Configuration Android profile

Preamble

Overview of profile management

Android profile configuration

Preamble

Overview of profile management

Android profile configuration

General Options

Profile tile

Copy & paste of profiles

Restrictions

Personal use

Passcode

Applications

Compliance

Sicherheit / VPN

General Options

Profile tile

Copy & paste of profiles

General

Basic settings

Restrictions

Personal use

Passcode

Applications

Networks

Status reporting

Compliance

Sicherheit / VPN

Localize

Profile-Options

Details displayed in the profile tile:

Profile information

Notes on using login providers

VPN-Konfigurationen

Profile-Options

Details displayed in the profile tile:

Profile information

Notes on using login providers

VPN-Konfigurationen

Manage Android profiles in the Mobile Security Portal

New article with version: 1.28

notempty

This article refers to a Resellerpreview

-

In a profile permissions, restrictions, password requirements, email settings and security settings are configured.
Several users or user groups (roles) can be assigned to a profile.
Several devices or device groups (devices designated by tags) can be assigned to a profile.

notempty

For a large number of devices and users it is recommended to map the assignment via groups.

Device registration is directly tied to a profile
A profile must be created first' (and configured) before a device can be registered

In Android Enterprise profiles, numerous security-relevant settings can be made, e.g.

Disable Kamara
Disable microphone
Disable USB file transfer
Disable outgoing calls
Disable Bluetooth
Disable contact sharing
Disable tethering
Disable sms
Enable network only with VPN
and much more.

notempty

Android Enterprise Profiles are used immediately and do not need to be published!

Outdated Android profiles behave fundamentally different than Android Enterprise Profiles (EMM)
It is no longer possible to assign a profile to a role, user or tag

In the profile overview new profiles can be created, existing ones can be edited and deleted. The view of the profiles can be displayed in the list or tile view. You can also view details of existing profiles, update the list of profiles, and publish profiles.

Overview of profile management iOS

Overview of profile management Android

Name

Sorts the tiles by profile name

Priority

Sorts the tiles according to the priority of the profile

Ascending

Sorts the tiles in ascending or descending order according to the selected criterion

Search

Filters on profile tiles that contain the search text

Add profile

Creates a new profile. The settings in the profile vary depending on the operating system.

Import profile

Existing profiles that were previously exported from the Securepoint Mobile Security Portal can be imported here

Hide generated profiles

Hides the generated profiles

Show / hide details: For a large number of profiles, it can be useful to hide the most important details for clarity.

/

Switch between lists and grid view

Refreshes the display

The button at the top right of each profile tile provides the following options:

Edit

Editing the settings (see below)

Copy

Copying the profile to the clipboard

Export

Exporting the settings

Delete

Deletes one or more selected profiles

Updated

Changes have been made to the profile that have not yet been published!

Partially installed

Not all sub profiles were able to be installed

Type

Profile type (see below)

Roles

Users

User

Devices

Click on the logo of the profile tile to mark one or more profiles In the general options, another field now appears under the filter mask:

Action for selected items

Please choose

Execute the selected action with Ok

Copy

Copies one or more selected profiles to the clipboard

Delete

Deletes one or more selected profiles

Paste

Inserts a copy of a profile from the clipboard

This also works from one tenant / customer to another as long as they are assigned to the same reseller account

Basic settings Basic settings
Caption	Value	Description	Basic settings
Maximum time to lock	120	This setting allows you to limit the maximum screen lock time that can be selected. The default setting is 10 minutes. (=600 sec.). Only values that are below 600 seconds are realised. Input in seconds.
Encryption	Deaktiviert	Es wird keine Verschlüsselung verwendet.
	Aktiviert ohne Passwort	Verschlüsselung ist erforderlich, jedoch wird kein Passwort zum Booten benötigt. Encryption takes place at the file system level and prevents data from being read when physically accessing a locked device (turned off or not booted yet). It prevents 'not reading data from an unlocked device. Activating this option also deactivates the possibility to restart the device in "safe mode". In addition, a pin or password with the option "Safe start" is required as display lock. This means that the pin or password must be entered before the device is started. This means that no calls, messages or notifications (including wake-up calls) can be received before the device is unlocked and started.
	Enable with password	Requires a password before starting the device to override encryption. Encryption takes place at the file system level and prevents data from being read when physically accessing a locked device (turned off or not booted yet). It prevents 'not reading data from an unlocked device. Activating this option also deactivates the possibility to restart the device in "safe mode". In addition, a pin or password with the option "Safe start" is required as display lock. This means that the pin or password must be entered before the device is started. This means that no calls, messages or notifications (including wake-up calls) can be received before the device is unlocked and started.
Stay on plugged modes	AC-Ladegerät Kabelloses Ladegerät	The battery charge mode should have no effect on whether the device remains switched on. Ignorieren: Dieser Wert wird ignoriert AC-Ladegerät: Bleibt eingeschaltet, wenn die Energiequelle ein Ladegerät ist USB: Bleibt eingeschaltet, wenn die Energiequelle ein USB Port ist Kabelloses Ladegerät: Bleibt eingeschaltet, wenn die Energiequelle kabellos ist

Sustained preferred activities
Sustained preferred activities	Add activity	Opens the section for setting the default intent handler activities
Receiver activity	Receiver activity	Enter the activity that should be the default intent handler. Either the Android component name (com.android.enterprise.app/.MainActivity) or the app package name. Android device policy selects an appropriate activity from the app.
Actions	Add actions	Select the intentional actions to be matched in the filter. If no action is selected, the intentional action will be ignored.
Categories	Add categories	Select the intent categories to match in the filter. An intent contains the required categories, all of which must be included in the filter to match. In other words, adding a category to the filter will not affect the match unless that category is specified in the intent.

