Configuration Profiles

→ Martin Müller | ttt-Point AG

Managing profiles for iOS or Android devices in the Mobile Security Portal

Last adaptation to the version: 1.4.8 (11.2019)

New:

• iOS profiles: Configuration of Exchange ActiveSync and email with placeholder variables for user name and email address
• Copy & paste of profiles (from v.1.4.8 09.2019)
• WLAN profiles can be pushed in the Networks tab (from v.1.4.7 07.2019)
• The region can be defined for Switzerland in the Security tab. (from v.1.4.7 07.2019)
• Android devices from version 10 (Q) are exclusively administered with Android Enterprise Profiles. 

Preamble

In a profile, permissions, restrictions, password requirements, e-mail settings and security settings are configured.

Several users or user groups (roles) can be assigned to a profile.
Many devices or device groups (devices designated by tags) can be assigned to a profile.
  For a large number of devices and users it is recommended to map the assignment via groups.  

Overview of profile management

Overview of profile management

In the profile overview new profiles can be created, existing ones can be edited and deleted. The view of the profiles can be displayed in the list or tile view. You can also view details of existing profiles, update the list of profiles, and publish profiles.

General Options

Profile tile

Profile tile

The button at the top right of each profile tile provides the following options:

Details displayed in the profile tile:

Copy & paste of profiles

Click on the logo of the profile tile to mark it. In the general options, another field now appears under the filter mask:

iOS profile

Network configurations

In this section, access profiles for WiFi networks can be configured and pushed to the device.

Add a network configuration with   Konfiguration hinzufügen

Finish the configuration with   Save

Restrictions

Configuration by clicking on Activate restrictions   

Numerous restrictions can be configured to control the behavior of a device.

   List of possible restrictions with default values and explanations

The last column (SO) indicates if this function is only available in supervised mode (supervised only) .

