Access and Setup IV: Policies and Types
Policies
Policies are rules that are applied to users’ devices. They can be assigned via an Organization or assigned individually to each user. You can create your own custom policies using the Policy types that are installed with your deployment. Keep in mind that policies granted in a higher Organization will also be applied to the sub Organizations. However, policies set at the sub Organization will override the higher-level Policy.
Create a new Policy
- Navigate to Setup
- Open Policies
- Click Add Policy
- Enter a Policy Name
- Set Policy Priority to 1
- Select the Policy Type
- Select the Owning Organization
The Owning Organization determines which administrators can edit this Policy and assign it to other Organizations and users.
- In the Policy view, expand the Policy type section
- Click the pencil (Edit) on the new Policy from the list of policies
- Ensure that ‘Yes’ is selected under Active
- Navigate to the Policy Items tab
- Click ‘Add Policy Item’
- Select a Policy Item
- Select the Value
- Click Save
Assign Policy to Organization
- Once a Policy has been created, you can now assign it to an existing Organization.
- Navigate to Organizations
- Select the Organization to which you wish to assign the Policy
- Click Edit Organization
- On the Policies tab, expand the Policy type section and place a check mark next to the Policy.
- Click Done
Assign Policy to User
You can also assign a Policy directly to a user. When a Policy is assigned directly to a user, it takes precedence over the group-assigned Policy if there is a similar Policy assigned to the user’s Organization.
This feature is designed to be used when a user has an exception to the normal global Policy.
- Navigate to the Users tab
- Search for the user and select Edit
- Navigate to the Policies tab
- On the left, by expanding the sections, you will see a list of policies assigned to the user by Organization
- You can also select policies to assign directly to the user.
- Expand the Policy Type section and place a check mark next to the Policy you wish to assign
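The precedence rules from the Policies and Assign Policy to User sections, modelled as an added example (not code from the product or its vendor). It assumes that a "similar" Policy means one of the same Policy type and that the more specific Policy replaces the less specific one as a whole; the Organization names, users and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    policy_type: str   # Policy type, e.g. "Password" or "Container"
    items: dict        # Policy Item -> value as entered in the console

# Constructed sample data (not from any real deployment).
ORG_PARENT = {"Corp": None, "Corp/Sales": "Corp"}   # sub Organization -> parent
ORG_POLICIES = {
    "Corp": [
        Policy("Corp password", "Password",
               {"Minimum Password Length": 12, "Max Failed Password Attempts": 5}),
        Policy("Corp container", "Container",
               {"Enable Contacts Export to Native": 0}),
    ],
    "Corp/Sales": [Policy("Sales password", "Password",
                          {"Minimum Password Length": 8})],
}
USER_ORG = {"alice": "Corp/Sales", "bob": "Corp/Sales"}
USER_POLICIES = {"alice": [Policy("Alice exception", "Container",
                                  {"Enable Contacts Export to Native": 1})]}

def assignment_order(user):
    """Yield (source, Policy) from least to most specific: top Organization first, user last."""
    chain, org = [], USER_ORG[user]
    while org is not None:
        chain.append(org)
        org = ORG_PARENT[org]
    for org in reversed(chain):
        for policy in ORG_POLICIES.get(org, []):
            yield org, policy
    for policy in USER_POLICIES.get(user, []):
        yield f"user:{user}", policy

def resolve(user):
    """Return (effective, changes): winning Policy per type, plus items each override altered."""
    effective, changes = {}, []
    for source, policy in assignment_order(user):
        shadowed = effective.get(policy.policy_type)
        if shadowed is not None:
            old = shadowed[1].items
            # Assumption: the override replaces the whole Policy, so unset items vanish (None).
            for item in sorted(set(old) | set(policy.items)):
                if old.get(item) != policy.items.get(item):
                    changes.append((source, item, old.get(item), policy.items.get(item)))
        effective[policy.policy_type] = (source, policy)
    return effective, changes
```

The `changes` list names each Policy Item whose value was altered or dropped by a sub Organization or user-level override, which is the list to review before approving an exception.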
Policy Overview
Password
Policy Item | Description | Values to enter |
---|---|---|
Container Requires Password | Determines if a password is required | 1=Yes, 0=No |
Max Failed Password Attempts | Number of times user can enter the password before container wipes | Numeric value 1-10 |
Minimum Password Length | Numeric value (# of characters required for a password 1-100) | Numeric value (# of characters required) |
Password Expiry Days | Numeric value (# of days until user is required to change container password 1-100) | Numeric value (# of days until expiration of password) |
Password History | Determines the number of times a user must wait before reusing a container password | Numeric |
Password Requires Special Characters | Determines if special characters are required | 1=Yes, 0=No |
Password Requires Numeric | Determines if numbers are required | 1=Yes, 0=No |
Password Requires Uppercase | Determines if an upper case letter is required | 1=Yes, 0=No |
Touch ID Enabled | Determines if a user is eligible to use the same login fingerprint they use for their phone. | 1=Yes, 0=No |
Policy Item | Description | Values to enter |
---|---|---|
Allowed attachment file types (comma separate) | Determines which type of files a user can attach to an email or detach from an email | Sample: enter each extension with a comma no spaces in between. doc,docx,xls,xlsx,ppt,pptx,pdf,txt,log,gif,jpeg,png |
Default Mail Server | The FQDN of the mail server the user will connect to (Exchange CAS server name) | Alpha (CAS server name) |
Default Mail Domain | The domain used for authentication to the mail server. | Alpha (Domain used for authentication) |
Default Mail Address | Default mail address that will appear when a user first provisions email in the client | string |
Email Disclaimer | The disclaimer message that will appear on every message sent by the user from the mail application | Enter the disclaimer message that will appear on every message sent by the user from the device that has this Policy |
Disable Email Attachments | Determines if a user can view/open/save email attachments locally | 1=Yes, 0=No |
Enable GAL Contact Sync | Determines if a user should have the whole GAL synced to their local device. Default is No | 1=Yes, 0=No |
Max attachment size to attach to new email | Determines the max size of a file that can be attached to an email sent from the client | 1 MB=1,5 MB=5,10 MB=10,20 MB=20,50 MB=50,100 MB=100 |
Max attachment size to open/save | Determines the max size of a file that can be opened or saved in an email received on the client | 1 MB=1,5 MB=5,10 MB=10,20 MB=20,50 MB=50,100 MB=100 |
Application Access
Policy Item | Description | Values to enter |
---|---|---|
Annotate Application Enabled | Determines if user has access to contacts application | 1=Yes,0=No |
Box Sync Application Enabled | Determines if user has access to Box Sync application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Box Sync Disable file download | Determines if a user can download files from Box Sync to their local file manager | 1=Yes,0=No |
Box Sync Disable file upload | Determines if a user can upload files from their local file manager to Box Sync | 1=Yes,0=No |
Box Sync Max file Size | Determines the size of a file a user can download/upload to or from Box Sync | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Briefcase Application Enabled | Determines if user has access to Briefcase application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Browser Application Enabled | Determines if user has access to browser application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Calendar Application Enabled | Determines if user has access to contacts application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Camera Application Enabled | Determines if user has access to camera application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Contacts Application Enabled | Determines if user has access to contacts application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Dropbox Application Enabled | Determines if user has access to Dropbox application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Dropbox disable file download | Determines if a user has rights to download a file from Dropbox to local file manager | 1=Yes,0=No |
Dropbox disable file upload | Determines if a user has rights to upload a file to Dropbox from local file manager | 1=Yes,0=No |
Dropbox max file size | Determines the max size a user can download or upload between Dropbox and local file manager | 1 MB=1,5 MB=5,10 MB=10,20 MB=20,50 MB=50,100 MB=100 |
Email Application Enabled | Determines if user has access to mail application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
File Manager Application Enabled | Determines if user has access to File Manager application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
File Sync Application Enabled | Determines if user has access to File Sync application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Gmail Application Enabled | Determines if a user has access to the Gmail application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Images Application Enabled | Determines if user has access to Images application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Maps Application Enabled | Determines if user has access to Maps application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Notes Application Enabled | Determines if user has access to the Notes application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Office Application Enabled | Determines if user has access to the Smart Office application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
OneDrive Application Enabled | Determines if user has access to the One Drive application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
OneDrive disable file download | Determines if a user has access to download files from OneDrive to local file manager | 1=Yes,0=No |
OneDrive disable file upload | Determines if a user has access to upload files from local file manager to OneDrive | 1=Yes,0=No |
OneDrive max file size | Determines max size of file a user can download/upload from/to OneDrive from local file manager | 1 MB=1,5 MB=5,10 MB=10,20 MB=20,50 MB=50,100 MB=100 |
Phone Application Enabled | Determines if user has access to phone application | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Settings Application Enabled | Determines if user has access to settings application | 1=Yes,0=No |
WebApp1 - WebApp10 Application Enabled | Determines if user has access to Access application in the container 1=Yes 0 = No | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
WebApp1 - WebApp10 Application Name | The name of the web application the user will access (Icon name) | Freeform text |
WebApp1 – WebApp10 Application URL | The URL of the server used to access the application | |
Briefcase
Policy Item | Description | Values to enter |
---|---|---|
Enable Briefcase editing | Determines if the user has rights to edit/add documents. | 1=Yes, 0=No |
Browser
Policy Item | Description | Values to enter |
---|---|---|
Default Homepage Enabled | Determines if the Default Homepage will be enabled | Enabled-Optional=2,Enabled-Mandatory=1,Disabled=0 |
Default Home Page | Determines if a user has a specific required default homepage in browser | https://www.FQDN.domain.com |
Allow Browser Download | Determines if a user can download files from the browser to local file manager. Default is not allowed | 1=Yes,0=No |
Allow Browser upload | Determines if a user can upload files from the local file manager to the browser | 1=Yes,0=No |
Container
Policy Item | Description | Values to enter |
---|---|---|
Allow Container Offline Access | Allows user to log into container when out of coverage/airplane mode | 1=Yes,0=No |
Allow Device Types | Determines what types of devices a user can provision in the system. Default is all | All=0,iOS Only=1,Android Only=2 |
Background lock Policy | Determines how long before locking the container if a user quickly flips container to background. Default is immediate | Immediate=0,2 Minutes=2,5 Minutes=5,10 Minutes=10,15 Minutes=15,20 Minutes=20,30 Minutes=30 |
Briefcase Sync disabled | Determines if data from briefcase on server is synced to device. | 1=Yes,0=No |
Client Debug | Determines if the user can collect debug logs on the device and send them when required | 1=Yes,0=No |
Container Lockout Time | Time of inactivity in foreground/background mode before container locks | Select from drop down values Immediate=0,2 Minutes=2,5 Minutes=5,10 Minutes=10,15 Minutes=15,20 Minutes=20,30 Minutes=30 |
Disable file download on cellular | Disable the file download when device is connected to a cellular network | 1=Yes,0=No |
Disable Secure Transport | Determines if a user bypasses the System transport server. Default is No | 1=Yes,0=No |
Display Splash Screen Number of Logins | The number of times a user logs into the container before a Splash screen advertisement appears | A numeric value between 0 and 100. |
Emergency Notification Email | *coming soon | *coming soon |
Emergency Wipe Password | *coming soon | *coming soon |
Enabled Caller ID | Enables caller id lookup from contacts inside container | 1=Yes,0=No |
Enable Contacts Export to Native* | Grants the user rights to export their address book to native OS | 1=Yes,0=No |
Enable Full Calendar details Export to Native* | Grants the user rights to sync their full calendar details to their native calendar | 1=Yes,0=No |
Enable Splash Screen | Determines whether a Splash screen will appear for a device user | 1=Yes,0=No |
Provisioning Authentication Type | Determines what is used to initially provision the user’s container | PIN=1,Active Directory=2 (planned) |
Splash Screen URL | Determines what splash screen will appear for a device user | URL of site to be used |
* Important Warning
A full company risk assessment should be completed before enabling this policy. By default these policies are NOT enabled and can only be enabled by your local Systems Administrators. It is possible for a user to circumvent a company’s ability to remove the contacts or calendar data at a later date. Any data that has been synced with an iCloud or Gmail account can be accessed by any device that has rights to access those same iCloud/Gmail accounts. Please ensure your company has accepted this risk before implementing these policies.
The native data cannot be removed if:
- The user removes the Secure Container Application after a sync has been completed and before a wipe command can be issued
- The user disables Secure Container access in native settings to contacts or calendar after a sync has been completed and before a wipe command can be issued.
Disclaimer
Policy Item | Description | Values to enter |
---|---|---|
Disclaimer Enabled | Determines if the Client will show a disclaimer before user logs in. | 1=Yes,0=No |
Disclaimer Content | The disclaimer message that will appear that a user must accept before logging into the container. | Text |
GPS
Policy Item | Description | Values to enter |
---|---|---|
GPS Tracking Enabled | Determines if the Client will report GPS location information back to the server | 1=Yes,0=No |
Relay
Policy Item | Description | Values to enter |
---|---|---|
Force Relay Rotation for Each Packet | Determines if the client will rotate between relays for each connect session it makes. | 1=Yes,0=No |
Screenshot
Policy Item | Description | Values to enter |
---|---|---|
Disable Policy when screenshot detected | Disables a Policy if a screenshot has been detected. E.g. disables access to (email enabled) if a screenshot is disabled | Select value from dropdown. |
Enable Policy when screenshot detected | Enables a Policy if a screenshot has been detected. E.g. enable access to email restrict (email disabled) Policy if a screenshot is enabled | Select value from dropdown |
Lock container when screenshot is taken | | 1=Yes,0=No |
Screenshot Enabled (specific to Android) | Determines if the user can take screenshots of data in the container. | 1=Yes,0=No |
Send screenshot via email | Captures the screenshot and sends it to an email address so it may be audited | Manually enter the email address where the screenshot is to be sent |
Timebomb
Policy Item | Description | Values to enter |
---|---|---|
Container Has Timebomb | Determines if the Client will self-destruct after a period of inactivity | 1=Yes,0=No |
Timebomb Period | Number of days of non-access of container | 1,3,7,10,14,30,60,90,180 days |