A one-stop shop for details on every policy setting you can change in your projects. 


Note: Certain policies are only available with a Fully Managed profile. Policies marked with * are not available to Managed Profile projects, and policies marked with ^ are only available to edit and change on Managed Profile projects.


Kiosk Settings

  • (Note^: For Managed Profile project types, these Kiosk settings are on the tab labeled Ensemble App Settings, not to be confused with the Fully Managed project types, which will be differentiated below.)
  • Kiosk Mode*
    • None: There will not be a kiosk mode set up on your users' devices. 
    • Single: Locks the device to one application of your choice, useful for creating a single-use device.
    • Multi: Create a custom home screen application for the device, with multiple applications able to be added, along with many customization options
  • Legacy Mode*
    • Legacy Mode allows for you to view multi-kiosk mode as used in Ensemble version 165 and older. (available with Multi kiosk mode only)
  • Ensemble Device Check-In Preview^
    • This is a preview of what the device screen will look like while checking in. Check the checkbox to enable Branding, which enables/disables custom branding that will appear during check-in. 
    • You can select a Logo from image files added to the project, a Title which behaves the same as the Action Bar mentioned below, and a Message that will show along with your branding Logo when the device is checking in.
  • Other Packages Allowed During Kiosk*
    • Allows for you to add and edit the package names of applications that you wish to be able to launch while in a kiosk.
      • Android Settings (com.android.settings) and Google Play Store (com.android.vending) are allowed by default.
  • Additional Kiosk Features* (note: for Managed Profile project types, there are settings on this screen under the title of Ensemble Menu settings, these are available to Fully Managed project types in the Ensemble App Settings tab)
    • Enable Global Actions Dialog: While in Kiosk, this enables to global actions dialog that shows when long-pressing the power button. Note, a user typically can't power off the device if you disable this dialog.
    • Enable System InfoWhile in Kiosk, this enables the status bar's system info area that contains indicators such as connectivity, battery, sound, and vibrate options.
    • Enable Keyguard: While in Kiosk, enables any lock screen that might be set on the device. Typically this is not suitable for devices with public users, such as digital signage or information kiosks.
    • Enable Home Button: While in Kiosk, this shows the home button in the bottom navigation bar. This allows the user to return to the main kiosk page if there are other allowed apps they could be using.
      • Enable Overview Button: While in Kiosk, this shows the Overview Button (tapping this button opens the Recents screen). In order to enable this, you must also enable the Home Button.
      • Enable Notifications: While in Kiosk, this enables notifications for all apps. This shows the notification icons in the status bar, heads-up notifications, and the expandable notification shade. You must add a package to the 'Other Packages Allowed During Kiosk' to open them from the notification shade.
  • Preview
    • Show Action Bar*: Choose to use the menu in the action bar while on the kiosk home screen. Note, if this is not selected, you must add a settings shortcut to the home screen to access the Ensemble Menu Options.
    • Application Information: Users can log press application shortcuts to access the information page in settings. 
    • Action Title Bar*: Here you can change the title of the action bar, if you wish it to say your company name, project name, etc.
  • Bookmark Browser*
    • Select the browser that will be used to view bookmarked links on the home screen. 
  • Default Font Color*
    • Set the default font color for the shortcut labels.
  • Background Color*
    • Set the background color. This could be fully covered by the wallpaper or show behind it depending on the wallpaper scale type. 
  • Wallpaper*
    • Choose an image to be the wallpaper of the device. You can upload images from the Content tab. 
  • Grid Configuration*
    • Select the number of slots to add packages of an application or bookmark to display on the home screen. 
  • Orientation*
    • Select if the kiosk screen is portrait, landscape or dynamic. 
  • Wallpaper Scale Type*
    • Select how the wallpaper image scales on the device.
      • Center: Center the image in the view, but perform no scaling
      • Fit: Attempts to resize the image to fit exactly into the device screen dimensions. 
      • Center Crop: This scales the image so that it fills the device screen and then crops the extra. Maintains aspect ratio. 
      • Center Inside: This scales the image so that both dimensions are equal to or less than the device screen and then centers the image. 
      • Fit Start: Scale and maintain aspect ratio to fit inside the view (height or width with fit perfectly). Aligns to upper left edge. 
      • Fit End: Scale and maintain aspect ratio to fit inside the view (height or width with fit perfectly). Aligns to lower right edge. 
  • Support Messages^ (Note: This is available on this tab for Managed Project types, these fields are available for Fully Managed projects on the Ensemble App Settings tab, as noted below)
    • Short Support Message: This message will be displayed to the end user in the settings screen where functionality has been disabled by the admin. The maximum character length for this message is 200 characters.
    • Long Support Message: This message will be displayed to the user in the device administrator's settings screen.
  • Settings^ (Note: This is available on this tab for Managed Project types, these fields are available for Fully Managed projects on the Ensemble App Settings tab, as noted below)
    • No Connection Timeout: If the device has no internet and the user reloads policies or the device is rebooted, an error message will appear. After the timeout, the app will automatically return to the kiosk screen.
    •  Check-In FrequencySelect the frequency that Ensemble should check-in after deployment. This defaults to 24 hours when using the Check-In Time Frame below. Note: choosing 'Never' means that the device will not check-in itself after a certain time frame or after a reboot. It will still respond to deployments from the portal.
    • Finish Check-In After Apps Install: This controls if the Ensemble MDM application will wait to complete the check-in until after all the applications have been installed.
      • Never: the device completes the check-in while the applications download in the background.
      • First Setup: the device waits to complete the check-in until all apps are installed during the first check-in.
      • Always: the device always waits to complete the check-in until all apps are installed.



