Introduction

Project policies are used to control various settings on your managed Android devices.

Note: Android projects can either be Fully Managed or Managed Profiles

TABLE OF CONTENTS

• Introduction
• Kiosk Settings
  • All Kiosk Modes
  • Kiosk Mode: None
  • Kiosk Mode: Single Application
  • Kiosk Mode: Multi-shortcut
• Device Settings
• Ensemble App Settings
• Application Settings
• Google Play Settings
• Update Settings
• Communication Settings
• Security Settings
• Connectivity Settings
• Network Settings
• Device Suspension Settings
• Push Notification Settings
• Inter App Messaging
• Samsung KPE Settings

Kiosk Settings

Note: This tab and the below settings are not accessible via Managed Profile project types, it is only available on a Fully Managed project.

Read our Key Feature: Kiosk Mode article to learn about ways to use kiosk mode.

All Kiosk Modes

These policies are shared across all modes

Kiosk Mode: None

In this mode, the user has full access to their device unless otherwise restricted by other policies.

Self-kiosk

While Ensemble is not in kiosk mode, other applications can call startLockTask themselves to enter kiosk mode, as long as their package name is stored in the Other Packages Allowed During Kiosk list. The Kiosk Features policies can be used to control the kiosk settings for the self-kiosked application. See above breakdown for more information.

For further information, please see this article from Android Developers: https://developer.android.com/work/dpc/dedicated-devices/lock-task-mode

Shortcuts on Home Screen

Ensemble cannot directly control where shortcuts appear on a device's native home screen but using this feature will prompt the user to add the shortcuts found in this list.

Shortcuts added this way will have a badge on them to indicate that Ensemble added them

If the shortcut is removed from the project, the shortcut will be disabled on the device and the message 'Removed by admin' will appear when clicked. The shortcut can only be deleted by the user.

Kiosk Mode: Single Application

Locks the device to one application of your choice, useful for creating a single-use device. If the kiosked app needs to open other apps, those packages must be added to the Other Packages Allowed During Kiosk list.

Kiosk Mode: Multi-shortcut

Kiosk the device to a customizable home screen application with shortcuts for apps, websites or contacts and more.

Shortcuts

Multi-shortcut mode supports managing various types of shortcuts so that admins can control what the users have access to open.

Summary

√ : supported 

- : unsupported

Definitions

• Label: this name will be displayed below the icon of this shortcut on the home screen.
• Label Font Color: the color of the label.
  • The specified value must be in the format of #rrggbb where rr, gg, bb are two-digit hexadecimal numbers.
• Custom Icon: the icon of the shortcut.
  • There is a default icon used for each type of shortcut and certain shortcuts support using a custom image file as the icon.
  • Application shortcuts will load the icon image from the app once it's installed.
• Placeholder Icon Color: the color of the placeholder icon if there is not custom image selected.
  • The specified value must be in the format of #rrggbb where rr, gg, bb are two-digit hexadecimal numbers.
• App Package: the package of the application for this shortcut.
  • To add an application that is part of the company content, just add it to the project content (if you haven't already) and select it here from the dropdown menu.
  • To add an application that is not part of the company content, enter the package name of that application in the Custom Kiosk Package input.
• URL: the link for the website that will be opened from this shortcut.
• Content: select a file from the project (e.g. PDF) to open from this shortcut.
• Contact: select a contact previously setup in Polices | Communication Settings to open that contact profile from this shortcut in the contacts application.

Device Settings

Note: This tab and the below settings are not accessible via Managed Profile project types, it is only available when on a Fully Managed project type. 

• Audio Volume Level
  • Disallow Adjust Volume from Device Side Keys: Prevents the user from changing the volume and vibration settings. 
  • Control Audio Volume: Set the global volume of the device (Media, notifications, system, and ringtone). User can still modify the volume after it is set by this policy but the volume will be reset to this level at every check-in. 
• Other Volume Settings
  • Disallow Un-Mute Microphone: Prevents user from adjusting microphone volume. If set, the microphone will be muted. 
  • Mute Volume:  Sets the global volume mute to on or off. 
• Display Brightness
  • Disallow Brightness Configuration: Prevents user from changing the brightness from settings.
  • Brightness Control
    • Not Controlled: Ensemble does not control the brightness of the device.
    • Manual: Set the value of brightness of the device.
    • Automatic: Turns automatic brightness on or off.
  • Advanced Brightness Settings: Android device brightness usually falls between 0 and 255 but certain devices like the Google Pixel use a proprietary logarithmic algorithm instead, and other devices have different maximum brightness settings. Use these settings to control how Ensemble interprets the brightness percentage from either policy or via the Quick Action menu.
    • Linear or Logarithmic: Most devices use a linear scale for their brightness values but some devices like the Pixel use logarithmic.
    • 

    • An approximation of that algorithm is displayed above with a logarithmic factor of 20.6 and maximum brightness of 128 for the Pixel 7.

