Managing Policies

Print Friendly, PDF & Email

To know the details of the policies, navigate to the Edit Policies tab that includes all policies. The policies are differentiated into different sections for better understanding such as Password, Policy for Device Applications, Policy for App Stores, Policy for Downloaded Apps, Policy for ADO enabled devices, and Policy for KNOX supported devices.

Sections Description
All This section shows all the policies available in Seqrite Enterprise Mobility Management (mSuite). The All policies section includes the Inherit From option to inherit a policy from the drop-down list of already created policies. Select this option to inherit the policy from earlier created policies.

– Click the Select All option on the right side of the Edit Details tab if you want to select all the policies.
Inherit From: Allows to inherit the password policy from already created policies. While creating a new policy, you can select the Inherit From list to inherit the policies from already created policies.

Password Shows all the policies related to the password criteria. You can turn on the policies as per your requirement.
Policy for Device Applications Lists the policies related to the device. You can turn on the policies as per your requirement.
Policy for App Stores This policy lists the policies related to the device applications. You can turn on the policies as per your requirement.
Policy for Downloaded Apps This policy defines more about security of the downloaded apps. You can turn on the following policy as per your requirement.
Policy for ADO enabled devices The ADO policy is applicable to those devices where Seqrite EMM Agent is the device user.

– All the ADO policies are superscripted with “D” for easy identification.
– This policy is applicable to the devices where the Seqrite EMM Agent is the device user. Also, check on the Seqrite EMM console the specific OS versions of the devices to which this policy can be applied.

Policy for KNOX supported devices The KNOX policies are applicable to the Samsung KNOX-supported devices.
– All the KNOX policies are superscripted with “K” for easy identification.

Seqrite Enterprise Mobility Management (mSuite) supports following policies:

Requires Password

This policy applies a screen lock and sets the password on the device. Different password types are Low, Medium, and High. After applying this policy on the device, the user has to set the password as per the type of the password suggested. If the user does not apply this policy, the device will be shown as the Non-compliant device.

The following are the three values of the password:

  • Low: A less secure option. You can set the Pattern, Pin, or Password for the device screen lock.
  • Medium: A secure option. You can set the Pin or Password for the device screen lock.
  • High: The most secure option. You can set only the Password for the device screen lock.

Password Minimum Length

To set the length of the password, turn on the Password Minimum Length policy. This policy is dependent on the Requires Password policy. After applying this policy on the device, the user must set the password as per the recommended password length.

  • If the password type is Low, then the password length must be in between 4 to 16.
  • If the password type is Medium, then the password length must be in between 6 to 16 alphanumeric letters.
  • If the password type is High, then the password length must be in between 8 to 16 letters. The user has to set the password with at least one character, one numeric, and one special character.
Note:
The user must apply settings as per the policy. Otherwise, the device will be shown as Non-compliant device.

Password Age

To set the expiry age for the password, turn on the Age policy and then select the expiry age for the password such as 15 Days, 30 Days, 45 Days, and 90 Days.

This policy is dependent on the Requires Password policy. After the specified time expires, the user must reset a new password. Otherwise, the device will be shown as a non-compliant device.

Device Autolock

To lock the device automatically after a preset idle time, turn on the Autolock policy.

This policy is dependent on the Requires Password policy. After applying this policy on the device, if the device screen remains idle for the selected time, the device will be automatically locked. The time can be 15 Sec, 30 Sec, 1 Min, 2 Min, 5 Min, 10 Min, and 30 Min.

Password History

To maintain a history of old passwords and to restrict the user from using the old passwords, turn on the Password History policy.

After applying this policy, the device saves the selected number of old passwords given in the list. The values given in the list are 2, 3, 4, and 5. This policy is applicable only on iOS devices.

Block Voice Dialing from Lock Screen

To block voice dialing, turn on the Block Voice Dialing on Lock Screen policy. After applying this policy on the device, the user will not be able to use voice dialing when the device is locked with a password.

This policy is dependent on the Require Password policy. This policy is applicable only to the Supervised iOS devices.