Device Settings*

Note: This tab and the below settings are not accessible via Managed Profile project types, it is only available when on a Fully Managed project type. 

  • Audio Volume Level
    • Disallow Adjust Volume from Device Side Keys: Prevents the user from changing the volume and vibration settings. 
    • Control Audio Volume: Set the global volume of the device (Media, notifications, system, and ringtone). User can still modify the volume after it is set by this policy but the volume will be reset to this level at every check-in. 
  • Other Volume Settings
    • Disallow Un-Mute Microphone: Prevents user from adjusting microphone volume. If set, the microphone will be muted. 
    • Mute Volume:  Sets the global volume mute to on or off. 
  • Display Brightness
    • DIsallow Brightness Configuration:  Prevents user from changing the brightness from settings.
    • Enable Automatic Brightness:  Turns automatic brightness on or off. 
    • Control Display Brightness: Control the brightness of the device using the slider scale below.
  • Organization Name
    • Changes the lock screen message 'Device is managed by your organization' to display the name you specify. 
  • Lock Screen Info
    • Sets an additional lock screen message.
  • Display Screen Time-Out
    • Disallow Screen Timeout Configuration: Prevents user from changing screen off timeout. 
    • Maximum Time to Lock Screen: Sets the maximum time for user activity until the device will lock. This limits the length that the user can set. 
    • Select Time-out: Select a time frame that a device's screen should stay lit. Enter a custom time frame in seconds on supported models (LM-G710ULM is not supported). Note: This will have no effect if set to exceed the maximum time to lock policy.
  • Stay On While Plugged In
    • Select Behavior:
      • Never: Screen never stays on while plugged in.
      • AC: Screen will stay on while plugged into AC charger.
      • USB: Screen will stay on while charging with USB charger.
      • Wireless Charger: Screen will stay on while using a wireless charger.
      • Any: Screen will stay on regardless of charging method.
  • Auto-Rotate Screen
    • Turn aromatic screen rotation on/off. Note: Must allow Ensemble to modify system settings to control this setting.
  • Location Settings
    • Disallow Location Configuration From Settings: Prevents user from enabling or disabling location providers. As a result, user is disallowed from turning on or off location via Settings. 
    • Disallow Location Sharing Configuration From Settings: Prevents user from turning on location sharing.
    • Track Device Location:  Enable location tracking for devices on the project. Devices' current location will be visible from the company dashboard. 
  • Time Settings
    • Sets whether the system time and/or the system time-zone is automatically updated with the current network connection. 
  • Font Scale
    • Sets the scale of the device's font. The range is 0.8 to 2.0.
  • Doze Mode Whitelist
    • Add application packages to this list so that they will not be affected by Android Doze Mode. Doze mode is a feature, which reduces power consumption by preventing certain tasks (background CPU and Network activity) from running if your device is in an idle state. 
  • Shortcuts On Home Screen
    • Shortcuts in this list will be added to the home screen. 



