Security
The Security settings provide device, app, data, and backup and restore settings for an Android device.
Device security settings
The following table describes the security settings that you can configure on a device:
Policy setting | Description | Supported devices |
---|---|---|
Configure Keyguard features | The keyguard functions are enabled by default if the device screen is locked. The following features are disabled if the keyguard functions are disabled: | Android 6.0+ (DO), Android 9.0+ (PO), and Android 11+ (WPCO) |
Allow remote input: The device allows external resources to input on the lock screen. If set to false, disables text entry in notifications on the lock screen. | Android 5.0+ (DO) and Android 9.0+ (PO) | |
Allow Fingerprint: A user can unlock the device with a biometric fingerprint. If set to false, disables the fingerprint sensor on the device. | Android 5.0+ (DO) and Android 9.0+ (PO) | |
Allow unredacted notifications: The device does not obscure notifications on the lock screen. | Android 5.0+ (DO) and Android 9.0+ (PO) | |
Allow trust agents: A trust agent is a service that notifies the system on whether the device is in a safe environment. For example: Google Smart Lock or Profiles Trust Provider. If this setting is disabled, the device ignores the trust agent state on the secure keyguard screens. | Android 5.0+ (DO) and Android 9.0+ (PO) | |
Allow secure camera: A user can use the camera on the device from the lock screen. If set to false, disables the camera on the lock screen. | Android 5.0+ (DO) and Android 11+ (WPCO) | |
Allow secure notifications: The device displays notifications on the lock screen. If this setting is disabled, all notifications are disabled on the lock screen. | Android 5.0+ (DO) and Android 11+ (WPCO) | |
Allow IRIS Recognition: The device allows IRIS authentication on the lock screen. | Android 9.0+ (PO and DO) | |
Allow Face Recognition: The device allows face authentication on the lock screen. | Android 9.0+ (PO and DO) | |
Allow Safe mode boot | The user can use the device in Safe mode. | Android Enterprise 6.0+ DO |
Allow factory reset | The device can be reset back to default factory settings. | Android Enterprise 5.0+ DO |
Allow configuration of credentials | The user can configure stored credentials on the device. | Android Enterprise 5.0+ DO |
Allow user profile creation | The user can create a user profile on the device. This setting does not affect the user profile that is provisioned during the setup process for Android Enterprise. | Android Enterprise 5.0+ DO |
Allow removal of user profile | The user can remove user profiles from the device. | Android Enterprise 5.0+ DO |
Allow modification of accounts | The user can modify accounts such as Google or Google Play accounts on the device. | Android Enterprise 5.0+ DO |
Enable Enterprise Security Logging | The device uses advanced logging to track preboot security logs. Note: Enabling this setting might impact performance and battery life on the device. Use this setting to capture the required data from the device and then disable the setting to preserve the device's battery life. | Android Enterprise 7.0+ DO |
Allow lock down of wallpaper | The administrator can lock the wallpaper setting to prevent a device user from changing the wallpaper on the device. | Android Enterprise 7.0+ DO |
Allow lock down of customer user icon | The administrator can lock the custom icon to prevent a device user from changing the icon on the device. | Android Enterprise 7.0+ DO |
Custom message if a setting is disabled | A message is displayed to a user if the user tries to change a setting that is disabled. The first field of the message displays the localized language and the second field displays the custom message. | Android Enterprise 7.0+ PO and DO |
Custom lock screen message | The custom message that is displayed on the device lock screen. The first field of the message displays the localized language and the second field displays the custom message. | Android Enterprise 7.0+ DO |
Enable device attestation | The health of the device is checked every 24 hours. If a device fails attestation, the device is reported as out of compliance. | Android Enterprise 5.0+ DO (requires MaaS360 App 5.85+) |
Enforce network date and time | The user cannot manually set the date and time on the device. | Android Enterprise 5.0+ DO |
Enable factory reset protection | When this setting is turned on, Factory Reset Protection requires the Android device user to sign in with a Google Account that was previously set up for the device. This means that if a device is lost or stolen, an unauthorized person cannot unlock and use the device after the factory reset. Authorized accounts to override - The comma-separated list of Google user IDs that are authorized to override the Google Account verification after the factory reset. For more information on Factory Reset Protection, see Bypassing Factory Reset Protection in MaaS360. | Android Enterprise 8.0+ DO |
Allow settings changes | The user can update the settings on the device. | Samsung Knox with DO |
Enable power saving mode | The user can toggle between power saving modes. | Samsung Knox with DO |
Enable Samsung device attestation | The health of the device is checked every 24 hours. If a device fails the health check, the device is reported as out of compliance. | Samsung Knox with DO |
Restrict rooted devices | The user cannot access secure content on the device if the device is rooted (Android term for a jailbroken device or a device that is compromised). | Android Enterprise 5.0+ DO |
Custom Long Support Message | The custom long message that is displayed on the device in the following path: . Note: This setting requires the MaaS360 for Android app 6.80 and later. | Android 7.0+ (PO and DO) |
App security settings
The following table describes the application settings that you can configure on a device:
Policy setting | Description | Supported devices |
---|---|---|
Allow installation of apps | The device allows apps to be installed on the device. | Android 5.0+ PO and DO |
Allow installation of non-Google Play applications | The device allows apps that are not Google Play apps to be installed on the device. To install apps that are not Google Play apps on the device, make sure that this setting is also enabled on the device. | Android 5.0+ PO and DO |
Enforce app verification before install | The device enforces app verification before the app is installed on the device. You can enable this setting in the policy or the user can enable this setting on the device. | Android 5.0+ PO and DO |
