Android Enterprise Policy Configurations

How to configure Policies in Android Enterprise

There are a lot of different settings and configurations that you can apply, and the following sections explain the policy options available:

POLICY CATEGORIES

[Image: overview of the policy configuration categories]

GENERAL SETTINGS

The general settings section of Android Enterprise policies configures device-wide
behaviour and user restrictions. The following items can be configured (where an
explanation is needed, it is included):

  • Version: Shows the version number of the policy. Every change you make to
    the policy increments the number by 1
  • Default Permission Policy: This setting defines the default permission policy
    for requests for runtime permissions. The possible values include:
    • Default: If the policy is left blank, it will use the default device setting
    • Prompt: Users are prompted to approve the permission
    • Grant: Permissions are automatically granted
    • Deny: Permissions are automatically denied
  • Location Mode: This setting allows you to select the permission policy for location services. The possible values include:
    • Default: If the policy is left blank, it will use the default device setting
    • High Accuracy: GPS is turned on and set to the most accurate setting
    • Sensors Only: This will activate the GPS only and will not utilize network-provided location
    • Battery Saving: This will limit the update frequency of the GPS to save battery
    • Off: GPS and location tracking will be turned off
  • App Auto Update Policy: This setting controls when automatic app updates can be applied. The possible values include:
    • Default: If the policy is left blank, it will use the default device setting
    • User Choice: The end user can control auto-updates
    • Never: Apps are never updated
    • WiFi Only: Apps are auto-updated over Wi-Fi only
    • Always: Apps are auto-updated at any time. Data charges may apply
  • Encryption Policy: This setting allows you to create and enforce an encryption policy on the device for internal and external storage. The possible values include:
    • Default: If the policy is left blank, it will use the default device setting
    • Enable Without Password: Storage encryption is required, but no password is required to boot the device
    • Enable With Password: Storage encryption is required and a password must be entered before the device finishes booting
  • Play Store Mode: This setting will allow you to whitelist and blacklist applications installed on the device. The possible values include:
    • Default: If the policy is left blank, it will default to Whitelist
    • Whitelist: Only apps that are in the policy are available and any app not in the policy will be automatically uninstalled from the device
    • Blacklist: All apps are available and any app that should not be on the device should be explicitly marked as 'Blocked' in the applications policy
  • Screen Capture Disabled: Ability to screenshot is disabled
  • Camera Disabled: Camera app is disabled
  • Add User Disabled: The ability to add users is disabled
  • Adjust Volume Disabled: The ability to change volume is disabled
  • Factory Reset Disabled: Users can not reset the device

NOTE: It is highly recommended that Factory Reset Disabled is turned on, to prevent any undesired reset of your devices; a reset also removes the device from management until it is re-enrolled.

  • Install App Disabled: Users are not allowed to Install apps
  • Mount Physical Media Disabled: Users will not be able to use external media devices such as SD card or USB storage
  • Modify Accounts Disabled: Users will not be able to add or remove accounts on the device
  • Safe Boot Disabled: Users will not be able to reboot the device into safe mode (safe mode starts without third-party apps, which would otherwise let a user get around the managed apps)
  • Uninstall Apps Disabled: This setting takes away the ability for the user to uninstall apps
  • Keyguard Disabled: This setting disables the device's lock screen (keyguard), allowing the device to auto-launch into an application. It has no effect while a password requirement is set
  • Bluetooth Contact Sharing Disabled: This setting will disable the ability to share contacts over Bluetooth
  • Bluetooth Config Disabled: Users cannot change Bluetooth settings (Bluetooth itself stays available; to switch it off use Bluetooth Disabled below)
  • Cell Broadcasts Config Disabled: Users cannot change cell broadcast settings
  • Credentials Config Disabled: Users cannot install or manage credentials such as CA certificates and client certificates
  • Mobile Networks Config Disabled: Users cannot change mobile network settings (this does not turn mobile data off)
  • Tethering Config Disabled: Users cannot configure tethering or portable hotspots
  • VPN Config Disabled: Users cannot configure VPNs (VPN itself is not switched off)
  • Create Windows Disabled: Apps cannot create windows other than normal app windows, such as overlays drawn on top of other apps
  • Network Reset Disabled: Users cannot reset the device's network settings
  • Outgoing Beam Disabled: This setting will disable users from using NFC to beam out data from applications
  • Outgoing Calls Disabled: Ability to perform outgoing calls is taken away
  • Remove User Disabled: The ability to remove users is disabled
  • Share Location Disabled: Location sharing is disabled
  • SMS Disabled: Users cannot send or receive SMS messages
  • Unmute Microphone Disabled: This setting takes away the ability to unmute the microphone on the device
  • USB File Transfer Disabled: Users cannot transfer files to or from the device over USB
  • Ensure Verify Apps Enabled: This setting scans apps installed on devices for
    malware before and after they are installed, helping to ensure that corporate
    data can't be compromised by malicious apps
  • Set User Icon Disabled: This setting will prevent end users from changing or
    setting their user icon of the device
  • Set Wallpaper Disabled: This disables the ability to change the wallpaper on the device
  • Data Roaming Disabled: Data roaming is disabled on the device
  • Network Escape Hatch Enabled: This setting enables the escape hatch feature on your device. If a network connection cannot be established when the device boots, the escape hatch prompts the user to temporarily connect to a network and refresh the device policy. After the policy is applied, the temporary network is forgotten and the device continues booting. This prevents a device from becoming unreachable when:
    • There is no suitable network in the last policy
    • The device boots into an app in lock task mode
    • The user is otherwise unable to reach the device settings
  • Bluetooth Disabled: Bluetooth function is disabled in the device
  • Install From Unknown Sources Allowed: This setting allows the user to install apps from sources other than the managed Play Store (sideloading). Leave it off unless there is a specific need, since it bypasses the app allowlist
  • Debugging Features Allowed: This setting allows the user to enable developer debugging features such as USB debugging (adb). Leave it off on production devices, since adb exposes a debugging shell and file access to anyone who can connect a cable and accept the authorization prompt
  • Fun Disabled: Controls whether the Easter egg game in Settings is disabled
  • Auto Time Required: This setting will prevent end users from manually setting the date and time
  • Kiosk Custom Launcher Enabled: This setting replaces the home screen with a launcher that locks down the device to the apps installed via the applications setting. Apps appear on a single page in alphabetical order. The status bar is disabled when this is set. Note: applications configured via the “Application Control” section of this profile cannot be set to “Kiosk” under “Install Type” or the policy will fail to install.
  • Skip First Use Hints Enabled: This setting can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up
  • Private Key Selection Enabled: This setting allows showing UI on a device for an end user to choose a private key alias if there are no matching rules configured.
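As an added example, not Moki's or Google's code, the fragment below shows the general settings above for a locked-down kiosk device in the shape of an Android Management API policy, next to a small check that flags settings left in the state that widens the attack surface (sideloading, adb, safe mode, factory reset, USB transfer, removable media, credential installation). The camelCase field names are the API's; that each Moki label maps onto the like-named API field is an assumption of this example, and both policy fragments are constructed.

```python
# Added example (not Moki's or Google's code): a general-settings fragment for a
# locked-down kiosk device in the shape of an Android Management API policy, plus
# a check that flags settings left in the state that widens the attack surface.
# The camelCase field names are the API's; that each Moki label maps onto the
# like-named API field is an assumption of this example.

# Constructed table of the settings worth checking: (field, value that weakens
# the device, why it matters).  A "...Disabled" restriction that is absent from a
# policy is simply not applied, so absence is treated the same as False.
RISKY = [
    ("installUnknownSourcesAllowed", True,  "sideloading bypasses the Play Store allowlist"),
    ("debuggingFeaturesAllowed",     True,  "USB debugging (adb) exposes a shell over the cable"),
    ("safeBootDisabled",             False, "safe mode boots without third-party apps, including the kiosk app"),
    ("factoryResetDisabled",         False, "a reset removes the device from management"),
    ("ensureVerifyAppsEnabled",      False, "app verification (malware scanning) can be switched off"),
    ("usbFileTransferDisabled",      False, "files can be pulled from or pushed to the device over USB"),
    ("mountPhysicalMediaDisabled",   False, "SD cards and USB storage can carry data in or out"),
    ("credentialsConfigDisabled",    False, "the user can install CA certificates and client credentials"),
]

# Constructed hardened fragment: every restriction a single-purpose kiosk can live with.
LOCKED_DOWN_KIOSK = {
    "defaultPermissionPolicy": "GRANT",        # a kiosk app cannot answer prompts itself; keep the app list small
    "locationMode": "BATTERY_SAVING",
    "appAutoUpdatePolicy": "WIFI_ONLY",
    "encryptionPolicy": "ENABLED_WITHOUT_PASSWORD",
    "playStoreMode": "WHITELIST",              # anything not in the policy is uninstalled
    "screenCaptureDisabled": True,
    "cameraDisabled": True,
    "addUserDisabled": True,
    "removeUserDisabled": True,
    "factoryResetDisabled": True,
    "installAppsDisabled": True,
    "uninstallAppsDisabled": True,
    "mountPhysicalMediaDisabled": True,
    "modifyAccountsDisabled": True,
    "safeBootDisabled": True,
    "credentialsConfigDisabled": True,
    "mobileNetworksConfigDisabled": True,
    "tetheringConfigDisabled": True,
    "vpnConfigDisabled": True,
    "networkResetDisabled": True,
    "outgoingBeamDisabled": True,
    "usbFileTransferDisabled": True,
    "ensureVerifyAppsEnabled": True,
    "installUnknownSourcesAllowed": False,
    "debuggingFeaturesAllowed": False,
    "autoTimeRequired": True,                  # certificate and token validity checks need a correct clock
    "networkEscapeHatchEnabled": True,         # a lock-task device whose Wi-Fi vanished can still fetch policy
    "kioskCustomLauncherEnabled": True,
}

# Constructed weak fragment: only the two "Allowed" flags are set and every
# restriction is left unset.
PERMISSIVE = {
    "installUnknownSourcesAllowed": True,
    "debuggingFeaturesAllowed": True,
}


def risky_settings(policy: dict) -> list[str]:
    """Return one finding per general setting left in its weakening state."""
    findings = []
    for field, weak_value, why in RISKY:
        actual = policy.get(field, False)
        if actual == weak_value:
            findings.append(f"{field}={actual}: {why}")
    return findings


if __name__ == "__main__":
    for name, policy in (("locked-down kiosk", LOCKED_DOWN_KIOSK), ("permissive", PERMISSIVE)):
        findings = risky_settings(policy)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The check treats a missing restriction as an applied weakness on purpose: every "Disabled" setting in this section defaults to off, so a policy that simply omits Safe Boot Disabled or Factory Reset Disabled leaves those escape routes open even though nothing in the policy looks wrong.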

REPORTING SETTINGS

The following settings control the behavior of application reports.

Note: battery percentage and some other reports will not be displayed in Moki unless they are enabled here.

  • Application Reports Enabled: This setting will allow reports to be
    generated, which show details of apps installed on the device
  • Device Settings Enabled: This setting enables reporting information about
    security-related device settings on devices
  • Software Info Enabled: This setting enables reporting of device software
  • Network Info Enabled: This setting enables reporting of device network
    information
  • Power Management Events Enabled: This setting enables reporting of
    power management events
  • Hardware Status Enabled: This setting enables hardware reporting to
    capture device hardware information

APPLICATION CONTROL

Application control allows you to limit application access on your devices. Before
you can configure the policy, all applications that you would like to manage will need to
be added to the “Apps” tab first. Once you have added all of your applications to
the Apps tab, select the + on the “Add policy for an individual app” bar. Now, under
the “General” section, you will configure what applications will do on your devices.
The following options are configurable:

  • App: Select your application from the available list of apps.
  • Install Type:
    • Default: Unspecified. Defaults to Available
    • Pre-Installed: The app is automatically installed and can be removed
      by the user
    • Force Installed: The app is automatically installed and cannot be
      removed by the user
    • Blocked: The app is blocked and cannot be installed. If the app was
      installed under a previous policy, it will be uninstalled
    • Available: The app is available to install
    • Required For Setup: The app is automatically installed and cannot be
      removed by the user and will prevent setup from completion until
      installation is complete
    • Kiosk: The app is automatically installed in kiosk mode: it is set as the preferred home intent and whitelisted for lock task mode. Device setup won't complete until the app is installed. After installation, users will not be able to remove the app. You can only set this Install Type for one app per policy. When this is present in the policy, the status bar will be automatically disabled.
  • Managed Config: If you have an app configuration created, you can select it from this drop-down menu
  • Permissions: Default Permission Policy
    • Default: If no policy is specified for a permission at any level, then the prompt behavior is used by default
    • Prompt: Will prompt the end user to grant permissions
    • Grant: Will automatically grant permissions
    • Deny: Will automatically deny permissions

Note: you can also grant permission for specific requests by selecting the +
icon under “Grants.” You can then select the permission and the policy for
each individual permission
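The permission settings above stack: a per-permission grant on an app beats the app's own Default Permission Policy, which beats the policy-wide Default Permission Policy, and with nothing set the device prompts. The added example below, not Moki's or Google's code, resolves that precedence for a given app and permission and checks the Install Type constraints this section states (one Kiosk app per policy, Kiosk incompatible with the Kiosk Custom Launcher general setting, Blacklist mode doing nothing until something is marked Blocked). Field and enum names follow the Android Management API policy resource; the one-to-one mapping from Moki's labels is an assumption, and the package names are constructed.

```python
# Added example (not Moki's or Google's code): how the permission policy an app
# actually receives is resolved, and a check of the Install Type constraints the
# Application Control section lists.  Field and enum names follow the Android
# Management API policy resource; that Moki's labels map onto them one-to-one is
# an assumption here, and the package names are constructed.

PROMPT = "PROMPT"


def effective_permission_policy(policy: dict, package: str, permission: str) -> str:
    """Most specific rule wins: a per-permission grant on the app, then the app's
    own Default Permission Policy, then the policy-wide Default Permission
    Policy, then PROMPT (the behaviour of the unspecified value)."""
    for app in policy.get("applications", []):
        if app.get("packageName") != package:
            continue
        for grant in app.get("permissionGrants", []):
            if grant.get("permission") == permission:
                return grant["policy"]
        if app.get("defaultPermissionPolicy"):
            return app["defaultPermissionPolicy"]
        break
    return policy.get("defaultPermissionPolicy") or PROMPT


def install_type_problems(policy: dict) -> list[str]:
    """Constraints stated for Install Type and Play Store Mode: one KIOSK app per
    policy, KIOSK is incompatible with the Kiosk Custom Launcher general setting,
    and a BLACKLIST policy with nothing marked BLOCKED blocks nothing."""
    apps = policy.get("applications", [])
    problems = []
    kiosk_apps = [a["packageName"] for a in apps if a.get("installType") == "KIOSK"]
    if len(kiosk_apps) > 1:
        problems.append(f"more than one KIOSK app: {', '.join(kiosk_apps)}")
    if kiosk_apps and policy.get("kioskCustomLauncherEnabled"):
        problems.append("KIOSK install type cannot be combined with kioskCustomLauncherEnabled")
    if policy.get("playStoreMode", "WHITELIST") == "BLACKLIST":
        if not any(a.get("installType") == "BLOCKED" for a in apps):
            problems.append("BLACKLIST mode with no BLOCKED apps: every Play app stays installable")
    return problems


# Constructed sample: a single-app kiosk, a removable support tool and a blocked
# legacy app.  The kiosk app is granted everything except the microphone.
SAMPLE_POLICY = {
    "defaultPermissionPolicy": "DENY",
    "playStoreMode": "WHITELIST",
    "kioskCustomLauncherEnabled": False,
    "applications": [
        {
            "packageName": "com.example.kiosk",
            "installType": "KIOSK",
            "defaultPermissionPolicy": "GRANT",
            "permissionGrants": [
                {"permission": "android.permission.RECORD_AUDIO", "policy": "DENY"},
            ],
        },
        {"packageName": "com.example.support", "installType": "PREINSTALLED"},
        {"packageName": "com.example.legacy", "installType": "BLOCKED"},
    ],
}

if __name__ == "__main__":
    for pkg, perm in [("com.example.kiosk", "android.permission.RECORD_AUDIO"),
                      ("com.example.kiosk", "android.permission.CAMERA"),
                      ("com.example.support", "android.permission.CAMERA")]:
        print(f"{pkg} {perm.rsplit('.', 1)[1]}: {effective_permission_policy(SAMPLE_POLICY, pkg, perm)}")
    print("problems:", install_type_problems(SAMPLE_POLICY) or "none")
```

A policy-wide Deny with per-app Grants, as in the sample, is the least-privilege shape: a new app added to the list gets nothing until someone decides otherwise, whereas a policy-wide Grant hands every listed app every runtime permission it asks for.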

PASSWORD REQUIREMENTS

This section will cover the optional requirements that you can use to unlock a
device. The following password requirement options are available:

  • Quality: The required password quality.
    • Default: There are no password requirements
    • Biometric Weak: The device must be secured with a low-security
      biometric recognition technology, at minimum. This includes
      technologies that can recognize the identity of an individual that are
      roughly equivalent to a 3-digit PIN (false detection is less than 1 in
      1,000)
    • Something: A password is required, but there are no restrictions on
      what the password must contain
    • Numeric: The password must contain numeric characters
    • Numeric Complex: The password must contain numeric characters
      with no repeating (4444) or ordered (1234, 4321, 2468) sequences
    • Alphabetic: The password must contain alphabetic (or symbol)
      characters
    • Alphanumeric: The password must contain both numeric and
      alphabetic (or symbol) characters
    • Complex: The password must meet the minimum requirements specified in password Minimum Length, password Minimum Letters, password Minimum Symbols, etc
  • Minimum Length: The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password Quality is Numeric, Numeric Complex, Alphabetic, Alphanumeric, or Complex
  • History Length: The length of the password history. After setting this field, the user will not be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction
  • Maximum Failed Passwords For Wipe: Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction
  • Expiration Timeout: Password expiration timeout. Duration in days

SYSTEM UPDATES

This section selects the type of system update configuration for the device.

  • Default: Follow the default update behavior for the device, which typically
    requires the user to accept system updates
  • Automatic: Install automatically as soon as an update is available
  • Windowed: Install automatically within a daily maintenance window. This
    also configures Play apps to be updated within the window. This is strongly
    recommended for kiosk devices because this is the only way apps
    persistently pinned to the foreground can be updated by the Google
    Play Store
  • Postpone: Postpone automatic install up to a maximum of 30 days

ENFORCEMENT RULES

An enforcement rule defines the actions to take if a device or work profile is not
compliant with the policy area named in Setting Name.

  • Setting Name: The top-level policy to enforce. Define the actions to
    take if a device is not compliant with the specified setting. The
    following options are available:
    • Application Policies
    • Password Policies
    • Encryption Policies
  • Block After Days: Number of days the policy is non-compliant before the device is blocked. To block access immediately, set to 0. Block After Days must be less than Wipe After Days
  • Wipe After Days: Number of days the policy is non-compliant before the device is wiped. Wipe After Days must be greater than Block After Days
  • Preserve Data: Whether the factory-reset protection data is preserved on the device
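The Password Requirements and Enforcement Rules sections each carry a consistency rule that the console does not make obvious: Minimum Length is silently ignored for the Something and Biometric Weak qualities, Complex imposes nothing unless at least one Minimum field is set, and Block After Days must be smaller than Wipe After Days. The added example below, not Moki's or Google's code, checks those rules and turns an enforcement rule into the calendar dates on which a non-compliant device is blocked and wiped. Field names follow the Android Management API; the settingName value "passwordPolicies", the mapping from Moki's labels and all sample values are assumptions of this example.

```python
# Added example (not Moki's or Google's code) for the Password Requirements and
# Enforcement Rules sections: it checks the consistency rules both sections state
# and turns an enforcement rule into calendar dates.  Field names follow the
# Android Management API; the settingName value "passwordPolicies" and the mapping
# from Moki's labels are assumptions, and the sample values are constructed.
from datetime import date, timedelta

# Minimum Length is only enforced for these qualities.
LENGTH_ENFORCED = {"NUMERIC", "NUMERIC_COMPLEX", "ALPHABETIC", "ALPHANUMERIC", "COMPLEX"}
# The "Minimum ..." fields that give the COMPLEX quality its meaning.
COMPLEX_MINIMUMS = ("passwordMinimumLength", "passwordMinimumLetters", "passwordMinimumSymbols")


def password_requirement_problems(req: dict) -> list[str]:
    """Flag settings that look strong in the console but are not enforced."""
    problems = []
    quality = req.get("passwordQuality", "PASSWORD_QUALITY_UNSPECIFIED")
    min_len = req.get("passwordMinimumLength", 0)
    if min_len and quality not in LENGTH_ENFORCED:
        problems.append(f"passwordMinimumLength={min_len} is not enforced for quality {quality}")
    if quality == "COMPLEX" and not any(req.get(f, 0) for f in COMPLEX_MINIMUMS):
        problems.append("COMPLEX quality with no passwordMinimum* fields set imposes no composition rule")
    return problems


def enforcement_rule_problems(rule: dict) -> list[str]:
    """Block After Days must be less than Wipe After Days when both are set."""
    block = rule.get("blockAction", {}).get("blockAfterDays")
    wipe = rule.get("wipeAction", {}).get("wipeAfterDays")
    if block is not None and wipe is not None and block >= wipe:
        return [f"blockAfterDays={block} must be less than wipeAfterDays={wipe}"]
    return []


def enforcement_timeline(rule: dict, noncompliant_since: str) -> dict:
    """ISO dates on which a device that fell out of compliance on the given day
    is blocked and wiped; None for an action the rule does not configure.
    blockAfterDays=0 blocks on the day of non-compliance itself."""
    since = date.fromisoformat(noncompliant_since)
    block = rule.get("blockAction", {}).get("blockAfterDays")
    wipe = rule.get("wipeAction", {}).get("wipeAfterDays")
    return {
        "setting": rule.get("settingName"),
        "blocked_on": (since + timedelta(days=block)).isoformat() if block is not None else None,
        "wiped_on": (since + timedelta(days=wipe)).isoformat() if wipe is not None else None,
        "frp_preserved": rule.get("wipeAction", {}).get("preserveFrp", False),
    }


# Constructed samples.
STRONG_PASSWORD = {
    "passwordQuality": "ALPHANUMERIC",
    "passwordMinimumLength": 8,
    "passwordHistoryLength": 5,
    "maximumFailedPasswordsForWipe": 10,
}
WEAK_PASSWORD = {"passwordQuality": "SOMETHING", "passwordMinimumLength": 8}  # length is ignored

PASSWORD_RULE = {
    "settingName": "passwordPolicies",        # assumed API value for "Password Policies"
    "blockAction": {"blockAfterDays": 3},
    "wipeAction": {"wipeAfterDays": 10, "preserveFrp": True},
}
INVERTED_RULE = {
    "settingName": "passwordPolicies",
    "blockAction": {"blockAfterDays": 10},
    "wipeAction": {"wipeAfterDays": 3},
}

if __name__ == "__main__":
    print("strong:", password_requirement_problems(STRONG_PASSWORD) or "ok")
    print("weak:", password_requirement_problems(WEAK_PASSWORD))
    print("rule:", enforcement_rule_problems(INVERTED_RULE))
    print(enforcement_timeline(PASSWORD_RULE, "2024-01-01"))
```

Keeping preserveFrp true on the wipe action matters for stolen devices: a wipe that also clears factory-reset protection lets whoever holds the device set it up as their own afterwards.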

KIOSK CUSTOMIZATION

Define action buttons and Status Bar availability when in multi-app Kiosk Mode, or single app Kiosk (App Lock)