Setup actions
Setup actions	Add action	Opens the section for setting the actions to be performed during the installation process
Title	Title	Enter the title, name of the action
Description	Description	A description of the action
Launch the app	Package name	Package name of the app to be launched during setup

Device Owner lockscreen info
Activate lockscreen info		Information is to be displayed in the lock screen.
Device Owner lockscreen info	Property of TTT-Point GmbH. Support: +49 4131 - 2401-0	The device owner information to be displayed on the lock screen. The maximum message length is 4096 characters.

Caption

Value

Description

Restrictions within an Enterprise Profile

Support Messages

Short support message

Deactivated by the IT department of ttt-Point AG

A message that is displayed to the user on the settings screen when the functionality has been disabled by the administrator. The maximum message length is 4096 characters.

Short support message. Change to long support message with Learn more

Long support message

Deactivated by the IT department of ttt-Point AG due to general security precautions. If you have any questions, please contact Support at: +49 4131-2401-0

A message displayed to the user. The maximum message length is 4096 characters. See figure above.

Permitted input methods

Add package name

If available, only the input methods provided by packages in this list are allowed. If this field exists, but the list is empty, only system input methods are allowed.

Approved input support services

Add package name

Specifies the allowed input accessibility services. If the field is not set, any input accessibility service can be used. When the field is set, only the input assistance services included in this list and the input assistance services integrated in the system can be used. In particular, if the field is empty, only the system's built-in input accessibility services can be used.

Accounts to unlock after factory reset

it-intern@anyideas.de

Factory Reset Protection (FRP). Email addresses of device administrators to protect against resetting to factory defaults. When the device is reset to factory defaults, one of these administrators must log in with the Google Account email address and password to unlock the device. If no administrators are specified, the device provides no protection against resetting to factory defaults.

Location mode

Unspecified

Der Grad der Standorterkennung ist aktiviert. Der Benutzer kann den Wert ändern, es sei denn, der Benutzer kann nicht auf Geräteeinstellungen zugreifen.

Unspecified	The current device value is not changed. The user can change the value unless the user cannot access device settings.
User choice	The location setting is not restricted on the device. No specific behavior is set or enforced.
Forced	Activates the location setting on the device
Disabled	Disables the location setting on the device

Disable screen capture

In order to provide data protection, it should not be possible to take screenshots. This also includes blocking screen sharing applications and similar applications (e.g. Google Assistant) that use the system's screenshot functions.

Disable camera

The camera should be deactivated by default.

Account types with management disabled

Account types that cannot be managed by the user

Disable adding users

Shows whether adding new users and profiles is disabled

Disable the volume setting

Shows whether adjusting the main volume is disabled

Deactivate factory reset

The reset to factory settings should be deactivated.

Disable mounting physical media

The mounting of external physical media by the user is to be deactivated.

Disable modifying accounts

Add or remove accounts should be disabled.notempty

If this item is not enabled, the user can create another Google Account, log into the Playstore and install any software.

Deactivate key lock

Indicates whether the key lock is deactivated

Disable Bluetooth contact sharing

No contact data should leave the device via Bluetooth.

Disable Bluetooth configuration

The Bluetooth configuration should be deactivated.

Disable cell broadcast configuration

The configuration of Cell Broadcast should be disabled.

Disable credentials configuration

The configuration of user credentials should be disabled.notempty

If disabled, certificates can no longer be installed. If these security settings are to be used, it is recommended to deactivate the configuration of the login credentials only after the security settings have been implemented on all devices.

Disable mobile network configuration

The configuration of mobile radio networks should be disabled.

Disable VPN configuration

The configuration of VPN should be disabled.

Disable airplane mode notempty

New as of 1.18

Disabled

Controls the current status of flight mode and indicates whether the user can turn it on or off. notempty

Available from Android 9 or higher

Whether deactivation is necessary depends on local requirements.

Unspecified	The current device value is not modified. The user can enable or disable the flight mode.
User choice	The user can enable or disable the flight mode.
Disabled	The flight mode is deactivated. The user is not allowed to activate the flight mode.

Disable creating windows

Specifies whether creating windows next to app windows is disabled.

Disable resetting network settings

Indicates whether network settings reset is disabled.

Disable sending via NFC

The use of NFC to transfer data from apps should be disabled.

Disable outgoing calls

Indicates whether outgoing calls are disabled.

Disable the removal of users

Shows whether the removal of other users is disabled.

Disable location sharing

Indicates whether location sharing is disabled.

Disable SMS

Shows whether sending and receiving SMS messages is disabled.

Prevent microphone from being switched on

Shows whether the microphone is muted and the microphone volume cannot be adjusted.

USB data access notempty

New as of:1.24

Allow all

Controls what files and/or data can be transferred via USB. notempty

Does not impact charging functions.

notempty

Supported only on company-owned devices.

Unspecified	Unspecified. Defaults to "Disallow file transfer"
Allow all	All types of USB data transfers are allowed.
Disallow file transfer	Transferring files over USB is disallowed. Other types of USB data connections, such as mouse and keyboard connection, are allowed.
Disallow all data transfer	When set, all types of USB data transfers are prohibited. Supported for devices running Android 12 or above with USB HAL 1.3 or above.

