Best Practice EMM Profile

Example configuration of an EMM profile

Last adaptation to the version: 1.28 (07.2024)

New:

Changed menu navigation
Updated option for restrictions: Tethering settings (v1.27)
Updated option for restrictions: WLAN configuration (v1.27)

notempty

This article refers to a Beta version

Preamble

In a profile permissions, restrictions, password requirements, email settings and security settings are configured.
Several users or user groups (roles) can be assigned to a profile.
Several devices or device groups (devices designated by tags) can be assigned to a profile.

notempty

For a large number of devices and users it is recommended to map the assignment via groups.

Device registration is directly tied to a profile
A profile must be created first' (and configured) before a device can be registered

In Android Enterprise profiles, numerous security-relevant settings can be made, e.g.

Disable Kamara
Disable microphone
Disable USB file transfer
Disable outgoing calls
Disable Bluetooth
Disable contact sharing
Disable tethering
Disable sms
Enable network only with VPN
and much more.

notempty

Android Enterprise Profiles are used immediately and do not need to be published!

Outdated Android profiles behave fundamentally different than Android Enterprise Profiles (EMM)
It is no longer possible to assign a profile to a role, user or tag

Overview of profile management

In the profile overview new profiles can be created, existing ones can be edited and deleted. The view of the profiles can be displayed in the list or tile view. You can also view details of existing profiles, update the list of profiles, and publish profiles.

Overview of profile management iOS

Overview of profile management Android

General Options

Name

Sorts the tiles by profile name

Priority

Sorts the tiles according to the priority of the profile

Ascending

Sorts the tiles in ascending or descending order according to the selected criterion

Search

Filters on profile tiles that contain the search text

Add profile

Creates a new profile. The settings in the profile vary depending on the operating system.

Import profile

Existing profiles that were previously exported from the Securepoint Mobile Security Portal can be imported here

Hide generated profiles

Hides the generated profiles

Show details

Show / hide details: For a large number of profiles, it can be useful to hide the most important details for clarity.

/ List view / Grid view

Switch between lists and grid view

Refresh

Refreshes the display

Profile tile

Profile-Options

The button at the top right of each profile tile provides the following options:

Edit

Editing the settings (see below)

Copy

Copying the profile to the clipboard

Export

Exporting the settings

Delete

The profile is deleted

notempty

New as of: 2.5

Android Profile, die mind. ein zugewiesenes Gerät haben, können nicht gelöscht werden.

Details displayed in the profile tile:

Updated

Changes have been made to the profile that have not yet been published!

Partially installed

Not all sub profiles were able to be installed

Profile information

Type

Profile type (see below)

Roles

Users

User

Devices

Copy & paste of profiles

Click on the logo of the profile tile to mark one or more profiles In the general options, another field now appears under the filter mask:

Action for selected items

Please choose

Execute the selected action with Ok

Copy

Copies one or more selected profiles to the clipboard

Delete

Deletes one or more selected profiles

notempty

New as of: 2.5

Android Profile, die mind. ein zugewiesenes Gerät haben, können nicht gelöscht werden.

Paste

Inserts a copy of a profile from the clipboard

This also works from one tenant / customer to another as long as they are assigned to the same reseller account

Android Enterprise Profile

General

Caption

Value

Description

General Settings

Name

Displays or enter the profile name

Devices

Add devices

For existing profiles: if available, display of the assigned devices

Save

Basic settings

notempty

The settings shown here are examples that provide a most comprehensive basic protection. Adjustment to local requirements must be carried out!

Caption

Value

Description

Basic settings

Maximum time to lock

120

This setting allows you to limit the maximum screen lock time that can be selected.
The default setting is 10 minutes. (=600 sec.).

Only values that are below 600 seconds are realised.

Input in seconds.

Encryption

Enable with password

Requires a password before starting the device to override encryption.

Encryption takes place at the file system level and prevents data from being read when physically accessing a locked device (turned off or not booted yet). It prevents 'not reading data from an unlocked device. Activating this option also deactivates the possibility to restart the device in "safe mode". In addition, a pin or password with the option "Safe start" is required as display lock. This means that the pin or password must be entered before the device is started. This means that no calls, messages or notifications (including wake-up calls) can be received before the device is unlocked and started.

Stay on plugged modes

Ignore Select modes

The battery charge mode should have no effect on whether the device remains switched on.

Sustained preferred activities

Sustained preferred activities

Add activity

Opens the section for setting the default intent handler activities

Receiver activity

Enter the activity that should be the default intent handler. Either the Android component name (com.android.enterprise.app/.MainActivity) or the app package name.

Android device policy selects an appropriate activity from the app.

Actions

Add action

Select the intentional actions to be matched in the filter. If no action is selected, the intentional action will be ignored.

