Skip to content

Restrictions configuration (Android Enterprise device policy)

With the Restrictions configuration you set restrictions for Android Enterprise fully managed devices.


Setting Description
Force encryption Users must encrypt their devices.
Allow factory reset Users can reset the device to its factory settings.
Allow safe mode Users can boot the device in safe mode.
Allow debugging Users can turn on the debugging features in the Android developer options.
Allow screen capture Users can take a screenshot of the display.
Allow user to configure credentials Users can install or remove certificates.
Allow Smart Lock

Users can turn on the Android Smart Lock feature that automatically unlocks the device in certain situations.

This setting affects the device lock. It is ignored if there is also a work profile lock configured.

Allow location services

Allow users to share the device location with apps and services. If you clear the checkbox, location services are turned off, and users can’t turn them on.

Sophos Mobile can’t find the device if you clear the checkbox.

Allow unlocking device by fingerprint Users can use the fingerprint sensor to unlock the device.
Allow changing the account picture Users can change the photo used for their user account.
Hide sensitive information on lock screen If notifications on the lock screen are turned on, sensitive notification content is hidden.
System update policy

Select when system updates are installed:

  • No policy: The user decides when to install system updates.
  • Install automatically: System updates are installed automatically as soon as they are available.
  • Install within maintenance window: System updates are installed automatically within a daily maintenance window. Enter start and end time of the day.
  • Postpone: System updates (except for security updates) are blocked for 30 days.


Setting Description
Allow managing accounts Users can add or remove non-Google accounts such as app accounts from the device.
Allow managing Google accounts Users can add or remove Google accounts from the device.

Network and communication

Setting Description
Allow SMS If the check box is cleared, users cannot send text messages.
Allow mobile data connection while roaming If the check box is cleared, mobile data connections while roaming are turned off.
Allow VPN If the check box is cleared, users cannot use VPN connections.
Allow Android Beam Users can send data from apps through Android Beam (data transfer through NFC).
Allow Bluetooth

Users can connect to Bluetooth devices.

When you turn this setting off, users can’t connect to new Bluetooth devices. Users can continue to connect to already paired Bluetooth devices.

Allow outgoing phone calls Users can make phone calls.
Allow network reset Users can reset network settings to their defaults.
Enable Wi-Fi settings Users can change the Wi-Fi settings.
Allow configuring cell broadcasts Users can turn cell broadcast (CB) messages on or off in their messaging app.
Enable cellular networks settings Users can change the cellular network settings.
Enable tethering settings Users can change the tethering and portable hotspot settings.


Setting Description
Allow camera If the check box is cleared, the camera is unavailable.
Allow microphone If the check box is cleared, the microphone is unavailable.
Allow external media Users can connect external media like USB storage to the device.
Enable USB storage

Users can connect the device in USB Mass Storage mode (USB MSC) to a host computer, i.e. as an external hard drive.

If you clear the check box, users can still connect the device in Media Transfer mode (USB MTP) or Picture Transfer mode (USB PTP) to transfer files.

Allow transferring files over USB Users can transfer files between the device and external USB storage.


Setting Description
Allow app uninstall Users can uninstall apps.
Allow installing apps from unknown sources If the check box is cleared, users can only install apps from Google Play, not from unknown sources or through Android Debug Bridge (ADB).
Enable system apps

By default, most system apps (apps that are preinstalled by the device manufacturer) are disabled. Users can only access system apps that provide basic device features, such as Phone, Contacts, or Messages. The list may vary depending on the device model.

Turn this setting on to enable all system apps.

Note that you can’t disable system apps after you enable them.

Allow wallpaper change If the check box is cleared, users cannot change the wallpaper.
Allow managing apps

If the check box is cleared, users can’t perform the following tasks for apps:

  • Uninstall apps
  • Disable apps
  • Stop apps
  • Clear app cache
  • Clear app data
  • Clear setting Open by default
Allow disabling Google security scans

Users can turn off the Google security setting Scan device for security threats.

The setting is available in the Settings app, under Google > Security > Google Play Protect.

Allow setting date and time

Users can set the date and time.

If the check box is cleared, network date and time is used.

Short message

A company-specific support message that is displayed to the user when functionality has been turned off.

If you enter more than 200 characters, the message may be truncated.

Long message

Additional text to complement the short message. The text is displayed when the user taps More details in screens that display the short message.

This text is also displayed on the Android Device administrator screen for the Sophos Mobile Control app.

Allowed accessibility services

Restrict the list of apps that can provide accessibility services:

  • If you select All available apps, users can use all accessibility services.
  • If you select Only system apps, users can only use accessibility services from system apps.
  • If you select an app group, users can only use accessibility services from apps within that group, and from system apps.