    • Logarithmic Scale Factor: Use this to approximate the logarithmic algorithm used by some devices to adjust brightness.
    • Maximum Brightness: The stand range of brightness values in Android is 0-255. This value should usually be 255 but some devices vary from this standard so adjusting this value will affect how the brightness policies are implemented.
• Organization Name
  • Changes the lock screen message 'Device is managed by your organization' to display the name you specify. 
• Lock Screen Info
  • Sets an additional lock screen message.
• Display Screen Time-Out
  • Disallow Screen Timeout Configuration: Prevents user from changing screen off timeout. 
  • Maximum Time to Lock Screen: Sets the maximum time for user activity until the device will lock. This limits the length that the user can set. 
  • Select Time-out: Select a time frame that a device's screen should stay lit. Enter a custom time frame in seconds on supported models (LM-G710ULM is not supported). Note: This will have no effect if set to exceed the maximum time to lock policy.
• Stay On While Plugged In
  • Select Behavior:
    • Never: Screen never stays on while plugged in.
    • AC: Screen will stay on while plugged into AC charger.
    • USB: Screen will stay on while charging with USB charger.
    • Wireless Charger: Screen will stay on while using a wireless charger.
    • Any: Screen will stay on regardless of charging method.
• Auto-Rotate Screen
  • Turn aromatic screen rotation on/off. Note: Must allow Ensemble to modify system settings to control this setting.
• Location Settings
  • Disallow Location Configuration From Settings: Prevents user from enabling or disabling location providers. As a result, user is disallowed from turning on or off location via Settings. 
  • Disallow Location Sharing Configuration From Settings: Prevents user from turning on location sharing.
  • Track Device Location:  Enable location tracking for devices on the project. Devices' current location will be visible from the company dashboard. 
• Time Settings
  • Sets whether the system time and/or the system time-zone is automatically updated with the current network connection. 
• Font Scale
  • Sets the scale of the device's font. The range is 0.8 to 2.0.
• Doze Mode Whitelist
  • Add application packages to this list so that they will not be affected by Android Doze Mode. Doze mode is a feature, which reduces power consumption by preventing certain tasks (background CPU and Network activity) from running if your device is in an idle state. 
• Shortcuts On Home Screen
  • Shortcuts in this list will be added to the home screen. 

Ensemble App Settings

Note: policy availability can vary by project type:

* are only available on Fully Managed projects 

^ are only available on Managed Profile projects

• Exit Pin
  • This PIN must be entered on the device in order for it to exit the kiosk. If there is not a PIN set, the user may exit the kiosk at anytime. 
• Quick Actions
  • Enable Quick Actions Menu: Enable / disable the quick actions menu in the Ensemble Application 
  • Brightness: Allows user to control the brightness of the device
  • Wi-Fi: :Allows user to quickly enable/disable Wi-Fi
  • Bluetooth: Allows user to enable or disable Bluetooth.
  • Auto-Rotate: Enable the user to toggle Auto-Rotate to either allow screen rotation or lock it in place.
  • Flashlight: Allows user to turn the flashlight On or Off.
  • More: Clicking this will show the following options.
    
