Restrictions

The Restrictions settings restrict specific features, network settings, developer options, and location detection policies on Android devices.

Device features

The following table describes the restrictions that you can configure on a device:

Policy setting	Description	Supported devices
Allow camera	If this setting is turned on, the device can use the camera. In addition to enabling this setting, enable the camera app in native app compliance.	Android 5.0+ PO and DO
Allow camera on personal profile	If this setting is turned on, MaaS360 allows the use of the camera on the personal profile of Work Profile on Corporate Owned (WPCO) devices.
Mute master volume	If this setting is turned on, the volume is muted at the device level and no sound through any audio connections.	Android 5.0+ DO
Allow unmuting of microphone	If this setting is turned on, MaaS360 grants access to the microphone. If this setting is turned off, the audio is transmitted through the microphone through the phone or any other applications that use this capability.	Android 5.0+ DO
Allow volume adjustments	If this setting is turned on, users can adjust the volume. If this setting is turned off, the device volume remains at the last set value.	Android 5.0+ DO
Allow Bluetooth configuration	If this setting is turned on, users can modify the Bluetooth settings and configurations. If this setting is turned off, MaaS360 locks down existing settings.	Android 5.0+ DO
Allow outgoing beam	If this setting is turned on, the device can send information externally with Near Field Communication (NFC).	Android 5.1.1+ PO and DO
Allow sharing of locations	If this setting is turned on, the apps are enabled to access the device's location information. Turn on this setting if you are configuring Wi-Fi policies, Trusteer policies, or Wi-Fi or Bluetooth settings within the kiosk. Location permission is required for identifying the list of configured networks, the presently connected network, and the discovery of other Bluetooth networks.	Android 5.0+ PO and DO
Enable work contacts across profiles	If this setting is turned on, users are allowed to access contacts in the work profile from across other profiles. Requires Google messages app to work with SMS. If this setting is turned off, users are restricted from accessing work contacts across multiple profiles.	Android 7.0+ PO
Allow Bluetooth	If this setting is turned on, the device can use Bluetooth.	Android 8.0+ DO
Allow Bluetooth sharing	The device cannot share data externally through Bluetooth.	Android 8.0+ PO and DO
Allow backup service	If this setting is turned on, MaaS360 allows backups by using embedded services. This setting does not impact the ability to backup data by using third-party content management applications.	Android 8.0+ DO
Disable screen dim	When this setting is turned on, the screen remains active until the device is locked. Enabling this setting makes sure that the MaaS360 app or kiosk launcher are not turned off because of timeouts. This setting does not apply to other native or third-party apps.	Android 8.0+ DO
Allow audio recording	If this setting is turned on, users can record audio on the device. Note: Even after you disable this setting, the device microphone is still available so that the user can make calls and use audio streaming for VoIP.	Samsung Knox with DO
Allow SVoice	If this setting is turned on, the user can use the SVoice app on the device.	Samsung Knox with DO
Allow video recording	If this setting is turned on, MaaS360 allows users to record video on the device. If this setting is turned off, the user can still take pictures with the camera.	Samsung Knox with DO
Allow apps to manage certificates on Android TrustStore	Determines which apps can install or list or remove certs to/in/from the TrustStore. Enter a comma-separated list of apps allowed to install/list/remove certificates to/in/from Android TrustStore.	Samsung Knox with DO
Disallow Printing	If this setting is turned off, printing is enabled from the device.	Android 9.0+ (DO, PO)
Disable Date & Time Configuration	If this setting is turned off, it allows users to manually set the date and time on the device. If disabled in Device Owner (DO) mode, MaaS360 disables the date, time, and time zone setting on the entire device. All users on the device are affected.	Android 9.0+ (DO)
Disable Ambient Display	If this setting is turned off, it allows users to use the Ambient Display feature that exhibits device notifications on the wake screen display.	Android 9.0+ (DO)
Disable Brightness Configuration	If this setting is turned off, it allows users to alter screen brightness settings.	Android 9.0+ (DO)
Disallow Locale Configuration	If this setting is turned off, it allows users to set the locale on the device. This can impact other features such as time and date.	Android 9.0+ (DO)
Disallow System Error Dialogs	If this setting is turned on, the device cannot display system errors for items like crashed apps or when processes stop working.	Android 9.0+ (DO)
Disable Airplane Mode	If this setting is turned on, disables Airplane mode on the entire device.	Android 9.0+ (DO)