Ensemble App Settings


  • Exit Pin
    • This PIN must be entered on the device in order for it to exit the kiosk. If there is not a PIN set, the user may exit the kiosk at anytime. 
  • Ensemble Device Check-In Preview
    • This is a preview of what the device screen will look like while checking in. Check the checkbox to enable Branding, which enables/disables custom branding that will appear during check-in. 
    • You can select a Logo from image files added to the project, a Title which behaves the same as the Action Bar mentioned below, and a Message that will show along with your branding Logo when the device is checking in.
  • Ensemble Menu
    • Enable Ensemble Settings Menu: Enable / disable the settings menu in the Ensemble phone application. 
    • Reload Policies: Clicking Reload Policies will cause the Ensemble application to check into the server and fetch project updates. 
    • Settings: Clicking Settings will open the device's default Settings application. 
    • Manage WiFi Networks: Clicking Manage Wi-Fi Networks will either open the device's default Settings application's Wi-Fi management page or Ensemble's Wi-Fi management page. 
      • System Wifi Menu: If this option is selected, clicking Manage Wi-Fi Networks will open the device's default Settings application's Wi-Fi management page. Note: This may provide the user full access to the Settings application depending on the manufacturer.
      • Ensemble WiFi Menu: If this option is selected, clicking Manage Wi-Fi Networks will open Ensemble's Wi-Fi management page.
    • Manage Mobile Networks: Clicking Manage Mobile Networks will open the device's default Settings application's mobile network management page. 
    • Manage Hotspot: Clicking Manage Hotspot will open the device's default Settings application's hotspot configuration page. 
    • Manage Display: Clicking Manage Display will open the device's default Settings application's display configuration page. 
    • Set Password: Clicking Set Password will open the device's default Settings application's password configuration page.
    • View Policies: Clicking View Policies will open an information screen with various types of information depending on the enabled tabs. 
    • Device: The Device tab will show information about the device such as serial numbers, OS versions and some security information like device encryption status. 
    • Apps: The Apps tab will show information about the apps that were installed on the device by Ensemble.
    • Files: The Files tab will show information about the files that were installed on the device by Ensemble. 
    • Policies: The Policies tab will show information about the policies that were set on the device by Ensemble. 
    • APNs: The APNs tab will show information about the APNs on the device. 
    • Misc: The Misc tab will show some debugging actions that can be used to send information that can be used to troubleshoot issues with the device.
  • Accounts
    •  Manage Google Accounts:
      • Enable Add: This allows users to add a Google account to the device through the Ensemble menu. A whitelist of domains can be set in the account restrictions policy so that only those domains can be used to login. 
      • Enable Remove: This allows users to remove a Google account from the device through the Ensemble menu. 
    • Mange Managed Play Accounts:
      • Enable Add: This allows users to remove a Managed Play account from the device through the Ensemble menu.
      • Enable Remove: This allows users to remove a Managed Play Account from the device through the Ensemble menu. 
  • Logout
    • If a user logged into Ensemble with an Application User Account, this will allow them to logout of that account.
  • Exit
    • Clicking Exit will close Ensemble. If there is a kiosk PIN set, that PIN but be entered correctly before the user can exit.
  • Disclaimer:
    • This message will show to the end user on a first run of the program, or after a reboot.
    • Choose when to display a disclaimer:
      • Never
      • On First Run
      • After Every Reboot
  • Support Messages
    • Customize the support messages that will be displayed to the user.
      • Short Support Message: This message will be displayed to the end user in the settings screen where functionality has been disabled by the admin. The maximum character length for this message is 200 characters.
      • Long Support Message: This message will be displayed to the user in the device administrator's settings screen.
  • Settings
    • Hide Ensemble In The App Drawer: Checking this will hide Ensemble from the phone's App Drawer.