• Ensemble Menu
  • Enable Ensemble Settings Menu in action bar: Enable / disable the settings menu in the Ensemble phone application. 
  • Reload Policies: Clicking Reload Policies will cause the Ensemble application to check into the server and fetch project updates.
  • Logout: If a user logged into Ensemble with an Application User Account, this will allow them to logout of that account.
  • View Policies: Clicking View Policies will open an information screen with various types of information depending on the enabled tabs. 
    • Device: The Device tab will show information about the device such as serial numbers, OS versions and some security information like device encryption status. 
    • Apps: The Apps tab will show information about the apps that were installed on the device by Ensemble.
    • Files: The Files tab will show information about the files that were installed on the device by Ensemble. 
    • Policies: The Policies tab will show information about the policies that were set on the device by Ensemble. 
    • APNs: The APNs tab will show information about the APNs on the device. 
    • Misc: The Misc tab will show some debugging actions that can be used to send information that can be used to troubleshoot issues with the device.
  • Accounts: Clicking Accounts will open a secure account management screen. This screen will only allow the user to manage their Google or Managed Play accounts. This feature can be used in addition to the account restriction policies to make sure that account changes can only be made through Ensemble.
    •  Manage Google Accounts:
      • Enable Add: This allows users to add a Google account to the device through the Ensemble menu. A whitelist of domains can be set in the account restrictions policy so that only those domains can be used to login. 
      • Enable Remove: This allows users to remove a Google account from the device through the Ensemble menu. 
    • Mange Managed Play Accounts:
      • Enable Add: This allows users to remove a Managed Play account from the device through the Ensemble menu.
      • Enable Remove: This allows users to remove a Managed Play Account from the device through the Ensemble menu.
  • Push Notification History: This will open the Push Notification History screen so the users can view them while in Single Kiosk Mode.
  • Exit: Clicking Exit will close Ensemble. If there is a kiosk PIN set, that PIN but be entered correctly before the user can exit.
  • System Settings: Each option will open the corresponding page in the Settings app:
    • Settings: Clicking Settings will open the device's default Settings application.
    • Accessibility Settings: Provide access to the device's accessibility settings page.
    • Airplane Mode Settings: Provide access to the device's airplane mode settings page.
    • APN Settings: Provide access to the device's APN settings page.
    • Application Settings: Provide access to the device's application settings page.
    • Battery Saver Settings: Provide access to the device's battery saver settings page.
    • Bluetooth Settings: Provide access to the device's Bluetooth settings page.
    • Captioning Settings: Provide access to the device's captioning settings page.
    • Cast Settings: Provide access to the device's cast settings page.
    • Change Password: Clicking Set Password will open the device's default Settings application's password configuration page. 
    • Data Roaming Settings: Provide access to the device's date roaming settings page.
    • Data Usage Settings: Provide access to the device's date usage settings page.
    • Date Settings: Provide access to the device's date settings page.
    • Device Info Settings: Provide access to the device's device info settings page.
    • Display Settings: Clicking Manage Display will open the device's default Settings application's display configuration page. 
    • Input Method Settings: Provide access to the device's input method settings page.
    • Internal Storage Settings: Provide access to the device's internal storage settings page.
    • Hotspot Settings: Clicking Manage Hotspot will open the device's default Settings application's hotspot configuration page.
    • Language Settings: Provide access to the device's language settings page.
    • Manage Mobile Networks: Clicking Manage Mobile Networks will open the device's default Settings application's mobile network management page.
    • Security Settings: Provide access to the device's security settings page.
    • VPN Settings: Provide access to the device's VPN settings page.
    • Wi-Fi Settings: Clicking Manage Wi-Fi Networks will either open the device's default Settings application's Wi-Fi management page or Ensemble's Wi-Fi management page.
      • System Wi-fi Menu: If this option is selected, clicking Manage Wi-Fi Networks will open the device's default Settings application's Wi-Fi management page. Note: This may provide the user full access to the Settings application depending on the manufacturer.
      • Ensemble Wi-Fi Menu: If this option is selected, clicking Manage Wi-Fi Networks will open Ensemble's Wi-Fi management page.
• Ensemble Device Check-In Preview
  • This is a preview of what the device screen will look like while checking in. Check the checkbox to enable Branding, which enables/disables custom branding that will appear during check-in. 
  • You can select a Logo from image files added to the project, a Title which behaves the same as the Action Bar mentioned below, and a Message that will show along with your branding Logo when the device is checking in.
• Disclaimer:
  • This message will show to the end user on a first run of the program, or after a reboot.
  • Choose when to display a disclaimer:
    • Never
    • On First Run
    • After Every Reboot
• Support Messages
  • Customize the support messages that will be displayed to the user.
    • Short Support Message: This message will be displayed to the end user in the settings screen where functionality has been disabled by the admin. The maximum character length for this message is 200 characters.
    • Long Support Message: This message will be displayed to the user in the device administrator's settings screen.
• Settings
  • Hide Ensemble In The App Drawer: Checking this will hide Ensemble from the phone's App Drawer.
    
