Configuration Profiles

Managing profiles for iOS or Android devices in the Mobile Security Portal

Last adaptation to the version: 1.5.3.2 (07.2020)

New

Delay software updates

Preamble

In a profile, permissions, restrictions, password requirements, e-mail settings and security settings are configured.

Several users or user groups (roles) can be assigned to a profile.
Many devices or device groups (devices designated by tags) can be assigned to a profile.
For a large number of devices and users it is recommended to map the assignment via groups.

Overview of profile management

In the profile overview new profiles can be created, existing ones can be edited and deleted. The view of the profiles can be displayed in the list or tile view. You can also view details of existing profiles, update the list of profiles, and publish profiles.

General Options

Filter displayed profiles Filter Search	The search criteria can be filtered to specific areas: all Devices Platform tags roles used User
Add profile Add profile	Creates a new profile. The settings in the profile vary depending on the operating system. See Edit iOS / Edit Android
Publish profile Publish profiles	The transmission may take a few minutes. The changes to a profile must be published so that they can be transmitted to the devices.
Import profile Import profiles	Show details
Show details	List view / Grid view
List view / Grid view /	Switch between lists and grid view.
Refresh	Refresh the display

Profile tile

The button at the top right of each profile tile provides the following options:

Edit	Editing the settings (see below)
Export	Exporting the settings
Kopieren	Copying the profile to the clipboard
Revoke	The profile is withdrawn, i.e. it is no longer available on the devices, but can be configured.
Delete	The profile is deleted.

Details displayed in the profile tile:

Updated Changes have been made to the profile that have not yet been published!

PARTIALLY INSTALLED The transfer of the profile could not be completed completely.

Platform iOS, Android or Android Enterprise

Roles Roles

Users User

Devices Devices

Tags Tags

Parts Restrictions | Security

Copy & paste of profiles

Click on the logo of the profile tile to mark it. In the general options, another field now appears under the filter mask:

Action for selected items

Please choose

Execute the selected action with Ok

Copy

Copies one or more selected profiles to the clipboard.

Delete

Deletes one or more selected profiles

New button

Paste

Inserts a copy of a profile from the clipboard.

This also works from one tenant / customer to another as long as they are assigned to the same reseller account.

iOS profile

General

General Settings

Caption	Values	Description
Platform	iOS	Device OS. When creating a new profile, Android Enterprise can also be selected here. tab and Functions differ depending on the selected operating system.
Name	Name	Profilname
Priority	5	The higher the number, the higher the priority. Is only used if a device is affected by multiple profiles.
Roles	Add roles	Klick-Box: The profile will be assigned to all devices of all users with these roles
Users	Add users	The profile will be assigned to all devices from these users
Devices	Add devices	The profile will be assigned to these devices
Tags	Add tags	The profile will be assigned to all devices with these Tags
Comment	Comment	Kommentar

Save

Shared devices

Information that can be displayed on the login screen and lock screen.
Devices used by different people Shared device in Apple terminology can thus display accessible information for everyone (e.g. an inventory number).

caption:	Default	description:
Activate configuration		After setting this, you can set the shared device configuration. The Shared Device Configuration Payload allows you to specify optional text displayed on the login window and lock screen (i.e. a ”If Lost, Return To” message and Asset Tag Information). It is supported on iOS 9.3 and later.
Lockscreen footnote		Optional. A footnote displayed on the login window and lock screen.
Asset Tag Information		Optional. Asset tag information for the device, displayed on the login window and lock screen.

Save

Network

Network configurations

In this section, access profiles for WiFi networks can be configured and pushed to the device.

Add a network configuration with Konfiguration hinzufügen

Caption	Values	Description
Name	Name	Name of the configuration
Type	WiFi	Configuration type (WiFi predefined)
SSID	SSID	The SSID of the network
Security		Security Level
	None	no security
	WEP-PSK	insecure
	WPA-PSK	secure
Password	Password	The networks passphrases. Hidden with placeholders<.br> shows the password in plain text.
Hidden SSID		Specifies whether the SSID of the network is visible (button off) or hidden (button on).
Autoconnect		Enable to automatically connect the device to the network.

Finish the configuration with Save

App-Lock

The app lock activates the guided mode which limits the device to a single app. In this state - also called kiosk mode - you can control which app functions are available.

