Restrictions configuration (Android device profile)

With the Restrictions configuration you define restrictions for devices.

Security

Setting/Field Description
Force encryption Users must encrypt their devices.
Force SD card encryption When the profile is installed onto a device, the user must encrypt the SD card.
Note: For some device types, users can choose to cancel the encryption. They will be reminded again on the next SD card mount.
Allow fast encryption If the check box is cleared, the fast encryption options in the device settings are unavailable.
Allow factory reset If the check box is cleared, users cannot reset their devices to factory state.
Allow developer options If the check box is cleared, users cannot change the developer options.
Allow safe mode If the check box is cleared, users cannot boot the device in safe mode.
Allow USB debugging If the check box is cleared, USB debugging is turned off.
Note: For Sony devices with Enterprise API version 9 or above, clearing the Allow USB debugging checkbox makes all developer options unavailable.
Allow firmware recovery If the check box is cleared, all types of firmware updates (like over-the-air, download etc.) are turned off.
Allow backup If the check box is cleared, users cannot create system backups. Google backup is turned off. Other backup methods (for example Sophos Mobile Control backups) remain available.
Allow settings changes If the check box is cleared, users cannot change device settings. Depending on individual devices the settings icon is removed.
Allow clipboard If the check box is cleared, users cannot copy any contents to the clipboard.
Note: This setting applies to devices with Android 4.2.2 or higher.
Enable shared clipboard Allows users to copy clipboard content between apps.

If the check box is cleared, each app has an individual clipboard.

This setting is only available if you select Allow clipboard.

Allow screen capture If the check box is cleared, users cannot take a screenshot of the display.
Allow mock GPS locations If the check box is cleared, users cannot select a mock location app in the Android developer options.
Allow over-the-air firmware updates If the check box is cleared, over-the-air firmware updates are turned off.
Allow audio recording If the check box is cleared, users cannot perform audio recording.
Allow video recording If the check box is cleared, users cannot record videos. They can take pictures and stream videos.
Allow Activation Lock If the check box is cleared, the Activation Lock options in the device settings are unavailable.
Allow S Beam If the check box is cleared, the Samsung S Beam app is unavailable.
Allow S Voice If the check box is cleared, the Samsung S Voice app is unavailable.
Allow “Share via” If the check box is cleared, the Share via feature is turned off.

Accounts

Setting/Field Description
Allow multiple user accounts If the check box is cleared, multi-user support is turned off. Users or other apps cannot create additional user accounts.
Allow addition of new email accounts If the check box is cleared, users cannot add email accounts.

This does not affect the account creation through a device profile.

Allow removal of the Google account If the check box is cleared, users cannot remove the Google account from the device.
Allow auto-sync for Google accounts If the check box is cleared, Google accounts are not synchronized automatically. Users are still able to perform a manual sync from inside some apps like Gmail.

Network and communication

Setting/Field Description
Allow airplane mode If the check box is cleared, users cannot enable airplane mode.
Allow sync while roaming If the check box is cleared, synchronization while roaming is turned off.
Allow emergency calls only Only emergency calls are allowed. All other calls will be blocked.
Force manual sync during roaming Automatic data synchronization is turned off when the device is roaming. This affects all configured accounts, such as Google or Exchange.
Force mobile data connection Users cannot turn off cellular data.
Allow SMS If the check box is cleared, users cannot send text messages.
Allow mobile data connection while roaming If the check box is cleared, mobile data connections while roaming are turned off.
Allow voice calls while roaming If the check box is cleared, voice calls while roaming are turned off.
Allow user mobile data limit If the check box is cleared, users cannot set a mobile data limit.
Allow VPN If the check box is cleared, users cannot use VPN connections.
Allow Wi-Fi Direct If the check box is cleared, data transfer through Wi-Fi Direct is turned off.
Allow Android Beam If the check box is cleared, data transfer through Android Beam is turned off. This includes the Samsung S Beam app.
Allow Miracast policy If the check box is cleared, data transfer through Miracast is turned off.
Allow Bluetooth If the check box is cleared, Bluetooth is turned off.
Allow NFC If the check box is cleared, NFC (near field communication) is turned off.
Allow Wi-Fi If the check box is cleared, Wi-Fi is turned off.

