Restrictions
You can allow or restrict user access to device features such as Bluetooth, the Camera, and device data encryption.
Only devices running Android 5.0 or above can be provisioned as Profile Owner or Device Owner.
Note: To view a detailed comparison of the policies supported on each OS version, click here.
Note: For enhanced security, the admin can configure a kiosk profile to lock down the device to specific apps and settings, or blocklist unwanted apps in the Inventory. The admin can further ensure corporate security by making sure users install only safe apps, by configuring application settings for Corporate Owned devices and Workspace Security for BYOD devices.
FEATURE | DESCRIPTION | KNOX-ENABLED SAMSUNG | WORK PROFILE ON COMPANY OWNED DEVICES | NON-SAMSUNG | ||
---|---|---|---|---|---|---|
LEGACY | PROFILE OWNER | DEVICE OWNER | ||||
DEVICE FUNCTIONALITY | ||||||
Camera (Supported from Android 5.0) | By disabling this, users will not be allowed to use the Camera on their devices. On restricting this, the Camera will remain restricted within the Knox container also. | |||||
Access Camera from Lock Screen (Supported from Android 5.0) | By disabling this, the users are restricted from accessing the Camera from the lock screen of the device. This can be configured only when Camera is allowed on the device. | Applicable for devices running 5.0 or later versions | Applicable for devices running 5.0 or later versions | |||
Video Recording (Supported from Android 5.0) | By disabling this, users will not be able to record videos on their devices. Video Recording can be allowed only when Camera is allowed on the device. | |||||
Microphone | By enabling this, users will be allowed to use the Microphone. If this is disabled, users can use the Microphone only for receiving and making calls. All other voice applications which require the Microphone usage will be restricted. On restricting this on the device, the Microphone will remain restricted within the Knox container also. | |||||
Audio Recording (Supported from Android 5.0) | By disabling this, users will not be able to record audio on their devices. Audio recording can be enabled only when the Microphone is enabled on the device. | No separate restriction - Restricted when the Microphone is restricted | ||||
Firmware Recovery (Samsung-only feature) | By disabling this, users cannot perform firmware recovery on the device. | |||||
OS Upgrade (Samsung-only feature, supported from Android 5.0) | By enabling this, users will be able to perform OS upgrades on their devices. | |||||
Screen Capture | By disabling this, users will not be allowed to capture the screen on the devices. | Note: This restriction is applied through the Samsung API, whose behavior changes from Knox 3.8: screen capture may still be possible in Samsung default apps such as Launcher, SystemUI, Settings, Reminder, Calendar and Clock even when the restriction is applied. | ||||
Smart Clip Mode (Samsung-only feature, supported from Android 5.0) | By enabling this, users will be allowed to access smart clip mode on their devices. | |||||
S-Voice (Samsung-only feature, supported from Android 5.0) | By disabling this, users will be unable to use the S-Voice feature on their devices. S-Voice can be enabled only when the Microphone is enabled on the device. | |||||
Add Accounts (Supported from 5.0) | Enabling this will allow users to add email, Exchange, LDAP, and Google accounts on managed devices. Disabling this prevents users from adding any of these accounts. Account addition is prevented only after the restriction is applied to the devices; accounts that were already present are not affected. | Applied only to the Work Container | ||||
Enforce Storage Encryption (Supported from Android 5.0) | All data stored in the internal memory of the device must be encrypted. Ensure your devices are charged up to 80% to begin the encryption process. This restriction is applied only if the device is secured through a passcode. If there is no passcode on the device, you can associate a Passcode policy first and then distribute the restrictions policy. | Encrypted by default | Encrypted by default | |||
Enforce SD Card Encryption (Samsung-only feature, supported from Android 5.0) | Encryption is forced on the SD Card. This restriction is applied only if the device is secured by a passcode. If there is no passcode on the device, you can associate a Passcode policy first and then distribute the restrictions policy. | |||||
SECURITY | ||||||
Restore Factory Settings | By restricting this, admins can prevent users from resetting devices to their factory settings. By restricting this and also configuring EFRP on the devices, admins can also prevent users from removing devices from management through a hard reset. | |||||
Lock Screen Notification Preference | Configure how the notifications appear on the lock screen of the device. Either choose to show all content, hide sensitive content, or completely hide notifications. | Applicable for devices running 5.0 or later versions | Applied only to the Work Container | |||
Installing Non-Market apps | Allow or restrict the installation of apps not listed on the Play Store. Restricting this disables the "Install apps from unknown sources" setting for app installation. | Restricted by default | ||||
Allow certificate based authentication for managed apps | Allow/Restrict certificate-based authentication for managed apps. | Applied only to the Work Container | ||||
Allow users to install or modify certificates | Allow/Restrict users to install/modify certificates. | Applied only to the Work Container | ||||
Clipboard (Supported from Android 5.0) | By enabling this, users will be allowed to use the Clipboard memory. | Applied only to the Work Container | ||||
Clipboard Share (Supported from Android 5.0) | By enabling this, users can share the Clipboard content between different applications. This can be enabled only when the Clipboard feature is enabled on the device. | No separate restriction - Restricted when Clipboard is restricted | ||||
Safe mode | By enabling this, users can boot the device in Safe mode. | |||||
Developer Mode | By enabling this, users can use developer options on the device. | |||||
'Share via' list (Samsung-only feature, supported from Android 5.0) | By enabling this, users will be allowed to use the share list on their devices. | |||||
Google Play Protect | Google Play Protect regularly checks apps and the devices for any harmful behavior. | |||||
Auto fill | By enabling this option, users will be allowed to use Auto-Fill Settings. | |||||
SYNC AND STORAGE | ||||||
Backup and restore data | By enabling this option, users will be allowed to back up the device data and restore it. Note: Backup services are disabled by default on Samsung devices enrolled as Device Owner or Profile Owner. For the restore option to work, the Samsung Smart Switch app should be installed on the device. | |||||
Backup data in Google Server (Samsung-only feature) | By enabling this option, users will be allowed to back up the device data like images, videos, etc. in the Google server. | |||||
Google Account Auto-Sync (Samsung-only feature, supported from Android 5.0) | By enabling this option, users will be allowed to sync their Google Accounts on their devices. | |||||
Report Crash to Google (Samsung-only feature, supported from Android 5.0) | By enabling this, crash reports will be sent to Google. | |||||
SD Card | By enabling this, users will be allowed to use an SD Card on their devices. For non-Samsung devices: This restriction only blocks new SD card mounts; existing mounts are unaffected. For Samsung devices: This restriction applies to both newly inserted and already mounted SD cards. | |||||
Storing data in SD Card (Supported from Android 5.0) | By enabling this, users will be allowed to store data on SD Cards of the devices. | No separate restriction - Restricted when SD Card is restricted | ||||
Move apps to SD Card (Samsung-only feature, supported from Android 5.0) | By enabling this, users will be able to move applications installed in device memory to the SD card. | |||||
USB | By enabling this, users will be allowed to use USB on their devices. | |||||
Connections using USB | By enabling this, users will be allowed to use USB to establish connections for debugging. | No separate restriction - Restricted when USB is restricted | ||||
Connect a USB storage device | By enabling this, users will be allowed to connect USB Storage devices. This can be enabled only when USB is enabled on a device. | No separate restriction - Restricted when USB is restricted | ||||
APPLICATIONS | ||||||
Users can install unapproved apps | This restriction lets the admin either allow users to install all applications or restrict them to installing only apps distributed from the MDM app repository. If this restriction is configured as Yes, then the user will be able to install only admin approved apps. All apps previously installed by users get disabled, and in the case of subsequent installations of unapproved apps, although the apps get downloaded and installed, they are automatically uninstalled. Once this restriction is removed, the apps previously disabled get enabled automatically. If No is chosen, then a sub-condition will be shown where the admin can choose whether the user can access all apps under Managed Google Play or only admin approved apps. | Applied only to the Work Container | ||||
Allow access to all apps under Managed Google Play | In case Managed Google Play is configured in the server, the admin can still restrict the access to either all apps under Managed Google Play or only admin approved apps. | Applied only to the Work Container | ||||
Uninstalling apps (Supported from Android 5.0) | By enabling this, users will be allowed to uninstall applications from the device. Note: Despite this setting, apps silently installed on devices cannot be uninstalled by users. | Applied only to the Work Container | ||||
Stop system apps (Samsung-only feature, supported from Android 5.0) | By enabling this, users can stop the system apps present in their devices. | |||||
Application notification mode (Samsung-only feature, supported from Android 5.0) | By enabling this, the user can choose to allow or restrict app notifications. If restricted, the app notifications will be disabled. | |||||
YouTube | By enabling this, users will be allowed to access YouTube from the device. | |||||
Gmail | By enabling this, users will be allowed to access Gmail on their devices. | |||||
S-Finder (Samsung-only feature, supported from Android 5.0) | By enabling this, users will be allowed to use "S Finder" to search for Apps and settings on the device. This is applicable only for Samsung Knox devices. | |||||
Global App Permission policy | Configuring this lets you choose to automatically deny/allow permissions for apps present on the device. If Auto-deny is chosen, for some apps such as Camera, the app will be disabled and the user will not be prompted to accept the permission, while in other apps such as Phone, a message will be displayed notifying the user of the denied access. Optionally, you can also leave it to the user. | Applied only to the Work Container | ||||
BROWSER (Applicable only for Google Chrome in legacy) | ||||||
Android browser | By enabling this option, the users will not be able to use any web browsers on the device. | Applied only to the Work Container | ||||
Fraud warning settings | By enabling this, users will be allowed to use Fraud Warning Settings on the device. | Applied only to the Work Container | ||||
Pop-ups | By enabling this, pop-ups will be enabled on the device. | Applied only to the Work Container | ||||
JavaScript | By enabling this, users will be allowed to use applications running on JavaScript. | Applied only to the Work Container | ||||
Auto-fill | By enabling this option, users will be allowed to use Auto-Fill Settings. | Applied only to the Work Container | ||||
Cookies | By enabling this option, users will be allowed to use Cookies Settings on the device. | Applied only to the Work Container | ||||
NETWORK AND ROAMING | ||||||
Airplane Mode (supported for Samsung and devices running Android 9.0 and above) | If this is restricted, users will be unable to use airplane mode on their devices. | |||||
Background data (Samsung-only feature) | If Allow is chosen, users will be able to disable the background data whereas background data will be enabled by default. (This profile does not get applied automatically and the user has to accept this profile) | |||||
Data Saver Mode (Samsung-only feature) | Enable this option to reduce data usage by preventing apps from sending or receiving data in the background. | |||||
Wi-Fi | If 'User Controlled' is chosen, users will be allowed to disable or enable Wi-Fi on the device. If Wi-Fi is Always On on the device, users will not have permission to disable it. Note: This is not supported for corporate Samsung devices running Android 10.0 or above enrolled via invites. If Wi-Fi is Always Off on the device, users will not have permission to enable it. The managed devices will be out of network connectivity and even the MDM server cannot reach the device until cellular data is enabled on the device. | |||||
Wi-Fi Direct (Samsung-only feature - Supported from Android 5.0) | By enabling this, users will be allowed to access Wi-Fi Direct on their devices. | |||||
Connecting to Wi-Fi, only if distributed via MDM (Supported from Android 5.0 to 9.0) | Restrict/Allow users to connect to Wi-Fi networks only if Wi-Fi configurations have been distributed as a profile via MDM. If no Wi-Fi profile has been configured via MDM, the device can connect to other Wi-Fi networks. Also, if the Wi-Fi SSID has been changed, then the profile must be modified to include the new SSID and then re-distributed to the device, for continued management. | |||||
Restrict users from connecting to unsecure public Wi-Fi networks | By restricting this, users will not be able to connect their devices to public or unsecured Wi-Fi networks which are not protected with a password. | |||||
Allow users to configure VPN (Supported from Android 5.0) | Users are restricted from configuring VPN on devices, apart from any VPN configurations distributed through the MDM server. If this restriction is enabled on Samsung devices (running on OS 5.0 and above), any VPN configured by the user gets deleted. | |||||
Roaming always on | By allowing this, roaming is always set to on and cannot be turned off by the user. Otherwise, this can be user-controlled. | |||||
Roaming data (Samsung-only feature) | If you have allowed this, users can choose to allow or disallow roaming data on the device. Otherwise, this setting will be disabled and greyed out on the device. | |||||
Sync data while Roaming (Samsung-only feature) | By enabling this, users will be allowed to use Sync feature while roaming. | |||||
Roaming Push (Samsung-only feature) | By enabling this, data will be pushed to devices even while they are roaming. | |||||
Voice Call while Roaming (Samsung-only feature, supported from Android 5.0) | By enabling this, users will be allowed to receive/make voice calls during roaming. | |||||
DEVICE CONNECTIONS | ||||||
NFC | By enabling this, users can utilize Near Field Communication (NFC). | The device will display a policy violation message, prompting the user to enable/disable the NFC setting as specified in the profile. | ||||
Android Beam (Supported from Android 5.0) | By enabling this, users can utilize Android Beam to transfer data to other supported devices. | Applied only to the Work Profile | Restricted by default | |||
S Beam (Samsung-only feature, supported up to Android 5.0) | By enabling this, users can utilize S Beam to share files with other supported devices. | |||||
Bluetooth | By enabling this, users will be allowed to use Bluetooth on their devices. | |||||
Bluetooth discovery (Samsung-only feature) | By enabling this, users can allow other devices to detect and connect to their devices. | |||||
Bluetooth pairing (Samsung-only feature) | By enabling this, users will be allowed to pair their devices with other devices to enable data transfer. | |||||
Make outgoing calls using Bluetooth (Samsung-only feature) | By enabling this, users will be allowed to place outgoing calls using Bluetooth. | |||||
Connect to Laptop/Desktop via Bluetooth (Samsung-only feature) | By enabling this, users can connect their devices to desktops/laptops using Bluetooth. | |||||
Data transfer via Bluetooth (Samsung-only feature) | By enabling this, users will be allowed to transfer data from their devices to other devices using Bluetooth. | |||||
Printing (Supported from Android 9.0) | By enabling this, users will be allowed to use Bluetooth printers through their devices. | |||||
TETHERING | ||||||
Tethering | Disabling this restricts managed devices from tethering with other devices to share the cellular network. | |||||
Bluetooth Tethering | By enabling this, users will be allowed to share Internet connection via Bluetooth with other devices. This can be enabled only when Bluetooth is enabled on a device. | No separate restriction - Restricted when Tethering is restricted | ||||
Wi-Fi Tethering | By enabling this, users will be allowed to share Internet connection via Wi-Fi with other devices. This can be enabled only when Wi-Fi and Wi-Fi Direct are enabled on the device. | No separate restriction - Restricted when Tethering is restricted | ||||
USB Tethering | By enabling this, users will be allowed to share Internet connection via USB with other devices. This can be enabled only when USB is enabled on the device. | No separate restriction - Restricted when Tethering is restricted | ||||
LOCATION SERVICES | ||||||
Location Services (Supported in legacy from OS 5.0) | When set as Always On, Location Services is forcefully enabled (Location Tracking can be highly accurate when Location Services are set to Always On only for devices running OS below 9). Even if users turn it Off, it automatically reverts to the On state. The same applies to the Always Off option. If you configure it as User Controlled, device users can enable/disable it as per their needs. | |||||
Mock location (Samsung-only feature) | Allow/Restrict users from presenting falsified location data. | |||||
Google Maps | By enabling this, users can utilize Google Maps. | |||||
PHONE | ||||||
SMS (Supported from Android 5.0 in Samsung devices) | By disabling this, users will not be able to use Short Messaging Service (SMS) on the managed devices. | |||||
Incoming SMS (Supported up to Android 5.0 in Samsung devices) | By disabling this, users will not be able to receive any incoming message on their devices. | No separate restriction - Restricted when SMS is restricted | ||||
Outgoing SMS (Supported from Android 5.0 in Samsung devices) | By disabling this, users will not be able to send any outgoing message from their devices. | No separate restriction - Restricted when SMS is restricted | ||||
MMS (Supported from Android 5.0 in Samsung devices) | By disabling this, users will not be able to use Multimedia Messaging Service (MMS) on the managed devices. | No separate restriction - Restricted when SMS is restricted | ||||
Incoming MMS (Supported from Android 5.0 in Samsung devices) | By disabling this, users will not be able to receive any incoming MMS to their devices. | No separate restriction - Restricted when SMS is restricted | ||||
Outgoing MMS (Supported from Android 5.0 in Samsung devices) | By disabling this, users will not be able to send any outgoing MMS from their devices. | No separate restriction - Restricted when SMS is restricted | ||||
Call (Samsung-only feature) | If disabled, users cannot make/receive calls. | |||||
Incoming Call (Samsung-only feature) | By disabling this, users will not be able to receive any incoming calls on their devices. Even when it is allowed, incoming calls will work only when the Microphone is enabled on the device. | |||||
Outgoing Call | By disabling this, users will not be able to place any outgoing calls on their devices. Even when it is allowed, outgoing calls will work only when the Microphone is enabled on the device. | |||||
DATE/TIME SETTINGS | ||||||
Set device time (Supported from Android 9.0 and above) | You can set the device time either based on the network provider's time or set it up manually. Note: If the incorrect time is displayed, then try connecting to a different network and check the Wi-Fi router. | |||||
Timezone (Supported from Android 9.0 and above) | If you have enabled the device time to be set manually, then you can choose the desired timezone from the dropdown. | |||||
Modify date/time settings (Supported from Android 9.0 and above) | Restricting this prevents the users from modifying date/time settings such as time format, date format, etc. | |||||
Modify date/time (Supported from Android 5.0 in Samsung devices) | Restricting this prevents the users from modifying the date/time already set on the device. | |||||
DISPLAY SETTINGS (Supported from Android 9.0) | ||||||
Screen Timeout | The duration (between 5 and 1800 seconds) of inactivity, after which the device goes to sleep. Note: Screen Timeout duration cannot be higher than the Maximum idle time allowed before auto-lock configured in the Passcode profile. | |||||
Modify Screen Timeout Settings | Disabling this ensures the screen timeout configured above or on the device cannot be modified. | |||||
Brightness | Provide the level of brightness to be configured on the device. | |||||
Modify Brightness Settings | Disabling this ensures the brightness configured above or on the device cannot be modified. | |||||
Ambient Display | Enable/Disable displaying details such as the time, date, etc., on the device lock screen while it is asleep. | |||||
MISCELLANEOUS | ||||||
Add user (Supported from Android 5.0 in Samsung devices) Note: In Device Owner devices, adding users is restricted by default because only the primary user can be managed. | Disabling this will restrict creating multiple users on the device. | |||||
Turn the device off, using Power button (Samsung-only feature, supported from Android 5.0) | By disabling this, users will not be able to turn off their devices using the Power Button. | |||||
Background process limit (Samsung-only feature, supported up to Android 5.0) | By enabling this, the background processes running on the device can be enabled/disabled by the user. If disabled, then the background process limit is set to maximum. | |||||
Terminating app on exiting (Samsung-only feature, supported from Android 5.0) | This setting (Don't keep activities) is restricted on the device by default. If you choose to allow this, users can choose to enable or disable it. | |||||
Modify default device settings (Samsung-only feature) | By enabling this, the device can be restored to the default settings. | |||||
Air Command (Samsung-only feature, supported from Android 5.0) | Enabling this will allow users to access the features related to S Pen, such as Notepad, virtual keyboard, Memo, etc. This is applicable only for Samsung Knox devices. | |||||
Smart View (Samsung-only feature, supported from Android 5.0) | Enabling this allows users to view multimedia content present on the device, on a Samsung smart TV. |
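
Several rows above depend on another setting (for example, Video Recording on Camera, Wi-Fi Tethering on Wi-Fi and Wi-Fi Direct, storage encryption on a passcode, and Screen Timeout on the passcode idle time). The following check is an added example, not part of the product or its documentation, that reviews a restrictions profile for such conflicts before distribution. The profile keys and the `max_idle_seconds` field are hypothetical names, and unset restrictions are assumed to mean "allowed".

```python
# Added example: the keys below are hypothetical names, not the product's schema.
# Each rule encodes a dependency stated in the restrictions table above.
REQUIRES = {
    "camera_from_lock_screen": ["camera"],
    "video_recording": ["camera"],
    "audio_recording": ["microphone"],
    "s_voice": ["microphone"],
    "clipboard_share": ["clipboard"],
    "usb_storage_device": ["usb"],
    "bluetooth_tethering": ["bluetooth"],
    "wifi_tethering": ["wifi", "wifi_direct"],
    "usb_tethering": ["usb"],
}
ENCRYPTION = ("enforce_storage_encryption", "enforce_sd_card_encryption")


def _allowed(profile, key):
    # Assumption: an unset restriction means the feature is allowed.
    return profile.get(key, True) not in (False, "always_off")


def lint_profile(profile, passcode_policy=None):
    """Return (key, message) findings for settings that cannot take effect as written."""
    findings = []
    # A child feature explicitly allowed while its parent is restricted.
    for child, parents in REQUIRES.items():
        if profile.get(child) is True:
            for parent in parents:
                if not _allowed(profile, parent):
                    findings.append(
                        (child, f"allowed, but requires {parent}, which is restricted"))
    # Encryption restrictions are applied only to passcode-secured devices.
    for key in ENCRYPTION:
        if profile.get(key) is True and not passcode_policy:
            findings.append(
                (key, "applied only if a passcode is set; associate a Passcode policy first"))
    # Screen Timeout: 5-1800 seconds and not above the passcode auto-lock idle time.
    timeout = profile.get("screen_timeout_seconds")
    if timeout is not None:
        if not 5 <= timeout <= 1800:
            findings.append(("screen_timeout_seconds", "must be between 5 and 1800 seconds"))
        max_idle = (passcode_policy or {}).get("max_idle_seconds")
        if max_idle is not None and timeout > max_idle:
            findings.append(
                ("screen_timeout_seconds", f"exceeds passcode auto-lock idle time ({max_idle}s)"))
    # Wi-Fi Always Off leaves the device unreachable until cellular data is enabled.
    if profile.get("wifi") == "always_off":
        findings.append(("wifi", "MDM server cannot reach the device until cellular data is enabled"))
    return findings


# Constructed sample profile (not exported from any real server).
SAMPLE = {
    "camera": False, "video_recording": True,
    "wifi": "always_off", "wifi_direct": True, "wifi_tethering": True,
    "enforce_storage_encryption": True,
    "screen_timeout_seconds": 3600,
}

if __name__ == "__main__":
    for key, message in lint_profile(SAMPLE):
        print(f"{key}: {message}")
```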