Tethering Einstellungen notempty

Aktualisiert

Unspecified

Die Konfiguration von Tethering (z. B. WLAN-Tethering oder Bluetooth-Tethering) kann eingeschränkt werden.

Unspecified	Entspricht der Einstellung Alles erlauben Wurde dieser Wert noch nicht aktiv gesetzt wird der Wert aus der veralteten Einstellung tetheringConfigDisabled in das neue Feld TetheringSettings übernommen. Dessen Default Wert war false. Achtung: Doppelte Verneinung: »Deaktivierung der Einstellung = falsch« bedeutet: Einstellung erlaubt. Das neue Feld zeigt Nicht spezifiziert an, wenn der Wert im ursprünglichen Feld nie gesetzt wurde (also noch im Default Zustand ist). Wurde der ursprüngliche Wert auf tetheringConfigDisabled == true gesetzt, erhält neue Feld TetheringSettings den Weret 'DISALLOW_ALL_TETHERING
Allow all	Alle Formen des Thethering sind erlaubt
WLAN Thethering verbieten	Alle Formen des Thethering, ausgenommen WLAN-Tethering, sind erlaubt
Tethering verbieten	Alle Formen des Thethering sind verboten

WLAN Konfigurieren notempty

Aktualisiert

Unspecified

Konfiguration von WLAN-Netzen durch Anwender

Unspecified	Entspricht der Einstellung Alles erlauben Wurde dieser Wert noch nicht aktiv gesetzt wird der Wert aus der veralteten Einstellung wifiConfigDisabled in das neue Feld ConfigureWifi übernommen. Dessen Default Wert war false. Achtung: Doppelte Verneinung: »Deaktivierung der Einstellung = falsch« bedeutet: Einstellung erlaubt. Das neue Feld zeigt Nicht spezifiziert an, wenn der Wert im ursprünglichen Feld nie gesetzt wurde (also noch im Default Zustand ist). Wurde der ursprüngliche Wert auf wifiConfigDisabled == true gesetzt, erhält neue Feld ConfigureWifi den Weret 'DISALLOW_CONFIGURING_WIFI
Allow all	Die WLAN Konfiguration ist vollständig erlaubt
WLAN Konfiguration hinzufügen verbieten	Das Hinzufügen neuer WLAN-Konfigurationen ist nicht zulässig, es kann nur zwischen bereits konfigurierten Netzwerken gewechselt werden
WLAN Konfiguration nicht zulassen	Verhindert die Konfiguration von WLANs

Disable setting user icon

Indicates whether changing the user icon is disabled.

Disable the background settings

Shows whether changing the background image is disabled.

Disable roaming

Indicates whether roaming data services are disabled.

Disable the Network Escape Hatch

Indicates whether the Network Escape Hatch is enabled.

If a network connection cannot be established at boot time, the Escape Hatch prompts the user to temporarily connect to a network to update the device policy. After applying the policy, the temporary network is forgotten and the device continues booting. This prevents not being able to connect to a network if there is no suitable network in the last policy and the device launches an app in task lock mode or the user cannot otherwise reach the device settings.

Disable Bluetooth

Shows whether Bluetooth is disabled. This setting is preferable to Bluetooth Configuration because Bluetooth Configuration can be bypassed by the user.

Disable easter eggs

Whether the user is allowed to have fun. Controls whether the easter egg game is disabled in the settings.

Automatic date & time zone

Unspecified

Indicates whether automatic date, time, and time zone are enabled on a company-owned device.

Unspecified	This value is ignored. By default, the user's choice is used.
User choice	The automatic date, time and time zone are left to the user's choice.
Force automatically	Force the automatic date, time and time zone on the device.

Activate the custom kiosk launcher

Indicates whether the custom kiosk launcher is enabled.

This replaces the home screen with a launcher that locks the device to the apps installed via the application setting. The apps are displayed on a single page in alphabetical order. It is recommended to disable the status bar to block access to the device settings.

Skip hints on first user

Flag to skip first time use hints. The company administrator can enable the system recommendation for apps to skip the user tutorial and other introductory notes on first launch.

Enable private key selection

Allows the user interface to be displayed on a device so that a user can select a private key alias if there are no matching rules in ChoosePrivateKeyRules. For Android P devices, this setting can attack company keys.

Disable keyguard

Camera Ignore trust agents Remote input

Functions that are not available to the user in the lock screen.

System Update

Activate the status message

After you have activated this, you can set the system update configuration.

Update type

Unspecified

The type of system update to configure.

Unspecified	Follow the default update behavior for the device that normally requires the user to accept system updates.
Automatic	Automatically install when an update is available.
In window	Automatic installation within a daily maintenance window. This also configures Play apps to be updated within the window. This is highly recommended for kiosk devices, as it is the only way that apps that remain permanently in the foreground can be updated by Play.
Delay	Delay the automatic installation for a maximum of 30 days.

Start
Only with update type in window

0

If the type is windowed, the start of the maintenance window, measured as the number of minutes after midnight in the device's local time. This value must be between 0 and 1439, inclusive.