Restriction	Default	Explication	(Supervised mode only) SOSO
Restrict App Usage (supervised only). (supervised only)	Default: Allow all apps Do not allow specific apps Do allow only specific apps	Konfiguriert, ob für Apps keine Einschränkung, eine Blacklist oder eine Whitelist verwendet wird.	Supervised mode only ✓
Blacklisted Apps Whitelisted Apps	Clickbox for selecting apps	Depending on the selection in the line above: Blacklisted Apps / Whitelisted Apps 'Searches the entire app store for possible apps.	Supervised mode only ✓
Allow App Removal	Default:	Allows the user to remove apps (supervised only)	Supervised mode only ✓
Allow Trusting Enterprise Apps	Default:	Allows the user to trust enterprise apps. (Apps that can be deployed without the iTunes App Store and don't need to be authorized by Apple)
Allow Explicit Content	Default:	Allows the user to access explicit content. When activated, the SafeSearch function is switched off by search engines.
Allow Screenshots and Screen Recording	Default:	Allows the user to take screenshots or screen recordings
Allow Remote Screen Observation	Default:	Allows you to observe the screen in a classroom, for example.	x
Allow use of iMessage	Default:	Allow use of iMessage (Supervised mode only)	Supervised mode only ✓
Allow Bookstore	Default:	If this value is set to false, the iBookstore will be disabled. (Supervised mode only).	Supervised mode only ✓
Allow Bookstore Erotica	Default:	If set to false, the user will not be able to download media from the iBookstore that is tagged as erotica. (Supervised mode only).	Supervised mode only ✓
Allow Apple Music	Default:	If set to false, Apple Music will be disabled in the Music app.	x
Allow iTunes Radio	Default:	If set to false, iTunes Radio will be disabled in the Music app.
Allow Shared Stream	Default:	If set to false, the shared stream is disabled.
Allow Wallet While Locked	Default:	If set to false, Wallet notifications will not be shown on the lock screen.
Allow UI Configuration Profile Installation		If set to false, the user is prohibited from installing configuration profiles and certificates interactively. (Supervised mode only).	Supervised mode only ✓
Allow use of iTunes	Default:	Allows the user to use iTunes
Allow use of News	Default:	Allows the user to access and use News
Allow use of Safari	Default:	Allows the user to use Safari
Allow Game Center	Default:	Allows the Game Center (Supervised mode only).	Supervised mode only ✓
Allow Adding Game Center Friends	Default:	Allows the user to add Friends on Game Center
Allow modifying Bluetooth settings	Default:	Allow modifying Bluetooth settings
Allow Modifying Cellular Data Usage for Apps Settings	Default:	Allows modifying cellular data usage for apps settings
Allow Modifying Device Name	Default:	Allows the user to change device names.
Allow Modifying Wallpaper	Default:	Allows you to change the background image. (Supervised mode only)	Supervised mode only ✓
Allow Configuring Restrictions	Default:	Allows the user to configure restrictions. (Supervised mode only)	Supervised mode only ✓
Allow Automatic Sync While Roaming	Default:	Allows automatic synchronization during roaming.
Allow iCloud Sync for Managed Apps	Default:	Allows iCloud synchronization for managed apps.
Allow Enterprise Books Backup	Default:	Allows Enterprise books to be backed up.
Allow Enterprise Books Notes and Highlights Sync	Default:	Allows Enterprise Books to synchronize notes and highlights.
Allow In App Purchases	Default:	Allows the user to make purchases within applications
Allow Multiplayer Gaming	Default:	Allows Multiplayer Gaming
Allow voice dialing while device is locked	Default:	Allows voice dialing while device is locked
Force Encrypted Backups	Default:	Forces encrypted backups
Force Apple Watch Wrist Detection	Default:	Forces Apple Watch Wrist Detection
Allow Pairing With Apple Watch	Default:	Allows Pairing With Apple Watch
Allow Erase All Content and Settings	Default:	If set to false, the user cannot choose the option "Erase All Content and Settings" in Settings → General → Reset (Supervised mode only)	Supervised mode only ✓
Allow Internet results in Spotlight	Default:	If set to false, search results from the web will not be shown in Spotlight.
Allow iCloud Document Sync	Default:	Allows document syncing with iCloud
Allow user to accept untrusted TLS certificates	Default:	Allows user to accept untrusted TLS certificates
Allow Photo Stream	Default:	Allows Photo Stream to be used on the device
Allow iCloud Photo Library	Default:	Allows iCloud Photo Library to be used on the device
Allow iCloud Backup	Default:	Allows backup using iCloud
Require iTunes password for all purchases	Default:	Require the user's iTunes password to be entered for every purchase
Apps Ranking Number	1000	Ranking number for apps
Movies Ranking Number	1000	Ranking number for movies
TV Shows Ranking Number	1000	Ranking number for TV Shows
Region Code	Germany	Two-character code for the region used to specify ratings }}
Accept Cookies in Safari	Klickbox	Accepting cookies 0 – Never 1 – From current website only (iOS 8) or visited sites (pre-iOS 8), 1.5 From websites I visit 2 Alwys
Allow AutoFill in Safari	Default:	Allows autocomplete in Safari browser.
Allow JavaScript	Default:	AllowS JavaScript in Safari
Allow Pop-ups	Default:	AllowS Pop-ups in Safari
Enable Fraud Warning	Default:	Enables fraud warning in Safari
Allow Predictive Keyboard	Default:	Allows Predictive Keyboard (Supervised mode only)	Supervised mode only ✓
Allow Keyboard Shortcuts	Default:	Allows Keyboard Shortcuts (Supervised mode only)	Supervised mode only ✓
Allow Auto Correction	Default:	Allows Auto Correction (Supervised mode only)	Supervised mode only ✓
Allow Spell Check	Default:	Allows Spell Check (Supervised mode only)	Supervised mode only ✓
Allow Define	Default:	Allows Define(Supervised mode only)	Supervised mode only ✓
Enable allow open from unmanaged to managed	Default:	Allows managed apps to access unmanaged documents.
Enable allow open from managed to unmanaged	Default:	Allows unmanaged apps to access managed documents.
Treat AirDrop as Unmanaged Destination	Default:	When activated, protected (managed) data is prevented from leaving the device unauthorized by Airdrop.
Allow Handoff	Default:	If this value is set to "false", handoff is deactivated. Handoff allows you to continue an activity started on an iOS-device on another device.
Touch ID/Face ID zum Entsperren erlauben}}	Default:	Allow Touch ID/Face ID to Unlock Device
Allow Modifying Notifications Settings	Default:	Allows Modifying Notifications Settings
Allow incoming AirPlay requests	Default:	Allows incoming AirPlay requests
Allow pairing with Remote app	Default:	Allows pairing with Remote app
Allow dictation	Default:	Allows dictation
Allow Camera Use	Default:	Allows the user to use the camera
Video-Konferenz erlauben}}	Default:	Allow Video Conferencing
Allow Siri	Default:	Allows Siri
Allow Siri While Locked	Default:	Allows Siri while device is locked
Enable Siri Profanity Filter	Default:	Enables Siri Profanity Filter (Supervised mode only)	Supervised mode only ✓
Allow Siri User Generated Content	Default:	When false, prevents Siri from querying user-generated content from the web.
Allow App Installation from Apple Configurator and iTunes	Default:	Allow only a connected Mac host to install applications
Allow Automatic App Downloads	Default:	Allows Automatic App Downloads (Supervised mode only)
Allow Automatic App Downloads	Default:	Allow the user to install applications
Allow Modifying Passcode	Default: Default:	The user is allowed to change the pass code. (Supervised mode only)	Supervised mode only ✓
Allow Modifying Touch ID/Face ID	Default:	The user is allowed to change the Touch ID/Face ID.	Supervised mode only ✓
Allow diagnostic submission	Default:	Send diagnostic and usage stats to Apple
Allow modifying diagnostics settings	Default:	The user is allowed to change the diagnostic settings.