Restrictions

Caption

Value

Description

Restrictions within an Enterprise Profile

Support Messages

Short support message

Deactivated by the IT department of ttt-Point AG

A message that is displayed to the user on the settings screen when the functionality has been disabled by the administrator. The maximum message length is 4096 characters.

Long support message

Deactivated by the IT department of ttt-Point AG due to general security precautions. If you have any questions, please contact Support at: +49 4131-2401-0

A message displayed to the user. The maximum message length is 4096 characters. See figure above.

Permitted input methods

Add package name

If available, only the input methods provided by packages in this list are allowed. If this field exists, but the list is empty, only system input methods are allowed.

Approved input support services

Add package name

Specifies the allowed input accessibility services. If the field is not set, any input accessibility service can be used. When the field is set, only the input assistance services included in this list and the input assistance services integrated in the system can be used. In particular, if the field is empty, only the system's built-in input accessibility services can be used.

Accounts to unlock after factory reset

it-intern@anyideas.de

Factory Reset Protection (FRP). Email addresses of device administrators to protect against resetting to factory defaults. When the device is reset to factory defaults, one of these administrators must log in with the Google Account email address and password to unlock the device.

If no administrators are specified, the device provides no protection against resetting to factory defaults.

Location mode

Unspecified

Unspecified	The current device value is not changed. The user can change the value unless the user cannot access device settings.
User choice	The location setting is not restricted on the device. No specific behavior is set or enforced.
Forced	Activates the location setting on the device
Disabled	Disables the location setting on the device

Disable screen capture

In order to provide data protection, it should not be possible to take screenshots. This also includes blocking screen sharing applications and similar applications (e.g. Google Assistant) that use the system's screenshot functions.

Disable camera

The camera should be deactivated by default.

Account types with management disabled

Account types that cannot be managed by the user

Disable adding users

Shows whether adding new users and profiles is disabled

Disable the volume setting

Shows whether adjusting the main volume is disabled

Deactivate factory reset

The reset to factory settings should be deactivated.

Disable mounting physical media

The mounting of external physical media by the user is to be deactivated.

Disable modifying accounts

Add or remove accounts should be disabled.notempty

If this item is not enabled, the user can create another Google Account, log into the Playstore and install any software.

Deactivate key lock

Indicates whether the key lock is deactivated

Disable Bluetooth contact sharing

No contact data should leave the device via Bluetooth.

Disable Bluetooth configuration

The Bluetooth configuration should be deactivated.

Disable cell broadcast configuration

The configuration of Cell Broadcast should be disabled.

Disable credentials configuration

The configuration of user credentials should be disabled. notempty

If disabled, certificates can no longer be installed. If these security settings are to be used, it is recommended to deactivate the configuration of the login credentials only after the security settings have been implemented on all devices.

Disable mobile network configuration

The configuration of mobile radio networks should be disabled.

Disable VPN configuration

The configuration of VPN should be disabled.

Disable airplane mode

Disabled

Controls the current status of flight mode and indicates whether the user can turn it on or off. notempty

Available from Android 9 or higher

Whether deactivation is necessary depends on local requirements.

Unspecified	The current device value is not modified. The user can enable or disable the flight mode.
User choice	The user can enable or disable the flight mode.
Disabled	The flight mode is deactivated. The user is not allowed to activate the flight mode.

Disable creating windows

Specifies whether creating windows next to app windows is disabled.

Disable resetting network settings

Indicates whether network settings reset is disabled.

Disable sending via NFC

The use of NFC to transfer data from apps should be disabled.

Disable outgoing calls

Indicates whether outgoing calls are disabled.

Disable the removal of users

Shows whether the removal of other users is disabled.

Disable location sharing

Indicates whether location sharing is disabled.

Disable SMS

Shows whether sending and receiving SMS messages is disabled.

Prevent microphone from being switched on

Shows whether the microphone is muted and the microphone volume cannot be adjusted.

USB data access notempty

New as of:1.24

Allow all

Controls what files and/or data can be transferred via USB. notempty

Does not impact charging functions.

notempty

Supported only on company-owned devices.

Unspecified	Unspecified. Defaults to "Disallow file transfer"
Allow all	All types of USB data transfers are allowed.
Disallow file transfer	Transferring files over USB is disallowed. Other types of USB data connections, such as mouse and keyboard connection, are allowed.
Disallow all data transfer	When set, all types of USB data transfers are prohibited. Supported for devices running Android 12 or above with USB HAL 1.3 or above.

Tethering settings notempty

Updated

Unspecified

The configuration of tethering (e.g. WLAN tethering or Bluetooth tethering) can be restricted.

