Restrictions

The Restrictions settings restrict specific features, network settings, developer options, and location detection policies on Android devices.

Device features

The following table describes the restrictions that you can configure on a device:
Policy setting Description Supported devices
Allow camera If this setting is turned on, the device can use the camera. In addition to enabling this setting, enable the camera app in native app compliance. Android 5.0+ PO and DO
Allow camera on personal profile If this setting is turned on, MaaS360 allows the use of the camera on the personal profile of Work Profile on Corporate Owned (WPCO) devices.  
Mute master volume If this setting is turned on, the volume is muted at the device level and no sound through any audio connections. Android 5.0+ DO
Allow unmuting of microphone If this setting is turned on, MaaS360 grants access to the microphone. If this setting is turned off, the audio is transmitted through the microphone through the phone or any other applications that use this capability. Android 5.0+ DO
Allow volume adjustments If this setting is turned on, users can adjust the volume. If this setting is turned off, the device volume remains at the last set value. Android 5.0+ DO
Allow Bluetooth configuration If this setting is turned on, users can modify the Bluetooth settings and configurations. If this setting is turned off, MaaS360 locks down existing settings. Android 5.0+ DO
Allow outgoing beam If this setting is turned on, the device can send information externally with Near Field Communication (NFC). Android 5.1.1+ PO and DO
Allow sharing of locations If this setting is turned on, the apps are enabled to access the device's location information. Turn on this setting if you are configuring Wi-Fi policies, Trusteer policies, or Wi-Fi or Bluetooth settings within the kiosk. Location permission is required for identifying the list of configured networks, the presently connected network, and the discovery of other Bluetooth networks. Android 5.0+ PO and DO
Enable work contacts across profiles If this setting is turned on, users are allowed to access contacts in the work profile from across other profiles. Requires Google messages app to work with SMS. If this setting is turned off, users are restricted from accessing work contacts across multiple profiles. Android 7.0+ PO
Allow Bluetooth If this setting is turned on, the device can use Bluetooth. Android 8.0+ DO
Allow Bluetooth sharing The device cannot share data externally through Bluetooth. Android 8.0+ PO and DO
Allow backup service If this setting is turned on, MaaS360 allows backups by using embedded services. This setting does not impact the ability to backup data by using third-party content management applications. Android 8.0+ DO
Disable screen dim When this setting is turned on, the screen remains active until the device is locked. Enabling this setting makes sure that the MaaS360 app or kiosk launcher are not turned off because of timeouts. This setting does not apply to other native or third-party apps. Android 8.0+ DO
Allow audio recording If this setting is turned on, users can record audio on the device.
Note: Even after you disable this setting, the device microphone is still available so that the user can make calls and use audio streaming for VoIP.
Samsung Knox with DO
Allow SVoice If this setting is turned on, the user can use the SVoice app on the device. Samsung Knox with DO
Allow video recording If this setting is turned on, MaaS360 allows users to record video on the device. If this setting is turned off, the user can still take pictures with the camera. Samsung Knox with DO
Allow apps to manage certificates on Android TrustStore Determines which apps can install or list or remove certs to/in/from the TrustStore. Enter a comma-separated list of apps allowed to install/list/remove certificates to/in/from Android TrustStore. Samsung Knox with DO
Disallow Printing If this setting is turned off, printing is enabled from the device. Android 9.0+ (DO, PO)
Disable Date & Time Configuration If this setting is turned off, it allows users to manually set the date and time on the device. If disabled in Device Owner (DO) mode, MaaS360 disables the date, time, and time zone setting on the entire device. All users on the device are affected. Android 9.0+ (DO)
Disable Ambient Display If this setting is turned off, it allows users to use the Ambient Display feature that exhibits device notifications on the wake screen display. Android 9.0+ (DO)
Disable Brightness Configuration If this setting is turned off, it allows users to alter screen brightness settings. Android 9.0+ (DO)
Disallow Locale Configuration If this setting is turned off, it allows users to set the locale on the device. This can impact other features such as time and date. Android 9.0+ (DO)
Disallow System Error Dialogs If this setting is turned on, the device cannot display system errors for items like crashed apps or when processes stop working. Android 9.0+ (DO)
Disable Airplane Mode If this setting is turned on, disables Airplane mode on the entire device. Android 9.0+ (DO)

