Springmatic Best Practices

Run through the key considerations for optimizing the Springmatic experience

Looking to get the most out of your Springmatic experience? Here we run through some key hints and considerations to make the most out of the platform. 

What platforms does Springmatic support? #platforms

Springmatic was designed to support Android devices first, but over time, more and more platforms are being added. Currently (Q1 2023), iOS is in beta testing, and Windows device management is in development.  

How can I streamline my device enrollment? #streamline

With Android, enrollments from a factory reset needs to take place during the device onboarding meaning that the device is downloading all the information, applications, associated with the profile while setting up the device for first time use. For the smoothest enrollment, it's recommended that devices be first enrolled in a staging fleet with no or relatively simple profile, then add complexity over time. 

More complex profiles or the layering of profiles can always happen after a device is enrolled by moving it to a different fleet. 

When enrolling, the device shows a red icon and doesn't complete? #redicon

When enrolling, be mindful of the available license count left in the tenant. Springdel strives to make license management as painless as possible, but if licenses are used up, new enrollments will fail. Please contact your Springdel support contact for quick resolution. 

What are Skip Device Encryption and Leave System Apps in the Enrollment options? #skipdeviceencryption

Both options are part of the Android Management options for enrolling devices. Whether using Android Edge or Android Enterprise enrollments, these options allow the admin to decide if they want to skip the mnagement API from further encrypting the device (potentially faster enrollments on older devices - negligible in newer devices) and/or whether system apps should be provisioned to the device. 

In Android Management, by default, only the bare minimum applications will persist on the device unless specified in the profile. 'Leave system apps enabled' is sometimes important for PDA or scanner manufacturers as a lot of the barcode and other utilities will be provisioned during the onboarding or OOBE setup of the device. Clicking 'Leave system apps enabled' ensures that all the standard applications that normally get set up during the OOBE process will remain. 

How can I speed up application provisioning to my fleet of devices? #applicationprovisioning

Springmatic allows for files and applications to be uploaded to its cloud-based backend and then pushed to the devices. The cloud backend is designed for scale, however, if the networks of the devices is throttled or suffers from a weak signal, it may be more optimal to host the files in a local network or LAN. 

More information about the benefits of a hybrid cloud model are located in the Springdel blog, as well as instructions in the file and app management section of the knowledge base. 

I published a new version of my application but Springmatic blocked it, why? #blockedapp

For applications uploaded to our cloud backend or exposed on the Internet, Springmatic will decipher meta data about the application including the version numbers. In Android there are 2 areas that need to be adjusted in the build information about an app - the Version Name and the Version Code. If either appears the same Springmatic will block the application from being uploaded to the platform. More information about the best practices around this design are located here.

I enrolled my device but Remote Control isn't working, why? #remotecontroltroubleshooting

Remote control is a powerful application that work without local user intervention unless desired. To set it up, ensure that the remote control was started and the appropriate accessibility permissions were granted to allow unattended access by admins to the devices. More information is included in the Troubleshooting Remote Control article in the knowledge base. 

I added my application to the kiosk, but the device doesn't display it #kioskapplication

The Kiosk builder for Android Edge type profiles is designed to allow any application or service to run while the device is in Kiosk mode. These could be applications provisioned to the device or those already native to the device. For example, a gallery or camera app that comes standard with the device does not need to be provisioned. 

For this reason, the kiosk part of the profile will only authorize which application IDs are supposed to be displayed in the kiosk. It will not push applications from the builder to the device. If applications in the kiosk also need to be provisioned or installed from the Springmatic platform, please ensure that the profile includes the desired applications in the App management section as well the application IDs in the Kiosk builder.

I want to use a kiosk mode but also have access to settings like WiFi and Bluetooth #wifibluetoothkiosk

That is not a problem. The Springdel support team has specialized tools to help users with this very problem and allow for WiFi and Bluetooth pairing to take place a device with Kiosk mode enabled. 

Generally, most WiFi or network settings are recommended to be set either via the enrollment ID or in the profile for Kiosk-enabled devices, but we understand that exceptions exist. Please reach out to us for more support. 

How can I build a custom HTML Kiosk? #HTMLkiosk

There are some detailed steps located in the Kiosk section of the knowledge base. There are any number of ways to build the HTML Kiosk file so long as the javascript is properly called to support the necessary function calls. 

To get started with a customized template, there is a Python script that walks through some basic steps for building a working HTML Kiosk file. Steps including company name, logo, background color or image, the number of apps to display, the app names, logos and app IDs. Further modification can be made to adjust and tweak once the template is built. 

More details are located here.

How and when should I use single app mode? #singleappmode

Single app mode is useful for kiosks where only a single app is desired to be shown. This scenario could be for self-service kiosks at a retail location, or wallpanels displaying updates, promotions, or even the weather. 