Unspecified	Corresponds to the setting Allow everything If this value has not yet been set to active, the value from the outdated setting tetheringConfigDisabled is transferred to the new field TetheringSettings. Whose default value is false. Carefull: Double negation: »Deactivation of setting = false« means: Setting permitted. The new field displays Not specified if the value in the original field has never been set (i.e. is still in the default state). If the original value was set to tetheringConfigDisabled == true, the new field TetheringSettings receives the value DISALLOW_ALL_TETHERING
Allow all	All forms of thethering are permitted
Prohibit WLAN thethering	All forms of thethering, with the exception of WLAN tethering, are permitted
Prohibit tethering	All forms of thethering are prohibited

Configure WLAN notempty

Updated

Unspecified

Configuration of WLAN networks by users

Unspecified	Corresponds to the setting Allow everything If this value has not yet been set to active, the value from the obsolete setting wifiConfigDisabled is transferred to the new field ConfigureWifi. Whose default value wasfalse. Carefull: Double negation: »Deactivation of setting = false« means: Setting permitted. The new field displays Not specified if the value in the original field has never been set (i.e. is still in the default state). If the original value was set to wifiConfigDisabled == true, the new field ConfigureWifi receives the value DISALLOW_CONFIGURING_WIFI
Allow all	The WLAN configuration is fully authorised
Prohibit adding WLAN configuration	Adding new WLAN configurations is not permitted; you can only switch between networks that have already been configured
Do not allow WLAN configuration	Prevents the configuration of WLANs

Disable setting user icon

Indicates whether changing the user icon is disabled.

Disable the background settings

Shows whether changing the background image is disabled.

Disable roaming

Indicates whether roaming data services are disabled.

Disable the Network Escape Hatch

Indicates whether the Network Escape Hatch is enabled.

If a network connection cannot be established at boot time, the Escape Hatch prompts the user to temporarily connect to a network to update the device policy. After applying the policy, the temporary network is forgotten and the device continues booting. This prevents not being able to connect to a network if there is no suitable network in the last policy and the device launches an app in task lock mode or the user cannot otherwise reach the device settings.

Disable Bluetooth

Shows whether Bluetooth is disabled. This setting is preferable to Bluetooth Configuration because Bluetooth Configuration can be bypassed by the user.

Disable easter eggs

Whether the user is allowed to have fun. Controls whether the easter egg game is disabled in the settings.

Automatic date & time zone

Unspecified

Indicates whether automatic date, time, and time zone are enabled on a company-owned device.

Unspecified	This value is ignored. By default, the user's choice is used.
User choice	The automatic date, time and time zone are left to the user's choice.
Force automatically	Force the automatic date, time and time zone on the device.

Activate the custom kiosk launcher

Indicates whether the custom kiosk launcher is enabled.

This replaces the home screen with a launcher that locks the device to the apps installed via the application setting. The apps are displayed on a single page in alphabetical order. It is recommended to disable the status bar to block access to the device settings.

Skip hints on first user

Flag to skip first time use hints. The company administrator can enable the system recommendation for apps to skip the user tutorial and other introductory notes on first launch.

Enable private key selection

Allows the user interface to be displayed on a device so that a user can select a private key alias if there are no matching rules in ChoosePrivateKeyRules. For Android P devices, this setting can attack company keys.

Disable keyguard

Camera Ignore trust agents Remote input

Functions that are not available to the user in the lock screen.

System Update

Activate the status message

After you have activated this, you can set the system update configuration.

Update type

Unspecified

The type of system update to configure.

Unspecified	Follow the default update behavior for the device that normally requires the user to accept system updates.
Automatic	Automatically install when an update is available.
In window	Automatic installation within a daily maintenance window. This also configures Play apps to be updated within the window. This is highly recommended for kiosk devices, as it is the only way that apps that remain permanently in the foreground can be updated by Play.
Delay	Delay the automatic installation for a maximum of 30 days.

Start
Only with update type in window

0

If the type is windowed, the start of the maintenance window, measured as the number of minutes after midnight in the device's local time. This value must be between 0 and 1439, inclusive.

End
Only with update type in window

0

If the type is WINDOWED, the end of the maintenance window, measured as the number of minutes after midnight in device's local time. This value must be between 0 and 1439, inclusive. If this value is less than start_minutes, then the maintenance window spans midnight. If the maintenance window specified is smaller than 30 minutes, the actual window is extended to 30 minutes beyond the start time.

Freeze periods

Add period

An annually recurring period of time when over-the-air (OTA) system updates are pushed to freeze the operating system version running on a device. To prevent the device from freezing indefinitely, each freeze period must be at least 60 days apart.

Start

Start of the period

End

End of period

Rules for private keys

Add rule

Rules for automatically selecting a private key and certificate to authenticate the device to a server. The rules are ordered by priority. Thus, if an outgoing request matches more than one rule, the last rule defines which private key to use.

