Skip to main content
Matrix42 Self-Service Help Center

Tags Guide Part II: Android, SamsungSafe

Profile

Profiles for each device type are managed independently allowing separate configuration and management of profiles for each device type. When a device is provisioned, it will be provisioned with the profile configuration at the time the device was enrolled. When a profile change is made, new devices will receive the new configuration as well as devices that are currently managed and/or blocked. When any Profiles are changed, ensure the settings are correct as these will be applied immediately to all applicable devices. Please ensure you click on the Save or Save & Close button on the bottom right of the screen to commit your changes before selecting another page.

Exchange Active Sync

Setting Android Samsung Safe Description
Exchange ActiveSync Settings Enabled or Disabled Enabled or Disabled Enables Profile
Exchange Type
  • Gmail

Exchange profiles are only supported in combination with Android for Work or Android Enterprise

  • Gmail
  • Samsung Mail

Android

Determines to which E-Mail client the Exchange settings should apply.

Samsung Safe

Determines if the Exchange settings should apply to the native email client, Gmail or within an Android for Work Container.

Label e.g. Imagoverum Exchange e.g. Imagoverum Exchange or e.g.  {firstname} The Label for the Email Account as it appears on the device. Supports Silverback System Variables for Samsung Mail
Server Name e.g. outlook.office365.com  e.g. outlook.office365.com  External Exchange Active Sync address 
Domain e.g. Imagoverum e.g. Imagoverum Internal Domain Suffix for the Exchange Server
Peak Schedule (*SamsungSafe only) not available
  • Automatic
  • Never
  • 5 Minutes
  • 15 Minutes
  • 1 hour
  • 2 hours
  • 4 hours
  • 12 hours

 

Sets the default behaviour for the “Peak” period.
Past Days of Mail to Sync
  • One Day
  • Three days
  • One week
  • Two weeks
  • One Month
  • Unlimited
  • One Day
  • Three days
  • One week
  • Two weeks
  • One Month
  • Unlimited
Period of mail to synchronize to the device
Off-Peak Schedule (*SamsungSafe only) not available
  • Automatic
  • Never
  • 5 Minutes
  • 15 Minutes
  • 1 hour
  • 2 hours
  • 4 hours
  • 12 hours
Sets the default behaviour for the Off-Peak period
Peak Start Time  (*SamsungSafe only) not available Midnight - 11pm Sets the time of day in hours that the Peak period starts.
Peak Time End  (*SamsungSafe only) not available Midnight - 11pm Sets the time of day in hours that the Peak period ends. Outside of these two settings is considered “Off-Peak”.
Peak Days  (*SamsungSafe only) not available Sunday - Saturday Which days should use the Peak settings. Days not selected here will be considered Off-Peak.
Use SSL Enabled or Disabled Enabled or Disabled If the URL for the External Mail Server is protected by an SSL Certificate then use SSL.
Use Custom Username Variable e.g. {CustLdapVar0} or support@imagoverum.com e.g. {CustLdapVar0} or support@imagoverum.com Define a Custom Variable Attribute for the Username for the EAS Profile.
Use Custom Email Variable e.g. {CustLdapVar0} or tim.tober@imagoverum.com e.g. {CustLdapVar0} or tim.tober@imagoverum.com Define a Custom Variable Attribute for the Email Address for the EAS Profile.
Enterprise Certificate Choose File Choose File Upload a certificate for certificate based authentication with one certificate
Certificate Password e.g Pa$$w0rd e.g. Pa$$w0rd Password for the certificate
Trust All Certificates Enabled or Disabled Enabled or Disabled Required for client certificate authentication with the Gmail app, if the device doesn’t trust the certificates correctly.

Passcode

Settings Overview

Setting Android Samsung Safe Description
Passcode Settings Enabled or Disabled Enabled or Disabled Enables Profile
Quality
  • Numeric
  • Alpha Numeric
  • Complex
  • Numeric Complex
  • Biometric Weak
  • Numeric
  • Alpha Numeric
  • Complex
  • Numeric Complex
  • Biometric Weak
Defines the password quality
Minimum Length 4-19 4-19 The smallest number of passcode characters allowed
Maximum Passcode Age - 1-730 days or none 1-730 or empty 1-730 or empty How often passcode must be changed
Auto-lock (minutes)

1, 2, 3, 4, 5,10, 15, 20, 25,30 

1, 2, 3, 4, 5,10, 15, 20, 25,30  Device automatically locks due to inactivity after this time period
Passcode history (1-50 passcodes, or none) 1-50 or empty 1-50 or empty Number of unique passcodes required before reuse
Maximum Failed Attempts 0-12 0-12 Number of passcode entry attempts allowed before the device is reset to factory settings

Quality Overview

Quality Description
Numeric The user has to enter a password containing at least numeric characters
Alphanumeric The user has to enter a password containing at least numeric and alphabetic characters (or symbols)
Complex The user has to enter by default a password containing at least a letter, a numerical digit and a special symbol. With this password quality, passwords can be restricted to contain various sets of characters, like at least one uppercase letter etc. 
Numeric Complex The user has to enter a password containing at least numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences. 
Biometric Weak The policy allows for low-security biometric recognition technology. This implies technologies that can recognize the identity of an individual to about a 3 digit PIN (false detection is less than 1 in 1.000)

Additional Settings Complex Quality

Setting Android Samsung Safe Description
Minimum Length 4-16 4-16 Defines the Minimum Passcode length
Minimum Letters 0-15 0-15 Defines the amount of minimum required letters in the passcode
Minimum Lower Case 0-15 0-15 Defines the amount of minimum lower case letters in the passcode
Minimum Upper Case 0-15 0-15 Defines the amount of minimum uppercase case letters in the passcode
Minimum Non Letters 0-15 0-15 Defines the amount of minimum non letters (digits and complex characters) in the passcode
Minimum Numeric 0-15 0-15 Defines the amount of minimum digits in the passcode
Minimum Complex characters 0-4 0-4 Defines the amount of minimum complex characters in the passcode

Restrictions

Android Enterprise 

These restrictions applies to Android devices and Samsung Safe devices with Android Enterprise. 

Restriction Availability Options Requirements Description
Applications
Allow Apps Control
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 5.0

Specifies if a user is disallowed from modifying applications in Settings or launchers. The following actions will not be allowed when this restriction is enabled:

  • uninstalling apps
  • disabling apps
  • clearing app caches
  • clearing app data
  • force stopping apps
  • clearing app defaults
Allow Install Apps
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 4.3

Specifies if a user is disallowed from installing applications.

Allow Uninstall Apps
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 4.3

Specifies if a user is disallowed from uninstalling applications.

Allow Unknown Sources
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 4.3

Specifies if a user is disallowed from enabling the Unknown Sources setting, that allows installation of apps from unknown sources. Unknown sources exclude adb and special apps such as trusted app stores

Allow Unknown Sources (Device-wide)
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 10

This restriction is a device-wide version of Allow Unknown Sources. Specifies if all users on the device are disallowed from enabling the "Unknown Sources" setting, that allows installation of apps from unknown sources.

Force Verify Apps
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 5.0

Specifies if a user is force from enabling application verification. In Android 8.0 and higher, this is a global user restriction. The system enforces app verification across all users on the device. Running in earlier Android versions, this restriction affects only the profile that sets it.

Permission Policy
  • Device Owner
  • Work Profile
  • Prompt (Default)
  • Auto Grant
  • Auto Deny

 

Use this policy to auto grant or auto deny permission requests for installed applications. By default the user receives a prompt to accept permissions for each application separately after starting. If auto grant or auto deny is set, the UI is not shown to the user and permissions will be set as defined. 