      Note: If using 'User Interaction Required' deploy type, the user may open the Ensemble app by clicking on it in the notification shade.

  • No Connection Timeout
    • If the device has no internet and the user reloads policies or the device is rebooted, an error message will appear. After the timeout, the app will automatically return to the kiosk screen.
  • Finish Check-In After Apps Install
    • This controls if the Ensemble MDM application will wait to complete the check-in until after all the applications have been installed.

      Never: the device completes the check-in while the applications download in the background.

      First Setup: the device waits to complete the check-in until all apps are installed during the first check-in.

      Always: the device always waits to complete the check-in until all apps are installed.


Application Settings


  • Start Application On Install*
    • Applications in this list will start after being installed.
  • Runtime Permission Policy
    • This sets the default behavior of applications when they attempt to ask for a permission.

      Prompt: The user is asked whether they want to allow the permission or not.

      Grant: all applications are silently granted permissions by default when they attempt to ask.

      Deny: all applications are silently denied permissions by default when they attempt to ask.
  • Block Applications*
    • Hide applications. This prevents the application from being used and it will no longer show up on the home screen.
    • Each ? icon shows the package name of popular applications. 
  • Block Applications By Category*
    • Allows you to choose one or multiple of the categories listed to block any applications labeled with that type of category. 
  • Block Game Applications by Category
    • Allows you to choose one or multiple of the categories listed to block any game applications labeled with that type of category.
  • Enable System Applications
    • If system apps were disabled during provisioning, re-enable them by adding them to this list.

      Samsung Camera: com.sec.android.app.camera
      Samsung Gallery: com.sec.android.gallery3d
      Samsung Clock: com.sec.android.app.clockpackage
      Samsung Calendar: com.samsung.android.calendar
  • Permitted Accessibility Services*
    • By default, the user can use any accessibility service.

      System accessibility services are always available to the user and this method can't disable them.

      When one or more packages have been added, accessibility services that are not in the list and not part of the system can not be enabled by the user.

      An empty list disables the restriction so that all services can be used.
  • Grant Access To Privilaged APIs
    • Android MDM applications have access to certain methods that cannot be used by other apps. This feature allows Ensemble to share that elevated access to certain features.
  • Disable User Control Of Applications
    • User will not be able to clear app data or force-stop the applications on this list.
  • Start Application On Resume*
    • This application will start after the device is unlocked or when the screen resumes.


Google Play Settings


  • Play Protect Restrictions
    • Google Play Protect helps you keep your device safe and secure.
      • It runs a safety check on apps from the Google Play Store before you download them.
      • It checks your device for potentially harmful apps from other sources. These harmful apps are sometimes called malware.
      • It warns you about any detected potentially harmful apps found, and removes known harmful apps from your device.
      • It warns you about detected apps that violate our Unwanted Software Policy by hiding or misrepresenting important information.
      • It sends you privacy alerts about apps that can get user permissions to access your personal information, violating our Developer Policy.
    • Ensure Verify Apps:
      • Prevents user from disabling application verification in Play store Play Protect Settings.
  • Application Availability
    • All Play store applications: device will have access to all applications from Play store. 
    • Only project content: device will only have access to apps that have been added to this project.
  • Maintenance Window
    • When apps running in the foreground should be updated.



Update Settings

  • Device Update Policy*
    • Set the update setting for the device. The device will force system updates based upon the setting you have selected:
      • Automatic: Installs system updates as soon as they become available.
      • Windowed: Installs system updates during a scheduled daily time.
      • PostPone: Postpones the installation of system updates for 30 days.
  • Download Mode
    • Allow Download Mode Firmware Update: Uncheck this policy to prevent a user from performing a device firmware update from download mode.
  • Backup And Restore
    • Use this to control backup services across all users on the device. Disabling the backup service will prevent data from being backed up or restored.


