Security

The Security settings provide device, app, data, and backup and restore settings for an Android device.

Device security settings

The following table describes the security settings that you can configure on a device:

| Policy setting | Description | Supported devices |
| --- | --- | --- |
| Configure Keyguard features | The keyguard functions are enabled by default if the device screen is locked. The following features are disabled if the keyguard functions are disabled: | Android 6.0+ (DO), Android 9.0+ (PO), and Android 11+ (WPCO) |
| | Allow remote input: The device allows external resources to input on the lock screen. If set to false, disables text entry in notifications on the lock screen. | Android 5.0+ (DO) and Android 9.0+ (PO) |
| | Allow Fingerprint: A user can unlock the device with a biometric fingerprint. If set to false, disables the fingerprint sensor on the device. | Android 5.0+ (DO) and Android 9.0+ (PO) |
| | Allow unredacted notifications: The device does not obscure notifications on the lock screen. | Android 5.0+ (DO) and Android 9.0+ (PO) |
| | Allow trust agents: A trust agent is a service that notifies the system on whether the device is in a safe environment. For example: Google Smart Lock or Profiles Trust Provider. If this setting is disabled, the device ignores the trust agent state on the secure keyguard screens. | Android 5.0+ (DO) and Android 9.0+ (PO) |
| | Allow secure camera: A user can use the camera on the device from the lock screen. If set to false, disables the camera on the lock screen. | Android 5.0+ (DO) and Android 11+ (WPCO) |
| | Allow secure notifications: The device displays notifications on the lock screen. If this setting is disabled, all notifications are disabled on the lock screen. | Android 5.0+ (DO) and Android 11+ (WPCO) |
| | Allow IRIS Recognition: The device allows IRIS authentication on the lock screen. | Android 9.0+ (PO and DO) |
| | Allow Face Recognition: The device allows face authentication on the lock screen. | Android 9.0+ (PO and DO) |
| Allow Safe mode boot | The user can use the device in Safe mode. | Android Enterprise 6.0+ DO |
| Allow factory reset | The device can be reset back to default factory settings. | Android Enterprise 5.0+ DO |
| Allow configuration of credentials | The user can configure stored credentials on the device. | Android Enterprise 5.0+ DO |
| Allow user profile creation | The user can create a user profile on the device. This setting does not affect the user profile that is provisioned during the setup process for Android Enterprise. | Android Enterprise 5.0+ DO |
| Allow removal of user profile | The user can remove user profiles from the device. | Android Enterprise 5.0+ DO |
| Allow modification of accounts | The user can modify accounts such as Google or Google Play accounts on the device. | Android Enterprise 5.0+ DO |
| Enable Enterprise Security Logging | The device uses advanced logging to track preboot security logs. Note: Enabling this setting might impact performance and battery life on the device. Use this setting to capture the required data from the device and then disable the setting to preserve the device's battery life. | Android Enterprise 7.0+ DO |
| Allow lock down of wallpaper | The administrator can lock the wallpaper setting to prevent a device user from changing the wallpaper on the device. | Android Enterprise 7.0+ DO |
| Allow lock down of custom user icon | The administrator can lock the custom icon to prevent a device user from changing the icon on the device. | Android Enterprise 7.0+ DO |
| Custom message if a setting is disabled | A message is displayed to a user if the user tries to change a setting that is disabled. The first field of the message displays the localized language and the second field displays the custom message. | Android Enterprise 7.0+ PO and DO |
| Custom lock screen message | The custom message that is displayed on the device lock screen. The first field of the message displays the localized language and the second field displays the custom message. | Android Enterprise 7.0+ DO |
| Enable device attestation | The health of the device is checked every 24 hours. If a device fails attestation, the device is reported as out of compliance. | Android Enterprise 5.0+ DO (requires MaaS360 App 5.85+) |
| Enforce network date and time | The user cannot manually set the date and time on the device. | Android Enterprise 5.0+ DO |
| Enable factory reset protection | When this setting is turned on, Factory Reset Protection requires the Android device user to sign in with a Google Account that was previously set up for the device. This means that if a device is lost or stolen, an unauthorized person cannot unlock and use the device after the factory reset. Authorized accounts to override: The comma-separated list of Google user IDs that are authorized to override the Google Account verification after the factory reset. For more information on Factory Reset Protection, see Bypassing Factory Reset Protection in MaaS360. | Android Enterprise 8.0+ DO |
| Allow settings changes | The user can update the settings on the device. | Samsung Knox with DO |
| Enable power saving mode | The user can toggle between power saving modes. | Samsung Knox with DO |
| Enable Samsung device attestation | The health of the device is checked every 24 hours. If a device fails the health check, the device is reported as out of compliance. | Samsung Knox with DO |
| Restrict rooted devices | The user cannot access secure content on the device if the device is rooted (Android term for a jailbroken device or a device that is compromised). | Android Enterprise 5.0+ DO |
| Custom Long Support Message | The custom long message that is displayed on the device in the following path: Settings > Device Administrators > MaaS360. Note: This setting requires the MaaS360 for Android app 6.80 and later. | Android 7.0+ (PO and DO) |