Network and Connection
Allow Android Beam
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 5.1

Specifies if the user is not allowed to use NFC to beam out data from apps

Allow Bluetooth
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 8.0.0

Specifies if bluetooth is disallowed on the device.

Allow Bluetooth Contact Sharing
  • Work Profile
  • Enabled or Disabled

 

If disabled, contact sharing via Bluetooth will be forbidden for the user.

Allow Bluetooth Sharing
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 8.0.0

Specifies if outgoing bluetooth sharing is disallowed on the device.

Allow Configuration of Bluetooth
  • Device Owner
  • Enabled or Disabled
  • Android 4.3

Specifies if a user is disallowed from configuring bluetooth. This does not restrict the user from turning bluetooth on or off. This restriction doesn't prevent the user from using bluetooth. For disallowing usage of bluetooth completely on the device, use Allow Bluetooth

Allow Configuration of VPN
  • Device Owner
  • Enabled or Disabled
  • Android 5.0

Specifies if a user is disallowed from configuring a VPN. This restriction also prevents VPNs from starting. 

Allow Configuration of WiFi
  • Device Owner
  • Enabled or Disabled
  • Android 4.3

Specifies if a user is disallowed from changing Wi-Fi access points

Allow Configure Cell Broadcasts
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 5.0

Specifies if a user is disallowed from configuring cell broadcasts

Allow Configure Mobile Networks
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 5.0

Specifies if a user is disallowed from configuring mobile networks.

Allow Configure Tethering
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 5.0

Specifies if a user is disallowed from configuring Tethering & portable hotspots. In Android 9.0 or higher, if tethering is enabled when this restriction is set, tethering will be automatically turned off.

Allow Data Roaming
  • Device Owner
  • Enabled or Disabled
  • Android 7.0

Specifies if a user is not allowed to use cellular data when roaming.

Allow Modify DNS Settings
  • Device Owner
  • Enabled or Disabled
  • Android 10

Specifies whether the user is allowed to modify private DNS settings.

Allow Network Reset
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 6.0

Specifies if a user is disallowed from resetting network settings from Settings

Allow Share Location
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 4.3

Specifies if a user is disallowed from turning on location sharing.

Allow USB File Transfer
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 4.3

Specifies if a user is disallowed from transferring files over USB.

Security and Privacy
Allow Autofill
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 8.0.0

Specifies if a user is not allowed to use Autofill Services.

Allow Cross Profile Caller ID
  • Work Profile
  • Enabled or Disabled

 

Block the lookup of call IDs with the Work Profile. As a result a contact from the work profile is not shown with the corresponding name if the user receives a call. 

Allow Cross Profile Contact Search 
  • Work Profile
  • Enabled or Disabled

 

Block the work profile sharing contact information with the personal profile. If an IT admin blocks access, contact searches are returned as empty results

Allow Cross Profile Copy/Paste
  • Work Profile
  • Enabled or Disabled
  • Android 5.0

Specifies if the clipboard contents can be exported by pasting the data into other users or profiles. This restriction doesn't prevent import, such as someone pasting clipboard data from other profiles or users. Because it's possible to extract data from screenshots using optical character recognition (OCR), we recommend combining this restriction with Allow Screen Capture.

Allow Debugging Features
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 5.0

Specifies if a user is disallowed from enabling or accessing debugging features. It, disables debugging features altogether, including USB debugging. When set on Work Profile, it blocks debugging for that user only, including starting activities, making service calls, accessing content providers, sending broadcasts, installing/uninstalling packages, clearing user data, etc

Allow Sharing Data Into Managed Profile
  • Work Profile
  • Enabled or Disabled
  • Android 9

Specifies whether the user can share file / picture / data from the primary user into the work profile, either by sending them from the primary side, or by picking up data within an app in the work profile.

When a work profile is created, the system allows the user to send data from the primary side to the profile by setting up certain default cross profile intent filters. If this is undesired, this restriction can be set to disallow it. 

System Settings
Allow Adjust Microphone Volume
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 5.0

Specifies if a user is disallowed from adjusting microphone volume. If set, the microphone will be muted.

Allow Airplane Mode
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 9

If disabled, it disables airplane mode on the entire device.

Allow Ambient Display
  • Device Owner
  • Enabled or Disabled
  • Android 9

Specifies if ambient display is disallowed for the user.

Allow Camera in Work Profile
  • Work Profile
  • Enabled or Disabled

 

Disables the usage of the Camera inside the Work Profile for the user. 

Allow Change Language
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 9

Specifies if a user is disallowed from changing the device language.

Allow Configuration of Brightness
  • Device Owner
  • Enabled or Disabled
  • Android 9

Specifies if a user is disallowed from configuring brightness. 

Allow Configuration of Credentials
  • Device Owner
  • Enabled or Disabled
  • Android 4.3

Specifies if a user is disallowed from configuring user credentials for certificate storage etc.

Allow Configuration of Date, Time and Timezone
  • Device Owner
  • Enabled or Disabled
  • Android 9

Specifies if date, time and timezone configuring is disallowed.

Allow Configuration of Location
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 9

Specifies if a user is disallowed from enabling or disabling location providers. As a result, user is disallowed from turning on or off location.

Allow Configuration of Screen Off Timeout
  • Device Owner
  • Enabled or Disabled
  • Android 9

Specifies if a user is disallowed from changing screen off timeout.

Allow Factory Wipe
  • Device Owner
  • Enabled or Disabled
  • Android 5.0

Specifies if a user is disallowed from factory resetting from Settings.

Allow Outgoing Calls
  • Device Owner
  • Enabled or Disabled
  • Android 5.0

Specifies that the user is not allowed to make outgoing phone calls. Emergency calls are still permitted.

Allow Printing
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 9

Specifies whether the user is allowed to print

Allow Reboot Into Safe Boot Mode
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 6.0

Specifies if the user is not allowed to reboot the device into safe boot mode.

Allow Screen Capture
  • Device Owner
  • Work Profile
  • Enabled or Disabled

 

Use this API to check whether the user can take a screenshot of the device screen. 

Allow Set Wallpaper
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 7.0

User restriction to disallow setting a wallpaper

Allow SMS
  • Device Owner
  • Enabled or Disabled
  • Android 5.0

Specifies that the user is not allowed to send or receive SMS messages.

Allow System Error Dialogs
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 9

Specifies that system error dialogs for crashed or unresponsive apps should not be shown. In this case, the system will force-stop the app as if the user chooses the "close app" option on the UI. A feedback report isn't collected as there is no way for the user to provide explicit consent

Allow Volume Control
  • Device Owner
  • Enabled or Disabled
  • Android 5.0

Specifies if a user is disallowed from adjusting the master volume. If set, the master volume will be muted.

Users, Accounts and Profiles
Allow Add Users
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 5.0

Specifies if a user is disallowed from adding new users.

Allow Modify Accounts
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 4.3

Specifies if a user is disallowed from adding and removing accounts.

Allow Remove User
  • Device Owner
  • Enabled or Disabled
  • Android 4.3

When set on the primary user this specifies if the user can remove other users. When set on a secondary user, this specifies if the user can remove itself.

Allow User Switch
  • Device Owner
  • Enabled or Disabled
  • Android 9

Specifies if user switching is blocked on the current user.

Allow Create Windows
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 5

Specifies that windows besides app windows should not be created. This will block the creation of the following types of windows.