  Save

---

Passcode

Passcode

Settings Passcode

Configuration by clicking on Activate Passcode   

Operation	Default	Description
Require Passcode on Device		Enforces the use of a passcode before using the device
Set maximum number of failed attempts		Number of passcode entry attempts allowed before all data on device will be erased     Maximum Number of Failed Attempts 11
Set auto-lock		The number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system Automatic lock after 15 minutes
Set maximum passcode age		The number of days for which the passcode can remain unchanged 730
Restrict password complexity		Allows restricting password complexity    Allow Simple Value    Permits the use of repeating, ascending, and descending character sequences Require Alphabetic Value    Require passcodes to contain at least one letter Minimum Number of Complex Characters 0 Smallest number of non-alphanumeric characters allowed Minimum Passcode Length 0 Smallest allowable number of characters in passcode
Use Passcode History		Allows defining the number of different passcodes required between the reuse of passcodes    Passcode History 1 Number of unique passcodes required between passcode reuse
Use grace period for device lock		Allows defining the maximum time in minutes to unlock the phone    Grace period for device lock -1 The maximum grace period, in minutes, to unlock the phone without entering a passcode. The default value -1 pretends iOS does not apply a time limit.

---

Exchange ActiveSync

Exchange ActiveSync

Settings Exchange ActiveSync

It is possible to retrieve emails via https connections.

Configuration by clicking on Activate exchange   

Operation	Default	Description
Payload Certificate UUID	Select certificate	UUID of the certificate that is used for authentication.
Exchange ActiveSync Host	Enter host	Host name or IP address of the Exchange server.
Past Days of Mail to Sync	7	synchronization period
Use SSL		Send all communication through Secure Socket layer
Email Address	Select Email Address	The address of the account to be synchronized (e.g. "john@company.com"). New   The entry %device_email% reads the email address from the user settings of the user to whom the device is assigned.
Domain\User	Username	Domain\user (e.g.: ttt-point.local\user ). The field must remain empty if the device is to ask. New   The entry %device_user%} reads the user names from the user settings of the user to whom the respective device is assigned.
Password	Password	The password for the account
Prevent Move		If set to true, messages may not be moved out of this email account into another account.
Prevent App Sheet		If set to true, this account will not be available for sending mail in third party applications
Allow Mail Drop		If set to true, this account is allowed to use Mail Drop.
S/MIME Enabled		If set to true, this account will support S/MIME
S/MIME Signing Enabled		If set to true, this account will enable message signing.
S/MIME Encryption Enabled		If set to true, this account will support message encryption.
S/MIME Enable Per-Message Switch		If set to true, enable the per-message encryption switch.
Disable Mail Recents Syncing		If set to true, this account is excluded from address Recents syncing.

  Save

---

Email

Email

Settings Email

A mail profile can be configured in the Email Settings.
These settings affect IMAP or POP3 accounts.
Settings for Exchange ActiveSync must be made in the corresponding tab!