App security settings

The following table describes the application settings that you can configure on a device:

| Policy setting | Description | Supported devices |
| --- | --- | --- |
| Allow installation of apps | The device allows apps to be installed on the device. | Android 5.0+ PO and DO |
| Allow installation of non-Google Play applications | The device allows apps that are not Google Play apps to be installed on the device. To install apps that are not Google Play apps on the device, make sure that this setting is also enabled on the device. | Android 5.0+ PO and DO |
| Enforce app verification before install | The device enforces app verification before the app is installed on the device. You can enable this setting in the policy or the user can enable this setting on the device. | Android 5.0+ PO and DO |
| Allow uninstallation of apps | The user can uninstall apps from the device. | Android 5.0+ PO and DO |
| Allow apps control | The user can modify apps from the app settings or from the launch screen on the device. | Android 5.0+ PO and DO |
| Allow device wide installation from unknown sources | The device allows app installations from sources other than Google Play. When this setting is disabled: • App installations through sources other than Google Play are blocked on the device both in the personal and work profiles. • This setting takes precedence over Allow Installation of Non-Google Play Applications and Enforce App Verification. This means that when this policy is disabled, MaaS360 does not allow the installation of Non-Google Play applications and enforces app verification, even at the profile level. Note: This policy only affects future app installations. The apps that are already installed through unknown sources remain on the device. Device users can still install apps into the personal profile by using the Android Debug Bridge (ADB) at https://www.ibm.com/links?url=https%3A%2F%2Fdeveloper.android.com%2Fstudio%2Fcommand-line%2Fadb. | Android 9.0+ PO |
| Default runtime app permissions | The method that the device uses to handle permission requests from apps: • Prompt the user for permissions • Always allow • Always deny | Android 6.0+ PO and DO |
| Configure runtime app permissions | The administrator configures how a runtime permission request is handled for a specific app. The first field displays the app ID, followed by the specific runtime permission, and the state: default, allow, or deny. | Android 6.0+ PO and DO |
| Allow system apps to be stopped | The user can force apps to quit on the device. Disabling this setting in the policy prevents the user from forcing apps to quit. | Samsung Knox with DO |
| Allow widgets | The device can use widgets for apps on the device. | Samsung Knox with DO |
| Allow notifications | The device can receive notifications from an app on the device. | Samsung Knox with DO |

Developer options

The following table describes the settings that developers can configure on a device:

| Policy setting | Description | Supported devices |
| --- | --- | --- |
| Allow USB file transfer | The user can use a USB device to transfer files between devices. | Android 5.0+ DO |
| Allow USB debugging | The user can use a USB tethered program to debug the device. | Android 5.0+ PO and DO |
| Allow mounting of physical media | The user can tether the device to a PC. | Android 5.0+ DO |
| Allow create windows | The user can create any app windows on the device. | Android 5.0+ DO |