  • Toast
  • Phone
  • Priority Phone
  • System Alert
  • System Error
  • System Overlay
  • Application Overlay
Allow Set Icon
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 7.0

Specifies if a user is not allowed to change their icon.

Allow Remove Work Profile
  • Device Owner
  • Enabled or Disabled
  • Android 8.0.0

Specifies if managed profiles of this user can be removed.

Allow Adding Managed Profiles
  • Device Owner
  • Enabled or Disabled
  • Android 8.0.0

Specifies if a user is disallowed from adding managed profiles.

Allow Parent Profile Apps Linking
  • Work Profile
  • Enabled or Disabled
  • Android 6.0

Allows apps in the parent profile to handle web links from the work profile.

Content and Media
Allow Content Capture
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 10

Specifies if the contents of a user's screen is not allowed to be captured for artificial intelligence purposes.

Allow Content Suggestions
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 10

Specifies if the current user is able to receive content suggestions for selections based on the contents of their screen.

Allow Mount Physical Media
  • Device Owner
  • Work Profile
  • Enabled or Disabled
  • Android 5.0

Specifies if a user is disallowed from mounting physical external media.

Samsung Safe

These restrictions applies to Samsung Safe devices and can be combined with Android Enterprise restrictions. Due to the fact that devices with the same operating system version can have different Knox API Levels please refer to Knox version mapping.  Knox API Level is part of the Software Information sections under About phone in device settings. 

Restriction Availability Options Requirements Description
Allow App Store
  • Samsung Safe
  • Enabled or Disabled
  • Android 3.2
  • Knox API Level 2

Use this API to disable the Google Play application silently.

Allow Automatic Sync while Roaming
  • Samsung Safe
  • Enabled or Disabled
  • Android 2
  • Knox API Level 1

API to check whether automatic syncing during roaming is enabled.

Allow Camera
  • Samsung Safe
  • Enabled or Disabled
  • Android 3.2
  • Knox API Level 2

Use this API to check whether the camera is enabled or not. 

Allow Screen Capture
  • Samsung Safe
  • Enabled or Disabled
  • Android 3.2
  • Knox API Level 2

Use this API to check whether the user can take a screenshot of the device screen. 

Allow Youtube
  • Samsung Safe
  • Enabled or Disabled
  • Android 3.2
  • Knox API Level 2

Use this API to disable the YouTube application silently.

Allow Voice Dialing
  • Samsung Safe
  • Enabled or Disabled
  • Android 3.2
  • Knox API Level 2

Use this setting to disable the voice dialer application silently. Third-party voice dialer applications are not affected by this.

Allow Wi-Fi AP Setting User Modification
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 4

Use this API to deny the user modifying Wi-Fi AP settings. When disabled, the UI is grayed out so the user cannot modify the settings. When enabled, the user can modify the Wi-Fi AP Settings.

Allow Non-Marketplace Apps
  • Samsung Safe
  • Enabled or Disabled
  • Android 3.2
  • Knox API Level 2

Allow or disallow installation of non-Google-Play applications. If disabled, installation of non-Google-Play applications is disabled, and the user cannot access the UI until the administrator enables access again. If set to enabled, UI access to enabling installation of non-Google-Play applications is enabled. Enabling UI access does not enable the actual functionality.

Allow USB Debugging
  • Samsung Safe
  • Enabled or Disabled
  • Android 3.2
  • Knox API Level 2

For a device managed by multiple administrators, USB debugging is disabled if at least one administrator has disabled it.

Allow Writing to SD Card
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 5

Enable or disable writing to the SD card. If disabled, all possible writes to the SD card are blocked.

Allow S Beam

  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 6

Set this policy to block the use of S Beam on the device. S Beam allows users to share content using near field communication (NFC) or Wi-Fi Direct. When S Beam is disabled, the user cannot send or receive files using S Beam.

Allow App Uninstallation
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 4

Set the application uninstallation mode on the device to disallow

Allow Wi-Fi Direct
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 6

Disable Wi-Fi Direct without user interaction. When Wi-Fi Direct is disabled, any ongoing Wi-Fi Direct connection is interrupted, and the user cannot turn on Wi-Fi Direct. S-Beam feature which depend on this policy will also be affected by this setting.

Allow Wallpaper Changes
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 5

Use this settings to check whether the user is allowed to change the device wallpaper or not. 

Allow Native VPN Access
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 4

Use this settings to check whether a user can use the native VPN functionality or not.

Allow Video Recording
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 6

Enable or disable video recording without user interaction. The device camera is still available after disabling video recording so that user can take pictures and use video streaming. When video recording is disabled, any ongoing video recording is interrupted.

Allow User to set Mobile Data Limit
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 6

Use this setting to check whether the user is allowed to set the mobile data limit and take appropriate action based on enterprise policy.

Allow USB Host Storage
  • Samsung Safe
  • Enabled or Disabled
  • Android 3.2
  • Knox API Level 2
Use this setting to check whether USB host storage devices are allowed to be mounted. Through USB OTG, a user can connect any pen drive (portable USB storage), external HD, or SD card reader, and it is mounted as a storage drive on the device.
Allow User to Stop System Apps
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 6

Use this setting to disable a force stop button for system-signed applications on the application Info UI in Settings and the stop button for the system application process on the Running application UI in Settings.

Allow User Access to Status Bar Controls
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 5

Use this setting to check whether status bar expansion is allowed. If disabled, the user won't be able to expand the status bar on the device

 

Allow Share Via List
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 6

Disable the display of the Share Via List. The Share Via List is displayed in certain applications that share data with other applications.

Allow Settings Access to User
  • Samsung Safe
  • Enabled or Disabled
  • Android 3.2
  • Knox API Level 2

Allow or prevent changes to Settings application. After disabling Settings, several changes to system preferences cannot be made.

Allow Safe Mode Boot
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 6

Administrator can use this API to allow or disallow Safe Mode boot.

Allow S Voice
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 6

Use this API to check whether the S Voice application is allowed to be launched or not. 

Allow Power Off
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 5

API to allow or disallow the user to power off the device by pressing the power button. For a device managed by multiple administrators, each administrator can apply a different status. Powering off using the power button is disabled if at least one administrator disables it. Powering off is enabled only if all administrators enable it. If powering off is disabled, a toast with the message "Security policy prevents power off" appears when the user tries to power off the device.

Allow Over the Air Upgrade
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 5

Use this API to allow or disallow upgrading the OS via a firmware-over-the-air (FOTA) client (for example, Samsung DM or WebSync DM). If disabled, all possible OTA upgrade requests (user initiated, server initiated, and system initiated) are blocked; the user may see server messages related to new firmware updates but any attempt to upgrade fails. Allow Lock Screen View Settings

Allow Lock Screen View Settings
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 6

API to check whether the usage of lock screen views is allowed or not.

Allow Google Crash Report Submission
  • Samsung Safe
  • Enabled or Disabled
  • API Level 5
  • MDM 3.0

Use this API to enable or disable sending a crash report to Google. If disabled, all possible Google crash reports are blocked.

Allow User to Perform Factory Reset
  • Samsung Safe
  • Enabled or Disabled
  • Android 3.2
  • Knox API Level 2

Use this API to check whether a user is allowed to perform a factory reset

Allow Clipboard Sharing Between Apps
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 6

Use this API to allow or disallow sharing a global clipboard between applications. If the administrator disallows clipboard sharing, each application has an individual clipboard.

Allow User to Set Background Process Limit
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 6

Use this API to check whether a limit on background processes is allowed and take appropriate action based on enterprise policy.