Block USB Connection

To block the device from connecting to other devices through USB, turn on the Block USB Connection policy. After applying this policy on the device, the user will not be able to connect to any device through USB. If the user tries to connect to any device through USB, the device will be locked and the device password will get reset.

If this policy is applied to the KNOX devices, the device user would not be able to detect or transfer the data through USB connection.

Note:
– This policy is dependent on the Require Password policy.
– This policy may or may not be applicable to some of the devices.
– For ADO devices, this policy is applicable only when the device OS version is 6 or later.
– This policy is applicable to the non-ADO devices with OS 6 and earlier versions.
– For Android 10 and above, the password policy will be applied only if ADO is enabled. Ensure that ADO is enabled before you apply the password policy.

Block Safe Mode

To restrict the access of Safe Mode on the selected device, turn on the Block Safe Mode policy. This policy is dependent on the Requires Password policy. After applying this policy on the device, the user device will be blocked and asked to set the password as per the password policy. After setting the password, the user will not be able to access the Safe Mode. The access to Safe Mode will be permanently blocked. If you do not want to block the Safe Mode access for a specified user, revoke the policy for that user.

If this policy is applied to the KNOX devices, those device users will not be able to access the Safe Mode.

Note:
– To apply this policy, it is mandatory that the Requires Password type must be set to Medium or High.
– For ADO devices, this policy is applicable only when the device OS version is 6 or later.
– For non-ADO devices, this policy is applicable only when the device OS version is 6 or earlier versions.
– This policy may or may not be applicable to some of the devices.

Block Camera

To block the use of camera, turn on the Block Camera policy. After applying this policy on the device, the user cannot use the camera on the device. If the user tries to launch the device camera, the Seqrite EMM will automatically close it.

Note:
For Android 10 and above, the camera can be blocked only if ADO is enabled. Ensure that ADO is enabled before you apply the Block Camera policy.

Block Face Time

To block the use of Face Time app on iOS devices, you can enable this policy. It dependents on the Block Camera policy.

Block Factory Reset from Device Setting

This policy disables the Factory Reset option on the device. Thus, the device user cannot factory reset the device. The Restrict Factory Reset policy is applicable only to the devices where Seqrite EMM Agent is the Device user or to the Samsung KNOX supported devices or to the Supervised iOS devices.

Note:
This policy is applicable to non-ADO Android devices with OS 6 or earlier versions.

Block Bluetooth

To block the usage of the Bluetooth, turn on the Block Bluetooth policy. After applying this policy on the device, the user cannot switch on the Bluetooth mode on the device. If the user tries to use Bluetooth on the device, the Seqrite EMM will automatically close it for security.

The Block Bluetooth policy is applicable to the KNOX devices and also to the Android ADO devices where Seqrite EMM Agent is the device user.

Block Configuring Bluetooth

The Block Configuring Bluetooth policy can be enabled only when the Block Bluetooth policy is turned off. To restrict the user from configuring the Bluetooth on the device, turn on the Restrict Bluetooth Configuration policy.

If this policy is applied, the user cannot pair with new Bluetooth devices, but can connect with already paired devices.

This policy is applicable to KNOX devices as well as to the ADO devices where Seqrite EMM Agent is the device user.

Block Wi-Fi

To block the usage of Wi-Fi, turn on the Block Wi-Fi policy. After applying this policy on the device, the user cannot switch on the Wi-Fi. If the user tries to use the Wi-Fi on the device, Seqrite EMM will automatically close it.

Note: The policy works for ADO devices when there is a SIM card in the device. Also, the policy works for normal enrollment when there is a SIM card in the device, and the OS is below 10.

Block Open Wi-Fi

To prevent the user from connecting to the available open Wi-Fi networks, turn on the Block Open Wi-Fi policy. After applying this policy on the device, the user will not be able to connect to any open Wi-Fi network.

Block Mobile Hotspot

To block the usage of the Mobile Hotspot, turn on the Block Mobile Hotspot policy. After applying this policy on the device, the user cannot switch on the mobile Hotspot. If the user tries to use the mobile Hotspot on the device, Seqrite EMM will automatically close it.