End
Only with update type in window

0

If the type is WINDOWED, the end of the maintenance window, measured as the number of minutes after midnight in device's local time. This value must be between 0 and 1439, inclusive. If this value is less than start_minutes, then the maintenance window spans midnight. If the maintenance window specified is smaller than 30 minutes, the actual window is extended to 30 minutes beyond the start time.

Freeze periods

Add period

An annually recurring period of time when over-the-air (OTA) system updates are pushed to freeze the operating system version running on a device. To prevent the device from freezing indefinitely, each freeze period must be at least 60 days apart.

Start

Start of the period

End

End of period

Rules for private keys

Add rule

Rules for automatically selecting a private key and certificate to authenticate the device to a server. The rules are ordered by priority. Thus, if an outgoing request matches more than one rule, the last rule defines which private key to use.

URL-pattern

The URL pattern to match with the URL of the outgoing request. The pattern may contain wildcards with asterisks (*). Any URL matches if it is not specified.

Package names

Paketnamen hinzufügen

The package names for which outgoing requests are subject to this rule. If no package names are specified, the rule applies to all packages. For each listed package name, the rule applies to that package and all other packages that used the same Android UID. The SHA256 hash of the signature key signatures of each package name is compared to those provided by Play.

Alias for private key

Alias

Der Alias des zu verwendenden privaten Schlüssels.

Untrusted apps policy

Unspecified

The policy for untrusted apps (apps from unknown sources) enforced on the device.

Unspecified	Not specified. Not allowed by default.
Allow only in personal profiles	For devices with work profiles, allow untrusted app installs in the device's personal profile only.
Do not allow	Default. Prohibit untrusted app installations on the entire device.
Allow	Allow untrusted app installations on the entire device.

Force app verification through 'Google Play Protect'

Unspecified

Specifies whether app verification is enforced by 'Google Play Protect'.

Unspecified	Unspecified. Defaults to enforced.
Forced	Default. Force app verification.
User choice	Allows the user to choose whether to enable app verification.

Developer settings

Unspecified

Controls access to developer settings: Developer Options and Safe Launch.

Unspecified	Not specified. Disabled by default.
Disabled	Default. Disables all developer settings and prevents the user from accessing them.
Allowed	Allows all developer settings. The user can access and optionally configure the settings.

Common Criteria mode

Unspecified

Controls Common Criteria mode - security standards defined in the Common Criteria for Information Technology Security Evaluation (CC).

Enabling Common Criteria mode increases certain security components on a device, including AES-GCM encryption of Bluetooth long keys and Wi-Fi configuration warning: Common Criteria mode enforces a strict security model that is normally only required for IT products used in national security systems and other highly sensitive organizations. The use of standard devices may be affected. Activate only when required.

Unspecified	Not specified. Disabled by default.
Disabled	Default. Disables the Common Criteria mode.
Activated	Activates the Common Criteria mode.

Personal apps that can read work notifications

Add package name

Personal apps that can read work profile notifications with a NotificationListenerService. By default, no personal apps (except system apps) can read work notifications. Each value in the list must be a package name.

Power-Button-Actions

Unspecified

Sets the behavior of a device in kiosk mode when a user presses and holds the On / Off button.

Unspecified	Not specified, available by default.
Verfügbar	The on / off menu (e.g. switch off, restart) is displayed when a user holds down the on / off key of a device in kiosk mode.
Blocked	The On / Off menu (e.g. power off, restart) is not displayed if a user holds down the On / Off button of a device in kiosk mode. Note: This may prevent users from turning off the device.

System error warnings

Unspecified

Specifies whether to block system error dialogs for crashed or unresponsive apps in kiosk mode.

Unspecified	Not specified, muted by default.
Activated	All system error dialogs like crash and app not responding (ANR) are displayed.
Mute	All system error dialogs like crash and unresponsive app (ANR) are blocked. When it is blocked, the system forcibly stops the app as if the user closes the app from the user interface.

System navigation

Unspecified

Indicates which navigation functions are enabled in kiosk mode (e.g. Home, overview keys).

Unspecified	Not specified, disabled by default.
Activated	Home and overview buttons are enabled.
Disabled	The Home and Overview buttons cannot be accessed.
Home-button only	Only the home-button is enabled.

Status bar

Unspecified

Specifies whether system information and notifications are disabled in kiosk mode.

Unspecified	Not specified, notifications and system information disabled by default.
Notifications and system information enabled	System information and notifications are displayed in the status bar in kiosk mode
Notifications and system information disabled	System information and notifications are disabled in kiosk mode.
System information only	Only system information is displayed in the status bar.

Device settings

Unspecified

Specifies whether a user can access the app settings of the device in kiosk mode.

Unspecified	Not specified, allowed by default.
Allowed	Access to the settings app is allowed in kiosk mode.
Blocked	Access to the settings app is not allowed in kiosk mode.

Caption

Value

Description

Personal use

Activate

Activation allows you to configure the personal use of the Android device.

Disable camera

The camera should be deactivated by default.

Disable screen capture

In order to provide data protection, it should not be possible to take screenshots. This also includes blocking screen sharing applications and similar applications (e.g. Google Assistant) that use the system's screenshot functions.

Account types with management disabled

Account types that cannot be managed by the user

Max. days without work

0

Controls how long the work profile can remain off.

Personal Play Store mode

Nicht spezifiziert

Used together with "Personal apps" to control how apps are allowed or blocked in the personal profile.

