Reference for all the available features and security settings in Android Enterprise
This is a list of the feature control and security settings and the role or use for each function.
Feature Control
Maximum time to Lock | Maximum time in seconds before the device locks and displays only the lock screen. Setting it to 0 means no value is enforced and the device uses its own Display timeout setting. *Note: Springmatic uses seconds rather than the Google API default of milliseconds. |
Screen Capture Disabled | Prevent remote screen capture of devices. This does NOT prevent local screen caps; rather, it prevents the display from being available to remote users. *Note: Enabling this feature could affect Remote Control functionality. |
Default Permission Policy | Whether apps 'prompt', 'grant', or 'deny' the requested permissions at start. This applies to all apps on the device. *Note: More granular control is in the App Management - App Permissions setting. |
Factory Reset Disabled | Whether the device can be factory reset by the device user in the Settings app on the device. |
Bluetooth Disabled | Prevents the use of Bluetooth. |
Bluetooth Config Disabled | Prevents the ability to configure Bluetooth. Useful if Bluetooth is needed in a preconfigured state and that state must not be altered. |
Tethering Config Disabled | Prevent the device from USB or Bluetooth network tethering. |
Network Reset Disabled | Prevents resetting or modifying the Network settings. |
Outgoing Beam Disabled | Whether NFC can beam data from the device to other equipment. |
Outgoing Calls Disabled | Prevents making outgoing phone calls from the device. |
USB File Transfer Disabled | Prevents USB file transfer (MTP) from the device. *Note: ADB can still make pull requests if Debugging is activated, so it is recommended to also disable Debugging in the security settings. |
Data roaming Disabled | Prevents the device from roaming when using cellular data. |
Location Mode | Set device-wide location to 'User Choice', 'Enforced', or 'Disabled'. This determines whether the device can enable or disable its location services. |
Permitted Accessibility Services | Enter the package name (App ID) of the applications which are allowed to act as accessibility services. *Note: This is needed for Springmatic Enterprise to allow remote control for Springmatic admins. |
Auto Date and Time Zone | Select whether the device should enable auto date and time, or whether it follows another setting. *Note: If a date and time is set in the profile, this should be left unspecified. |
Camera Access | Set device camera permission to 'Unspecified', 'Enforced', or 'Disabled' for any camera app on the device. Doing so either prompts the user to accept the camera permission, allows the camera by default, or blocks use of the device camera(s). |
Microphone Access | Set device microphone / recording permission to 'Unspecified' or 'Disabled' for any recording or conferencing app on the device. Doing so either prompts the user to accept the microphone permission, or blocks use of the device microphone(s). |
Security Settings
Encryption Policy | Whether encryption is required on the device and whether a password is required. *Note: Most Android devices have encryption enabled by default. Leaving 'unspecified' defaults to the device factory setting for encryption. |
Play Store Mode | This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy. |
Choose Private Key Rules | This function is used if the organization has an app requiring a private key to install and use. Admins should provide the URL to match against, the package name (App ID), and the alias of the private key. |
Permission Grants | Specify a specific permission which is allowed for all apps on the device. Similar to the Default Permission Grant in Feature Control, this setting specifies a specific permission type (e.g. location, calendar, files and media, etc.). *Note: To grant permissions to a single managed app, use App Management - App Permissions. |
Password Policies | Set policies enforcing the password types and requirements for managed devices. This includes the required complexity of the password on the device (e.g. minimum 8 characters or more). Once set, if a managed device does not comply with the password requirements, all apps aside from Settings are locked until the device password is compliant. |
Policy Enforcement Rules | Enable to force the device to take action if it fails to update its profile. This can be used to help mitigate the impact of lost or stolen devices. Block after Days - Number of days for which the device can fail to apply the policy before it is blocked from the management platform. Block scope - Define how the block should affect the device. Wipe after days - Wipe an unresponsive device after a period of time. Preserve Factory Reset Protection - Factory Reset Protection (FRP) is an anti-theft feature in Android. Preserving this when the device is wiped for non-compliance renders the device unusable until the same Google account is added to the device. Setting Name - Select which setting should be the primary determiner of policy compliance / non-compliance. |
Advanced Security Overrides - Untrusted Apps Policy | Select if users are allowed to install untrusted apps (non-Play Store apps) on the device. This effectively locks down sideloading. |
Advanced Security Overrides - Google Play Protect Verify Apps | Select if Google Play Protect should be running on the managed devices. |
Advanced Security Overrides - Developer Settings | Select whether users are allowed to enable Developer settings, for example USB debugging and other settings, on the device. By default this is disabled for all managed devices with an Android Enterprise profile. |
Advanced Security Overrides - Common Criteria Mode | Enables a stricter set of security standards. This feature is only recommended for organizations that are aware of and comply with the security standards defined in the Common Criteria for Information Technology Security Evaluation (CC). Enabling Common Criteria Mode increases certain security components on a device, including AES-GCM encryption of Bluetooth Long Term Keys, and Wi-Fi configuration stores. Warning: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enable if required. |
Usage Log - Enabled Log Types | Specify the types of logs managed devices will collect. |
Usage Log - Upload On Cellular Allowed | Select whether logs can be uploaded over a cellular (3G, 4G, 5G) network or over Wi-Fi only. |
More information about Android Enterprise Policy Controls is available here.
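
Several of the settings above only hold if a related setting is also locked down, most notably USB File Transfer Disabled, which ADB can bypass while Developer Settings are allowed. The following policy check is an added example, not Springmatic or Google code. It assumes the policy is available as JSON using the field names and enum values of Google's Android Management API policy resource, and both sample policies are constructed.

```python
# Added example. Field names and enum values are those of Google's Android
# Management API policy resource (an assumption: the console's own storage
# format is not shown on this page). Sample policies below are constructed.

def seconds_to_api_ms(seconds: int) -> str:
    """Console value in seconds -> API 'maximumTimeToLock' (ms, int64 as string)."""
    if seconds < 0:
        raise ValueError("lock timeout cannot be negative")
    return str(seconds * 1000)

def audit_policy(policy: dict) -> list[tuple[str, str]]:
    """Return (code, detail) findings for gaps between related settings."""
    findings = []
    adv = policy.get("advancedSecurityOverrides", {})
    # Unspecified developer settings count as disabled, the default noted above.
    dev_allowed = adv.get("developerSettings") == "DEVELOPER_SETTINGS_ALLOWED"
    if policy.get("usbFileTransferDisabled") and dev_allowed:
        findings.append(("USB_BLOCK_BYPASSED",
                         "MTP is blocked but USB debugging can be enabled, so ADB pull still works"))
    if adv.get("untrustedAppsPolicy") == "ALLOW_INSTALL_DEVICE_WIDE":
        findings.append(("SIDELOADING_ALLOWED", "non-Play Store apps can be installed"))
    if adv.get("googlePlayProtectVerifyApps") == "VERIFY_APPS_USER_CHOICE":
        findings.append(("PLAY_PROTECT_OPTIONAL", "users can turn off app verification"))
    if int(policy.get("maximumTimeToLock", "0")) == 0:
        findings.append(("NO_LOCK_TIMEOUT", "0 or unset: device falls back to its Display timeout"))
    if not policy.get("passwordPolicies"):
        findings.append(("NO_PASSWORD_POLICY", "no password requirements are enforced"))
    return findings

WEAK_POLICY = {  # constructed sample
    "usbFileTransferDisabled": True,
    "advancedSecurityOverrides": {
        "developerSettings": "DEVELOPER_SETTINGS_ALLOWED",
        "untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE",
        "googlePlayProtectVerifyApps": "VERIFY_APPS_USER_CHOICE"}}

HARDENED_POLICY = {  # constructed sample
    "usbFileTransferDisabled": True,
    "maximumTimeToLock": seconds_to_api_ms(300),
    "passwordPolicies": [{"passwordMinimumLength": 8, "passwordQuality": "ALPHANUMERIC"}],
    "advancedSecurityOverrides": {
        "developerSettings": "DEVELOPER_SETTINGS_DISABLED",
        "untrustedAppsPolicy": "DISALLOW_INSTALL",
        "googlePlayProtectVerifyApps": "VERIFY_APPS_ENFORCED"}}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, [code for code, _ in audit_policy(pol)])
```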