Skip to main content
Matrix42 Self-Service Help Center

Tags Guide Part II: Android, SamsungSafe

Profile

Profiles for each device type are managed independently allowing separate configuration and management of profiles for each device type. When a device is provisioned, it will be provisioned with the profile configuration at the time the device was enrolled. When a profile change is made, new devices will receive the new configuration as well as devices that are currently managed and/or blocked. When any Profiles are changed, ensure the settings are correct as these will be applied immediately to all applicable devices. Please ensure you click on the Save or Save & Close button on the bottom right of the screen to commit your changes before selecting another page.

Exchange Active Sync

Setting Android Samsung Safe Description
Exchange ActiveSync Settings Enabled or Disabled Enabled or Disabled Enables Profile
Exchange Type
  • Android for Work - Gmail
  • Android for Work - Divide (deprecated)

Exchange profiles are only supported in combination with Android for Work or Android Enterprise

  • Android for Work - Gmail
  • Android for Work - Divide (deprecated)
  • SamsungSafe

Android

Determines to which E-Mail client the Exchange settings should apply.

Samsung Safe

Determines if the Exchange settings should apply to the native email client, Gmail or within an Android for Work Container.

Label e.g. Imagoverum Exchange e.g. Imagoverum Exchange The Label for the Email Account as it appears on the device.
Server Name e.g. outlook.office365.com  e.g. outlook.office365.com  External Exchange Active Sync address 
Domain e.g. Imagoverum e.g. Imagoverum Internal Domain Suffix for the Exchange Server
Peak Schedule (*SamsungSafe only) not available
  • Automatic
  • Never
  • 5 Minutes
  • 15 Minutes
  • 1 hour
  • 2 hours
  • 4 hours
  • 12 hours

 

Sets the default behaviour for the “Peak” period.
Past Days of Mail to Sync
  • One Day
  • Three days
  • One week
  • Two weeks
  • One Month
  • One Day
  • Three days
  • One week
  • Two weeks
  • One Month
  • Unlimited*

*native SamsungSafe email client

Period of mail to synchronize to the device
Off-Peak Schedule (*SamsungSafe only) not available
  • Automatic
  • Never
  • 5 Minutes
  • 15 Minutes
  • 1 hour
  • 2 hours
  • 4 hours
  • 12 hours
Sets the default behaviour for the Off-Peak period
Peak Start Time  (*SamsungSafe only) not available Midnight - 11pm Sets the time of day in hours that the Peak period starts.
Peak Time End  (*SamsungSafe only) not available Midnight - 11pm Sets the time of day in hours that the Peak period ends. Outside of these two settings is considered “Off-Peak”.
Peak Days  (*SamsungSafe only) not available Sunday - Saturday Which days should use the Peak settings. Days not selected here will be considered Off-Peak.
Use SSL Enabled or Disabled Enabled or Disabled If the URL for the External Mail Server is protected by an SSL Certificate then use SSL.
Use Custom Username Variable e.g. {CustLdapVar0} or support@imagoverum.com e.g. {CustLdapVar0} or support@imagoverum.com Define a Custom Variable Attribute for the Username for the EAS Profile.
Use Custom Email Variable e.g. {CustLdapVar0} or tim.tober@imagoverum.com e.g. {CustLdapVar0} or tim.tober@imagoverum.com Define a Custom Variable Attribute for the Email Address for the EAS Profile.
Enterprise Certificate Choose File Choose File Upload a certificate for certificate based authentication with one certificate
Certificate Password e.g Pa$$w0rd e.g. Pa$$w0rd Password for the certificate
Trust All Certificates Enabled or Disabled Enabled or Disabled Required for client certificate authentication with the Gmail app, if the device doesn’t trust the certificates correctly.