Note:
This policy is applicable only to the Samsung devices that support KNOX.

Block NFC

To block the usage of NFC, turn on the Block NFC policy. If this policy is applied on the device, the NFC option gets disabled.

Note:
This policy is applicable only to the Samsung devices that support KNOX.

Location Service (GPS)

This policy helps to enable or disable the location services option on the device. You can apply this policy as follows:

  • Always ON: To allow the device user to use the location services continuously, select this option.
  • Always OFF: To completely block the device user from using the location services, select this option.
Note:
– This policy is applicable to the Android devices.
– This policy is applicable to both ADO and KNOX supported devices.

Sync Frequency

To set the frequency of the reports from the server, turn on the Sync Frequency policy. After applying this policy on the device, the device will send the reports (scan /non-compliance reports) to the server at the selected intervals. The frequency intervals are 4 hours, 8 hours, 16 hours, 24 hours, and 48 hours. If the user turns off this policy, then the server will send reports only in 24 hours.

Note:
This policy is applicable only to the Android devices.

Block Certificate

To block the unwanted downloads of certificates on the device from the untrusted websites, turn on the Block Certificate policy. This policy is device specific as follows:

  • iOS device: In iOS devices, this policy blocks untrusted TLS certificate.

Block Screen Capture

To block screen capturing on the device, turn on the Block Screen Capture policy. If this policy is applied on the device, the user cannot capture any screenshots.

Note:
– This policy is applicable only to the ADO and KNOX supported devices.
– This policy is not applicable to the non-ADO devices with OS 6 and earlier versions.

Block Text Copy and Paste

To block the copy and paste of the text on the device, turn on the Block Text Copy and Paste policy. After applying this policy on the device, the user will not be able to copy and paste the text on the device.

Note:
This policy is applicable only to the Android devices. However, this policy would not work on Android 10 and above.

Block iTunes App

To hide the iTunes app on the Supervised iOS devices, turn on the Block iTunes App policy. After applying this policy on the device, the user will not be able to view/access the iTunes app on the device.

Block App Store

To hide the app store on the Supervised iOS devices, turn on the Block App Store policy. The app store will be blocked, and the user will not be able to view/access anything from the App store for iOS devices.

Set Google Account

To configure a Google account on the user’s Android device, turn on the Set Google Account policy. After applying this policy, the user must configure the Google account manually on the device. If the user does not configure the Google account, the device will go in non-compliance mode.

Block Primary Microphone

To block the primary microphone on the user’s Android device, turn on the Block Primary Microphone policy. After applying this policy, the user will not be able to use the microphone on the device.

Note:
– This policy is applicable to the ADO and KNOX supported devices.
– This policy is not supported by Lenovo devices.

Block Siri

To block Siri application on the iOS device, turn on the Block Siri policy. After applying this policy on the device, the user will not be able to delegate any request or action to Siri. You can select the available options to block Siri: Always and When Locked.

  • Always: With this option, Siri will be entirely blocked on the users’ device.
  • When Locked: With this option, Siri will be blocked only when the device is locked.

Device Time-out

This policy is to ensure that the device remains connected to the server when the device is not communicating with the server for the specified number of days, then the device will be in the non-compliance mode. Select the number of days from the available options; 1, 2, 3, 5, and 7 days. After you select the days, the device will remain disconnected for the specific duration and after that the device will go into the non-compliance mode. This policy is applicable to the Android and iOS devices.

Set Auto Time Zone

To set automatic date, time, and time zone on the user Android device, turn on the Set Auto Time Zone policy. After applying this policy, if the user sets the time and date or time zone manually, the device will go into the non-compliance mode.

  • If this policy is applied to the devices with KNOX operating system, the device user would be restricted from editing or updating the time zone or date and time on the device.
  • If this policy is applied to the ADO devices where Seqrite EMM Agent is the device user, the device user would be able to turn it off, but within 30 seconds the auto time zone is turned on automatically by Seqrite EMM Agents.

Block Profile Switch

At times, the user may have multiple user profile on a single device and can easily switch between the profiles. To restrict the user from switching to different user profiles, turn on the Restrict Profile Switch policy.