Tethering

Setting/Field Description
Allow tethering If the check box is cleared, all tethering is turned off. This includes tethering over Wi-Fi, USB and Bluetooth.
Note: If the check box is cleared, the settings Allow Wi-Fi tethering, Allow USB tethering and Allow Bluetooth tethering have no effect.
Allow Wi-Fi tethering If the check box is cleared, Wi-Fi tethering (Wi-Fi hotspot) is turned off.
Allow USB tethering If the check box is cleared, USB tethering is turned off.
Allow Bluetooth tethering If the check box is cleared, Bluetooth tethering is turned off.
Allow configuring Wi-Fi tethering The user can configure the settings of the Wi-Fi hotspot.

Hardware

Setting/Field Description
Allow camera If the check box is cleared, the camera is unavailable.
Force GPS for location queries GPS information is used for device location.
Allow SD card If the check box is cleared, SD cards cannot be used in devices.
Allow moving apps to the SD card If the check box is cleared, users cannot move apps from the internal storage to the SD card.
Allow writing to the SD card If the check box is cleared, it is not possible to write to unencrypted SD cards.
Allow microphone If the check box is cleared, the microphone is unavailable.
Allow USB The USB mass storage mode and the USB media player are available on the device.
Allow USB media player If the check box is cleared, the Media Transfer Protocol (MTP) is unavailable. Because Android uses MTP for USB file transfer, any file transfer over USB is blocked.

Applications

Setting/Field Description
Allow app install If the check box is cleared, users cannot install apps.
Allow app uninstall If the check box is cleared, users cannot uninstall apps.
Allow unsigned app install If the check box is cleared, users can only install signed APK files.
Allow Play Store If the check box is cleared, the Google Play Store app is unavailable.
Note: This setting applies to devices with Android 4.2.2 or higher.
Allow apps from unknown sources If the check box is cleared, users can only install apps through the Google Play Store app.
Allow native browser If the check box is cleared, the native browser is unavailable. Third-party browser apps are not affected.
Allow app crash reports If the check box is cleared, apps cannot send crash reports.
Allow wallpaper change If the check box is cleared, users cannot change the wallpaper.
Allow camera on lock screen If the check box is cleared, the camera is unavailable when the screen is locked.
Allow widgets on lock screen If the check box is cleared, widgets are unavailable when the screen is locked.
Allow Knox contact info for personal calls By default, a Samsung Knox device displays contact information when the user receives a call from a Knox contact while in personal mode.

If the check box is cleared, Knox contact information is not displayed in personal mode.

Allow autofill in browser The user can enable autofill in the settings of the native Android browser. If enabled, web pages can provide suggestions when the user is filling in form data.

If the check box is cleared, autofill is turned off and the browser setting is unavailable.

Allow cookies in browser The user can enable cookies in the settings of the native Android browser. If enabled, web pages can store cookies on the device.

If the check box is cleared, cookies are turned off and the browser setting is unavailable.

Allow JavaScript in browser The user can enable JavaScript in the settings of the native Android browser. If enabled, web pages can execute JavaScript code on the device.

If the check box is cleared, JavaScript is turned off and the browser setting is unavailable.

Allow pop-ups in browser The user can enable pop-ups in the settings of the native Android browser. If enabled, web pages can open new browser windows.

If the check box is cleared, pop-ups are turned off and the browser setting is unavailable.

Allow changing date and time settings The user can change the date and time settings.
Allowed apps / Forbidden apps You can configure either Allowed apps or Forbidden apps. Select the desired option from the first list and then select the app group containing the apps that should be allowed or forbidden from the second list.

App installations initiated by the Sophos Mobile Control server are not restricted by this setting.

For information on creating app groups, see App groups.