Allow Audio Recording
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 6

Disable audio recording. The device microphone is still available after disabling audio recording so that the user can make calls and use audio streaming. This API relies on declared use of the audio, allowing only calls, voice recognition, and voice over IP (VoIP). If the application declares a use type and does something else, then this API is not able to block it. When audio recording is disabled, any ongoing audio recording is interrupted. Video recording is still allowed if no audio recording is attempted.

Allow Android Beam
  • Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 6

Configure if Android Beam is allowed on device or not.

Allow Google Backup
  • Samsung Safe
  • Enabled or Disabled
  • Android 3.2
  • Knox API Level 2

For a device managed by multiple administrators, Google backup is disabled if at least one administrator has disabled it.

Allow Call
  • Samsung Safe
  • Enable Incoming Call
  • Enable Outgoing Call

 

Configure of devices can receive incoming calls or perform outgoing calls. 

Allow Tethering
  • Samsung Safe
  • Enable Bluetooth Tethering
  • Enable Wi-Fi Tethering
  • Enable USB Tethering
  • Android 3.2
  • Knox API Level 2

Use this API to block the device from sharing its carrier data with another device through USB, WiFi, and Bluetooth.

Allow Browser
  • ​​​​​​​Samsung Safe
  • Enable Autofill
  • Enable Javascript
  • Allow Popup
  • Force Fraud Warning
  • Allow Cookies
  • Android 3.2
  • Knox API Level 2

This class provides APIs to control browser settings. The user cannot change the settings provided by this policy once the settings are disabled. The policies are applied only to Samsung browser. The policies do not apply to any third-party browser.

Allow SMS
  • ​​​​​​​Samsung Safe
  • Enable Incoming SMS
  • Enable Outgoing SMS
  • Android 4
  • Knox API Level 5
Use this setting to allow or disallow incoming SMS messages.
Allow MMS
  • ​​​​​​​Samsung Safe
  • Enable Incoming MMS
  • Enable Outgoing MMS
  • Android 4
  • Knox API Level 5
Use this API to allow or disallow incoming MMS messages.
Allow NFC
  • ​​​​​​​Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 11
Use this setting to disallow NFC on the device. The user won't be able to change the state. 
Allow GPS state change
  • ​​​​​​​Samsung Safe
  • Enabled or Disabled
  • Android 4
  • Knox API Level 5
Use this API check whether the user is allowed to change the GPS state. If not allowed, the user cannot change GPS UI settings and Location Services will be deactivated.

 

Legacy

Legacy Restrictions are a mix of restrictions, that came historically and can't be dedicated to Android Enterprise or Samsung Safe, has been build for Silverback Management purposes or are replaced with automatic settings. As an example Storage Encryption needed to be activated in older Android devices, but nowadays all devices will be encrypted by default.

Restriction Availability Options Description
Allow Camera
  • Legacy Management
  • Device Owner
  • Enabled or Disabled
Historically this settings was present for Android devices in former times and can now be used for Device Owner but is not an explicit Android Enterprise control. 
Enable Bluetooth During Enrollment
  • Android Legacy Management
  • Device Owner
  • Work Profile
  • Enabled or Disabled
If this setting is applied, Bluetooth will be automatically activated during the device enrollment process as a one time switch. Please note if disabled, it will disable Bluetooth if is activated on the device. 
Enable Wi-Fi During Enrollment
  • Android Legacy Management
  • Device Owner
  • Work Profile
  • Enabled or Disabled
If this setting is applied, Wi-Fi will be automatically activated during the device enrollment process as a one time switch. Please note if disabled, it will disable Wi-Fi if this connection type is used during the enrollment.
Allow Wi-Fi
  • Samsung Safe
  • Enabled or Disabled

If this setting is applied, Wi-Fi will be automatically activated during the device enrollment process as a one time switch. Please note if disabled, it will disable Wi-Fi if this connection type is used during the enrollment.

Allow Bluetooth
  • Samsung Safe
  • Enabled or Disabled

If this setting is applied, Bluetooth will be automatically activated during the device enrollment process as a one time switch. Please note if disabled, it will disable Bluetooth if is activated on the device. 

Force Storage Encryption
  • Android Legacy Management
  • Samsung Safe
  • Enabled or Disabled
In previously ages Android or Samsung Devices were not encrypted by default. This setting was used to force the encryption of the device storage.
Force Internal Storage Encryption
  • Samsung Safe
  • Enabled or Disabled
In contrast to Android devices, Samsung Safe had the possibility to distinguished the encryption setting for internal and external storage. Please note that newer devices are by default encrypted.
Force External Storage Encryption
  • Samsung Safe
  • Enabled or Disabled
In contrast to Android devices, Samsung Safe had the possibility to distinguished the encryption setting for internal and external storage. Please note that newer devices are by default encrypted.

Virtual Private Network

For Android Enterprise devices please use the Managed Configuration for each individual Virtual Private Network client. 

Setting Android Samsung Safe Description
VPN Settings not available Enabled or disabled Enables Profile
VPN Type not available Cisco AnyConnect Supported VPN Provider
Connection Name not available e.g. Imagoverum VPN Display name in AnyConnect
Server Address not available e.g vpn.imagoverum.com Server Address for VPN Endpoint
Authentication Type not available Certificate Supported Authentication Type

System Update

Android devices can receive and install over-the-air (OTA) updates to the system and application software. Android notifies the device user that a system update is available and the device user can install the update immediately or later. You can manage system updates for Device Owner mode devices. 

Setting Android Samsung Safe
System Update
  • Device Default
  • Automatic
  • Postpone
  • Maintenance Window
  • Device Default
  • Automatic
  • Postpone
  • Maintenance Window
Start time 00:00 - 23:30 00:00 - 23:30
End Time 00:30 - 00:00 00:30 - 00:00
Supported for Device Owner  Device Owner 

Automatic: Installs system updates as soon as they become available (without user interaction). Setting this policy type immediately installs any pending updates that might be postponed or waiting for a maintenance window.

Postpone: Postpones the installation of system updates for 30 days. After the 30-day period has ended, the system prompts the device user to install the update.

Postponing OTA updates can prevent devices from receiving critical updates. For this reason device manufacturers or carriers might choose to exempt important security updates from a postponement policy. Exempted updates notify the device user when they become available.

Maintenance Window:  Installs system updates during a daily maintenance window (without user interaction). Set the start and end of the daily maintenance window, as minutes of the day, when creating a new windowed policy. The period begins when the system first postpones the update and setting new postponement policies won’t extend the period.

Private APN

If you have a Private Access Point Name (APN) for your SIM Cards, then Silverback has the ability to configure this for you on the managed devices.

Setting Android Samsung Safe Description
  Private APN Settings     not available     Enabled or Disabled     Enables the Private APN Feature on Selected Devices.  
  Name     not available     e.g. VFD2 Web     The name of the carrier access point  
  Username     not available     e.g User     The username to connect to the access point  
  Password     not available     e.g Pa$$w0rd     The password to connect to the access point  
  Server     not available     e.g web.vodafone.com     The fully qualified address of the proxy server  
Proxy not available e.g apn.proxy.com APN Proxy
Port not available e.g. 8080 APN Port
Type not available e.g. default,supl,mms APN Type
Auth Type not available
  • None
  • PAP
  • CHAP
  • CHAP or PAP
APN Authentication Type

Wi-Fi

Silverback also has the ability to pre-populate multiple Wi-Fi settings on your devices, so the user does not need to know the password for these networks themselves.