URL-pattern

The URL pattern to match with the URL of the outgoing request. The pattern may contain wildcards with asterisks (*). Any URL matches if it is not specified.

Package names

Paketnamen hinzufügen

The package names for which outgoing requests are subject to this rule. If no package names are specified, the rule applies to all packages. For each listed package name, the rule applies to that package and all other packages that used the same Android UID. The SHA256 hash of the signature key signatures of each package name is compared to those provided by Play.

Alias for private key

Alias

Der Alias des zu verwendenden privaten Schlüssels.

Untrusted apps policy

Unspecified

The policy for untrusted apps (apps from unknown sources) enforced on the device.

Unspecified	Not specified. Not allowed by default.
Allow only in personal profiles	For devices with work profiles, allow untrusted app installs in the device's personal profile only.
Do not allow	Default. Prohibit untrusted app installations on the entire device.
Allow	Allow untrusted app installations on the entire device.

Force app verification through 'Google Play Protect'

Unspecified

Specifies whether app verification is enforced by 'Google Play Protect'.

Unspecified	Unspecified. Defaults to enforced.
Forced	Default. Force app verification.
User choice	Allows the user to choose whether to enable app verification.

Developer settings

Unspecified

Controls access to developer settings: Developer Options and Safe Launch.

Unspecified	Not specified. Disabled by default.
Disabled	Default. Disables all developer settings and prevents the user from accessing them.
Allowed	Allows all developer settings. The user can access and optionally configure the settings.

Common Criteria mode

Unspecified

Controls Common Criteria mode - security standards defined in the Common Criteria for Information Technology Security Evaluation (CC).

Enabling Common Criteria mode increases certain security components on a device, including AES-GCM encryption of Bluetooth long keys and Wi-Fi configuration warning: Common Criteria mode enforces a strict security model that is normally only required for IT products used in national security systems and other highly sensitive organizations. The use of standard devices may be affected. Activate only when required.

Unspecified	Not specified. Disabled by default.
Disabled	Default. Disables the Common Criteria mode.
Activated	Activates the Common Criteria mode.

Personal apps that can read work notifications

Add package name

Personal apps that can read work profile notifications with a NotificationListenerService. By default, no personal apps (except system apps) can read work notifications. Each value in the list must be a package name.

Power-Button-Actions

Unspecified

Sets the behavior of a device in kiosk mode when a user presses and holds the On / Off button.

Unspecified	Not specified, available by default.
Available	The on / off menu (e.g. switch off, restart) is displayed when a user holds down the on / off key of a device in kiosk mode.
Blocked	The On / Off menu (e.g. power off, restart) is not displayed if a user holds down the On / Off button of a device in kiosk mode. Note: This may prevent users from turning off the device.

System error warnings

Unspecified

Specifies whether to block system error dialogs for crashed or unresponsive apps in kiosk mode.

Unspecified	Not specified, muted by default.
Activated	All system error dialogs like crash and app not responding (ANR) are displayed.
Mute	All system error dialogs like crash and unresponsive app (ANR) are blocked. When it is blocked, the system forcibly stops the app as if the user closes the app from the user interface.

System navigation

Unspecified

Indicates which navigation functions are enabled in kiosk mode (e.g. Home, overview keys).

Unspecified	Not specified, disabled by default.
Activated	Home and overview buttons are enabled.
Disabled	The Home and Overview buttons cannot be accessed.
Home-button only	Only the home-button is enabled.

Status bar

Unspecified

Specifies whether system information and notifications are disabled in kiosk mode.

Unspecified	Not specified, notifications and system information disabled by default.
Notifications and system information enabled	System information and notifications are displayed in the status bar in kiosk mode
Notifications and system information disabled	System information and notifications are disabled in kiosk mode.
System information only	Only system information is displayed in the status bar.

Device Settings

Unspecified

Indicates whether reporting is enabled for device settings.

Unspecified	Not specified, allowed by default.
Allowed	Access to the settings app is allowed in kiosk mode.
Blocked	Access to the settings app is not allowed in kiosk mode.

Save

Personal use

Caption

Value

Description

Personal use

Activate

Activation allows you to configure the personal use of the Android device.

Disable camera

The camera should be deactivated by default.

Disable screen capture

In order to provide data protection, it should not be possible to take screenshots. This also includes blocking screen sharing applications and similar applications (e.g. Google Assistant) that use the system's screenshot functions.

Account types with management disabled

Account types that cannot be managed by the user

Max. days without work

0

Controls how long the work profile can remain off.

Personal Play Store mode

Unspecified

Used together with "Personal apps" to control how apps are allowed or blocked in the personal profile.

Unspecified	Not specified. Block list by default.
Allow list	Only apps that are explicitly specified in "Personal apps" and whose "Installation type" is set to "Available" may be installed in the personal profile.
Blocklist	All Play Store apps can be installed in the personal profile, except for those whose installation type is "Blocked" under "Personal apps".

