Tags Guide Part II: Android, Samsung Knox
Profile
Profiles are managed independently for each device type, allowing separate configuration and management per device type. When a device is provisioned, it receives the profile configuration in place at the time the device was enrolled. When a profile change is made, new devices receive the new configuration, as do devices that are currently managed and/or blocked. When changing profiles, ensure the settings are correct, as they are applied immediately to all applicable devices. Additionally, be sure to click the Save or Save & Close button at the bottom right of the screen to commit your changes before selecting another page.
Exchange Active Sync
This profile configures the Exchange Active Sync account for your managed devices. Please note that when deploying Android Enterprise, the Exchange ActiveSync configuration should be carried out with a managed configuration of the relevant application (Gmail, Outlook, Samsung Mail, etc.). The managed configuration offers all the options provided by the application vendor. For this reason, we recommend using the managed configuration to provision Exchange ActiveSync accounts to the devices. Please refer to the Application Configuration Guide to get acquainted with Managed Configurations, and consider reviewing Certificate Profile for VPN and Apps for certificate-based authentication.
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Exchange ActiveSync Settings | Enabled or Disabled | Enabled or Disabled | Enables Profile. |
Exchange Type |
Exchange profiles are only supported in combination with Android Enterprise. |
|
Determines to which E-Mail client the Exchange settings should apply. |
Label | e.g. Imagoverum Exchange | e.g. Imagoverum Exchange or e.g. {firstname} | The Label for the Email Account as it appears on the device. Supports Silverback System Variables for Samsung Mail. |
Server Name | e.g. outlook.office365.com | e.g. outlook.office365.com | External Exchange Active Sync address. |
Domain | e.g. Imagoverum | e.g. Imagoverum | Internal Domain Suffix for the Exchange Server. |
Peak Schedule (*Samsung Knox only) | not available |
|
Sets the default behaviour for the “Peak” period. |
Past Days of Mail to Sync |
|
|
Period of mail to synchronize to the device. |
Off-Peak Schedule (*Samsung Knox only) | not available |
|
Sets the default behaviour for the Off-Peak period. |
Peak Start Time (*Samsung Knox only) | not available | Midnight - 11pm | Sets the time of day in hours that the Peak period starts. |
Peak Time End (*Samsung Knox only) | not available | Midnight - 11pm | Sets the time of day in hours that the Peak period ends. Outside of these two settings is considered “Off-Peak”. |
Peak Days (*Samsung Knox only) | not available | Sunday - Saturday | Which days should use the Peak settings. Days not selected here will be considered Off-Peak. |
Use SSL | Enabled or Disabled | Enabled or Disabled | If the URL for the External Mail Server is protected by an SSL Certificate then use SSL. |
Use Custom Username Variable | e.g. {CustLdapVar0} or support@imagoverum.com | e.g. {CustLdapVar0} or support@imagoverum.com | Define a Custom Variable Attribute for the Username for the EAS Profile. |
Use Custom Email Variable | e.g. {CustLdapVar0} or tim.tober@imagoverum.com | e.g. {CustLdapVar0} or tim.tober@imagoverum.com | Define a Custom Variable Attribute for the Email Address for the EAS Profile. |
Enterprise Certificate | Choose File | Choose File | Upload a certificate for certificate based authentication with one certificate. |
Certificate Password | e.g. Pa$$w0rd | e.g. Pa$$w0rd | Password for the certificate. |
Trust All Certificates | Enabled or Disabled | Enabled or Disabled | Required for client certificate authentication with the Gmail app, if the device doesn’t trust the certificates correctly. |
Passcode
Settings Overview
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Passcode Settings | Enabled or Disabled | Enabled or Disabled | Enables Profile. |
Quality |
|
|
Defines the password quality. |
Minimum Length | 4-19 | 4-19 | The smallest number of passcode characters allowed. |
Maximum Passcode Age - 1-730 days or none | 1-730 or empty | 1-730 or empty | How often passcode must be changed. |
Auto-lock (minutes) | 1, 2, 3, 4, 5, 10, 15, 20, 25, 30 | 1, 2, 3, 4, 5, 10, 15, 20, 25, 30 | Device automatically locks due to inactivity after this time period. |
Passcode history (1-50 passcodes, or none) | 1-50 or empty | 1-50 or empty | Number of unique passcodes required before reuse. |
Maximum Failed Attempts | 0-12 | 0-12 | Number of passcode entry attempts allowed before the device is reset to factory settings. |
Quality Overview
Quality | Description |
---|---|
Numeric | The user has to enter a password containing at least numeric characters. |
Alphanumeric | The user has to enter a password containing at least numeric and alphabetic characters (or symbols). |
Complex | The user has to enter by default a password containing at least a letter, a numerical digit and a special symbol. With this password quality, passwords can be restricted to contain various sets of characters, like at least one uppercase letter etc. |
Numeric Complex | The user has to enter a password containing at least numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences. |
Biometric Weak | The policy allows for low-security biometric recognition technology. This implies technologies that can recognize the identity of an individual to about a 3 digit PIN (false detection is less than 1 in 1.000). |
Additional Settings Complex Quality
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Minimum Length | 4-16 | 4-16 | Defines the minimum passcode length. |
Minimum Letters | 0-15 | 0-15 | Defines the minimum number of letters required in the passcode. |
Minimum Lower Case | 0-15 | 0-15 | Defines the minimum number of lower case letters required in the passcode. |
Minimum Upper Case | 0-15 | 0-15 | Defines the minimum number of upper case letters required in the passcode. |
Minimum Non Letters | 0-15 | 0-15 | Defines the minimum number of non-letters (digits and complex characters) required in the passcode. |
Minimum Numeric | 0-15 | 0-15 | Defines the minimum number of digits required in the passcode. |
Minimum Complex characters | 0-4 | 0-4 | Defines the minimum number of complex characters required in the passcode. |
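The Complex and Numeric Complex rules above can be sanity-checked before a profile is saved. The following is an added example, not Silverback or Android code: the names `ComplexPolicy`, `violations`, `longest_sequence` and `numeric_complex_ok` are hypothetical, and two rules are assumptions made here: the derived effective minimum length, and rejecting runs of four or more characters with a constant step (chosen to match the page's 4444, 1234, 4321 and 2468 examples).

```python
from dataclasses import dataclass

# Allowed ranges copied from the "Additional Settings Complex Quality" table.
RANGES = {
    "min_length": (4, 16), "min_letters": (0, 15), "min_lower": (0, 15),
    "min_upper": (0, 15), "min_non_letters": (0, 15), "min_numeric": (0, 15),
    "min_complex": (0, 4),
}


@dataclass
class ComplexPolicy:  # hypothetical container, one field per table row
    min_length: int = 4
    min_letters: int = 0
    min_lower: int = 0
    min_upper: int = 0
    min_non_letters: int = 0
    min_numeric: int = 0
    min_complex: int = 0

    def range_errors(self):
        """Return one message per setting that is outside the table's range."""
        errors = []
        for name, (low, high) in RANGES.items():
            value = getattr(self, name)
            if not low <= value <= high:
                errors.append(f"{name}={value} outside {low}-{high}")
        return errors

    def effective_min_length(self):
        """Shortest passcode that can satisfy every minimum at once.

        Assumption: lower + upper both count as letters, and digits +
        complex characters both count as non-letters (per the table text).
        """
        letters = max(self.min_letters, self.min_lower + self.min_upper)
        non_letters = max(self.min_non_letters,
                          self.min_numeric + self.min_complex)
        return max(self.min_length, letters + non_letters)


def violations(policy, passcode):
    """Return the names of the policy minimums the passcode does not meet."""
    counts = {
        "min_length": len(passcode),
        "min_letters": sum(c.isalpha() for c in passcode),
        "min_lower": sum(c.islower() for c in passcode),
        "min_upper": sum(c.isupper() for c in passcode),
        "min_non_letters": sum(not c.isalpha() for c in passcode),
        "min_numeric": sum(c.isdigit() for c in passcode),
        "min_complex": sum(not c.isalnum() for c in passcode),
    }
    return [name for name, have in counts.items()
            if have < getattr(policy, name)]


def longest_sequence(passcode):
    """Length of the longest run with a constant step between characters.

    A step of 0 is a repeat (4444); +1, -1 or +2 are ordered runs
    (1234, 4321, 2468). Steps are computed over character codes.
    """
    if len(passcode) < 2:
        return len(passcode)
    best = run = 2
    for i in range(2, len(passcode)):
        step = ord(passcode[i]) - ord(passcode[i - 1])
        prev = ord(passcode[i - 1]) - ord(passcode[i - 2])
        run = run + 1 if step == prev else 2
        best = max(best, run)
    return best


def numeric_complex_ok(passcode, max_run=3):
    """Numeric Complex check; max_run=3 is an assumed threshold."""
    has_digit = any(c.isdigit() for c in passcode)
    return has_digit and longest_sequence(passcode) <= max_run


if __name__ == "__main__":
    # Constructed sample policy and passcodes, for illustration only.
    policy = ComplexPolicy(min_length=6, min_letters=2, min_lower=3,
                           min_upper=1, min_numeric=2, min_complex=1)
    print("range errors:", policy.range_errors())
    print("effective minimum length:", policy.effective_min_length())
    for candidate in ("abcD12!", "abcdef1"):
        print(candidate, "->", violations(policy, candidate) or "ok")
    for pin in ("4444", "1234", "4321", "2468", "2580", "829461"):
        print(pin, "->", "ok" if numeric_complex_ok(pin) else "rejected")
```

In the sample policy the configured Minimum Length is 6, but the other minimums already force at least 7 characters, which is the kind of interaction worth checking before the profile is pushed to all devices.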
Restrictions
Android Enterprise
These restrictions apply to Android devices and Samsung Knox devices with Android Enterprise.
Restriction | Availability | Options | Requirements | Description |
---|---|---|---|---|
Applications | ||||
Allow Apps Control |
|
|
|
Specifies if a user is disallowed from modifying applications in Settings or launchers. The following actions will not be allowed when this restriction is enabled:
|
Allow Access to All Apps in Google Play Store |
|
|
When enabled, makes the entire Google Play Store available to users. Applications can be installed without adding a personal Google account, and a new Work Apps tab in the Google Play Store is created for applications assigned via Silverback. | |
Allow Install Apps |
|
|
|
Specifies if a user is disallowed from installing applications. |
Allow Uninstall Apps |
|
|
|
Specifies if a user is disallowed from uninstalling applications. |
Allow Unknown Sources |
|
|
|
Specifies if a user is disallowed from enabling the Unknown Sources setting, that allows installation of apps from unknown sources. Unknown sources exclude adb and special apps such as trusted app stores. |
Allow Unknown Sources (Device-wide) |
|
|
|
This restriction is a device-wide version of Allow Unknown Sources. Specifies if all users on the device are disallowed from enabling the "Unknown Sources" setting, that allows installation of apps from unknown sources. |
Allow Widgets From Work Profile Apps |
|
|
|
Allows the user to add widgets to their home screen from applications that reside in the work profile. |
Force Verify Apps |
|
|
|
Specifies if a user is forced to keep application verification enabled. In Android 8.0 and higher, this is a global user restriction: the system enforces app verification across all users on the device. On earlier Android versions, this restriction affects only the profile that sets it. |
Permission Policy |
|
|
|
Use this policy to auto grant or auto deny permission requests for installed applications. By default the user receives a prompt to accept permissions for each application separately after starting. If auto grant or auto deny is set, the UI is not shown to the user and permissions will be set as defined. |
Network & Connections | ||||
Allow Adding new Wi-Fi Configurations |
|
|
|
Specifies if a user is disallowed from adding a new Wi-Fi configuration. |
Allow Android Beam |
|
|
|
Specifies if the user is not allowed to use NFC to beam out data from apps. |
Allow Bluetooth |
|
|
|
Specifies if Bluetooth is disallowed on the device. |
Allow Bluetooth Contact Sharing |
|
|
|
If disabled, contact sharing via Bluetooth will be forbidden for the user. |
Allow Bluetooth Sharing |
|
|
|
Specifies if outgoing Bluetooth sharing is disallowed on the device. |
Allow Configuration of Bluetooth |
|
|
|
Specifies if a user is disallowed from configuring Bluetooth. This does not restrict the user from turning Bluetooth on or off, and it doesn't prevent the user from using Bluetooth. To disallow Bluetooth usage completely on the device, use Allow Bluetooth. |
Allow Configuration of VPN |
|
|
|
Specifies if a user is disallowed from configuring a VPN. This restriction also prevents VPNs from starting. |
Allow Configuration of WiFi |
|
|
|
Specifies if a user is disallowed from changing Wi-Fi access points. |
Allow Configure Cell Broadcasts |
|
|
|
Specifies if a user is disallowed from configuring cell broadcasts. |
Allow Configure Mobile Networks |
|
|
|
Specifies if a user is disallowed from configuring mobile networks. |
Allow Configure Tethering |
|
|
|
Specifies if a user is disallowed from configuring Tethering & portable hotspots. In Android 9.0 or higher, if tethering is enabled when this restriction is set, tethering will be automatically turned off. |
Allow Data Roaming |
|
|
|
Specifies if a user is not allowed to use cellular data when roaming. |
Allow Modify DNS Settings |
|
|
|
Specifies whether the user is allowed to modify private DNS settings. |
Allow Modify Wi-Fi State |
|
|
|
Specifies if a user is disallowed from enabling or disabling Wi-Fi. Even if the user manages to put the device in airplane mode, the device remains connected. |
Allow Network Reset |
|
|
|
Specifies if a user is disallowed from resetting network settings from Settings. |
Allow Share Location |
|
|
|
Specifies if a user is disallowed from turning on location sharing. |
Allow Sharing Wi-Fi for Admin Configured Networks |
|
|
|
Specifies if a user is disallowed from sharing Wi-Fi for admin-configured networks. |
Allow USB File Transfer |
|
|
|
Specifies if a user is disallowed from transferring files over USB. |
Allow Wi-Fi Direct |
|
|
|
Specifies if a user is disallowed from using Wi-Fi Direct. |
Allow Wi-Fi Tethering |
|
|
|
Specifies if a user is disallowed from using Wi-Fi tethering, including existing control tethering. |
Minimum Wi-Fi Security Level |
|
|
|
Prohibits devices from connecting to networks that do not meet a minimum level of security. |
Privacy & Security | ||||
Allow Autofill |
|
|
|
Specifies if a user is not allowed to use Autofill Services. |
Allow Cross Profile Caller ID |
|
|
|
Blocks the lookup of caller IDs in the work profile. As a result, a contact from the work profile is not shown with the corresponding name when the user receives a call. |
Allow Cross Profile Contact Search |
|
|
|
Block the work profile sharing contact information with the personal profile. If an IT admin blocks access, contact searches are returned as empty results. |
Allow Cross Profile Copy/Paste |
|
|
|
Specifies if the clipboard contents can be exported by pasting the data into other users or profiles. This restriction doesn't prevent import, such as someone pasting clipboard data from other profiles or users. Because it's possible to extract data from screenshots using optical character recognition (OCR), we recommend combining this restriction with Allow Screen Capture. |
Allow Debugging Features |
|
|
|
Specifies if a user is disallowed from enabling or accessing debugging features. It disables debugging features altogether, including USB debugging. When set on the Work Profile, it blocks debugging for that user only, including starting activities, making service calls, accessing content providers, sending broadcasts, installing/uninstalling packages, clearing user data, etc. |
Allow Sharing Data Into Managed Profile |
|
|
|
Specifies whether the user can share file / picture / data from the primary user into the work profile, either by sending them from the primary side, or by picking up data within an app in the work profile. When a work profile is created, the system allows the user to send data from the primary side to the profile by setting up certain default cross profile intent filters. If this is undesired, this restriction can be set to disallow it. |
System Settings | ||||
Allow Adjust Microphone Volume |
|
|
|
Specifies if a user is disallowed from adjusting microphone volume. If set, the microphone will be muted. |
Allow Airplane Mode |
|
|
|
If disabled, it disables airplane mode on the entire device. |
Allow Ambient Display |
|
|
|
Specifies if ambient display is disallowed for the user. |
Allow Camera in Work Profile |
|
|
|
Disables the usage of the Camera inside the Work Profile for the user. |
Allow Change Language |
|
|
|
Specifies if a user is disallowed from changing the device language. |
Allow Configuration of Brightness |
|
|
|
Specifies if a user is disallowed from configuring brightness. |
Allow Configuration of Credentials |
|
|
|
Specifies if a user is disallowed from configuring user credentials for certificate storage etc. |
Allow Configuration of Date, Time and Timezone |
|
|
|
Specifies if date, time and timezone configuring is disallowed. |
Allow Configuration of Location |
|
|
|
Specifies if a user is disallowed from enabling or disabling location providers. As a result, the user is disallowed from turning location on or off. |
Allow Configuration of Screen Off Timeout |
|
|
|
Specifies if a user is disallowed from changing screen off timeout. |
Allow Factory Wipe |
|
|
|
Specifies if a user is disallowed from factory resetting from Settings. |
Allow Outgoing Calls |
|
|
|
Specifies that the user is not allowed to make outgoing phone calls. Emergency calls are still permitted. |
Allow Printing |
|
|
|
Specifies whether the user is allowed to print. |
Allow Reboot Into Safe Boot Mode |
|
|
|
Specifies if the user is not allowed to reboot the device into safe boot mode. |
Allow Screen Capture |
|
|
|
Use this API to check whether the user can take a screenshot of the device screen. |
Allow Set Wallpaper |
|
|
|
User restriction to disallow setting a wallpaper. |
Allow SMS |
|
|
|
Specifies that the user is not allowed to send or receive SMS messages. |
Allow System Error Dialogs |
|
|
|
Specifies that system error dialogs for crashed or unresponsive apps should not be shown. In this case, the system will force-stop the app as if the user chooses the "close app" option on the UI. A feedback report isn't collected as there is no way for the user to provide explicit consent. |
Allow Volume Control |
|
|
|
Specifies if a user is disallowed from adjusting the master volume. If set, the master volume will be muted. |
Users & Accounts | ||||
Allow Add Users |
|
|
|
Specifies if a user is disallowed from adding new users. |
Allow Modify Accounts |
|
|
|
Specifies if a user is disallowed from adding and removing accounts. |
Allow Remove User |
|
|
|
When set on the primary user this specifies if the user can remove other users. When set on a secondary user, this specifies if the user can remove itself. |
Allow User Switch |
|
|
|
Specifies if user switching is blocked on the current user. |
Allow Create Windows |
|
|
|
Specifies that windows besides app windows should not be created. This will block the creation of the following types of windows.
|
Allow Set Icon |
|
|
|
Specifies if a user is not allowed to change their icon. |
Allow Remove Work Profile |
|
|
|
Specifies if managed profiles of this user can be removed. |
Allow Adding Managed Profiles |
|
|
|
Specifies if a user is disallowed from adding managed profiles. |
Allow Parent Profile Apps Linking |
|
|
|
Allows apps in the parent profile to handle web links from the work profile. |
Content & Media | ||||
Allow Content Capture |
|
|
|
Specifies if the contents of a user's screen are not allowed to be captured for artificial intelligence purposes. |
Allow Content Suggestions |
|
|
|
Specifies if the current user is able to receive content suggestions for selections based on the contents of their screen. |
Allow Mount Physical Media |
|
|
|
Specifies if a user is disallowed from mounting physical external media. |
Samsung Knox
These restrictions apply to Samsung Knox devices and can be combined with Android Enterprise restrictions. Because devices with the same operating system version can have different Knox API Levels, please refer to Knox version mapping. The Knox API Level is listed in the Software Information section under About phone in the device settings.
Restriction | Availability | Options | Requirements | Description |
---|---|---|---|---|
Applications | ||||
Allow App Store |
|
|
|
Use this API to disable the Google Play application silently. |
Allow App Uninstallation |
|
|
|
Set the application uninstallation mode on the device to disallow. |
Allow Browser |
|
|
|
This class provides APIs to control browser settings. The user cannot change the settings provided by this policy once the settings are disabled. The policies are applied only to Samsung browser. The policies do not apply to any third-party browser. |
Allow Clipboard Sharing Between Apps |
|
|
|
Use this API to allow or disallow sharing a global clipboard between applications. If the administrator disallows clipboard sharing, each application has an individual clipboard. |
Allow Non-Marketplace Apps |
|
|
|
Allow or disallow installation of non-Google-Play applications. If disabled, installation of non-Google-Play applications is disabled, and the user cannot access the UI until the administrator enables access again. If set to enabled, UI access to enabling installation of non-Google-Play applications is enabled. Enabling UI access does not enable the actual functionality. |
Allow User to Stop System Apps |
|
|
|
Use this setting to disable a force stop button for system-signed applications on the application Info UI in Settings and the stop button for the system application process on the Running application UI in Settings. |
Allow Youtube |
|
|
|
Use this API to disable the YouTube application silently. |
Network & Connection | ||||
Allow Android Beam |
|
|
|
Configure if Android Beam is allowed on device or not. |
Allow Automatic Sync while Roaming |
|
|
|
API to check whether automatic syncing during roaming is enabled. |
Allow GPS state change |
|
|
|
Use this API to check whether the user is allowed to change the GPS state. If not allowed, the user cannot change GPS UI settings and Location Services will be deactivated.
|
Allow Native VPN Access |
|
|
|
Use this setting to check whether a user can use the native VPN functionality or not. |
Allow S Beam |
|
|
|
Set this policy to block the use of S Beam on the device. S Beam allows users to share content using near field communication (NFC) or Wi-Fi Direct. When S Beam is disabled, the user cannot send or receive files using S Beam. |
Allow Tethering |
|
|
|
Use this API to block the device from sharing its carrier data with another device through USB, WiFi, and Bluetooth. |
Allow USB Host Storage |
|
|
|
Use this setting to check whether USB host storage devices are allowed to be mounted. Through USB OTG, a user can connect any pen drive (portable USB storage), external HD, or SD card reader, and it is mounted as a storage drive on the device. |
Allow User to set Mobile Data Limit |
|
|
|
Use this setting to check whether the user is allowed to set the mobile data limit and take appropriate action based on enterprise policy. |
Allow Wi-Fi AP Setting User Modification |
|
|
|
Use this API to deny the user modifying Wi-Fi AP settings. When disabled, the UI is grayed out so the user cannot modify the settings. When enabled, the user can modify the Wi-Fi AP Settings. |
Allow Wi-Fi Direct |
|
|
|
Disable Wi-Fi Direct without user interaction. When Wi-Fi Direct is disabled, any ongoing Wi-Fi Direct connection is interrupted, and the user cannot turn on Wi-Fi Direct. The S Beam feature, which depends on this policy, is also affected by this setting. |
Privacy & Security | ||||
Allow Google Crash Report Submission |
|
|
|
Use this API to enable or disable sending a crash report to Google. If disabled, all possible Google crash reports are blocked. |
Allow Lock Screen View Settings |
|
|
|
API to check whether the usage of lock screen views is allowed or not. |
Allow S Voice |
|
|
|
Use this API to check whether the S Voice application is allowed to be launched or not. |
Allow USB Debugging |
|
|
|
For a device managed by multiple administrators, USB debugging is disabled if at least one administrator has disabled it. |
Allow Voice Dialing |
|
|
|
Use this setting to disable the voice dialer application silently. Third-party voice dialer applications are not affected by this. |
System Settings | ||||
Allow Call |
|
|
|
Configure if devices can receive incoming calls or make outgoing calls. |
Allow Camera |
|
|
|
Use this API to check whether the camera is enabled or not. |
Allow MMS |
|
|
|
Use this API to allow or disallow incoming MMS messages. |
Allow NFC |
|
|
|
Use this setting to disallow NFC on the device. The user won't be able to change the state. |
Allow Over the Air Upgrade |
|
|
|
Use this API to allow or disallow upgrading the OS via a firmware-over-the-air (FOTA) client (for example, Samsung DM or WebSync DM). If disabled, all possible OTA upgrade requests (user initiated, server initiated, and system initiated) are blocked; the user may see server messages related to new firmware updates but any attempt to upgrade fails. |
Allow Power Off |
|
|
|
API to allow or disallow the user to power off the device by pressing the power button. For a device managed by multiple administrators, each administrator can apply a different status. Powering off using the power button is disabled if at least one administrator disables it. Powering off is enabled only if all administrators enable it. If powering off is disabled, a toast with the message "Security policy prevents power off" appears when the user tries to power off the device. |
Allow Safe Mode Boot |
|
|
|
Administrator can use this API to allow or disallow Safe Mode boot. |
Allow Screen Capture |
|
|
|
Use this API to check whether the user can take a screenshot of the device screen. |
Allow Settings Access to User |
|
|
|
Allow or prevent changes to Settings application. After disabling Settings, several changes to system preferences cannot be made. |
Allow SMS |
|
|
|
Use this setting to allow or disallow incoming SMS messages. |
Allow User Access to Status Bar Controls |
|
|
|
Use this setting to check whether status bar expansion is allowed. If disabled, the user won't be able to expand the status bar on the device.
|
Allow User to Perform Factory Reset |
|
|
|
Use this API to check whether a user is allowed to perform a factory reset. |
Allow User to Set Background Process Limit |
|
|
|
Use this API to check whether a limit on background processes is allowed and take appropriate action based on enterprise policy. |
Allow Wallpaper Changes |
|
|
|
Use this setting to check whether the user is allowed to change the device wallpaper or not. |
Content & Media | ||||
Allow Audio Recording |
|
|
|
Disable audio recording. The device microphone is still available after disabling audio recording so that the user can make calls and use audio streaming. This API relies on declared use of the audio, allowing only calls, voice recognition, and voice over IP (VoIP). If the application declares a use type and does something else, then this API is not able to block it. When audio recording is disabled, any ongoing audio recording is interrupted. Video recording is still allowed if no audio recording is attempted. |
Allow Google Backup |
|
|
|
For a device managed by multiple administrators, Google backup is disabled if at least one administrator has disabled it. |
Allow Share Via List |
|
|
|
Disable the display of the Share Via List. The Share Via List is displayed in certain applications that share data with other applications. |
Allow Video Recording |
|
|
|
Enable or disable video recording without user interaction. The device camera is still available after disabling video recording so that the user can take pictures and use video streaming. When video recording is disabled, any ongoing video recording is interrupted. |
Allow Writing to SD Card |
|
|
|
Enable or disable writing to the SD card. If disabled, all possible writes to the SD card are blocked. |
Legacy
Legacy Restrictions are a mix of restrictions that exist for historical reasons and can't be assigned to Android Enterprise or Samsung Knox, have been built for Silverback management purposes, or have been replaced by automatic settings. For example, Storage Encryption needed to be activated on older Android devices, but nowadays all devices are encrypted by default.
Restriction | Availability | Options | Description |
---|---|---|---|
Network & Connection | |||
Enable Bluetooth During Enrollment |
|
|
If this setting is applied, Bluetooth will be automatically activated during the device enrollment process and whenever the Restriction profile is installed. It acts as a one-time switch. Please note that if disabled, it will disable Bluetooth if it is activated on the device. |
Enable Wi-Fi During Enrollment |
|
|
If this setting is applied, Wi-Fi will be automatically activated during the device enrollment process and whenever the Restriction profile is installed. It acts as a one-time switch. Please note that if disabled, it will disable Wi-Fi if this connection type is used during the enrollment. |
System Settings | |||
Allow Bluetooth |
|
|
Specifies if Bluetooth is allowed or disallowed on the device. |
Allow Camera |
|
|
Historically, this setting was present for Android devices. It can now be used for Device Owner but is not an explicit Android Enterprise control. |
Allow Wi-Fi |
|
|
If this setting is applied, Wi-Fi will be automatically activated during the device enrollment process as a one-time switch. Please note that if disabled, it will disable Wi-Fi if this connection type is used during the enrollment. |
Privacy & Security | |||
Force Storage Encryption |
|
|
In the past, Android or Samsung devices were not encrypted by default. This setting was used to force the encryption of the device storage. |
Force Internal Storage Encryption |
|
|
In contrast to Android devices, Samsung Knox could distinguish the encryption setting for internal and external storage. Please note that newer devices are encrypted by default. |
Force External Storage Encryption |
|
|
In contrast to Android devices, Samsung Knox could distinguish the encryption setting for internal and external storage. Please note that newer devices are encrypted by default. |
Factory Reset Protection
In general, Factory Reset Protection is a security feature on Android and Samsung Knox devices running Android 5 and newer. It was designed to make sure that someone is not able to wipe and factory reset a phone that is lost or stolen.
If a user adds one or multiple Google Accounts to their device, Factory Reset Protection is active. When the device goes through an untrusted factory reset, the next user of the device needs either to enter one of the previously added Google Accounts or to use the last known Passcode or PIN on the device to unlock it. While this is very useful for privately used devices, it can cause a problem when a user in your organization uses a managed device with a personal Google Account and then leaves your company for any reason. In this scenario, you will probably wipe the device from the Management Console and hand the device over to the next user. As the remote wipe from the Management Console is a method that is considered untrusted, the next user would need (one of) the previous Google Account credentials to unlock the device. Without this account, or at least the last used Passcode/PIN, the device can't be used anymore as it is locked.
With the Factory Reset Protection configuration, Silverback offers two ways to prevent this scenario for Device Owner devices running Android 11 and later. You can choose either to disable Factory Reset Protection on managed devices or to determine which account can unlock the device, like a master account that is capable of unlocking the device after an untrusted factory reset has been performed.
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Factory Reset Protection | Enabled or Disabled | Enabled or Disabled | Enables the Factory Reset Protection Profile. |
Configuration |
|
|
Determines if the Factory Reset Protection should be disabled or if additional bypassing accounts should be added to the FRP. |
Accounts |
|
|
When Bypass Factory Reset Protection is selected, add additional Google Accounts here to bypass the Factory Reset Protection. |
Refer to Factory Reset Protection and Bypassing for Android and Samsung Knox for additional information.
System Update
Android devices can receive and install over-the-air (OTA) updates to the system and application software. Android notifies the device user that a system update is available and the device user can install the update immediately or later. You can manage system updates for Device Owner mode devices.
Setting | Android | Samsung Knox |
---|---|---|
System Update |
|
|
Start time | 00:00 - 23:30 | 00:00 - 23:30 |
End Time | 00:30 - 00:00 | 00:30 - 00:00 |
Supported for | Device Owner | Device Owner |
Automatic: Installs system updates as soon as they become available (without user interaction). Setting this policy type immediately installs any pending updates that might be postponed or waiting for a maintenance window.
Postpone: Postpones the installation of system updates for 30 days. After the 30-day period has ended, the system prompts the device user to install the update.
Postponing OTA updates can prevent devices from receiving critical updates. For this reason device manufacturers or carriers might choose to exempt important security updates from a postponement policy. Exempted updates notify the device user when they become available.
Maintenance Window: Installs system updates during a daily maintenance window (without user interaction). Set the start and end of the daily maintenance window, as minutes of the day, when creating a new windowed policy. The period begins when the system first postpones the update and setting new postponement policies won’t extend the period.
Private APN
If you have a Private Access Point Name (APN) for your SIM Cards, then Silverback has the ability to configure this for you on the managed devices.
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Private APN Settings | not available | Enabled or Disabled | Enables the Private APN Feature on Selected Devices. |
Name | not available | e.g. VFD2 Web | The name of the carrier access point. |
Username | not available | e.g. User | The username to connect to the access point. |
Password | not available | e.g. Pa$$w0rd | The password to connect to the access point. |
Server | not available | e.g. web.vodafone.com | The fully qualified address of the proxy server. |
Proxy | not available | e.g. apn.proxy.com | APN Proxy. |
Port | not available | e.g. 8080 | APN Port. |
Type | not available | e.g. default,supl,mms | APN Type. |
Auth Type | not available | | APN Authentication Type. |
Wi-Fi
Silverback offers the ability to pre-populate multiple Wi-Fi profiles and settings on your devices, so the user does not need to know the password for these networks. If you have a WPA Enterprise protected network (e.g. with a RADIUS Server), please refer to WPA Enterprise Settings for additional information.
Setting | Android | Samsung Knox | Description |
---|---|---|---|
General Settings | |||
Wi-Fi Settings | Enabled or Disabled | Enabled or Disabled | Enables the sending of Wi-Fi settings. |
SSID | e.g. Corporate Wi-Fi | e.g. Corporate Wi-Fi | Service Set Identifier of the wireless network. |
Security Type | | | Defines the wireless network encryption used. |
Hidden Network | Enabled or Disabled | Enabled or Disabled | Enable if the target network is not open or hidden. |
MAC Address Randomization | | | Allows devices to use a randomized MAC address when connecting to a Wi-Fi network. |
Password | e.g. Pa$$w0rd | e.g. Pa$$w0rd | Password for authenticating to the wireless network for personal networks. |
Proxy Settings | |||
Proxy | | | Ensures the device uses the necessary proxy. Review WPA Enterprise Settings for additional information. |
Protocol Settings (only Enterprise) | |||
EAP Method | | | Defines the protocol utilized by encryption type. Review WPA Enterprise Settings for additional information. |
Phase 2 Authentication | | | Defines the phase 2 authentication method for TTLS and PEAP. Review WPA Enterprise Settings for additional information. |
Authentication Settings (only Enterprise) | |||
Identity | | | Defines the used authentication mechanism. Review WPA Enterprise Settings for additional information. |
Certificate-based authentication | | | Defines the used authentication mechanism. Please refer to the Certification Authority Integration Guide for Certificate Based Authentication. |
Trust Settings (only Enterprise) | |||
Trust Configuration | | | Defines the trust configuration. Review WPA Enterprise Settings for additional information. |
Work Profile
Work Profiles are designed for personally owned devices that should gain access to corporate data. Activating work profiles requires an Android Enterprise Integration. When enabled, devices automatically activate a work container to ensure a separation between personal and corporate data. Additionally, access to the work container can be passcode protected.
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Work Profile | Enabled or Disabled | Enabled or Disabled | Enables the Work Profile. |
Passcode Settings | Enabled or Disabled | Enabled or Disabled | Enables the usage of a separated passcode for the Work Container. |
Quality | | | Defines the minimum requirements for the passcode. |
Minimum Length | 4-19 | 4-19 | Defines the minimum passcode length. |
Maximum Passcode Age | 1-730 or empty | 1-730 or empty | How often the passcode must be changed. |
Passcode history | 1-50 or empty | 1-50 or empty | Number of unique passcodes required before reuse. |
Auto-update apps | | | Configures the Auto-update apps settings in Google Managed Play. |
Enable System Apps | Enabled or Disabled | Enabled or Disabled | By default, pre-installed system applications are automatically disabled during the enrollment process, and enabling this setting will automatically enable applications marked as system applications by the device manufacturer. Please note that this setting only takes effect during the enrollment process, and any subsequent changes will not affect devices that have already been enrolled. |
Managed Account
Managed Accounts are designed for corporate-owned devices that are activated as device owner devices during the out-of-the-box experience. When managed accounts are enabled and distributed, device owner devices receive a managed corporate account after enrollment, which allows users to download and install administrator-approved apps. Distributing managed accounts requires an Android Enterprise Integration.
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Managed Account | Enabled or Disabled | Enabled or Disabled | Enables the Managed Account. |
Auto-update apps | | | Configures the Auto-update apps settings in Google Managed Play. |
Enable System Apps | Enabled or Disabled | Enabled or Disabled | By default, pre-installed system applications are automatically disabled during the enrollment process, and enabling this setting will automatically enable applications marked as system applications by the device manufacturer. Please note that this setting only takes effect during the enrollment process, and any subsequent changes will not affect devices that have already been enrolled. |
Knox Service Plugin
The Knox Service Plugin (KSP) is Samsung’s OEMConfig based solution that enables you as an IT administrator to use a wide range of Knox management features with Silverback as soon as they are commercially available in the market. Please refer to Android Enterprise VII: Knox Service Plugin for additional information.
Lock Screen Message
With Android Enterprise, administrators have the ability to configure custom Lock Screen Messages for device owner devices. This feature allows you to place additional information on the device's lock screen. For example, you can display helpful information like the serial number, the device user or the managed-by information.
Use System Variables, e.g. {SerialNumber} to display Serial Number on the lock screen.
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Lock Screen Message | Enabled or Disabled | Enabled or Disabled | Enables the profile to display Lock Screen messages. |
Device Owner Information | | | Add here, as an example, information about the device user or asset information like the Serial Number. |
Organization Name | | | Add your Organization name here. It will be displayed as This device is managed by. |
Global HTTP Proxy
Enabling the Global HTTP Proxy will force all Network Traffic through a designated proxy server.
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Global HTTP Proxy | not available | Enabled or Disabled | Enables the HTTP Proxy. |
Server | not available | e.g. proxy.imagoverum.com or 10.0.0.1 | The FQDN or IP address of the proxy server. |
Port | not available | e.g. 443 | The port of the proxy server. |
App Portal
The App Portal offers users access to enterprise applications and third-party applications via a web clip icon. Administrators can decide, on a Tag-based level, which available App Portal applications will be visible and installable for users. To enable access to the App Portal for users and to push the App Portal web clip icon to devices, ensure the App Portal Enabled box is ticked.
On Android Enterprise, the App Portal should be used only to provide enterprise applications to corporate owned devices, as the Web Clip approach has shifted to Managed Play.
Setting | Android | Samsung Knox | Description |
---|---|---|---|
App Portal | Enabled or Disabled | Enabled or Disabled | Enables and pushes the App Portal Icon to enrolled devices. |
To customize the App Portal navigate to Admin > App Portal
Single App Mode
One common use case for managing mobile devices with Android Enterprise is to run them as dedicated devices that serve a specific purpose. Google formerly called these corporate-owned single-use, or COSU (Android Enterprise - Key Terms), devices. They are used in special employee-facing (inventory management, field service management, transport and logistics) and customer-facing (kiosks, digital signage, hospitality check-in) scenarios. With Silverback, you can assign a Single App and Multi App Mode profile to device owner devices to achieve the single-use mode for your managed devices, which is also commonly called kiosk mode. For additional information, please refer to Single App and Multi App Mode on Android Enterprise.
M42 Mobile (deprecated)
The M42 Mobile section allows you to configure branding options, a Service Store connection and data sources for users who use the M42 Mobile client. This section is designed for non Android Enterprise devices, where you want to provide access either to Silversync or to the Enterprise Service Management. Please refer to Matrix42 Mobile to perform configurations through Android Enterprise and provide access to Silversync.
Setting | Android | Samsung Knox | Description |
---|---|---|---|
M42 Mobile Enabled | Enabled or Disabled | Enabled or Disabled | Enables M42 Mobile Settings. |
Logo Url | e.g. https://www.imagoverum.com/logo.jpg | e.g. https://www.imagoverum.com/logo.jpg | Allows you to override the default Matrix42 Logo with a custom logo. Enter the URL of the logo file that clients should download. |
Tint Color | e.g: | e.g: | The RGB value of the main color of the M42 Mobile App. This will visually change the color of UI elements on the device. |
Username | e.g. {UserName} | e.g. {UserName} | Accepts System Variables and pre-populates the Username field. |
Password | e.g. {UserPassword} | e.g. {UserPassword} | Accepts System Variables and pre-populates the Password field. |
Server | e.g. https://www.imagoverum.com | e.g. https://www.imagoverum.com | Pre-populates the Service Store Server URL. |
Domain | e.g. iv | e.g. iv | Pre-populates the Domain field. |
Port | e.g. 443 | e.g. 443 | Pre-populates the Port field. |
Custom Data | | | This allows custom fields to be defined. For example, if a new M42Mobile app is being tested but is not publicly available, this could be used to add new configurable fields. Should only be used when directed by Matrix42. |
Sharepoint Sites (deprecated)
This section allows you to add SharePoint Sites to the M42Mobile application.
- Click New SharePoint Site
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Label | e.g. Imagoverum Sharepoint | e.g. Imagoverum Sharepoint | Display Name of the Sharepoint Site. |
URL | e.g. https://imagoverum.sharepoint.com | e.g. https://imagoverum.sharepoint.com | Sharepoint Site Address. |
Authentication Type | | | Office 365 authentication is only available for Office 365. Webforms authentication requires the user to type their credentials in the web view. Basic authentication sends the credentials of the user in the Authorization header. Form authentication is a headless authentication method for Sharepoint sites configured for Form Based Authentication. Client Certificate - Basic will provide a specified certificate to the user to use in conjunction with Basic authentication. Client Certificate - Kerberos will provide a specified certificate to the user to use in conjunction with Kerberos authentication. |
Access Model | | | The Access Model that should be used. Sharepoint 2013 Access Model is recommended for best experience. |
Content Refresh Interval (hours) | e.g. 4 | e.g. 4 | The interval for checking Sharepoint for updates. |
Username | e.g. {UserName} or tim.tober@imagoverum.com | e.g. {UserName} or tim.tober@imagoverum.com | Field to specify the Username. Custom LDAP attributes can be used in this field. |
Use User Password | Enabled or Disabled | Enabled or Disabled | Specifies that the client should automatically use the User’s Password. This is only available when Password is Cached or on initial enrollment. |
Certificate | Select Certificate | Select Certificate | Displays uploaded Certificates in Certificates section when Authentication Type is set to Client Certificate. |
Certificates (deprecated)
Silversync (deprecated)
This section allows you to add Silversync to the M42Mobile application.
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Allow File Sync | Enabled or Disabled | Enabled or Disabled | Allows File Sync. |
Disable on Blocked | Enabled or Disabled | Enabled or Disabled | Disables File Sync for blocked devices. |
Allow Sync on Cellular Data | Enabled or Disabled | Enabled or Disabled | Allow Sync when device uses Cellular. |
Cellular Data File Size Limit | e.g. 10 | e.g. 10 | Restricts file sizes in MB when device uses Cellular. |
Allow Email of Files | Enabled or Disabled | Enabled or Disabled | Allows files to be sent via Email. |
Allow Opening Files Into Other Apps | Enabled or Disabled | Enabled or Disabled | Allows opening files into other apps on device. |
Certificate Trusts
For Android and Samsung Knox devices, arbitrary certificate trusts can be defined. These certificates will be deployed to the root or intermediate trust stores on the devices.
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Certificate Settings | Enabled or Disabled | Enabled or Disabled | Enables Certificate Settings in this Tag. |
Add Root Certificate | Choose File | Choose File | Select and Upload Root Certificate. |
Certificate Password | e.g. Pa$$w0rd | e.g. Pa$$w0rd | Defines Password for Root Certificate. |
Root Certificates | e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE | e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE | Displays uploaded certificates details. |
Add Root Certificate | Choose File | Choose File | Select and Upload Root Certificate. |
Certificate Password | e.g. Pa$$w0rd | e.g. Pa$$w0rd | Defines Password for Root Certificate. |
Intermediate Certificates | e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE | e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE | Displays uploaded certificates details. |
Certificate Profile
With Silverback you can use certificates to authenticate your users to applications and corporate resources like E-Mail, Wi-Fi and Virtual Private Networks. Distributing certificates enables seamless authentication without the need to enter any usernames or passwords. On Android Enterprise, Managed Configurations make application configuration very easy for Administrators. With Silverback 20.0 Update 3 we introduced the preview of a new mechanism for distributing certificates to devices, which is designed to work with the capabilities of Managed Configurations. This feature ensures that certificates from the new certificate profile are distributed to your managed devices, and an alias can be provided in any supported Managed Configuration (e.g. Gmail, Samsung Mail, Cisco AnyConnect, F5 Access etc.) to pre-select certificates on the devices for VPN and other applications for the user. Please refer to Android III: Certificate Profile for VPN and Apps for additional information.
Logs
Logging and debugging are an important part of troubleshooting. With Silverback, Administrators can granularly and remotely control the log level for the Companion application. By default, the log level is set to Info within the System Tag. For troubleshooting, Administrators can create a new Tag, set the Log Level to any of the other offered levels, like Debug or Verbose, and apply this Tag to the affected devices. The Log Level is shown within the Companion under the Support section. Users will not be able to manually change the log level on managed devices.
When multiple Tags with different levels are assigned, the setting wins in order from top (Verbose) to bottom (Error).
Change the Log Level to Debug or Verbose only in case of troubleshooting.
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Logs Settings | Enabled or Disabled | Enabled or Disabled | Enables Logs Settings in this Tag. |
Logs Level | | | Defines the target Log Level on the devices. |
Web Clips
Silverback allows administrators to push down Internet shortcuts to their Managed Devices, giving users easy access to the websites the administrator wants.
- Click New Web Clip
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Web Clip Name | e.g. Matrix42 | e.g. Matrix42 | Web Clip Display Name. |
Link | e.g. https://www.matrix42.com | e.g. https://www.matrix42.com | Target URL for the Web Clip. |
Icon File | Choose File | Choose File | Web Clip Display Icon. Supported File Type: *.png |
Policy
With Policy or Policies, Administrators have the ability to enforce rules with Silverback, such as enforcing what Apps are installed on the devices, what Cellular Networks the device is on through to enforcing the Serial Numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor for and ‘police’ for any devices that are associated with the Tag.
OS Version Compliance
Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.
- Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
- Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.
Use this feature where you do not want devices to be automatically blocked when users upgrade their devices to a new OS version released by their software vendor.
Hardware Compliance
Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported, and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a device manufacturer releases a new version of their hardware, the model numbers may not be known by Silverback. In this case Silverback will ‘learn’ them and store them as ‘Unknown’ in the Device Types section under the Admin Tab, where the Administrator can update them manually. To allow these devices into your system, enable the ‘Unknown’ checkbox option. This will allow the device into your Silverback Environment and you can later re-classify this device type in the Admin > Device Types section.
- Alert Administrators: When the checkbox is checked it will ensure that administrators receive an email when a device that violates hardware compliance is detected.
Application Blacklist
For Android and Samsung Knox devices, administrators have two different ways to create an Application Blacklist. Depending on what you enter here in this section and what you configure under the Lockdown policy, either the Silverback blacklist or the Enforced blacklist will take effect. The Silverback blacklist is a method where the system periodically detects installed applications. In combination with the Lockdown policy, you can decide then what action should apply to a device that violates the configuration. The second method is the Enforced blacklist whitelist, where Administrators can easily decide which application should be visible or installable on the device or which applications should not be usable on devices. Please refer to Application Black- and Whitelisting for additional information.
To add an application to the blacklist
- Enter the Application Identifier (e.g. WhatsApp for the Silverback blacklist for Android, or com.whatsapp for the Enforced blacklist)
- Click Add
- Notice the info message: This application name has been blacklisted successfully.
Perform these steps for applications that you want to blacklist.
Action | Description |
---|---|
Edit | Edit the selected value in the blacklist. |
Remove | Delete the value from the blacklist. |
Lockdown
The Lockdown screen allows you to determine what device compliance policies are enabled and what action should automatically occur when a violation is detected. Each policy is enabled/disabled through their associated checkbox. Enabling a lockdown policy ensures that the device is inspected to ensure it is compliant with that policy during the initial enrollment as well as at regular intervals as defined by the ‘Perform check every’ drop down.
Lockdown Actions
Action | Description |
---|---|
No action | No action is performed on the device; however alerting administrators may be performed if configured. |
Lock | A lock command is sent to the device which will lock the screen of the device. |
Block | The device is blocked, and the device is moved to the blocked devices table. |
Delete Business Data | Deletes the device and removes all corporate data. |
Factory Wipe | The device is hard reset to factory default settings. |
Force | This will re-apply the Android Setting that disables the ability for the device to roam for voice or data. The setting is forced upon the user. For the application blacklist in particular, this prevents the application from being launched or installed on the device, depending on the operating system's behavior. |
Alert administrator | Emails are sent to all administrators notifying them of the policy violation when it is detected. |
Exclude Home Network | Allows the Administrator to disable roaming alerts for devices roaming on Home Networks. |
Allow Home Networks | The ‘Allow Home Network’ checkbox allows the user to roam on Home Networks without triggering a lockdown action. |
Lockdown Policies
Policy | General | Android | Samsung Knox | Description |
---|---|---|---|---|
Enforce SIM Authentication | Enabled or Disabled | | | The first SIM Silverback detects on a managed device will be considered the ‘canonical’ SIM. Any subsequent changes to the SIM (e.g. removal of the SIM from the device or changing the SIM on the device) are considered a policy violation. |
Enforce Application Blacklist | Enabled or Disabled (either Blacklist or Whitelist) | | | The application blacklist can be enabled or disabled from this screen. Please review the application blacklist section for more information on this configuration. |
Enforce Application Whitelist | Enabled or Disabled (either Blacklist or Whitelist) | | | Application Whitelist will ensure that each device has only applications approved by a system administrator that reside in the Silverback App Portal. Whitelist is derived from the Application Name. Ensure applications in the App Portal are labelled correctly prior to enabling Application Whitelist. |
Enforce Hardware Authentication | Enabled or Disabled | | | Hardware authentication can be enabled or disabled from this screen. See the hardware authentication for more information on this configuration. |
Enforce Basic Integrity | Enabled or Disabled | | | When the SafetyNet Attestation reports that the device does not meet the basic integrity requirements, the selected action will be triggered. |
Enforce Extended Integrity | Enabled or Disabled | | | When the SafetyNet Attestation reports that the device does not meet the extended integrity requirements, the selected action will be triggered. |
Cost Control Settings | ||||
Send Roaming Alerts | Enabled or Disabled | No actions available | No actions available | Enabling this will send an alert to all Silverback Administrators when a device starts Roaming for any reason (Voice/Data). |
Enforce Data Roaming Policy | Enabled or Disabled | | | You can choose which lockdown action to apply when a device has data roaming enabled. Availability of this setting on the device is dependent on the Carrier. |
Enforce Push While Roaming Policy | Enabled or Disabled (Enforce Data Roaming Policy will activate this setting) | not available | | You can choose which lockdown action to apply when a device has push enabled while roaming. To disable it completely, select Force as the Non-Compliance Action. |
Enforce Sync While Roaming Policy | Enabled or Disabled (Enforce Data Roaming Policy will activate this setting) | not available | | You can choose which lockdown action to apply when a device has sync enabled while roaming. To disable it completely, select Force as the Non-Compliance Action. |
Enforce Voice Roaming Policy | Enabled or Disabled (Enforce Data Roaming Policy will activate this setting) | not available | | Voice Roaming is when the device has Voice Roaming Enabled = YES on the device. Availability of this setting on the device is dependent on the Carrier. |
Enforce Home Networks Policy | Enabled or Disabled | | | Enables the ‘Home Networks’ policy, meaning Silverback Admins can specify what data networks are classed as ‘Home Networks’. |
Home Networks | Add (Enforce Home Networks Policy will activate this grid) | e.g. Imagoverum Wi-Fi | e.g. Imagoverum Wi-Fi | This grid is where Silverback Administrators can specify their ‘Home Networks’. |
Companion
Companion extends end point security into a secure workspace for your users. Users can store and edit files locally within the application, ensuring that these documents are kept securely and cannot be accessed by other applications or users. Companion also allows users and administrators to manage data usage on the device and configure policy settings around this.
Setting | Android | Samsung Knox | Description |
---|---|---|---|
Companion Enabled | Enabled or Disabled | Enabled or Disabled | Enables the Profile. |
Companion Settings | |||
Secure Enrollment | Enabled or Disabled | Enabled or Disabled | Enables Secure Enrollment for devices. |
Offline Grace Period | e.g. 30 | e.g. 30 | Companion modules will be blocked if the device doesn’t check in during this period. The value is in days. |
Custom Epic Text | e.g. This is a free form text | e.g. This is a free form text | Configure custom text to be displayed to the user. |
Show Blocked Reasons | Enabled or Disabled | Enabled or Disabled | Configures whether the user is told why they have been blocked. If this is disabled the user is not told why, just that they are blocked. |
Allow Automated Unblocking | Enabled or Disabled | Enabled or Disabled | Companion can allow users to rectify a block where it was triggered by a policy violation. For example if the user violated an application blacklist, they may remove the app and then scan with Companion to automatically become unblocked. |
File Settings | |||
Enabled Files | Enabled or Disabled | Enabled or Disabled | Determines whether the Files module is available to the users. |
Disabled on Blocked | Enabled or Disabled | Enabled or Disabled | Disables the Files module when Silverback blocks the device. |
RequirePIN | Enabled or Disabled | Enabled or Disabled | Determines whether the users are required to have a PIN code protecting Companion. |
Allow Email Out | Enabled or Disabled | Enabled or Disabled | Allow the user to email files out of Companion or not. |
Data Cost Control Settings | |||
Allow Usage | Enabled or Disabled | Enabled or Disabled | Determines whether the Data Usage module is available to the users. |
Disabled on Blocked | Enabled or Disabled | Enabled or Disabled | Disables the Data Usage module when Silverback blocks the device. |
Allow User to Change Settings | Enabled or Disabled | Enabled or Disabled | Allow the user to change settings within the Companion Client. If not, the administrator must define settings. |
Rollover Day | 1-31 | 1-31 | Determines the day for the Data Usage to be reset on the device. |
Local Data Cost Control | |||
Allow User To Reset Usage | Enabled or Disabled | Enabled or Disabled | Allow the user the ability to reset their local Data Usage within the Companion client. |
Data Allowance (MB) | e.g. 2048 | e.g. 2048 | The Amount of local Cellular Data the user is allowed, until the user is alerted and the configured action is performed. |
Action on Local Data Limit Reached | | | The MDM action that is carried out when the local data limit is reached. |
Alert Administrators | Enabled or Disabled | Enabled or Disabled | Determines whether the administrative e-mail alert is sent out when a device reaches the data limit. |
Consumed Usage Alert Threshold | 0%-100% in 5% steps | 0%-100% in 5% steps | Determines the threshold value for the local Data Allowance usage alert. When this threshold is reached, the user receives a notification on the device. |
Roaming Data Cost Control | |||
Allow User To Reset Usage | Enabled or Disabled | Enabled or Disabled | Allow the user the ability to reset their roaming Data Usage within the Companion client. |
Data Allowance (MB) | e.g. 100 | e.g. 100 | The amount of roaming Cellular Data the user is allowed, until the user is alerted and the configured action is performed. |
Action on Local Data Limit Reached | | | The MDM action that is carried out when the roaming data limit is reached. |
Alert Administrators | Enabled or Disabled | Enabled or Disabled | Determines whether the administrative e-mail alert is sent out when a device reaches the data limit. |
Consumed Usage Alert Threshold | 0%-100% in 5% steps | 0%-100% in 5% steps | Determines the threshold value for the roaming Data Allowance usage alert. When this threshold is reached, the user receives a notification on the device. |
License Message Settings | |||
Invalid Message Settings | e.g. You have no valid License. Please contact your System Administrator | e.g. You have no valid License. Please contact your System Administrator | The text message displayed on the users’ devices. |
Apps
The Apps Feature Section is how Administrators can automate the distribution of Device Apps for specific groups of users. Before you can begin assigning Apps to the Tag, you first need to have them uploaded into the Silverback App Portal. Once you have Apps in the Silverback App Portal, they can be distributed using the Apps Feature associated with your Tag.
App Types
Three different App Types are available for Android and Samsung Knox devices:
Type | Description |
---|---|
Enterprise | Applications owned by an Organization with *.apk file. |
App Store | Applications from public Google Play Store. |
Managed Play | Applications from company Google Managed Play Store. |
Managed Play application types require Android Enterprise Integration.
Assign Apps
Once Apps are uploaded into the Silverback App Portal Tab, they can be distributed to devices via a Tag they have been associated with.
- Navigate to Apps
- Click Assign More Apps
- Select any applications from the shown Assign Applications page
- Click Add Selected Apps
Overview
Already assigned applications are displayed in the Apps section of any Tag with the following columns:
Column | Description |
---|---|
Type | Displays the app type, either Enterprise, App Store or Managed Play. |
Name | Displays the application name. |
Version | Displays the application version for Enterprise Apps. |
Description | Displays the application description given in App Portal. |
Remove | Removes the App from the Tag. |
Manage Config | Click edit to change deployment options. |
Change Deployment Options
By default, configurations are inherited from the App Portal. To customize the settings, perform the following steps for each application:
- Click the Edit button in the Manage Config column
- Update Deployment Options
- Click Save
When you add an application to a Tag that has Auto Population enabled, be aware that the change takes effect immediately after the application is added to the Tag. For example, if the application has the App Management option Automatically push to managed devices enabled and you add it to an Auto Population enabled Tag, devices will instantly receive a push with the application configuration inherited from the App Portal, as this is the default configuration. In this scenario you might run into an accidental automatic installation of applications. When you want to add applications to a Tag with Auto Population enabled, either temporarily disable Auto Population or ensure, for example, that the application does not have the Automatically push to managed devices option set in the App Portal.
Content
The Content Tab is where content locations are provided for users. These are defined at a Tag level which means only users in this Tag will receive these content settings in their M42Mobile app (deprecated) or Matrix42 Documents application.
Content Provider
The following content providers can be configured for the M42Mobile App (deprecated) or the Matrix42 Documents application. The Username and Password fields support system variables, so you can dynamically configure them for all users.
Content Provider | Settings | M42Mobile (deprecated) | Matrix42 Documents |
---|---|---|---|
Silversync | | Supported, but the M42Mobile application is deprecated. | Supported with automatic configuration, please refer to the Silversync Guide for additional information. |
Box | | Supported, but the M42Mobile application is deprecated. | Not supported |
Dropbox | | Supported, but the M42Mobile application is deprecated. | Not supported |
GoogleDrive | | Supported, but the M42Mobile application is deprecated. | Supported with manual configuration. Please refer to Matrix42 Documents for additional information. |
OneDrive | | Supported, but the M42Mobile application is deprecated. | Supported with manual configuration. Please refer to Matrix42 Documents for additional information. |
ownCloud | | Supported, but the M42Mobile application is deprecated. | Not supported |
Sharepoint | | Supported, but the M42Mobile application is deprecated. | Supported with automatic configuration, please refer to the Silversync Guide and to Matrix42 Documents for additional information. |
Silversync Server Locations
There are generally two ways to assign content with Silversync:
Add Content | Requirement | Description |
---|---|---|
Selecting the folders from the Content Tree | Server Based Authentication | Expand and collapse folders if you want to assign content at a level down in the file system. |
Typing in file paths manually | User based Authentication | Assign the content manually by typing in file paths. |
To add content manually:
- Click Add
- Enter the path directly, for example:
  - C:\SilversyncContent\users\{UserName}
  - \\NetworkShare\SilversyncFiles\Everybody
Note that these paths support system variables. In the example above, “{UserName}” is replaced with each user’s username. This is useful, for example, for mapping to a home drive network share.
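Because the username becomes part of a file system path, it is worth previewing the expanded paths before assigning a template to a Tag. The following is an added example, not Silverback code: it assumes a simple `{Variable}` text substitution (the page does not describe how Silverback performs it), and the helper names and sample usernames are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Constructed templates: the two example paths shown on this page.
TEMPLATES = [
    r"C:\SilversyncContent\users\{UserName}",
    r"\\NetworkShare\SilversyncFiles\Everybody",
]
VAR = re.compile(r"\{(\w+)\}")
# Separators and characters Windows forbids inside a single path component.
FORBIDDEN = re.compile(r'[\\/:*?"<>|\x00-\x1f]')


def static_root(template):
    """Folder portion of the template that precedes the first variable."""
    if "{" not in template:
        return ntpath.normpath(template)
    head = template.split("{", 1)[0]
    return ntpath.normpath(head[: head.rfind("\\") + 1])


def expand(template, values):
    """Substitute {Variable} placeholders, refusing values that are not one plain component."""
    def substitute(match):
        value = values[match.group(1)]  # KeyError if the variable has no value
        # Reject empty values, separators, and trailing dots/spaces (covers "." and "..").
        if not value or FORBIDDEN.search(value) or value != value.rstrip(". "):
            raise ValueError(f"unsafe value for {match.group(0)}: {value!r}")
        return value
    return VAR.sub(substitute, template)


def resolve(template, values):
    """Expand the template and confirm the result stays under its static root."""
    path = ntpath.normpath(expand(template, values))
    root = static_root(template).lower()
    if ntpath.commonpath([root, path.lower()]) != root:
        raise ValueError(f"{path!r} escapes {root!r}")
    return path


def audit(template, usernames):
    """Return ({username: path}, [rejected usernames]) for a list of directory names."""
    accepted, rejected = {}, []
    for name in usernames:
        try:
            accepted[name] = resolve(template, {"UserName": name})
        except ValueError:
            rejected.append(name)
    return accepted, rejected
```

Running `audit` over an export of directory usernames shows which accounts would map outside the intended per-user folder, so they can be corrected before the template is deployed.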