Activate configuration

The last column (SO) indicates if this function is only available in supervised mode (supervised only) .

caption:	Default	description:
Identifier	Default:	The bundle identifier of the application.
Options
Disable touch	Default:	If true, the touch screen is disabled.
Gerätedrehung deaktivieren	Default:
Deaktivieren Sie die Lautstärketasten	Default:
Klingelschalter deaktivieren	Default:
Deaktivieren Sie de Sleep-Wake-Button	Default:
Deaktivieren Sie die automatische Sperre	Default:
Voice-Over aktivieren	Default:
Zoom aktivieren	Default:
Invertieren von Farben aktivieren	Default:
Assistive touch aktivieren	Default:
Sprachauswahl aktivieren	Default:
Mono-Audio aktivieren	Default:
User Enabled Options
Voice-Over	Default:
Zoom	Default:
Farben invertieren	Default:
Assistive touch	Default:

Finish the configuration with Save

Restrictions

Configuration by clicking on Activate restrictions

Numerous restrictions can be configured to control the behavior of a device.

List of possible restrictions with default values and explanations

General restrictions

Neu ab v1.5.3.2:

Links aktiv, wenn Liste eingeblendet

Delay software updates

The last column (SO) indicates if this function is only available in supervised mode (supervised only) .

Restriction	Default	Explication	(Supervised mode only) SOSO
Restrict App Usage (supervised only). (supervised only)	Default: Allow all apps Do not allow specific apps Do allow only specific apps	Konfiguriert, ob für Apps keine Einschränkung, eine Blacklist oder eine Whitelist verwendet wird.	Supervised mode only ✓
Blacklisted Apps Whitelisted Apps	Clickbox for selecting apps	Depending on the selection in the line above: Blacklisted Apps / Whitelisted Apps 'Searches the entire app store for possible apps.	Supervised mode only ✓
Allow Account Modification	Default:	If set to false, account modification is disabled. (Supervised only)	Supervised mode only ✓
Allow QuickPath Keyboard	Default:	If set to false, disables QuickPath keyboard.
Allow Network access for Files	Default:	If set to false, prevents connecting to network drives in the Files app.
Allow USB drive for Files	Default:	If set to false, prevents connecting to any connected USB devices in the Files app.
Allow Find My Device	Default:	If set to false, disables Find My Device in the Find My app.
Allow Find My Friends	Default:	If set to false, disables Find My Friends in the Find My app.
Force WiFi on	Default:	If set to true, prevents Wi-Fi from being turned off in Settings or Control Center, even by entering or leaving Airplane Mode. It does not prevent selecting which Wi-Fi network to use.
Allow App Removal	Default:	Allows the user to remove apps (supervised only)	Supervised mode only ✓
Allow Trusting Enterprise Apps	Default:	Allows the user to trust enterprise apps. (Apps that can be deployed without the iTunes App Store and don't need to be authorized by Apple)
Allow Explicit Content	Default:	Allows the user to access explicit content. When activated, the SafeSearch function is switched off by search engines.
Allow Screenshots and Screen Recording	Default:	Allows the user to take screenshots or screen recordings
Allow Remote Screen Observation	Default:	Allows you to observe the screen in a classroom, for example.	x
Allow use of iMessage	Default:	Allow use of iMessage (Supervised mode only)	Supervised mode only ✓
Allow Bookstore	Default:	If this value is set to false, the iBookstore will be disabled. (Supervised mode only).	Supervised mode only ✓
Allow Bookstore Erotica	Default:	If set to false, the user will not be able to download media from the iBookstore that is tagged as erotica. (Supervised mode only).	Supervised mode only ✓
Allow Apple Music	Default:	If set to false, Apple Music will be disabled in the Music app.	x
Allow iTunes Radio	Default:	If set to false, iTunes Radio will be disabled in the Music app.
Allow Shared Stream	Default:	If set to false, the shared stream is disabled.
Allow Wallet While Locked	Default:	If set to false, Wallet notifications will not be shown on the lock screen.
Allow UI Configuration Profile Installation	Default:	If set to false, the user is prohibited from installing configuration profiles and certificates interactively. (Supervised mode only).	Supervised mode only ✓
Allow use of iTunes	Default:	Allows the user to use iTunes
Allow use of News	Default:	Allows the user to access and use News
Allow use of Safari	Default:	Allows the user to use Safari
Allow Game Center	Default:	Allows the Game Center (Supervised mode only).	Supervised mode only ✓
Allow Adding Game Center Friends	Default:	Allows the user to add Friends on Game Center
Allow modifying Bluetooth settings	Default:	Allow modifying Bluetooth settings
Allow Modifying Cellular Data Usage for Apps Settings	Default:	Allows modifying cellular data usage for apps settings
Allow Modifying Device Name	Default:	Allows the user to change device names.
Allow Modifying Wallpaper	Default:	Allows you to change the background image. (Supervised mode only)	Supervised mode only ✓
Allow Configuring Restrictions	Default:	Allows the user to configure restrictions. (Supervised mode only)	Supervised mode only ✓
Allow Automatic Sync While Roaming	Default:	Allows automatic synchronization during roaming.
