Citrix Endpoint Management

Keyguard Management device policy

The Android keyguard manages the device and work challenge lock screens. This policy lets you manage features for Android Enterprise work profile keyguard and advanced device keyguard. You can control:

  • Keyguard management on work profile devices. You can specify the features available to users before they unlock the device keyguard and the work challenge keyguard. For example, by default users can use fingerprint unlock and view unredacted notifications on the lock screen.

  • Keyguard management on fully managed and dedicated devices. You can specify the features available, such as trust agents and secure camera, before they unlock the keyguard screen. Or, you can choose to disable all keyguard features.

  • Keyguard management on fully managed devices with work profiles. These devices were formerly known as COPE (corporate owned personally enabled) devices. You can use one Keyguard Management policy to apply separate settings to the device and the work profile.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Watch this video to learn more:

How to use Keyguard feature management with Citrix Endpoint Management and Android Enterprise

Android Enterprise settings

Device Policies configuration screen

  • Apply to COPE: Allows you to configure Keyguard Management device policy settings for fully managed devices with work profiles.

    When this setting is On, you can apply separate settings to the device and to the work profile on fully managed devices with work profiles.

    When this setting is Off, you can apply settings to work profile devices or fully managed devices. Settings you configure for work profiles only apply to work profile devices. Settings you configure for fully managed devices apply only to fully managed devices.

    Default is Off.

  • Work profile keyguard features: Controls whether the following features are available before a user unlocks the work profile keyguard (lock screen).
    • Disable trust agents: If Off, trust agents can operate on secure keyguard screens when a challenge is set on the work profile. Set to On to disable all trust agents on the work profile. Default is Off.
    • Disable biometric authentication: If Off, biometric authentication is available on secure keyguard screens when a challenge is set on the work profile. Set to On to disable biometric authentication on the work profile. This setting disables fingerprint unlock, face authentication, and iris authentication. Default is Off. For Android 9.0 and later.
    • Disable fingerprint unlock: If Off, fingerprint unlock is available on secure keyguard screens when a challenge is set on the work profile. Set to On to disable fingerprint unlock on the work profile. Default is Off.
    • Disable face authentication: If Off, face authentication is available on secure keyguard screens when a challenge is set on the work profile. Set to On to disable face authentication on the work profile. Default is Off. For Android 9.0 and later.
    • Disable iris authentication: If Off, iris authentication is available on secure keyguard screens when a challenge is set on the work profile. Set to On to disable iris authentication on the work profile. Default is Off. For Android 9.0 and later.
    • Disable unredacted notifications: If Off, both redacted and unredacted notifications appear on secure keyguard screens. Set to On to disable unredacted notifications and only show redacted notifications. Default is Off.
  • Fully managed device keyguard features: Controls whether the following features are available before a user unlocks the device keyguard (lock screen). These features apply to fully managed or dedicated devices.

    • Disable all keyguard features: If Off, all current and future keyguard customizations are available on the secure keyguard screens. Set to On to disable all keyguard customizations. Default is Off.
    • Disable trust agents: If Off, trust agents can operate on secure keyguard screens. Set to On to disable trust agents. Default is Off.
    • Disable biometric authentication: If Off, biometric authentication is available on secure keyguard screens when a challenge is set on the device. Set to On to disable biometric authentication on the device. The biometric authentication features disabled are fingerprint unlock, face authentication, and iris authentication. Default is Off. For Android 9.0 and later.
    • Disable fingerprint unlock: If Off, fingerprint unlock is available on secure keyguard screens when a challenge is set on the device. Set to On to disable fingerprint unlock on the device. Default is Off.
    • Disable face authentication: If Off, face authentication is available on secure keyguard screens when a challenge is set on the device. Set to On to disable face authentication on the device. Default is Off. For Android 9.0 and later.
    • Disable iris authentication: If Off, iris authentication is available on secure keyguard screens when a challenge is set on the device. Set to On to disable iris authentication on the device. Default is Off. For Android 9.0 and later.
    • Disable all notifications: If Off, all notifications appear on secure keyguard screens. Set to On to show all notifications. Default is Off.
    • Disable unredacted notifications: If Off, both redacted and unredacted notifications appear on secure keyguard screens. Set to On to disable unredacted notifications and only show redacted notifications. Default is Off.
    • Disable secure camera: If Off, secure camera is available on secure keyguard screens. Set to On to disable the secure camera. Default is Off.
Keyguard Management device policy