To enable enter the the Kiosk section fo the profile. Toggle on 'Single App Mode' and enter the Kiosk Builder. In the Kiosk Builder also add the app to both the Kiosk App list AND the Autolaunch App list. Doing so will ensure that the app will launch immediately when using the kiosk mode, and relaunch itself if ever closed for any reason.

I want to use the phone dialer app in Kiosk mode, but it isn't working #phoneinkiosk

The phone dialer in Android has a lot of applications and services that tie in to enable normal functionality. In the Kiosk builder Springmatic has the ability to whitelist services which are not shown in the kiosk itself but would still be allowed to function in the background. 

Add the phone dialer application in the Kiosk app list.

Stock Android devices: com.google.android.dialer

Samsung devices: com.samsung.android.dialer

For stock Android devices (i.e. Pixel, Nexus,  Nokia, Android One lines) whitelist the following:

  • com.android.server.telecom.overlay.common
  • com.android.providers.telephony
  • com.android.server.telecom
  • com.android.phone

For Samsung devices whitelist the following:

  • com.android.server.telecom
  • com.google.android.apps.messaging
  • com.samsung.android.incallui
  • com.android.incallui.call.InCallActivity

Working example with stock Android device:

If any issues or problems still exist, please reach out to your Springdel representative for more assistance. 

I just moved my device and now all the apps are gone, why? #movingfleet

Moving a device or a fleet will remove the device profile associated with the previous fleet and apply the new profile including the applications, files, feature controls, etc. This behavior is by design so users can ensure anything sensitive in one profile can be removed by moving the device(s) to a different fleet. 

To move devices without losing the existing profiles, suggest to use sub-fleets with our hierarchical fleet structure. Applications can be in the top fleet profile, and different settings or groups can be created as sub-fleets with multiple profiles layered together. There is no limit on the number of sub-fleets that can be created and managed this way.

How can I test my latest application in my profile? #testapps

Testing and production should never be mixed. Springel supports this and can help organizations via the clone feature. 

Profiles can be cloned in the Springmatic UI. Before testing, its recommended to create a new fleet which will be the 'testfleet' or 'pre-production' fleet. The original profile can be cloned by clicking the checkbox next to it, and then the clone icon at the bottom of the page. 

The new test application, file, or setting can then be applied to the device(s) in the test fleet with with the cloned profile. Once testing is complete and found adequate the new policy or applications can then be updated in the production profile. 

How to prevent devices losing network connection? #maintainnetworkconnection

Springdel has the unique solution whereby devices can drop from the network without suffering changes to the applied policies and settings on the device. However, if devices are unreachable for too long that can prevent access for updates and remote debugging support. 

To ensure devices stay available on the network, be careful of the following scenarios.

  • Using Profile WiFi - Just as profile settings can get erased if the device is moved to another fleet, network settings in the profile could suffer if the device is moved.

  • Setting 'Allow Only These WiFi' - By default the WiFi settings are simply added to the known networks on the device. Toggling 'Allow Only These WiFi' forces the device to forget any other known network not specified in the profile. This setting needs to be done with caution in case there are edge cases in the network where certain devices actually have another WiFi SSID not known to the profile.

  • Geofencing - Springdel has a unique, on-device Geofence behavior whereby the device will move itself based on its perceived location. The device self-monitors its location, and can leave one known good profile to a locked-down profile when it leaves the authorized area. However, if all the WiFi networks are associated with the known good profile, and not associated with the lockdown profile, the device will be unable to automatically reconnect to the networks. Also, device location in Android is not always 100% accurate, so it's recommended to setup Geofencing with some buffer to prevent devices from accidentally leaving the network because of the device's perceived location.

Why do my User Groups lose remote control and other permissions for new fleets? #usergrouppermissions

When creating a user group admins have the option to apply remote control to all available fleets by selecting the 'Select all fleets' option. However, this is not a blanket permission, nor should it be. New fleets, by design, will not auto-grant permissions to non-Admin User Groups. This is done for better control and security.


Should admins wish to create new fleets with waterfall permissions to existing User Groups, recommend creating subfleets which DO retain permissions from the master fleet.

As Springmatic can support an unlimited number of fleets and subfleets, should admins wish to waterfall permissions to all newly created fleets, recommend creating all new fleets in a primary master fleet with the correct User Group permissions assigned. Doing so helps achieve the desired behavior, but also retains the option to create private fleets with different User Group permissions in the future.

Device action 'Reset password' does not take effect on my device. #resetpassword

Android's API for sercure password management requires temporary certificates to be created and stored on a device. Certain Android devices with an existing password or pin have shown they cannot accept the addition of a new certificate for the secure password reset to take place. As a result, Springdel ignores this case for those devices to prevent any device error or malfunction.