

Example configuration of an EMM profile


Last adaptation: 10.2021

The settings shown here are examples that provide the most comprehensive basic protection possible. They must be adapted to local requirements!

Instructions on how to connect Securepoint Mobile Security to Android Enterprise accounts can be found here.

Preliminary remark

Android Enterprise profiles (EMM) behave fundamentally differently from traditional Android profiles. Device registration is bound directly to a profile.
A profile must be created (and configured) first before a device can be registered.
It is no longer possible to assign a profile to a role, user or tag.

In Android Enterprise profiles, numerous security-relevant settings can be made, e.g.

  • Disable camera
  • Disable microphone
  • Disable USB file transfer
  • Disable outgoing calls
  • Disable Bluetooth
  • Disable contact sharing
  • Disable tethering
  • Disable SMS
  • Enable network only with VPN
  • and much more.

Android Enterprise profiles are used immediately and do not need to be published!

Android Enterprise Profile



General Settings

Displays the platform used, the profile name and the assigned devices.

If an Android EMM profile is to be newly created, Android Enterprise must be selected as the platform.





Caption Values Description
Maximum time to lock 120 This setting allows you to limit the maximum screen lock time that can be selected.
The default setting is 10 minutes (= 600 sec.).
  • Only values that are below 600 seconds are realised.
  • Input in seconds.
    Encryption Enable with password Requires a password before starting the device to override encryption.
    Encryption takes place at the file system level and prevents data from being read when physically accessing a locked device (turned off or not booted yet). It does not prevent data from being read from an unlocked device. Activating this option also deactivates the possibility to restart the device in "safe mode". In addition, a PIN or password with the option "Safe start" is required as display lock, which means that the PIN or password must be entered before the device is started. As a result, no calls, messages or notifications (including wake-up calls) can be received before the device is unlocked and started.
    Stay on plugged modes Ignore The battery charge mode should have no effect on whether the device remains switched on.

    Device Owner lockscreen info
    Activate lockscreen info    Information is to be displayed in the lock screen.
    Device Owner lockscreen info Property of ttt-point GmbH.
    Support: +49 4131 - 2401-0
    The device owner information to be displayed on the lock screen. The maximum message length is 4096 characters.




    MS v1.4.8 Profile Android-emm Compliance-en.png

    Rules can be defined for when the telephone or work profile is locked and when it is deleted (factory reset). The user is prompted to activate the selected policy on the device. Otherwise, the device / work profile will be blocked or set to factory defaults / deleted.

    Caption Values Description
    Preference name passwordPolicies The password policies must be applied to the phone.

    Block action
    Block after x days 1 Number of days the policy may remain non-compliant before the device or work profile is blocked. To block access immediately, the value is set to 0.

    Wipe action
    Preserve FRP    If enabled, the factory settings reset protection is preserved in the profile. In the event of theft or loss, you must first log into your Google Account before the device can be reset to factory defaults. This setting does not work with work profiles.
    Wipe after x days 7 Number of days before the device or work profile is deleted if the policy (here: password policies) has not been implemented on the device. The wipe value must be greater than the block value.


    Apps on EMM-managed devices are configured within the profiles!

    The Apps menu has no effect on these profiles / devices!

     Add application

      Select app Selection of the desired apps. For our example: Nextcloud


    If a message appears next to the app logo, certain values can be passed to the app.
    (Not available on Nextcloud)
    See Manage configuration template

    Adopt the app with Select


    Caption Proposed value Description
    Package name com.nextcloud.client The package name of the app that was previously selected.
    Install type Pre install The app is automatically installed on the device
    Pre install The app is installed automatically, but can be removed by the user.
    Force install The app will be installed automatically and cannot be removed by the user.
    Block The app is blocked and cannot be installed. If the app was installed under a previous policy, it will be uninstalled.
    Available The app is available for installation.
    Required for setup The app installs automatically and cannot be removed by the user, preventing the setup from completing until the installation is complete.
    Kiosk The app is automatically installed in kiosk mode: it is set as the preferred home intent and whitelisted for lock-task mode. The device setup will not be completed until after the app has been installed. After installation, users can only use this app, which starts automatically and can no longer be removed. You can only set this installType for one application per policy. If this is present in the policy, the status bar is automatically disabled.
    Default permission policy Prompt If new, not explicitly granted or denied authorizations are required, the system asks for an authorization.
    Permissions  Add permission Individual permissions can be set differently than the previously configured default permission policy and overwrite their values.
    Permission / Expand or minimize an authorization
    Delete the permission
      Permission android.permission.
    The app needs access to the memory (this means internal memory and an additional SD card).
      Policy Grant The policy for granting authorisation.
      Permission android.permission.INTERNET The app should get access to existing internet connections.
      Policy Grant The policy for granting authorisation.
      Permission com.nextcloud.client.
    The app should be able to receive push messages via Firebase Cloud Messaging (formerly Google Cloud Messaging) (Cloud to Device → C2D)
      Policy Grant The policy for granting authorisation.
    If necessary, further authorizations must be granted or denied here.
    Note: In the »Approval« field, only those authorizations appear that the respective app requires and that are usually needed for proper operation. It is recommended to grant necessary permissions in advance and to allow all other permissions only on request (prompt). The »deny« option should only be used for selected authorizations where it is clear that the desired function of the app is not affected by this.
    Managed Configuration Template Manage configuration template Calls up a template from the app manufacturer in which various parameters can be transferred to the app, depending on what the manufacturer specifies. These can be fixed parameters and variables in email apps:
    Example for Gmail app:
    Email Address $emailaddress$ Variable
    Hostname or Host m.google.com Fixed parameter
    Username $emailaddress$ Variable (for Gmail accounts the username is the email address.)
    With other accounts / apps the variable $username$ can be used here.
    For this to work correctly, the button Substitute Wildcard variables (see below) must be activated!


    The values are taken from the user settings of the user to whom the respective device is assigned
    * Description: Example
    Username mmueller
    Email address mmueller@ttt-point.de
    First name Markus
    Last name Mueller
    First name and surname Markus Mueller
    custom value
    custom value
    custom value

  • %device_alias%


    Caption Proposed value Description:
    Substitute Wildcard variables    (Default) If activated, the content of the variables $username$ and $emailaddress$ is read from the user settings of the user to whom the respective device is assigned. A click box will appear in which all users to which this function is to be applied must be selected.
    An automatically generated profile is created for each user, but only the profile template can be edited.
    If the button is deactivated again, the generated user profiles become editable profiles.
    Automatic App Updates Always The policy enforced on a device to automatically update apps depending on the network connection: Apps should also be updated on devices that rarely or never return to a wireless network. The volume of data usually has little effect with standard volume tariffs.
    Default permission policy Prompt New or non-configured permissions are approved or denied by query.
    Disable the installation of apps    If activated, no installations or updates are possible, not even via the portal!
    Disable the uninstallation of apps    The user should not be able to uninstall any apps.
    Force App Verification    Enables Google Play Protect. This verifies that the app is in its original state and has not been tampered with compared to the version in the app store.
    Play Store Mode Whitelist Only apps that are configured here in the policy are available. Any app not included in this policy will be automatically uninstalled from the device.
    Blacklist means All apps in the Play Store are available, except for those configured here with Installation Type {ic



    Caption Default setting Description:

    Always on VPN
    Activate always on VPN    Always sets up a VPN. Enables further settings
    Package name de.securepoint.ms.agent The package name of the VPN app.
    Lockdown enabled    If the VPN is not connected, any network connection is prevented.

    Network configuration
    Network configurations + Add configuration Configuring Access Profiles for WiFi Networks
    Name ttt-point Headquarters The name of the configuration
    Type WiFi The configuration type is predefined


    SSID ttt-point-headquarter-WIFI The SSID of the network
    Security WPA-PSK High security level
    Password ••••••••••    "Even if it sounds trivial: WIFI.MyCompany.123 or Location.HouseNumber are not secure passwords! Also 1234 and abcd or qwertz are not really secure passwords!"
    Hidden SSID    Indicates whether the SSID is broadcast.
    Autoconnect    The device should automatically connect to the network.


    Status reporting

    Caption Default setting Description:
    Activate the status message    After you have activated this, you can set the configuration of the status reports
    Hardware Status    Indicates whether the hardware status message is enabled.
    Application Reports    Indicates whether app reports are enabled.
    Softwareinfo    Indicates whether software info reporting is enabled.
    Memory Info    Indicates whether memory reporting is enabled.
    Display information    Indicates whether the display of reports is enabled.
    Network information    Indicates whether the network info message is enabled.
    Device Settings    Indicates whether reporting is enabled for device settings.
    Power Management Events    Indicates whether power management event reporting is enabled.


    Restrictions within an Enterprise Profile

    Caption Input Description:

    Support Messages
    Short support message Deactivated by the IT department of ttt-Point AG A message that is displayed to the user on the settings screen when the functionality has been disabled by the administrator. The maximum message length is 4096 characters.
    Long support message Deactivated by the IT department of ttt-Point AG due to general security precautions. If you have any questions, please contact Support at: +49 4131-2401-0 A message displayed to the user. The maximum message length is 4096 characters. See figure above.
    Permitted input methods     If present, only the input methods provided by packages in this list are permitted. If this field is present but the list is empty, only system input methods are permitted.
    Location mode High accuracy
    Not specified The current device value is not changed. The user can change the value unless the user cannot access device settings.
    High accuracy All location detection methods are enabled, including GPS, networks and other sensors.
    Sensors only Only GPS and other sensors are active.
    Battery saving Only the network provider's location information is enabled.
    Off Location detection is disabled.
    Disable screen capture    In order to provide data protection, it should not be possible to take screenshots. This also includes blocking screen sharing applications and similar applications (e.g. Google Assistant) that use the system's screenshot functions.
    Disable camera    The camera should be deactivated by default.
    Deactivate factory reset    The reset to factory settings should be deactivated.
    Disable mounting physical media    The mounting of external physical media by the user is to be deactivated.
    Disable modifying accounts    Adding or removing accounts should be disabled.
    If this item is not enabled, the user can create another Google Account, log into the Play Store and install any software.
    Disable safe boot    In "safe mode", third-party apps are disabled. This makes unwanted settings possible! (Strictly speaking, this setting is not necessary because it is already forced by the Encryption:Activate with Password setting in the Basic Settings tab.)
    Disable bluetooth contact sharing    No contact data should leave the device via Bluetooth.
    Disable bluetooth configuration    The Bluetooth configuration should be deactivated.
    Disable cell broadcast configuration    The configuration of Cell Broadcast should be disabled.
    Disable mobile network configuration    The configuration of mobile radio networks should be disabled.
    Disable tethering configuration    The configuration of tethering and portable hotspots should be disabled.
    Disable VPN configuration    The configuration of VPN should be disabled.
    Disable Wi-Fi configuration    The configuration of WiFi access points should be disabled.
    Disable resetting network settings    Indicates whether network settings reset is disabled.
    Disable outgoing beam    The use of NFC to transfer data from apps should be disabled.
    Disable USB filetransfer    The transfer of files via USB should be deactivated.
    Allow debugging features    The user is allowed to enable debugging features.
    Skip hints on first user    Flag to skip hints on first use. The enterprise administrator can enable the system recommendation for apps to skip the user tutorial and other introductory hints on first start.
    Disable keyguard Camera Ignore trust agents Remote input Functions that are not available to the user in the lock screen.


    Password policies

    Password policies can be used for work profiles and fully managed devices.

    Caption Values Description:
    Scope The scope that the password requirement applies to.
    Device The policy applies only to fully managed devices
    Workprofile The policy only applies to work profiles
    Both The policy applies to fully managed devices as well as devices with a work profile.
    Passcode quality Numeric (complex) The required password quality.
    Not specified There are no password requirements.
    Biometric The device must be secured with at least low security biometric detection technology. This includes technologies that can recognize the identity of a person corresponding to a three-digit PIN (misidentification is less than 1 in 1,000).
    Something A password is required, but there are no restrictions on what the password must contain.
    Numeric The password may only consist of digits.
    Numeric (complex) The password may only consist of digits that do not contain repetitive (4444) or ordered (1234, 4321, 2468) sequences.
    Alphabetic The password must consist only of alphabetical characters (or symbols).
    Alphanumeric The password must consist of both digits and alphabetical characters (or symbols).
    Complex The password must contain at least a letter, a number and a special symbol. Other password restrictions, such as passwordMinimumLetters, are enforced.
    Minimum length The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when Passcode quality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
    Minimum letters Only required if Passcode quality is COMPLEX.
    Minimum lowercase letters Minimum number of lowercase letters required in the password. Only required if passwordQuality is COMPLEX.
    Minimum uppercase letters Minimum number of uppercase letters required in password. Only required if passwordQuality is COMPLEX.
    Minimum non letter characters Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced when passwordQuality is COMPLEX.
    Minimum numeric characters Minimum number of numerical digits required in the password. Only enforced when passwordQuality is COMPLEX.
    Minimum symbols Minimum number of symbols required in the password. Only enforced when passwordQuality is COMPLEX.
    Password history length 0 The length of the password history. After setting this field, the user won't be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
    Maximum failed attempts 10 Maximum number of failed attempts
    Expiration timeout 0s A duration for entering a password in seconds with up to nine decimal places (sic!), concluded with "s". Example: 3.5s
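
The Numeric (complex) rule from the table above, sketched as an added example that is not taken from the portal or from Android's code: a PIN is refused if it contains a run of digits with one constant step. The run limit of three digits and the function names are assumptions of this example, and the sample PINs are constructed.

```python
MAX_SEQUENCE = 3  # assumption of this example: longer constant-step runs are refused


def longest_sequence(pin):
    """Length of the longest run of digits with one constant step.

    Step 0 covers repeats (4444); steps such as +1, -1 or +2 cover
    ordered sequences (1234, 4321, 2468).
    """
    if len(pin) < 2:
        return len(pin)
    best, run, prev_step = 2, 1, None
    for a, b in zip(pin, pin[1:]):
        step = int(b) - int(a)
        # Extend the current run while the step stays the same, else restart it.
        run = run + 1 if step == prev_step else 2
        best = max(best, run)
        prev_step = step
    return best


def is_numeric_complex(pin, min_length=0):
    """True if the PIN is digits only, long enough, and free of long sequences."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) < min_length:
        return False
    return longest_sequence(pin) <= MAX_SEQUENCE


def rejected(pins, min_length=0):
    """Return the PINs from the list that the rule would refuse."""
    return [p for p in pins if not is_numeric_complex(p, min_length)]


# Constructed sample PINs: the four from the table plus edge cases.
SAMPLE_PINS = ["4444", "1234", "4321", "2468", "1235", "7291", "901357", "12ab"]

if __name__ == "__main__":
    print(rejected(SAMPLE_PINS))
```

Note that 901357 is refused because of the embedded run 1-3-5-7, while 1235 passes because its longest run is only three digits.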


    Security    The Security tab is only available if a Mobile Security license is present
    EMM licenses do not have VPN functionality that enables these security functions.


    With    Activation, the Securepoint Mobile Security app is added or removed in the Applications tab and can be configured here.
    This is required to configure the security settings.

    Numerous settings that control the security of web applications are configured here.

    Configuration by clicking on Activate security   

    Action Default Description
    Region Germany / EU Geographical assignment of the VPN endpoint
    Protocol TCP Protocol used for VPN tunnel.
    Portfilter Type Selection Filter network traffic based on network ports.
    Communication VPN


    Port-Collection Port Protocol Application
    Administrative Tools 21 TCP ftp
    3389 TCP ms-rdp
    23 TCP telnet
    5900 TCP vnc
    22 TCP ssh
    5938 TCP/UDP teamviewer
    Communication 3478-3481 UDP Skype
    49152-65535 UDP
    49152-65535 TCP
    5222 TCP Google Push-Notifications
    5223 UDP
    5228 TCP
    7070-7089 UDP
    VPN 1194 TCP OpenVPN
    1194 UDP
    500 UDP IPSec
    4500 UDP & ESP
    1701 UDP L2TP
    Mail 25 TCP smtp
    587 TCP
    465 TCP smtps
    110 TCP pop3
    995 TCP
    143 TCP imap
    993 TCP
    SSL interception Default SSL traffic from web pages listed in the content filter whitelist is not intercepted, other pages are checked using SSL interception.
    Content-Filter-Whitelist Remote maintenance Click box: Web pages that are to be added to a whitelist. Possible entries: Contentfilter
    Content-Filter-Blacklist Default-Values

    Hacking Proxy

    Threat Intelligence Feed

    Click box: Websites that are to be added to a blacklist.
    Disable for SSIDs ttt-point-headquarter-WiFi Enter WiFi SSIDs for which the security features shall be disabled.
    Allow Suspend Always-On-VPN    The user shall not be allowed to temporarily deactivate the VPN.

    Allow other VPN profiles    Adding other VPN profiles in addition to the Securepoint Security profile shall not be allowed.
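
Several constraints stated in the tables above can be checked before a profile is rolled out: maximum time to lock below 600 seconds, wipe delay greater than block delay, Kiosk for one application per policy, and password minimums that depend on the passcode quality. The following linter is an added example, not Securepoint code; the dictionary layout and key names are hypothetical, and the sample profile is constructed.

```python
# Added example. The dict layout and key names are hypothetical (chosen for this
# sketch); they are not the portal's own export format.
LENGTH_QUALITIES = {"NUMERIC", "NUMERIC_COMPLEX", "ALPHABETIC", "ALPHANUMERIC", "COMPLEX"}
COMPLEX_ONLY = ("min_letters", "min_lowercase", "min_uppercase",
                "min_non_letter", "min_numeric", "min_symbols")


def lint_profile(profile):
    """Return findings for settings the tables describe as invalid or not enforced."""
    findings = []

    # General settings: "Only values that are below 600 seconds are realised."
    lock = profile.get("max_time_to_lock_s")
    if lock is not None and lock >= 600:
        findings.append(f"max_time_to_lock_s={lock}: only values below 600 are realised")

    # Compliance: the wipe delay must be greater than the block delay.
    for rule in profile.get("compliance_rules", []):
        block, wipe = rule["block_after_days"], rule["wipe_after_days"]
        if wipe <= block:
            findings.append(f"{rule['preference']}: wipe_after_days={wipe} "
                            f"is not greater than block_after_days={block}")

    # Applications: Kiosk may be set for one application per policy only.
    kiosk = [app["package"] for app in profile.get("applications", [])
             if app.get("install_type") == "KIOSK"]
    if len(kiosk) > 1:
        findings.append(f"install_type KIOSK set for {len(kiosk)} apps: {', '.join(kiosk)}")

    # Password policies: some fields take effect only for certain qualities.
    for policy in profile.get("password_policies", []):
        quality = policy.get("quality", "UNSPECIFIED")
        if policy.get("min_length", 0) > 0 and quality not in LENGTH_QUALITIES:
            findings.append(f"min_length is not enforced for quality {quality}")
        ignored = [key for key in COMPLEX_ONLY if policy.get(key, 0) > 0]
        if ignored and quality != "COMPLEX":
            findings.append(f"{', '.join(ignored)} ignored for quality {quality}")
    return findings


# Constructed sample profile with five deliberate conflicts.
SAMPLE = {
    "max_time_to_lock_s": 900,
    "compliance_rules": [
        {"preference": "passwordPolicies", "block_after_days": 7, "wipe_after_days": 7}],
    "applications": [
        {"package": "com.nextcloud.client", "install_type": "KIOSK"},
        {"package": "de.securepoint.ms.agent", "install_type": "KIOSK"}],
    "password_policies": [
        {"scope": "DEVICE", "quality": "NUMERIC_COMPLEX", "min_length": 6, "min_symbols": 1},
        {"scope": "WORK_PROFILE", "quality": "SOMETHING", "min_length": 4}],
}

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE):
        print("FINDING:", finding)
```

A profile that uses the values proposed in the tables (120 seconds, block after 1 day, wipe after 7 days, Numeric (complex)) produces no findings.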