Configuration by clicking on Activate Email   

Operation	Default	Description
Account Description	Account Description	The display name of the account (e.g. "Company Mail Account")
Account Name	Account Name	The display name of the user (e.g. "John Appleseed") New   The display name can be combined with the variable %device_user_name%. The variable reads from the user settings of the user to whom the respective device is assigned the fields first name and last name. e.g.: {ic
Email Address	Email Address	The address of the account (e.g. "john@company.com") New   The entry %device_email% reads the email address from the user settings of the user to whom the device is assigned.
Prevent Move		If set to true, messages may not be moved out of this email account into another account.
Disable Mail Recents Syncing		If set to true, this account is excluded from address Recents syncing.
Allow Mail Drop		If set to true, this account is allowed to use Mail Drop.
Prevent App Sheet		If set to true, this account will not be available for sending mail in third party applications
S/MIME Enabled		If set to true, this account will support S/MIME
S/MIME Signing Enabled		If set to true, this account will enable message signing.
S/MIME Encryption Enabled		If set to true, this account will support message encryption.
S/MIME Enable Per-Message Switch		If set to true, enable the per-message encryption switch.
Incoming mails
Operation	Default	Description
Mailserver	Mailserver	Hostname or IP Address
Port	993	Port number for incoming mail
Account Type	IMAP POP	The protocol for accessing the email account
Username	Select user	The username used to connect to the server for incoming mail New   The entry %device_user%} reads the user names from the user settings of the user to whom the respective device is assigned.
Path Prefix	Path Prefix	Path prefix for IMAP mail server
Incoming Mail Server Authentification	authentication method	The authentication method for the incoming mail server None Password CrammD5 NTLM HTTPMD5
Password	Password	The password for the incoming mail server
Use SSL		Send outgoing mail through Secure Socket Layer
Outgoing mails
Operation	Default	Description
Mail Server	Mail Server	Hostname or IP address for outgoing mail
Port	587	The port number for outgoing mail
Username	Select user	The username used to connect to the server for outgoing mail. New   The entry %device_user%} reads the user names from the user settings of the user to whom the respective device is assigned.
authentication type	authentication method	The authentication method for the outgoing mail server Password CrammD5 NTLM HTTPMD5
Outgoing Password Same As Incoming		SMTP authentication uses the same password as POP/IMAP    Password Password The password for the outgoing mail server
Use SSL		end outgoing mail through Secure Socket Layer

  Save

---

Security iOS

Security

Settings Security

{

Numerous settings are configured, that control the security of web applications.

Configuration by clicking on Activate security   

Aktion	Default	Beschreibung
Region	Germany / EU	Geographical assignment of the VPN endpoint
Protocol	TCP	Protocol used for VPN tunnel. TCP or UDP
Portfilter Type		Filter network traffic based on network ports.
	Open	all ports are open
	Closed	Only port 80 (http) and 443 (https) are enabled.
	Selection	Port filter rule selection: Specify which port collections are open for network traffic: { Port-Collection Port Protocol Application ✕ Administrative Tools 21 TCP ftp 3389 TCP ms-rdp 23 TCP telnet 5900 TCP vnc 22 TCP ssh 5938 TCP/UDP teamviewer ✕ Communication 3478-3481 UDP Skype 49152-65535 UDP 49152-65535 TCP 5222 TCP Google Push-Notifications 5223 UDP 5228 TCP ✕ VOIP 5060 UDP SIP/RTP 7070-7089 UDP ✕ VPN 1194 TCP OpenVPN 1194 UDP 500 UDP IPSec 4500 UDP & ESP 1701 UDP L2TP ✕ Mail 25 TCP smtp 587 TCP 465 TCP smtps 110 TCP pop3 995 TCP 143 TCP imap 993 TCP
SSL interception	Default	Defines whether or not to intercept SSL traffic. The default value is to intercept traffic based on content filter response.
Content-Filter-Whitelist	Add entries	Click box: Web pages that are to be added to a whitelist. Possible entries: Contentfilter
Content-Filter-Blacklist	Add entries	Click box: Websites that are to be added to a blacklist.
Disable for SSIDs	Add SSIDs	Enter WLAN SSIDs for which the security features shall be disabled.
Disable for IP addresses	Add IPs	IP addresses or networks can be entered for which the security functions are to be deactivated, i.e. the individual host 192.0.2.192/32 or the entire subnet 192.0.2.0/24. For address blocks with less than three digits, a dot must be entered or navigated within the mask using the cursor keys.
Allow Suspend Always-On-VPN		Allows the user to temporary disable the VPN-Connection. If not activated manually, the VPN will resume at a time chosen by the user.
Appconfiguration
Allow other VPN profiles		Allows adding other VPN profiles in addition to the security profile

  Save

---

Android Profile

General android

General

Settings general

In addition to the name and the platform, the assignment to groups, users or devices can also be configured in the general settings.

Caption	Values	Description
Platform	ANDROID	Device OS. When creating a new profile, iOS can also be selected here. tab and Functions differ depending on the selected operating system.
Name	Name	Profilname
Priority	5	The higher the number, the higher the priority. Is only used if a device is affected by multiple profiles.
Roles	Add roles	Klick-Box: The profile will be assigned to all devices of all users with these roles
Users	Add users	The profile will be assigned to all devices from these users
Devices	Add devices	The profile will be assigned to these devices
Tags	Add tags	The profile will be assigned to all devices with these Tags
Comment	Comment	Kommentar

  Save

---

Networks Android

Network

Network configurations

In this section, access profiles for WiFi networks can be configured and pushed to the device.