Personal applications

Add applications

Guidelines for apps in the personal profile of a company-owned device with a work profile.
Each click on the button adds a section Application by customizing an app.

Package name

com.google.android.youtube Select application

The package name of the VPN app.

Install type
Only appears when an app is selected in Package name.

Unspecified

The way the installation is performed.

Unspecified	Not defined. Equivalent to Available.
Block	The app is blocked and cannot be installed. If the app was installed using an old profile, it will be uninstalled.
Available	The app is ready for installation.

Cross-profile guidelines

Activate

Cross-profile policies applied to the device.

Show work contacts in personal profile

Allowed

Whether contacts stored in the work profile can be displayed in the contact search in the personal profile and on incoming calls.

Unspecified	Not specified. Allowed by default.
Not allowed	Prevents contacts from the work profile from being displayed when searching for personal profile contacts and incoming calls.
Allowed	Default. Allows work profile contacts to appear when searching for personal profile contacts and incoming calls.

Cross-profile copy & paste

Not allowed

Whether text copied from one profile (personal or business) can be pasted into the other profile.

Unspecified	Not specified. Not allowed by default.
Not allowed	Default. Prevents users from pasting text copied from the work profile into the personal profile. Text copied from the personal profile can be pasted into the work profile and text copied from the work profile can be pasted into the work profile.
Allowed	Text copied in one of the profiles can be pasted in the other profile.

Cross-profile data sharing

Refuse from business to personal profile

Whether data from one profile (personal or business) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste or connected work & personal apps, are configured separately.

Unspecified	Not specified. Not allowed by default.
Not allowed	Prevents data from being passed from both the personal profile to the work profile and from the work profile to the personal profile.
Refuse from business to personal profile	Default. Prevents users from sharing work profile data with apps in the personal profile. Personal data can be shared with business apps.
Allowed	Data from one of the profiles can be shared with the other profile.

Save

Passcode

Caption

Value

Description

Password policies

Add policy

Password policies can be used for work profiles and fully managed devices.

Scope

The scope that the password requirement applies to.

Device

The policy applies only to fully managed devices

Work Profile

The policy only applies to work profiles

Both

The policy applies to fully managed devices as well as devices with a work profile.

Passcode quality

Complex

The required password quality.

Unspecified	There are no password requirements.
Biometric	The device must be secured with at least low security biometric detection technology. This includes technologies that can recognize the identity of a person corresponding to a three-digit PIN (misidentification is less than 1 in 1,000).
Something	A password is required, but there are no restrictions on what the password must contain.
Numeric	The password may only consist of digits.
Numeric (complex)	The password may only consist of digits that do not contain repetitive (4444) or ordered (1234, 4321, 2468) sequences.
Alphabetic	The password must consist only of alphabetical characters (or symbols).
Alphanumeric	The password must consist of both digits and alphabetical characters (or symbols).
Complex	The password must contain at least a letter, a number and a special symbol. Other password restrictions, such as passwordMinimumLetters, are enforced.

Minimum length

0

The minimum allowed password length. A value of 0 means there is no restriction.
Only enforced when Passcode quality is Numeric, Numeric (Complex), Alphabetic, Alphanumeric, or Complex.

Minimum letters

0

Minimum number of letters in the password
Forced only if the Password quality is Complex.

Minimum lowercase letters

0

Minimum number of lowercase letters required in the password
Forced only if the Password quality is Complex.

Minimum uppercase letters

0

Minimum number of capital letters in the password
Forced only if the Password quality is Complex.

Minimum non letter characters

0

Minimum number of non-letters (numeric digits or symbols) required in the password.
Forced only if the Password quality is Complex.

Minimum numeric characters

0

Minimum number of digits in the password
Forced only if the Password quality is Complex.

Minimum symbols

0

Minimum number of symbols in the password
Forced only if the Password quality is Complex.

Password history length

0

The length of the password history. After setting this field, the user won't be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.

Maximum failed attempts

10

Number of permitted input attempts before all data on the device is deleted.

Validity

0

A duration in days until the password must be changed. A value of 0 means that the password never needs to be changed.

Password unlock required

The amount of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that can be unlocked using another authentication method (e.g., fingerprint, trusted agent, face). After the specified period, only strong authentication forms can be used to unlock the device or work profile.

Unspecified

Not specified. By default, the device-timeout is used.

Device-timeout

The timeout is set to the default setting of the device.

Daily

The timeout is 24 hours.

Save

Applications

notempty

The settings shown here are examples that provide a most comprehensive basic protection. Adjustment to local requirements must be carried out!

Caption

Value

Description

Applications

Add applications

Adds apps to this profile notempty

Apps on EMM-managed devices are configured within the profiles!