Allow iCloud Sync for Managed Apps	Default:	Allows iCloud synchronization for managed apps.
Allow Enterprise Books Backup	Default:	Allows Enterprise books to be backed up.
Allow Enterprise Books Notes and Highlights Sync	Default:	Allows Enterprise Books to synchronize notes and highlights.
Allow In App Purchases	Default:	Allows the user to make purchases within applications
Allow Multiplayer Gaming	Default:	Allows Multiplayer Gaming
Allow voice dialing while device is locked	Default:	Allows voice dialing while device is locked
Force Apple Watch Wrist Detection	Default:	Forces Apple Watch Wrist Detection
Allow Pairing With Apple Watch	Default:	Allows Pairing With Apple Watch
Allow Erase All Content and Settings	Default:	If set to false, the user cannot choose the option "Erase All Content and Settings" in Settings → General → Reset (Supervised mode only)	Supervised mode only ✓
Allow Internet results in Spotlight	Default:	If set to false, search results from the web will not be shown in Spotlight.
Allow iCloud Document Sync	Default:	Allows document syncing with iCloud
Allow user to accept untrusted TLS certificates	Default:	Allows user to accept untrusted TLS certificates
Allow Photo Stream	Default:	Allows Photo Stream to be used on the device
Allow iCloud Photo Library	Default:	Allows iCloud Photo Library to be used on the device
Allow iCloud Backup	Default:	Allows backup using iCloud
Require iTunes password for all purchases	Default:	Require the user's iTunes password to be entered for every purchase
Apps Ranking Number	1000	Ranking number for apps
Movies Ranking Number	1000	Ranking number for movies
TV Shows Ranking Number	1000	Ranking number for TV Shows
Region Code	Germany	Two-character code for the region used to specify ratings
Accept Cookies in Safari	Never	Accepting cookies Does not accept cookies
	From current website only (iOS 8) or visited sites (pre-iOS 8)	Depending on iOS version: from iOS 8: Only from current website from iOS 8: Only from visited pages
	From websites I visit	Accepts cookies from all visited websites
	Alwys	Accepts all cookies
Allow AutoFill in Safari	Default:	Allows autocomplete in Safari browser.
Allow JavaScript	Default:	AllowS JavaScript in Safari
Allow Pop-ups	Default:	AllowS Pop-ups in Safari
Enable Fraud Warning	Default:	Enables fraud warning in Safari
Allow Predictive Keyboard	Default:	Allows Predictive Keyboard (Supervised mode only)	Supervised mode only ✓
Allow Keyboard Shortcuts	Default:	Allows Keyboard Shortcuts (Supervised mode only)	Supervised mode only ✓
Allow Auto Correction	Default:	Allows Auto Correction (Supervised mode only)	Supervised mode only ✓
Allow Spell Check	Default:	Allows Spell Check (Supervised mode only)	Supervised mode only ✓
Allow Define	Default:	Allows Define(Supervised mode only)	Supervised mode only ✓
Enable allow open from unmanaged to managed	Default:	Allows managed apps to access unmanaged documents.
Enable allow open from managed to unmanaged	Default:	Allows unmanaged apps to access managed documents.
Treat AirDrop as Unmanaged Destination	Default:	When activated, protected (managed) data is prevented from leaving the device unauthorized by Airdrop.
Allow Handoff	Default:	If this value is set to "false", handoff is deactivated. Handoff allows you to continue an activity started on an iOS-device on another device.
Touch ID/Face ID zum Entsperren erlauben	Default:	Allow Touch ID/Face ID to Unlock Device
Allow Modifying Notifications Settings	Default:	Allows Modifying Notifications Settings
Allow incoming AirPlay requests	Default:	Allows incoming AirPlay requests
Allow pairing with Remote app	Default:	Allows pairing with Remote app
Allow dictation	Default:	Allows dictation
Allow Camera Use	Default:	Allows the user to use the camera
Video-Konferenz erlauben	Default:	Allow Video Conferencing
Allow Siri	Default:	Allows Siri
Allow Siri While Locked	Default:	Allows Siri while device is locked
Allow Siri User Generated Content	Default:	When false, prevents Siri from querying user-generated content from the web.
Enable Siri Profanity Filter	Default:	Enables Siri Profanity Filter (Supervised mode only)	Supervised mode only ✓
Allow App Installation from Apple Configurator and iTunes	Default:	Allow only a connected Mac host to install applications
Allow Automatic App Downloads	Default:	Allows Automatic App Downloads (Supervised mode only)
Force Delayed Software Updates	Default:	If set to true, delays user visibility of Software Updates. (Supervised only)	Supervised mode only ✓
Software Update Delay in days	Default: 30	This restriction allows the admin to set how many days a software update on the device will be delayed. With this restriction in place, the user will not see a software update until the specified number of days after the software update release date. (Supervised only)	Supervised mode only ✓
Allow Automatic App Downloads	Default:	Allow the user to install applications
Allow Modifying Passcode	Default: Default:	The user is allowed to change the pass code. (Supervised mode only)	Supervised mode only ✓
Allow Modifying Touch ID/Face ID	Default:	The user is allowed to change the Touch ID/Face ID.	Supervised mode only ✓
Allow diagnostic submission	Default:	Send diagnostic and usage stats to Apple
Allow modifying diagnostics settings	Default:	The user is allowed to change the diagnostic settings.

