe-down feature will be disabled

STAY ON MODES

Allows a user to set the device screen to always stay on, and never sleep, as long as it is plugged in and charging with one of the selected charging methods
  • AC: Device screen will stay on while charging using an AC charger.
  • USB: Device screen will stay on while charging using a USB port power source.
  • Wireless: Device screen will stay on while charging using a wireless power source

USER FACING MESSAGES

  • Short Support Message: A message displayed to the user in the settings screen wherever functionality has been disabled by the admin
  • Long Support Message: Typically used in the same place as a Short Support Message when there is an option for “more details,” the Long Support Message will display
  • Device Owner Lock Screen Info: Message that will display on the lock screen of the device. Could be used to display the device owner info

SETUP ACTIONS

Allows you to require the launch and configuration of an app during device enrollment and setup. You can specify one app to be launched during device enrollment and setup. This app must return RESULT_OK to signal completion and allow the remaining device setup and enrollment to complete.
  • Title: Title of the action. Will be displayed to the user on the device during setup
  • Description: Description of the action needed. Will be displayed to the user on the device during setup
  • Launch App (Package Name): The Package Name of the app required to launch and configure during device enrollment and setup

PRIVATE KEY RULES

Rules for automatically choosing a private key and certificate to authenticate the device to a server. The rules are ordered by increasing precedence, so if an outgoing request matches more than one rule, the last rule defines which private key to use.
  • URL Pattern: The URL pattern to match against the URL of the outgoing request. The pattern may contain asterisk (*) wildcards. Any URL is matched if unspecified
  • Package Names: The package names for which outgoing requests are subject to this rule. If no package names are specified, then the rule applies to all packages. For each package name listed, the rule applies to that package and all other packages that share the same Android UID. The SHA256 hash of the signing key signatures of each package name will be verified against those provided by Play
  • Private Key Alias: The alias of the private key to be used.
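The precedence, wildcard and package rules just described, worked through in an added example (not Moki's or Android's code): rule dicts and the package-to-UID map are constructed stand-ins, and the Play signing-key verification is left out.

```python
"""Resolve which Private Key Alias an outgoing request gets under the rules this
article describes: rules are ordered by increasing precedence (last match wins),
URL Pattern supports * wildcards and matches any URL when empty, and an empty
Package Names list applies to every package. Added example; the rule dicts and
the uid_of map are a constructed stand-in, not Moki's or Android's own format."""
import re


def url_matches(pattern, url):
    """True when `url` matches `pattern`, where each * stands for any run of
    characters (including none); an empty pattern matches every URL."""
    if not pattern:
        return True
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None


def package_covered(package_name, listed, uid_of):
    """A listed package covers itself and any package sharing its Android UID.
    (The article's Play signing-key check is not modelled here.)"""
    if package_name in listed:
        return True
    uid = uid_of.get(package_name)
    return uid is not None and any(uid_of.get(p) == uid for p in listed)


def choose_private_key(rules, url, package_name, uid_of=None):
    """Return the alias of the last rule matching the request, or None."""
    uid_of = uid_of or {}
    chosen = None
    for rule in rules:  # later rules override earlier ones, so keep overwriting
        if not url_matches(rule.get("url_pattern", ""), url):
            continue
        listed = rule.get("package_names", [])
        if listed and not package_covered(package_name, listed, uid_of):
            continue
        chosen = rule["private_key_alias"]
    return chosen


# Constructed rule set, lowest precedence first.
RULES = [
    {"url_pattern": "", "package_names": [], "private_key_alias": "device-default"},
    {"url_pattern": "https://*.corp.example.com/*", "package_names": [],
     "private_key_alias": "corp-mtls"},
    {"url_pattern": "https://vpn.corp.example.com/*",
     "package_names": ["com.example.vpnclient"], "private_key_alias": "vpn-client"},
]
# Constructed package-to-UID map: the helper shares the VPN client's UID.
SHARED_UIDS = {"com.example.vpnclient": 10042, "com.example.vpnhelper": 10042}
```

Note that a * in this matcher spans slashes as well, so a host wildcard such as `https://*.corp.example.com/*` also matches a URL on another host whose path contains `.corp.example.com/`; test your patterns before relying on them to scope a key to one host.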

INTENT HANDLER ACTIVITIES

A default activity for handling intents that match a particular intent filter.
  • Receiver Activity: The activity that should be the default intent handler. This should be an Android component name, e.g. com.android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent
  • Actions: The intent actions to match in the filter. If any actions are included in the filter, then an intent’s action must be one of those values for it to match. If no actions are included, the intent action is ignored
  • Categories: The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent
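The action and category matching rules stated above, applied in an added example (not Moki's or Android's code) to constructed handler entries; which handler wins when several match is not stated on the page, so this picks the first in list order, which is an assumption.

```python
"""Pick the default Receiver Activity for an intent using the matching rules
this article states: a filter with Actions requires the intent's action to be one
of them (no Actions means the action is ignored), and every category the intent
carries must be present in the filter's Categories. Added example; the handler
dicts are a constructed stand-in for the console entries, and first-match order
among several matching handlers is an assumption."""


def filter_matches(handler, action, categories):
    """True when the handler's filter matches an intent with this action and
    these required categories."""
    actions = handler.get("actions", [])
    if actions and action not in actions:
        return False
    # Extra categories in the filter are harmless; extra ones in the intent are not.
    return set(categories) <= set(handler.get("categories", []))


def default_handler(handlers, action, categories=()):
    """Return the Receiver Activity of the first handler whose filter matches."""
    for handler in handlers:
        if filter_matches(handler, action, categories):
            return handler["receiver_activity"]
    return None


# Constructed handler list: a kiosk launcher that claims the HOME intent, and a
# viewer app (given as a bare package name) for browsable VIEW intents.
HANDLERS = [
    {"receiver_activity": "com.example.kiosk/.MainActivity",
     "actions": ["android.intent.action.MAIN"],
     "categories": ["android.intent.category.HOME",
                    "android.intent.category.DEFAULT"]},
    {"receiver_activity": "com.example.viewer",
     "actions": ["android.intent.action.VIEW"],
     "categories": ["android.intent.category.DEFAULT",
                    "android.intent.category.BROWSABLE"]},
]
```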