Package name

com.google.android.youtube Select application

The package name of the VPN app.
For our example: Nextcloud
If a message appears next to the app logo, certain values can be passed to the app.
(Not available on Nextcloud)
See Manage configuration template

Save

Install type

Pre install

The way the installation is performed.

Pre install	The app is installed automatically, but can be removed by the user.
Force install	The app is installed automatically and cannot be deleted by the user.
Block	The app is blocked and cannot be installed. If the app was installed using an old profile, it will be uninstalled.
Available	The app is ready for installation.
Required for setup	The app is installed automatically, cannot be deleted by the user, and prevents the device from being set up until the app is installed.
Kiosk	The app is automatically installed in kiosk mode: it is set as the preferred home intention and set to allowlist for lock-task mode. The device setup will not be completed until after the app has been installed. After installation, users can only use this app, which starts automatically and can no longer be removed. You can only set this installType for one application per policy. If this is present in the policy, the status bar is automatically disabled.

Default permission policy

Prompt

The default policy for all permissions requested by the app. If set, overrides the default policy-level permission policy that applies to all apps. It does not override the global permission grant, which applies to all apps.

Unspecified	Policy not specified. If no policy is specified for a permission at any level, 'Prompt' is used by default.
Prompt	Prompts the user to grant an authorization.
Grant	Grant authorization automatically
Deny	Deny authorization automatically

Permissions

Add permission

Grants explicit permission or denial for the app. These values override the default permission policy and global permission restrictions that apply to all apps.

Permission

android.permission.WRITE_EXTERNAL_STORAGE

The app needs access to the memory (this means internal memory and an additional SD card).

Policy

Grant

The policy for granting authorization.

Permission

android.permission.INTERNET

The app should get access to existing internet connections.

Policy

Grant

The policy for granting authorization.

Permission

com.nextcloud.client.permission.C2D_MASSAGE

The app should be able to receive push messages via Firebase Cloud Messaging (formerly Google Cloud Massage) (Cloud to Device → C2D)

Policy

Grant

The policy for granting authorization.

If necessary, further authorizations must be granted or denied here.
Note: In the »Approval« field, only the authorizations that the respective app requires and is usually required for proper operation appear. It is recommended to grant necessary permissions in advance and to allow all other permissions only on request (prompt). The »deny« option should only be used for selected authorizations where it is clear that the desired function of the app is not affected by this.

Managed configuration

Manage configuration

Managed configuration applied to the app. The format for the configuration depends on the ManagedProperty values supported by the app. Each field name in the managed configuration must match the key field of the managed property. The field value must be compatible with the ManagedProperty type.

Managed Configuration Template

Manage configuration template

This field is ignored if the managed configuration is set.
Calls up a template from the app manufacturer in which various parameters can be transferred to the app, depending on what the manufacturer specifies. These can be fixed parameters and variables in email apps:

Example for Gmail app:
Email Address	$emailaddress$	Variable
Hostname or Host	m.google.com	Fixed parameter Example: Hostname of the mail server for Gmail accounts
Username	$emailaddress$	Variable (for Gmail accounts the username is the email address.) With other accounts / apps the variable $username$ can be used here.

notempty

For a correct function, the button Substitute Wildcard variables (see below) must be activated!

The values are taken from the user settings of the user to whom the respective device is assigned

Variable name in profiles	Description	Example
$username$ alternative names: %device_user% %device_user_username%	Username	jdoe
$emailaddress$ alternative name: %device_email%	Email address	jdoe@ttt-point.de
$firstname$ alternative name: %device_user_firstname%	First name	John
$lastname$ alternative name: %device_user_lastname%	Last name	Doe
$name$ alternative name: %device_user_name%	First name and surname	John Doe
$variable1$ alternative name: %variable1%	custom value	jdoe/ttt-point.local
$variable2$ alternative name: %variable2%	custom value
$variable3$ alternative name: %variable3%	custom value
$device_name$ alternative name: %device_name%	Only for iOS: The name assigned on the phone (see: Settings → General → Info → Name) This variable can also be used in iOS profiles in the Shared device section	Cell phone from Markus Müller
$device_alias$ alternative name: %device_alias%	Only for iOS: The alias assigned in the portal. If the alias is not assigned, the device_name is displayed. This variable can also be used in iOS profiles in the Shared device section	Tablet Storage1
Defining the values in the user administration in the portal under: General Users or for the device alias in the device tile. To avoid input errors, different variable names are possible for compatibility reasons. A distinction between Android and iOS is no longer necessary.

Disabled

Whether the app is disabled. When deactivated, the app data is still retained.

Minimum version code

0

The minimum version of the app that will run on the device.