Network restrictions

The following table describes the network restrictions that you can configure on a device:

Policy setting	Description	Supported devices
Allow outgoing calls	The device can make outgoing calls. (This setting does not impact emergency phone numbers).	Android 5.0+ DO
Allow SMS	The device can use SMS (send and receive text messages). (This setting does not impact the visibility of the SMS app on the device, just the functionality of sending and receiving messages).	Android 5.0+ DO
Allow Wi-Fi	If this setting is disabled, users are not allowed to change Wi-Fi access points through Settings. This restriction does not affect Wi-Fi tethering settings on the device. Note: The Wi-Fi connection remains uninterrupted and stays connected to the previously associated network. While the Wi-Fi can be turned on or off, it is not possible to change the Wi-Fi access point.	Android 5.0+ DO
Allow or block Wi-Fi networks by SSID	The admin can define a Wi-Fi SSID restriction policy that the network must satisfy to be eligible for a connection. You can use `Add allowlist` or `Add blocklist` to define the list of Wi-Fi networks to be allowed or blocked for a device. You can also set the value to `No Restrictions` on Wi-Fi SSIDs. Note: Admin-configured networks are not exempt from this restriction.	Android 13.0+ DO
Allowed Wi-Fi networks/ Blocked Wi-Fi networks	Note: In Allow or block Wi-Fi networks by SSID, select `Add allowlist`, `Add blocklist` from the drop-down list to view this setting. The admin can do the following actions. `Add allowlist` Specify the list of Wi-Fi SSIDs to allow. The device can connect only to the specified Wi-Fi networks. The device cannot connect to any other networks. `Add blocklist` Specify the list of Wi-Fi SSIDs to block. The device cannot connect to the Wi-Fi network in the blocklist, but can connect to other networks.	Android 13.0+ DO
Minimum Wi-Fi security level	The admin can set the minimum Wi-Fi security levels that are required to connect to the Wi-Fi networks for the device. The device fails to connect to networks that do not meet the minimum security level. Make sure that you select a suitable level to avoid connectivity issues or else the device gets disconnected. The following values are available. `Open` where there is no encryption nor authentication. `Personal` such as WEP, WPA, WPA2-Personal, WPA3-Personal with a Pre-Shared Key. `Enterprise EAP` for Enterprise Wi-Fi with 802.1X authentication using EAP. `Enterprise 192` for the highest security and WPA3-Enterprise with 192-bit encryption.	Android 13.0+ DO
Allow configuring Wi-Fi	This setting enables the user to configure and add Wi-Fi networks. If this setting is disabled, the user cannot access Wi-Fi on the devices if no Wi-Fi SSIDs are pushed to the devices through policies.	Android 13.0+ DO
Allow change Wi-Fi State	This setting enables the user to change the Wi-Fi state.	Android 13.0+ DO
Allow Wi-Fi Tethering	This setting enables the user to use Wi-Fi Tethering or portable hotspots from the device Settings.	Android 13.0+ DO
Allow VPN	The device can access a VPN. If this setting is disabled, the user cannot access the VPN configuration screen to establish a VPN session.	Android 5.0+ DO and 6.0+ PO
Allow Mobile Network configuration	If this setting is disabled, the user cannot modify Mobile network settings on the device. Note: Do not use this setting to enable or disable mobile data on the device.	Android 5.0+ DO
Allow data roaming	The device can use data roaming.	Android 7.0+ DO
Allow configuration of cell broadcasts	The user can modify cellular settings on the device.	Android 5.0+ DO
Allow network reset	The user can reset network settings on the device.	Android 6.0+ DO
Allow tethering	The device can connect (tether) to other devices through wifi, Bluetooth, or USB. If this setting is disabled, the device cannot connect to other devices through wifi, Bluetooth, or USB. Note: You can block third-party apps that allow tethering.	Android 5.0+ DO
Enable separate dialer for work profile	The device allows a separate dialer specifically for the work profile.	Android 7.0+ DO
Allow S-Beam	The device uses S Beam to share data through Wi-Fi Direct.	Samsung Knox with DO
Allow Wi-Fi Direct	The device can use Wi-Fi Direct.	Samsung Knox with DO, Android 13.0+ DO
Allow user to set mobile data limit	The user can set a limit on the amount of cellular data that is used on the device.	Samsung Knox with DO
Near Field Communication (NFC)	The device uses Near Field Communication (NFC) for short-range communications.	Samsung Knox with DO
Wifi timeout	The device times out when the device attempts to connect to a wifi network. Default: The device uses the default system setting. Never: The timeout setting is disabled on the device. Never when plugged in: The timeout setting is disabled when the device is connected to external hardware.	Samsung Knox with DO