Note:
This policy is applicable to the ADO and KNOX supported devices.

Device Accessibility Service & App Usage

With this policy, the user is forced (Strict) or notified (Notify) to apply the accessibility and app usage services within the defined time. The user can be forced or notified to apply the services within the set number of days, hours, minutes, or seconds.

Block Accounts Modification

To restrict user from modifying any user profile, turn on the Block Accounts Modification policy. When this policy is applied on the device, the user will not be able to make any changes to the user profile. This policy is applicable to those devices where Seqrite EMM Agent is the device user or Supervised iOS devices or Knox supported devices.

Block USB Debug Mode

To restrict the user from accessing the debug mode when the device is connected to the system, turn on the Block USB Debug Mode policy. If this policy is applied, the user will not be able to use the USB Debug Mode on the device.

Note:
This policy is applicable to both, the KNOX Samsung devices and ADO supported devices where the Seqrite EMM Agent is the device user.

Block App Control

To restrict the user from installing or uninstalling the apps from their device, turn on the Block App Control policy.

Note:
This policy is applicable to the ADO supported devices where the Seqrite EMM agent is the device user.

Block Adding New User Profile

To restrict the user from creating new user profile, turn on the Block Adding New User Profile policy. This policy is applicable to all ADO enabled devices.

Block deletion of user profile

To restrict the user from deleting any user profile, turn on the Block deletion of user profile policy. If this policy is applied on the device and the user tries to delete the user profile, the device will go in non-compliance mode.

Note:
This policy is applicable to both, the KNOX Samsung devices and ADO supported devices where the Seqrite EMM Agent is the device user.

Block Configuring Mobile Data Setting

To restrict the user from configuring the mobile data on the device, turn on the Block Configuring Mobile Data Setting policy. This policy is applicable to the ADO enabled devices where Seqrite EMM Agent is the device user.

Block Outgoing Calls

To restrict the user from making any outgoing call, turn on the Block Outgoing Calls policy.

Note:
This policy is applicable to both, Samsung KNOX and the ADO supported devices where the Seqrite EMM Agent is the device user.

Block Mounting Physical Media

To restrict the user from mounting any physical media on the device, turn on the Block Mounting Physical Media policy.

Note:
This policy is applicable to the Samsung KNOX supported devices.

Wi-Fi On in Sleep Mode

To keep the Wi-Fi on even in sleep mode, turn on the Wi-Fi On in Sleep Mode policy. If this policy is applied, the user cannot change the Wi-Fi settings and it will be kept on in sleep mode. To do more customization with this policy, following options are available:

  • Always: Select this option to access Wi-Fi continuously.
  • Never: Select this option to completely block the Wi-Fi usage.

Only When Plugged In: Select this option to allow Wi-Fi only when the device is plugged in to the charger.

Note:
This policy is applicable to both, Samsung KNOX and the ADO enabled devices.

Block App Installation from Unknown Sources

To restrict the device user from installing any app from unknown sources, turn on the Block App Installation from Unknown Sources policy.

Note:
This policy is applicable to both, Samsung KNOX and the ADO supported devices where the Seqrite EMM Agent is the device user.

Block Notification Area

To restrict the device user from viewing any notifications and block the notification area on the device, turn on the Block Notification Area policy.

Note:
This policy is applicable to both, ADO and KNOX supported devices. For ADO devices, it is applicable where the Seqrite EMM Agent is the device user and OS of the device is Marshmallow (6.0) or later.

Block Cellular Data

To restrict the apps and services, on user device, from using cellular data to connect to the Internet, turn on the Block Cellular Data policy. When this policy is applied, the device user cannot access Internet using Cellular Data.

Note:
This policy is applicable to the Samsung KNOX supported devices.

Block Mock Location

Mock Locations allow the device users to show the fake location of their device with the help of GPS and network operator. To restrict device user to create the mock location of their device, turn on the Block Mock Location policy.

Note:
This policy is applicable to the Samsung KNOX supported devices.