Passcode

Setting Android Samsung Safe Description
Passcode Settings Enabled or Disabled Enabled or Disabled Enables Profile
Allow Simple Enabled or Disabled Enabled or Disabled Permit the use of repeating, ascending or descending characters
Require Alpha Numeric Enabled or Disabled Enabled or Disabled Require passcode to contain at least one letter
Minimum Length 4-19 4-19 The smallest number of passcode characters allowed
Minimum Complex characters 1-4 1-4 Smallest number of non-alphanumeric characters allowed. If ‘Allow Simple’ is checked, then this configuration is disabled
Maximum Passcode Age - 1-730 days or none 1-730 or empty 1-730 or empty How often passcode must be changed
Auto-lock (minutes)

1, 2, 3, 4, 5,10, 15, 20, 25,30 

1, 2, 3, 4, 5,10, 15, 20, 25,30  Device automatically locks due to inactivity after this time period
Passcode history (1-50 passcodes, or none) 1-50 or empty 1-50 or empty Number of unique passcodes required before reuse
Maximum Failed Attempts 0-12 0-12 Number of passcode entry attempts allowed before the device is reset to factory settings

Restrictions

Restriction Available on Android Available on Samsung Safe
Allow App Store no yes
Allow Automatic Sync while Roaming no yes
Allow Camera yes yes
Allow Screen Capture yes, with  Android Enterprise yes
Allow Youtube no yes
Allow Voice Dialing no yes
Allow Wi-Fi yes yes
Allow Bluetooth yes yes
Force Storage Encryption yes yes
Allow Apps Control yes, with  Android Enterprise yes, with  Android Enterprise
Force Verify Apps yes, with  Android Enterprise yes, with  Android Enterprise
Allow Configuration of Bluetooth yes, with  Android Enterprise yes, with  Android Enterprise
Allow Configuration of Credentials yes, with  Android Enterprise yes, with  Android Enterprise
Allow Configuration of VPN yes, with  Android Enterprise yes, with  Android Enterprise
Allow Configuration of WiFi yes, with  Android Enterprise yes, with  Android Enterprise
Allow Cross Profile Copy/Paste yes, with  Android Enterprise yes, with  Android Enterprise
Allow Debugging Features yes, with  Android Enterprise yes, with  Android Enterprise
Allow Install Apps yes, with  Android Enterprise yes, with  Android Enterprise
Allow Unknown Sources yes, with  Android Enterprise yes, with  Android Enterprise
Allow Modify Accounts yes, with  Android Enterprise yes, with  Android Enterprise
Allow Remove User yes, with  Android Enterprise yes, with  Android Enterprise
Allow Share Location yes, with  Android Enterprise yes, with  Android Enterprise
Allow Uninstall Apps yes, with  Android Enterprise yes, with  Android Enterprise
Allow Contact Search yes, with  Android Enterprise yes, with  Android Enterprise
Allow Caller Name Sharing yes, with  Android Enterprise yes, with  Android Enterprise
Allow Wi-Fi AP Setting User Modification no yes
Allow Non-Marketplace Apps no yes
Allow USB Debugging no yes
Allow Writing to SD Card no yes

Allow S Beam

no yes
Allow App Uninstallation no yes
Allow Wi-Fi Direct no yes
Allow Wallpaper Changes no yes

 

no yes
Allow Video Recording no yes
Allow User to set Mobile Data Limit no yes
Allow USB Host Storage no yes
Allow User to Stop System Apps no yes
Allow User Access to Status Bar Controls no yes
Allow Share Via List no yes
Allow Settings Access to User no yes
Allow Safe Mode Boot no yes
Allow S Voice no yes
Allow Power Off no yes
Allow Over the Air Upgrade no yes
Allow Lock Screen View Settings no yes
Allow Google Crash Report Submission no yes
Allow User to Perform Factory Reset no yes
Allow Clipboard Sharing Between Apps no yes
Allow User to Set Background Process Limit no yes
Allow Audio Recording no yes
Allow Android Beam no yes
Force Internal Storage Encryption no yes
Force External Storage Encryption no yes
Allow Google Backup no  
Allow Call no
  • Enable Incoming Call
  • Enable Outgoing Call

 