Classroom-App

The Classrom App is available free of charge in the App-Store and offers possibilities for use in school classes.
Important restrictions can be configured here.

Restriction	Default	Explication
Remote-Bildschirmbeobachtung zulassen	Default:	Wenn nicht erlaubt, wird die Remote-Bildschirmbeobachtung durch die Classroom-App deaktiviert. Wenn Screenshots deaktiviert sind, beobachtet die Classroom-App keine Remote-Bildschirme.
Erzwingen, dass Kursen automatisch beigetreten werden	Default:	Wenn erzwungen, werden die Anfragen des Lehrers automatisch akzeptiert, ohne dass der Schüler dazu aufgefordert wird.
Erzwinge die Erlaubnis, Klassen zu verlassen	Default:	Wenn erzwungen, muss ein Schüler, der über das Classroom in einen nicht verwalteten Kurs eingeschrieben ist, den Lehrer um Erlaubnis bitten, um den Kurs zu verlassen.
Erzwingen der App- und Gerätesperre	Default:	Wenn erzwungen, kann der Lehrer Apps oder das Gerät sperren, ohne den Schüler dazu aufzufordern.
Bildschirmbeobachtung erzwingen	Default:	Wenn erzwungen wird und eine Fernüberwachung des Bildschirms erlaubt ist, erteilt ein Schüler, der über die Classroom-App in einem verwalteten Kurs eingeschrieben ist, automatisch die Erlaubnis, den Bildschirm zu beobachten, ohne aufgefordert zu werden.

Save

Passcode

Settings Passcode

Configuration by clicking on Activate Passcode

Operation

Default

Description

Require Passcode on Device

Enforces the use of a passcode before using the device

Set maximum number of failed attempts

Number of passcode entry attempts allowed before all data on device will be erased

Maximum Number of Failed Attempts 11

Set auto-lock

The number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system

Automatic lock after 15 minutes

Set maximum passcode age

The number of days for which the passcode can remain unchanged 730

Restrict password complexity

Allows restricting password complexity


Allow Simple Value		Permits the use of repeating, ascending, and descending character sequences
Require Alphabetic Value		Require passcodes to contain at least one letter
Minimum Number of Complex Characters	0	Smallest number of non-alphanumeric characters allowed
Minimum Passcode Length	0	Smallest allowable number of characters in passcode

Use Passcode History

Allows defining the number of different passcodes required between the reuse of passcodes


Passcode History	1	Number of unique passcodes required between passcode reuse

Use grace period for device lock

Allows defining the maximum time in minutes to unlock the phone


Grace period for device lock	-1	The maximum grace period, in minutes, to unlock the phone without entering a passcode. The default value -1 pretends iOS does not apply a time limit.

Save

Exchange ActiveSync

Settings Exchange ActiveSync

It is possible to retrieve emails via https connections.

