Android profile configuration in the Restrictions menu item

Last adapted to version: 2.5

New:
  • New sorting of options with matching subdivisions
  • One corresponding screenshot per subsection
This article refers to a Beta version.

Access: portal.securepoint.cloud → Mobile Security Android Profile → Tab Restrictions


Restrictions

Caption    Value    Description

Support Messages
Short support message    Short support message    A message that is displayed to the user on the settings screen when the functionality has been disabled by the administrator. The maximum message length is 4096 characters.
Long support message    Long support message    A message displayed to the user. The maximum message length is 4096 characters. See figure above.

Connections
Disable resetting network settings    When enabled, resetting the network settings is disabled.

This prevents users from resetting all network connections, including Wi-Fi, cellular and Bluetooth, ensuring a stable network environment.

Disable mobile network configuration    If activated, the configuration of mobile networks is deactivated.

This prevents changes to the settings for mobile networks, such as APN settings, and thus ensures a consistent network connection.

Disable cell broadcast configuration    If activated, the configuration of Cell Broadcast is deactivated.

Cell Broadcast is often used for emergency alerts and disabling the configuration prevents users from changing these settings.

Disable outgoing calls    If activated, outgoing calls are deactivated.

This can be used to prevent users from making unwanted or unauthorized phone calls.

Disable roaming    When activated, roaming data services are deactivated.

This prevents the device from using data roaming services, which can be helpful to avoid high roaming charges.

Disable SMS    If activated, sending and receiving SMS messages is deactivated.

This can be used to direct communication to other channels and retain control over SMS traffic.

Configure WiFi    Unspecified    Defines the authorizations for the WiFi configuration.

Depending on the option selected, the user can control the WiFi configuration either completely, only to a limited extent or not at all. This helps to control network access and prevent unauthorized WiFi connections.

  • Unspecified: Corresponds to the setting 'Allow all'.
    If this value has not yet been actively set, the value from the obsolete setting wifiConfigDisabled is transferred to the new field ConfigureWifi.
      • Its default value was 'false'.
        Attention: double negation: »Deactivation of setting = false« means: setting allowed.
      • The new field shows 'Unspecified' if the value in the original field was never set (i.e. is still in the default state).
      • If the original value was set to 'wifiConfigDisabled == true', the new field 'ConfigureWifi' receives the value 'DISALLOW_CONFIGURING_WIFI'.
  • Allow all: The WLAN configuration is fully permitted.
  • Prohibit adding WLAN configuration: Adding new WLAN configurations is not permitted; the user can only switch between networks that have already been configured.
  • Do not allow WLAN configuration: Prevents the configuration of WLANs.

Disable Bluetooth    If activated, Bluetooth is deactivated.

This setting is preferable to “Disable Bluetooth configuration”, as disabling Bluetooth configuration can be bypassed by the user. This ensures that Bluetooth remains completely switched off.

Disable Bluetooth configuration    If activated, the Bluetooth configuration is deactivated.

This prevents users from changing the Bluetooth settings, which increases the security of the devices.

Disable Bluetooth contact sharing    If activated, Bluetooth contact sharing is deactivated.

Only for work profiles. This prevents the sharing of contacts via Bluetooth to protect privacy and data integrity.

Disable sending via NFC    If activated, the use of NFC to send data from apps is deactivated.

This can prevent users from sharing data via NFC, which increases the security of data transmission.

Disable airplane mode    Disabled    Controls the current status of flight mode and indicates whether the user can turn it on or off.
Available from Android 9 or higher.
Whether deactivation is necessary depends on local requirements.
  • Unspecified: The current device value is not modified. The user can enable or disable the flight mode.
  • User choice: The user can enable or disable the flight mode.
  • Disabled: The flight mode is deactivated. The user is not allowed to activate the flight mode.

Tethering Settings    Unspecified    This policy defines the extent to which the user may use various forms of tethering (e.g. Wi-Fi tethering or Bluetooth tethering).

This helps to control and restrict the use of mobile data by other devices.

  • Unspecified: Corresponds to the setting 'Allow all'.
    If this value has not yet been actively set, the value from the outdated setting tetheringConfigDisabled is transferred to the new field TetheringSettings.
      • Its default value was 'false'.
        Attention: double negation: »Deactivation of setting = false« means: setting permitted.
      • The new field shows 'Unspecified' if the value in the original field was never set (i.e. is still in the default state).
      • If the original value was set to 'tetheringConfigDisabled == true', the new field 'TetheringSettings' receives the value 'DISALLOW_ALL_TETHERING'.
  • Allow all: All forms of tethering are permitted.
  • Prohibit WLAN tethering: All forms of tethering, with the exception of WLAN tethering, are permitted.
  • Prohibit tethering: All forms of tethering are prohibited.

Disable the Network Escape Hatch    Indicates whether the Network Escape Hatch is enabled.
If a network connection cannot be established at boot time, the Escape Hatch prompts the user to temporarily connect to a network to update the device policy. After applying the policy, the temporary network is forgotten and the device continues booting. This avoids a situation in which the device cannot connect to any network because the last policy contains no suitable network and the device launches an app in task lock mode, or the user cannot otherwise reach the device settings.

Device protection
Accounts to unlock after factory reset    Select email address    Factory Reset Protection (FRP). Email addresses of device administrators to protect against resetting to factory defaults. When the device is reset to factory defaults, one of these administrators must log in with the Google Account email address and password to unlock the device. If no administrators are specified, the device provides no protection against resetting to factory defaults.

Disable mounting physical media    Deactivates the mounting of external physical media by the user.

USB data access    Unspecified    Controls what files and/or data can be transferred via USB.
Does not impact charging functions.
Supported only on company-owned devices.
  • Unspecified: Defaults to "Disallow file transfer".
  • Allow all: All types of USB data transfers are allowed.
  • Disallow file transfer: Transferring files over USB is disallowed. Other types of USB data connections, such as mouse and keyboard connection, are allowed.
  • Disallow all data transfer: When set, all types of USB data transfers are prohibited. Supported for devices running Android 12 or above with USB HAL 1.3 or above.

Deactivate key lock    Indicates whether the key lock is deactivated.

Disable keyguard    Select functions    Functions that are not available to the user in the lock screen.

Enable private key selection    Allows the user interface to be displayed on a device so that a user can select a private key alias if there are no matching rules in ChoosePrivateKeyRules. For Android P devices, this setting can leave company keys open to attack.

Rules for private keys    Add rule
  • Rules for automatically selecting a private key and certificate to authenticate the device to a server.
  • The rules are ordered by priority.
  • Thus, if an outgoing request matches more than one rule, the last rule defines which private key to use.
  • This prioritization ensures secure and consistent authentication.
URL-pattern    URL-pattern    The URL pattern to match with the URL of the outgoing request. The pattern may contain wildcards with asterisks (*). If no pattern is specified, any URL matches.
Package names    Add package names    The package names for which outgoing requests are subject to this rule. If no package names are specified, the rule applies to all packages. For each listed package name, the rule applies to that package and all other packages that use the same Android UID. The SHA256 hash of the signing key signatures of each package name is compared to those provided by Play.
Alias for private key    Alias    The alias of the private key to be used.

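The rule ordering described under "Rules for private keys", as an added example that is not part of the original article or of the Securepoint portal: a Python sketch that resolves which alias a request would receive when the last matching rule wins, and lists rules that a later catch-all rule makes unreachable. The dictionary keys, sample rules and full-URL matching are assumptions; the shared-UID and signature checks are not modelled.

```python
import re


def url_matches(pattern, url):
    """Asterisk-only wildcard match; an empty pattern matches any URL.
    Assumption: the pattern is compared against the full request URL."""
    if not pattern:
        return True
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None


def rule_applies(rule, url, package):
    """A rule without package names applies to every package."""
    packages = rule.get("package_names") or []
    if packages and package not in packages:
        return False
    return url_matches(rule.get("url_pattern", ""), url)


def select_alias(rules, url, package):
    """Alias chosen for a request: when several rules match, the last one wins."""
    chosen = None
    for rule in rules:
        if rule_applies(rule, url, package):
            chosen = rule["alias"]
    return chosen


def shadowed_aliases(rules):
    """Aliases of rules that can never win because a later rule matches everything."""
    catch_all = [i for i, r in enumerate(rules)
                 if r.get("url_pattern", "") in ("", "*") and not r.get("package_names")]
    return [r["alias"] for r in rules[:catch_all[-1]]] if catch_all else []


# Constructed sample rules (hypothetical hosts, packages and aliases).
FALLBACK = {"url_pattern": "", "package_names": [], "alias": "fallback-key"}
CORP_WEB = {"url_pattern": "https://*.example.com/*", "package_names": [],
            "alias": "corp-web-key"}
VPN = {"url_pattern": "https://vpn.example.com/*",
       "package_names": ["com.example.vpn"], "alias": "vpn-client-key"}

ORDERED = [FALLBACK, CORP_WEB, VPN]      # most specific rule last
MISORDERED = [VPN, CORP_WEB, FALLBACK]   # catch-all last: it always wins

if __name__ == "__main__":
    url = "https://vpn.example.com/login"
    print(select_alias(ORDERED, url, "com.example.vpn"))
    print(select_alias(MISORDERED, url, "com.example.vpn"))
    print(shadowed_aliases(MISORDERED))
```
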
Security guidelines
Untrusted apps policy    Unspecified    This setting determines whether users can allow the installation of apps from unknown sources.

Prohibiting such apps protects the device from potentially harmful software that does not originate from the official App Store.

  • Unspecified: Not specified. Not allowed by default.
  • Allow only in personal profiles: For devices with work profiles, allow untrusted app installs in the device's personal profile only.
  • Do not allow: Default. Prohibit untrusted app installations on the entire device.
  • Allow: Allow untrusted app installations on the entire device.

Force app verification through 'Google Play Protect'    Unspecified    This option ensures that all apps installed on the device are regularly scanned and checked by “Google Play Protect”.

“Google Play Protect” helps to detect and remove malicious apps, ensuring the security and integrity of the device.

  • Unspecified: Defaults to enforced.
  • Forced: Default. Force app verification.
  • User choice: Allows the user to choose whether to enable app verification.

Developer settings    Unspecified
  • Controls access to developer settings: Developer Options and Safe Launch.
  • This setting controls whether users can access the device's developer settings.
  • This includes options such as USB debugging and other developer options that are normally used for app development.
  • Disabling these settings prevents users from making changes that could affect the security or performance of the device.
  • Unspecified: Not specified. Disabled by default.
  • Disabled: Default. Disables all developer settings and prevents the user from accessing them.
  • Allowed: Allows all developer settings. The user can access and optionally configure the settings.

Common Criteria mode    Unspecified    Controls Common Criteria mode: This setting activates security standards defined in the Common Criteria for Information Technology Security Evaluation (CC). Activating this mode strengthens certain security components on the device, such as the AES-GCM encryption of Bluetooth long-term keys and the Wi-Fi configuration.
Warning: Common Criteria mode enforces a strict security model that is normally only required for IT products used in national security systems and other highly sensitive organizations. The use of standard devices may be affected. Activate only when required.
  • Unspecified: Not specified. Disabled by default.
  • Disabled: Default. Disables the Common Criteria mode.
  • Activated: Activates the Common Criteria mode.

Updates
System update    When activated, the configuration of system updates is activated.

This option allows administrators to control when and how system updates are installed on the device to ensure that the device is always kept up to date and secure.

Update type    Unspecified    The type of system update to configure.
  • Unspecified: Follow the default update behavior for the device, which normally requires the user to accept system updates.
  • Automatic: Automatically install when an update is available.
  • In window: Automatic installation within a daily maintenance window. This also configures Play apps to be updated within the window. This is highly recommended for kiosk devices, as it is the only way that apps that remain permanently in the foreground can be updated by Play.
  • Delay: Delay the automatic installation for a maximum of 30 days.

Freeze periods    Add period
  • An annually recurring period of time during which over-the-air (OTA) system updates are postponed in order to freeze the operating system version running on a device.
  • To prevent the device from freezing indefinitely, freeze periods must be at least 60 days apart.
  • This setting is particularly useful to avoid system changes during certain business hours or during important projects that could affect stability or compatibility.
Start    Start of the period
End    End of the period

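The 60-day spacing rule for freeze periods, as an added example that is not part of the original article or of the Securepoint portal: a Python check that treats each period as annually recurring, so the gap from the last period of one year to the first period of the next is checked as well. The dictionary keys, the sample periods and the 365-day reference year are assumptions.

```python
from datetime import date

MIN_GAP_DAYS = 60   # from the article: freeze periods must be at least 60 days apart
REF_YEAR = 2023     # assumption: periods are evaluated on a non-leap reference year
YEAR_DAYS = 365


def day_index(month, day):
    """0-based position of a calendar day within the reference year."""
    return date(REF_YEAR, month, day).timetuple().tm_yday - 1


def to_interval(period):
    """Return (start_index, length_in_days, name). The end day is inclusive and
    a period may wrap across 31 December."""
    start = day_index(*period["start"])
    end = day_index(*period["end"])
    return start, (end - start) % YEAR_DAYS + 1, period["name"]


def check_freeze_periods(periods):
    """Return findings as (kind, period, next_period, days); empty means compliant."""
    findings = []
    intervals = sorted(to_interval(p) for p in periods)
    for i, (start, length, name) in enumerate(intervals):
        # Next period on the annual circle; the last one is followed by the first.
        nxt_start, _, nxt_name = intervals[(i + 1) % len(intervals)]
        distance = (nxt_start - start) % YEAR_DAYS
        if len(intervals) == 1:
            distance = YEAR_DAYS  # a single period is followed by its own recurrence
        if length > distance:
            findings.append(("overlap", name, nxt_name, length - distance))
        elif distance - length < MIN_GAP_DAYS:
            findings.append(("gap_too_short", name, nxt_name, distance - length))
    return findings


# Constructed sample periods as (month, day) pairs; names are hypothetical.
PERIODS = [
    {"name": "year-end", "start": (12, 15), "end": (1, 10)},
    {"name": "summer", "start": (7, 1), "end": (7, 31)},
    {"name": "spring", "start": (2, 20), "end": (3, 20)},
]

if __name__ == "__main__":
    for finding in check_freeze_periods(PERIODS):
        print(finding)
```
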
Input methods
Permitted input methods    Add package name
  • If present, only the input methods provided by packages in this list are allowed.
  • If this field is present but the list is empty, only system input methods are allowed.
  • This option restricts the use of keyboards and other input methods to a predefined list to increase security and control over data processing and input.
Approved input support services    Add package name
  • Specifies the permitted input help services. If the field is not set, any input help service can be used.
  • If the field is set, only the input help services contained in this list and the input help services integrated in the system can be used.
  • In particular, if the field is empty, only the system's integrated accessibility services can be used.
  • This setting helps to control and monitor the use of accessibility services to ensure the security and integrity of the system while supporting accessibility for users.

System settings
Disable modifying accounts    When enabled, adding or removing accounts is disabled. This prevents users from adding or removing personal or professional accounts, which helps to ensure data integrity.
If this item is not enabled, the user can create another Google Account, log into the Play Store and install any software.

Account types with management disabled    Account types that cannot be managed by the user.

This can be used to prevent the addition of different accounts from defined providers in order to prevent an unwanted outflow of data.

Disable adding users    If activated, the addition of new users and profiles is deactivated.

This can be useful to ensure that no additional users or guest profiles are created on the device.

Disable the removal of users    If activated, the removal of other users is deactivated.

This prevents existing users or guest profiles, especially administrative or business-critical ones, from being removed.

Disable setting user icon    If activated, changing the user icon is deactivated.

This ensures a uniform display of the user profiles and can help to avoid confusion.

Deactivate factory reset    If activated, resetting to factory settings is deactivated.

This protects against data loss and prevents the device from being reset to factory settings without administrator authorization.

Disable credentials configuration    Disables the configuration of user credentials.
If the credentials configuration is disabled, certificates can no longer be installed. If these security settings are to be used, it is recommended to deactivate the configuration of the login credentials only after the security settings have been implemented on all devices.

Disable the background settings    If activated, changing the background image is deactivated.

This can help to maintain a uniform appearance for all devices in a company.

Disable creating windows    When enabled, the creation of windows next to app windows is disabled.

This can help to simplify the user interface and ensure that no additional windows disrupt the user experience.

Location mode    Unspecified    Determines the level of location detection.

The user can change the value, unless the user cannot access device settings. This makes it possible to switch between different location modes.

  • Unspecified: The current device value is not changed. The user can change the value unless the user cannot access device settings.
  • User choice: The location setting is not restricted on the device. No specific behavior is set or enforced.
  • Forced: Activates the location setting on the device.
  • Disabled: Disables the location setting on the device.

Disable location sharing    Indicates whether location sharing is disabled.

Skip hints on first use    Flag to skip first-time-use hints. The company administrator can enable the system recommendation for apps to skip the user tutorial and other introductory notes on first launch.

Kiosk mode & kiosk starter

Kiosk starter
Activate the custom kiosk launcher    Indicates whether the custom kiosk launcher is enabled.
This replaces the home screen with a launcher that locks the device to the apps installed via the application setting. The apps are displayed on a single page in alphabetical order. It is recommended to disable the status bar to block access to the device settings.

Kiosk mode
Power-Button-Actions    Unspecified    Defines the behavior of a device in kiosk mode when a user presses and holds the on/off button.

This can be used to ensure that users cannot bypass kiosk mode by restarting or switching off the device.

  • Unspecified: Not specified, available by default.
  • Available: The on/off menu (e.g. switch off, restart) is displayed when a user holds down the on/off button of a device in kiosk mode.
  • Blocked: The on/off menu (e.g. switch off, restart) is not displayed if a user holds down the on/off button of a device in kiosk mode. Note: This may prevent users from turning off the device.

System error warnings    Unspecified    Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode.

This setting prevents users from seeing system error warnings and ensures that the device remains in the intended mode even if errors occur.

  • Unspecified: Not specified, muted by default.
  • Activated: All system error dialogs, such as crash and app not responding (ANR), are displayed.
  • Mute: All system error dialogs, such as crash and app not responding (ANR), are blocked. When a dialog is blocked, the system forcibly stops the app as if the user had closed the app from the user interface.

System navigation    Unspecified    Indicates which navigation functions are enabled in kiosk mode (e.g. Home, overview keys).

This option controls whether users can access the system navigation buttons to ensure that they cannot navigate out of kiosk mode or access other apps.

  • Unspecified: Not specified, disabled by default.
  • Activated: Home and overview buttons are enabled.
  • Disabled: The Home and Overview buttons cannot be accessed.
  • Home-button only: Only the home button is enabled.

Status bar    Unspecified    Specifies whether system information and notifications are disabled in kiosk mode.

This setting hides the status bar to prevent users from accessing system information and notifications that could take them out of kiosk mode or distract them.

  • Unspecified: Not specified, notifications and system information disabled by default.
  • Notifications and system information enabled: System information and notifications are displayed in the status bar in kiosk mode.
  • Notifications and system information disabled: System information and notifications are disabled in kiosk mode.
  • System information only: Only system information is displayed in the status bar.

Device settings    Unspecified    This option allows or prevents access to the device settings to ensure that users cannot change the device's settings.
  • Unspecified: Not specified, allowed by default.
  • Allowed: Access to the settings app is allowed in kiosk mode.
  • Blocked: Access to the settings app is not allowed in kiosk mode.

Various
Automatic date & time zone    Unspecified    Specifies whether automatic date, time and time zone are enabled on a company-owned device.

This setting ensures that the device automatically sets the correct time and time zone based on the location to ensure that all time displays are correct and synchronized, especially when travelling or changing locations.

  • Unspecified: This value is ignored. By default, the user's choice is used.
  • User choice: The automatic date, time and time zone are left to the user's choice.
  • Force automatically: Force the automatic date, time and time zone on the device.

Disable screen capture    If activated, the screenshot function is deactivated.

This setting prevents users from recording the device screen to protect sensitive information from unauthorized recording and distribution. It is particularly important for compliance with data protection and security guidelines.

Disable camera    If activated, the camera is deactivated.

This setting allows you to completely disable the device's camera to increase privacy and security, especially in sensitive environments where no image or video recording is permitted.

Disable the volume setting    If activated, the adjustment of the main volume is deactivated.

This option restricts users from changing the main volume of the device to ensure a consistent volume setting. This can be useful in certain environments such as schools or conference rooms to minimize interference.

Prevent microphone from being switched on    When activated, the microphone is muted and the microphone volume cannot be adjusted.

This setting ensures that the device's microphone remains muted to prevent unauthorized listening in or recording of conversations and ambient noise, which is particularly important in safety-critical areas.

Disable easter eggs    If activated, the Easter egg game is deactivated in the settings.

This option blocks hidden games or gimmicks that are built into operating systems as “Easter eggs”.