Data security settings

The following table describes the data settings that you can configure on a device:

| Policy setting | Description | Supported devices |
| --- | --- | --- |
| Allow screen capture | The device allows screen captures from the device. | Android 5.0+ PO and DO |
| Enable preferred app intent filter | The app intent filters that are defined by the administrator for a specific app. (An intent filter is an expression in the app's manifest file that specifies the type of intents that a component wants to receive.) Provide the following information for the intent filter: • App ID • Intent filter activity • Intent action • Intent category • MIME type | Android 5.0+ PO and DO |
| Allow input method restriction level | The interface that a user uses to enter data on a device. For example, a keyboard. The following options are available: • No restrictions: All input methods are allowed on the device. • System only: The user can only use the system keyboard on the device. • Allow 3rd party apps: The user can use third-party input methods on the device. | Android 5.0+ PO and DO |
| Allow accessibility services restriction level | The interface enhancements on the device that assist users with disabilities. The following options are available: • No restrictions: Any app sets the accessibility services on the device. • System apps only: The device only uses system accessibility services from an app. • 3rd party apps: The device can use third-party accessibility services. | Android 5.0+ PO and DO |
| Allow clipboard | The user can copy and paste content from an app on the device to a clipboard. | Samsung Knox with DO |
| Allow clipboard sharing between apps | The user can copy and paste content from an app on the device to a clipboard and share that content with other apps on the device. If you disable this setting in the policy, content cannot be shared between apps. Each app uses a separate clipboard. | Samsung Knox with DO |
| Allow share list | The device allows apps to share data with other apps on the device. If you disable this setting in the policy, the Share through list setting is unavailable on the device. | Samsung Knox with DO |

Work Profile settings

The following table describes the work profile settings that you can configure on a device:

| Policy setting | Description | Supported devices |
| --- | --- | --- |
| Allow clipboard sharing between apps | The user can copy and paste content from an app on the device to a clipboard and share that content with other apps on the device. If you disable this setting in the policy, content cannot be shared between apps. Each app uses a separate clipboard. | Android 5.0+ PO |
| Enable Work Profile intent filters from Personal Profile | The user can use intents from a personal profile to a work profile (non-work to work data sharing). The administrator must define the intent actions that are allowed for use. | Android 5.0+ PO |
| Enable Personal Profile intent filters from Work Profile | The user can use intents from a work profile to a personal profile (work to non-work data sharing). The administrator must define the intent actions that are allowed for use. | Android 5.0+ PO |
| Allow Work Profile widgets | The comma-separated app IDs for the work profile apps that can use widgets on the device's home screen. | Android 5.0+ PO |
| Allow Bluetooth contact sharing | The work profile can use Bluetooth to share contacts. | Android 6.0+ PO |
| Allow cross profile caller ID | The dialer on the device that can access work profile contacts to use for caller ID on incoming and outgoing phone calls. | Android 6.0+ PO |
| Allow web links to apps of the parent | The user can launch apps in the work profile from web links. | Android 5.0+ PO |
| Custom message if Work profile is removed by the admin | The notification message that is displayed when a wipe action is issued to a device. If you have devices that use multiple locales, you must create a custom message for the corresponding locales. Note: The locale-specific text that is created by the administrator must match the locale on the device for the notification to be delivered to the device. | Android 9.0+ PO |
| Allow work events on personal calendar | The personal calendar on the device can display events from selected work apps. | Android 10+ PO |
| Allow cross-profile apps | Apps can now communicate across different profiles. In previous releases, the Google Chrome app in the personal profile could not communicate with the Google Chrome app in the work profile. Prerequisites: • Apps must support cross-profile communication. • The same instance of the allowed app must be present in both the personal and work profiles. | Android 11+ PO |
| Set maximum number of days a work profile can remain off | | |

Advanced settings

| Policy setting | Description | Supported devices |
| --- | --- | --- |
| Configure global settings | A list of global settings that affect the device and the device users. These settings correspond to the settings preferences that a user can modify from the system user interface. | Android 5.0+ DO |
| Configure global proxy | The type of proxy that is used by the device to access the corporate network: manual or automatic. Provide the following information for the proxy: • Proxy server address • Port • Exclusion list (if applicable) | Android 5.0+ DO |