Nicht spezifiziert	Not specified. Block list by default.
Allow/Approval list	Only apps that are explicitly specified in "Personal apps" and whose "Installation type" is set to "Available" may be installed in the personal profile.
Blocklist	All Play Store apps can be installed in the personal profile, except for those whose installation type is "Blocked" under "Personal apps".

Personal applications

Add applications

Guidelines for apps in the personal profile of a company-owned device with a work profile.
Each click on the button adds a section Application by customizing an app.

Paketname

com.google.android.youtube Select application

The package name of the app. For example, com.google.android.youtube for the YouTube app.
Clicking on the button Select application opens the Google Play Store to select the app.

Installation type
Only appears when an app is selected in Package name.

Nicht spezifiziert

The way the installation is performed.

Nicht spezifiziert	Not defined. Equivalent to Available.
Block	The app is blocked and cannot be installed. If the app was installed using an old profile, it will be uninstalled.
Verfügbar	The app is ready for installation.

Cross-profile guidelines

Activate

Cross-profile policies applied to the device.

Show work contacts in personal profile

Erlaubt

Whether contacts stored in the work profile can be displayed in the contact search in the personal profile and on incoming calls.

Nicht spezifiziert	Not specified. Allowed by default.
Not allowed	Prevents contacts from the work profile from being displayed when searching for personal profile contacts and incoming calls.
Erlaubt	Default. Allows work profile contacts to appear when searching for personal profile contacts and incoming calls.

Cross-profile copy & paste

Not allowed

Whether text copied from one profile (personal or business) can be pasted into the other profile.

Nicht spezifiziert	Not specified. Not allowed by default.
Not allowed	Default. Prevents users from pasting text copied from the work profile into the personal profile. Text copied from the personal profile can be pasted into the work profile and text copied from the work profile can be pasted into the work profile.
Erlaubt	Text copied in one of the profiles can be pasted in the other profile.

Cross-profile data sharing

Refuse from business to personal profile

Whether data from one profile (personal or business) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste or connected work & personal apps, are configured separately.

Nicht spezifiziert	Not specified. Not allowed by default.
Not allowed	Prevents data from being passed from both the personal profile to the work profile and from the work profile to the personal profile.
Refuse from business to personal profile	Default. Prevents users from sharing work profile data with apps in the personal profile. Personal data can be shared with business apps.
Erlaubt	Data from one of the profiles can be shared with the other profile.

Caption

Value

Description

Password policies

Add policy

Password policies can be used for work profiles and fully managed devices.

Scope

The scope that the password requirement applies to.

Device

The policy applies only to fully managed devices

Work Profile

The policy only applies to work profiles

Both

The policy applies to fully managed devices as well as devices with a work profile.

Passcode quality

Complex

The required password quality.

Nicht spezifiziert	There are no password requirements.
Biometric	The device must be secured with at least low security biometric detection technology. This includes technologies that can recognize the identity of a person corresponding to a three-digit PIN (misidentification is less than 1 in 1,000).
Something	A password is required, but there are no restrictions on what the password must contain.
Numeric	The password may only consist of digits.
Numeric (complex)	The password may only consist of digits that do not contain repetitive (4444) or ordered (1234, 4321, 2468) sequences.
Alphabetic	The password must consist only of alphabetical characters (or symbols).
Alphanumeric	The password must consist of both digits and alphabetical characters (or symbols).
Complex	The password must contain at least a letter, a number and a special symbol. Other password restrictions, such as passwordMinimumLetters, are enforced.

Minimum length

0

The minimum allowed password length. A value of 0 means there is no restriction.
Only enforced when Passcode quality is Numeric, Numeric (Complex), Alphabetic, Alphanumeric, or Complex.

Minimum letters

0

Minimum number of letters in the password
Forced only if the Password quality is Complex.

Minimum lowercase letters

0

Minimum number of lowercase letters required in the password
Forced only if the Password quality is Complex.

Minimum uppercase letters

0

Minimum number of capital letters in the password
Forced only if the Password quality is Complex.

Minimum non letter characters

0

Minimum number of non-letters (numeric digits or symbols) required in the password.
Forced only if the Password quality is Complex.

Minimum numeric characters

0

Minimum number of digits in the password
Forced only if the Password quality is Complex.

Minimum symbols

0

Minimum number of symbols in the password
Forced only if the Password quality is Complex.

Password history length

0

The length of the password history. After setting this field, the user won't be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.

Maximum failed attempts

10

Number of permitted input attempts before all data on the device is deleted.

Validity

0

A duration in days until the password must be changed. A value of 0 means that the password never needs to be changed.

Password unlock required

The amount of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that can be unlocked using another authentication method (e.g., fingerprint, trusted agent, face). After the specified period, only strong authentication forms can be used to unlock the device or work profile.

Nicht spezifiziert

Not specified. By default, the device-timeout is used.

Device-timeout

The timeout is set to the default setting of the device.

Daily

The timeout is 24 hours.

Caption

Value

Description

Applications

Add applications

Adds apps to this profile notempty

Apps on EMM-managed devices are configured within the profiles!

Package name

com.google.android.youtube Select application

Package name of the application

Install type

Pre install

The way the installation is performed.