  • Click New WiFi Profile
Setting Android Samsung Safe Description
  Wi-Fi Settings   Enabled or Disabled   Enabled or Disabled   Enables the sending of Wi-Fi settings
  SSID   e.g. Corporate Wi-Fi   e.g. Corporate Wi-Fi Service Set Identifier of the wireless network
Security Type  
  • WEP
  • WPA2
  • WEP Enterprise
  • WPA2 Enterprise
  • WEP
  • WPA2
  • WEP Enterprise
  • WPA2 Enterprise
Defines the used Wireless network encryption
  Hidden Network     Enabled or Disabled   Enabled or Disabled Enable if the target network is not open or hidden
Automatically Join     Enabled or Disabled   Enabled or Disabled The device will automatically join the Wi-Fi network
Password e.g. Pa$$w0rd e.g. Pa$$w0rd Password for authenticating to the wireless network
Proxy (WEP Enterprise & WPA2 Enterprise only)
Protocols  
  • TLS
  • LEAP
  • TTLS
  • PEAP
  • EAP-FAST
  • TLS
  • LEAP
  • TTLS
  • PEAP
  • EAP-FAST
Defines the protocol utilized by encryption type
Authentication 
  • Use Individual Username
    • Use User Password
  • Use Individual Client Certificates
    • Individual Client Certificate subject
    • Populate into Active Directory
  • Add Certificates
  • Use Individual Username
    • Use User Password
  • Use Individual Client Certificates
    • Individual Client Certificate subject
    • Populate into Active Directory
  • Add Certificates
Defines the used authentication mechanism
Trust
  • Add Certificate
  • Remove Certificate
  • Add Certificate
  • Remove Certificate
Defines Trusted certificates
Proxy
  • Enable Proxy
  • Server
  • Port 
  • Exclusion list
  • Enable Proxy
  • Server
  • Port 
  • Exclusion list
Ensures the device talks to the necessary Proxy

Work Profile 

Work Profile is designed for Android for Work purpose. When enabled, the device will automatically activate the  Android for Work Container on the device.

Setting Android Samsung Safe Description
Work Profile   Enabled or Disabled   Enabled or Disabled   Enables the Work Profile
Passcode Settings   Enabled or Disabled Enabled or Disabled Enables the usage of a separated passcode for the Android for Work Container
Quality
  • Numeric
  • Alpha Numeric
  • Complex
  • Numeric
  • Alpha Numeric
  • Complex

Defines the minimum requirements for passcode.

Minimum Length 4-19 4-19 Defines the minimum passcode length 
Maximum Passcode Age 1-730 or empty 1-730 or empty How often passcode must be changed
Passcode history 1-50 or empty 1.50 or empty Number of unique passcodes required before reuse.
Auto-update apps
  • Choice to the user
  • Over any network
  • Over Wi-Fi Only
  • Do not auto-update apps
  • Choice to the user
  • Over any network
  • Over Wi-Fi Only
  • Do not auto-update apps
Configures the Auto-update apps settings in Google Managed Play 

Managed Account

Managed Account is designed for Device Owner purpose on Android Enterprise. By enabling managed account the device owner device on Android and SamsungSafe devices will receive an corporate Account for the Google Managed Play

Device Owner mode needs to be activated on Out-of-box experience on every device. Instead of entering a personal Google account use afw#matrix42 as username. Afterwards the companion application will be downloaded and the device will be enrolled during the Out-of-box experience. 

Setting Android Samsung Safe Description
Managed Account   Enabled or Disabled   Enabled or Disabled   Enables the Managed Account
Auto-update apps
  • Choice to the user
  • Over any network
  • Over Wi-Fi Only
  • Do not auto-update apps
  • Choice to the user
  • Over any network
  • Over Wi-Fi Only
  • Do not auto-update apps
Configures the Auto-update apps settings in Google Managed Play 

Lock Screen Message

On Android Enterprise, administrators have the ability to configure Custom Lock Screen Messages for device owner devices.. This feature allows to place additional information on the devices lock screen. As an example you can place useful information like the serial number, the device user or the managed by information.

Use System Variables, e.g. {SerialNumber} to display Serial Number on the lock screen. 

Setting Android Samsung Safe Description
Lock Screen Message Enabled or Disabled Enabled or Disabled Enables the profile to display Lock Screen messages
Device Owner Information
  • e.g. Device Owner: {firstname} {lastname}
  • e.g. Serial Number: {SerialNumber}
  • e.g. Device Owner: {firstname} {lastname}
  • e.g. Serial Number: {SerialNumber}

Add here as an example information about the device user or asset information like the Serial Number

Organization Name
  • e.g. Imagoverum
  • e.g. Imagoverum

Add here your Organization name. It will be displayed as This device is managed by

Global HTTP Proxy

Enabling the Global HTTP Proxy will force all Network Traffic through a designated proxy server.

Setting Android Samsung Safe Description
Global HTTP Proxy   not available   Enabled or Disabled   Enables the HTTP Proxy
Server   not available e.g. proxy.imagoverum.com or 10.0.0.1 The FQDN or IP address of the proxy server
Port not available e.g 443 The port of the proxy server

App Portal

The Application portal is where devices can access Enterprise applications and recommended Third Party applications via a web clip icon. To enable access to the Application portal for end users and push the app portal web clip icon to devices, ensure App Portal Enabled box is ticked.

Setting Android Samsung Safe Description
App Portal   Enabled or Disabled   Enabled or Disabled   Enables and pushes the App Portal Icon to enrolled devices.

To customize the App Portal navigate to Admin > App Portal  

Single App Mode 

Single App Mode will enable the dedicated devices purpose of device owner mode devices. The devices will run in a kiosk mode with the defined application. 

Setting Android Samsung Safe Description
Single App Mode   Enabled   Enabled Enables and lock the device to a single purpose used application
Applica   tion Identifier e.g. com.matrix42.securecontainer e.g. com.matrix42.securecontainer

Defines the app which should run in Single App Mode

Application must either be present in App Portal as Managed Play or a pre-installed system app on device. By entering e.g. com a suggestion appears for all Apps marked as Managed Play in App Portal

M42 Mobile

The M42 Mobile section allows you to configure Branding, Service Store connection and data sources for users who use the M42 Mobile client.

Setting Android Samsung Safe Description
M42 Mobile Enabled   Enabled or Disabled   Enabled or Disabled   Enables M42 Mobile Settings
Logo Url e.g. https://www.imagoverum.com/logo.jpg e.g https://www.imagoverum.com/logo.jpg Allows  to override the default Matrix42 Logo with a custom logo. Enter the URL of the logo file that clients should download.
Tint Color

e.g: 

  • R: 252
  • G: 133
  • B: 41

e.g: 

  • R: 252
  • G: 133
  • B: 41
The RGB value of the main color of the M42 Mobile App. This will visually change the color of UI elements on the device.
Username e.g. {UserName} e.g. {UserName} Accepts System Variables ands pre-populates the Username field. 
Password e.g. {UserPassword} e.g. {UserPassword} Accepts System Variables ands pre-populates the Password field
Server e.g https://www.imagoverum.com e.g https://www.imagoverum.com Pre-populates the Service Store Server URL.
Domain e.g. iv e.g iv Pre-populates the Domain field
Port e.g. 443 e.g. 443 Pre-populates the Port field
Custom Data
  • Key
  • Values

 

  • Key
  • Values

This allows custom fields to be defined, for example if a new M42Mobile app is being tested but not publicly available, this could be used to add new configurable fields.

Should only be used when directed by Matrix42.