Configuration by clicking on Activate exchange

Operation	Default	Description
Activate exchange		After setting this, you can set exchange policies
Exchange accounts	Add account	Add exchange accounts
Account Name		The display name of the user (e.g. "John Appleseed"). You also can use following variables: %device_user_name%, %device_user_firstname%, %device_user_lastname%
Exchange ActiveSync Host	Enter host	Host name or IP address of the Exchange server.
Past Days of Mail to Sync	Forever	synchronization period
Use SSL		Send all communication through Secure Socket layer
Email Address	Select Email Address	The address of the account to be synchronized (e.g. "john@company.com"). New The entry %device_email% reads the email address from the user settings of the user to whom the device is assigned.
Domain\User	Username	Domain\user (e.g.: ttt-point.local\user ). The field must remain empty if the device is to ask. New The entry %device_user%} reads the user names from the user settings of the user to whom the respective device is assigned.
Password	Password	The password for the account
Payload Certificate UUID	Select certificate	UUID of the certificate that is used for authentication.
Prevent Move		If set to true, messages may not be moved out of this email account into another account.
Prevent App Sheet		If set to true, this account will not be available for sending mail in third party applications
Allow Mail Drop		If set to true, this account is allowed to use Mail Drop.
S/MIME Enabled		If set to true, this account will support S/MIME
S/MIME Signing Enabled		If set to true, this account will enable message signing.
S/MIME Encryption Enabled		If set to true, this account will support message encryption.
S/MIME Enable Per-Message Switch		If set to true, enable the per-message encryption switch.
Disable Mail Recents Syncing		If set to true, this account is excluded from address Recents syncing.

Save

Operation	value:
Exchange ActiveSync Host	outlook.office.de
Use SSL
Email Address	support.ttt-point.onmicrosoft.de
Domain\User	support.ttt-point.onmicrosoft.de
Password	The password for the account

Email

Settings Email

Several mail accounts can be set up in the email settings.
These settings affect IMAP or POP3 accounts.
Settings for Exchange ActiveSync must be made in the corresponding tab!

Configuration by clicking on Activate Email

Operation

Default

Description

Activate Email

After setting this, you can set Email configurations

Email accounts

Add account

Add email accounts

Account Description

The display name of the account (e.g. "Company Mail Account")

Account Name

The display name of the user (e.g. "John Appleseed")
New The display name can be combined with the variable %device_user_name%. The variable reads from the user settings of the user to whom the respective device is assigned the fields first name and last name. e.g.: %device_user_name% | ttt-Point AG → Martin Müller | ttt-Point AG

Email Address

The address of the account (e.g. "john@company.com")
New The entry %device_email% reads the email address from the user settings of the user to whom the device is assigned.

Prevent Move

If set to true, messages may not be moved out of this email account into another account.

Disable Mail Recents Syncing

If set to true, this account is excluded from address Recents syncing.

Allow Mail Drop

If set to true, this account is allowed to use Mail Drop.

Prevent App Sheet

If set to true, this account will not be available for sending mail in third party applications

S/MIME Enabled

If set to true, this account will support S/MIME

S/MIME Signing Enabled

If set to true, this account will enable message signing.

S/MIME Encryption Enabled

If set to true, this account will support message encryption.

S/MIME Enable Per-Message Switch

If set to true, enable the per-message encryption switch.

Incoming mails

Operation

Default

Description

Mailserver

Hostname or IP Address

Port

993

Port number for incoming mail

Account Type

IMAP

POP

The protocol for accessing the email account

Username

Select user

The username used to connect to the server for incoming mail
New The entry %device_user%} reads the user names from the user settings of the user to whom the respective device is assigned.

Path Prefix

Path prefix for IMAP mail server

Incoming Mail Server Authentification

authentication method

The authentication method for the incoming mail server
None
Password
CrammD5
NTLM
HTTPMD5

Password

The password for the incoming mail server

Use SSL

Send outgoing mail through Secure Socket Layer

Outgoing mails

Operation

Default

Description

Mail Server

Hostname or IP address for outgoing mail

Port

587

The port number for outgoing mail

Username

Select user

The username used to connect to the server for outgoing mail.
New The entry %device_user%} reads the user names from the user settings of the user to whom the respective device is assigned.

authentication type

authentication method

The authentication method for the outgoing mail server
Password
CrammD5
NTLM
HTTPMD5

Outgoing Password Same As Incoming

SMTP authentication uses the same password as POP/IMAP


Password	Password	The password for the outgoing mail server

Use SSL

end outgoing mail through Secure Socket Layer

Save

Datei:MSP v1.5.3.2 Profile iOS Zertifikate-en-en.png

Certificates

Caption	Values	Description
Certificates	Select certificates

Security

Settings Security

Numerous settings are configured, that control the security of web applications.