If set, the device will attempt to update the app to at least this version code. If the app is not up to date, the device contains a non-compliance detail with the non-compliance reason APP_NOT_UPDATED. The app must already be published in Google Play with a version code greater than or equal to this value. A maximum of 20 apps can set a minimum version code per policy.

Delegate areas

The permissions selected here are delegated to the app by the Device Policy Controller.

Unspecified	No delegation area specified.
Certificate installation	Provides access to the installation and management of certificates.
Managed configurations	Provides access to the management of managed configurations.
Block uninstall	Gives access to blocking the uninstallation.
Grant permission	Provides access to the permission policy and permission status.
Packet access	Gives access to the packet access status.
Enable system apps	Grants access to activate system apps.

Accessible Track IDs

List of track IDs of the app that an enterprise device can access. If the list contains multiple track IDs, devices get the latest version among all accessible tracks. If the list does not contain any track IDs, devices have access only to the production track of the app.

Connected Work & Personal App

Unspecified

Controls whether the app can communicate with itself through a device's work and personal profiles with the user's permission.

Unspecified	Not allowed by default
Not allowed	Default. Prevents cross-profile communication of the app.
Allowed	Allows the app to communicate across profiles after receiving the user's consent.

Substitute Wildcard variables

(Default)

If activated , the content of the variables $username$ and $emailaddress$ is read from the user settings of the user to whom the respective device is assigned. A click box will appear in which all Users to which this function is to be applied must be selected.

An automatically generated profile is created for each user, but only the profile template can be edited.
If the button is deactivated again, the generated user profiles become editable profiles.

Automatic App Updates

Always

The policy enforced on a device to automatically update apps depending on the network connection: Apps should also be updated on devices that rarely or never return to a wireless network. The volume of data usually has little effect with standard volume tariffs.

Unspecified	The auto-update policy is not set. Corresponds with the user selection.
User selection	The user can control the automatic updates.
Never	Apps are never updated automatically
Via WLAN only	Apps are only updated automatically via WLAN.
Always	Apps are updated automatically at any time. Data charges may apply.

Global default authorization policy

Not specified (prompt)

The default authorization policy for runtime authorization requests.

Not specified (prompt)	Policy not specified. If no policy is specified for a permission at any level, 'Prompt' is used by default.
Prompt	Prompt the user to grant permission.
Grant	Grant authorization automatically
Deny	Deny correction automatically

Disable installation of apps

notempty

If activated, no installations or Updates are possible. Also not via the portal!

Disable uninstalling apps

The user should not be able to uninstall any apps.

App Tracks

The app track that the device can access with the policy. The device receives the latest version of all available tracks. If no tracks are specified, the device uses only the production track.

Unspecified	This value is ignored
Production	The production track, which offers the latest stable version.
Beta	The beta track, which contains the latest beta version.

Play Store Mode

Allow list

Only apps that are configured here in the policy are available. Any app not included in this policy will be automatically uninstalled from the device.
Blocklist means All apps in the Play Store are available, except for those configured here with Installation Type Block!

Global permission granting

Add permission

Explicit permission or group grant or deny for all apps. These values override the Default permission policy.

Permission

The Android permission or group, for example android.permission.READ_CALENDAR or android.permission_group.CALENDAR.

Policy

Unspecified

The policy for granting authorization.

Unspecified	Policy not specified. If no policy is specified for a permission at any level, 'Prompt' is used by default.
Prompt	Prompt the user to grant permission.
Grant	Grant permission automatically
Deny	Deny permission automatically

Save

Networks

Caption

Value

Description

Networks

Always on VPN

Enable "Always-On-VPN"

Always sets up a VPN. Enables further settings

Package name

de.securepoint.ms.agent

The package name of the VPN app.

Lockdown enabled

If the VPN is not connected, any network connection is prevented.

Recommended global proxy

Activate the global proxy

After activation, a global proxy can be set.

Host

Host name

The host of the direct proxy.

Port

Port number

The port of the direct proxy.

Excluded host

Host names

For a direct proxy, the hosts for which the proxy is bypassed. The host names can contain wildcards such as * .example.com.

PAC URI

URI

The URI of the PAC script used to configure the proxy.

Network configuration

Network configurations

Add configuration

Configuring Access Profiles for WiFi Networks

Name

ttt-point Headquarters

The name of the configuration

Type

WiFi

Profile type (see below)

Wifi

SSID

ttt-point-headquarter-WIFI

The SSID of the network

Security

WPA-PSK

High security level

Password

••••••••••

"Even if it sounds trivial: WIFI.MyCompany.123 or Location.HouseNumber are no secure passwords! Also 1234 and abcd or qwerty are not' really secure passwords!"

Hidden SSID

Indicating if the SSID will be broadcast.

Autoconnect

The device should automatically connect to the network.