Allow Tethering no
  • Enable Bluetooth Tethering
  • Enable Wi-Fi Tethering
  • Enable USB Tethering
Allow Browser no
  • Enable Autofill
  • Enable Javascript
  • Allow Popup
  • Force Fraud Warning
  • Allow Cookies
Allow SMS no
  • Enable Incoming SMS
  • Enable Outgoing SMS
Allow MMS no
  • Enable Incoming MMS
  • Enable Outgoing MMS
Allow NFC no yes

VPN

Setting Android Samsung Safe Description
VPN Settings not available Enabled or disabled Enables Profile
VPN Type not available Cisco AnyConnect Supported VPN Provider
Connection Name not available e.g. Imagoverum VPN Display name in AnyConnect
Server Address not available e.g vpn.imagoverum.com Server Address for VPN Endpoint
Authentication Type not available Certificate Supported Authentication Type

Private APN

If you have a Private Access Point Name (APN) for your SIM Cards, then Silverback has the ability to configure this for you on the managed devices.

Setting Android Samsung Safe Description
  Private APN Settings     not available     Enabled or Disabled     Enables the Private APN Feature on Selected Devices.  
  Name     not available     e.g. VFD2 Web     The name of the carrier access point  
  Username     not available     e.g User     The username to connect to the access point  
  Password     not available     e.g Pa$$w0rd     The password to connect to the access point  
  Server     not available     e.g web.vodafone.com     The fully qualified address of the proxy server  
Proxy not available e.g apn.proxy.com APN Proxy
Port not available e.g. 8080 APN Port
Type not available e.g. default,supl,mms APN Type
Auth Type not available
  • None
  • PAP
  • CHAP
  • CHAP or PAP
APN Authentication Type

Wi-Fi

Silverback also has the ability to pre-populate multiple Wi-Fi settings on your devices, so the user does not need to know the password for these networks themselves.

  • Click New WiFi Profile
Setting Android Samsung Safe Description
  Wi-Fi Settings   Enabled or Disabled   Enabled or Disabled   Enables the sending of Wi-Fi settings
  SSID   e.g. Corporate Wi-Fi   e.g. Corporate Wi-Fi Service Set Identifier of the wireless network
Security Type  
  • WEP
  • WPA2
  • WEP Enterprise
  • WPA2 Enterprise
  • WEP
  • WPA2
  • WEP Enterprise
  • WPA2 Enterprise
Defines the used Wireless network encryption
  Hidden Network     Enabled or Disabled   Enabled or Disabled Enable if the target network is not open or hidden
Automatically Join     Enabled or Disabled   Enabled or Disabled The device will automatically join the Wi-Fi network
Password e.g. Pa$$w0rd e.g. Pa$$w0rd Password for authenticating to the wireless network
Proxy (WEP Enterprise & WPA2 Enterprise only)
Protocols  
  • TLS
  • LEAP
  • TTLS
  • PEAP
  • EAP-FAST
  • TLS
  • LEAP
  • TTLS
  • PEAP
  • EAP-FAST
Defines the protocol utilized by encryption type
Authentication 
  • Use Individual Username
    • Use User Password
  • Use Individual Client Certificates
    • Individual Client Certificate subject
    • Populate into Active Directory
  • Add Certificates
  • Use Individual Username
    • Use User Password
  • Use Individual Client Certificates
    • Individual Client Certificate subject
    • Populate into Active Directory
  • Add Certificates
Defines the used authentication mechanism
Trust
  • Add Certificate
  • Remove Certificate
  • Add Certificate
  • Remove Certificate
Defines Trusted certificates
Proxy
  • Enable Proxy
  • Server
  • Port 
  • Exclusion list
  • Enable Proxy
  • Server
  • Port 
  • Exclusion list
Ensures the device talks to the necessary Proxy

Managed Profile 

Managed Profile is designed for Android Enterprise purpose. By enabling managed profile the device owner mode on Android and SamsungSafe devices will be activated, which makes the complete device as a containerized device and enabled special capabilities like Single App Mode. 

Device Owner mode needs to be activated on Out-of-box experience on every device. Instead of entering a personal Google account use afw#matrix42 as username. Afterwards the companion application will be downloaded and the device will be enrolled during the Out-of-box experience. 