Sharepoint Sites

This sections allows to add SharePoint Sites to M42Mobile Application.

  • Click New SharePoint Site
Setting Android Samsung Safe Description
Label   e.g. Imagoverum Sharepoint e.g. Imagoverum Sharepoint Display Name of the Sharepoint Site
URL e.g. https://imagoverum.sharepoint.com e.g. https://imagoverum.sharepoint.com Sharepoint Site Address
Authentication Type
  • Office365
  • Web Forms
  • Basic Authentication
  • Form Authentication
  • Client Certificate - Basic
  • Client Certificate - Kerberos
  • Office365
  • Web Forms
  • Basic Authentication
  • Form Authentication
  • Client Certificate - Basic
  • Client Certificate - Kerberos

Office 365 authentication is only available for Office 365

Webforms authentication requires the user to type their credentials in the web view

Basic authentication sends the credentials of the user in the Authorization header

Form authentication is a headless authentication method for Sharepoint site configured for Form Based Authentication

Client Certificate - Basic will provide a specified certificate to the user to use in conjunction with Basic authentication

Client Certificate - Kerberos will provide a specified certificate to the user to use in conjunction with Kerberos authentication
Access Model
  • Sharepoint 2013 REST
  • Sharepoint 2010 REST
  • Sharepoint 2013 REST
  • Sharepoint 2010 REST
The Access Model that should be used.
Sharepoint 2013 Access Model is recommended for best experience.
Content Refresh Interval (hours) e.g. 4 e.g. 4 The Interval for check Sharepoint for Updates.
Username e.g. {UserName} or tim.tober@imagoverum.com e.g. {UserName} or tim.tober@imagoverum.com Field to specify the Username.
Custom LDAP attributes can be used in this field.
Use User Password Enabled or Disabled Enabled or Disabled Specifies that the client should automatically use the User’s Password. This is only available when Password is Cached or on initial enrollment
Certificate Select Certificate Select Certificate

Displays uploaded Certificates in Certificates section when Authentication Type is set to Client Certificate

Certificates

 

Silversync

This sections allows to add Silversync to M42Mobile Application.

Setting Android Samsung Safe Description
Allow File Sync   Enabled or Disabled Enabled or Disabled Allows File Sync
Disable on Blocked Enabled or Disabled Enabled or Disabled Disables File Sync for blocked devices
Allow Sync on Cellular Data Enabled or Disabled Enabled or Disabled Allow Sync when device uses Cellular
Cellular Data File Size Limit e.g. 10 e.g. 10 Restricts file sizes in MB when device uses Cellular
Allow Email of Files Enabled or Disabled Enabled or Disabled Allows to Email File types via Email
Allow Opening Files Into Other Apps Enabled or Disabled Enabled or Disabled Allows opening files into other apps on device

Certificate Trusts  

For Android and Samsung SAFE devices, arbitrary certificate trusts can be defined. These certificates will be deployed to the root or intermediate trust stores on the devices.

Setting Android Samsung Safe Description
Certificate Settings   Enabled or Disabled Enabled or Disabled Enables Certificate Settings in this Tag
Add Root Certificate Choose File Choose File Select and Upload Root Certificate
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd Defines Password for Root Certificate
Root Certificates e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE Displays uploaded certificates details
Add Root Certificate Choose File Choose File Select and Upload Root Certificate
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd Defines Password for Root Certificate
Intermediate Certificates e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE Displays uploaded certificates details

Web Clips 

Silverback allows administrators to push down Internet shortcuts to their Managed Devices, giving users easy access to the websites the administrator wants.

  • Click New Web Clip
Setting Android Samsung Safe Description
Web Clip Name   e.g. Matrix42 e.g. Matrix42 Web Clip Display Name 
Link e.g. https://www.matrix42.com e.g. https://www.matrix42.com Target URL for the Web Clip
Icon File Choose File Choose File Web Clip Display Icon.  Support File Type: *.png

KNOX 

KNOX Containers are deprecated by Silverback 20.0 and are replaced with Android Enterprise Work Files. Please refer to Silverback 20.0 Release Notes

KNOX is a section where Administrators can configure settings for Samsung KNOX enabled devices. The KNOX Section is only available when a Tag is enabled for Samsung SAFE devices. To enter the Samsung KNOX License Key navigate to Admin > Licenses > Samsung Knox License. 

  • Navigate within the Tag to Knox in the left Panel
  • Click New Container
  • Enter a friendly name
  • Click Save
  • Click OK 
  • Now configure the Samsung Knox Container

Restrictions

To allow a function for the Container you are creating or editing, simply ensure the corresponding checkbox is ticked and click Save or Save & Close at the bottom of the page.

Setting Android Samsung Safe Description
Allow Share List   not available Enabled or Disabled Disables the display of the Share Via List, the Share Via List is displayed in certain applications that share data with other applications.
Allow Camera not available Enabled or Disabled

Disables the photo camera, video camera, and video telephony functionality without user interaction. User or third-party applications cannot enable the camera once it is disabled.

Allow Non Secure Keypad not available Enabled or Disabled  
Allow Knox App Store not available Enabled or Disabled  
Browser
Allow Auto Fill not available Enabled or Disabled The setting applies to the native Android browser to prevent any website from providing autofill suggestions when a user is filling in form data on the webpage, even if the user has previously filled in the form
Allow Cookies not available Enabled or Disabled This setting is applied to the native Android browser to prevent any website from storing cookies related to the website on the device
Show Security Warning not available Enabled or Disabled This setting applies to the native Android browser to force the browser to show an untrusted certificate security warning to the user when applicable. If the user tries to connect to a website whose certificate is not present in the certificate trust chain used by the browser, the security warning is shown.
Allow Javascript not available Enabled or Disabled This setting is applied to the native Android browser to prevent the browser from running JavaScript code for a website
Allow Pop-ups not available Enabled or Disabled If set to Disabled, the setting overrides the default pop-up browser setting to prevent any website from popping up new browser windows when the user navigates to a website that invokes such action
Email Policies
Allow Account Additions not available Enabled or Disabled Restrict user from adding any new email accounts. Only  administrators can still add an account.

Password

This section governs the security level of the password for the specific Container if enabled.

Setting Android Samsung Safe Description
Password Settings   not available Enabled or Disabled Disables the display of the Share Via List, the Share Via List is displayed in certain applications that share data with other applications.
Minimum Length not available e.g. 4

Disables the photo camera, video camera, and video telephony functionality without user interaction. User or third-party applications cannot enable the camera once it is disabled.

Maximum times a character can occur not available e.g. 10 Maximum times an individual character can occur in the password
Maximum character sequence length not available e.g. 10 Maximum sequence for letters, for example a maximum of 3 would allow “abc” but not “abcd”
Maximum numeric sequence length not available e.g. 10 Maximum sequence for numbers, for example a maximum of 3 would allow “123” but not “1234”
Maximum failed attempts to disable container not available e.g. 10 Number of times the user can enter an incorrect password before access to the Container is disabled
Idle time for key guard lock (seconds) not available e.g 600 Amount of time before the device automatically locks when not interacted with
Forbidden strings in password (comma delimited) not available e.g. pass,password List of words or numbers, delimited by comma, that are not allowed to exist within the password as a whole. For example, a setting of “word” would not allow the password “password”
Minimum number of changed characters from previous password not available e.g. 10 Number of characters that must be different from the previous password, this prevents the user using the same password and incrementing a tailing number for example
Number of historical passwords to remember not available e.g. 10 Number of passwords to remember that the user cannot use again

not available Enabled or Disabled Allow the user to make their password visible when editing it

Exchange ActiveSync

This section governs the Exchange ActiveSync settings for the specific Container if enabled.