    
    
    Note: If using 'User Interaction Required' deploy type, the user may open the Ensemble app by clicking on it in the notification shade.
    
    
• No Connection Timeout
  • If the device has no internet and the user reloads policies or the device is rebooted, an error message will appear. After the timeout, the app will automatically return to the kiosk screen.
• Finish Check-In After Apps Install
  • This controls if the Ensemble MDM application will wait to complete the check-in until after all the applications have been installed.
    
    
    
    Never: the device completes the check-in while the applications download in the background.
    
    
    First Setup: the device waits to complete the check-in until all apps are installed during the first check-in.
    
    
    Always: the device always waits to complete the check-in until all apps are installed.

Application Settings

Note: policy availability can vary by project type:

* are only available on Fully Managed projects 

^ are only available on Managed Profile projects

• Start Application On Install*
  • Applications in this list will start after being installed.
• Runtime Permission Policy
  • This sets the default behavior of applications when they attempt to ask for a permission.
    
    
    Prompt: The user is asked whether they want to allow the permission or not.
    
    
    Grant: all applications are silently granted permissions by default when they attempt to ask.
    
    
    Deny: all applications are silently denied permissions by default when they attempt to ask.
• Block Applications*
  • Hide applications. This prevents the application from being used and it will no longer show up on the home screen.
  • Each ? icon shows the package name of popular applications. 
• Block Applications By Category*
  • Allows you to choose one or multiple of the categories listed to block any applications labeled with that type of category. 
• Block Game Applications by Category
  • Allows you to choose one or multiple of the categories listed to block any game applications labeled with that type of category.
    
• Enable System Applications
  • If system apps were disabled during provisioning, re-enable them by adding them to this list.
    
    
    Samsung Camera: com.sec.android.app.camera
    Samsung Gallery: com.sec.android.gallery3d
    Samsung Clock: com.sec.android.app.clockpackage
    Samsung Calendar: com.samsung.android.calendar
• Permitted Accessibility Services*
  • By default, the user can use any accessibility service.
    
    
    System accessibility services are always available to the user and this method can't disable them.
    
    
    When one or more packages have been added, accessibility services that are not in the list and not part of the system can not be enabled by the user.
    
    
    An empty list disables the restriction so that all services can be used.
• Grant Access To Privilaged APIs
  • Android MDM applications have access to certain methods that cannot be used by other apps. This feature allows Ensemble to share that elevated access to certain features.
• Disable User Control Of Applications
  • User will not be able to clear app data or force-stop the applications on this list.
• Start Application On Resume*
  • This application will start after the device is unlocked or when the screen resumes.

Google Play Settings

Note: policy availability can vary by project type:

* are only available on Fully Managed projects 

^ are only available on Managed Profile projects

• Play Protect Restrictions
  • Google Play Protect helps you keep your device safe and secure.
    • It runs a safety check on apps from the Google Play Store before you download them.
    • It checks your device for potentially harmful apps from other sources. These harmful apps are sometimes called malware.
    • It warns you about any detected potentially harmful apps found, and removes known harmful apps from your device.
    • It warns you about detected apps that violate our Unwanted Software Policy by hiding or misrepresenting important information.
    • It sends you privacy alerts about apps that can get user permissions to access your personal information, violating our Developer Policy.
  • Ensure Verify Apps:
    • Prevents user from disabling application verification in Play store Play Protect Settings.
• Application Availability
  • All Play store applications: device will have access to all applications from Play store. 
  • Only project content: device will only have access to apps that have been added to this project.
• Maintenance Window
  • When apps running in the foreground should be updated.

Update Settings

Note: policy availability can vary by project type:

* are only available on Fully Managed projects 

^ are only available on Managed Profile projects

• Device Update Policy*
  • Set the update setting for the device. The device will force system updates based upon the setting you have selected:
    • Automatic: Installs system updates as soon as they become available.
    • Windowed: Installs system updates during a scheduled daily time.
    • Post Pone: Postpones the installation of system updates for 30 days.
• Download Mode
  • Allow Download Mode Firmware Update: Uncheck this policy to prevent a user from performing a device firmware update from download mode.
• Backup And Restore
  
  • Use this to control backup services across all users on the device. Disabling the backup service will prevent data from being backed up or restored.

For more information, please visit the Android Developer site here. 