Setting Android Samsung Safe Description
Managed Profile   Enabled or Disabled   Enabled or Disabled   Enables the Managed Profile
Single App Mode   Enabled   Enabled Enables and lock the device to a single purpose used application
Application Identifier e.g. com.matrix42.securecontainer e.g. com.matrix42.securecontainer

Defines the app which should run in Single App Mode

Application must either be present in App Portal as Managed Play or a pre-installed system app on device. By entering e.g. com a suggestion appears for all Apps marked as Managed Play in App Portal

Work Profile 

Work Profile is designed for Android for Work purpose. When enabled, the device will automatically activate the  Android for Work Container on the device.

Setting Android Samsung Safe Description
Work Profile   Enabled or Disabled   Enabled or Disabled   Enables the Work Profile
Passcode Settings   Enabled or Disabled Enabled or Disabled Enables the usage of a separated passcode for the Android for Work Container
Quality
  • Numeric
  • Alpha Numeric
  • Complex
  • Numeric
  • Alpha Numeric
  • Complex

Defines the minimum requirements for passcode.

Minimum Length 4-19 4-19 Defines the minimum passcode length 
Maximum Passcode Age 1-730 or empty 1-730 or empty How often passcode must be changed
Passcode history 1-50 or empty 1.50 or empty Number of unique passcodes required before reuse.

Global HTTP Proxy

Enabling the Global HTTP Proxy will force all Network Traffic through a designated proxy server.

Setting Android Samsung Safe Description
Global HTTP Proxy   not available   Enabled or Disabled   Enables the HTTP Proxy
Server   not available e.g. proxy.imagoverum.com or 10.0.0.1 The FQDN or IP address of the proxy server
Port not available e.g 443 The port of the proxy server

App Portal

The Application portal is where devices can access Enterprise applications and recommended Third Party applications via a web clip icon. To enable access to the Application portal for end users and push the app portal web clip icon to devices, ensure App Portal Enabled box is ticked.

Setting Android Samsung Safe Description
App Portal   Enabled or Disabled   Enabled or Disabled   Enables and pushes the App Portal Icon to enrolled devices.

To customize the App Portal navigate to Admin > App Portal  

M42 Mobile

The M42 Mobile section allows you to configure Branding, Service Store connection and data sources for users who use the M42 Mobile client.

Setting Android Samsung Safe Description
M42 Mobile Enabled   Enabled or Disabled   Enabled or Disabled   Enables M42 Mobile Settings
Logo Url e.g. https://www.imagoverum.com/logo.jpg e.g https://www.imagoverum.com/logo.jpg Allows  to override the default Matrix42 Logo with a custom logo. Enter the URL of the logo file that clients should download.
Tint Color

e.g: 

  • R: 252
  • G: 133
  • B: 41

e.g: 

  • R: 252
  • G: 133
  • B: 41
The RGB value of the main color of the M42 Mobile App. This will visually change the color of UI elements on the device.
Username e.g. {UserName} e.g. {UserName} Accepts System Variables ands pre-populates the Username field. 
Password e.g. {UserPassword} e.g. {UserPassword} Accepts System Variables ands pre-populates the Password field
Server e.g https://www.imagoverum.com/wm e.g https://www.imagoverum.com/wm Pre-populates the Service Store Server URL.
Domain e.g. iv e.g iv Pre-populates the Domain field
Port e.g. 443 e.g. 443 Pre-populates the Port field
Custom Data
  • Key
  • Values

 

  • Key
  • Values

This allows custom fields to be defined, for example if a new M42Mobile app is being tested but not publicly available, this could be used to add new configurable fields.

Should only be used when directed by Matrix42.

Sharepoint Sites

This sections allows to add SharePoint Sites to M42Mobile Application.