Developer options

The following table describes the restrictions that developers can configure on an Android device:

Policy setting	Description	Supported devices
Allow background process limit	The user can set the number of processes that are running in the background. If this setting is disabled, the number of processes that run in the background is set at a maximum number.	Samsung Knox with DO
Allow killing activities on leave	The device can end all instances of an activity when the user logs out of the device. If this setting is disabled, the Don't Keep Activities setting is disabled on the device, and the user cannot enable the setting on the device.	Samsung Knox with DO
Allow Google crash report	The device can send the logs for a crash report to Google.	Samsung Knox with DO

Location sharing settings

Configure the following options to configure location sharing settings on Android devices:

Policy setting	Description	Supported devices
Location sharing mode	High Accuracy: The device uses all available resources for the most accurate location. Sensors Only: The location of the device is tracked through sensors. Battery Saving: The device location is not updated as often to save battery power on the device. None: Location sharing mode is disabled.	Android 5.0 to Android 8.0 (DO)
Enable location on device	Enables or disables the location services on the device. However, users can manually turn location services on or off from the Location settings on the device.	Android 11.0+ (DO)
Disallow Location Configuration	Prevents users from configuring location sharing information for their device. The default setting is disabled, or allows location sharing.	Android 9+ DO
Configure delegated apps	Allow delegation of enabling system apps: The MaaS360® for Android app grants access to enable system apps.	Android 8+ (DO and PO)

Configure Package Delegation

Configure apps that are allowed to delegate permissions such as enabling system apps and installing existing packages to other apps on the device.

Policy Setting	Description	Supported devices
Configure delegated apps	Configure apps that are allowed to grant permissions to specialized apps.	Android 8.0+ (PO and DO)
Allow delegation of app restriction	Grants access for restricting other apps. Enter comma-separated package IDs of specialized apps.	Android 8.0+ (PO and DO)
Allow Delegation Block Uninstall	Grant access for block removal of other apps. Enter comma-separated package IDs of specialized apps.	Android 8.0+ (PO and DO)
Allow Delegation Permission Grant	Grant access for managing permissions of other apps. Enter comma-separated package IDs of specialized apps.	Android 8.0+ (PO and DO)
Allow Delegation Package Access	Grant access for hiding or suspending other apps. Enter comma-separated package IDs of specialized apps.	Android 8.0+ (PO and DO)
Allow delegation of enabling system apps	Grant access to enable system apps. Enter comma-separated package IDs of specialized apps.	Android 8.0+ (PO and DO)
Allow delegation for installing existing packages	Grant access for installing packages that are installed in another user, or are kept after removal. Enter comma-separated package IDs of specialized apps.	Android 9.0+ (PO and DO)
Allow delegation of management of uninstalled packages	Grant access for keeping APKs of other apps on the device. Enter comma-separated package IDs of specialized apps.	Android 9.0+ (PO and DO)

Additional Settings

Add custom policy settings to configure restrictions that aren't built in to the MaaS360 portal. You can use these custom policies to control features and settings on managed Android Enterprise devices. For more information, see Configuring policy restrictions on Android devices.