Add a network configuration with   Konfiguration hinzufügen

Caption	Values	Description
Name	Name	Name of the configuration
Type	WiFi	Configuration type (WiFi predefined)
SSID	SSID	The SSID of the network
Security	no security None insecure WEP-PSK secure WPA-PSK	Security Level no security insecure secure
Passphrase	Passphrase	The networks passphrases
Hidden SSID		Specifies whether the SSID of the network is visible (button off) or hidden (button on).
Autoconnect		Enable to automatically connect the device to the network.

Finish the configuration with   Save

---

Restrictions Android

Restrictions

Settings Restrictions

Configuration by clicking on Activate restrictions   

Restriction	Default	Explication
Enable Camera Restrictions		After setting this, no applications will be able to access any cameras on the device.
Enable Storage Encryption		This profile controls encryption of the secure (application data) storage area. Data written to other storage areas may or may not be encrypted, and this profile does not require or control the encryption of any other storage areas. Important Note:  On some devices, it is possible to encrypt storage without requiring the user to create a device PIN or Password. In this case, the storage is encrypted, but the encryption key may not be fully secured. For maximum security, the administrator should also require a password.
Enable WIFI Restrictions		After setting this, WIFI will be disabled permanently.
Enable Bluetooth Restrictions		After setting this, Bluetooth will be disabled permanently.

  Save

---

Passcode Android

Passcode

Settings Passcode

Configuration by clicking on Activate Passcode   

Operation	Default	Description
Minimum password length	No password required	Attention   Attention   The current password remains until the user sets a new one. The change therefore does not take effect immediately. (Values from 4 to 30 are possible)
Password Quality	Unspecified	After setting this, the user will not be able to enter a new password that is not at least as restrictive as what has been set.   Attention   Note that the current password will remain until the user has set a new one, so the change does not take place immediately. Quality constants are ordered so that higher values are more restrictive; thus the highest requested quality constant (between the profile set here, the user's preference, and any other considerations) is the one that is in effect. Something Numeric Numeric Complex Alphabetic Alphanumeric Complex
Maximum Failed Passwords For Wipe		Setting this to a value greater than zero enables a built-in profile that will perform a device wipe after too many incorrect device-unlock passwords have been entered.

  Save

---

Security Android

Security

Settings Security

{

Numerous settings are configured, that control the security of web applications.

Configuration by clicking on Activate security   

Aktion	Default	Beschreibung
Region	Germany / EU	Geographical assignment of the VPN endpoint
Protocol	TCP	Protocol used for VPN tunnel. TCP or UDP
Portfilter Type		Filter network traffic based on network ports.
	Open	all ports are open
	Closed	Only port 80 (http) and 443 (https) are enabled.
	Selection	Port filter rule selection: Specify which port collections are open for network traffic: { Port-Collection Port Protocol Application ✕ Administrative Tools 21 TCP ftp 3389 TCP ms-rdp 23 TCP telnet 5900 TCP vnc 22 TCP ssh 5938 TCP/UDP teamviewer ✕ Communication 3478-3481 UDP Skype 49152-65535 UDP 49152-65535 TCP 5222 TCP Google Push-Notifications 5223 UDP 5228 TCP ✕ VOIP 5060 UDP SIP/RTP 7070-7089 UDP ✕ VPN 1194 TCP OpenVPN 1194 UDP 500 UDP IPSec 4500 UDP & ESP 1701 UDP L2TP ✕ Mail 25 TCP smtp 587 TCP 465 TCP smtps 110 TCP pop3 995 TCP 143 TCP imap 993 TCP
SSL interception	Default	Defines whether or not to intercept SSL traffic. The default value is to intercept traffic based on content filter response.
Content-Filter-Whitelist	Add entries	Click box: Web pages that are to be added to a whitelist. Possible entries: Contentfilter
Content-Filter-Blacklist	Add entries	Click box: Websites that are to be added to a blacklist.
Disable for SSIDs	Add SSIDs	Enter WLAN SSIDs for which the security features shall be disabled.
Disable for IP addresses	Add IPs	IP addresses or networks can be entered for which the security functions are to be deactivated, i.e. the individual host 192.0.2.192/32 or the entire subnet 192.0.2.0/24. For address blocks with less than three digits, a dot must be entered or navigated within the mask using the cursor keys.
Allow Suspend Always-On-VPN		Allows the user to temporary disable the VPN-Connection. If not activated manually, the VPN will resume at a time chosen by the user.
Appconfiguration
Allow other VPN profiles		Allows adding other VPN profiles in addition to the security profile

  Save

---