  • Click New SharePoint Site
Setting Android Samsung Safe Description
Label   e.g. Imagoverum Sharepoint e.g. Imagoverum Sharepoint Display Name of the Sharepoint Site
URL e.g. https://imagoverum.sharepoint.com e.g. https://imagoverum.sharepoint.com Sharepoint Site Address
Authentication Type
  • Office365
  • Web Forms
  • Basic Authentication
  • Form Authentication
  • Client Certificate - Basic
  • Client Certificate - Kerberos
  • Office365
  • Web Forms
  • Basic Authentication
  • Form Authentication
  • Client Certificate - Basic
  • Client Certificate - Kerberos

Office 365 authentication is only available for Office 365

Webforms authentication requires the user to type their credentials in the web view

Basic authentication sends the credentials of the user in the Authorization header

Form authentication is a headless authentication method for Sharepoint site configured for Form Based Authentication

Client Certificate - Basic will provide a specified certificate to the user to use in conjunction with Basic authentication

Client Certificate - Kerberos will provide a specified certificate to the user to use in conjunction with Kerberos authentication
Access Model
  • Sharepoint 2013 REST
  • Sharepoint 2010 REST
  • Sharepoint 2013 REST
  • Sharepoint 2010 REST
The Access Model that should be used.
Sharepoint 2013 Access Model is recommended for best experience.
Content Refresh Interval (hours) e.g. 4 e.g. 4 The Interval for check Sharepoint for Updates.
Username e.g. {UserName} or tim.tober@imagoverum.com e.g. {UserName} or tim.tober@imagoverum.com Field to specify the Username.
Custom LDAP attributes can be used in this field.
Use User Password Enabled or Disabled Enabled or Disabled Specifies that the client should automatically use the User’s Password. This is only available when Password is Cached or on initial enrollment
Certificate Select Certificate Select Certificate

Displays uploaded Certificates in Certificates section when Authentication Type is set to Client Certificate

Certificates

 

Silversync

This sections allows to add Silversync to M42Mobile Application.

Setting Android Samsung Safe Description
Allow File Sync   Enabled or Disabled Enabled or Disabled Allows File Sync
Disable on Blocked Enabled or Disabled Enabled or Disabled Disables File Sync for blocked devices
Allow Sync on Cellular Data Enabled or Disabled Enabled or Disabled Allow Sync when device uses Cellular
Cellular Data File Size Limit e.g. 10 e.g. 10 Restricts file sizes in MB when device uses Cellular
Allow Email of Files Enabled or Disabled Enabled or Disabled Allows to Email File types via Email
Allow Opening Files Into Other Apps Enabled or Disabled Enabled or Disabled Allows opening files into other apps on device

Certificate Trusts  

For Android and Samsung SAFE devices, arbitrary certificate trusts can be defined. These certificates will be deployed to the root or intermediate trust stores on the devices.

Setting Android Samsung Safe Description
Certificate Settings   Enabled or Disabled Enabled or Disabled Enables Certificate Settings in this Tag
Add Root Certificate Choose File Choose File Select and Upload Root Certificate
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd Defines Password for Root Certificate
Root Certificates e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE Displays uploaded certificates details
Add Root Certificate Choose File Choose File Select and Upload Root Certificate
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd Defines Password for Root Certificate
Intermediate Certificates e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE Displays uploaded certificates details

Web Clips 

Silverback allows administrators to push down Internet shortcuts to their Managed Devices, giving users easy access to the websites the administrator wants.

  • Click New Web Clip
Setting Android Samsung Safe Description
Web Clip Name   e.g. Matrix42 e.g. Matrix42 Web Clip Display Name 
Link e.g. https://www.matrix42.com e.g. https://www.matrix42.com Target URL for the Web Clip
Icon File Choose File Choose File Web Clip Display Icon.  Support File Type: *.png

KNOX 

KNOX is a section where Administrators can configure settings for Samsung KNOX enabled devices. The KNOX Section is only available when a Tag is enabled for Samsung SAFE devices. To enter the Samsung KNOX License Key navigate to Admin > Licenses > Samsung Knox License. 

  • Navigate within the Tag to Knox in the left Panel
  • Click New Container
  • Enter a friendly name
  • Click Save
  • Click OK 
  • Now configure the Samsung Knox Container

Restrictions

To allow a function for the Container you are creating or editing, simply ensure the corresponding checkbox is ticked and click Save or Save & Close at the bottom of the page.

