12.5 Securing the Device

The settings in the existing Mobile Security Policy and Mobile Device Control Policy have been extended to secure devices enrolled in the work profile and work-managed device mode.

12.5.1 Applying Profile Password and Inactivity Restrictions

Using the Mobile Security Policy, you can configure password restrictions and inactivity settings for devices enrolled in the work profile and work-managed device mode. For more information on creating and assigning a Mobile Security Policy, see Mobile Management Reference.

These settings apply to devices running Android 7.0 or later. To configure these settings:

  1. Click Policies from the left-hand pane in ZCC.

  2. Click the Mobile Security Policy that you have created.

  3. Click the Details tab.

Alternatively, select Define Additional Properties while creating the Mobile Security Policy.

Securing the work profile

Click Profile Security to set the password and other settings on devices enrolled in the work profile mode. To enable the Profile Security settings, select Yes from the Secure Work Profile drop-down list, based on the ownership type with which the devices are enrolled (Corporate or Personal).

NOTE: If you have assigned the profile security password settings to a device and the Use one lock feature is enabled on the same device (under Settings > Security), then the password setting with the stricter restriction is applied to both the device and the work profile. For example, if the configured work profile password is more complex than the configured device password, then the work profile password is used to unlock the device as well.

Setting Password Restrictions

The Password settings are listed in increasing order of complexity (strictness). If more than one setting applies to a device, the more complex (strict) setting is enforced. For more information on the device password settings, see Editing Mobile Security Policy Settings.

Setting Inactivity Restrictions

| Setting | Description |
|---|---|
| Require inactivity lock | Confirms that the device should be locked if the work profile has been inactive for a specified period of time. |
| Maximum inactivity timeout (minutes) | Applies only if Require inactivity lock is set to Yes. Specifies the maximum number of minutes the user can set for the inactivity lock. For example, if set to 5, the user can set the inactivity timeout up to 5 minutes. |
| Wipe profile on failed number of unlock attempts | Wipes the work profile after the specified number of failed attempts to unlock the device. |
| Maximum number of unlock attempts | Applies only if Wipe profile on failed number of unlock attempts is set to Yes. Specifies the number of failed attempts to unlock the work managed app that is allowed before the work profile is wiped. For example, if set to 10, the profile is removed after the 10th failed attempt. |

Securing a work-managed device

The settings in the Device Password, Encryption and Device Inactivity tabs can be applied to a work-managed device. For more information on each of these settings, see Editing Mobile Security Policy Settings.

12.5.2 Applying Device Restrictions

Using the Mobile Device Control Policy, you can apply restrictions on devices enrolled in the work-managed device and work profile mode. To create and assign this policy, see Creating a Mobile Device Control Policy. The check mark in the Work Profile and Work Managed columns indicates that the setting is applicable for either of the modes or both. To apply restrictions:

  1. Click Policies from the left-hand pane in ZCC.

  2. Click the Mobile Device Control Policy that you have created.

  3. Click the Details tab.

  4. Click Android.

Android

The settings that can be enabled or disabled for Android devices are as follows:

 

| Settings | Description | Applicable from |
|---|---|---|
| Devices | | |
| Allow camera | Determines whether the device camera should be enabled. If disabled on devices enrolled in the work profile mode, the camera can still be accessed from the device’s personal space. | Android 5.0+ |
| Allow install from unknown sources | Determines whether or not the user can install apps from outside the managed Google Play Store. | Android 5.0+ |
| Allow debugging features | Determines whether or not debugging of the device can be enabled. | Android 5.0+ |
| Allow screenshots | Determines whether the user can capture images of the device’s display screen. | Android 5.0+ |
| Allow Copy and Paste | Determines whether the user can copy and paste data between the work profile and the personal space on the device. | Android 7.0+ |
| Apps | | |
| Runtime permissions | Select the default response for any runtime permissions requested by apps. For more information, see the Android Developer Documentation. You can select any one of the following values: • Prompt: Allows the user to grant or deny permissions to the apps. • Auto Grant: Automatically grants permissions to the apps. • Auto Deny: Automatically denies permission to the apps. | Android 6.0+ |
| Allow adding accounts | Determines whether the user can add or remove accounts to access work apps. However, this setting should be used with caution, as by enabling it users can also add their personal accounts to access work apps, which might make it difficult to contain corporate data within the workspace. | Android 5.0+ |
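
The version gates and "Applies only if" dependencies described in 12.5.1 and 12.5.2 mean that a configured value can silently have no effect on a given device. The following added example (not part of the product or its documentation) checks a policy against one device and reports those cases, plus the two caveats this section calls out. The dictionary keys, the sample policy and the Auto Grant finding are assumptions made for the example.

```python
MIN_ANDROID = {  # hypothetical keys; version gates taken from this section
    "require_inactivity_lock": (7, 0),
    "wipe_on_failed_unlock": (7, 0),
    "allow_camera": (5, 0),
    "allow_unknown_sources": (5, 0),
    "allow_debugging": (5, 0),
    "allow_screenshots": (5, 0),
    "allow_copy_paste": (7, 0),
    "runtime_permissions": (6, 0),
    "allow_adding_accounts": (5, 0),
}
# "Applies only if" pairs: dependent value -> switch that must be Yes (True)
DEPENDS_ON = {
    "max_inactivity_minutes": "require_inactivity_lock",
    "max_unlock_attempts": "wipe_on_failed_unlock",
}
SAMPLE_POLICY = {  # constructed sample, not a real export
    "require_inactivity_lock": False,
    "max_inactivity_minutes": 5,
    "wipe_on_failed_unlock": True,
    "max_unlock_attempts": 10,
    "allow_camera": False,
    "allow_copy_paste": False,
    "runtime_permissions": "auto_grant",
    "allow_adding_accounts": True,
}

def lint_policy(policy, android_version, mode):
    """Findings for one device; mode is 'work_profile' or 'work_managed'."""
    findings, skipped = [], set()
    for key, (major, minor) in MIN_ANDROID.items():
        if key in policy and android_version < (major, minor):
            skipped.add(key)
            findings.append(f"{key}: not applied below Android {major}.{minor}")
    active = {k: v for k, v in policy.items() if k not in skipped}
    for value_key, switch in DEPENDS_ON.items():
        if value_key in policy and not active.get(switch, False):
            findings.append(f"{value_key}: no effect, {switch} is not in force")
    if mode == "work_profile" and active.get("allow_camera") is False:
        findings.append("allow_camera: camera still usable from personal space")
    if active.get("allow_adding_accounts"):
        findings.append("allow_adding_accounts: personal accounts can reach work apps")
    # Reviewer's choice (assumption): treat Auto Grant as worth a second look.
    if active.get("runtime_permissions") == "auto_grant":
        findings.append("runtime_permissions: granted without asking the user")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_POLICY, (6, 0), "work_profile")))
```

Pass the Android version as a (major, minor) tuple; an empty list means every configured setting takes effect on that device and none of the flagged caveats apply.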