Communication Settings

Note: policy availability can vary by project type:

* are only available on Fully Managed projects 

^ are only available on Managed Profile projects

• Communication*
  • Disallow Mobile Network Configuration:
    • Prevents user from configuring mobile networks. 
  • Disallow Cell Broadcasts Configuration:
    • Prevents user from configuring cell broadcasts. This may be controlled by the messaging app depending on the model. 
  • Allow SMS/MMS:
    • Allow use of messaging applications to send SMS or MMS messages. 
    • Check the boxes if you wish your project to allow/deny SMS and/or MMS messages
  • Allow Incoming/Outgoing Calls:
    • Select/deselect these boxes if you wish for your project to allow or disallow calls.
• Call Blacklist*
  •  Numbers listed here will be blocked. 
• Default SMS Application*
  • Set the default SMS application. The package must be a pre-installed system package.
    Example system packages:
    com.android.dialer,
    com.android.contacts,
    com.android.incallui,
    com.android.phone,
    com.android.server.telecom,
    com.google.android.dialer,
    com.htc.contacts,
    com.htc.dialerservice,
    com.samsung.android.contacts,
    com.samsung.android.dialer,
    com.samsung.android.incallui,
    com.qualcomm.qti.confdialer
    com.oneplus.mms
• Contacts List
  • Contacts listed here will be added to project devices.
  • For more specific information on this topic, please see this article.

Security Settings

Note: policy availability can vary by project type:

* are only available on Fully Managed projects 

^ are only available on Managed Profile projects

• Device Commands*
  • Clear App Data: 
    Send the clear app data command from the company or project device table, all the apps on this list will have their app data cleared.
    
    
    This is equivalent to the user choosing to clear the app's data from within the device settings UI. It erases all dynamic data associated with the app -- its private data and data in its private area on external storage -- but does not remove the installed application itself, nor any OBB files.
    It also revokes all runtime permissions that the app has acquired, clears all notifications and removes all Uri grants related to this application.
    
    
• On Reboot*
  • Clear App Data:
    On reboot, all the apps on the list will have their app data cleared.
    • This is equivalent to the user choosing to clear the app's data from within the device settings UI. It erases all dynamic data associated with the app -- its private data and data in its private area on external storage -- but does not remove the installed application itself, nor any OBB files.
      It also revokes all runtime permissions that the app has acquired, clears all notifications and removes all Uri grants related to this application.
  • Remove Non-Work Accounts:
    • Removes all non-work accounts from the AccountManager. This does not delete the account from the server and the authenticator may have its own policies preventing account deletion, in which case the account will not be deleted.
• Enforce Security Patch Installation
  • Set a list of apps that should be disabled if there is a pending security patch update for the device. 
• Enforce Encryption*
  • Enable external Secure Digital (SD) card encryption if available. The device password must be set to at least alphanumeric quality.
• Restrict Account Management
  • Prevents user adding or removing accounts by type. Ensemble will still be able to add a work account.
• Restrictions
  • Allow Installing Applications from Unknown Sources: Checking this allows third-party applications to be installed on the device.
  • Allow Debugging Features: Checking this allow access to developer mode on the device.
  • Allow Changes to Applications: Checking this allows the following changes to applications: uninstalling apps, disabling apps, clearing app caches, clearing app data, force stopping apps, and clearing app defaults. 
  • Allow Lock Screen*:  Checking this allows the device to have a lock screen. This must be checked to set a required password quality.
    Setting the lock screen to disabled has the same effect as choosing 'None' as the screen lock type. However, this call has no effect if a password, pin or pattern is currently set. If a password, pin or pattern is set after the lock screen was disabled, the lock screen stops being disabled. As of Android Pie (9.0) this also dismisses the lock screen if it is currently shown.
  • Disable Lock Screen Camera*: Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password has been set)
  • Disable Lock Screen Notifications*: Disable showing all notifications on secure keyguard screens (e.g. PIN/Pattern/Password has been set)
  • Disable Lock Screen Un-redacted Notifications*: Only allow redacted notifications on secure keyguard screens (e.g. PIN/Pattern/Password has been set)
  • Disable Fingerprint Authentication*: Disable fingerprint authentication on secure keyguard screens (e.g. PIN/Pattern/Password has been set)
  • Disable Iris Authentication*: Disable iris authentication on keyguard secure screens (e.g. PIN/Pattern/Password has been set)
  • Disable Face Authentication*: Disable face authentication on keyguard secure screens (e.g. PIN/Pattern/Password has been set)
  • Disable Trust Agents*: Disable Trust Agents on keyguard secure screens (e.g. PIN/Pattern/Password has been set). Smart Lock is built upon an Android Lollipop feature called trust agents. A trust agent is a 'service that notifies the system about whether it believes the environment of the device to be trusted.' (i.e. unlock device in response to trusted Wi-Fi network, place or face). Starting in Android 10, trust agents can only extend the device unlock, it can no longer unlock a locked device.
  • Allow Screen Capture*: Turn screen capture on/off, used to record the screen of the device.
  • Allow Camera: This will disable or enable the camera app. The app will still be visible in the app drawer and on the home screen. 
  • Disallow Airplane Mode*: Prevents user from being able to enable / disable airplane mode. 
  • Disallow Ambient Display*: Prevents user from being able to enable / disable ambient display. Ambient display allows the user to see information such as time and notifications without pressing the power key. On Samsung, this is called Always On Display.
  • Disallow Auto-Fill*: Prevents user from using Autofill Services.
  • Disallow User Credential Configuration*:  Prevents user from configuring user credentials.
  • Disallow Language Configuration*: Prevents user from changing the device language.
  • Disallow Content Capture*: Prevents the contents of a user's screen to be captured for artificial intelligence purposes.
  • Disallow Content Suggestions*: Prevents user from receiving content suggestions for selections based on the contents of their screen. 
  • Disallow Create Windows*: Prevents the creation of:
    • Toasts
    • Incoming Call Overly
    • System Alert Overlay
    • System Error Overlay
  • Disallow Outgoing NFC Beam*: Prevents user from using NFC to beam out data.
    
