Device Policy Settings
1. In the information view of the AEMM Starter Console, you can view the devices found for the defined criteria. Select a device, and the detail view shows the device’s resume.

2. Select the option View Details to edit or approve the policies associated with the device’s resume.

3. In the Configuration section of the device resume, select Edit, define a policy (restrictions, password, Wi-Fi, web clips, mail, EAS accounts, apps, kiosk), and turn on policy editing.
Restrictions
Restrictions on Android
These are the parameters that can be restricted on Android mobile devices after a policy is applied.

Name | Description |
---|---|
Allow use of the camera | If this option is not selected, the device cannot use the camera, either directly or through applications that require it. (Only applies to Android versions higher than 4.0 or Knox) |
Allow pop-ups in the Android browser | If this policy is enabled, the device’s browser does not allow pop-ups. (Only applies to Android Knox). |
Allow backup to cloud services | If this parameter is active, the device is active. (Only applies to Android Knox). |
Encrypt Android device | This option is disabled by default, but if you decide to apply it to the device, it allows you to merge all the data with a password or key. (Only applies to Android Knox) |
Allow Roaming | If this policy is enabled, the device does not allow roaming. (Only applies to Android Knox) |
Allow USB tethering | If this policy is applied, the device does not allow sharing the connection with any other computer (only applies to Android Knox). |
Allow USB Media Player (Kies) | If this option is not selected, your Android device does not allow syncing with Samsung Kies (only applies to Android Knox). |
Allow Bluetooth | If this setting is active, it does not allow Bluetooth connection on the mobile device. (Only applies to Android Knox) |
Enable JavaScript in Android browser | If this policy is enabled, the Android browser does not enable JavaScript. (Only applies to Android Knox). |
Allow cookies in your Android browser | This parameter is activated and the mobile does not enable cookies for the browser. (Only applies to Android Knox). |
Enable WiFi on an Android device | This restriction, if applied to the Android device, does not allow it to connect to the Wi-Fi. (Only applies to Android Knox) |
Allow voice dialing | If this setting is active, voice dialing is not possible through the device. (Only applies to Android Knox) |
Allow data roaming | If this policy is enabled, the device does not allow the data roaming service. (Only applies to Android Knox). |
Allow USB Debugging | If this option is not selected, it is not possible to perform USB debugging with the mobile device (Only applies to Android Knox). |
Allow SMS | If this policy applies, it is not possible to send or receive SMS to your mobile. (Only applies to Android Knox). |
Allow GPS manipulation | If this parameter is active, you do not have access to the GPS (Only applies to Android Knox). |
Allow OS Update | If this option is inactive, it will not be allowed to download or install operating system updates, both manually and automatically (Only applies to AFW links with Samsung Knox agent). |
Enable Backup Service to Be Activated | Allows the device or profile owner to turn the backup service on or off. Disabling the backup service will prevent data from being backed up or restored. By default, the backup service is disabled. PO, DO, API 26. |
Allow you to add accounts in the Google Play Store | Allows the user to add additional accounts in the Google Play store. PO, DO, For Google Play app versions greater than 80970100. |
Restrictions on iOS
These are the parameters that can be restricted on iOS mobile devices after a policy is applied.

Name | Description |
---|---|
Allow App Store (includes installing and updating apps through the App Store) | If this setting is applied, your iOS device won’t have access to the App Store. |
Allow Siri while your device is locked | This policy does not enable Siri speech recognition if the device is locked (only applies to iOS devices with a version higher than 5.1). |
Enable automatic diagnostic reports | This active parameter disables the option to send automatic diagnostic reports (Only applies to iOS devices version higher than 6.0) |
Allow Game Center | If this option is not selected, the device does not have access to Game Center. (Only applies to iOS devices version higher than 6.0). |
Allow use of the iTunes Store | This policy does not allow access to the online store for digital content through the iTunes Store. |
Allow Safari | This active parameter does not allow access to the Safari browser. |
Allow backup to cloud services | If this setting is applied, the device is not allowed to back up to the Apple Services cloud (Only applies to iOS devices version higher than 5.0) |
Allow Photo Stream | This parameter does not allow photo synchronization through PhotoStream (Only applies to iOS devices version higher than 5.0) |
Allow Shared Photo Stream | If this policy is applied, the device can’t share the photos that are synced to them. Shared Photo Stream is disabled (Only applies to iOS devices version higher than 6.0) |
Allow cookies in Safari | This policy can set Safari Cookies to never, always, or only from visited sites. |
Allow Siri | This policy does not enable speech recognition through Siri. |
Allow use of the camera | If this option is not selected, the device cannot use the camera, either directly or through applications that require it. |
Allow explicit content | This parameter does not allow access to explicit content. |
Allow screenshots | When this policy is applied to the device, it is not possible to take screenshots on the mobile device. |
Force iTunes password entry for each transaction | If this parameter is active, whenever any transaction is made with iTunes it will ask for the access key (Only applies to iOS devices version higher than 5.0) |
Warn the user about untrusted HTTPS certificates instead of automatically rejecting them | If this policy applies to mobile, the user is always warned when the HTTPS certificate is untrusted (Only applies to iOS devices version higher than 5.0) |
Allow document syncing in iCloud | This policy does not allow storage in Apple cloud computing (only applies to iOS devices version higher than 5.0). |
Allow BookStore | If this policy applies, your device doesn’t have access to the Apple BookStore. (Only applies to iOS devices version higher than 6.0). |
Allow JavaScript in Safari | This parameter does not allow the use of JavaScript in Safari. |
Enable predictive keyboards | If this option is not selected, the device will not use the predictive keyboard option. |
Enable AirDrop | If this option is not selected, your device will not use the AirDrop option. |
Allow USB Restricted Mode | Allows the device to connect USB accessories while it is locked, in case of inactivity restricts the connection. |
Allow password autofill | Allows you to activate/disable the password autofill function. This restriction also disables automatic strong passwords, and strong passwords are no longer suggested to users. |
Allow fingerprint and/or face ID to unlock | It allows you to activate/deactivate the device through fingerprint or face ID. If the restriction is inactive, the device cannot be unlocked through the aforementioned mechanisms. |
Allow fingerprint and/or face ID modification | It allows the user to modify both the fingerprints and the configured face ID. |
Allow Find My Device | Allows you to enable/disable the option to search for the device. |
Password
Android
These are the password parameters that are configured on an Android device.

Name | Description |
---|---|
Password Quality | There are 5 types of password settings, these are: - Indefinite: It is necessary to enter a password with a minimum of 4 characters. - Alphabetical: The password must contain at least 4 alphabetic characters. - Alphanumeric: The password must contain at least 4 alphanumeric characters. - Complex: The password must contain at least 4 characters of which at least one is a letter, a lowercase letter, a capital letter, a special character and a number. - Any: The password can be a pattern, a pin, or a password. |
Minimum Code Length | It is the minimum number of characters that the password must have, ranging from 4 to 16. |
Minimum number of letters | It is the minimum number of letters that the password must have, ranging from 1 to 16. |
Minimum number of lowercase letters | It is the minimum number of lowercase letters that the password must have, ranging from 1 to 16. |
Minimum number of uppercase letters | It is the minimum number of capital letters that the password must have, ranging from 1 to 16. |
Minimum number of characters other than letters | It is the minimum number of special characters that the password must have, ranging from 1 to 16. |
Minimum number of numbers | It is the minimum number of numbers that the password must have, ranging from 1 to 16. |
Minimum number of symbols | It is the minimum number of symbols that the password must have, ranging from 1 to 16. |
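The minimum-count parameters in this table interact: the counts can add up to more than the configured minimum code length. The following added example (not code from the AEMM console) checks a policy against the documented ranges, computes the length the counts really demand, and tests a password against them; the field names, the use of 0 for "not set" and the definition of a symbol as any non-alphanumeric character are assumptions.

```python
from dataclasses import dataclass

# Ranges as documented in the Android password table.
# Assumption: 0 means the parameter is not set.
DOCUMENTED_RANGES = {
    "min_length": (4, 16),
    "min_letters": (1, 16),
    "min_lowercase": (1, 16),
    "min_uppercase": (1, 16),
    "min_non_letters": (1, 16),
    "min_numbers": (1, 16),
    "min_symbols": (1, 16),
}


@dataclass
class AndroidPasswordPolicy:
    """Hypothetical container for the table's parameters (names are assumptions)."""
    min_length: int = 4
    min_letters: int = 0
    min_lowercase: int = 0
    min_uppercase: int = 0
    min_non_letters: int = 0
    min_numbers: int = 0
    min_symbols: int = 0

    def range_errors(self):
        """Values that fall outside the ranges the table documents."""
        errors = []
        for name, (low, high) in DOCUMENTED_RANGES.items():
            value = getattr(self, name)
            if value != 0 and not low <= value <= high:
                errors.append(f"{name}={value} outside {low}-{high}")
        return errors

    def effective_min_length(self):
        """Shortest password that can satisfy every minimum at once."""
        letters = max(self.min_letters, self.min_lowercase + self.min_uppercase)
        non_letters = max(self.min_non_letters, self.min_numbers + self.min_symbols)
        return max(self.min_length, letters + non_letters)


def check_password(policy, password):
    """Return one message per minimum the password fails to meet."""
    counts = {
        "min_length": len(password),
        "min_letters": sum(c.isalpha() for c in password),
        "min_lowercase": sum(c.islower() for c in password),
        "min_uppercase": sum(c.isupper() for c in password),
        "min_non_letters": sum(not c.isalpha() for c in password),
        "min_numbers": sum(c.isdigit() for c in password),
        "min_symbols": sum(not c.isalnum() for c in password),  # assumption
    }
    return [f"{name}: have {counts[name]}, need {getattr(policy, name)}"
            for name in DOCUMENTED_RANGES
            if counts[name] < getattr(policy, name)]


# Constructed sample policy: length 6 is configured, but the counts demand 7.
SAMPLE_POLICY = AndroidPasswordPolicy(min_length=6, min_lowercase=2,
                                      min_uppercase=2, min_numbers=2,
                                      min_symbols=1)

if __name__ == "__main__":
    print(SAMPLE_POLICY.range_errors())
    print(SAMPLE_POLICY.effective_min_length())
    print(check_password(SAMPLE_POLICY, "Ab1!"))
```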
iOS
These are the password parameters that are configured on an iOS device.

Name | Description |
---|---|
Allow Simple Value | Allows the use of repeating, ascending, and descending character sequences |
Require alphanumeric value | Require codes to contain at least one letter. |
Minimum Code Length | This is the minimum number of characters that the password must contain, ranging from 1 to 16. |
Minimum number of complex characters | It is the minimum number of complex characters that the password must contain, ranging from 1 to 4. |
Maximum code validity period | Number of days (1-730) after which the password must be changed. |
Maximum Auto Lock | The device locks after the set time, which is between 1 and 15 minutes. |
Password History | Number of unique passwords (1-50) before they can be repeated. |
Maximum grace period for device lock | The maximum amount of time the device can remain locked without prompting for the unlock code. The options are: Immediately, 1 minute, 5 minutes, 15 minutes, 1 hour or 4 hours. |
Maximum number of failed attempts | Maximum number of attempts allowed to enter the password before all data is erased from the device or locked until it connects to the designated iTunes. It is between 2 and 11. |
Wi-Fi
This is the policy that configures the Wi-Fi network on the mobile device.
Android

Name | Description |
---|---|
Service Set Identifier (SSID) | This is the name of the wireless network you will connect to |
Security Type | Encryption of the wireless network that will be used for the connection. The options are WEP, WPA/WPA2 and WPA2 Enterprise. For the WPA2 Enterprise security type, an additional user name must be provided, which is used to authenticate to the RADIUS server associated with the wireless network. The password in this case is the one associated with the user entered. |
Password | This is the password for authentication on the wireless network. |
iOS

Name | Description |
---|---|
Service Set Identifier (SSID) | This is the name of the wireless network you will connect to |
Automatic connection | You select whether you want to automatically connect to the target network. |
Hidden network | You select whether the destination network is open or not. |
Security Type | Encryption of the wireless network that will be used for the connection. The options are WEP or WPA/WPA2. |
Password | The password for authentication on the wireless network. |
Proxy | It is selected whether the setting for the proxy wireless network is none, automatic or manual. According to the selection made, different additional fields will be loaded, namely: Automatic: - ProxyPACFallback allowed: Allows you to connect directly to the destination if the PAC file is not accessible. - Proxy server URL: The server from which proxy settings are obtained. Manual: - Server and Port: The full address and port of the proxy server - Authentication: Username used to connect to the proxy - Password: Password used to connect to the proxy |
Web Clips
This policy creates a shortcut on the mobile device, which directs to a URL.
Android

Name | Description |
---|---|
Label | This is the name assigned to the web clip |
URL | The address the web clip directs to. |
Icon | Image to be displayed in the WebClip. This image must be a maximum size of 200 pixels tall and 200 pixels wide. It is possible to add more than one web clip with the option “Create a new web clip”. |
iOS

Name | Description |
---|---|
Label | This is the name assigned to the web clip |
URL | The address the web clip directs to. |
Removable | Allow deletion of the Web Clip. |
Icon | Image to be displayed in the Web Clip. This image must be a maximum size of 200 pixels tall and 200 pixels wide. |
Pre-composed icon | The icon will be displayed without any added visual effects. |
Full screen | Present the web clip as a full-screen application. It is possible to add more than one web clip with the option “Create a new web clip”. |
This is the setting for an email account that applies to a mobile device.
Android
This setting is only available for Samsung devices with KNOX support.

Name | Description |
---|---|
This is the email to be configured. The administrator has the option to enter it or the mobile user. | |
Entry Protocol | The name of the protocol for incoming mail from your provider. |
Incoming mail server | The address of the incoming mail server. |
Incoming mail server port | The port used by the incoming mail server. |
Incoming mail server login | Login used on the incoming mail server. The administrator has the possibility to enter the user or ask the user to enter the Username or Email. |
Incoming Mail Server Password | Password used on the incoming mail server. This field is only enabled if the information in the previous box is entered. |
Exit Protocol | The name of your Provider’s outgoing mail protocol. |
Outgoing Mail Server | The address of the outgoing mail server |
Outgoing Mail Server Port | The port used by the outgoing mail server |
Outgoing Mail Server Login | Login used on the outgoing mail server. The administrator has the possibility of entering the user or asking him to enter his username or email. |
Outgoing Mail Server Password | Password used on the outgoing mail server. This field is only enabled if the information in the previous box is entered |
iOS

Name | Description |
---|---|
Account Description | Display name of the account. |
Type | Account access protocol. There are two protocols: - POP: It is used in local mail clients to retrieve e-mail messages stored on a remote server. - IMAP: With this protocol, you can access e-mail from any computer that has an Internet connection. |
User Display Name | It is the name of the user. The administrator has the possibility to enter the information or ask the user for the Username or Email. |
Email address | The account address. The administrator has the possibility of entering the information or requesting the user’s Email. |
Server (Incoming Mail) | Server URL or IP. |
Port (Inbound Mail) | Port number for connection. |
Username (Incoming Mail) | The name used to connect to the incoming mail server. The administrator has the possibility to enter the information or ask the user for the Username or Email. |
Authentication Type (Incoming Mail) | The authentication method of the incoming mail server. |
Password (Incoming Mail) | The password for the incoming mail server. |
Use SSL (inbound mail) | Retrieve incoming mail via SSL. |
Server (Outgoing Mail) | Server URL or IP. |
Port (Outgoing Mail) | Port number for connection |
Username (Outgoing Mail) | The name used to connect to the outgoing mail server. The administrator has the possibility to enter the information or ask the user for the Username or Email. |
Authentication Type (Outgoing Mail) | The outgoing mail server authentication method |
Password (Outgoing Mail) | The password for the outgoing mail server. |
EAS (Exchange Active Sync) accounts
This is the setting for an email account that applies to a mobile device.
Android
This setting is only available for Samsung devices with KNOX support.

Name | Description |
---|---|
Your personal email. The administrator has the possibility of entering the information or requesting the user’s Email. | |
Entry Protocol | The name of your provider’s inbound mail protocol |
Incoming mail server | The address of the incoming mail server |
Incoming mail server port | The port used by the incoming mail server. |
Incoming mail server login | Login used on the incoming mail server. The administrator has the possibility to enter the information or ask the user for the Username or Email. |
Incoming Mail Server Password | Password used on the incoming mail server. |
Exit Protocol | The name The address of the outgoing mail server |
Outgoing Mail Server Port | The port used by the outgoing mail server. |
Outgoing Mail Server Login | Login used on the outgoing mail server. The administrator has the possibility to enter the information or ask the user for the Username or Email. |
Outgoing Mail Server Password | Password used on the outgoing mail server. |
iOS

Name | Description |
---|---|
Exchange ActiveSync account name | Exchange ActiveSync account name. The administrator has the possibility to enter the information or ask the user for the Username or Email. |
Microsoft Exchange Server | Microsoft Exchange Server. |
Allow Moving | Messages can be moved between email accounts, and messages can be forwarded or replied to from a different account than the one originally used. |
Use only in Mail | Send mail only from the Mail app (avoiding sending mail from third-party apps). |
Use SSL | Send all communications via SSL. |
Domain | Account domain (if you leave this field empty, the device will prompt the user). The administrator has the possibility of entering the information or requesting the user’s Email. |
User | Account user (if you leave this field empty, the device will prompt the user). The administrator has the possibility to enter the information or ask the user for the Username or Email. |
Email address | The account address. The administrator has the possibility of entering the information or requesting the user’s Email. |
Password | The password for the account. |
Past days of mail included in sync | The number of past days of mail that will be included in the sync. You have the option to select: No limit, one day, three days, one week, two weeks, or one month. |
Applications
It is a policy that is applied to mobile devices, to audit the applications they have installed. There are three types of lists that classify the state that applications should have.
Whitelist
A list of apps that the device associated with this policy will be allowed to install. For KNOX devices, it is possible to uninstall applications that are not listed.

Blacklist
A list of apps that you will be prohibited from installing on devices associated with this policy. For Knox Android devices, you can force uninstall these apps.
Required Applications
A list of applications that must be installed on the device associated with this policy. For Knox Android devices, you have the possibility to prevent the uninstallation of these applications.
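The audit that the three lists describe can be expressed as set operations over a device's installed packages. The following added example (not code from the AEMM console) reports each kind of violation and flags packages placed in contradictory lists; the package names are constructed, and treating an empty whitelist as "not enforced" and required apps as implicitly allowed are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AppPolicy:
    """The three application lists of one policy (package names as strings)."""
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    required: set = field(default_factory=set)

    def conflicts(self):
        """Authoring errors: the same package placed in contradictory lists."""
        issues = [f"{p}: required and blacklisted"
                  for p in sorted(self.required & self.blacklist)]
        issues += [f"{p}: whitelisted and blacklisted"
                   for p in sorted(self.whitelist & self.blacklist)]
        return issues


def audit_device(policy, installed):
    """Compare a device's installed packages with the policy lists."""
    installed = set(installed)
    findings = {
        "blacklisted_installed": sorted(installed & policy.blacklist),
        "missing_required": sorted(policy.required - installed),
        "not_whitelisted": [],
    }
    # Assumption: an empty whitelist means the whitelist is not enforced,
    # and required apps count as allowed even when not whitelisted.
    if policy.whitelist:
        allowed = policy.whitelist | policy.required
        findings["not_whitelisted"] = sorted(
            installed - allowed - policy.blacklist)
    # Evaluated before the "compliant" key exists, so it only sees the lists.
    findings["compliant"] = not any(findings.values())
    return findings


# Constructed sample data, for illustration only.
SAMPLE_POLICY = AppPolicy(
    whitelist={"com.example.mail", "com.example.browser", "com.example.vpn"},
    blacklist={"com.example.game"},
    required={"com.example.vpn", "com.example.agent"},
)
SAMPLE_INSTALLED = ["com.example.mail", "com.example.game",
                    "com.example.chat", "com.example.agent"]

if __name__ == "__main__":
    print(SAMPLE_POLICY.conflicts())
    for key, value in audit_device(SAMPLE_POLICY, SAMPLE_INSTALLED).items():
        print(f"{key}: {value}")
```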

Kiosk
The Kiosk module makes the device present a default interface with only the applications and configurations selected here.
Android
Kiosk mode for generic Android is available only for links with Samsung Knox Agent and Android above 4.0.
To add applications to kiosk mode, type at least 3 characters into the searchable text box, and then the console will present the matching results in a drop-down list, as shown in the following screenshot.
Then click on the app to add it to the listing.

Repeat the process for each application.

To configure additional options, go to the “configuration options” tab and configure the options that are needed.

The available configuration options are as follows:
- Kiosk exit password: By entering a password, the end user of the device will have the possibility to exit kiosk mode, after entering said password.
- Wallpaper: The kiosk mode on the device will display the image that is loaded here. (5 Mb maximum)
- Custom Message: The kiosk mode interface will present the message configured here. (100 characters maximum)
Android For Work
Kiosk mode for Android for Work is only available for devices linked in AFW DO (Device Owner) mode.
For Android for Work, only apps that have been approved for AFW in advance can be added.
To add them to the kiosk, proceed in the same way as in the previous section.
In the case of configuration options, the following groups are presented in addition to those in the previous section.

In this group you can enable/disable system applications whose packages have been added with the previous in the Android System Applications configuration section. When you tick each box, the selected applications will appear at the kiosk.
In this group, you can enable/disable configuration screens in kiosk mode for each of the options presented.
For this group, you can activate/deactivate power switches in kiosk mode to turn each of the options presented on or off.
⚐ Note: In the kiosk configuration, the following must be taken into account:
- On devices with an OS version lower than 9, the notifications to grant permission to transmit files via Bluetooth cannot be seen.
Safe browsing (iOS, Android, and Android For Work)
In the Safe Browsing module, you can configure websites to access or restrict access from the Aranda Secure Browser application. This application allows access to internet websites and serves as the device’s web browser.

⚐ Note: Currently this functionality is used with the Aranda Secure Browser application, which is not enabled in the store since it will be removed from the suite.
You will be able to make the settings in the policy, but not access the Aranda Secure Browser application.
Tracking Policy Settings
In the policy module, after selecting the platform and assigning a name to the policy, the section that allows you to carry out the monitoring parameterization will be displayed.


Clicking on the “Enable Tracking Policy Editing” option presents the options to select the tracking level, with the values low, medium, and high.

Once the tracking frequency has been selected, the section is available in which the tracking time can be configured. By clicking on the clock icon, the section that allows you to select the hours, minutes and day (a.m./p.m.) in which the tracking will be carried out appears.

Finally, there is the section for configuring the days, where you can select individually the days on which the configuration applies or use the option that marks all the days.

Once the tracking policy has been created and assigned to a device, it can be viewed in the device’s location details.

4. After configuring the policies, select Save.