Manage Android profiles in the Mobile Security Portal

Last adaptation to the version: 2.9

New: This article refers to a Beta version

Access: portal.securepoint.cloud > Mobile Security > Android > Profiles




Preamble

In a profile, permissions, restrictions, password requirements, email settings and security settings are configured.
Several users or user groups (roles) can be assigned to a profile.
Several devices or device groups (devices designated by tags) can be assigned to a profile.

Note: For a large number of devices and users it is recommended to map the assignment via groups.
  • Device registration is directly tied to a profile
  • A profile must be created (and configured) first before a device can be registered

In Android Enterprise profiles, numerous security-relevant settings can be made, e.g.

  • Disable camera
  • Disable microphone
  • Disable USB file transfer
  • Disable outgoing calls
  • Disable Bluetooth
  • Disable contact sharing
  • Disable tethering
  • Disable SMS
  • Allow network access only via VPN
  • and much more.

Note: Android Enterprise profiles take effect immediately and do not need to be published!
  • Legacy Android profiles behave fundamentally differently from Android Enterprise profiles (EMM)
  • For Android Enterprise profiles it is no longer possible to assign a profile to a role, user or tag
Overview of profile management

In the profile overview, new profiles can be created and existing ones edited or deleted. Profiles can be shown in a list or tile view. You can also view the details of existing profiles, refresh the list of profiles, and publish profiles.
Overview of profile management iOS
Overview of profile management Android

General Options

Name Sorts the tiles by profile name
Priority Sorts the tiles by the priority of the profile
Ascending Sorts the tiles in ascending or descending order according to the selected criterion
Search Filters for profile tiles that contain the search text
Add profile Creates a new profile. The settings in the profile vary depending on the operating system.
Import profile Existing profiles that were previously exported from the Securepoint Mobile Security Portal can be imported here
Hide generated profiles Hides the profiles generated from templates
Show details Show / hide details: with a large number of profiles, hiding the details can improve clarity
List view / Grid view Switches between list and grid view
Refresh Refreshes the display

Profile tile

Profile options
The button at the top right of each profile tile provides the following options:
  Edit Edit the settings (see below)
  Copy Copy the profile to the clipboard
  Export Export the settings
  Delete Delete the profile
  Note (new as of 2.5): Android profiles that have at least one assigned device cannot be deleted.
Details displayed in the profile tile:
  Updated Changes have been made to the profile that have not yet been published!
  Partially installed Not all sub-profiles could be installed
Profile information
  Type Profile type (see below)
  Roles Roles
  Users Users
  Devices Devices
  Tags Tags
  Parts List of the sub-profiles that make up the complete Mobile Security profile.

Copy & paste of profiles

Click on the logo of a profile tile to select one or more profiles. In the general options, another field then appears below the filter mask:
Action for selected items Please choose Executes the selected action with Ok
  Copy Copies the selected profiles to the clipboard
  Delete Deletes the selected profiles
  Note (new as of 2.5): Android profiles that have at least one assigned device cannot be deleted.
  Paste Inserts a copy of a profile from the clipboard
This also works from one tenant / customer to another, as long as both are assigned to the same reseller account.


Android profile configuration

General

General
Caption | Value | Description
General Settings
General settings with "Profile is a template" enabled
Name | Name | Displays the profile name or allows it to be entered
Profile is a template | Toggle | New as of 2.8
  • When enabled, user-specific profiles are generated for the selected users based on this template
  • In these generated profiles, the variables stored with the respective user are replaced automatically
  • In addition, certificates for WPA2-Enterprise / Open Network Configuration are replaced automatically
  Note: If this switch is disabled again, no further changes can be made to the already generated device profiles via this template!
Devices
Shown as long as "Profile is a template" is disabled
Add devices | | For existing profiles: displays the assigned devices, if any
Users
New as of 2.8. Shown as long as "Profile is a template" is enabled
Add users | | One profile is generated for each user.

Basic settings

Basic settings
Caption | Value | Description
Basic settings
Maximum time to lock | 0 |
  • Maximum time in seconds of user inactivity until the device is locked
  • This limits the time that can be set by the user
  • A value of 0 means that there is no restriction
  • This setting helps to increase the security of the device by locking it automatically if it is not used for the set period
  • Only values below 600 seconds are applied
Factory reset behaviour | Select flags | New as of 2.10. For Android devices with version 15 or higher.
  Here you can define which data is deleted when the device is reset to factory settings.
  Options: Delete eSIMs
Encryption | Deactivated |
  • Activates encryption
  • Encryption protects the data stored on the device
  • This is an important security measure to protect sensitive information from unauthorised access
  Deactivated No encryption is used.
  Activated without password Encryption is required, but no password is needed for booting.
  Enable with password A password is required before the device boots in order to unlock the encrypted storage.
  For both activated options: encryption takes place at the file-system level and prevents data from being read when someone has physical access to a locked device (switched off or not yet booted). It does not prevent data from being read from an unlocked device. Activating this option also removes the possibility of restarting the device in "safe mode". In addition, a PIN or password with the option "Secure start-up" is required as the screen lock, so the PIN or password must be entered before the device starts. Consequently, no calls, messages or notifications (including alarms) can be received before the device has been unlocked and started.
Stay on plugged modes | AC charger, Wireless charger |
  • The charging modes in which the device stays switched on
  • When using this setting, it is recommended to disable the maximum time to lock (value 0) so that the device does not lock itself while it stays on
  • This can be useful to keep the screen active during charging for certain tasks or monitoring functions
    • Ignore: This value is ignored
    • AC charger: Stays on if the power source is an AC charger
    • USB: Stays on if the power source is a USB port
    • Wireless charger: Stays on if the power source is a wireless charger
Sustained preferred activities | Add activity |
  • Default intent handler activities. These activities are specific tasks or apps that are preferred for handling certain intents
  • The device keeps these preferred activities to ensure consistent and efficient execution of the corresponding functions
  Receiver activity | Receiver activity | Enter the activity that should be the default intent handler: either the Android component name (com.android.enterprise.app/.MainActivity) or the app package name. If only the package name is given, Android Device Policy selects a suitable activity from the app.
  Actions | Add actions | Select the intent actions to be matched by the filter. If no action is selected, the intent action is ignored when matching.
  Categories | Add categories | Select the intent categories to be matched by the filter. An intent includes the categories it requires, and all of them must be included in the filter to match. In other words, adding a category to the filter has no effect on matching unless that category is specified in the intent.
Setup actions | Add action |
  • Actions to be performed during the setup process
  • These can include steps such as setting up user accounts, configuring network settings or installing required applications and services
  • This ensures that the device is ready for operation and fully configured after setup
  Title | Title | The title or name of the action
  Description | Description | A description of the action
  Launch the app | Package name | Package name of the app to be launched during setup
Device Owner lockscreen info
Activate lockscreen info | Toggle | When enabled, the device owner information entered below is displayed on the lock screen.
Device Owner lockscreen info | Property of TTT-Point GmbH. Support: +49 4131 - 2401-0 | The device owner information to be displayed on the lock screen (the value shown is an example). The maximum message length is 4096 characters.

Restrictions

Restrictions
Caption | Value | Description
Support messages
Short support message | Short support message | A message that is shown to the user on the settings screen when a function has been disabled by the administrator. The maximum message length is 4096 characters.
Long support message | Long support message | A message shown to the user. The maximum message length is 4096 characters. See figure above.
Connections
Disable resetting network settings | Toggle | When enabled, resetting the network settings is disabled.
  This prevents users from resetting all network connections, including Wi-Fi, cellular and Bluetooth, and so ensures a stable network environment.
Disable mobile network configuration | Toggle | When enabled, the configuration of mobile networks is disabled.
  This prevents changes to mobile network settings such as APN settings and thus ensures a consistent network connection.
Disable cell broadcast configuration | Toggle | When enabled, the configuration of cell broadcasts is disabled.
  Cell broadcast is often used for emergency alerts; disabling its configuration prevents users from changing these settings.
Disable outgoing calls | Toggle | When enabled, outgoing calls are disabled.
  This can be used to prevent users from making unwanted or unauthorised phone calls.
Disable roaming | Toggle | When enabled, data roaming is disabled.
  This prevents the device from using data roaming services, which helps to avoid high roaming charges.
Disable SMS | Toggle | When enabled, sending and receiving SMS messages is disabled.
  This can be used to direct communication to other channels and to retain control over SMS traffic.
Configure Wi-Fi | Unspecified | Defines the permissions for the Wi-Fi configuration.
  Depending on the option selected, the user can control the Wi-Fi configuration completely, only to a limited extent, or not at all. This helps to control network access and prevent unauthorised Wi-Fi connections.
  Unspecified Corresponds to the setting "Allow all".
    If this value has not been set explicitly, the value of the obsolete setting wifiConfigDisabled is transferred to the new field ConfigureWifi:
    • Its default value was false.
      Attention, double negation: "disabling the setting = false" means the setting is allowed.
    • The new field shows "Unspecified" if the original field was never set (i.e. is still in its default state).
    • If the original value was set to wifiConfigDisabled == true, the new field ConfigureWifi receives the value DISALLOW_CONFIGURING_WIFI.
  Allow all Wi-Fi configuration is fully permitted
  Prohibit adding Wi-Fi configuration Adding new Wi-Fi configurations is not permitted; the user can only switch between networks that have already been configured
  Do not allow Wi-Fi configuration Prevents any configuration of Wi-Fi networks
Disable Bluetooth | Toggle | When enabled, Bluetooth is disabled.
  This setting is preferable to "Disable Bluetooth configuration", because disabling only the configuration can be bypassed by the user. This setting ensures that Bluetooth stays switched off completely.
Disable Bluetooth configuration | Toggle | When enabled, the Bluetooth configuration is disabled.
  This prevents users from changing the Bluetooth settings, which increases the security of the devices.
Disable Bluetooth contact sharing | Toggle | When enabled, Bluetooth contact sharing is disabled.
  Only for work profiles. This prevents contacts from being shared via Bluetooth, protecting privacy and data integrity.
Disable sending via NFC | Toggle | When enabled, using NFC to beam data from apps is disabled.
  This prevents users from sharing data via NFC, which increases the security of data transmission.

Disable airplane mode | Disabled | Controls the current state of airplane mode and whether the user may turn it on or off. Note: available from Android 9 or higher.
  • Whether disabling is necessary depends on local requirements.
  Unspecified The current device value is not modified. The user can enable or disable airplane mode.
  User choice The user can enable or disable airplane mode.
  Disabled Airplane mode is disabled. The user is not allowed to enable airplane mode.
Tethering settings | Unspecified | This policy defines the extent to which the user may use the various forms of tethering (e.g. Wi-Fi tethering or Bluetooth tethering).
  This helps to control and restrict the use of mobile data by other devices.
  Unspecified Corresponds to the setting "Allow all".
    If this value has not been set explicitly, the value of the obsolete setting tetheringConfigDisabled is transferred to the new field TetheringSettings:
    • Its default value was false.
      Attention, double negation: "disabling the setting = false" means the setting is allowed.
    • The new field shows "Unspecified" if the original field was never set (i.e. is still in its default state).
    • If the original value was set to tetheringConfigDisabled == true, the new field TetheringSettings receives the value DISALLOW_ALL_TETHERING.
  Allow all All forms of tethering are permitted
  Prohibit Wi-Fi tethering All forms of tethering except Wi-Fi tethering are permitted
  Prohibit tethering All forms of tethering are prohibited
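The migration of the obsolete boolean fields into the two enum fields, as described above for wifiConfigDisabled / ConfigureWifi and for tetheringConfigDisabled / TetheringSettings, is easy to get wrong because of the double negation. The following Python function is an added illustration of that logic and is not code from the Securepoint portal: it works on a plain dictionary that mirrors the field names on this page, treats both fields the same way, and only falls back to the legacy value when the new field is still unset. The enum spellings CONFIGURE_WIFI_UNSPECIFIED, TETHERING_SETTINGS_UNSPECIFIED and ALLOW_CONFIGURING_WIFI are assumptions (they follow the Android Management API naming); DISALLOW_CONFIGURING_WIFI and DISALLOW_ALL_TETHERING are the values named on the page.

```python
# Added example: folding the obsolete boolean restrictions into the newer enum
# fields. Field and enum names mirror this page; the *_UNSPECIFIED and
# ALLOW_* spellings are assumptions (Android Management API style).

LEGACY_TO_ENUM = [
    # (obsolete boolean field, new enum field, UNSPECIFIED value, DISALLOW value)
    ("wifiConfigDisabled", "configureWifi",
     "CONFIGURE_WIFI_UNSPECIFIED", "DISALLOW_CONFIGURING_WIFI"),
    ("tetheringConfigDisabled", "tetheringSettings",
     "TETHERING_SETTINGS_UNSPECIFIED", "DISALLOW_ALL_TETHERING"),
]


def migrate_legacy_restrictions(policy: dict) -> dict:
    """Return a copy of `policy` in which each obsolete boolean has been removed
    and, where necessary, translated into the corresponding enum field.

    Rules, as described on the page:
      * an explicit value in the new field wins; the legacy value is dropped
      * legacy field absent or False ("disabled = false", i.e. allowed)
        -> UNSPECIFIED, which the device treats as "allow all"
      * legacy field True -> the DISALLOW value
    """
    migrated = dict(policy)
    for legacy_field, new_field, unspecified, disallow in LEGACY_TO_ENUM:
        legacy_value = migrated.pop(legacy_field, None)
        if migrated.get(new_field, unspecified) != unspecified:
            continue  # administrator already chose a value in the new field
        migrated[new_field] = disallow if legacy_value is True else unspecified
    return migrated


def feature_fully_disallowed(policy: dict, new_field: str) -> bool:
    """True only when the migrated policy carries the explicit DISALLOW value.
    Everything else (UNSPECIFIED, ALLOW, or the partial 'prohibit adding' /
    'prohibit Wi-Fi tethering' options) still lets the user use the feature
    to some degree."""
    disallow_values = {disallow for _, field, _, disallow in LEGACY_TO_ENUM if field == new_field}
    return migrate_legacy_restrictions(policy).get(new_field) in disallow_values


# Constructed sample policies (not real exports) covering the three legacy states
# plus the case where the new field was already set explicitly.
SAMPLES = {
    "never_set": {},
    "explicit_false": {"wifiConfigDisabled": False, "tetheringConfigDisabled": False},
    "explicit_true": {"wifiConfigDisabled": True, "tetheringConfigDisabled": True},
    "new_field_wins": {"wifiConfigDisabled": True, "configureWifi": "ALLOW_CONFIGURING_WIFI"},
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, migrate_legacy_restrictions(sample))
```

Note that both "never set" and "explicitly false" end up as UNSPECIFIED: the page states that UNSPECIFIED corresponds to "allow all", so the only way to actually restrict the feature after migration is an explicit DISALLOW value.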
Disable the Network Escape Hatch | Toggle | Indicates whether the network escape hatch is disabled.
  If no network connection can be established at boot time, the escape hatch prompts the user to connect temporarily to a network in order to refresh the device policy. After the policy has been applied, the temporary network is forgotten and the device continues booting. This avoids the situation in which the device cannot connect to any network because the last policy contains no suitable network and the device starts an app in lock-task mode, or the user otherwise cannot reach the device settings.
Device protection
Accounts to unlock after factory reset | Select email address | Factory Reset Protection (FRP). Email addresses of device administrators that protect against a factory reset: after a factory reset, one of these administrators must sign in with the Google account email address and password to unlock the device. If no administrators are specified, the device has no protection against factory resets.
Disable mounting physical media | Toggle | When enabled, the user can no longer mount external physical media.
USB data access | Unspecified | Controls which files and/or data may be transferred via USB. Note: does not affect charging. Note: supported only on company-owned devices.
  Unspecified Unspecified. Defaults to "Disallow file transfer".
  Allow all All types of USB data transfer are allowed.
  Disallow file transfer Transferring files over USB is not allowed. Other types of USB data connection, such as mouse and keyboard, are allowed.
  Disallow all data transfer All types of USB data transfer are prohibited. Supported on devices running Android 12 or above with USB HAL 1.3 or above.
Deactivate keyguard | Toggle | Indicates whether the keyguard (lock screen) is disabled
Disable keyguard features | Select functions | Functions that are not available to the user on the lock screen.
Enable private key selection | Toggle | Allows a dialog to be shown on the device so that the user can choose a private key alias when no rule in the private key rules matches. Note: on devices below Android P, enabling this may leave enterprise keys vulnerable.
Rules for private keys | Add rule |
  • Rules for automatically selecting the private key and certificate with which the device authenticates to a server.
  • The rules are evaluated in order; if an outgoing request matches more than one rule, the last matching rule determines which private key is used.
  • This ordering makes the authentication behaviour predictable and consistent.
  URL pattern | URL pattern | The URL pattern matched against the URL of the outgoing request. The pattern may contain asterisks (*) as wildcards. If not specified, any URL matches.
  Package names | Add package names | The package names whose outgoing requests are subject to this rule. If no package names are specified, the rule applies to all packages. For each listed package name, the rule applies to that package and to all other packages that share the same Android UID. The SHA-256 hash of each package's signing certificate is checked against the one provided by Play.
  Alias for private key | Alias | The alias of the private key to be used.
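To make the evaluation order tangible, here is an added Python illustration (not Securepoint or Android code) of how a device resolves the rules above for one outgoing request: wildcard URL match, package filter including packages that share a UID, "last matching rule wins", and the fallback to the user-selection dialog only when "Enable private key selection" is on. The rule set, UID map and requests are constructed for the example; treating `*` as "any sequence of characters" is an assumption based on the page's wording, and the signing-certificate check against Play is out of scope here.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

# Added example of the private-key rule evaluation described on this page.
# Not portal code; rules, UID map and requests are constructed, and '*' is
# assumed to match any run of characters.


@dataclass(frozen=True)
class PrivateKeyRule:
    private_key_alias: str
    url_pattern: str = ""                 # empty -> matches every URL
    package_names: Tuple[str, ...] = ()   # empty -> applies to every package


def url_matches(pattern: str, url: str) -> bool:
    """Wildcard match: '*' stands for any sequence of characters, everything
    else is literal. An empty pattern matches any URL."""
    if not pattern:
        return True
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None


def package_covered(rule: PrivateKeyRule, package: str, uid_map: Dict[str, int]) -> bool:
    """A rule with no package names covers every app; otherwise it covers the
    listed packages and any package sharing their Android UID."""
    if not rule.package_names:
        return True
    uid = uid_map.get(package)
    for listed in rule.package_names:
        if listed == package:
            return True
        if uid is not None and uid_map.get(listed) == uid:
            return True
    return False


def choose_private_key_alias(
    rules: Sequence[PrivateKeyRule],
    url: str,
    package: str,
    uid_map: Optional[Dict[str, int]] = None,
    selection_ui_enabled: bool = False,
) -> Tuple[Optional[str], str]:
    """Resolve the alias for one outgoing request.

    Returns (alias, how): 'rule' when a rule decided, 'user-prompt' when no
    rule matched but the selection dialog is enabled, and 'denied' when no
    rule matched and the dialog is disabled."""
    uid_map = uid_map or {}
    chosen = None
    for rule in rules:  # later rules override earlier ones
        if package_covered(rule, package, uid_map) and url_matches(rule.url_pattern, url):
            chosen = rule.private_key_alias
    if chosen is not None:
        return chosen, "rule"
    if selection_ui_enabled:
        return None, "user-prompt"
    return None, "denied"


# Constructed rule set: a broad VPN rule first, a narrower mail rule last.
RULES = (
    PrivateKeyRule("corp-vpn", url_pattern="https://vpn.example.com/*"),
    PrivateKeyRule("mail-cert", url_pattern="https://*.example.com/*",
                   package_names=("com.example.mail",)),
)
# Constructed UID map: a helper process shares the mail app's UID.
UID_MAP = {"com.example.mail": 10042, "com.example.mailhelper": 10042,
           "com.example.browser": 10050}

if __name__ == "__main__":
    for pkg in ("com.example.mail", "com.example.mailhelper", "com.example.browser"):
        print(pkg, choose_private_key_alias(RULES, "https://vpn.example.com/login", pkg, UID_MAP))
```

The ordering matters: because both rules match a request from the mail app to the VPN host, the later "mail-cert" rule wins, which is the behaviour the page describes. Put the most specific rule last, and leave the selection dialog off unless you have a reason to let the user pick a key.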
Security guidelines
Untrusted apps policy | Unspecified | Determines whether users may allow the installation of apps from unknown sources.
  Prohibiting such apps protects the device from potentially harmful software that does not come from the official Play Store.
  Unspecified Not specified. Defaults to "Do not allow".
  Allow only in personal profiles On devices with a work profile, untrusted app installs are allowed in the personal profile only.
  Do not allow Default. Prohibits untrusted app installations on the entire device.
  Allow Allows untrusted app installations on the entire device.
Force app verification through Google Play Protect | Unspecified | Ensures that all apps installed on the device are regularly scanned and checked by Google Play Protect.
  Google Play Protect helps to detect and remove malicious apps and so supports the security and integrity of the device.
  Unspecified Unspecified. Defaults to enforced.
  Forced Default. App verification is enforced.
  User choice The user may choose whether to enable app verification.
Developer settings | Unspecified |
  • Controls access to the developer settings: developer options and safe boot
  • This setting controls whether users can access the device's developer settings
  • This includes options such as USB debugging and other developer options that are normally used for app development
  • Disabling these settings prevents users from making changes that could affect the security or performance of the device
  Unspecified Not specified. Defaults to disabled.
  Disabled Default. Disables all developer settings and prevents the user from accessing them.
  Allowed Allows all developer settings. The user can access and optionally configure them.
Common Criteria mode | Unspecified | Controls Common Criteria mode, i.e. security standards defined in the Common Criteria for Information Technology Security Evaluation (CC). Enabling this mode strengthens certain security components on the device, including AES-GCM encryption of Bluetooth long-term keys and the Wi-Fi configuration store.
  Warning: Common Criteria mode enforces a strict security model that is normally only required for IT products used in national security systems and other highly sensitive organisations. Normal device use may be affected. Enable only when required.
  Unspecified Not specified. Defaults to disabled.
  Disabled Default. Disables Common Criteria mode.
  Activated Enables Common Criteria mode.
Updates
System update | Toggle | When enabled, the configuration of system updates is activated.
  This option allows administrators to control when and how system updates are installed on the device, so that the device is kept up to date and secure.
  Update type | Unspecified | The type of system update to configure.
    Unspecified Follows the default update behaviour of the device, which normally requires the user to accept system updates.
    Automatic Installs automatically as soon as an update is available.
    In window Installs automatically within a daily maintenance window. This also configures Play apps to be updated within the window. This is strongly recommended for kiosk devices, because it is the only way that apps pinned permanently to the foreground can be updated by Play.
    Delay Postpones automatic installation for a maximum of 30 days.
  Freeze periods | Add period |
    • An annually recurring period in which over-the-air (OTA) system updates are postponed in order to freeze the operating system version running on the device.
    • To prevent the device from being frozen indefinitely, consecutive freeze periods must be at least 60 days apart.
    • This is particularly useful for avoiding system changes during certain business periods or important projects where they could affect stability or compatibility.
    Start | | Start of the period
    End | | End of the period
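Because freeze periods recur annually, the 60-day gap also has to hold between the last period of one year and the first period of the next, and a single period may run across New Year. The following Python check is an added example (not portal code) that validates a list of periods given as (month, day) pairs against that rule; it additionally enforces the 90-day maximum length of one freeze period that Android's DevicePolicyManager imposes, which this page does not mention. The sample periods are constructed.

```python
from datetime import date, timedelta
from typing import List, Sequence, Tuple

# Added example: sanity-checking freeze periods before putting them into a profile.
MIN_GAP_DAYS = 60   # consecutive freeze periods must be at least this far apart (from the page)
MAX_LEN_DAYS = 90   # Android's limit for one freeze period (assumption: not stated on the page)

MonthDay = Tuple[int, int]
Period = Tuple[MonthDay, MonthDay]


def expand(period: Period, year: int) -> Tuple[date, date]:
    """Turn an annual (month, day) period into concrete dates for `year`.
    A period whose end precedes its start wraps into the following year."""
    (sm, sd), (em, ed) = period
    start = date(year, sm, sd)
    end = date(year, em, ed)
    if end < start:
        end = date(year + 1, em, ed)
    return start, end


def validate_freeze_periods(periods: Sequence[Period], year: int = 2025) -> List[str]:
    """Return a list of rule violations; an empty list means the periods are acceptable.

    `year` only anchors the calendar arithmetic and should be a non-leap year
    so that 'one year later' is exactly 365 days."""
    problems: List[str] = []
    spans = []
    for period in periods:
        start, end = expand(period, year)
        length = (end - start).days + 1
        if length > MAX_LEN_DAYS:
            problems.append(f"period {period} is {length} days long, maximum is {MAX_LEN_DAYS}")
        spans.append((start, end))

    spans.sort()
    for i, (_, end) in enumerate(spans):
        next_start, _ = spans[(i + 1) % len(spans)]
        if i == len(spans) - 1:
            # wrap around: compare with the first period of the following year
            next_start += timedelta(days=365)
        gap = (next_start - end).days
        if gap <= 0:
            problems.append(f"period ending {end} overlaps the next period starting {next_start}")
        elif gap < MIN_GAP_DAYS:
            problems.append(f"only {gap} days between {end} and {next_start}, minimum is {MIN_GAP_DAYS}")
    return problems


# Constructed sample configurations.
OK_SINGLE = [((12, 15), (1, 15))]                     # wraps over New Year, 32 days
TOO_CLOSE = [((1, 1), (2, 28)), ((3, 15), (4, 30))]   # only 15 days apart
TOO_LONG = [((1, 1), (4, 15))]                        # 105 days in one period

if __name__ == "__main__":
    for name, periods in (("OK_SINGLE", OK_SINGLE), ("TOO_CLOSE", TOO_CLOSE), ("TOO_LONG", TOO_LONG)):
        print(name, validate_freeze_periods(periods) or "ok")
```

A single period is checked against its own repetition one year later, which is why even one long period can be rejected; the rule exists precisely so that a device is never without updates for more than the freeze window itself.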
    Input methods
    Permitted input methods Add package name
    • If present, only the input methods provided by packages in this list are allowed
    • If this field is present but the list is empty, only system input methods are allowed
    • This option restricts the use of keyboards and other input methods to a predefined list to increase security and control over data processing and input
    Approved input support services Add package name
    • Specifies the permitted input help services. If the field is not set, any input help service can be used
    • If the field is set, only the input help services contained in this list and the input help services integrated in the system can be used
    • In particular, if the field is empty, only the system's integrated accessibility services can be used
    • This setting helps to control and monitor the use of accessibility services to ensure the security and integrity of the system while supporting accessibility for users
    System settings
    Disable modifying accounts    When enabled   , adding or removing accounts is disabled. This prevents users from adding or removing personal or professional accounts, which helps to ensure data integrity.notempty
    If this item is not enabled, the user can create another Google Account, log into the Playstore and install any software.
    Account types with management disabled     Account types that cannot be managed by the user.

    This can be used to prevent the addition of different accounts from defined providers in order to prevent an unwanted outflow of data.

    Disable adding users    If    is activated, the addition of new users and profiles is deactivated.

    This can be useful to ensure that no additional users or guest profiles are created on the device.

    Disable the removal of users    If    is activated, the removal of other users is deactivated.

    This prevents existing users or guest profiles, especially administrative or business-critical ones, from being removed.

    Disable setting user icon    If    is activated, changing the user icon is deactivated.

    This ensures a uniform display of the user profiles and can help to avoid confusion.

    Deactivate factory reset    If    is activated, resetting to factory settings is deactivated.

    This protects against data loss and prevents the device from being reset to factory settings without administrator authorization.

    Disable credentials configuration    The configuration of user credentials should be disabled.notempty
    If disabled, certificates can no longer be installed. If these security settings are to be used, it is recommended to deactivate the configuration of the login credentials only after the security settings have been implemented on all devices.
    Disable the background settings    If    is activated, changing the background image is deactivated.

    This can help to maintain a uniform appearance for all devices in a company.

    Disable creating windows    When    is enabled, the creation of windows next to app windows is disabled.

    This can help to simplify the user interface and ensure that no additional windows disrupt the user experience.

    Location mode Unspecified Determines the level of location detection.

    The user can change the value, unless the user cannot access device settings. This makes it possible to switch between different location modes.

    Unspecified The current device value is not changed. The user can change the value unless the user cannot access device settings.
    User choice The location setting is not restricted on the device. No specific behavior is set or enforced.
    Forced Activates the location setting on the device
    Disabled Disables the location setting on the device
    Disable location sharing    Indicates whether location sharing is disabled.
    Skip hints on first user    Flag to skip first time use hints. The company administrator can enable the system recommendation for apps to skip the user tutorial and other introductory notes on first launch.
    Kiosk mode & kiosk starter
    Kioskstarter
    Activate the custom kiosk launcher    Indicates whether the custom kiosk launcher is enabled.
    This replaces the home screen with a launcher that locks the device to the apps installed via the application setting. The apps are displayed on a single page in alphabetical order. It is recommended to disable the status bar to block access to the device settings.
    Kioskmodus
    Power-Button-Actions Unspecified Defines the behavior of a device in kiosk mode when a user presses and holds the on/off button.

    This can be used to ensure that users cannot bypass kiosk mode by restarting or switching off the device.

    Unspecified Not specified, available by default.
    Available The on / off menu (e.g. switch off, restart) is displayed when a user holds down the on / off key of a device in kiosk mode.
    Blocked The On / Off menu (e.g. power off, restart) is not displayed if a user holds down the On / Off button of a device in kiosk mode. Note: This may prevent users from turning off the device.
    System error warnings Unspecified Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode.

    This setting prevents users from seeing system error warnings and ensures that the device remains in the intended mode even if errors occur.

    Unspecified Not specified, muted by default.
    Activated All system error dialogs like crash and app not responding (ANR) are displayed.
    Mute All system error dialogs like crash and unresponsive app (ANR) are blocked. When it is blocked, the system forcibly stops the app as if the user closes the app from the user interface.
    System navigation Unspecified Indicates which navigation functions are enabled in kiosk mode (e.g. Home, overview keys).

    This option controls whether users can access the system navigation buttons to ensure that they cannot navigate out of kiosk mode or access other apps.

    Unspecified Not specified, disabled by default.
    Activated Home and overview buttons are enabled.
    Disabled The Home and Overview buttons cannot be accessed.
    Home-button only Only the home-button is enabled.
    Status bar Unspecified Specifies whether system information and notifications are disabled in kiosk mode.

    This setting hides the status bar to prevent users from accessing system information and notifications that could take them out of kiosk mode or distract them.

    Unspecified Not specified, notifications and system information disabled by default.
    Notifications and system information enabled System information and notifications are displayed in the status bar in kiosk mode
    Notifications and system information disabled System information and notifications are disabled in kiosk mode.
    System information only Only system information is displayed in the status bar.
    Device settings Unspecified This option allows or prevents access to the device settings to ensure that users cannot change the device settings of the device.
    Unspecified Not specified, allowed by default.
    Allowed Access to the settings app is allowed in kiosk mode.
    Blocked Access to the settings app is not allowed in kiosk mode.
    Various
    Automatic date & time zone Unspecified Specifies whether automatic date, time and time zone are enabled on a company-owned device.

    This setting ensures that the device automatically sets the correct time and time zone based on the location to ensure that all time displays are correct and synchronized, especially when travelling or changing locations.

    Unspecified This value is ignored. By default, the user's choice is used.
    User choice The automatic date, time and time zone are left to the user's choice.
    Force automatically Force the automatic date, time and time zone on the device.
    Disable screen capture If activated, the screenshot function is deactivated.

    This setting prevents users from recording the device screen, protecting sensitive information from unauthorized recording and distribution. It is particularly important for compliance with data protection and security guidelines.

    Disable camera If activated, the camera is deactivated.

    This setting allows you to completely disable the device's camera to increase privacy and security, especially in sensitive environments where no image or video recording is permitted.

    Disable the volume setting If activated, adjustment of the main volume is deactivated.

    This option prevents users from changing the main volume of the device to ensure a consistent volume setting. This can be useful in environments such as schools or conference rooms to minimize interference.

    Prevent microphone from being switched on If activated, the microphone is muted and the microphone volume cannot be adjusted.

    This setting ensures that the device's microphone remains muted to prevent unauthorized listening in on or recording of conversations and ambient noise, which is particularly important in security-critical areas.

    Disable easter eggs If activated, the Easter egg game in the settings is deactivated.

    This option blocks hidden games or gimmicks that are built into operating systems as "Easter eggs".


    Personal use

    Personal use
    Caption Value Description
    Personal use
    Personal apps that can read work notifications Add package name
    • Personal apps that can read work profile notifications with a NotificationListenerService
    • By default, no personal apps (except system apps) can read work notifications
    • Each value in the list must be a package name
    Activate personal use If activated, personal use of the Android device can be configured
    Personal Play Store mode Not specified Used together with "Personal apps" to control how apps are allowed or blocked in the personal profile.
    Not specified Not specified. Block list by default.
    Allowlist Only apps that are explicitly specified in "Personal apps" and whose "Installation type" is set to "Available" may be installed in the personal profile.
    Blocklist All Play Store apps can be installed in the personal profile, except for those whose installation type is "Blocked" under "Personal apps".
    Personal applications  Add applications Guidelines for apps in the personal profile of a company-owned device with a work profile.
    Each click on the button adds a section Application by customizing an app.
    Package name com.google.android.youtube Select application The package name of the app. For example, com.google.android.youtube for the YouTube app.
    Clicking on the button  Select application opens the Google Play Store to select the app.
    Installation type
    Only appears when an app is selected in Package name.
    Not specified The way the installation is performed.
    Not specified Not defined. Equivalent to Available.
    Block The app is blocked and cannot be installed. If the app was installed using an old profile, it will be uninstalled.
    Available The app is ready for installation.
    Max. days without work profile 0 Controls how long the work profile can remain switched off.
    Account types with management disabled     Account types that cannot be managed by the user
    Disable screen capture    If    is activated, the screenshot function is deactivated.

    This setting prevents users from recording the device screen to protect sensitive information from unauthorized recording and distribution. It is particularly important for compliance with data protection and security guidelines.

    Disable camera If activated, the device's camera is completely deactivated.

    This increases privacy and security, especially in sensitive environments where no image or video recording is permitted.

    Cross-profile guidelines
    Activate If activated, cross-profile policies are applied to the device
    Show work contacts in personal profile Allowed
    • Specifies whether contacts saved in the work profile can be displayed in the contact search in the personal profile and for incoming calls
    • This setting allows work contacts to be displayed in the personal profile to improve accessibility and communication while maintaining security and privacy
    Not specified Not specified. Allowed by default.
    Not allowed Prevents contacts from the work profile from being displayed when searching for personal profile contacts and incoming calls.
    Allowed Default. Allows work profile contacts to appear when searching for personal profile contacts and incoming calls.
    Cross-profile copy & paste Not allowed
    • Configures whether text copied from one profile (personal or business) can be pasted into the other profile
    • This feature controls whether users can share content between their personal and business profiles to minimize potential security risks from uncontrolled data transfers
    Not specified Not specified. Not allowed by default.
    Not allowed Default. Prevents users from pasting text copied from the work profile into the personal profile. Text copied from the personal profile can be pasted into the work profile and text copied from the work profile can be pasted into the work profile.
    Allowed Text copied in one of the profiles can be pasted in the other profile.
    Cross-profile data sharing Refuse from business to personal profile
    • Specifies whether data from one profile (personal or business) can be shared with apps in the other profile
    • Controls the simple exchange of data via intents. The management of other cross-profile communication channels (such as contact search, copy/paste or connected work & personal apps) is configured separately
    • This setting allows control over the sharing of data between profiles to ensure that sensitive information is not transferred without authorization
    Not specified Not specified. Not allowed by default.
    Not allowed Prevents data from being passed from both the personal profile to the work profile and from the work profile to the personal profile.
    Refuse from business to personal profile Default. Prevents users from sharing work profile data with apps in the personal profile. Personal data can be shared with business apps.
    Allowed Data from one of the profiles can be shared with the other profile.

    Passcode

    Passcode
    Caption Value Description
    Password policies
    Password policies  Add policy Password policies can be used for work profiles and fully managed devices.
    Scope The scope to which the password requirement applies. This setting defines whether the password requirements apply to the entire device or only to specific profiles (e.g. work profile). This helps to apply the security guidelines in a differentiated manner, depending on the needs of the organisation or the user.
    Device The policy applies only to fully managed devices
    Work Profile The policy only applies to work profiles
    Both The policy applies to fully managed devices as well as devices with a work profile.
    Passcode quality
    Complex
    • This option defines the requirements for the passcode
    • A distinction is made between quality-based and complexity-based password policies
    • Complexity-based password policies apply as of Android 12 and can only be configured in combination with a quality-based password policy
      If a complexity-based passcode quality is selected first, a second password policy with the quality-based passcode quality Simple is created automatically.
    • Examples of combinations of passcode qualities (permitted and not permitted) for the scopes Device and Work profile are listed below
      The profile cannot be saved, i.e. is invalid, if
      → a complexity-based password policy has no quality-based password policy
      → a complexity- and quality-based password policy in the scope Work profile is accompanied by a purely quality-based password policy in the scope Device
    Alphabetic The password must consist only of alphabetical characters (or symbols).
    Alphanumeric The password must consist of both digits and alphabetical characters (or symbols).
    Biometric The device must be secured with at least low security biometric detection technology. This includes technologies that can recognize the identity of a person corresponding to a three-digit PIN (misidentification is less than 1 in 1,000).
    Simple A password is required, but there are no restrictions on what the password must contain.
    Complex The password must contain at least a letter, a number and a special symbol. Other password restrictions, such as passwordMinimumLetters, are enforced.
    Not specified There are no password requirements.
    Numeric The password may only consist of digits.
    Numeric (complex) The password may only consist of digits that do not contain repetitive (4444) or ordered (1234, 4321, 2468) sequences.
    Low complexity Simple patterns or PINs with repeated or ordered sequences (e.g. 4444, 1234) are permitted.
    Medium complexity PINs without simple patterns, or alphabetic or alphanumeric passwords with at least 4 characters, are required.
    High complexity Secure PINs (at least 8 characters), or alphabetic or alphanumeric passwords with at least 6 characters, are required.
    New as of: 2.9
    Expiration timeout 0 The duration in days until the password must be changed. This setting forces the user to change the password regularly to increase security and reduce the risk of a compromised password being used over a longer period of time.
    Minimum length
    0 The minimum allowed password length. A value of 0 means there is no restriction.
    Only enforced when Passcode quality is Numeric, Numeric (Complex), Alphabetic, Alphanumeric, or Complex.
    Minimum letters 0 Minimum number of letters in the password
    Forced only if the Password quality is Complex.
    Minimum lowercase letters 0 Minimum number of lowercase letters required in the password
    Forced only if the Password quality is Complex.
    Minimum uppercase letters 0 Minimum number of capital letters in the password
    Forced only if the Password quality is Complex.
    Minimum non letter characters 0 Minimum number of non-letters (numeric digits or symbols) required in the password.
    Forced only if the Password quality is Complex.
    Minimum numeric characters 0 Minimum number of digits in the password
    Forced only if the Password quality is Complex.
    Minimum symbols 0 Minimum number of symbols in the password
    Forced only if the Password quality is Complex.
    Password history length 0 The length of the password history. After setting this field, the user won't be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
    Maximum failed attempts 10 The number of permitted input attempts before all data on the device is deleted. A value of 0 means that there is no restriction. This security measure protects sensitive data.
    If this number is reached, the device is automatically reset to factory settings.
    Password unlock required The amount of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that can be unlocked using another authentication method (e.g., fingerprint, trusted agent, face). After the specified period, only strong authentication forms can be used to unlock the device or work profile.
    Not specified Not specified. By default, the device-timeout is used.
    Device-timeout The timeout is set to the default setting of the device.
    Daily The timeout is 24 hours.
    Passcode combinations
    New as of: 2.9
    In general, almost any quality-based passcode quality can be combined with a complexity-based one (depending on the scope), as long as each complexity-based passcode is accompanied by a quality-based passcode.

    However, a distinction must be made between a fully managed Android device and a private device with a work profile.
    The following table gives an overview of example combinations of password policies.

    Scope Device Scope Work profile Example configuration Passcode quality
    Passcode quality: Complexity & Quality Passcode quality: Complexity & Quality Device: High complexity & Simple; Work profile: Low complexity & Complex
    Passcode quality: Complexity & Quality Passcode quality: Quality Device: High complexity & Simple; Work profile: Alphabetic
    Passcode quality: Complexity & Quality Passcode quality: None Device: High complexity & Simple
    Passcode quality: Quality Passcode quality: Quality Device: Numeric; Work profile: Alphabetic
    Passcode quality: Quality Passcode quality: None Device: Numeric
    Passcode quality: None Passcode quality: Complexity & Quality Work profile: High complexity
    Passcode quality: None Passcode quality: Quality Work profile: Alphabetic
    Passcode quality: None Passcode quality: None None
    The following combinations are also not permitted
    Scope Device Scope Work profile Possible solution
    Passcode quality: Complexity Passcode quality: Complexity A password policy with a quality-based passcode quality must be created for each scope
    Passcode quality: Complexity Passcode quality: None A password policy with a quality-based passcode quality must be created
    Passcode quality: None Passcode quality: Complexity A password policy with a quality-based passcode quality must be created
    Passcode quality: Quality Passcode quality: Complexity & Quality Password policies of work profiles must not be combined with purely quality-based password policies of device profiles. A password policy with a complexity-based passcode quality must be created for the device profile
    Passcode quality: Quality Passcode quality: Complexity A password policy with a complexity-based passcode quality for the device profile and one with a quality-based passcode quality for the work profile must be created
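As an added example that is not part of this documentation or the portal's own code, the following Python script encodes the password policy rules of this section: check_password evaluates a candidate password against one policy (the minimum character counts only apply to the Complex quality, the minimum length only to the qualities named above), and validate_policy_combination reproduces the permitted and forbidden combinations of quality-based and complexity-based policies across the Device and Work profile scopes from the tables. The run-length limit of 4 used for Numeric (complex) is an assumption derived from the examples 4444, 1234, 4321 and 2468; the portal's own check may differ in detail.

```python
from dataclasses import dataclass

# Added example, not the Securepoint portal's code. It models the "Passcode quality"
# options and the scope combination rules described above. The run-length limit of
# 4 for "Numeric (complex)" is an assumption taken from the examples 4444/1234/2468.

LENGTH_ENFORCED_FOR = {"Numeric", "Numeric (complex)", "Alphabetic", "Alphanumeric", "Complex"}


@dataclass
class PasswordPolicy:
    quality: str
    minimum_length: int = 0      # 0 = no restriction
    minimum_letters: int = 0     # the minimum_* counts below are enforced only for "Complex"
    minimum_lowercase: int = 0
    minimum_uppercase: int = 0
    minimum_non_letter: int = 0
    minimum_numeric: int = 0
    minimum_symbols: int = 0


def longest_sequence_run(digits: str) -> int:
    """Longest run whose adjacent digits differ by a constant: difference 0 is a
    repeated sequence (4444), any other constant difference an ordered one (1234, 4321, 2468)."""
    if len(digits) < 2:
        return len(digits)
    best = run = 2
    prev = int(digits[1]) - int(digits[0])
    for a, b in zip(digits[1:], digits[2:]):
        diff = int(b) - int(a)
        run = run + 1 if diff == prev else 2
        prev = diff
        best = max(best, run)
    return best


def check_password(pw: str, policy: PasswordPolicy) -> list:
    """Return the violated requirements; an empty list means the password is compliant."""
    letters = sum(c.isalpha() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    symbols = sum(not c.isalnum() for c in pw)
    q = policy.quality
    problems = []
    if q == "Not specified":
        return problems                       # no password requirements at all
    if q == "Simple" and not pw:
        problems.append("Simple: a password is required")
    if q in ("Numeric", "Numeric (complex)") and (not pw or digits != len(pw)):
        problems.append(f"{q}: only digits are allowed")
    if q == "Numeric (complex)" and pw.isdigit() and longest_sequence_run(pw) >= 4:
        problems.append("Numeric (complex): repeated or ordered digit sequence")
    if q == "Alphabetic" and (not pw or digits > 0):
        problems.append("Alphabetic: only letters or symbols are allowed")
    if q == "Alphanumeric" and (digits == 0 or letters + symbols == 0):
        problems.append("Alphanumeric: digits and letters (or symbols) are both required")
    if q == "Complex" and (letters == 0 or digits == 0 or symbols == 0):
        problems.append("Complex: a letter, a digit and a symbol are required")
    if q in LENGTH_ENFORCED_FOR and len(pw) < policy.minimum_length:
        problems.append(f"minimum length {policy.minimum_length} not met")
    if q == "Complex":                        # minimum counts apply only to Complex
        counts = {
            "letters": (letters, policy.minimum_letters),
            "lowercase letters": (sum(c.islower() for c in pw), policy.minimum_lowercase),
            "uppercase letters": (sum(c.isupper() for c in pw), policy.minimum_uppercase),
            "non-letter characters": (digits + symbols, policy.minimum_non_letter),
            "digits": (digits, policy.minimum_numeric),
            "symbols": (symbols, policy.minimum_symbols),
        }
        for name, (have, need) in counts.items():
            if have < need:
                problems.append(f"Complex: at least {need} {name} required, found {have}")
    return problems


def validate_policy_combination(device: set, work: set) -> list:
    """device / work hold the kinds of policy present in each scope, any subset of
    {"quality", "complexity"}. Returns the violated rules from the tables above."""
    errors = []
    for scope, kinds in (("Device", device), ("Work profile", work)):
        if "complexity" in kinds and "quality" not in kinds:
            errors.append(f"{scope}: a complexity-based policy needs a quality-based policy in the same scope")
    if "complexity" in work and device == {"quality"}:
        errors.append("Device: a purely quality-based device policy cannot be combined with a "
                      "complexity-based work profile policy; add a complexity-based device policy")
    return errors
```

Running validate_policy_combination over the rows of the two tables above returns an empty list for every permitted row and at least one message for every forbidden one; the last forbidden row (Quality on the device, Complexity only on the work profile) produces two messages, matching the two policies the table says must be created.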

    Applications

    Applications
    Caption Value Description
    Applications  Add applications Adds apps to this profile
    Apps on EMM-managed devices are configured within the profiles!
    Package name com.google.android.youtube Select application Package name of the application
    Install type Pre install The way the installation is performed.
    Pre install The app is installed automatically, but can be removed by the user.
    Force install The app is installed automatically and cannot be deleted by the user.
    Block The app is blocked and cannot be installed. If the app was installed using an old profile, it will be uninstalled.
    Available The app is ready for installation.
    Required for setup The app is installed automatically, cannot be deleted by the user, and prevents the device from being set up until the app is installed.
    Kiosk The app is automatically installed in kiosk mode: it is set as the preferred home intent and allowlisted for lock-task mode. The device setup will not be completed until the app has been installed. After installation, users can only use this app, which starts automatically and can no longer be removed. This install type can only be set for one application per policy. If it is present in the policy, the status bar is automatically disabled.
    Default permission policy Prompt The default policy for all permissions requested by the app. If set, overrides the default policy-level permission policy that applies to all apps. It does not override the global permission grant, which applies to all apps.
    Not specified Policy not specified. If no policy is specified for a permission at any level, 'Prompt' is used by default.
    Prompt Prompts the user to grant an authorization.
    Grant Grant authorization automatically
    Deny Deny authorization automatically
    Permissions  Add permission Grants explicit permission or denial for the app. These values override the default permission policy and global permission restrictions that apply to all apps.
    Permission     The Android permission or group, for example android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
    Not specified Policy not specified. If no policy is specified for a permission at any level, 'Prompt' is used by default.
    Prompt Prompt the user to grant permission.
    Grant Grant permission automatically
    Deny Deny permission automatically
    Policy Not specified The policy for granting authorization.
    If necessary, further authorizations must be granted or denied here.
    Note: In the »Approval« field, only the permissions that the respective app requests, and that are usually needed for its proper operation, appear. It is recommended to grant the necessary permissions in advance and to allow all other permissions only on request (prompt). The »deny« option should only be used for selected permissions where it is clear that the desired function of the app is not affected by it.
    Managed configuration
     Manage configuration Managed configuration applied to the app.
    The format for the configuration depends on the ManagedProperty values supported by the app. Each field name in the managed configuration must match the key field of the managed property. The field value must be compatible with the ManagedProperty type.
    New as of: 2.8.7
    The managed configuration of an app can also be configured manually:
    • create a new empty field via  Add field
       (press  Manage configuration first)
    • enter the desired ManagedProperty variable there and select the required type
    • save the setting with  Save
    • the desired value can then be entered
    User variables can also be used here.
    Managed Configuration Template
     Manage configuration template This field is ignored if the managed configuration is set.
    Calls up a template from the app manufacturer in which various parameters can be transferred to the app, depending on what the manufacturer specifies. These can be fixed parameters and variables in email apps:
    Example for Gmail app:
    Email Address $emailaddress$ Variable
    Hostname or Host m.google.com Fixed parameter
  • Example: Hostname of the mail server for Gmail accounts
  • Username $emailaddress$ Variable (for Gmail accounts the username is the email address.)
    With other accounts / apps the variable $username$ can be used here.
    New as of: 2.8
    For correct operation, the option Profile is a template in the tab General must be activated and the users must be selected!

    The values are taken from the user settings of the user to whom the respective device is assigned
    Variable name in profiles Description Example
    $username$
    alternative names:
    %device_user%
    %device_user_username%
    Username jdoe
    $emailaddress$
    alternative name:
    %device_email%
    Email address jdoe@ttt-point.de
    $firstname$
    alternative name:
    %device_user_firstname%
    First name John
    $lastname$
    alternative name:
    %device_user_lastname%
    Last name Doe
    $name$
    alternative name:
    %device_user_name%
    First name and surname John Doe
    $variable1$
    alternative name:
    %variable1%
    custom value jdoe/ttt-point.local
    $variable2$
    alternative name:
    %variable2%
    custom value
    $variable3$
    alternative name:
    %variable3%
    custom value
    $device_name$
    alternative name:
    %device_name%
    Only for iOS: The name assigned on the phone (see: Settings → General → Info → Name)
  • This variable can also be used in iOS profiles in the Shared device section
  • Cell phone from Markus Müller
    $device_alias$
    alternative name:
    %device_alias%
    Only for iOS: The alias assigned in the portal.
    If the alias is not assigned, the device_name is displayed.
  • This variable can also be used in iOS profiles in the Shared device section
  • Tablet Storage1
    The values are defined in the user administration in the portal under General → Users, or, for the device alias, in the device tile.
    To avoid input errors, several variable names are accepted for compatibility reasons.
    A distinction between Android and iOS is no longer necessary.
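The variable table above, as an added example that is not part of this documentation or the portal's code: a small Python renderer that substitutes the $name$ and %name% placeholders in a managed configuration template from a user record, accepts every alternative name listed, builds $name$ from first and last name, lets $device_alias$ fall back to the device name, and only resolves the two device variables on iOS. The user record, device record and template are constructed sample data modelled on the Gmail example; unknown placeholders are left in place so a typo in a profile stays visible instead of silently becoming an empty string.

```python
import re

# Added example, not the portal's own code. Sample user/device records and the
# template are constructed; the alias list follows the variable table above.

# Canonical variable name -> alternative names accepted for compatibility
ALIASES = {
    "username": ("device_user", "device_user_username"),
    "emailaddress": ("device_email",),
    "firstname": ("device_user_firstname",),
    "lastname": ("device_user_lastname",),
    "name": ("device_user_name",),
    "variable1": (), "variable2": (), "variable3": (),
    "device_name": (), "device_alias": (),
}
CANONICAL = {alias: canon for canon, alts in ALIASES.items() for alias in (canon, *alts)}
PLACEHOLDER = re.compile(r"\$([A-Za-z0-9_]+)\$|%([A-Za-z0-9_]+)%")
IOS_ONLY = {"device_name", "device_alias"}     # per the table, only iOS profiles resolve these


def resolve_variable(name, user, device, platform):
    """Value for one variable, or None if it is unknown or unavailable on this platform."""
    canon = CANONICAL.get(name.lower())
    if canon is None:
        return None
    if canon in IOS_ONLY:
        if platform != "ios":
            return None
        if canon == "device_alias":             # an unset alias falls back to the device name
            return device.get("alias") or device.get("name")
        return device.get("name")
    if canon == "name":                          # first name and surname
        return f"{user.get('firstname', '')} {user.get('lastname', '')}".strip()
    return user.get(canon)


def render_template(template, user, device, platform="android"):
    """Substitute every $var$ / %var% placeholder in the string values of a template.
    Unresolvable placeholders are left untouched so the mistake stays visible."""
    def substitute(match):
        name = match.group(1) or match.group(2)
        value = resolve_variable(name, user, device, platform)
        return match.group(0) if value is None else value

    return {key: PLACEHOLDER.sub(substitute, val) if isinstance(val, str) else val
            for key, val in template.items()}


# Constructed sample data mirroring the examples in the table
SAMPLE_USER = {"username": "jdoe", "emailaddress": "jdoe@ttt-point.de",
               "firstname": "John", "lastname": "Doe", "variable1": "jdoe/ttt-point.local"}
SAMPLE_DEVICE = {"name": "Cell phone from Markus Müller", "alias": ""}

# Constructed template in the shape of the Gmail example above
GMAIL_TEMPLATE = {"Email Address": "$emailaddress$", "Hostname": "m.google.com",
                  "Username": "%device_user%", "Display": "$name$ ($variable1$)"}


def render_gmail_example():
    return render_template(GMAIL_TEMPLATE, SAMPLE_USER, SAMPLE_DEVICE)
```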
    Deactivated    Whether the app is disabled. When deactivated, the app data is still retained.
    Minimum version code 0 The minimum version of the app that will run on the device.
    If set, the device will attempt to update the app to at least this version code. If the app is not up to date, the device contains a non-compliance detail with the non-compliance reason APP_NOT_UPDATED. The app must already be published in Google Play with a version code equal or greater than this value. A maximum of 20 apps can set a minimum version code per policy.
    Delegate areas The permissions selected here are delegated to the app by the Device Policy Controller.
    Not specified No delegation area specified.
    Certificate installation Provides access to the installation and management of certificates.
    Managed configurations Provides access to the management of managed configurations.
    Block uninstall Gives access to blocking the uninstallation.
    Grant permission Provides access to the permission policy and permission status.
    Packet access Gives access to the packet access status.
    Enable system apps Grants access to activate system apps.
    Accessible Track IDs     List of track IDs of the app that an enterprise device can access. If the list contains multiple track IDs, devices get the latest version among all accessible tracks. If the list does not contain any track IDs, devices have access only to the production track of the app.
    Connected Work & Personal App Not specified Controls whether the app can communicate with itself across a device's work and personal profiles with the user's permission.
    Not specified Not allowed by default
    Not allowed Default. Prevents cross-profile communication of the app.
    Allowed Allows the app to communicate across profiles after receiving the user's consent.
    Login provider Login Provider - Use Default Policy This app can be used (e.g. as a password manager)
    Login Provider - Use Default Policy The login provider default policy (see below) determines whether this app can be used as the default login provider.
    This app is allowed to act as a login provider This app can function as a login provider regardless of global app settings.
    Play Store Mode Allow list Only apps that are configured here in the policy are available. Any app not included in this policy will be automatically uninstalled from the device.

    Blocklist means All apps in the Play Store are available, except for those configured here with Installation Type Block!

    Automatic App Updates Always The policy enforced on a device to automatically update apps depending on the network connection: Apps should also be updated on devices that rarely or never return to a wireless network. The volume of data usually has little effect with standard volume tariffs.
    Not specified The auto-update policy is not set. Corresponds to the user selection.
    User selection The user can control the automatic updates.
    Never Apps are never updated automatically
    Via WLAN only Apps are only updated automatically via WLAN.
    Always Apps are updated automatically at any time. Data charges may apply.
    Disable installation of apps
    If activated, no installations or updates are possible, not even via the portal!
    Disable uninstalling apps    The user should not be able to uninstall any apps.
    Global default authorization policy Not specified (prompt) The default authorization policy for runtime authorization requests.
    Not specified (prompt) Policy not specified. If no policy is specified for a permission at any level, 'Prompt' is used by default.
    Prompt Prompt the user to grant permission.
    Grant Grant authorization automatically
    Deny Deny authorization automatically
    Global permission granting  Add permission Explicit permission or group grant or deny for all apps. These values override the Default permission policy.
    Permission     The Android permission or group, for example android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
    Policy Not specified The policy for granting authorization.
    Not specified Policy not specified. If no policy is specified for a permission at any level, 'Prompt' is used by default.
    Prompt Prompt the user to grant permission.
    Grant Grant permission automatically
    Deny Deny permission automatically
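The precedence of the four permission settings described in this section (the app's Permissions entries, Global permission granting, the app's Default permission policy and the Global default authorization policy), as an added example that is not the portal's or Android's own code: resolve_permission returns the effective policy for one app and permission together with the level that decided it, applying the overrides exactly as stated above, so a profile can be reviewed before it is applied to see which prompts the user will still get. The package name, the permission-to-group map and the sample profile are constructed assumptions.

```python
from dataclasses import dataclass, field

# Added example, not the portal's or Android's code. Precedence as stated above:
# app Permissions > Global permission granting > app Default permission policy
# > Global default authorization policy > built-in "Prompt".
PROMPT, GRANT, DENY, UNSPECIFIED = "Prompt", "Grant", "Deny", "Not specified"

# Constructed subset of the Android permission-group mapping (assumption for this example)
PERMISSION_GROUPS = {
    "android.permission.READ_CALENDAR": "android.permission_group.CALENDAR",
    "android.permission.WRITE_CALENDAR": "android.permission_group.CALENDAR",
    "android.permission.CAMERA": "android.permission_group.CAMERA",
    "android.permission.READ_CONTACTS": "android.permission_group.CONTACTS",
}


@dataclass
class AppPolicy:
    package: str
    default_permission_policy: str = UNSPECIFIED       # "Default permission policy"
    permissions: dict = field(default_factory=dict)    # "Permissions": permission or group -> policy


@dataclass
class ProfilePolicy:
    default_permission_policy: str = UNSPECIFIED       # "Global default authorization policy"
    global_grants: dict = field(default_factory=dict)  # "Global permission granting"
    apps: dict = field(default_factory=dict)           # package -> AppPolicy


def lookup(grants, permission):
    """An entry for the exact permission wins over an entry for its group (assumption)."""
    if permission in grants:
        return grants[permission]
    group = PERMISSION_GROUPS.get(permission)
    return grants.get(group) if group else None


def resolve_permission(profile, package, permission):
    """Return (effective policy, the level that decided it)."""
    app = profile.apps.get(package)
    if app is not None:
        hit = lookup(app.permissions, permission)
        if hit:
            return hit, "app permission"
    hit = lookup(profile.global_grants, permission)
    if hit:
        return hit, "global permission grant"
    if app is not None and app.default_permission_policy != UNSPECIFIED:
        return app.default_permission_policy, "app default permission policy"
    if profile.default_permission_policy != UNSPECIFIED:
        return profile.default_permission_policy, "global default authorization policy"
    return PROMPT, "built-in default"


def sample_profile():
    """Constructed profile: deny the camera for every app, auto-grant whatever the
    (hypothetical) mail app asks for, but still prompt for its calendar access."""
    mail = AppPolicy("com.example.mail", default_permission_policy=GRANT,
                     permissions={"android.permission_group.CALENDAR": PROMPT})
    return ProfilePolicy(default_permission_policy=PROMPT,
                         global_grants={"android.permission.CAMERA": DENY},
                         apps={mail.package: mail})
```

Note that the global Deny for the camera wins over the mail app's Grant default, which is the behaviour the text describes ("does not override the global permission grant"); only an explicit entry under the app's Permissions could re-enable the camera for that one app.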
    Login provider default policy Not specified (Only apps with a login provider policy) This setting determines whether an app on Android 14 and above is allowed to act as a login provider for managing login credentials. It is relevant for apps that handle authentication or login data, such as password managers or multi-factor authentication apps.
    Not specified (Only apps with a login provider policy) Not specified. Only apps that have explicitly defined a login provider policy.
    Only apps with a login provider policy Only apps that have specified a login provider policy.
    Only apps that have declared a login provider policy or OEM default login providers Only apps with a declared login provider policy or those pre-defined by the OEM as default login providers are allowed.
    Notes on using login providers
    Option Value Description
    Login provider Login provider This app can be used (e.g. as a password manager)
    Use login provider default policy Selection options, see below
    Login provider default policy
    Only if the app does not itself act as a provider!
    Not specified (Only apps with a login provider policy) The app cannot be used
    Only apps with a login provider policy The app cannot be used
    Only apps with a login provider policy or OEM default login providers Both the selected app and apps classified by Google as login providers can be used

    Networks

    Networks
    Caption Value Description
    Networks
    Always on VPN
    Enable "Always-On-VPN"   
    • Activates the “Always-On VPN” configuration, which means that the VPN remains permanently active and connected to ensure a continuous and secure network connection
    • This option is particularly useful to ensure that all data transfers are made over an encrypted connection and no unprotected connections are allowed
    • Negligible for mobile security, as this option is implicitly set by the app
    Package name de.securepoint.ms.agent The package name of the VPN app.
    Lockdown enabled   
    • This option prevents all network connections when the VPN is not connected
    • It ensures that no data can be transferred if the VPN fails or is disconnected for any reason, thereby guaranteeing the security of the data
    Recommended global proxy
    Activate the global proxy   
    • Allows you to specify a global proxy to be used for all network connections on the device
    • After enabling this option, details of the global proxy can be configured to route all traffic through a specified proxy server, providing additional security and control over network connections
    Host Hostname
    • The host name or IP address of the direct proxy used for forwarding network traffic
    • This setting defines where the connections should be forwarded to before they reach the destination
    Port Port number The network port of the direct proxy that is used together with the host to route the data traffic
    Excluded host Hostnames
    • When using a direct proxy, certain hosts can be specified for which the proxy is bypassed
    • These hosts, often defined as wildcards such as *.example.com, are contacted directly without going through the proxy
    • This can be useful for local or trusted domains where the proxy is not required
    PAC URI URI
    • The URI (Uniform Resource Identifier) of the PAC (Proxy Auto-Configuration) script used to configure the proxy
    • A PAC script is a file that regulates how web browsers and other user agents select a suitable proxy for the connection to a specific URL
    • The PAC URI specifies the location of this script, which is retrieved by the device and used to dynamically apply the proxy settings
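The decision the global proxy settings above express, as an added example that is not the portal's or Android's code: find_proxy_for_url returns the same kind of verdict a PAC script does, "DIRECT" for hosts that match an entry of the excluded-host list and "PROXY host:port" for everything else, and bypassed_hosts lists which of a set of hosts would never be seen by the proxy, which is the question to ask when reviewing an exclusion list. The proxy host, port and exclusion patterns are constructed sample values; wildcard matching is shell-style, so "*.example.internal" covers sub-hosts but not the apex name itself.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Added example, not the portal's or Android's code. Sample proxy values are constructed.
SAMPLE_PROXY = {
    "host": "proxy.example.internal",
    "port": 3128,
    "excluded_hosts": ["*.example.internal", "localhost", "10.0.0.5"],
}


def hostname_of(target):
    """Accept a full URL or a bare host name; return the lower-cased host part."""
    parts = urlsplit(target if "://" in target else "//" + target)
    return (parts.hostname or "").lower()


def find_proxy_for_url(target, proxy=SAMPLE_PROXY):
    """PAC-style verdict: "DIRECT" when the host matches an excluded pattern,
    otherwise "PROXY host:port". Patterns use shell-style wildcards, so
    "*.example.internal" matches sub-hosts only, not "example.internal" itself."""
    host = hostname_of(target)
    for pattern in proxy.get("excluded_hosts", []):
        if fnmatchcase(host, pattern.lower()):
            return "DIRECT"
    return f"PROXY {proxy['host']}:{proxy['port']}"


def bypassed_hosts(proxy, candidates):
    """Which of the given hosts skip the proxy: every one of them is traffic the
    proxy cannot inspect or log, so the list is worth checking before rollout."""
    return [h for h in candidates if find_proxy_for_url(h, proxy) == "DIRECT"]
```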
    Network configuration
    Network configurations  Add configuration Configuring Access Profiles for WiFi Networks
    Name ttt-point Headquarters The name of the configuration gives the specific network configuration a unique and meaningful identifier
    Type WiFi The configuration type is predefined
    Wifi
    SSID ttt-point-headquarter-WIFI
    • The SSID (Service Set Identifier) of the network is the unique name assigned to a WLAN network
    • This name is displayed when searching for available networks and enables devices to select the desired network for connection
    Security
    WPA-EAP
    • This option allows you to select the security level for the network
    • Common security levels include WEP, WPA, WPA2 and WPA3
    • The security level determines how data transmissions in the network are encrypted and protected to prevent unauthorized access
    Password

    Only for WEP-PSK and WPA-PSK
    •••••••••• Password for authentication with the inner protocol
    Even if it sounds trivial: WIFI.MyCompany.123 or Location.HouseNumber are not secure passwords! Also 1234, abcd or qwerty are not really secure passwords!
    EAP
    New as of: 2.11

    Only for WPA-EAP and WEP-8021X
    Outer protocol EAP-TLS
    • The outer protocol for EAP
    • Options: EAP-TLS, EAP-TTLS, EAP-SIM, EAP-AKA, PEAP
    Inner protocol
    Only for EAP-TTLS and PEAP
    MSCHAPv2
    • The inner protocol for EAP
    • Options: MSCHAPv2, PAP
    Identity Identity Identity for authentication with the inner protocol
    Password
    Only for EAP-TTLS and PEAP
    Password Password for authentication with the inner protocol
    Anonymous identity Anonymous identity Identity for authentication with the outer protocol
    Valid server domains Valid server domains A list of domains used to validate the authentication server
    Client certificate
    Only for EAP-TLS
        The client certificate
    Valid CAs List of CAs A list of CAs used by the client to validate the server certificate
    Hidden SSID   
    • Determines whether the SSID of the network is hidden
    • If this option is activated, the SSID is not displayed in the list of available networks and devices must enter the SSID manually to establish a connection
    • This can increase network security by making it more difficult for unauthorized users to find the network
    Autoconnect    The device should automatically connect to the network
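The "Only for ..." rules of the WiFi network configuration above, as an added example that is not part of this documentation or the portal's code: validate_wifi_config checks a configuration for consistency with those rules (a password only for the PSK security types, EAP fields only for WPA-EAP and WEP-8021X, an inner protocol and inner password only for EAP-TTLS and PEAP, a client certificate only for EAP-TLS) and separately returns warnings for choices that weaken the network: one of the trivial passwords named above, PAP as the inner protocol, or an EAP method without valid CAs and server domains, since without them the client cannot verify the authentication server. The dictionary field names and the sample configurations are constructed assumptions, not the portal's export format.

```python
# Added example, not the portal's own code. Field names and sample configurations
# are constructed; the option lists and "Only for" rules follow the table above.
PSK_SECURITY = {"WEP-PSK", "WPA-PSK"}
EAP_SECURITY = {"WPA-EAP", "WEP-8021X"}
OUTER_PROTOCOLS = {"EAP-TLS", "EAP-TTLS", "EAP-SIM", "EAP-AKA", "PEAP"}
INNER_PROTOCOLS = {"MSCHAPv2", "PAP"}
TUNNELED = {"EAP-TTLS", "PEAP"}               # the only outer protocols with an inner protocol
WEAK_PASSWORDS = {"1234", "abcd", "qwerty"}   # the examples named above


def validate_wifi_config(cfg):
    """Return (errors, warnings). Errors mean the configuration contradicts the field
    rules; warnings flag choices that weaken the network's security."""
    errors, warnings = [], []
    sec = cfg.get("security")
    if not cfg.get("ssid"):
        errors.append("SSID is required")
    if sec in PSK_SECURITY:
        pw = cfg.get("password", "")
        if not pw:
            errors.append(f"{sec}: a password is required")
        elif pw.lower() in WEAK_PASSWORDS:
            warnings.append("password is one of the trivial examples; choose a real passphrase")
        if "eap" in cfg:
            errors.append("EAP settings only apply to WPA-EAP and WEP-8021X")
    elif sec in EAP_SECURITY:
        if "password" in cfg:
            errors.append("the network password only applies to WEP-PSK and WPA-PSK")
        eap = cfg.get("eap") or {}
        outer = eap.get("outer")
        if outer not in OUTER_PROTOCOLS:
            errors.append(f"outer protocol must be one of {sorted(OUTER_PROTOCOLS)}")
        if outer in TUNNELED:
            if eap.get("inner") not in INNER_PROTOCOLS:
                errors.append(f"{outer}: inner protocol must be MSCHAPv2 or PAP")
            if not eap.get("identity") or not eap.get("password"):
                errors.append(f"{outer}: identity and password for the inner protocol are required")
            if eap.get("inner") == "PAP":
                warnings.append("PAP carries the inner password in clear text inside the TLS tunnel; prefer MSCHAPv2")
        else:
            for key in ("inner", "password"):
                if key in eap:
                    errors.append(f"{key} only applies to EAP-TTLS and PEAP")
        if outer == "EAP-TLS" and not eap.get("client_certificate"):
            errors.append("EAP-TLS: a client certificate is required")
        if outer != "EAP-TLS" and "client_certificate" in eap:
            errors.append("client certificate only applies to EAP-TLS")
        if outer in TUNNELED | {"EAP-TLS"} and not (eap.get("valid_cas") and eap.get("valid_server_domains")):
            warnings.append("without valid CAs and server domains the client cannot verify the authentication server")
    else:
        errors.append(f"unknown security type {sec!r}")
    return errors, warnings


# Constructed sample configurations (certificate and CA values are placeholders)
SAMPLE_EAP_TLS = {
    "name": "ttt-point Headquarters", "type": "WiFi", "ssid": "ttt-point-headquarter-WIFI",
    "security": "WPA-EAP",
    "eap": {"outer": "EAP-TLS", "identity": "device-cert-user",
            "client_certificate": "<client certificate reference>",
            "valid_server_domains": ["radius.example.internal"], "valid_cas": ["<CA reference>"]},
}
SAMPLE_PSK_WEAK = {"ssid": "guest", "security": "WPA-PSK", "password": "1234"}
```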


    Status reporting

    Status reporting
    Caption Value Description
    Status reporting
    Activate the status message   
    • When activated, this setting activates the transmission of status messages relating to various aspects and metrics of the device or application
    • The specific configurations for the type of status reports to be sent can then be defined
    • Note: When Mobile Security is enabled, this option is automatically enabled and cannot be disabled
    Hardware status   
    • When activated, messages about the current status and performance of the device's hardware are enabled
    • Typical information includes CPU utilization, temperature, battery status and other hardware-related metrics
    Application Reports   
    • When activated, reports are sent about installed applications on the device
    • This includes information such as the names of apps and their versions
    Software information   
    • When activated, reports are sent about the installed software and its configurations on the device
    • This includes versions of operating systems, installed updates and other relevant software details
    Working memory information   
    • When activated, reports are sent about the use and utilization of the working memory on the device
    • This information is important for monitoring device performance and optimizing resource usage
    Display information   
    • When activated, reports are sent about the display and screen settings of the device
    • This includes resolution, brightness settings and other relevant display information
    Network information   
    • When activated, reports are sent on the device's network activity and connections
    • This can include information about networks used, APN settings and hardware addresses
    Device Settings   
    • When activated, reports are sent about the configurations and settings of the device
    • This includes information about Wi-Fi, Bluetooth and other device settings that are relevant to the configuration and use of the device
    Power Management Events   
    • When activated, reports are sent on events and activities related to the device's power management
    • This includes information about battery usage, energy saving modes and other relevant power management aspects

    Compliance

    Compliance
    Rules can be defined for when the telephone or work profile is locked and when it is deleted (factory reset). The user is prompted to activate the selected policy on the device. Otherwise, the device / work profile will be blocked or set to factory defaults / deleted.
    Caption Value Description
    Compliance
    Rules for enforcing the profile Add rule A rule that defines the actions to be taken when a device or a work profile does not comply with the policy specified in "Preference name".
    Preference name Password policy The password policies must be applied to the phone.
    Block action
    Block after x days 1 Number of days on which the policy is not complied with before the device or work profile is blocked. To block access immediately, set the value to 0.
    Block scope Not specified Specifies the scope of the blocking action. Applies only to devices owned by the company.
    Not specified Not specified. Work profile by default.
    Work profile The blocking action is applied only to apps in the work profile. Apps in the personal profile are not affected.
    Device The blocking action is applied to the entire device, including the apps in the personal profile.
    Delete
    Get factory reset protection
    • When activated, the factory reset protection is preserved in the profile
    • In the event of theft or loss, you must first log into your Google Account before the device can be reset to factory defaults. This setting does not work with work profiles
    Wipe after x days 7
    • Number of days before the device or work profile is deleted if the policy (here: password policies) has not been implemented on the device
    • Delete must be greater than Block
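    The block and wipe timing described above, modelled as an added example (not Securepoint's own code): the rule with its "Delete must be greater than Block" check, the 0 = immediate case, and the fallback of an unspecified scope to the work profile. The day boundary (the action applies once the number of non-compliant days reaches the threshold) and the treatment of personally-owned devices are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not the portal's own code: models the compliance rule
# described on this page. Day boundaries (action taken once days_noncompliant
# reaches the threshold) and the personal-device handling are assumptions.
SCOPES = ("Not specified", "Work profile", "Device")


@dataclass(frozen=True)
class EnforcementRule:
    preference_name: str                    # e.g. "Password policy"
    block_after_days: int                   # 0 = block immediately
    block_scope: str = "Not specified"
    wipe_after_days: Optional[int] = None   # None = never wipe

    def __post_init__(self):
        if self.block_scope not in SCOPES:
            raise ValueError(f"unknown block scope: {self.block_scope}")
        if self.block_after_days < 0:
            raise ValueError("Block after x days must be 0 or more")
        # Page rule: "Delete must be greater than Block"
        if (self.wipe_after_days is not None
                and self.wipe_after_days <= self.block_after_days):
            raise ValueError("Wipe after x days must be greater than Block after x days")


def effective_scope(rule: EnforcementRule, company_owned: bool) -> str:
    """'Not specified' defaults to the work profile; the Device scope applies
    only to company-owned devices (assumption: others fall back to the
    work profile)."""
    if rule.block_scope == "Device" and company_owned:
        return "Device"
    return "Work profile"


def enforcement_action(rule: EnforcementRule, days_noncompliant: int,
                       compliant: bool, company_owned: bool = True) -> str:
    """Return 'none', 'block:<scope>' or 'wipe' for a device's current state.
    Wipe is checked first because it must always be the later threshold."""
    if compliant:
        return "none"
    if rule.wipe_after_days is not None and days_noncompliant >= rule.wipe_after_days:
        return "wipe"
    if days_noncompliant >= rule.block_after_days:
        return f"block:{effective_scope(rule, company_owned)}"
    return "none"
```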

    Security / VPN

    Security / VPN
    The Security tab is only available if a Mobile Security license is present.
    EMM licenses do not have VPN functionality that enables these security functions.
    Caption Value Description
    Security / VPN
    Allow Suspend Always-On-VPN
    • When activated, allows the user to temporarily deactivate the VPN
    • If the user does not reactivate it themselves, this happens at the time selected by the user
    Allow other VPN profiles When activated, the addition of other VPN profiles in addition to the security profile is permitted
    Authentication required after app start
    • Requirement for this feature: App version 3.1
    • When activated, authentication (PIN or biometric) is required when starting the app
    • The user must set up an authentication method (PIN or biometric) to start the app
    Activate Securepoint Mobile Security
    • When activated, the Securepoint Mobile Security app is added in the Applications tab and can be configured here
      When deactivated, the app is removed
    • This is required to configure the security settings
      New as of: 2.3.13
      On Android devices, Mobile Security cannot be activated at the same time as Cloud Shield, as only one VPN service can be active at a time.
    Protocol TCP The protocol TCP or UDP used for the VPN tunnel
    Port filter type Open Filter network traffic based on network ports. Options: Open, Closed, Selection
    Port filter rule selection Communication, VPN Specify which port collections are open for network traffic. Appears when Port filter type Selection is selected

    Port collection        Port         Protocol   Application
    Administrative Tools   21           TCP        ftp
                           3389         TCP        ms-rdp
                           23           TCP        telnet
                           5900         TCP        vnc
                           22           TCP        ssh
                           5938         TCP/UDP    teamviewer
    Communication          3478-3481    UDP        Skype
                           49152-65535  UDP
                           49152-65535  TCP
                           5222         TCP        Google Push-Notifications
                           5223         UDP
                           5228         TCP
    VOIP                   5060         UDP        SIP/RTP
                           7070-7089    UDP
    VPN                    1194         TCP        OpenVPN
                           1194         UDP
                           500          UDP        IPSec
                           4500         UDP & ESP
                           1701         UDP        L2TP
    Mail                   25           TCP        smtp
                           587          TCP
                           465          TCP        smtps
                           110          TCP        pop3
                           995          TCP
                           143          TCP        imap
                           993          TCP
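    The port collections from the table above and the decision the port filter type makes for one port, as an added example (not Securepoint's code). It assumes that Open passes every port, Closed passes none and Selection passes only ports in the chosen collections; ESP is an IP protocol rather than a port and is therefore not modelled.

```python
# Added example, not Securepoint's code: the port collections listed on this
# page and the decision the "Port filter type" makes for a given port.
# Assumptions: "Open" passes every port, "Closed" passes none, "Selection"
# passes only ports in the chosen collections. ESP (IPsec) is an IP protocol,
# not a port, so it is left out of the VPN collection here.
PORT_COLLECTIONS = {
    "Administrative Tools": ["21/tcp", "3389/tcp", "23/tcp", "5900/tcp",
                             "22/tcp", "5938/tcp", "5938/udp"],
    "Communication": ["3478-3481/udp", "49152-65535/udp", "49152-65535/tcp",
                      "5222/tcp", "5223/udp", "5228/tcp"],
    "VOIP": ["5060/udp", "7070-7089/udp"],
    "VPN": ["1194/tcp", "1194/udp", "500/udp", "4500/udp", "1701/udp"],
    "Mail": ["25/tcp", "587/tcp", "465/tcp", "110/tcp", "995/tcp",
             "143/tcp", "993/tcp"],
}


def parse_entry(entry: str):
    """'3478-3481/udp' -> (3478, 3481, 'udp'); '22/tcp' -> (22, 22, 'tcp')."""
    ports, proto = entry.split("/")
    lo, _, hi = ports.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not (0 < lo <= hi <= 65535) or proto not in ("tcp", "udp"):
        raise ValueError(f"bad port entry: {entry}")
    return lo, hi, proto


def collections_opening(port: int, proto: str):
    """Names of the collections that would open port/proto. Useful when
    reviewing a selection: 'Communication' opens the whole ephemeral range."""
    return sorted(name for name, entries in PORT_COLLECTIONS.items()
                  if any(p == proto and lo <= port <= hi
                         for lo, hi, p in map(parse_entry, entries)))


def port_allowed(filter_type: str, selected, port: int, proto: str) -> bool:
    """Apply the profile's port filter to one port/protocol pair."""
    if filter_type == "Open":
        return True
    if filter_type == "Closed":
        return False
    if filter_type != "Selection":
        raise ValueError(f"unknown port filter type: {filter_type}")
    unknown = set(selected) - PORT_COLLECTIONS.keys()
    if unknown:
        raise ValueError(f"unknown port collection(s): {sorted(unknown)}")
    return any(name in selected for name in collections_opening(port, proto))
```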
    SSL-Interception Default SSL traffic from web pages listed in the content filter allowlist is not intercepted, other pages are checked using SSL interception.
    Content-Filter Allowlist Updates and important services Click box: Web pages that are to be added to an allowlist. Possible entries: Contentfilter
    Content-Filter Blocklist Hacking, Proxy, Threat Intelligence Feed Click box: Websites that are to be added to a blocklist.
    Exclude local WLAN from VPN When activated, a route is added that excludes the local WLAN IP range from the tunnel
    Disable VPN for SSIDs Add SSIDs Enter WiFi SSIDs for which the security features shall be disabled.
    Exclude IP addresses from VPN Add IPs Enter IP addresses or networks for which the security functions are to be bypassed, e.g. the individual host 222.222.222/32 or the entire subnet 123.123.123.0/24. Use the cursor keys to navigate within the mask
    Exclude apps from VPN Add package name Enter the package names of the apps that are to bypass the VPN service
    VPN Configurations
    Displays a list of all Roadwarrior connections that are connected to this profile.
    New connections can be created via Unified Network Console  VPN configurations.
    For more information, see the following Wiki article.
    Roadwarrior:
    • Alias name of the roadwarrior connection, the transfer network, the core UTM and the IPs used
    • Clicking on the alias name redirects to the corresponding VPN configuration
    Autostart:
    • When activated, this connection is started immediately if it is selected as the active connection
    • If the connection is interrupted, it is automatically restarted
    • This setting can be changed on the device by the user afterwards

    Cloud Shield

    Cloud Shield
    Caption Value Description
    Settings Cloud Shield
    Activate Cloud Shield After enabling, a Cloud Shield profile can be selected and the Cloud Shield app for Android is installed automatically.
    In the Applications tab, the Securepoint Cloud Shield app is automatically added
    • If Cloud Shield is active, Securepoint Mobile Security cannot be activated under Security / VPN until Cloud Shield has been deactivated
    • If Securepoint Mobile Security is activated under Security / VPN, Cloud Shield is automatically deactivated and cannot be activated until Mobile Security has been deactivated
    • For profiles that were created before version 2.3 and where both Securepoint Mobile Security and Cloud Shield are active, these buttons are displayed as inactive
      This can be solved by removing one of the two apps under Applications
      Cloud Shield technically uses the Android VPN service. Only one (1) VPN service (Mobile Security or Cloud Shield) can be active on Android devices at the same time.
    Profile
    Select Profile The Cloud Shield profile to be used for the Cloud Shield configuration.


    The profile must be created in advance in the Cloud Shield Profile menu item, see the following Wiki article.

    Install CA for block page When activated, the CA certificate for the block page is installed on the device so that certificate warnings are no longer displayed when a page is blocked.
    In the Applications tab, the value Certificate installation is automatically set in the Delegate areas option of the Securepoint Cloud Shield application

    Localize

    Localize
    Caption Value Description
    Localize
    Enable localization function Adds functionality to find the devices assigned to this policy. This functionality is limited to fully managed devices only.