  • Disallow System Error Dialogs*: Prevents error dialogs for crashed or unresponsive apps from being shut down. 
• Recommended Kiosk Restrictions*
  • Disallow Factory Reset: Prevents user from resetting the device to its factory defaults from Settings. The user can still factory reset from recovery. 
  • Disallow Safe Boot: Prevents user from starting the device in safe mode where the system won’t automatically launch your app. 
  • Disallow Mounting Physical Data: Prevents user from mounting any storage volumes they might attach to the device. 
  • Disallow Adding User: Prevents user from adding new users, such as secondary users or restricted users. 
  • Disallow USB File Transfer: Prevents user from transferring files over USB. 
  • Disallow System Error Dialogs: Prevent error dialogs for crashed or unresponsive apps from being shown.
• Managed Profile (BYOD) Restrictions
  • Disallow Cross Profile Copy & Paste: Specifies if the clipboard contents can be exported by pasting the data into other users or profiles. 
  • Disallow Share Into Managed Profile: Prevents user from sharing files / pictures / data from the primary user into the managed profile, either by sending them from the primary side, or by picking up data within an app in the managed profile. 
  • Disallow Mounting Physical Data: Prevents user from mounting any storage volumes they might attach to the device. 
  • Disallow Adding User: Prevents user from adding new users, such as secondary users or restricted users. 
  • Disallow USB File Transfer: Prevents user from transferring files over USB. 
  • Disallow System Error Dialogs: Prevent error dialogs for crashed or unresponsive apps from being shown. 
• Advanced Restrictions
  • Remove Device Owner After Setup: Checking this this will deactivate device owner permission after initial customization is completed. This means that Ensemble will no longer be able to customize the device.
    
    
    Note: use with caution as this is a non-reversible action. Factory reset the device to fully remove Ensemble.
    
    
  • Disable Factory Reset Protection: Turn factory reset protection on/off. If a Google account has been added reset protection (FRP) requires those account credentials to be used while going through the setup wizard.
    
    
    Note: toggling this feature after a device is already FRP locked, will NOT allow FRP to be bypassed.
  • Enable Common Criteria Mode: Turn common criteria mode on/off. This setting enables FIPS-validated cryptography, disables USB connectivity in recovery mode and only allows FOTA updates to the system. You must set up lock-screen password, device encryption and password wipe policy in order to fully enable CC Mode.
    
    
    More info: https://docs.samsungknox.com/admin/whitepaper/kpe/common-criteria-mode.htm
• Password Restrictions
  • Wipe After Number Of Attempts: Setting this to a value greater than zero enables a built-in policy that will perform a device or profile wipe after too many incorrect device-unlock passwords have been entered.
    