Communication Settings

  • Communication*
    • Disallow Mobile Network Configuration:
      • Prevents user from configuring mobile networks. 
    • Disallow Cell Broadcasts Configuration:
      • Prevents user from configuring cell broadcasts. This may be controlled by the messaging app depending on the model. 
    • Allow SMS/MMS:
      • Allow use of messaging applications to send SMS or MMS messages. 
      • Check the boxes if you wish your project to allow/deny SMS and/or MMS messages
    • Allow Incoming/Outgoing Calls:
      • Select/deselect these boxes if you wish for your project to allow or disallow calls.
  • Call Blacklist*
    •  Numbers listed here will be blocked. 
  • Default SMS Application*
    • Set the default SMS application. The package must be a pre-installed system package.
      Example system packages:
      com.android.dialer,
      com.android.contacts,
      com.android.incallui,
      com.android.phone,
      com.android.server.telecom,
      com.google.android.dialer,
      com.htc.contacts,
      com.htc.dialerservice,
      com.samsung.android.contacts,
      com.samsung.android.dialer,
      com.samsung.android.incallui,
      com.qualcomm.qti.confdialer
      com.oneplus.mms
  • Contacts List
    • Contacts listed here will be added to project devices.
    • For more specific information on this topic, please see this article.



Security Settings

  • Device Commands*
    • Clear App Data
      Send the clear app data command from the company or project device table, all the apps on this list will have their app data cleared.

      This is equivalent to the user choosing to clear the app's data from within the device settings UI. It erases all dynamic data associated with the app -- its private data and data in its private area on external storage -- but does not remove the installed application itself, nor any OBB files.
      It also revokes all runtime permissions that the app has acquired, clears all notifications and removes all Uri grants related to this application.