Network restrictions

The following table describes the network restrictions that you can configure on a device:
Policy setting Description Supported devices
Allow outgoing calls The device can make outgoing calls. (This setting does not impact emergency phone numbers). Android 5.0+ DO
Allow SMS The device can use SMS (send and receive text messages). (This setting does not impact the visibility of the SMS app on the device, just the functionality of sending and receiving messages). Android 5.0+ DO
Allow Wi-Fi If this setting is disabled, users are not allowed to change Wi-Fi access points through Settings. This restriction does not affect Wi-Fi tethering settings on the device.
Note: The Wi-Fi connection remains uninterrupted and stays connected to the previously associated network. While the Wi-Fi can be turned on or off, it is not possible to change the Wi-Fi access point.
Android 5.0+ DO
Allow or block Wi-Fi networks by SSID The admin can define a Wi-Fi SSID restriction policy that the network must satisfy to be eligible for a connection. You can use Add allowlist or Add blocklist to define the list of Wi-Fi networks to be allowed or blocked for a device. You can also set the value to No Restrictions on Wi-Fi SSIDs.
Note: Admin-configured networks are not exempt from this restriction.
Android 13.0+ DO
Allowed Wi-Fi networks/ Blocked Wi-Fi networks
Note: In Allow or block Wi-Fi networks by SSID, select Add allowlist, Add blocklist from the drop-down list to view this setting.
The admin can do the following actions.
  • Add allowlist
    Specify the list of Wi-Fi SSIDs to allow. The device can connect only to the specified Wi-Fi networks. The device cannot connect to any other networks.
  • Add blocklist
    Specify the list of Wi-Fi SSIDs to block. The device cannot connect to the Wi-Fi network in the blocklist, but can connect to other networks.
Android 13.0+ DO
Minimum Wi-Fi security level The admin can set the minimum Wi-Fi security levels that are required to connect to the Wi-Fi networks for the device. The device fails to connect to networks that do not meet the minimum security level. Make sure that you select a suitable level to avoid connectivity issues or else the device gets disconnected. The following values are available.
  • Open where there is no encryption nor authentication.
  • Personal such as WEP, WPA, WPA2-Personal, WPA3-Personal with a Pre-Shared Key.
  • Enterprise EAP for Enterprise Wi-Fi with 802.1X authentication using EAP.
  • Enterprise 192 for the highest security and WPA3-Enterprise with 192-bit encryption.
Android 13.0+ DO
Allow configuring Wi-Fi This setting enables the user to configure and add Wi-Fi networks. If this setting is disabled, the user cannot access Wi-Fi on the devices if no Wi-Fi SSIDs are pushed to the devices through policies. Android 13.0+ DO
Allow change Wi-Fi State This setting enables the user to change the Wi-Fi state. Android 13.0+ DO
Allow Wi-Fi Tethering This setting enables the user to use Wi-Fi Tethering or portable hotspots from the device Settings. Android 13.0+ DO
Allow VPN The device can access a VPN.

If this setting is disabled, the user cannot access the VPN configuration screen to establish a VPN session.

Android 5.0+ DO and 6.0+ PO
Allow Mobile Network configuration If this setting is disabled, the user cannot modify Mobile network settings on the device.
Note: Do not use this setting to enable or disable mobile data on the device.
Android 5.0+ DO
Allow data roaming The device can use data roaming. Android 7.0+ DO
Allow configuration of cell broadcasts The user can modify cellular settings on the device. Android 5.0+ DO
Allow network reset The user can reset network settings on the device. Android 6.0+ DO
Allow tethering The device can connect (tether) to other devices through wifi, Bluetooth, or USB.

If this setting is disabled, the device cannot connect to other devices through wifi, Bluetooth, or USB.