Configuration by clicking on Activate security

Aktion

Default

Beschreibung

Region

Germany / EU

Geographical assignment of the VPN endpoint

Protocol

TCP

Protocol used for VPN tunnel. TCP or UDP

Portfilter Type

Filter network traffic based on network ports.

Open

all ports are open

Closed

Only port 80 (http) and 443 (https) are enabled.

Selection

Port filter rule selection: Specify which port collections are open for network traffic:

Port-Collection	Port	Protocol	Application
✕ Administrative Tools	21	TCP	ftp
	3389	TCP	ms-rdp
	23	TCP	telnet
	5900	TCP	vnc
	22	TCP	ssh
	5938	TCP/UDP	teamviewer
✕ Communication	3478-3481	UDP	Skype
	49152-65535	UDP
	49152-65535	TCP
	5222	TCP	Google Push-Notifications
	5223	UDP
	5228	TCP
✕ VOIP	5060	UDP	SIP/RTP
✕ VOIP	7070-7089	UDP	SIP/RTP
✕ VPN	1194	TCP	OpenVPN
	1194	UDP	OpenVPN
	500	UDP	IPSec
	4500	UDP & ESP	IPSec
	1701	UDP	L2TP
✕ Mail	25	TCP	smtp
	587	TCP	smtp
	465	TCP	smtps
	110	TCP	pop3
	995	TCP	pop3
	143	TCP	imap
	993	TCP	imap

SSL interception

Default

Defines whether or not to intercept SSL traffic. The default value is to intercept traffic based on content filter response.

Content-Filter-Whitelist

Add entries

Click box: Web pages that are to be added to a whitelist. Possible entries: Contentfilter

Content-Filter-Blacklist

Add entries

Click box: Websites that are to be added to a blacklist.

Disable for SSIDs

Add SSIDs

Enter WLAN SSIDs for which the security features shall be disabled.

Disable for IP addresses

Add IPs

IP addresses or networks can be entered for which the security functions are to be deactivated, i.e. the individual host 192.0.2.192/32 or the entire subnet 192.0.2.0/24. For address blocks with less than three digits, a dot must be entered or navigated within the mask using the cursor keys.

Allow Suspend Always-On-VPN

Allows the user to temporary disable the VPN-Connection. If not activated manually, the VPN will resume at a time chosen by the user.

Appconfiguration

Allow other VPN profiles

Allows adding other VPN profiles in addition to the security profile

Save

Android Profile

Android devices from version 10 (Q) are exclusively administered with Android Enterprise Profiles.

General

Settings general

In addition to the name and the platform, the assignment to groups, users or devices can also be configured in the general settings.

Caption	Values	Description
Platform	ANDROID	Device OS. When creating a new profile, iOS can also be selected here. tab and Functions differ depending on the selected operating system.
Name	Name	Profilname
Priority	5	The higher the number, the higher the priority. Is only used if a device is affected by multiple profiles.
Roles	Add roles	Klick-Box: The profile will be assigned to all devices of all users with these roles
Users	Add users	The profile will be assigned to all devices from these users
Devices	Add devices	The profile will be assigned to these devices
Tags	Add tags	The profile will be assigned to all devices with these Tags
Comment	Comment	Kommentar

Save

Network

Network configurations

In this section, access profiles for WiFi networks can be configured and pushed to the device.

Add a network configuration with Konfiguration hinzufügen

Caption	Values	Description
Name	Name	Name of the configuration
Type	WiFi	Configuration type (WiFi predefined)
SSID	SSID	The SSID of the network
Security	no security None insecure WEP-PSK secure WPA-PSK	Security Level no security insecure secure
Password	Password	The networks passphrases. Hidden with placeholders<.br> shows the password in plain text.
Hidden SSID		Specifies whether the SSID of the network is visible (button off) or hidden (button on).
Autoconnect		Enable to automatically connect the device to the network.