  • On Reboot*
    • Clear App Data:
      On reboot, all the apps on the list will have their app data cleared.
      • This is equivalent to the user choosing to clear the app's data from within the device settings UI. It erases all dynamic data associated with the app -- its private data and data in its private area on external storage -- but does not remove the installed application itself, nor any OBB files.
        It also revokes all runtime permissions that the app has acquired, clears all notifications and removes all Uri grants related to this application.
    • Remove Non-Work Accounts:
      • Removes all non-work accounts from the AccountManager. This does not delete the account from the server and the authenticator may have its own policies preventing account deletion, in which case the account will not be deleted.
  • Enforce Security Patch Installation
    • Set a list of apps that should be disabled if there is a pending security patch update for the device. 
  • Enforce Encryption*
    • Enable external Secure Digital (SD) card encryption if available. The device password must be set to at least alphanumeric quality.
  • Restrict Account Management
    • Prevents user adding or removing accounts by type. Ensemble will still be able to add a work account.
  • Restrictions
    • Allow Installing Applications from Unknown Sources: Checking this allows third-party applications to be installed on the device.
    • Allow Debugging Features: Checking this allow access to developer mode on the device.
    • Allow Changes to Applications: Checking this allows the following changes to applications: uninstalling apps, disabling apps, clearing app caches, clearing app data, force stopping apps, and clearing app defaults. 
    • Allow Lock Screen*:  Checking this allows the device to have a lock screen. This must be checked to set a required password quality.
      Setting the lock screen to disabled has the same effect as choosing 'None' as the screen lock type. However, this call has no effect if a password, pin or pattern is currently set. If a password, pin or pattern is set after the lock screen was disabled, the lock screen stops being disabled. As of Android Pie (9.0) this also dismisses the lock screen if it is currently shown.
    • Disable Lock Screen Camera*: Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password has been set)
    • Disable Lock Screen Notifications*: Disable showing all notifications on secure keyguard screens (e.g. PIN/Pattern/Password has been set)
    • Disable Lock Screen Un-redacted Notifications*: Only allow redacted notifications on secure keyguard screens (e.g. PIN/Pattern/Password has been set)
    • Disable Fingerprint Authentication*: Disable fingerprint authentication on secure keyguard screens (e.g. PIN/Pattern/Password has been set)
    • Disable Iris Authentication*: Disable iris authentication on keyguard secure screens (e.g. PIN/Pattern/Password has been set)
    • Disable Face Authentication*: Disable face authentication on keyguard secure screens (e.g. PIN/Pattern/Password has been set)
    • Disable Trust Agents*Disable Trust Agents on keyguard secure screens (e.g. PIN/Pattern/Password has been set). Smart Lock is built upon an Android Lollipop feature called trust agents. A trust agent is a 'service that notifies the system about whether it believes the environment of the device to be trusted.' (i.e. unlock device in response to trusted Wi-Fi network, place or face). Starting in Android 10, trust agents can only extend the device unlock, it can no longer unlock a locked device.
    • Allow Screen Capture*: Turn screen capture on/off, used to record the screen of the device.
    • Allow Camera: This will disable or enable the camera app. The app will still be visible in the app drawer and on the home screen. 
    • Disallow Airplane Mode*: Prevents user from being able to enable / disable airplane mode. 
    • Disallow Ambient Display*Prevents user from being able to enable / disable ambient display. Ambient display allows the user to see information such as time and notifications without pressing the power key. On Samsung, this is called Always On Display.
    • Disallow Auto-Fill*: Prevents user from using Autofill Services.
    • Disallow User Credential Configuration*:  Prevents user from configuring user credentials.
    • Disallow Language Configuration*: Prevents user from changing the device language.
    • Disallow Content Capture*: Prevents the contents of a user's screen to be captured for artificial intelligence purposes.
    • Disallow Content Suggestions*: Prevents user from receiving content suggestions for selections based on the contents of their screen. 
    • Disallow Create Windows*: Prevents the creation of:
      • Toasts
      • Incoming Call Overly
      • System Alert Overlay
      • System Error Overlay
    • Disallow Outgoing NFC Beam*: Prevents user from using NFC to beam out data.
    • Disallow System Error Dialogs*: Prevents error dialogs for crashed or unresponsive apps from being shut down. 
  • Recommended Kiosk Restrictions*
    • Disallow Factory Reset: Prevents user from resetting the device to its factory defaults from Settings. The user can still factory reset from recovery. 
    • Disallow Safe Boot: Prevents user from starting the device in safe mode where the system won’t automatically launch your app. 
    • Disallow Mounting Physical Data: Prevents user from mounting any storage volumes they might attach to the device. 
    • Disallow Adding User: Prevents user from adding new users, such as secondary users or restricted users. 
    • Disallow USB File Transfer: Prevents user from transferring files over USB. 
    • Disallow System Error Dialogs: Prevent error dialogs for crashed or unresponsive apps from being shown.
  • Managed Profile (BYOD) Restrictions
    • Disallow Cross Profile Copy & Paste: Specifies if the clipboard contents can be exported by pasting the data into other users or profiles. 
    • Disallow Share Into Managed Profile: Prevents user from sharing files / pictures / data from the primary user into the managed profile, either by sending them from the primary side, or by picking up data within an app in the managed profile. 
    • Disallow Mounting Physical Data: Prevents user from mounting any storage volumes they might attach to the device. 
    • Disallow Adding User: Prevents user from adding new users, such as secondary users or restricted users. 
    • Disallow USB File Transfer: Prevents user from transferring files over USB. 
    • Disallow System Error Dialogs: Prevent error dialogs for crashed or unresponsive apps from being shown. 
  • Advanced Restrictions
    • Remove Device Owner After SetupChecking this this will deactivate device owner permission after initial customization is completed. This means that Ensemble will no longer be able to customize the device.

      Note: use with caution as this is a non-reversible action. Factory reset the device to fully remove Ensemble.

    • Disable Factory Reset Protection: Turn factory reset protection on/off. If a Google account has been added reset protection (FRP) requires those account credentials to be used while going through the setup wizard.

      Note: toggling this feature after a device is already FRP locked, will NOT allow FRP to be bypassed.
    • Enable Common Criteria Mode: Turn common criteria mode on/off. This setting enables FIPS-validated cryptography, disables USB connectivity in recovery mode and only allows FOTA updates to the system. You must set up lock-screen password, device encryption and password wipe policy in order to fully enable CC Mode.

