12.5 Securing the Work Profile

The settings in the existing Mobile Security Policy and Mobile Device Control Policy have been extended to secure devices enrolled in the work profile mode.

12.5.1 Applying Profile Password and Inactivity Restrictions

You can configure password restrictions and inactivity settings for devices enrolled in the work profile mode by using the Mobile Security Policy. For more information on creating and assigning a Mobile Security Policy, see Mobile Management Reference.

These settings are applicable for Android 7.0 devices or later. To configure these settings:

  1. Click Policies from the left-hand pane in ZCC.

  2. Click the Mobile Security Policy that you have created.

  3. Click the Details tab.

  4. Click Profile Security.

Alternatively, select Define Additional Properties while creating the Mobile Security Policy.

To enable the profile security settings, select Yes from the Secure Work Profile drop-down list, based on the ownership type with which the devices are enrolled (Corporate or Personal).

NOTE: If you have assigned the profile security password settings to a device and the Use one lock feature is enabled on the same device (under Settings > Security), then the password setting with the stricter restriction is applied to both the device and the work profile. For example, if the configured work profile password is more complex than the configured device password, then the work profile password is used to unlock the device as well.

Setting Password Restrictions

The Password settings are listed in increasing order of complexity (strictness). If more than one setting applies to a device, the more complex (strict) setting is enforced. For more information on the device password settings, see Editing Mobile Security Policy Settings.

Setting Inactivity Restrictions

| Setting | Description |
|---|---|
| Require inactivity lock | Confirms that the device should be locked if the work profile has been inactive for a specified period of time. |
| Maximum inactivity timeout (minutes) | Applies only if Require inactivity lock is set to Yes. Specifies the maximum number of minutes the user can set for the inactivity lock. For example, if set to 5, the user can set the inactivity timeout up to 5 minutes. |
| Wipe profile on failed number of unlock attempts | Wipes the work profile after the specified number of failed attempts to unlock the device. |
| Maximum number of unlock attempts | Applies only if Wipe profile on failed number of unlock attempts is set to Yes. Specifies the number of failed attempts to unlock the work managed app that is allowed before the work profile is wiped. For example, if set to 10, the profile is removed after the 10th failed attempt. |

12.5.2 Applying Device Restrictions

Device restrictions can be applied using the Mobile Device Control Policy. To create and assign this policy, see Creating a Mobile Device Control Policy. To apply restrictions on the work profile:

  1. Click Policies from the left-hand pane in ZCC.

  2. Click the Mobile Device Control Policy that you have created.

  3. Click the Details tab.

  4. Click Android.

|  | Settings | Description |
|---|---|---|
| Devices | Allow camera | Determines whether the device camera should be enabled. If disabled on devices enrolled in the work profile mode, the camera can still be accessed from the device's personal space. |
|  | Allow install from unknown sources | Determines whether or not the user can install apps from outside the managed Google Play Store. |
|  | Allow debugging features | Determines whether or not debugging within the work profile of the device can be enabled. |
|  | Allow screenshots | Determines whether the user can capture screenshots of the work apps. |
|  | Allow copy and paste | Determines whether the user can copy and paste data from the work profile to the personal space on the device. |
| Apps | Runtime permissions | Select the default response for any runtime permissions requested by apps. This setting is applicable for Android 6.0 or newer devices. For more information, see the Android Developer Documentation. You can select any one of the following values: Prompt (allows the user to grant or deny permissions to the apps); Auto Grant (automatically grants permissions to the apps); Auto Deny (automatically denies permission to the apps). You can edit permissions for specific apps in the Apps Catalog page. If the permissions are edited in this page, then the values defined in the Mobile Device Control Policy are overridden for that specific app. |
|  | Allow Adding of Accounts | Determines whether the user can add or remove accounts to access apps within the work profile. Use this setting with caution: when it is enabled, users can also add their personal accounts to access apps within the work profile, which might make it difficult to contain corporate data within the profile workspace. By default, this feature is disabled by ZENworks. |
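The following is an added example, not ZENworks code or a ZENworks export format: a small Python review of a planned work profile configuration. It applies the "Applies only if ... is set to Yes" rules from the inactivity table and the Apps Catalog override rule for runtime permissions. The dictionary layout, the Yes/No values for the Allow settings, the app identifier and the sample values are constructed assumptions; only the setting names come from this section.

```python
# Added example: the dictionary layout and sample values are constructed assumptions.
PERMISSION_CHOICES = {"Prompt", "Auto Grant", "Auto Deny"}

# Sub-settings that apply only when their parent setting is Yes.
DEPENDENT = {
    "Maximum inactivity timeout (minutes)": "Require inactivity lock",
    "Maximum number of unlock attempts": "Wipe profile on failed number of unlock attempts",
}

# Settings that, when allowed, make it harder to contain data in the work profile.
CONTAINMENT = ["Allow install from unknown sources", "Allow debugging features",
               "Allow screenshots", "Allow copy and paste", "Allow Adding of Accounts"]


def effective_permission(policy, app_overrides, app_id):
    """A per-app value from the Apps Catalog overrides the policy default."""
    value = app_overrides.get(app_id, policy["Runtime permissions"])
    if value not in PERMISSION_CHOICES:
        raise ValueError(f"unknown runtime permission value: {value!r}")
    return value


def review(policy, app_overrides):
    """Return a sorted list of findings for a planned configuration."""
    findings = []
    for child, parent in DEPENDENT.items():
        if policy.get(parent) != "Yes":
            findings.append(f"{parent} is not Yes: {child} is not applied")
        elif not isinstance(policy.get(child), int) or policy[child] < 1:
            findings.append(f"{child} needs a positive whole number")
    for name in CONTAINMENT:
        if policy.get(name) == "Yes":
            findings.append(f"{name} is enabled in the work profile")
    default = policy["Runtime permissions"]
    for app_id in app_overrides:
        granted = effective_permission(policy, app_overrides, app_id) == "Auto Grant"
        if granted and default != "Auto Grant":
            findings.append(f"{app_id}: Apps Catalog override grants permissions automatically")
    return sorted(findings)


# Constructed sample plan, written down before it is entered in ZCC.
SAMPLE_POLICY = {
    "Require inactivity lock": "Yes", "Maximum inactivity timeout (minutes)": 5,
    "Wipe profile on failed number of unlock attempts": "No",
    "Maximum number of unlock attempts": 10,
    "Allow screenshots": "No", "Allow copy and paste": "Yes",
    "Allow Adding of Accounts": "No", "Runtime permissions": "Prompt",
}
SAMPLE_OVERRIDES = {"com.example.mail": "Auto Grant"}  # constructed app identifier
```

For the sample plan, `review(SAMPLE_POLICY, SAMPLE_OVERRIDES)` reports three items: copy and paste is allowed, the unlock-attempt limit is not applied because the wipe setting is No, and one app's override grants permissions automatically although the policy default is Prompt.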