Setting Android Samsung Safe Description
Allow Share List   not available Enabled or Disabled Disables the display of the Share Via List, the Share Via List is displayed in certain applications that share data with other applications.
Allow Camera not available Enabled or Disabled

Disables the photo camera, video camera, and video telephony functionality without user interaction. User or third-party applications cannot enable the camera once it is disabled.

Allow Non Secure Keypad not available Enabled or Disabled  
Allow Knox App Store not available Enabled or Disabled  
Browser
Allow Auto Fill not available Enabled or Disabled The setting applies to the native Android browser to prevent any website from providing autofill suggestions when a user is filling in form data on the webpage, even if the user has previously filled in the form
Allow Cookies not available Enabled or Disabled This setting is applied to the native Android browser to prevent any website from storing cookies related to the website on the device
Show Security Warning not available Enabled or Disabled This setting applies to the native Android browser to force the browser to show an untrusted certificate security warning to the user when applicable. If the user tries to connect to a website whose certificate is not present in the certificate trust chain used by the browser, the security warning is shown.
Allow Javascript not available Enabled or Disabled This setting is applied to the native Android browser to prevent the browser from running JavaScript code for a website
Allow Pop-ups not available Enabled or Disabled If set to Disabled, the setting overrides the default pop-up browser setting to prevent any website from popping up new browser windows when the user navigates to a website that invokes such action
Email Policies
Allow Account Additions not available Enabled or Disabled Restrict user from adding any new email accounts. Only  administrators can still add an account.

Password

This section governs the security level of the password for the specific Container if enabled.

Setting Android Samsung Safe Description
Password Settings   not available Enabled or Disabled Disables the display of the Share Via List, the Share Via List is displayed in certain applications that share data with other applications.
Minimum Length not available e.g. 4

Disables the photo camera, video camera, and video telephony functionality without user interaction. User or third-party applications cannot enable the camera once it is disabled.

Maximum times a character can occur not available e.g. 10 Maximum times an individual character can occur in the password
Maximum character sequence length not available e.g. 10 Maximum sequence for letters, for example a maximum of 3 would allow “abc” but not “abcd”
Maximum numeric sequence length not available e.g. 10 Maximum sequence for numbers, for example a maximum of 3 would allow “123” but not “1234”
Maximum failed attempts to disable container not available e.g. 10 Number of times the user can enter an incorrect password before access to the Container is disabled
Idle time for key guard lock (seconds) not available e.g 600 Amount of time before the device automatically locks when not interacted with
Forbidden strings in password (comma delimited) not available e.g. pass,password List of words or numbers, delimited by comma, that are not allowed to exist within the password as a whole. For example, a setting of “word” would not allow the password “password”
Minimum number of changed characters from previous password not available e.g. 10 Number of characters that must be different from the previous password, this prevents the user using the same password and incrementing a tailing number for example
Number of historical passwords to remember not available e.g. 10 Number of passwords to remember that the user cannot use again

not available Enabled or Disabled Allow the user to make their password visible when editing it

Exchange ActiveSync

This section governs the Exchange ActiveSync settings for the specific Container if enabled.

Setting Android Samsung Safe Description

Exchange ActiveSync Settings

not available Enabled or Disabled Disables the display of the Share Via List, the Share Via List is displayed in certain applications that share data with other applications.
Label not available e.g. Imagoverum E-Mail The Label for the Email Account as it appears on the device.
Servername not available e.g. outlook.office365.com  The External Mail Server URL
Past Days of Mail to Sync not available
  • Unlimited
  • One Day
  • Three Days
  • One Week
  • Two Weeks
  • One Month
Period of mail to synchronize to the device
Use SSL not available Enabled or Disabled If the URL for the External Mail Server is protected by an SSL Certificate then use SSL.
Use Custom Username Variable not available e.g. {CustLdapVar0}or support@imagoverum.com Define a Custom Variable Attribute for the Username for the EAS Profile.
Use Custom Email Variable not available e.g{CustLdapVar0} or tim.tober@imagoverum.com Define a Custom Variable Attribute for the Email Address for the EAS Profile.
Always Vibrate On Email Notification not available Enabled or Disabled Sets the mail settings to vibrate when receiving a mail
Allow Calendar not available Enabled or Disabled Determines whether the user can use the calendar associated with the Exchange ActiveSync Account
Allow Contacts not available Enabled or Disabled Determines whether the user can use the contacts associated with the Exchange ActiveSync Account
Allow Tasks not available Enabled or Disabled Determines whether the user can use the tasks associated with the Exchange ActiveSync Account
Allow Notes not available Enabled or Disabled Determines whether the user can use the notes associated with the Exchange ActiveSync Account
Default Signature not available