Pre install	The app is installed automatically, but can be removed by the user.
Force install	The app is installed automatically and cannot be deleted by the user.
Block	The app is blocked and cannot be installed. If the app was installed using an old profile, it will be uninstalled.
Available	The app is ready for installation.
Required for setup	The app is installed automatically, cannot be deleted by the user, and prevents the device from being set up until the app is installed.
Kiosk	The app is automatically installed in kiosk mode: it is set as the prefered home intention and set to white list for lock-task mode. The device setup will not be completed until after the app has been installed. After installation, users can only use this app, which starts automatically and can no longer be removed. You can only set this installType for one application per policy. If this is present in the policy, the status bar is automatically disabled.

Default permission policy

Prompt

The default policy for all permissions requested by the app. If set, overrides the default policy-level permission policy that applies to all apps. It does not override the global permission grant, which applies to all apps.

Not specified	Policy not specified. If no policy is specified for a permission at any level, 'Prompt' is used by default.
Prompt	Prompts the user to grant an authorization.
Grant	Grant authorization automatically
Deny	Deny authorization automatically

Permissions

Add permission

Grants explicit permission or denial for the app. These values override the default permission policy and global permission restrictions that apply to all apps.

Permission

The Android permission or group, for example android.permission.READ_CALENDAR or android.permission_group.CALENDAR.

Not specified	Policy not specified. If no policy is specified for a permission at any level, 'Prompt' is used by default.
Prompt	Prompt the user to grant permission.
Grant	Grant permission automatically
Deny	Deny permission automatically

Policy

Not specified

The policy for granting authorization.

If necessary, further authorizations must be granted or denied here.
Note: In the »Approval« field, only the authorizations that the respective app requires and is usually required for proper operation appear. It is recommended to grant necessary permissions in advance and to allow all other permissions only on request (prompt). The »deny« option should only be used for selected authorizations where it is clear that the desired function of the app is not affected by this.

Managed configuration

Manage configuration

Managed configuration applied to the app. The format for the configuration depends on the ManagedProperty values supported by the app. Each field name in the managed configuration must match the key field of the managed property. The field value must be compatible with the ManagedProperty type.

Managed Configuration Template

Manage configuration template

This field is ignored if the managed configuration is set.
Calls up a template from the app manufacturer in which various parameters can be transferred to the app, depending on what the manufacturer specifies. These can be fixed parameters and variables in email apps:

Example for Gmail app:
Email Address	$emailaddress$	Variable
Hostname or Host	m.google.com	Fixed parameter Example: Hostname of the mail server for Gmail accounts
Username	$emailaddress$	Variable (for Gmail accounts the username is the email address.) With other accounts / apps the variable $username$ can be used here.

notempty

For a correct function, the button Substitute Wildcard variables (see below) must be activated !

The values are taken from the user settings of the user to whom the respective device is assigned

Variable name in profiles	Description	Example
$username$ alternative names: %device_user% %device_user_username%	Username	jdoe
$emailaddress$ alternative name: %device_email%	Email address	jdoe@ttt-point.de
$firstname$ alternative name: %device_user_firstname%	First name	John
$lastname$ alternative name: %device_user_lastname%	Last name	Doe
$name$ alternative name: %device_user_name%	First name and surname	John Doe
$variable1$ alternative name: %variable1%	custom value	jdoe/ttt-point.local
$variable2$ alternative name: %variable2%	custom value
$variable3$ alternative name: %variable3%	custom value
$device_name$ alternative name: %device_name%	Only for iOS: The name assigned on the phone (see: Settings → General → Info → Name) This variable can also be used in iOS profiles in the Shared device section	Cell phone from Markus Müller
$device_alias$ alternative name: %device_alias%	Only for iOS: The alias assigned in the portal. If the alias is not assigned, the device_name is displayed. This variable can also be used in iOS profiles in the Shared device section	Tablet Storage1
Defining the values in the user administration in the portal under: General Users or for the device alias in the device tile. To avoid input errors, different variable names are possible for compatibility reasons. A distinction between Android and iOS is no longer necessary.

Disabled

Whether the app is disabled. When deactivated, the app data is still retained.

Minimum version code

0

The minimum version of the app that will run on the device.

If set, the device will attempt to update the app to at least this version code. If the app is not up to date, the device contains a non-compliance detail with the non-compliance reason APP_NOT_UPDATED. The app must already be published in Google Play with a version code equal or greater than this value. A maximum of 20 apps can set a minimum version code per policy.

Delegate areas

The permissions selected here are delegated to the app by the Device Policy Controller.

Not specified	No delegation area specified.
Certificate installation	Provides access to the installation and management of certificates.
Managed configurations	Provides access to the management of managed configurations.
Block uninstall	Gives access to blocking the uninstallation.
Grant permission	Provides access to the permission policy and permission status.
Packet access	Gives access to the packet access status.
Enable system apps	Grants access to activate system apps.

Accessible Track IDs

List of track IDs of the app that an enterprise device can access. If the list contains multiple track IDs, devices get the latest version among all accessible tracks. If the list does not contain any track IDs, devices have access only to the production track of the app.

Connected Work & Personal App

Not specified

Controls whether the app can communicate with itself through a device's work and personal profiles with the user's permission.

Not specified	Not allowed by default
Not allowed	Default. Prevents cross-profile communication of the app.
Erlaubt	Allows the app to communicate across profiles after receiving the user's consent.

Login Provider notempty

New as of 2.1

Login Provider - Use Default Policy

This feature determines whether an app on Android 14 and above is allowed to function as a login provider for managing login credentials. It is relevant for apps that handle authentication or login data, such as password managers or multi-factor authentication apps.