Block Outgoing MMS and SMS

To restrict the incoming or outgoing MMS and SMS on the user device, turn on the Block Outgoing MMS and SMS policy.

Block Airplane Mode

Airplane Mode disconnects call and SMSs and, in some devices, it also disables Wi-Fi and Bluetooth. Thus, to restrict the device user from accessing Airplane Mode on the device turn on the Block Airplane Mode policy.

Note:
This policy is applicable to the Samsung KNOX supported devices.

Block Notification on Lock Screen

When this policy is applied, the user will not be able to view the earlier notifications or today’s events when device screen is locked. This policy is applicably only to the Supervised iOS devices.

Block Control Center on Lock Screen

To block the control center on the locked screen, turn on this policy. When this policy is applied, the device user will not be able to view the control center if the device screen is locked. You can apply this policy only to the Supervised iOS devices.

Block Safari

To hide the Safari app on the user device, Admin can turn on the Block Safari policy.

Block App Uninstallation

To restrict the Seqrite EMM Agent uninstallation by any unauthorized user, turn on this policy. This policy is applicable only to the iOS Supervised devices.

Block iMessage

With this policy you can block the iMessages on Supervised iOS devices. The user will not be able to view any iMessages.

Block Apple Books

To block the Apple books on the supervised iOS devices, turn on the Block Apple Books policy. The user will not be able to access any Apple books on the device.

Block In-app Purchase

To restrict the user from making any in-app purchase from the device, turn on the Block in-app Purchase policy. The device user will not be able to perform any in-app purchase from the device. This policy is applicable only to the supervised iOS devices.

Block Backup to iCloud

To restrict the user from automatically placing the device backup on iCloud, turn on the Block Backup to iCloud policy. This policy will put restriction on iCloud functionality. You can apply this policy only to the Supervised iOS devices.

Note:
Policies superscripted with “D” and “K” alphabets are applicable only to the ADO enabled and KNOX-supported devices. Such policies are not applicable to non-ADO and non-KNOX devices.

Block Factory Reset from Device Setting

Allows you to block Factory reset from device setting. If this option is enabled from the Seqrite EMM console, the device user cannot do Factory reset.

Note:
Policies superscripted with “D”, “K”, and “S” alphabets are applicable only to KNOX-supported Samsung devices, iOS Supervised devices, and Device Owner enabled devices.

Block USB Debug Mode

Allows you to restrict the device users from accessing the debug mode when the USB is connected to the system.

Note:
Policies superscripted with “D” and “K” alphabets are applicable only to KNOX-supported Samsung devices and Device Owner enabled devices.

Factory Reset Protection

Factory Reset Protection (FRP) policy prevents anyone from using the device if it is factory reset by unauthorized user. During the device setup (after factory reset) it requires the login credentials such as email address and passwords that were configured on the device. This means that if a device is lost or stolen, no one else will be able to reset or use it.

Moreover, if enterprise-managed devices are allotted to the employees for business usage, the devices are configured with email addresses of the employees. If the FRP has been enabled on the devices, it will prevent misuse of the device after factory reset.

In an organization, devices are allotted to different users based on requirement. For example, when an employee leaves the organization, the device is handed over to another employee for which the factory resetting would be required.

With FRP, the admin can select a Google account that can be used to activate the devices. This account can be associated with devices by enabling and publishing FRP policy.

After configuring FRP, you can provision the devices with personal Google accounts. However, when a factory reset is done even by hard reset, the devices can be activated only using the Google account selected by the admin. This ensures the devices are always managed by the Seqrite EMM admin.

This policy is applicable for devices with 6.0 OS or later versions and provisioned as Device Owner.

To know how to map the corporate email address with Google Id, see our knowledge based article here.

Delay Automatic OS updates

Allows to delay the updates of Android operating system by 30 days. If there is an update in the Android operating system and the users find the update not required immediately, they can delay the update by 30 days. However, the update cannot be delayed further.

Please refer below for more:
https://developer.android.com/work/dpc/system-updates

See also
Android Management API (AMA) Policy

Was this page helpful?

Leave a Comment