Restrictions configuration (Android Enterprise device policy)

With the Restrictions configuration you set restrictions for Android Enterprise fully managed devices.

Security

Setting/Field

Description

Force encryption

Users must encrypt their devices.

Allow factory reset

Users can reset the device to its factory settings.

Allow safe mode

Users can boot the device in safe mode.

Allow debugging

Users can turn on the debugging features in the Android developer options.

Allow screen capture

Users can take a screenshot of the display.

Allow user to configure credentials

Users can install or remove certificates.

Allow Smart Lock

Users can turn on the Android Smart Lock feature that automatically unlocks the device in certain situations.

Note This setting affects the device lock. It is ignored if there is also a work profile lock configured.

Allow location sharing

Users can turn on location sharing.

Allow unlocking device by fingerprint

Users can use the fingerprint sensor to unlock the device.

Allow changing the account picture

Users can change the photo used for their user account.

Hide sensitive information on lock screen

If notifications on the lock screen are turned on, sensitive notification content is hidden.

System update policy

Select when system updates are installed:

  • No policy: The user decides when to install system updates.
  • Install automatically: System updates are installed automatically as soon as they are available.
  • Install within maintenance window: System updates are installed automatically within a daily maintenance window. Enter start and end time of the day.
  • Postpone: System updates (except for security updates) are blocked for 30 days.

Accounts

Setting/Field

Description

Allow managing accounts

Users can add or remove non-Google accounts such as app accounts from the device.

Allow managing Google accounts

Users can add or remove Google accounts from the device.

Network and communication

Setting/Field

Description

Allow SMS

If the check box is cleared, users cannot send text messages.

Allow mobile data connection while roaming

If the check box is cleared, mobile data connections while roaming are turned off.

Allow VPN

If the check box is cleared, users cannot use VPN connections.

Allow Android Beam

Users can send data from apps through Android Beam (data transfer through NFC).

Allow Bluetooth

If the check box is cleared, Bluetooth is turned off.

Allow outgoing phone calls

Users can make phone calls.

Allow network reset

Users can reset network settings to their defaults.

Enable Wi-Fi settings

Users can change the Wi-Fi settings.

Allow configuring cell broadcasts

Users can turn cell broadcast (CB) messages on or off in their messaging app.

Enable cellular networks settings

Users can change the cellular network settings.

Enable tethering settings

Users can change the tethering and portable hotspot settings.

Hardware

Setting/Field

Description

Allow camera

If the check box is cleared, the camera is unavailable.

Allow microphone

If the check box is cleared, the microphone is unavailable.

Allow external media

Users can connect external media like USB storage to the device.

Enable USB storage

Users can connect the device in USB Mass Storage mode (USB MSC) to a host computer, i.e. as an external hard drive.

If you clear the check box, users can still connect the device in Media Transfer mode (USB MTP) or Picture Transfer mode (USB PTP) to transfer files.

Allow transfering files over USB

Users can transfer files between the device and external USB storage.

Applications

Setting/Field

Description

Allow app uninstall

Users can uninstall apps.

Allow installing apps from unknown sources

If the check box is cleared, users can only install apps from Google Play, not from unknown sources or through Android Debug Bridge (ADB).

Enable system apps

If the check box is cleared, only these apps are enabled: Google Play Store, Contacts, Messages, Phone. Google recommends this for Android Enterprise fully managed devices.

If you select the check box, all apps pre-installed by the manufacturer are enabled.

Allow wallpaper change

If the check box is cleared, users cannot change the wallpaper.

Allow managing apps

If the check box is cleared, users can’t perform the following tasks for apps:
  • Uninstall apps
  • Disable apps
  • Stop apps
  • Clear app cache
  • Clear app data
  • Clear setting Open by default

Allow disabling Google security scans

Users can turn off the Google security setting Scan device for security threats.

The setting is available in the Settings app, under Google > Security > Google Play Protect.

Allow setting date and time

Users can set the date and time.

If the check box is cleared, network date and time is used.

Short message

A company-specific support message that is displayed to the user when functionality has been turned off.
Note If you enter more than 200 characters, the message may be truncated.

Long message

Additional text to complement the short message. The text is displayed when the user taps More details in screens that display the short message.
Note This text is also displayed on the Android Device administrator screen for the Sophos Mobile Control app.

Allowed accessibility services

Restrict the list of apps that can provide accessibility services:

  • If you select All available apps, users can use all accessibility services.
  • If you select Only system apps, users can only use accessibility services from system apps.
  • If you select an app group, users can only use accessibility services from apps within that group, and from system apps.