      More info: https://docs.samsungknox.com/admin/whitepaper/kpe/common-criteria-mode.htm
  • Password Restrictions
    • Wipe After Number Of Attempts: Setting this to a value greater than zero enables a built-in policy that will perform a device or profile wipe after too many incorrect device-unlock passwords have been entered.

      When set by a profile owner (BYOD), only the corresponding user or profile will be wiped.
    • Password Expiration: Called by a device admin to set the password expiration timeout. Calling this method will restart the countdown for password expiration for the given admin, as will changing the device password (for all admins).

      The provided timeout is the time delta in ms and will be added to the current time. For example, to have the password expire 5 days from now, timeout would be 5 * 86400 * 1000 = 432000000 ms for timeout.

      To disable password expiration, a value of 0 may be used for timeout.
    • Password History Length: After setting this, the user will not be able to enter a new password that was used in the last number of passwords set by this policy.
    • Strong Auth Timeout: Set the timeout after which unlocking with secondary, non strong auth (e.g. fingerprint, face, trust agents) times out, i.e. the user has to use a strong authentication method like password, pin or pattern.
  • Password Quality
    • Use this to set the required password restrictions for devices on this project. The user will be prompted to set a password that matches the password restriction rules at the next check-in.
  • Security Logging
    • Enable Security Logging: Enable security logging. Intended for security auditing purposes 
  • Certificate Revocation Check
    • Enable CRL Check: The Certificate Revocation List (CRL) check downloads a file that contains a list of revoked IDs that is maintained by the CA of the certificate being checked. If the certificate ID is in the list then it is revoked and the SSL/SMIME verification will fail, otherwise it will proceed. 
    • Enable OCSP CheckEnable Online Certificate Status Protocol (OCSP) when checking for certificate revocation for the applications using SSL connections or SMIME encryption/signing.

      Note: CRL check must be enabled to use the OCSP check. The OCSP check will be done prior to the CRL check. If it cannot get a decisive response, it will try to use CRL.



Connectivity Settings*

  • Wi-Fi
    • Select whether Wi-Fi is disabled and specify Wi-Fi configurations that devices can connect to.

      Disable Wi-Fi allows you to toggle Wi-Fi on devices in the project.

      To Enable specific Wi-Fi networks: specify a SSID and Password and click 'Add Wi-Fi Configuration'.

      Note: you can view the configurations you specify in the list by the SSID. You can also remove configurations by clicking 'x' next to each SSID.
  • Disallow Wi-Fi Configuration From Settings
    • Prevents user from changing Wi-Fi configurations via the Settings screen.
  • Bluetooth
    • Disallow Controlling Bluetooth via Settings: Specifies if bluetooth is disallowed on the device. If bluetooth is disallowed on the device, bluetooth cannot be turned on or configured via Settings. 
    • Disallow Bluetooth Tethering: Prevents user from sharing outgoing bluetooth. 
    • Disallow Existing Bluetooth Connection Configuration: Prevents user from configuring existing bluetooth connections via Settings. This does not restrict the user from turning bluetooth on or off (See disallow bluetooth). 
  • Tethering
    • Disallow Tethering/Hotspot Configuration
      Prevents user from configuring Tethering and portable hotspots via Settings.

  • VPN
    • Disallow VPN Configuration: Prevents user from configuring a VPN and will also prevent a VPN from starting (6.0), unless the VPN was made as an always-on VPN by Ensemble (7.0+).
  • VPN DNS Relay
    • Enable this feature to use a local VPN to reroute all device traffic to the provided DNS addresses.

      Note: this is not a real VPN. The service does not relay data to a VPN server, it reroutes the data to the configured DNS addresses.

      Google DNS
      Primary: 8.8.8.8
      Secondary: 8.8.4.4
  • VPN Always On
    • Select the package of the APK that you would like to use for VPN. The connection is always granted and will persist a reboot.

      To use an application that is part of the company content, add it to the project content, and select it here from the dropdown menu.

      To use an application that is not part of the company content, choose 'Other' and then enter the package name of that application. The application must be on the device.
  • Custom VPN Package
    • To use an application that is not part of the company content, enter the package name of that application here.

      i.e. The package name for apps found on Google Play is part of the url:
      https://play.google.com/store/apps/details?id=com.android.chrome&hl=en_US

      The package name for CleanBrowsing's Android application is com.sergeybutenko.cleanbroswing.