Finish the configuration with Save

Restrictions

Settings Restrictions

Configuration by clicking on Activate restrictions

Restriction	Default	Explication
Enable Camera Restrictions		After setting this, no applications will be able to access any cameras on the device.
Enable Storage Encryption		This profile controls encryption of the secure (application data) storage area. Data written to other storage areas may or may not be encrypted, and this profile does not require or control the encryption of any other storage areas. Important Note: On some devices, it is possible to encrypt storage without requiring the user to create a device PIN or Password. In this case, the storage is encrypted, but the encryption key may not be fully secured. For maximum security, the administrator should also require a password.

Due to Google requirements, it is no longer possible to switch off Bluetooth and WLAN connections! Save

Passcode

Settings Passcode

Configuration by clicking on Activate Passcode

Operation	Default	Description
Minimum password length	No password required	Attention Attention The current password remains until the user sets a new one. The change therefore does not take effect immediately. (Values from 4 to 30 are possible)
Password Quality	Unspecified	After setting this, the user will not be able to enter a new password that is not at least as restrictive as what has been set. Attention Note that the current password will remain until the user has set a new one, so the change does not take place immediately. Quality constants are ordered so that higher values are more restrictive; thus the highest requested quality constant (between the profile set here, the user's preference, and any other considerations) is the one that is in effect. Something Numeric Numeric Complex Alphabetic Alphanumeric Complex
Maximum Failed Passwords For Wipe		Setting this to a value greater than zero enables a built-in profile that will perform a device wipe after too many incorrect device-unlock passwords have been entered.

Save

Security

Settings Security

Numerous settings are configured, that control the security of web applications.

Configuration by clicking on Activate security

Aktion

Default

Beschreibung

Region

Germany / EU

Geographical assignment of the VPN endpoint

Protocol

TCP

Protocol used for VPN tunnel. TCP or UDP

Portfilter Type

Filter network traffic based on network ports.

Open

all ports are open

Closed

Only port 80 (http) and 443 (https) are enabled.

Selection

Port filter rule selection: Specify which port collections are open for network traffic:

Port-Collection	Port	Protocol	Application
✕ Administrative Tools	21	TCP	ftp
	3389	TCP	ms-rdp
	23	TCP	telnet
	5900	TCP	vnc
	22	TCP	ssh
	5938	TCP/UDP	teamviewer
✕ Communication	3478-3481	UDP	Skype
	49152-65535	UDP
	49152-65535	TCP
	5222	TCP	Google Push-Notifications
	5223	UDP
	5228	TCP
✕ VOIP	5060	UDP	SIP/RTP
✕ VOIP	7070-7089	UDP	SIP/RTP
✕ VPN	1194	TCP	OpenVPN
	1194	UDP	OpenVPN
	500	UDP	IPSec
	4500	UDP & ESP	IPSec
	1701	UDP	L2TP
✕ Mail	25	TCP	smtp
	587	TCP	smtp
	465	TCP	smtps
	110	TCP	pop3
	995	TCP	pop3
	143	TCP	imap
	993	TCP	imap

SSL interception

Default

Defines whether or not to intercept SSL traffic. The default value is to intercept traffic based on content filter response.

Content-Filter-Whitelist

Add entries

Click box: Web pages that are to be added to a whitelist. Possible entries: Contentfilter

Content-Filter-Blacklist

Add entries

Click box: Websites that are to be added to a blacklist.

Disable for SSIDs

Add SSIDs

Enter WLAN SSIDs for which the security features shall be disabled.

Disable for IP addresses

Add IPs

IP addresses or networks can be entered for which the security functions are to be deactivated, i.e. the individual host 192.0.2.192/32 or the entire subnet 192.0.2.0/24. For address blocks with less than three digits, a dot must be entered or navigated within the mask using the cursor keys.

Allow Suspend Always-On-VPN

Allows the user to temporary disable the VPN-Connection. If not activated manually, the VPN will resume at a time chosen by the user.

Appconfiguration

Allow other VPN profiles

Allows adding other VPN profiles in addition to the security profile

Save

Configuration Profiles

Contents

Preamble

Overview of profile management

General Options

Filter displayed profiles

Add profile

Publish profile

Import profile

Show details

List view / Grid view

Refresh

Profile tile

Profile Options

edit

Export

Copy

Revoke

delete

Details displayed in the profile tile:

Copy & paste of profiles

iOS profile

General iOS

Shared devices

Network

App-Lock

Restrictions

General restrictions

Classroom-App

Passcode

Exchange ActiveSync

Email

Certificates

Security iOS

Android Profile

General android

Networks Android

Restrictions Android

Passcode Android

Security Android