Setting Android Samsung Safe Description

Exchange ActiveSync Settings

not available Enabled or Disabled Disables the display of the Share Via List, the Share Via List is displayed in certain applications that share data with other applications.
Label not available e.g. Imagoverum E-Mail The Label for the Email Account as it appears on the device.
Servername not available e.g. outlook.office365.com  The External Mail Server URL
Past Days of Mail to Sync not available
  • Unlimited
  • One Day
  • Three Days
  • One Week
  • Two Weeks
  • One Month
Period of mail to synchronize to the device
Use SSL not available Enabled or Disabled If the URL for the External Mail Server is protected by an SSL Certificate then use SSL.
Use Custom Username Variable not available e.g. {CustLdapVar0}or support@imagoverum.com Define a Custom Variable Attribute for the Username for the EAS Profile.
Use Custom Email Variable not available e.g{CustLdapVar0} or tim.tober@imagoverum.com Define a Custom Variable Attribute for the Email Address for the EAS Profile.
Always Vibrate On Email Notification not available Enabled or Disabled Sets the mail settings to vibrate when receiving a mail
Allow Calendar not available Enabled or Disabled Determines whether the user can use the calendar associated with the Exchange ActiveSync Account
Allow Contacts not available Enabled or Disabled Determines whether the user can use the contacts associated with the Exchange ActiveSync Account
Allow Tasks not available Enabled or Disabled Determines whether the user can use the tasks associated with the Exchange ActiveSync Account
Allow Notes not available Enabled or Disabled Determines whether the user can use the notes associated with the Exchange ActiveSync Account
Default Signature not available

e.g. 

Best Regards

Imagoverum

Elbinger Str. 7

60487 Frankfurt am Main

Pre-Define a signature for the account
Enterprise Certificate not available Choose File Upload a certificate for Authentication
Certificate Password not available e.g. Pa$$w0rd Password for the certificate

Apps 

Enterprise Apps that have been nominated as “KNOX Signed” when being uploaded to the App Portal section can be assigned to KNOX Containers. These apps will be deployed within the Container on the device. This page lists the currently assigned apps, and lets you assign more to the Container.

  • Click Assign More Apps
  • Select the Apps to assign to the Tag
  • Click Add Select Apps 
Column Android Samsung Safe Description

Type

not available Enterprise Displays the app type
Name not available e.g. M42Mobile Displays the name of the app
Description not available e.g.  The Matrix42 Mobile App delivers the power of Matrix42 Workspace Management at your users' fingertips, anytime and anywhere... Displays the app description
Remove not available Admin_Guide_SB_027.png Removes the app from the tag

Policy 

With Policy or Policies Administrators have the ability to enforce rules with Silverback, such as enforcing what Apps are installed on the devices, what Cellular Networks the device is on through to enforcing the Serial Numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor for and ‘police’ for any devices that are associated with the Tag.

OS Version Compliance

Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.

  • Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
  • Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.

Use this feature where you do not want devices to be automatically blocked when a user upgrades their device to a new future OS version that is released by their software vendor.

Hardware Compliance

Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a Device Manufacturer release a new version of their hardware the model numbers may not be known by Silverback, in this case Silverback will ‘learn’ them and store them as ‘Unknown’ in the Device Types section under the Admin Tab where the Administrator can update them manually. To allow these devices into your system you enable the ‘Unknown’ checkbox option. This will allow the device into your Silverback Environment and you can later re-classify this device type in the Admin > Device Types section.

  • Alert Administrators:  When the  checkbox is checked it will ensure that administrators receive an email when a device that violates hardware compliance is detected.

Application Blacklist

Silverback maintains a blacklist of application names to ensure the detection and management of devices with blacklisted applications. The blacklist works by matching application names of applications on devices against the strings in the blacklist. The blacklist employs a case-insensitive substring search algorithm to determine policy violations.

To add an application to the blacklist

  • Enter the Application Identifier (e.g. WhatsApp) 
  • Click Add
  • Notice the info message: This application name has been blacklisted successfully.

Perform these steps for applications that you want to blacklist.

Action Description
Edit Edit the selected value in the blacklist
Remove Delete the value from the blacklist

Lockdown

The Lockdown screen allows you to determine what device compliance policies are enabled and what action should automatically occur when a violation is detected. Each policy is enabled/disabled through their associated checkbox. Enabling a lockdown policy ensures that the device is inspected to ensure it is compliant with that policy during the initial enrollment as well as at regular intervals as defined by the ‘Perform check every’ drop down.

Lockdown Actions

Action Description
No action No action is performed on the device; however alerting administrators may be performed if configured.
Lock A lock command is sent to the device which will lock the screen of the device. 
Block The device is blocked, and the device is moved to the blocked devices table. 
Wipe The device is hard reset to factory default settings.
Force This will re-apply the Android Setting that disables the ability for the device to roam for voice or data. The setting is forced upon the user.  For application black list in particular, this will prevent the application from launching or being installed on the device.
Alert administrator Emails are sent to all administrators notifying them of the policy violation when it is detected. 
Exclude Home Network Allows the Administrator to disable roaming alerts for devices roaming on Home Networks
Allow Home Networks Allow Home Network’ checkbox allows the user to roam on Home Networks without triggering lockdown action.

Lockdown Policies

Policy  General Android SamsungSafe Description
Enforce SIM Authentication Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
The first SIM Silverback detects on a managed device will be considered the ‘canonical’ SIM. Any subsequent changes to the SIM (e.g. removal of the SIM from the device or changing the SIM on the device) are considered a policy violation.
Enforce Application Blacklist

Enabled or Disabled

Either Blacklist or Whitelist

  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • Force

See the blacklist section for more information on this configuration. The blacklist can be enabled or disabled from this screen.

Enforce Application Whitelist

Enabled or Disabled

Either Blacklist or Whitelist

  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • Force

Application Whitelist will ensure that each device has only applications approved by a system administrator that reside in the Silverback App Portal. Whitelist is derived from the Application Name. Ensure applications in the App Portal are labelled correctly prior to enabling Application Whitelist.

Enforce Hardware Authentication Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
Hardware authentication can be enabled or disabled from this screen. See the hardware authentication for more information on this configuration.
Cost Control Settings
Send Roaming Alerts Enabled or Disabled No actions available No actions available

Enabling this will send an alert to all Silverback Administrators when a device starts Roaming for any reason (Voice/Data).

Enforce Data Roaming Policy Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • Force

You can choose which lockdown action to apply when a device has data roaming enabled. Availability of this setting on the device is dependent on the Carrier.

Enforce Push While Roaming Policy

Enabled or Disabled

Enforce Data Roaming Policy will activate this setting

 

not available
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • Force

You can choose which lockdown action to apply when a device has push enabled while roaming. To disable it completely, select Force as the Non-Compliance Action.

Enforce Sync While Roaming Policy

Enabled or Disabled

Enforce Data Roaming Policy will activate this setting

not available
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • Force

You can choose which lockdown action to apply when a device has sync enabled while roaming. To disable it completely, select Force as the Non-Compliance Action.