Note: You can block third-party apps that allow tethering.

Android 5.0+ DO
Enable separate dialer for work profile The device allows a separate dialer specifically for the work profile. Android 7.0+ DO
Allow S-Beam The device uses S Beam to share data through Wi-Fi Direct. Samsung Knox with DO
Allow Wi-Fi Direct The device can use Wi-Fi Direct. Samsung Knox with DO, Android 13.0+ DO
Allow user to set mobile data limit The user can set a limit on the amount of cellular data that is used on the device. Samsung Knox with DO
Near Field Communication (NFC) The device uses Near Field Communication (NFC) for short-range communications. Samsung Knox with DO
Wifi timeout The device times out when the device attempts to connect to a wifi network.
  • Default: The device uses the default system setting.
  • Never: The timeout setting is disabled on the device.
  • Never when plugged in: The timeout setting is disabled when the device is connected to external hardware.
Samsung Knox with DO

Developer options

The following table describes the restrictions that developers can configure on an Android device:
Policy setting Description Supported devices
Allow background process limit The user can set the number of processes that are running in the background.

If this setting is disabled, the number of processes that run in the background is set at a maximum number.

Samsung Knox with DO
Allow killing activities on leave The device can end all instances of an activity when the user logs out of the device.

If this setting is disabled, the Don't Keep Activities setting is disabled on the device, and the user cannot enable the setting on the device.

Samsung Knox with DO
Allow Google crash report The device can send the logs for a crash report to Google. Samsung Knox with DO

Location sharing settings

Configure the following options to configure location sharing settings on Android devices:
Policy setting Description Supported devices
Location sharing mode
  • High Accuracy: The device uses all available resources for the most accurate location.
  • Sensors Only: The location of the device is tracked through sensors.
  • Battery Saving: The device location is not updated as often to save battery power on the device.
  • None: Location sharing mode is disabled.
Android 5.0 to Android 8.0 (DO)
Enable location on device Enables or disables the location services on the device. However, users can manually turn location services on or off from the Location settings on the device. Android 11.0+ (DO)
Disallow Location Configuration Prevents users from configuring location sharing information for their device. The default setting is disabled, or allows location sharing. Android 9+ DO
Configure delegated apps Allow delegation of enabling system apps: The MaaS360® for Android app grants access to enable system apps. Android 8+ (DO and PO)

Configure Package Delegation

Configure apps that are allowed to delegate permissions such as enabling system apps and installing existing packages to other apps on the device.
Policy Setting Description Supported devices
Configure delegated apps Configure apps that are allowed to grant permissions to specialized apps. Android 8.0+ (PO and DO)
Allow delegation of app restriction Grants access for restricting other apps. Enter comma-separated package IDs of specialized apps. Android 8.0+ (PO and DO)
Allow Delegation Block Uninstall Grant access for block removal of other apps. Enter comma-separated package IDs of specialized apps. Android 8.0+ (PO and DO)
Allow Delegation Permission Grant Grant access for managing permissions of other apps. Enter comma-separated package IDs of specialized apps. Android 8.0+ (PO and DO)
Allow Delegation Package Access Grant access for hiding or suspending other apps. Enter comma-separated package IDs of specialized apps. Android 8.0+ (PO and DO)
Allow delegation of enabling system apps Grant access to enable system apps. Enter comma-separated package IDs of specialized apps. Android 8.0+ (PO and DO)
Allow delegation for installing existing packages Grant access for installing packages that are installed in another user, or are kept after removal. Enter comma-separated package IDs of specialized apps. Android 9.0+ (PO and DO)
Allow delegation of management of uninstalled packages Grant access for keeping APKs of other apps on the device. Enter comma-separated package IDs of specialized apps. Android 9.0+ (PO and DO)

Additional Settings

Add custom policy settings to configure restrictions that aren't built in to the MaaS360 portal. You can use these custom policies to control features and settings on managed Android Enterprise devices. For more information, see Configuring policy restrictions on Android devices.