Allow uninstallation of apps | The user can uninstall apps from the device. | Android 5.0+ PO and DO |
Allow apps control | The user can modify apps from the app settings or from the launch screen on the device. | Android 5.0+ PO and DO |
Allow device wide installation from unknown sources | The device allows app installations from sources other than Google Play. If this setting is disabled, When this setting is disabled, Note: This policy only affects future app installations. The apps that are already installed through unknown sources remain on the device. Device users can still install apps into the personal profile by using the Android Debug Bridge (ADB) at https://www.ibm.com/links?url=https%3A%2F%2Fdeveloper.android.com%2Fstudio%2Fcommand-line%2Fadb. | Android 9.0+ PO |
Default runtime app permissions | The method that the device uses to handle permission requests from apps: | Android 6.0+ PO and DO |
Configure runtime app permissions | The administrator configures how a runtime permission request is handled for a specific app. The first field displays the app ID, followed by the specific runtime permission, and the state: default, allow, or deny. | Android 6.0+ PO and DO |
Allow system apps to be stopped | The user can force apps to quit on the device. Disabling this setting in the policy prevents the user from forcing apps to quit. | Samsung Knox with DO |
Allow widgets | The device can use widgets for apps on the device. | Samsung Knox with DO |
Allow notifications | The device can receive notifications from an app on the device. | Samsung Knox with DO |
Developer options
Policy setting | Description | Supported devices |
---|---|---|
Allow USB file transfer | The user can use a USB device to transfer files between devices. | Android 5.0+ DO |
Allow USB debugging | The user can use a USB tethered program to debug the device. | Android 5.0+ PO and DO |
Allow mounting of physical media | The user can tether the device to a PC. | Android 5.0+ DO |
Allow create windows | The user can create any app windows on the device. | Android 5.0+ DO |
Data security settings
The following table describes the data settings that you can configure on a device:
Policy setting | Description | Supported devices |
---|---|---|
Allow screen capture | The device allows screen captures from the device. | Android 5.0+ PO and DO |
Enable preferred app intent filter | The app intent filters that are defined by the administrator for a specific app. (An intent filter is an expression in the app's manifest file that specifies the type of intents that a component wants to receive.) Provide the following information for the intent filter: | Android 5.0+ PO and DO |
Allow input method restriction level | The interface that a user uses to enter data on a device. For example, a keyboard. The following options are available: | Android 5.0+ PO and DO |
Allow accessibility services restriction level | The interface enhancements on the device that assist users with disabilities. The following options are available: | Android 5.0+ PO and DO |
Allow clipboard | The user can copy and paste content from an app on the device to a clipboard. | Samsung Knox with DO |
Allow clipboard sharing between apps | The user can copy and paste content from an app on the device to a clipboard and share that content with other apps on the device. If you disable this setting in the policy, content cannot be shared between apps. Each app uses a separate clipboard. | Samsung Knox with DO |
Allow share list | The device allows apps to share data with other apps on the device. If you disable this setting in the policy, the Share through list setting is unavailable on the device. | Samsung Knox with DO |
Work Profile settings
Policy setting | Description | Supported devices |
---|---|---|
Allow clipboard sharing between apps | The user can copy and paste content from an app on the device to a clipboard and share that content with other apps on the device. If you disable this setting in the policy, content cannot be shared between apps. Each app uses a separate clipboard. | Android 5.0+ PO |
Enable Work Profile intent filters from Personal Profile | The user can use intents from a personal profile to a work profile (non-work to work data sharing). The administrator must define the intent actions that are allowed for use. | Android 5.0+ PO |
Enable Personal Profile intent filters from Work Profile | The user can use intents from a work profile to a personal profile (work to non-work data sharing). The administrator must define the intent actions that are allowed for use. | Android 5.0+ PO |
Allow Work Profile widgets | The comma-separated app IDs for the work profile apps that can use widgets on the device's home screen. | Android 5.0+ PO |
Allow Bluetooth contact sharing | The work profile can use Bluetooth to share contacts. | Android 6.0+ PO |
Allow cross profile caller ID | The dialer on the device that can access work profile contacts to use for caller ID on incoming and outgoing phone calls. | Android 6.0+ PO |
Allow web links to apps of the parent | The user can launch apps in the work profile from web links. | Android 5.0+ PO |
Custom message if Work profile is removed by the admin | The notification message that is displayed when a wipe action is issued to a device. If you have devices that use multiple locales, you must create a custom message for the corresponding locales. Note: The locale-specific text that is created by the administrator must match the locale on the device for the notification to be delivered to the device. | Android 9.0+ PO |
Allow work events on personal calendar | The personal calendar on the device can display events from selected work apps. | Android 10+ PO |
Allow cross-profile apps | Apps can now communicate across different profiles. In previous releases, the Google Chrome app in the personal profile could not communicate with the Google Chrome app in the work profile. Prerequisites: | Android 11+ PO |
Set maximum number of days a work profile can remain off |
Advanced settings
Policy setting | Description | Supported devices |
---|---|---|
Configure global settings | A list of global settings that affect the device and the device users. These settings correspond to the settings preferences that a user can modify from the system user interface. | Android 5.0+ DO |
Configure global proxy | The type of proxy that is used by the device to access the corporate network: manual or automatic. Provide the following information for the proxy: | Android 5.0+ DO |