Restrictions device policy

The Restrictions device policy allows or restricts certain features or functionality on user devices, such as the camera. You can also set security restrictions, as well as restrictions on media content and restrictions on the types of apps users can and cannot install. Most of the restriction settings default to On, which allows the feature. The main exceptions are the iOS Security - Force feature and all Windows Tablet features, which default to Off, which restricts the feature.

For Windows 10 RS2 Phone: After a Custom XML policy or Restrictions policy that disables Internet Explorer deploys to the phone, the browser remains enabled. To work around this issue, restart the phone. This is a third-party issue.

Tip:

Any option for which you select On means that the user can perform the operation or use the feature. For example:

Camera. If On, the user can use the camera on their device. If Off, the user cannot use the camera on their device.

Screen shots. If On, the user can take screen shots on their device. If Off, the user cannot take screen shots on their device.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

iOS settings

Image of Device Policy configuration screen

Some of the iOS restrictions options apply only to specific versions of iOS (and, where applicable, these versions are noted on the XenMobile console page). For example, the capability to allow or block AirDrop is only supported on devices running iOS 7 and later. The capability to allow or block Photo streams is supported on devices running iOS 5 and later. Also, some options only apply if the device is placed in supervised mode. For the steps on setting an iOS device to supervised mode, see To place an iOS device in Supervised mode by using the Apple Configurator.

  • Allow hardware controls
    • Camera: Allow users to use the camera on their devices.
      • FaceTime: Allow users to use FaceTime on their devices. This restriction is deprecated on unsupervised iOS 10 devices.
    • Screen shots: Allow users to take screen shots on their devices.
      • Allow the Classroom app to remotely observe student screens: If this restriction is unselected, an instructor can’t use the Classroom app to remotely observe student screens. The default setting is selected, which means an instructor can use the Classroom app to observe student screens. The setting for Allow the Classroom app to perform AirPlay and View Screen without prompting determines whether students receive a prompt to give the instructor permission. For supervised devices running iOS 9.3 (minimum version).
      • Allow the Classroom app to perform AirPlay and View Screen without prompting: If this restriction is selected, the instructor can perform AirPlay and View Screen on a student device, without prompting for permission. The default setting is unselected. For supervised devices running iOS 10.3 (minimum version).
    • Photo streams: Allow users to use MyPhotoStream to share photos through iCloud to all their iOS devices (iOS 5.0 and later).
    • Shared photo streams: Allow users to use iCloud Photo Sharing to share photos with coworkers, friends, and family (iOS 6.0 and later).
    • Voice dialing: Enables voice dialing on user devices.
    • Siri: Allows users to use Siri.
      • Allow while device is locked: Allow users to use Siri while their devices are locked.
      • Siri profanity filter: Enable the Siri profanity filter. The default is to restrict this feature, which means no profanity filtering is done.

        For more information about Siri and security, see Siri and dictation policies.

    • Installing apps: Allow users to install apps. This restriction is deprecated on unsupervised iOS 10 devices.
    • Allow global background fetch while roaming: Allow devices to automatically sync mail accounts to iCloud while the device is roaming. When Off, disables global background fetch activity when an iOS phone is roaming. Defaults to On.
  • Allow apps
    • iTunes Store: Allow users to access the iTunes Store. This restriction is deprecated on unsupervised iOS 10 devices.
    • In-app purchases: Allow users to make in-app purchases.
      • Require iTunes password for purchases: Require a password for in-app purchases. The default is to restrict this feature, which means no password is required for in-app purchases (iOS 5.0 and later).
    • Safari: Allow users to access Safari. This restriction is deprecated on unsupervised iOS 10 devices.
      • Autofill: Allow users to set up autofill for user names and passwords on Safari.
      • Force fraud warning: If this setting is enabled and users visit a suspected phishing website, Safari alerts users. The default is to restrict this feature, which means no warnings are issued.
      • Enable JavaScript: Allow JavaScript to run on Safari.
      • Block pop-ups: Block pop-ups while viewing websites. The default is to restrict this feature, which means pop-ups are not blocked.
    • Accept cookies: Set to what extent cookies are accepted. In the list, choose an option to allow or restrict cookies. The default option is Always, which allows all websites to save cookies in Safari. Other options are Current website only, Never, and From visited sites only.
    • Allow the Classroom app to remotely observe student screens: If this restriction is unselected, an instructor can’t use the Classroom app to observe student screens remotely. The default setting is selected, which means an instructor can use the Classroom app to observe student screens. The setting for Allow the Classroom app to perform AirPlay and View Screen without prompting determines whether students receive a prompt to give the instructor permission. For supervised devices running iOS 9.3 (minimum version).
    • Allow the Classroom app to perform AirPlay and View Screen without prompting: If this restriction is selected, the instructor can perform AirPlay and View Screen on a student device, without prompting for permission. The default setting is unselected. For supervised devices running iOS 10.3 (minimum version).
    • Allow the Classroom app to lock to an app and lock the device without prompting: If this restriction is set to On, the Classroom app automatically locks user devices to an app and locks the device, without prompting the users. The default setting is Off. For supervised devices running iOS 11 (minimum version).
    • Automatically join the Classroom app classes without prompting: If this restriction is set to On, the Classroom app automatically joins users to classes, without prompting the users. The default setting is Off. For supervised devices running iOS 11 (minimum version).
    • Allow AirPrint: If this restriction is set to Off, users can’t print with AirPrint. The default setting is On. When this restriction is On, these extra restrictions appear. For supervised devices running iOS 11 (minimum version).
      • Allow storage of AirPrint credentials in Keychain: If this restriction is unselected, the AirPrint user name and password aren’t stored in the Keychain. The default setting is selected. For supervised devices running iOS 11 (minimum version).
      • Allow discovery of AirPrint printers by using iBeacons: If this restriction is unselected, iBeacon discovery of AirPrint printers is disabled. Disabling discovery prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. The default setting is selected. For supervised devices running iOS 11 (minimum version).
      • Allow AirPrint only to destinations with trusted certificates: If this restriction is selected, users can use AirPrint to print only to destinations with trusted certificates. The default setting is unselected. For supervised devices running iOS 11 (minimum version).
    • Adding VPN configurations: If this restriction is set to Off, users can’t create VPN configurations. The default setting is On. For supervised devices running iOS 11 (minimum version).
    • Modifying cellular plan settings: If this restriction is set to Off, users can’t modify cellular plan settings. The default setting is On. For supervised devices running iOS 11 (minimum version).
    • Removing system apps: If this restriction is set to Off, users can’t remove system apps from their device. The default setting is On. For supervised devices running iOS 11 (minimum version).
    • Setting up new nearby devices: If this restriction is set to Off, users can’t set up new nearby devices. The default setting is On. For supervised devices running iOS 11 (minimum version).
  • Network - Allow iCloud actions

    • iCloud documents and data: Allow users to sync documents and data to iCloud (iOS 5.0 and later). This restriction is deprecated on unsupervised iOS 10 devices.
    • iCloud backup: Allow users to back up their devices to iCloud (iOS 5.0 and later).
    • iCloud keychain: Allow users to store passwords, WiFi network, credit card, and other information in the iCloud Keychain (iOS 7.0 and later).
    • Cloud photo library: Allow users to access their iCloud photo library (iOS 9.0 and later).
  • Security - Force

    The default is to restrict the following features, which means no security features are enabled.

    • Encrypted backups: Force backups to iCloud to be encrypted.
    • Limited ad tracking: Block targeted ad tracking (iOS 7.0 and later).
    • Passcode on first Airplay pairing: Require that AirPlay-enabled devices are verified with a one-time onscreen code before they can use AirPlay (iOS 7.0 and later).
    • Paired Apple Watch to use Wrist Detection: Require a paired Apple Watch to use Wrist Detection (iOS 8.2 and later).
    • Sharing managed documents using AirDrop: AirDrop access is a supervised option. Setting this option to On allows supervised devices to use AirDrop to share data and media with nearby iOS devices (iOS 9.0 and later).
  • Security - Allow

    • Accepting untrusted SSL certificates: Allow users to accept web sites’ untrusted SSL certificates (iOS 5.0 and later).
    • Automatic update to certificate trust settings: Allow trusted certificates to be updated automatically (iOS 7.0 and later).
    • Documents from managed apps in unmanaged apps: Allow users to move data from managed (corporate) apps to unmanaged (personal) apps.
    • Documents from unmanaged apps in managed apps: Allow users to move data from unmanaged (personal) apps to managed (corporate) apps.
    • Diagnostic submission to Apple: Allow anonymous diagnostic data about users’ devices to be sent to Apple.
    • Touch ID to unlock device: Allow users to use their fingerprints to unlock their devices (iOS 7.0 and later).
    • Passbook notifications when locked: Allow Passbook notifications to appear on the lock screen (iOS 6.0 and later).
    • Handoff: Allow users to transfer activities from one iOS device to another nearby iOS device (iOS 8.0 and later).
    • iCloud sync for managed apps: Allow users to sync managed apps to iCloud (iOS 8.0 and later).
    • Backup for enterprise books: Allow enterprise books to be backed up to iCloud (iOS 8.0 and later).
    • Notes and highlights sync for enterprise books: Allow notes and highlights users have added to enterprise books to be synced to iCloud (iOS 8.0 and later).
    • Enterprise app trust: Allow enterprise applications to be trusted (iOS 9.0 and later).
    • Internet results in Spotlight: Allow Spotlight to show search results from the Internet as well as the device (iOS 8.0 and later).
  • Supervised only settings - Allow

    These settings apply only to supervised devices. For the steps on setting an iOS device to supervised mode, see To place an iOS device in Supervised mode by using the Apple Configurator.

    • Erase all content and settings: Allow users to erase all content and settings from their devices (iOS 8.0 and later).
    • Configuring restrictions: Allow users to configure parental controls on their devices (iOS 8.0 and later).
    • Podcasts: Allow users to download and sync podcasts (iOS 8.0 and later).
    • Installing configuration profiles: Allow users to install a configuration profile other than the one deployed by you (iOS 6.0 and later).
    • Fingerprint modification: Allow users to change or delete their Touch ID fingerprint (iOS 8.3 and later).
    • Installing apps from device: (iOS 9.0 and later).
    • Keyboard shortcuts: Allow users to create custom keyboard shortcuts for words or phrases that they use often (iOS 9.0 and later).
    • Paired Apple watch: Allow users to pair an Apple Watch to a supervised device (iOS 9.0 and later).
    • Passcode modification: Allow users to change the passcode on a supervised device (iOS 9.0 and later).
    • Device name modification: Allow users to change the name of their device.
    • Wallpaper modification: Allow users to change the wallpaper on their devices (iOS 9.0 and later).
    • Automatically downloading apps: (iOS 9.0 and later).
    • AirDrop: Allow users to share photos, videos, websites, locations, and more with nearby iOS devices (iOS 7.0 and later).
    • iMessage: Allow users to text over Wi-Fi with iMessage (iOS 6.0 and later).
    • Siri user-generated content: Allow Siri to query user-generated content from the web. Consumers, not traditional journalists, produce user-generated content. For example, content found on Twitter or Facebook is user-generated (iOS 7.0 and later).
    • iBooks: Allow users to use the iBooks app (iOS 6.0 and later).
    • Removing apps: Allow users to remove apps from their devices (iOS 7.0 and later).
    • Game Center: Allow users to play online games through Game Center on their devices (iOS 6.0 and later).
      • Add friends: Allow users to send a notification to a friend to play a game.
      • Multiplayer gaming: Allow users to start multiplayer game play on their devices.
    • Modifying account settings: Allow users to modify their device account settings (iOS 7.0 and later).
    • Modifying app cellular data settings: Allow users to modify how apps use cellular data (iOS 7.0 and later).
    • Modifying Find My Friends settings: Allow users to change their Find My Friends settings (iOS 7.0 and later).
    • Pairing with non-Configurator hosts: Allow admin to control to which devices a user device can pair. Disabling this setting prevents pairing except with the supervising host running the Apple Configurator. If no supervising host certificate is configured, all pairing is disabled (iOS 7.0 and later).
    • Predictive keyboards: Allow user devices to use the predictive keyboard for suggesting words as they type (iOS 8.1.3 and later). Disable this option in situations such as administering standardized tests where you do not want users to have access to suggested words.
    • Keyboard auto-corrections: Allow user devices to use keyboard autocorrect (iOS 8.1.3 and later). Disable this option in situations such as administering standardized tests where you do not want users to have access to autocorrect.
    • Keyboard spell-check: Allow user devices to use spell checking while typing (iOS 8.1.3 and later). Disable this option in situations such as administering standardized tests where you do not want users to have access to the spell-checker.
    • Definition lookup: Allow user devices to use definition look-up while typing (iOS 8.1.3 and later). Disable this option in situations such as administering standardized tests where you do not want users to be able to look up definitions as they type.
    • Single App bundle ID: Create a list of apps that are allowed to retain control over the device and prevent interaction with other apps or functions. To add an app, click Add, type an App name, and click Save. Repeat that process for each app you want to add.
    • News: Allow users to use the News app (iOS 9.0 and later).
    • Apple Music service: Allow users to use the Apple Music service (iOS 9.3 and later). If you don’t allow Apple Music service, the Music app runs in classic mode.
    • iTunes Radio: Allow users to use iTunes Radio (iOS 9.3 and later).
    • Notifications modification: Allow users to modify notification settings (iOS 9.3 and later).
    • Restricted App usage: Allow users to use all apps, or allow or block specific apps based on the bundle IDs you provide (iOS 9.3 and later). Applies only to supervised devices.

      After you configure the Restrictions device policy to block some apps and then deploy the policy: If you later want to allow some or all of those apps, changing and deploying the Restrictions device policy doesn’t change the restrictions. In this case, iOS doesn’t apply the changes to the iOS profile. To proceed, use the Profile Removal policy to remove the iOS Profile and then deploy the updated Restrictions device policy.

      If you change this setting to Only allow some apps: Before deploying this policy, advise users of devices enrolled using Apple DEP to sign in to their Apple accounts from the Setup Assistant. Otherwise, users might have to disable two-factor authentication on their devices to sign in to their Apple accounts and access allowed apps.

  • Diagnostic submission modification: Allow users to modify the diagnostic submission and app analytics settings in the Diagnostics & Usage pane in Settings (iOS 9.3.2 and later).
  • Bluetooth modification: Allow users to modify Bluetooth settings (iOS 10.0 and later).
  • Allow dictation: Supervised only. If this restriction is set to Off, dictation input is not allowed. The default setting is On. For iOS 10.3 and later.
  • Join only WiFi networks installed by a WiFi policy: Optional. Supervised only. If this restriction is set to On, the device can join WiFi networks only when they were set up through a configuration profile. The default setting is Off. For iOS 10.3 and later.
  • Allow the Classroom app to perform AirPlay and View Screen without prompting: If this restriction is selected, the instructor can perform AirPlay and View Screen on a student device, without prompting for permission. The default setting is unselected. For supervised devices running iOS 10.3 (minimum version).
  • Allow the Classroom app to lock to an app and lock the device without prompting: If this restriction is set to On, the Classroom app automatically locks user devices to an app and locks the device, without prompting the users. The default setting is Off. For supervised devices running iOS 11 (minimum version).
  • Automatically join the Classroom app classes without prompting: If this restriction is set to On, the Classroom app automatically joins users to classes, without prompting the users. The default setting is Off. For supervised devices running iOS 11 (minimum version).
  • Allow AirPrint: If this restriction is set to Off, users can’t print with AirPrint. The default setting is On. When this restriction is On, these extra restrictions appear. For supervised devices running iOS 11 (minimum version).
    • Allow storage of AirPrint credentials in Keychain: If this restriction is unselected, the AirPrint user name and password aren’t stored in the Keychain. The default setting is selected. For supervised devices running iOS 11 (minimum version).
    • Allow discovery of AirPrint printers by using iBeacons: If this restriction is unselected, iBeacon discovery of AirPrint printers is disabled. This prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. The default setting is selected. For supervised devices running iOS 11 (minimum version).
    • Allow AirPrint only to destinations with trusted certificates: If this restriction is selected, users can use AirPrint to print only to destinations with trusted certificates. The default setting is unselected. For supervised devices running iOS 11 (minimum version).
  • Adding VPN configurations: If this restriction is set to Off, users can’t create VPN configurations. The default setting is On. For supervised devices running iOS 11 (minimum version).
  • Modifying cellular plan settings: If this restriction is set to Off, users can’t modify cellular plan settings. The default setting is On. For supervised devices running iOS 11 (minimum version).
  • Removing system apps: If this restriction is set to Off, users can’t remove system apps from their device. The default setting is On. For supervised devices running iOS 11 (minimum version).
  • Setting up new nearby devices: If this restriction is set to Off, users can’t set up new nearby devices. The default setting is On. For supervised devices running iOS 11 (minimum version).
  • Security - Show in lock screen
    • Control Center: Allow access to Control Center on the lock screen, which lets users easily modify Airplane Mode, WiFi, Bluetooth, Do Not Disturb Mode, and Lock Rotation settings (iOS 7.0 and later).
    • Notification: Allow notifications on the lock screen (iOS 7.0 and later).
    • Today view: Allow Today View, which aggregates information such as the weather and the current day’s calendar items, on the lock screen.
  • Media content - Allow
    • Explicit music, podcasts, and iTunes U material: Allow explicit material on users’ devices.
    • Explicit sexual content in iBooks: Allow explicit material to be downloaded from iBooks (iOS 6.0 and later).
    • Ratings region: Set the region from which parental control ratings are obtained. In the list, click a country to set the ratings region. The default is United States.
    • Movies: Set whether movies are allowed on users’ devices. If movies are allowed, optionally set the ratings level for movies. In the list, click an option to allow or restrict movies on the device. The default is Allow all movies.
    • TV Shows: Set whether TV shows are allowed on users’ devices. If TV shows are allowed, optionally set the ratings level for TV shows. In the list, click an option to allow or restrict TV shows on the device. The default is Allow all TV Shows.
    • Apps: Set whether apps are allowed on users’ devices. If apps are allowed, optionally set the ratings level for apps. In the list, click an option to allow or restrict apps on the device. The default is Allow all apps.
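
The two points above that most affect an iOS security review are that the Security - Force settings default to Off and that supervised-only settings do nothing on unsupervised devices. The following Python example is added here and is not part of XenMobile or its documentation; it audits an exported configuration profile for both cases. The mapping from console labels to Apple Restrictions payload keys, the hardened values, and the sample profile are assumptions constructed for illustration.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple Restrictions payload type

# key: (label as listed on this page, hardened value, supervised-only?)
# The label-to-key mapping and the hardened values are assumptions of this example.
BASELINE = {
    "forceEncryptedBackup":
        ("Security - Force: Encrypted backups", True, False),
    "forceLimitAdTracking":
        ("Security - Force: Limited ad tracking", True, False),
    "forceAirPlayOutgoingRequestsPairingPassword":
        ("Security - Force: Passcode on first AirPlay pairing", True, False),
    "safariForceFraudWarning":
        ("Safari: Force fraud warning", True, False),
    "allowUntrustedTLSPrompt":
        ("Security - Allow: Accepting untrusted SSL certificates", False, False),
    "allowOpenFromManagedToUnmanaged":
        ("Security - Allow: Documents from managed apps in unmanaged apps", False, False),
    "allowHostPairing":
        ("Supervised only: Pairing with non-Configurator hosts", False, True),
    "allowUIConfigurationProfileInstallation":
        ("Supervised only: Installing configuration profiles", False, True),
    "forceWiFiWhitelisting":
        ("Supervised only: Join only WiFi networks installed by a WiFi policy", True, True),
}


def default_for(key):
    """Value in effect when a key is absent: allow* keys permit the feature
    (True); the force*/safariForce* keys used here are off (False)."""
    return key.startswith("allow")


def restrictions_from_profile(profile_bytes):
    """Return the first Restrictions payload in a .mobileconfig, or {} if none."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_TYPE:
            return payload
    return {}


def audit(profile_bytes, supervised):
    """List (key, label, effective_value, reason) for every baseline item whose
    effective value on the device differs from the hardened value."""
    settings = restrictions_from_profile(profile_bytes)
    findings = []
    for key, (label, hardened, supervised_only) in BASELINE.items():
        if supervised_only and not supervised:
            # The profile may set the key, but it only applies in supervised mode.
            effective, reason = default_for(key), "ignored: device not supervised"
        elif key not in settings:
            effective, reason = default_for(key), "not set: default applies"
        else:
            effective, reason = bool(settings[key]), "set in profile"
        if effective != hardened:
            findings.append((key, label, effective, reason))
    return findings


# Constructed sample profile (identifiers and UUIDs are placeholders).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.restrictions",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadIdentifier": "com.example.restrictions.payload",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        "forceEncryptedBackup": True,
        "safariForceFraudWarning": True,
        "allowUntrustedTLSPrompt": False,
        "allowHostPairing": False,
        "forceWiFiWhitelisting": True,
    }],
})

if __name__ == "__main__":
    for supervised in (True, False):
        print(f"supervised={supervised}")
        for key, label, effective, reason in audit(SAMPLE_PROFILE, supervised):
            print(f"  {label} [{key}] effective={effective} ({reason})")
```

Run against the same profile, the unsupervised case reports two extra findings (host pairing and the WiFi restriction) even though the profile sets both keys.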

macOS settings

Image of Device Policies configuration screen

  • Preferences
    • Restrict items in System Preferences: Allow or restrict user access to System Preferences. The default is Off, which allows users full access to System Preferences. If enabled, configure the following settings.
      • System Preference Pane: Select whether the settings you select are enabled or disabled. The default is to enable all settings, which are On by default.
        • Users & Groups
        • General
        • Accessibility
        • App Store
        • Software Update
        • Bluetooth
        • CDs & DVDs
        • Date & Time
        • Desktop & Screen Saver
        • Displays
        • Dock
        • Energy Saver
        • Extensions
        • FibreChannel
        • iCloud
        • Ink
        • Internet Accounts
        • Keyboard
        • Language & Text
        • Mission Control
        • Mouse
        • Network
        • Notifications
        • Parental Controls
        • Printers & Scanners
        • Profiles
        • Security & Privacy
        • Sharing
        • Sound
        • Dictation & Speech
        • Spotlight
        • Startup Disk
        • Time Machine
        • Trackpad
        • Xsan
  • Apps
    • Allow use of Game Center: Allow users to play online games through Game Center. The default is On.
    • Allow adding Game Center friends: Allow users to send a notification to a friend to play a game. The default is On.
    • Allow multiplayer gaming: Allow users to initiate multiplayer game play. The default is On.
    • Allow Game Center account modification: Allow users to modify their Game Center account settings. The default is On.
    • Allow App Store adoption: Allow or restrict apps that preexist in OS X to be adopted by the App Store. The default is On.
    • Allow Safari Autofill: Allow Safari to automatically populate fields on websites with passwords, addresses, and other basic information that it has stored. The default is On.
    • Require admin password to install or update apps: Require an administrator password to install or update apps. The default is Off, which means no administrator password is required.
    • Restrict App Store to software update only: Restrict the App Store to updates only, which disables all tabs in the App Store except Updates. The default is Off, which allows full App Store access.
    • Restrict which apps are allowed to open: Restrict or allow apps users can use. The default is Off, which allows all apps to be used. If enabled, configure the following settings:
      • Allowed Apps: Click Add, enter the name and bundle ID for an app allowed to launch, and then click Save. Repeat this step for each app allowed to launch.
      • Disallowed Folders: Click Add, type the file path to a folder to which you want to restrict user access (for example, /Applications/Utilities), and then click Save. Repeat this step for all folders you do not want users to be able to access.
      • Allowed folders: Click Add, type the file path to a folder to which you want to grant user access, and then click Save. Repeat this step for all folders you want users to be able to access.
  • Widgets
    • Allow only the following Dashboard widgets to run: Allow or restrict which Dashboard widgets, such as World Clock or Calculator, users are allowed to run. The default is Off, which allows users to run all widgets. If enabled, configure the following setting:
      • Allowed Widgets: Click Add, type the name and ID of a widget that is allowed to run, and then click Save. Repeat this step for each widget you want to run on the Dashboard.
  • Media
    • Allow AirDrop: Allow users to share photos, videos, web sites, locations, and more with nearby iOS devices.
  • Sharing
    • Automatically enable new sharing services: Select whether to automatically enable sharing services.
    • Mail: Select whether to allow a shared mailbox.
    • Facebook: Select whether to allow a shared Facebook account.
    • Video Services - Flickr, Vimeo, Tudou and Youku: Select whether to allow shared video services.
    • Add to Aperture: Select whether to allow shared ability to add to Aperture.
    • Sina Weibo: Select whether to allow a shared Sina Weibo microblogging account.
    • Twitter: Select whether to allow a shared Twitter account.
    • Messages: Select whether to allow shared access to messages.
    • Add to iPhoto: Select whether to allow shared ability to add to iPhoto.
    • Add to Reading List: Select whether to allow shared ability to add to Reading List.
    • AirDrop: Select whether to allow a shared AirDrop account.
  • Functionality
    • Lock desktop picture: Select whether users can change the desktop picture. The default is Off, which means users can change the desktop picture.
    • Allow use of camera: Select whether users can use the camera on their Macs. The default is Off, which means users cannot use the camera.
    • Allow Apple Music: Allow users to use the Apple Music service (macOS 10.12 and later). If you don’t allow Apple Music service, the Music app runs in classic mode. Applies only to supervised devices. Defaults to On.
    • Allow Spotlight Suggestions: Select whether users can use Spotlight Suggestions to search their Mac and to provide Spotlight Suggestions from the Internet, iTunes, and the App Store. The default is Off, which prevents users from using Spotlight Suggestions. For more information about Spotlight Suggestions, see Apple’s Spotlight Suggestions page.
    • Allow Look Up: Select whether users can look up the definitions of words with the context menu or the Spotlight search menu. The default is Off, which prevents users from using Look Up on their Macs.
    • Allow use of iCloud password for local accounts: Select whether users can use their Apple ID and iCloud password to sign on to their Macs. Enabling this setting means that users use only one ID and password for all login screens on their Macs. The default is On, which allows users to use their Apple ID and iCloud password to access their Macs.
    • Allow iCloud documents & data: Select whether to allow users to access documents and data stored on iCloud on their Macs. The default is Off, which prevents users from using iCloud documents and data on their Macs. For more information, see Apple’s iCloud documents and Data page.
      • Allow iCloud Desktop and Documents: (macOS 10.12.4 and later) The default is selected.
    • Allow iCloud Keychain Sync: Allow iCloud Keychain sync (macOS 10.12 and later). The default is On.
    • Allow iCloud Mail: Allow users to use iCloud Mail (macOS 10.12 and later). The default is On.
    • Allow iCloud Contacts: Allow users to use iCloud Contacts (macOS 10.12 and later). The default is On.
    • Allow iCloud Calendars: Allow users to use iCloud Calendars (macOS 10.12 and later). The default is On.
    • Allow iCloud Reminders: Allow users to use iCloud Reminders (macOS 10.12 and later). The default is On.
    • Allow iCloud Bookmarks: Allow users to sync with iCloud Bookmarks (macOS 10.12 and later). The default is On.
    • Allow iCloud Notes: Allow users to use iCloud Notes (macOS 10.12 and later). The default is On.
    • Allow iCloud Photos: If you change this setting to Off, any photos not fully downloaded from the iCloud Photo Library are removed from local device storage (macOS 10.12 and later). The default is On.
    • Allow Auto Unlock: For information about this option and Apple Watch, see http://www.imore.com/auto-unlock (macOS 10.12 and later). The default is On.
    • Allow Touch ID To Unlock Mac: (macOS 10.12.4 and later). The default is On.

Android settings

  • Camera: Allow users to use the camera on their devices. If Off, the camera is disabled. Defaults to On.

Android for Work settings

Image of Device Policies configuration screen

By default, the USB Debugging and Unknown Sources settings are disabled on a device when it is enrolled in Android for Work in work profile mode.

  • Debugging: Allows debugging over USB (Android 5.0 and later). Default is Off.
  • File transfer: Allows file transfers over USB (Android 5.0 and later). Default is Off.
  • Tethering: Allows users to configure portable hotspots and tether data (Android 5.0 and later). Default is Off.
  • Allow Non-Google Play apps: Allows the installation of apps from stores other than Google Play (Android 5.0 and later). Default is Off.
  • Allow copy and paste: Allows or prevents use of the clipboard to copy and paste between apps in the Android for Work profile and apps in the personal area (Android 5.0 and later). Default is Off.
  • Enable app verification: Enables the OS to scan apps to detect malicious behavior (Android 5.0 and later). Default is On.
  • Allow user control of application settings: Allows users to uninstall apps, disable apps, clear cache and data, force stop any app, and clear defaults (Android 5.0 and later). Default is Off.
  • Allow work profile contacts in device contacts: Shows contacts from the managed Android for Work profile in the parent profile, for incoming calls (Android 7.0 and later). Default is Off.

Samsung SAFE settings

Image of Device Policies configuration screen

Some options are available only under specific Samsung Mobile Device Management APIs. Those options are marked with the relevant version information.

  • Allow hardware controls
    • Enable ODE Trusted Boot Verification: Use ODE trusted boot verification to establish a chain of trust from the bootloader to the system image.
    • Allow Development Mode: Allow users to enable the developer settings on their devices.
    • Allow Emergency Call Only: Allow users to enable Emergency Call Only mode on their devices.
    • Allow Firmware Recovery: Allow users to recover the firmware on their devices.
    • Allow Fast Encryption: Allow encryption of only used memory space. This is in contrast to full disk encryption, which encrypts all data, including settings, application data, downloaded files and applications, media, and other files.
    • Common Criteria Mode: Place device into Common Criteria Mode. The Common Criteria configuration enforces stringent security processes.
    • Factory Reset: Allow users to do a factory reset on their devices.
    • Date Time Change: Allow users to change the date and time on their devices.
    • DOD reboot banner: Display a DoD approved system use notification message or banner when users’ devices are restarted.
    • Settings changes: Allow users to change settings on their devices.
    • Backup: Allow users to back up application and system data on their devices.
    • Over The Air Upgrade: Allow users’ devices to receive software updates wirelessly (MDM 3.0 and later).
    • Background data: Allow apps to sync data in the background.
    • Camera: Allow users to use the camera on their devices.
    • Clipboard: Allow users to copy data to the clipboard on their devices.
      • Clipboard share: Allow users to share clipboard content between their devices and a computer (MDM 4.0 and later).
    • Home key: Allow users to use the Home key on their devices.
    • Microphone: Allow users to use the microphone on their devices.
    • Mock location: Allow users to fake their GPS location.
    • NFC: Allow users to use NFC (Near Field Communication) on their devices (MDM 3.0 and later).
    • Power off: Allow users to turn off their devices (MDM 3.0 and later).
    • Screenshot: Allow users to take screen shots on their devices.
    • SD card: Allow users to use an SD card, if available, with their devices.
    • Voice Dialer: Allow users to use the voice dialer on their devices (MDM 4.0 and later).
    • SBeam: Allow users to share content with others using NFC and Wi-Fi Direct (MDM 4.0 and later).
    • SVoice: Allow users to use the intelligent personal assistant and knowledge navigator on their devices (MDM 4.0 and later).
    • Allow multiple users: Allow multiple users to use a device (MDM 4.0 and later). Defaults to Off.
  • Allow apps
    • Browser: Allow users to use the web browser.
    • Youtube: Allow users to access YouTube.
    • Google Play/Marketplace: Allow users to access Google Play and the Google Apps Marketplace.
    • Allow Non-Google Play apps: Allow users to download apps from sites other than Google Play and the Google Apps Marketplace. If On, a user can use the security settings on their device to trust apps from unknown sources.
    • Stop system app: Allow users to disable pre-installed system apps (MDM 4.0 and later).
    • Disable applications: If On, blocks a specified list of apps from running on Samsung SAFE devices.
  • Network
    • Incoming Mms: Allow users to receive MMS messages.
    • Incoming Sms: Allow users to receive SMS messages.
    • Outgoing Mms: Allow users to send MMS messages.
    • Outgoing Sms: Allow users to send SMS messages.
    • User Add profiles Vpn:
    • Bluetooth: Allow users to use Bluetooth.
      • Tethering: Allow users to share a mobile data connection with another device using their Bluetooth connection.
    • WiFi: Allow users to connect to WiFi networks.
      • Tethering: Allow users to share a mobile data connection with another device using their WiFi connection.
      • Direct: Allow users to connect directly to another device through their WiFi connection (MDM 4.0 and later).
      • State Change: Allow apps to change WiFi connectivity state.
      • User Policy Changes: Allow users to change WiFi policies. If not selected, users can change only the WiFi user name and password. If selected, users can change all WiFi policies.
    • Tethering: Allow users to share a mobile data connection with another device.
    • Cellular data: Allow users to use their cellular connection for data.
    • Allow roaming: Allow users to use cellular data while roaming. The default is OFF, which disables roaming on users’ devices.
    • Only secure connections: Allow users to only use secure connections (MDM 4.0 and later).
    • Android beam: Allow users to send web pages, photos, videos, or other content from their devices to another device using NFC (MDM 4.0 and later).
    • Audio record: Allow users to record audio with their devices (MDM 4.0 and later).
    • Video record: Allow users to record video with their devices (MDM 4.0 and later).
    • Location services: Allow users to turn on GPS on their devices.
    • Limit by day (MB): Enter the number of MB of mobile data users can use each day. The default is 0, which disables this feature (MDM 4.0 and later).
    • Limit by week (MB): Enter the number of MB of mobile data users can use each week. The default is 0, which disables this feature (MDM 4.0 and later).
    • Limit by month (MB): Enter the number of MB of mobile data users can use each month. The default is 0, which disables this feature (MDM 4.0 and later).
  • Allow USB actions: Allow USB connection between users’ devices and a computer.
    • Debugging: Allow debugging over USB.
    • Host storage: Allow users’ devices to act as the USB host when a USB device connects to their devices. Users’ devices then supply power to the USB device.
    • Mass storage: Allow transfer of large data files between users’ devices and a computer over a USB connection.
    • Kies media player: Allow users to use the Samsung Kies tool to sync files between their devices and a computer.
    • Tethering: Allow users to share a mobile data connection with another device through a USB connection.

Samsung KNOX settings

Image of Device Policies configuration screen

These options are available only under Samsung KNOX Premium (KNOX 2.0).

  • Allow Use of Camera: Allow users to use the camera on their devices.
  • Allow Revocation Check: Enable checking for revoked certificates.
  • Move Apps To Container: Allow users to move apps between the KNOX container and the personal area on their devices.
  • Enforce Multifactor Authentication: Users must use a fingerprint and one other authentication method, such as password or PIN, to open their devices.
  • Enable TIMA Key store: The TIMA KeyStore provides TrustZone-based secure key storage for the symmetric keys. RSA key pairs and certificates are routed to the default key store provider for storage.
  • Enforce Auth For Container: Require authentication to open the KNOX container that is separate and different from the authentication used to unlock the device.
  • Share List: Allow users to share content between apps in the Share Via list.
  • Enable Audit Log: Enable creation of event audit logs for forensic analysis of a device.
  • Use Secure Keypad: Force users to use a secure keyboard inside the KNOX container.
  • Enable Google Apps: Allow users to download apps from Google Mobile Services into the KNOX container.
  • Authentication Smart Card Browser: Enable browser authentication on devices equipped with a smart card reader.

Windows Phone and Windows Desktop/Tablet settings

Image of Device Policies configuration screen

  • WiFi Settings
    • Allow WiFi: Allow a device to connect to a WiFi network. Windows Phone only.
    • Allow Internet sharing: Allow a device to share its internet connection with other devices by turning it into a WiFi hotspot.
    • Allow auto-connect to WiFi Sense hotspots: Allow a device to connect automatically to WiFi Sense hotspots. Location services must be enabled for this option to work. For more information about WiFi Sense, see the Windows Phone WiFi Sense FAQ.
    • Allow manual configuration: Allow users to manually configure WiFi connections. Windows Phone only.
  • Connectivity
    • Allow NFC: Allow device to communicate with an NFC (Near Field Communication) tag or another NFC-enabled transmitting device. Windows Phone only.
    • Allow bluetooth: Allow device to connect through Bluetooth. Windows Phone only.
    • Allow VPN over cellular: Allow the device to connect over VPN to a cellular network.
    • Allow VPN over cellular while roaming: Allow the device to connect over VPN when the device roams over cellular networks.
    • Allow USB connection: Allow a desktop to access a device’s storage through a USB connection. Windows Phone only.
    • Allow cellular data roaming: Allow users to use cellular data while roaming.
  • Accounts
    • Allow Microsoft account connection: Allow the device to use a Microsoft account for non-email related connection authentication and services.
    • Allow non-Microsoft email: Allow user to add non-Microsoft email accounts.
  • Search: Windows Phone only.
    • Allow search to use location: Allow searches to use the device’s location service.
    • Filter adult content: Allow adult content. The default is Off, which means adult content is not filtered.
    • Allow Bing Vision to store images: Allow Bing Vision to store images captured when performing Bing Vision searches.
  • System
    • Allow storage card: Allow the device to use a storage card.
    • Telemetry: In the list, click an option to allow or restrict the device from sending telemetry information. The default is "Allowed". Other options are "Not allowed" and "Allowed, except for secondary data request".
    • Allow location services: Allow location services.
    • Allow preview of internal builds: Allow users to preview Microsoft internal builds.
  • Camera: Windows Desktop/Tablet only
    • Allow use of camera: Allow users to use their device camera.
  • Bluetooth: Windows Desktop/Tablet only
    • Allow discoverable mode: Allow Bluetooth devices to find the local device.
    • Local device name: A name for the local device.
  • Security: Windows Phone only
    • Allow manual root certificate installation: Allow users to manually install a root certificate.
    • Require device encryption: Require device encryption. Note that after encryption is enabled on a device, it cannot be disabled. The default is Off.
    • Allow copy and paste: Allow users to copy and paste data on their devices.
    • Allow screen capture: Allow users to create screen captures on their devices.
    • Allow voice recording: Allow users to use voice recording on their devices.
    • Allow Save As of Office files: Allow users to save Office files with Save As.
    • Allow action center notifications: Allow Action Center notifications on the device lock screen.
    • Allow Cortana: Allow users access to Cortana, the intelligent personal assistant and knowledge navigator.
    • Allow sync of device settings: Allow users to sync settings between Windows Phone 8.1 devices when roaming.
  • Experience: Windows Desktop/Tablet only
    • Allow Cortana: Allow users access to Cortana, the intelligent personal assistant and knowledge navigator.
    • Allow device discovery: Allow network discovery of the device.
    • Allow manual MDM unenrollment: Allow users to manually unenroll their device from XenMobile MDM.
    • Allow sync of device settings: Allow users to sync settings between Windows 10 devices when roaming.
  • Above Lock: Windows Desktop/Tablet only
    • Allow toasts: Allow toast notifications on the lock screen. Windows Desktop/Tablet only.
  • Apps
    • Allow store access: Allow users to access the Microsoft Store. Windows Phone only.
    • Allow developer unlock: Allow users to register their devices with Microsoft and develop or install apps that are not in the Windows Phone app store. Windows Phone only.
    • Allow web browser access: Allow Internet Explorer on the device. Windows Phone only.
    • Allow appstore auto update: Allow apps from the app store to automatically update. Windows Desktop/Tablet only.
  • Privacy: Windows Desktop/Tablet only
    • Allow input personalization: Allows the input personalization service to run, to improve predictive inputs such as pen and touch keyboard, based on what a user types.
  • Settings: Windows Desktop/Tablet only.
    • Allow auto play: Allows users to change Auto Play settings.
    • Allow data sense: Allows users to change Data Sense settings.
    • Allow date time: Allows users to change date and time settings.
    • Allow language: Allows users to change language settings.
    • Allow power sleep: Allows users to change power and sleep settings.
    • Allow region: Allows users to change region settings.
    • Allow sign-in options: Allows users to change sign-in settings.
    • Allow workplace: Allows users to change workplace settings.
    • Allow your account: Allows users to change account settings.

Amazon settings

Image of Device Policies configuration screen

  • Allow hardware controls
    • Factory reset: Allow users to do a factory reset on their devices.
    • Profiles: Allow users to change the hardware profile on their devices.
  • Allow apps
    • Non-Amazon Appstore apps: Allow users to install non-Amazon Appstore apps on their devices.
    • Social networks: Allow users to access social networks from their devices.
  • Network
    • Bluetooth: Allow users to use Bluetooth.
    • WiFi switch: Allow apps to change WiFi connectivity state.
    • WiFi settings: Allow users to change WiFi settings.
    • Cellular data: Allow users to use their cellular connection for data.
    • Roaming data: Allow users to use cellular data while roaming.
    • Location services: Allow users to use GPS.
  • USB actions:
    • Debugging: Allow users’ devices to connect through USB to a computer for debugging.

Windows Mobile/CE settings

Image of Device Policies configuration screen

  • Bluetooth/infrared beaming (Obex): Enable OBEX (OBject EXchange protocol) over Bluetooth or infrared to exchange data between devices.
  • Camera: Enable the camera on user devices.
  • WiFi switch: Allow users to switch WiFi networks.
  • Bluetooth: Enable Bluetooth on users’ devices.