    
    When set by a profile owner (BYOD), only the corresponding user or profile will be wiped.
  • Password Expiration: Called by a device admin to set the password expiration timeout. Calling this method will restart the countdown for password expiration for the given admin, as will changing the device password (for all admins).
    
    
    The provided timeout is the time delta in ms and will be added to the current time. For example, to have the password expire 5 days from now, timeout would be 5 * 86400 * 1000 = 432000000 ms for timeout.
    
    
    To disable password expiration, a value of 0 may be used for timeout.
  • Password History Length: After setting this, the user will not be able to enter a new password that was used in the last number of passwords set by this policy.
  • Strong Auth Timeout: Set the timeout after which unlocking with secondary, non strong auth (e.g. fingerprint, face, trust agents) times out, i.e. the user has to use a strong authentication method like password, pin or pattern.
• Password Quality
  • Use this to set the required password restrictions for devices on this project. The user will be prompted to set a password that matches the password restriction rules at the next check-in.
• Security Logging
  • Enable Security Logging: Enable security logging. Intended for security auditing purposes 
• Certificate Revocation Check
  • Enable CRL Check: The Certificate Revocation List (CRL) check downloads a file that contains a list of revoked IDs that is maintained by the CA of the certificate being checked. If the certificate ID is in the list then it is revoked and the SSL/SMIME verification will fail, otherwise it will proceed. 
  • Enable OCSP Check: Enable Online Certificate Status Protocol (OCSP) when checking for certificate revocation for the applications using SSL connections or SMIME encryption/signing.
    
    
    Note: CRL check must be enabled to use the OCSP check. The OCSP check will be done prior to the CRL check. If it cannot get a decisive response, it will try to use CRL.

Connectivity Settings

Note: This tab and the below settings are not accessible via Managed Profile project types, it is only available when on a Fully Managed project type.

• Wi-Fi
  • Select whether Wi-Fi is disabled and specify Wi-Fi configurations that devices can connect to.
    
    
    Disable Wi-Fi allows you to toggle Wi-Fi on devices in the project.
    
    
    To Enable specific Wi-Fi networks: specify a SSID and Password and click 'Add Wi-Fi Configuration'.
    
    
    Note: you can view the configurations you specify in the list by the SSID. You can also remove configurations by clicking 'x' next to each SSID.
• Disallow Wi-Fi Configuration From Settings
  • Prevents user from changing Wi-Fi configurations via the Settings screen.
• Bluetooth
  • Disallow Controlling Bluetooth via Settings: Specifies if bluetooth is disallowed on the device. If bluetooth is disallowed on the device, bluetooth cannot be turned on or configured via Settings. 
  • Disallow Bluetooth Tethering: Prevents user from sharing outgoing bluetooth. 
  • Disallow Existing Bluetooth Connection Configuration: Prevents user from configuring existing bluetooth connections via Settings. This does not restrict the user from turning bluetooth on or off (See disallow bluetooth). 
• Tethering
  • Disallow Tethering/Hotspot Configuration: 
    Prevents user from configuring Tethering and portable hotspots via Settings.
    
    
• VPN
  • Disallow VPN Configuration: Prevents user from configuring a VPN and will also prevent a VPN from starting (6.0), unless the VPN was made as an always-on VPN by Ensemble (7.0+).
• VPN DNS Relay
  • Enable this feature to use a local VPN to reroute all device traffic to the provided DNS addresses.
    
    
    Note: this is not a real VPN. The service does not relay data to a VPN server, it reroutes the data to the configured DNS addresses.
    
    
    Google DNS
    Primary: 8.8.8.8
    Secondary: 8.8.4.4
• VPN Always On
  • Select the package of the APK that you would like to use for VPN. The connection is always granted and will persist a reboot.
    
    
    To use an application that is part of the company content, add it to the project content, and select it here from the dropdown menu.
    
    
    To use an application that is not part of the company content, choose 'Other' and then enter the package name of that application. The application must be on the device.
• Custom VPN Package
  • To use an application that is not part of the company content, enter the package name of that application here.
    
    
    
    i.e. The package name for apps found on Google Play is part of the url:
    https://play.google.com/store/apps/details?id=com.android.chrome&hl=en_US
    
    
    
    The package name for CleanBrowsing's Android application is com.sergeybutenko.cleanbroswing.

Network Settings

Note: This tab and the below settings are not accessible via Managed Profile project types, it is only available when on a Fully Managed project type.