Login Provider - Use Default Policy	The default login provider policy ( siehe unten) determines, whether this app can be used as the default login provider.
This app is allowed to act as a login provider	This app can function as a login provider regardless of global app settings.

Substitute Wildcard variables

(Default)

If activated , the content of the variables $username$ and $emailaddress$ is read from the user settings of the user to whom the respective device is assigned. A click box will appear in which all Users to which this function is to be applied must be selected.

An automatically generated profile is created for each user, but only the profile template can be edited.
If the button is deactivated again, the generated user profiles become editable profiles.

Automatic App Updates

Always

The policy enforced on a device to automatically update apps depending on the network connection: Apps should also be updated on devices that rarely or never return to a wireless network. The volume of data usually has little effect with standard volume tariffs.

Not specified	The auto-update policy is not set. Corresponds with the user selection.
User selection	The user can control the automatic updates.
Never	Apps are never updated automatically
Via WLAN only	Apps are only updated automatically via WLAN.
Always	Apps are updated automatically at any time. Data charges may apply.

Global default authorization policy

Not specified (prompt)

The default authorization policy for runtime authorization requests.

Not specified (prompt)	Policy not specified. If no policy is specified for a permission at any level, 'Prompt' is used by default.
Prompt	Prompt the user to grant permission.
Grant	Grant authorization automatically
Deny	Deny correction automatically

Disable installation of apps

notempty

If activated , no installations or Updates are possible. Also not via the portal!

Disable uninstalling apps

The user should not be able to uninstall any apps.

App Tracks

The app track that the device can access with the policy. The device receives the latest version of all available tracks. If no tracks are specified, the device uses only the production track.

Not specified	This value is ignored
Production	The production track, which offers the latest stable version.
Beta	The beta track, which contains the latest beta version.

Play Store Mode

Allow list

Only apps that are configured here in the policy are available. Any app not included in this policy will be automatically uninstalled from the device.

Blocklist means All apps in the Play Store are available, except for those configured here with Installation Type Block!

Global permission granting

Add permission

Explicit permission or group grant or deny for all apps. These values override the Default permission policy.

Permission

The Android permission or group, for example android.permission.READ_CALENDAR or android.permission_group.CALENDAR.

Policy

Not specified

The policy for granting authorization.

Not specified	Policy not specified. If no policy is specified for a permission at any level, 'Prompt' is used by default.
Prompt	Prompt the user to grant permission.
Grant	Grant permission automatically
Deny	Deny permission automatically

Login Provider Default Policy notempty

New as of 2.1

Not specified (Only apps with a login provider policy)

This feature determines whether an app on Android 14 and above is allowed to function as a login provider for managing login credentials. If it is relevant for apps that handle authentication or login data, such as password managers or multi-factor authentication apps.

Not specified (Only apps with a login provider policy)	Not specified. Only apps that have explicitly defined a login provider policy.
Only apps with a login provider policy	Only apps that have specified a login provider policy.
Only apps that have declared a login provider policy or OEM default login providers	Only apps with a declared login provider policy or those pre-defined by the OEM as default login providers are allowed.

notempty

New as of 2.1

Depending on the selected settings in the options Applications → Login Provider and Login Provider Default Policy various behaviors may arise:

Login Provider This app is allowed to act as a login provider : The user of the Android device can then use this app as a password manager
Login Provider Use Login Provider Default Policy and Login Provider Default Policy Not specified (Only Apps with login provider policy) or Only apps with login provider policy : The user cannot use this app
Login Provider Use Login Provider Default Policy (and the app complies with the OEM Standard) and Login Provider Default Policy Only apps with a Login Provider policy or OEM Standard Login Providers : The selected app, as well as apps classified by Google as login providers, can be used.

Networks Networks

Caption	Value	Description	Networks
Always on VPN
Enable "Always-On-VPN"		Always sets up a VPN. Enables further settings
Package name	de.securepoint.ms.agent	The package name of the VPN app.
Lockdown enabled		If the VPN is not connected, any network connection is prevented.
Recommended global proxy
Activate the global proxy		After activation, a global proxy can be set.
Host	Hostname	The host of the direct proxy.
Port	Port number	The port of the direct proxy.
Excluded host	Hostnames	For a direct proxy, the hosts for which the proxy is bypassed. The host names can contain wildcards such as * .example.com.
PAC URI	URI	The URI of the PAC script used to configure the proxy.
Network configuration
Network configurations	Add configuration	Configuring Access Profiles for WiFi Networks
Name	ttt-point Headquarters	The name of the configuration
Type	WiFi	The configuration type is predefined
Wifi
SSID	ttt-point-headquarter-WIFI	The SSID of the network
Security	WPA-PSK	High security level
Password	••••••••••	'Secure Password Even if it sounds trivial: WIFI.MyCompany.123 or Location.HouseNumber are no secure passwords! Also 1234 and abcd or qwerty are not really secure passwords!
Hidden SSID		Indicating if the SSID will be broadcast.
Autoconnect		The device should automatically connect to the network.

Status reporting Status reporting

Caption	Value	Description	Status reporting
Activate the status message		After activation, the configuration of the status reports can be set.
Hardwarestatus	Default	Indicates whether the hardware status message is enabled.
Application Reports	Default	Indicates whether app reports are enabled.
Software information	Default	Indicates whether software info reporting is enabled.
Working memory information		Indicates whether memory reporting is enabled.
Display information		Indicates whether the display of reports is enabled.
Network information	Default	Indicates whether the network info message is enabled.
Device Settings	Default	Indicates whether reporting is enabled for device settings.
Power Management Events		Indicates whether power management event reporting is enabled.