Save

Status reporting

Caption

Value

Description

Status reporting

Activate the status message

After activation, the configuration of the status reports can be set.

Hardwarestatus

Indicates whether the hardware status message is enabled.

Application Reports

Indicates whether app reports are enabled.

Software information

Indicates whether software info reporting is enabled.

Working memory information

Indicates whether memory reporting is enabled.

Display information

Indicates whether the display of reports is enabled.

Network information

Indicates whether the network info message is enabled.

Device Settings

Indicates whether reporting is enabled for device settings.

Power Management Events

Indicates whether power management event reporting is enabled.

Save

Compliance

Rules can be defined for when the telephone or work profile is locked and when it is deleted (factory reset). The user is prompted to activate the selected policy on the device. Otherwise, the device / work profile will be blocked or set to factory defaults / deleted.

Caption

Value

Description

Compliance

Rules for enforcing the profile

Add rule

A rule that defines the actions to be taken when a device or a work profile does not comply with the policy specified in "Setting name".

Preference name

Password policy

The password policies must be applied to the phone.

Block

Block after x days

1

Number of days on which the policy is not compliant before the device or work profile is blocked. To block access immediately, the value is set to 0.

Block scope

Unspecified

Specifies the scope of the blocking action. Applies only to devices owned by the company.

Unspecified	Not specified. Work profile by default.
Work profile	The blocking action is applied only to apps in the work profile. Apps in the personal profile are not affected.
Device	The blocking action is applied to the entire device, including the apps in the personal profile.

Delete

Get factory reset protection

If enabled, the factory settings reset protection is preserved in the profile. In the event of theft or loss, you must first log into your Google Account before the device can be reset to factory defaults. This setting does not work with work profiles.

Wipe after x days

7

Number of days before the device or work profile is deleted if the policy (here: password policies) has not been implemented on the device. Delete must be greater than Block.

Save

Security

notempty

The Security tab is only available if a Mobile Security license is present.
EMM licenses do not have VPN functionality that enables these security functions.

Caption

Value

Description

Security

Activate Securepoint Mobile Security

With Activation, the Securepoint Mobile Security app is added or removed in the Applications tab and can be configured here.
This is required to configure the security settings.

Protocol

TCP

The protocol TCP or UDP used for the VPN tunnel

Portfilter Type

Selection

Filter network traffic based on network ports.
Closed Open Selection

Port filter rule selection
Appears when Port filter type Selection is selected

Communication VPN

Specify which port collections are open for network traffic

Port-Collection	Port	Protocol	Application
Administrative Tools	21	TCP	ftp
	3389	TCP	ms-rdp
	23	TCP	telnet
	5900	TCP	vnc
	22	TCP	ssh
	5938	TCP/UDP	teamviewer
Communication	3478-3481	UDP	Skype
	49152-65535	UDP
	49152-65535	TCP
	5222	TCP	Google Push-Notifications
	5223	UDP
	5228	TCP
VOIP	5060	UDP	SIP/RTP
VOIP	7070-7089	UDP	SIP/RTP
VPN	1194	TCP	OpenVPN
	1194	UDP	OpenVPN
	500	UDP	IPSec
	4500	UDP & ESP	IPSec
	1701	UDP	L2TP
Mail	25	TCP	smtp
	587	TCP	smtp
	465	TCP	smtps
	110	TCP	pop3
	995	TCP	pop3
	143	TCP	imap
	993	TCP	imap

SSL-Interception

Default

SSL traffic from web pages listed in the content filter allowlist is not intercepted, other pages are checked using SSL interception.

Content-Filter Allowlist

Remote maintenance

Click box: Web pages that are to be added to a allowlist. Possible entries: Contentfilter

Content-Filter Blocklist

Default-Values HackingProxyThreat Intelligence Feed

Click box: Websites that are to be added to a blocklist.

Exclude local WLAN from VPN

If enabled , a route is added that excludes the local WLAN IP range from the tunnel

Disable VPN for SSIDs

ttt-point-headquarter-WiFi

Enter WiFi SSIDs for which the security features shall be disabled.

Exclude IP addresses from VPN

Add IPs

Enter IP addresses or networks for which the security functions are to be bypassed, i.e. the individual host 222.222.222/32 or the entire subnet 123.123.123.0/24. Use the cursor keys to navigate within the mask

Exclude apps from VPN

Add package name

Enter the package names of the apps that are to bypass the VPN service

Allow Suspend Always-On-VPN

Allow other VPN profiles

Adding other VPN profiles in addition to the Securepoint Security profile shall not be allowed.

Save

Localize

Caption

Value

Description

Localize

Enable localization function

Adds functionality to find the devices assigned to this policy. This functionality is limited to fully managed devices only.

Save

notempty

The settings shown here are examples that provide a most comprehensive basic protection. Adjustment to local requirements must be carried out!