• Mobile Network Settings
  • Select Data Roaming State: Turn mobile data roaming on/off.
  • Disallow Network Reset: Prevents user from resetting network settings from Settings. 
• Network Logs
  • Enable Network Logging: Turn network logging on. 
• Domain Whitelist
  • Enable Domain Whitelist: While enabled, this will block all websites except the ones you have added to the whitelist below. Disabling the list will allow all domains.
    
    
    It is recommended you use the wildcard variable * for domains that have mobile versions and non-standard URLs. Example: to enable Facebook on all devices, enter *.facebook.* rather than www.facebook.com
    
    
• Global Private DNS
  • Enable Private DNS Configuration: Prevents user from modifying private DNS settings
  • Select Private DNS Mode: Set Private DNS mode to Automatic or set a Private DNS provider hostname. Choosing Not Controlled will NOT turn off the existing DNS setting, unfortunately there is no way to turn this off automatically once it has been set.
    
    
    Note these DNS hostnames can be added manually starting in Android 9.0.
  • Hostname: Contact support for integration with CleanBrowsing or use one of their free filters to get started:
    • Family Filter: family-filter-dns.cleanbrowsing.org
    • Adult Filter: adult-filter-dns.cleanbrowsing.org
    • Security Filter: security-filter-dns.cleanbrowsing.org
  • Note these DNS hostnames can be added manually starting in Android 9.0.
• Global Proxy
  • Select Global Proxy Mode: Set a network-independent global HTTP proxy. On a private network where the proxy is not accessible, you may break HTTP using this.
    • Not Controlled: the existing global HTTP proxy will not be affected
    • Off: this will clear any existing global HTTP proxy
    • Static: a proxy on the specified host and port. The proxy will not be used to access any host in exclusion list
    • Automatic: this will download and run the proxy auto-config (PAC) script at the specified URL

Device Suspension Settings

Note: This tab and the below settings are not accessible via Managed Profile project types, it is only available when on a Fully Managed project type.

• Enable Suspension Time-Frame
  • Checking this box activates the device suspension time-frame and will apply your suspension settings to all project devices during the next deployment.
• Day Of The Week
  • Select the days that the suspension time frame should be applied. Select all days if you would like a daily suspension on devices. 
•  Time Frame
  • Select the time frame that Ensemble should suspend the devices on the project.
• Suspended Device Preview
  • This is a preview of what the device screen will look like when it is suspended.
• Suspend Message
  • This message will be displayed on the suspension screen as the reason for the device being suspended.
• Suspend Message Font Color
  • Set the font color for the suspend message.  
• Background Color
  • Set the background color for the suspended device.
• Logo
  • Choose an image to be the logo that is displayed on the device while it is suspended. You can upload images from the Content tab.
• Customer Service Number
  • The customer service number that will be available when the device is suspended.
    
    
    The policy for outgoing calls will be used, so this number needs to be added
    to the outgoing calls whitelist under policies > communication settings. unless all outgoing calls are allowed.

Push Notification Settings

Note: This tab and the below settings are not accessible via Managed Profile project types, it is only available when on a Fully Managed project type.

• Enable Push Notifications:
  • Checking this box activates the device push notification feature and will apply your settings to all project devices during the next deployment. 
    
• You can enter:
  • Title: A heading for the Push Notifications window.
  • Title color & font color: You can edit the color of the title background, and the font color to suit your business needs.
  • Background color: You can edit the background color as well, to match your company branding.
• Preview:
  • There is a preview window on the right side of the screen that will show any changes that you make to the Title and/or colors, to show you what it will look like on your device(s).

Inter App Messaging

Note: This tab and the below settings are not accessible via Managed Profile project types, it is only available when on a Fully Managed project type.

• Application Information
  • This application can send messages to and receive messages from Ensemble.
• Package Name
  • Enter the package name for the application.
• Service Name
  • Enter the class name of the service that will receive the messages.

Samsung KPE Settings

Note: This tab and the below settings are not accessible via Managed Profile project types, it is only available when on a Fully Managed project type.

• Knox Key
  • Place a paid for Samsung Knox SDK license key here to utilize the policies below.
• Samsung License Required
  • Auto Start Up When Connected To Power: Device boots up fully when power is applied to USB connector instead of booting up to the battery charging UI.
    
    Only available on Samsung devices using a license key.

https://developer.android.com/work/dpc/dedicated-devices/lock-task-mode