Network Settings*

  • Mobile Network Settings
    • Select Data Roaming State: Turn mobile data roaming on/off.
    • Disallow Network Reset: Prevents user from resetting network settings from Settings. 
  • Network Logs
    • Enable Network Logging: Turn network logging on. 
  • Domain Whitelist
    • Enable Domain WhitelistWhile enabled, this will block all websites except the ones you have added to the whitelist below. Disabling the list will allow all domains.

      It is recommended you use the wildcard variable * for domains that have mobile versions and non-standard URLs. Example: to enable Facebook on all devices, enter *.facebook.* rather than www.facebook.com

  • Global Private DNS
    • Enable Private DNS Configuration: Prevents user from modifying private DNS settings
    • Select Private DNS Mode: Set Private DNS mode to Automatic or set a Private DNS provider hostname. Choosing Not Controlled will NOT turn off the existing DNS setting, unfortunately there is no way to turn this off automatically once it has been set.

      Note these DNS hostnames can be added manually starting in Android 9.0.
    • Hostname: Contact support for integration with CleanBrowsing or use one of their free filters to get started:
      • Family Filter: family-filter-dns.cleanbrowsing.org
      • Adult Filter: adult-filter-dns.cleanbrowsing.org
      • Security Filter: security-filter-dns.cleanbrowsing.org
    • Note these DNS hostnames can be added manually starting in Android 9.0.
  • Global Proxy
    • Select Global Proxy Mode: Set a network-independent global HTTP proxy. On a private network where the proxy is not accessible, you may break HTTP using this.
      • Not Controlled: the existing global HTTP proxy will not be affected
      • Off: this will clear any existing global HTTP proxy
      • Static: a proxy on the specified host and port. The proxy will not be used to access any host in exclusion list
      • Automatic: this will download and run the proxy auto-config (PAC) script at the specified URL



Device Suspension Settings*

  • Enable Suspension Time-Frame
    • Checking this box activates the device suspension time-frame and will apply your suspension settings to all project devices during the next deployment.
  • Day Of The Week
    • Select the days that the suspension time frame should be applied. Select all days if you would like a daily suspension on devices. 
  •  Time Frame
    • Select the time frame that Ensemble should suspend the devices on the project.
  • Suspended Device Preview
    • This is a preview of what the device screen will look like when it is suspended.
  • Suspend Message
    • This message will be displayed on the suspension screen as the reason for the device being suspended.
  • Suspend Message Font Color
    • Set the font color for the suspend message.  
  • Background Color
    • Set the background color for the suspended device.
  • Logo
    • Choose an image to be the logo that is displayed on the device while it is suspended. You can upload images from the Content tab.
  • Customer Service Number
    • The customer service number that will be available when the device is suspended.

      The policy for outgoing calls will be used, so this number needs to be added
      to the outgoing calls whitelist under policies > communication settings. unless all outgoing calls are allowed.



Push Notification Settings*


  • Enable Push Notifications:
    • Checking this box activates the device push notification feature and will apply your settings to all project devices during the next deployment. 
  • You can enter:
    • Title: A heading for the Push Notifications window.
    • Title color & font color: You can edit the color of the title background, and the font color to suit your business needs.
    • Background color: You can edit the background color as well, to match your company branding.
  • Preview:
    • There is a preview window on the right side of the screen that will show any changes that you make to the Title and/or colors, to show you what it will look like on your device(s).



Inter App Messaging*

  • Application Information
    • This application can send messages to and receive messages from Ensemble.
  • Package Name
    • Enter the package name for the application.
  • Service Name
    • Enter the class name of the service that will receive the messages.



Samsung KPE Settings*

  • Knox Key
    • Place a paid for Samsung Knox SDK license key here to utilize the policies below.
  • Samsung License Required
    • Auto Start Up When Connected To Power: Device boots up fully when power is applied to USB connector instead of booting up to the battery charging UI.

      Only available on Samsung devices using a license key.