Rules can be defined for when the telephone or work profile is locked and when it is deleted (factory reset). The user is prompted to activate the selected policy on the device. Otherwise, the device / work profile will be blocked or set to factory defaults / deleted.

Caption

Value

Description

Compliance

Rules for enforcing the profile

Regel hinzufügen

A rule that defines the actions to be taken when a device or a work profile does not comply with the policy specified in "Setting name".

Preference name

Password policy

The password policies must be applied to the phone.

Block action

Block after x days

1

Number of days on which the policy is not compliant before the device or work profile is blocked. To block access immediately, the value is set to 0.

Block scope

Not specified

Specifies the scope of the blocking action. Applies only to devices owned by the company.

Not specified	Not specified. Work profile by default.
Work profile	The blocking action is applied only to apps in the work profile. Apps in the personal profile are not affected.
Device	The blocking action is applied to the entire device, including the apps in the personal profile.

Delete

Get factory reset protection

If enabled, the factory settings reset protection is preserved in the profile. In the event of theft or loss, you must first log into your Google Account before the device can be reset to factory defaults. This setting does not work with work profiles.

Wipe after x days

7

Number of days before the device or work profile is deleted if the policy (here: password policies) has not been implemented on the device. Delete must be greater than Block.

notempty

The Security tab is only available if a Mobile Security license is present.
EMM licenses do not have VPN functionality that enables these security functions.

Caption

Value

Description

Sicherheit / VPN

Allow Suspend Always-On-VPN

Allow other VPN profiles

Adding other VPN profiles in addition to the Securepoint Security profile shall not be allowed.

Authentifizierung nach App-Start erforderlich notempty

New as of 2.1

Requirement for this feature: App version 3.1

Wenn aktiviert, ist eine Authentifizierung (PIN oder biometrisch) beim App-Start erforderlich. Diese muss der User festlegen.

Activate Securepoint Mobile Security

With Activation, the Securepoint Mobile Security app is added or removed in the Applications tab and can be configured here.
This is required to configure the security settings.

Protocol

TCP

The protocol TCP or UDP used for the VPN tunnel

Portfilter Type

Open

Filter network traffic based on network ports.
Closed Open Selection

Port filter rule selection
Appears when Port filter type Selection is selected

Communication VPN

Specify which port collections are open for network traffic

Port-Collection	Port	Protocol	Application
Administrative Tools	21	TCP	ftp
	3389	TCP	ms-rdp
	23	TCP	telnet
	5900	TCP	vnc
	22	TCP	ssh
	5938	TCP/UDP	teamviewer
Communication	3478-3481	UDP	Skype
	49152-65535	UDP
	49152-65535	TCP
	5222	TCP	Google Push-Notifications
	5223	UDP
	5228	TCP
VOIP	5060	UDP	SIP/RTP
VOIP	7070-7089	UDP	SIP/RTP
VPN	1194	TCP	OpenVPN
	1194	UDP	OpenVPN
	500	UDP	IPSec
	4500	UDP & ESP	IPSec
	1701	UDP	L2TP
Mail	25	TCP	smtp
	587	TCP	smtp
	465	TCP	smtps
	110	TCP	pop3
	995	TCP	pop3
	143	TCP	imap
	993	TCP	imap

SSL-Interception

Default

SSL traffic from web pages listed in the content filter whitelist is not intercepted, other pages are checked using SSL interception.

Content-Filter Allowlist

Updates und wichtige Dienste

Click box: Web pages that are to be added to a whitelist. Possible entries: Contentfilter

Content-Filter Blocklist

HackingProxyThreat Intelligence Feed

Click box: Websites that are to be added to a blacklist.

Exclude local WLAN from VPN

If enabled , a route is added that excludes the local WLAN IP range from the tunnel

Disable VPN for SSIDs

SSIDs hinzufügen

Enter WiFi SSIDs for which the security features shall be disabled.

Exclude IP addresses from VPN

Add IPs

Enter IP addresses or networks for which the security functions are to be bypassed, i.e. the individual host 222.222.222/32 or the entire subnet 123.123.123.0/24. Use the cursor keys to navigate within the mask

Exclude apps from VPN

Add package name

Enter the package names of the apps that are to bypass the VPN service

notempty

New as of: 1.32

Zeigt eine Auflistung sämtlicher Roadwarrior-Verbindungen an, die mit diesem Profil verbunden sind.
Über können neue Verbindungen erstellt werden.
Weitere Informationen sind im folgendem Wiki-Artikel zu finden.

Roadwarrior:

Aliasname der Roadwarrior-Verbindung, das Transfernetz, die Core-UTM und die benutzten IPs.
Per Klick auf den Aliasnamen erfolgt eine Weiterleitung auf die entsprechende VPN-Konfiguration.

Autostart:

Bei Aktivierung wird diese Verbindung sofort gestartet, wenn sie als aktive Verbindung ausgewählt wird.
Bei einem Verbindungsabbruch wird sie automatisch neu gestartet.
Diese Einstellung kann auf dem Gerät vom Benutzer selbst anschließend verändert werden.

General
General

Description

General Settings

Displays or enter the profile name

Add devices

For existing profiles: if available, display of the assigned devices