Enforce Voice Roaming Policy

Enabled or Disabled

Enforce Data Roaming Policy will activate this setting

not available
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • Force
Voice Roaming is when the device has Voice Roaming Enabled = YES on the device. Availability of this setting on the device is dependent on the Carrier.
Enforce Home Networks Policy Enabled or Disabled
  • No action 
  • Block
  • Factory Wipe
  • No action 
  • Block
  • Factory Wipe
Enables the ‘Home Networks’ policy, meaning Silverback Admins can specify what data networks are classed as ‘Home Networks’.
Home Networks

Add

Enforce Home Networks  Policy will activate this grid

e.g. Imagoverum Wi-Fi e.g. Imagoverum Wi-Fi This grid is where Silverback Administrators can specify their ‘Home Networks’.

Companion

Companion extends end point security into a secure workspace for your users. Users can store and edit files locally within the application, ensuring that these documents are kept securely and cannot be accessed by other applications or users. Companion also allows users and administrators to manage data usage on the device and configure policy settings around this.

Setting Android Samsung Safe Description
Companion Enabled Enabled or Disabled Enabled or Disabled Enables Profile
EPiC Settings
Secure Enrollment Enabled or Disabled Enabled or Disabled Enables Secure Enrollment for devices
Offline Grace Period e.g. 30 e.g 30 Companion modules will be blocked if the device doesn’t check in during this period. The value is days
Custom Epic Text e.g. This is a free form text e.g. This is a free form text Configure custom text to be displayed to the user
Show Blocked Reasons Enabled or Disabled Enabled or Disabled Configures whether the user is told why they have been blocked. If this is disabled the user is not told why, just that they are blocked
Allow Automated Unblocking Enabled or Disabled Enabled or Disabled Companion can allow users to rectify a block where it was triggered by a policy violation. For example if the user violated an application blacklist, they may remove the app and then scan with Companion to automatically become unblocked
File Settings
Enabled Files Enabled or Disabled Enabled or Disabled Determines whether the Files module is available to the users
Disabled on Blocked Enabled or Disabled Enabled or Disabled Disables the Files module when Silverback blocks the device
RequirePIN Enabled or Disabled Enabled or Disabled Determines whether the users are required to have a PIN code protecting Companion
Allow Email Out Enabled or Disabled Enabled or Disabled Allow the user to email files out of Companion or not
Data Cost Control Settings
Allow Usage Enabled or Disabled Enabled or Disabled Determines whether the Data Usage module is available to the users
Disabled on Blocked Enabled or Disabled Enabled or Disabled Disables the Data Usage module when Silverback blocks the device
Allow User to Change Settings Enabled or Disabled Enabled or Disabled Allow the user to change settings within the Companion Client. If not, the administrator must define settings
Rollover Day 1-31 1-31 Determines the day for the Data Usage to be reset on the device
Local Data Cost Control
Allow User To Reset Usage Enabled or Disabled Enabled or Disabled Allow the user the ability to reset their local Data Usage within the Companion client
Data Allowance (MB) e.g. 2048 e.g. 2048 The Amount of local Cellular Data the user is allowed, until the user is alerted and the configured action is performed.
Action on Local Data Limit Reached
  • No Action
  • Lock
  • Block 
  • Wipe
  • No Action
  • Lock
  • Block 
  • Wipe
The MDM action that is carried out when the local data limit is reached
Alert Administrators Enabled or Disabled Enabled or Disabled Determines whether the administrative e-mail alert is sent out when a device reached the data limit.
Consumed Usage Alert Threshold

0%-100% in 5% steps

 

0%-100% in 5% steps Determines the threshold value for the local Data Allowance usage alert. When this threshold is reached, the user receives a notification on the device
Roaming Data Cost Control
Allow User To Reset Usage Enabled or Disabled Enabled or Disabled Allow the user the ability to reset their roaming Data Usage within the Companion client
Data Allowance (MB) e.g 100 e.g. 100 The Amount of roaming Cellular Data the user is allowed, until the user is alerted and the configured action is performed
Action on Local Data Limit Reached
  • No Action
  • Lock
  • Block 
  • Wipe
  • Reapply
  • No Action
  • Lock
  • Block 
  • Wipe
  • Reapply
The MDM action that is carried out when the roaming data limit is reached
Alert Administrators Enabled or Disabled Enabled or Disabled Determines whether the administrative e-mail alert is sent out when a device reached the data limit
Consumed Usage Alert Threshold

0%-100% in 5% steps

0%-100% in 5% steps Determines the threshold value for the roaming Data Allowance usage alert. When this threshold is reached, the user receives a notification on the device
Licence Message Settings
Invalid Message Settings e.g. You have no valid License. Please contact your System Administrator e.g. You have no valid License. Please contact your System Administrator The text message displayed on the users’ devices

Apps 

The Apps Feature Section is how Administrators can automate the distribution of Device Apps for specific groups of users. Before you can begin assigning Apps to the Tag you first need to have the uploaded into the Silverback App Portal. Once you have Apps in the Silverback App Portal, they can be distributed using the Apps Feature associated with your Tag.

App Types

Three different App Types are available for Android and Samsung Safe devices:

Type Description
Enterprise Applications owned by an Organization with *.apk file
App Store Applications from public Google Play Store
Managed Play Applications from company Google Managed Play Store 

Managed Play application types requires Android Enterprise Integration

Assign Apps 

Once Apps are uploaded into the Silverback App Portal Tab, they can be distributed to devices via a Tag they have been associated with.

  • Navigate to Apps
  • Click Assign More Apps
  • Select any applications from the shown Assign Applications page 
  • Click Add Selected Apps

Overview

Already assigned applications are displayed in the Apps section of any Tag with the following columns: 

Column Description
Type Displays the app type, either Enterprise, App Store or Managed Play
Name Displays the application name
Version Displays the application version for Enterprise Apps
Description Displays the application description given in App Portal
Remove Removes the App from the Tag
Manage Config Click edit to change deployment options

Change Deployment Options

By default configurations will be inherit from the App Portal. To customize the settings perform the following steps for each application.

  • Click the Edit button in the Manage Config column
  • Update Deployment Options
  • Click Save

Content

The Content Tab is where content locations are provided for users. These are defined at a Tag level which means only users in this Tag will receive these content settings in their M42Mobile app.

Content Provider

The following content providers can be configured for the M42Mobile App. The Username and Password fields support system variables, so you can dynamically configure these for all users.

Content Provider Settings
Silversync
  • Name
  • Notes
  • Silversync Server Locations
Box
  • Name
  • Notes
  • Username
  • Password
  • Custom Values
Dropbox
  • Name
  • Notes
  • Username
  • Password
  • Custom Values
GoogleDrive
  • Name
  • Notes
  • Username
  • Password
  • Custom Values
OneDrive
  • Name
  • Notes
  • Username
  • Password
  • Custom Values
ownCloud
  • Name
  • Notes
  • Username
  • Password
  • Server URL
  • Custom Values
Sharepoint 
  • Name
  • Notes
  • Username
  • Password
  • Server URL
  • Access Model 
    • Sharepoint 2010
    • Sharepoint 2013
  • Authentication Mode
    • Basic
    • Forms
    • WebForms
    • Office365
  • Custom Values

Silversync Server Locations

For assigning content with Silversync, there are generally two ways to do this: 

Add Content Requirement Description
Selecting the folders from the Content Tree Server Based Authentication Expand and collapse folders if you want to assign content at a level down in the file system
Typing in file paths manually User based Authentication Assign the content manually by typing in file paths.

To add content manually:

  • Click Add
  • Enter the path directly
    • C:\SilversyncContent\users\{UserName}
    • \\NetworkShare\SilversyncFiles\Everybody 

It’s important to note that these paths support system variables. In the example above “{UserName}” will be replaced with that unique user’s username. This is useful for mapping to a home drive network share for example.

 

  • Was this article helpful?