Restrictions Device Policies

Oct 02, 2015

You can add a device policy in XenMobile to restrict certain features or functionality on users' devices, phones, tablets, and so on. You can configure the device restriction policy for the following platforms: iOS, Samsung SAFE, Samsung KNOX, Windows 8.1 tablets, Windows Phone 8.1, and Amazon. Each platform requires a different set of values, which are described in this article.

This device policy allows or restricts users from using certain features on their devices, such as the camera. You can also set security restrictions, as well as restrictions on media content and restrictions on the types of apps users can and cannot install. Most of the restriction settings default to ON (allow). The main exceptions are the iOS Security - Force features and all Windows 8.1 Tablet features, which default to OFF (restrict).
Tip: Any option for which you select ON means that the user can perform the operation or use the feature. For example:
  • Camera. If ON, the user can use the camera on their device. If OFF, the user cannot use the camera on their device.
  • Screen shots. If ON, the user can take screen shots on their device. If OFF, the user cannot take screen shots on their device.

1. In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.

2. Click Add. The Add a New Policy page appears.

3. Click Restrictions. The Restrictions Policy information page appears.

4. In the Policy Information pane, type the following information:

  • Policy Name: Type a descriptive name for the policy.
  • Description: Type an optional description of the policy.

5. Under Platforms, select the platform or platforms you want to add. You can then change the policy information for each platform you selected. Click to restrict any of the features in the following sections, which changes the setting to OFF. Unless otherwise noted, the default setting is to enable the feature.

Configure iOS
Configure Samsung SAFE
Configure Samsung KNOX
Configure Windows Phone 8.1
Configure Windows 8.1 Tablet
Configure Amazon

When you finish setting the restrictions for a platform, refer to Step 6 for how to set that platform's deployment rules.

If you selected iOS, configure these settings

Note:

Some of the iOS restrictions options apply only to specific versions of iOS (and, where applicable, these versions are noted on the XenMobile console page). For example, the ability to allow or block AirDrop is only supported on devices running iOS 7 and later, whereas the ability to allow or block Photo streams is supported on devices running iOS 5 and later. Also, some options only apply if the device is placed in supervised mode. For the steps on setting an iOS device to supervised mode, see To place an iOS device in Supervised mode by using the Apple Configurator.

  • Allow hardware controls
    • Camera: Allow users to use the camera on their devices.
      • FaceTime: Allow users to use FaceTime on their devices.
      • Screen shots: Allow users to take screen shots on their devices.
      • Photo streams: Allow users to use My Photo Stream to share photos through iCloud to all their iOS devices (available in iOS 5.0 and later).
      • Shared photo streams: Allow users to use iCloud Photo Sharing to share photos with coworkers, friends, and family (available in iOS 6.0 and later).
      • Voice dialing: Enable voice dialing on users' devices.
      • Siri
        • Allow while device is locked: Allow users to use Siri while their devices are locked.
        • Siri profanity filter: Enable the Siri profanity filter. The default is to restrict this feature, which means no profanity filtering is done.
    • Installing apps: Allow users to install apps.
  • Allow apps
    • YouTube: Allow users to access content on YouTube.
    • iTunes Store: Allow users to access the iTunes Store.
    • In-app purchases: Allow users to make in-app purchases.
      • Require iTunes password for purchases: Require a password for in-app purchases. The default is to restrict this feature, which means no password is required for in-app purchases (available in iOS 5.0 and later).
    • Safari:
      • Autofill: Allow users to set up autofill for user names and passwords on Safari.
      • Force fraud warning: When enabled, Safari warns users when they visit a suspected phishing site. The default is to restrict this feature, which means no warnings are issued.
      • Enable JavaScript: Allow JavaScript to run on Safari.
      • Block pop-ups: Block pop-ups while viewing web sites. The default is to restrict this feature, which means pop-ups are not blocked.
    • Accept cookies: Set to what extent cookies are accepted. In the list, click an option to allow or restrict cookies. The default option is Always, which allows all sites to save cookies in Safari. Other options are Never and From visited sites only.
  • Network - Allow iCloud actions
    • Documents and data sync: Allow users to sync documents and data to iCloud (available in iOS 5.0 and later).
    • Device backup: Allow users to back up their devices to iCloud (available in iOS 5.0 and later).
    • Automatic sync while roaming: Allow devices to automatically sync mail accounts to iCloud while the device is roaming.
    • iCloud keychain: Allow users to store user names, passwords, WiFi network information, and credit card information in the iCloud Keychain (available in iOS 7.0 and later).
  • Security - Force

    The default is to restrict the following features, which means none of the security features is enabled.

    • Encrypted backups: Force backups to iCloud to be encrypted.
    • Limited ad tracking: Block targeted ad tracking (available in iOS 7.0 and later).
    • Passcode on first Airplay pairing: Require that users' AirPlay-enabled devices be verified with a one-time onscreen code before they can use AirPlay (available in iOS 7.0 and later).
  • Security - Allow
    • Accepting untrusted SSL certificates: Allow users to accept web sites' untrusted SSL certificates (available in iOS 5.0 and later).
    • Automatic update to certificate trust settings: Allow trusted certificates to be updated automatically (available in iOS 7.0 and later).
    • Documents from managed apps in unmanaged apps: Allow users to move data from managed (corporate) apps to unmanaged (personal) apps.
    • Documents from unmanaged apps in managed apps: Allow users to move data from unmanaged (personal) apps to managed (corporate) apps.
    • Diagnostic submission to Apple: Allow anonymous diagnostic data about users' devices to be sent to Apple.
    • Touch ID to unlock device: Allow users to use their fingerprints to unlock their devices (available in iOS 7.0 and later).
    • Passbook notifications when locked: Allow Passbook notifications to appear on the lock screen (available in iOS 6.0 and later).
    • Handoff: Allow users to transfer activities from one iOS device to another nearby iOS device (available in iOS 8.0 and later).
    • iCloud sync for managed apps: Allow users to sync managed apps to iCloud (available in iOS 8.0 and later).
    • Backup for enterprise books: Allow enterprise books to be backed up to iCloud (available in iOS 8.0 and later).
    • Notes and highlights sync for enterprise books: Allow notes and highlights users have added to enterprise books to be synced to iCloud (available in iOS 8.0 and later).
  • Supervised only settings - Allow

    These settings apply only to supervised devices. For the steps on setting an iOS device to supervised mode, see To place an iOS device in Supervised mode by using the Apple Configurator.

    • Internet results in Spotlight: Allow Spotlight to show search results from the Internet as well as the device (available in iOS 8.0 and later).
    • Erase all content and settings: Allow users to erase all content and settings from their devices (available in iOS 8.0 and later).
    • Configuring restrictions: Allow users to configure parental controls on their devices (available in iOS 8.0 and later).
    • Podcasts: Allow users to download and sync podcasts (available in iOS 8.0 and later).
    • Installing configuration profiles: Allow users to install a configuration profile other than that deployed by you (available in iOS 6.0 and later).
    • AirDrop: Allow users to share photos, videos, web sites, locations, and more with nearby iOS devices (available in iOS 7.0 and later).
    • iMessage: Allow users to text over Wi-Fi with iMessage (available in iOS 6.0 and later).
    • Siri user-generated content: Allow Siri to query user-generated content from the web. User-generated content is produced by consumers rather than by traditional journalists; for example, content found on Twitter or Facebook is user-generated (available in iOS 7.0 and later).
    • iBooks: Allow users to use the iBooks app (available in iOS 6.0 and later).
    • Removing apps: Allow users to remove apps from their devices (available in iOS 7.0 and later).
    • Game Center: Allow users to play online games through Game Center on their devices (available in iOS 6.0 and later).
      • Add friends: Allow users to send a notification to a friend to play a game.
      • Multiplayer gaming: Allow users to initiate multiplayer game play on their devices.
    • Modifying account settings: Allow users to modify their device account settings (available in iOS 7.0 and later).
    • Modifying app cellular data settings: Allow users to modify how apps use cellular data (available in iOS 7.0 and later).
    • Modifying Find My Friends settings: Allow users to change their Find My Friends settings (available in iOS 7.0 and later).
    • Pairing with non-Configurator hosts: Allow the administrator to control which hosts a user's device can pair with. Disabling this setting prevents pairing except with the supervising host running the Apple Configurator. If no supervising host certificate is configured, all pairing is disabled (available in iOS 7.0 and later).
    • Predictive keyboards: Allow users' devices to use the predictive keyboard for suggesting words as they type (available in iOS 8.1.3 and later). Disable this option in situations such as administering standardized tests where you do not want users to have access to suggested words.
    • Keyboard auto-corrections: Allow users' devices to use keyboard autocorrect (available in iOS 8.1.3 and later). Disable this option in situations such as administering standardized tests where you do not want users to have access to autocorrect.
    • Keyboard spell-check: Allow users' devices to use spell checking while typing (available in iOS 8.1.3 and later). Disable this option in situations such as administering standardized tests where you do not want users to have access to the spell-checker.
    • Definition lookup: Allow users' devices to use definition look-up while typing (available in iOS 8.1.3 and later). Disable this option in situations such as administering standardized tests where you do not want users to be able to look up definitions as they type.
    • Single App bundle ID: Create a list of apps that are allowed to retain control over the device and prevent interaction with other apps or functions.

      To add one or more apps, click Add and do the following:

      a. App name: Enter an app name.

      b. Click Save or Cancel.

      c. Repeat steps a. and b. for each app you want to add.

      Tip: To delete an existing app, hover over the line containing the app name and then click the trash can icon on the right-hand side. A confirmation dialog box appears. Click Delete to delete the listing or Cancel to keep the listing.

      To edit an existing app, hover over the line containing the app name and then click the pen icon on the right-hand side. Make any changes to the listing and then click Save to save the changed listing or Cancel to leave the listing unchanged.

  • Security - Show in lock screen
    • Control Center: Allow access to Control Center on the lock screen, which lets users easily modify Airplane Mode, WiFi, Bluetooth, Do Not Disturb Mode, and Lock Rotation settings (available in iOS 7.0 and later).
    • Notification: Allow notifications on the lock screen (available in iOS 7.0 and later).
    • Today view: Allow Today View, which aggregates information such as the weather and the current day's calendar items, on the lock screen.
  • Media content - Allow
    • Explicit music, podcasts, and iTunes U material: Allow explicit material on users' devices.
    • Explicit sexual content in iBooks: Allow explicit material to be downloaded from iBooks (available in iOS 6.0 and later).
    • Ratings region: Set the region from which parental control ratings are obtained. In the list, click a country to set the ratings region. The default is United States.
    • Movies: Set whether movies are allowed on users' devices. If movies are allowed, optionally set the ratings level for movies. In the list, click an option to allow or restrict movies on the device. The default is Allow all movies.
    • TV Shows: Set whether TV shows are allowed on users' devices. If TV shows are allowed, optionally set the ratings level for TV shows. In the list, click an option to allow or restrict TV shows on the device. The default is Allow all TV Shows.
    • Apps: Set whether apps are allowed on users' devices. If apps are allowed, optionally set the ratings level for apps. In the list, click an option to allow or restrict apps on the device. The default is Allow all apps.
  • Policy Settings

    Next to Remove policy, click either Select date or Duration until removal (in days).

    If you click Select date, click the calendar to select the specific date for removal.

    In the Allow user to remove policy list, click Always, Password required, or Never.

    If you click Password required, next to Removal password, type the necessary password.

If you selected Samsung SAFE, configure these settings

Note:

Some options are available only under specific Samsung Mobile Device Management (MDM) APIs; they are marked with the relevant version information.

  • Allow hardware controls
    • Factory Reset: Allow users to do a factory reset on their devices.
    • Date Time Change: Allow users to change the date and time on their devices.
    • DOD reboot banner: Display a DoD approved system use notification message or banner when users' devices are restarted.
    • Settings changes: Allow users to change settings on their devices.
    • Backup: Allow users to back up application and system data on their devices.
    • Over The Air Upgrade: Allow users' devices to receive software updates wirelessly (MDM 3.0 and later).
    • Background data: Allow apps to sync data in the background.
    • Camera: Allow users to use the camera on their devices.
    • Clipboard: Allow users to copy data to the clipboard on their devices.
      • Clipboard share: Allow users to share clipboard content between their devices and a computer (MDM 4.0 and later).
    • Home key: Allow users to use the Home key on their devices.
    • Microphone: Allow users to use the microphone on their devices.
    • Mock location: Allow users to fake their GPS location.
    • NFC (Near Field Communication): Allow users to use NFC on their devices (MDM 3.0 and later).
    • Power off: Allow users to turn off their devices (MDM 3.0 and later).
    • Screenshot: Allow users to take screen shots on their devices.
    • SD card: Allow users to use an SD card, if available, with their devices.
    • Voice Dialer: Allow users to use the voice dialer on their devices (MDM 4.0 and later).
    • SBeam: Allow users to share content with others using NFC and Wi-Fi Direct (MDM 4.0 and later).
    • SVoice: Allow users to use the intelligent personal assistant and knowledge navigator on their devices (MDM 4.0 and later).
  • Allow apps
    • Browser: Allow users to use the web browser.
    • Youtube: Allow users to access YouTube.
    • Google Play/Marketplace: Allow users to access Google Play and the Google Apps Marketplace.
    • Allow Non-Google Play apps: Allow users to download apps from sites other than Google Play and the Google Apps Marketplace.
    • Stop system app: Allow users to disable pre-installed system apps (MDM 4.0 and later).
  • Network
    • Incoming Mms: Allow users to receive MMS messages.
    • Incoming Sms: Allow users to receive SMS messages.
    • Outgoing Mms: Allow users to send MMS messages.
    • Outgoing Sms: Allow users to send SMS messages.
    • Bluetooth: Allow users to use Bluetooth.
      • Tethering: Allow users to share a mobile data connection with another device using their Bluetooth connection.
    • WiFi: Allow users to connect to WiFi networks.
      • Tethering: Allow users to share a mobile data connection with another device using their WiFi connection.
      • Direct: Allow users to connect directly to another device through their WiFi connection (MDM 4.0 and later).
      • State Change: Allow apps to change WiFi connectivity state.
    • Tethering: Allow users to share a mobile data connection with another device.
    • Cellular data: Allow users to use their cellular connection for data.
    • Allow roaming: Allow users to use cellular data while roaming. The default is OFF, which disables roaming on users' devices.
    • Only secure connections: Allow users to only use secure connections (MDM 4.0 and later).
    • Android beam: Allow users to send web pages, photos, videos, or other content from their devices to another device using NFC (MDM 4.0 and later).
    • Audio record: Allow users to record audio with their devices (MDM 4.0 and later).
    • Video record: Allow users to record video with their devices (MDM 4.0 and later).
    • Location services: Allow users to turn on GPS on their devices.
    • Limit by day (MB): Enter the number of MB of mobile data users can use each day. The default is 0, which disables this feature (MDM 4.0 and later).
    • Limit by week (MB): Enter the number of MB of mobile data users can use each week. The default is 0, which disables this feature (MDM 4.0 and later).
    • Limit by month (MB): Enter the number of MB of mobile data users can use each month. The default is 0, which disables this feature (MDM 4.0 and later).
  • Allow USB actions: Allow USB connection between users' devices and a computer.
    • Debugging: Allow debugging over USB.
    • Host storage: Allow users' devices to act as the USB host when a USB device connects to their devices. Users' devices then supply power to the USB device.
    • Mass storage: Allow transfer of large data files between users' devices and a computer over a USB connection.
    • Kies media player: Allow users to use the Samsung Kies tool to sync files between their devices and a computer.
    • Tethering: Allow users to share a mobile data connection with another device through a USB connection.

If you selected Samsung KNOX, configure these settings

Note:

These options are available only under Samsung KNOX Premium (KNOX 2.0).

  • Move Apps To Container: Allow users to move apps between the KNOX container and the personal area on their devices.
  • Enforce Multifactor Authentication: Users must use a fingerprint and one other authentication method, such as password or PIN, to open their devices.
  • Enable ODE Trusted Boot Verification: Use ODE trusted boot verification to establish a chain of trust from the bootloader to the system image.
  • Common Criteria Mode: Place device into Common Criteria Mode. The Common Criteria configuration enforces stringent security processes.
  • Enable TIMA Key store: Enable TIMA KeyStore. The TIMA KeyStore provides TrustZone-based secure key storage for the symmetric keys. RSA key pairs and certificates are routed to the default key store provider for storage.
  • Enforce Auth For Container: Use separate, and different, authentication to open the KNOX container from that used to unlock the device.
  • Share List: Allow users to share content between apps in the Share Via list.
  • Enable Audit Log: Enable creation of event audit logs for forensic analysis of a device.
  • Use Secure Keypad: Force users to use a secure keyboard inside the KNOX container.
  • Enable Google Apps: Allow users to download apps from Google Mobile Services into the KNOX container.
  • Authentication Smart Card Browser:

If you selected Windows Phone 8.1, configure these settings

  • WiFi Settings
    • Allow WiFi: Allow a device to connect to a WiFi network.
    • Allow Internet sharing: Allow a device to share its internet connection with other devices by turning it into a WiFi hotspot.
    • Allow auto-connect to WiFi Sense hotspots: Allow a device to connect automatically to WiFi Sense hotspots. Location services must be enabled for this option to work. For more information about WiFi Sense, see the Windows Phone WiFi Sense FAQ.
    • Allow hotspot reporting: Allow device to report the hotspots to which it connects.
    • Allow manual configuration: Allow users to manually configure WiFi connections.
  • Connectivity
    • Allow NFC (Near Field Communication): Allow device to communicate with an NFC tag or another NFC-enabled transmitting device.
    • Allow bluetooth: Allow device to connect through Bluetooth.
    • Allow VPN over cellular: Allow the device to connect over VPN to a cellular network.
    • Allow VPN over cellular while roaming: Allow the device to connect over VPN when the device roams over cellular networks.
    • Allow USB connection: Allow a desktop to access a device's storage through a USB connection.
    • Allow cellular data roaming: Allow users to use cellular data while roaming.
  • Accounts
    • Allow Microsoft account connection: Allow the device to use a Microsoft account for non-email related connection authentication and services.
    • Allow non-Microsoft email: Allow user to add non-Microsoft email accounts.
  • Search
    • Allow search to use location: Allow searches to use the device's location service.
    • Filter adult content: Allow adult content. The default is OFF, which means adult content is not filtered.
    • Allow Bing Vision to store images: Allow Bing Vision to store images captured when performing Bing Vision searches.
  • System
    • Allow storage card: Allow the device to use a storage card.
    • Allow location services: Allow location services.
    • Allow use of camera: Allow users to use their device's camera.
    • Telemetry: In the list, click an option to allow or restrict the device from sending telemetry information. The default is Allowed. Other options are Not allowed and Allowed, except for secondary data request.
  • Security
    • Allow manual root certificate installation: Allow users to manually install a root certificate.
    • Require device encryption: Require device encryption. Note that after encryption is enabled on a device, it cannot be disabled. The default is OFF.
    • Allow copy and paste: Allow users to copy and paste data on their devices.
    • Allow screen capture: Allow users to create screen captures on their devices.
    • Allow voice recording: Allow users to use voice recording on their devices.
    • Allow Save As of Office files: Allow users to save Office files with Save As.
    • Allow action center notifications: Allow Action Center notifications on the device's lock screen.
    • Allow Cortana: Allow users access to Cortana, the intelligent personal assistant and knowledge navigator.
    • Allow sync of device settings: Allow users to sync settings between Windows Phone 8.1 devices when roaming.
  • Apps
    • Allow store access: Allow users to access the Microsoft Store.
    • Allow developer unlock: Allow users to register their devices with Microsoft and develop or install apps that are not in the Windows Phone app store.
    • Allow web browser access: Allow Internet Explorer on the device.

If you selected Windows 8.1 Tablet, configure these settings

Note:

The default for the following settings is OFF.

  • Network
    • Roaming data: Allow users to use cellular data while roaming.
  • Security
    • User account control: Set the level of notification users receive when apps try to make changes to devices. In the list, click an option to set what kind of notification users receive. The default is Always notify, which means any change dims the device's screen and triggers a notice that requires users to respond before they can continue. Other options are Notify app changes, Notify app changes (no dim), and Never notify.
    • Enable Windows error reporting: Allows Windows Error Reporting to report device problems to Microsoft.
    • Enable smart screen: Enable Windows SmartScreen to check downloaded files and web content within apps for malicious software and potentially unsafe web content.
  • Other
    • Enterprise client sync product's URL enable: Enable enterprise client sync on the device.
    • Enterprise client sync product's URL: When Enterprise client sync product's URL enable is ON, type a valid URL address.

If you selected Amazon, configure these settings.

  • Allow hardware controls
    • Factory reset: Allow users to do a factory reset on their devices
    • Profiles: Allow users to change the hardware profile on their devices.
  • Allow apps
    • Non-Amazon Appstore apps: Allow users to install non-Amazon Appstore apps on their devices.
    • Social networks: Allow users to access social networks from their devices.
  • Network
    • Bluetooth: Allow users to use Bluetooth.
    • WiFi switch: Allow apps to change WiFi connectivity state.
    • WiFi settings: Allow users to change WiFi settings.
    • Cellular data: Allow users to use their cellular connection for data.
    • Roaming data: Allow users to use cellular data while roaming.
    • Location services: Allow users to use GPS.
  • USB actions:
    • Debugging: Allow users' devices to connect through USB to a computer for debugging.

6. Expand Deployment Rules and then configure the following settings. The Base tab appears by default.

  • In the lists, click options to determine when the policy should be deployed.
    • You can choose to deploy the policy when all conditions are met or when any conditions are met. The default option is All.
    • Click New Rule to define the conditions.
    • In the lists, click the conditions, such as Device ownership and BYOD, as shown in the preceding figure.
    • Click New Rule again if you want to add more conditions. You can add as many conditions as you would like.
    • Click the Advanced tab to combine the rules with Boolean options. The conditions you chose on the Base tab appear.
  • You can use more advanced Boolean logic to combine, edit, or add rules.
    • Click AND, OR, or NOT.
    • In the lists that appear, choose the conditions that you want to add to the rule and then click the Plus sign (+) on the right-hand side to add the condition to the rule.
      At any time, you can click to select a condition and then click EDIT to change the condition or Delete to remove the condition.
    • Click New Rule again if you want to add more conditions.

In this example, the device ownership must be BYOD, the device local encryption must be True, and the device mobile country code cannot be Andorra.

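To show how Base-tab All/Any matching and the Advanced-tab AND, OR and NOT combinators select devices, here is a small rule evaluator for the example above. This is an added illustration, not XenMobile's own code or rule format; the attribute names (ownership, local_encryption, mobile_country_code), the operator names, and the device records are constructed for the example.

```python
# Added example (not XenMobile code): a minimal evaluator for deployment
# rules of the kind shown above. Attribute names, operators and the device
# inventory are constructed assumptions for illustration only.
from dataclasses import dataclass
from typing import Any, Dict, Tuple, Union

Device = Dict[str, Any]


@dataclass(frozen=True)
class Condition:
    """One Base-tab condition: <attribute> <operator> <value>."""
    attribute: str
    operator: str  # "is" or "is_not"
    value: Any

    def matches(self, device: Device) -> bool:
        # Fail closed: a device that does not report the attribute at all
        # matches neither "is" nor "is_not".
        if self.attribute not in device:
            return False
        actual = device[self.attribute]
        if self.operator == "is":
            return actual == self.value
        if self.operator == "is_not":
            return actual != self.value
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass(frozen=True)
class Rule:
    """Advanced-tab combinator: AND / OR / NOT over conditions or sub-rules."""
    op: str
    parts: Tuple[Union[Condition, "Rule"], ...]

    def matches(self, device: Device) -> bool:
        results = [part.matches(device) for part in self.parts]
        if self.op == "AND":
            return all(results)
        if self.op == "OR":
            return any(results)
        if self.op == "NOT":
            if len(results) != 1:
                raise ValueError("NOT takes exactly one operand")
            return not results[0]
        raise ValueError(f"unknown combinator {self.op!r}")


def base_tab_rule(conditions: Tuple[Condition, ...], mode: str = "All") -> Rule:
    """Base tab: deploy when All (AND) or Any (OR) of the conditions are met."""
    return Rule("AND" if mode == "All" else "OR", conditions)


def should_deploy(rule: Union[Condition, Rule], device: Device) -> bool:
    """True when the policy should be pushed to this device."""
    return rule.matches(device)


# The rule from the page's example: ownership is BYOD AND local encryption
# is True AND NOT (mobile country code is Andorra).
EXAMPLE_RULE = Rule("AND", (
    Condition("ownership", "is", "BYOD"),
    Condition("local_encryption", "is", True),
    Rule("NOT", (Condition("mobile_country_code", "is", "Andorra"),)),
))

# Constructed device inventory records (not real devices).
DEVICES = {
    "byod-encrypted-de": {"ownership": "BYOD", "local_encryption": True,
                          "mobile_country_code": "Germany"},
    "byod-encrypted-ad": {"ownership": "BYOD", "local_encryption": True,
                          "mobile_country_code": "Andorra"},
    "corp-encrypted-de": {"ownership": "Corporate", "local_encryption": True,
                          "mobile_country_code": "Germany"},
    "byod-plaintext-de": {"ownership": "BYOD", "local_encryption": False,
                          "mobile_country_code": "Germany"},
    # Reports no country code at all: NOT(no match) still evaluates to True.
    "byod-encrypted-no-mcc": {"ownership": "BYOD", "local_encryption": True},
}


def evaluate_inventory(rule: Union[Condition, Rule],
                       devices: Dict[str, Device] = DEVICES) -> Dict[str, bool]:
    """Map each device name to whether the rule selects it for deployment."""
    return {name: should_deploy(rule, attrs) for name, attrs in devices.items()}


if __name__ == "__main__":
    for name, selected in evaluate_inventory(EXAMPLE_RULE).items():
        print(f"{name:24s} {'deploy' if selected else 'skip'}")
```

The last inventory record shows the edge case worth checking when you use NOT: a device that does not report the attribute fails the inner condition, so the negation passes and the policy deploys anyway. If the attribute must be present, add a positive condition on it alongside the NOT.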

7. After you finish configuring the settings for one or more platforms, click Next and the Restrictions Policy assignment page appears.

8. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list to which you want to assign the policy. The groups you select appear in the Delivery groups to receive app assignment list.

9. Expand Deployment Schedule and then configure the following settings:

  • Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON. If you choose OFF, no other options need to be configured.
  • Next to Deployment schedule, click Now or Later. The default option is Now.
  • If you click Later, click the calendar icon and then select the date and time for deployment.
  • Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
  • Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.

Note:

This option applies when you have configured the scheduling background deployment key in Settings > Server Properties. The always-on option is not available for iOS devices.

The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection, which does not apply to iOS.

10. Click Save to save the policy.