e.g. 

Best Regards

Imagoverum

Elbinger Str. 7

60487 Frankfurt am Main

Pre-Define a signature for the account
Enterprise Certificate not available Choose File Upload a certificate for Authentication
Certificate Password not available e.g. Pa$$w0rd Password for the certificate

Apps 

Enterprise Apps that have been nominated as “KNOX Signed” when being uploaded to the App Portal section can be assigned to KNOX Containers. These apps will be deployed within the Container on the device. This page lists the currently assigned apps, and lets you assign more to the Container.

  • Click Assign More Apps
  • Select the Apps to assign to the Tag
  • Click Add Select Apps 
Column Android Samsung Safe Description

Type

not available Enterprise Displays the app type
Name not available e.g. M42Mobile Displays the name of the app
Description not available e.g.  The Matrix42 Mobile App delivers the power of Matrix42 Workspace Management at your users' fingertips, anytime and anywhere... Displays the app description
Remove not available Admin_Guide_SB_027.png Removes the app from the tag

Policy 

With Policy or Policies Administrators have the ability to enforce rules with Silverback, such as enforcing what Apps are installed on the devices, what Cellular Networks the device is on through to enforcing the Serial Numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor for and ‘police’ for any devices that are associated with the Tag.

OS Version Compliance

Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.

  • Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
  • Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.

Use this feature where you do not want devices to be automatically blocked when a user upgrades their device to a new future OS version that is released by their software vendor.

Hardware Compliance

Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a Device Manufacturer release a new version of their hardware the model numbers may not be known by Silverback, in this case Silverback will ‘learn’ them and store them as ‘Unknown’ in the Device Types section under the Admin Tab where the Administrator can update them manually. To allow these devices into your system you enable the ‘Unknown’ checkbox option. This will allow the device into your Silverback Environment and you can later re-classify this device type in the Admin > Device Types section.

  • Alert Administrators:  When the  checkbox is checked it will ensure that administrators receive an email when a device that violates hardware compliance is detected.

Application Blacklist

Silverback maintains a blacklist of application names to ensure the detection and management of devices with blacklisted applications. The blacklist works by matching application names of applications on devices against the strings in the blacklist. The blacklist employs a case-insensitive substring search algorithm to determine policy violations.

To add an application to the blacklist

  • Enter the Application Identifier (e.g. com.whatsapp) 
  • Click Add
  • Notice the info message: This application name has been blacklisted successfully.

Perform these steps for applications that you want to blacklist.

Action Description
Edit Edit the selected value in the blacklist
Remove Delete the value from the blacklist

Lockdown

The Lockdown screen allows you to determine what device compliance policies are enabled and what action should automatically occur when a violation is detected. Each policy is enabled/disabled through their associated checkbox. Enabling a lockdown policy ensures that the device is inspected to ensure it is compliant with that policy during the initial enrollment as well as at regular intervals as defined by the ‘Perform check every’ drop down.

Lockdown Actions

Action Description
No action No action is performed on the device; however alerting administrators may be performed if configured.
Lock A lock command is sent to the device which will lock the screen of the device. 
Block The device is blocked, and the device is moved to the blocked devices table. 
Wipe The device is hard reset to factory default settings.
Force This will re-apply the Android Setting that disables the ability for the device to roam for voice or data. The setting is forced upon the user.  For application black list in particular, this will prevent the application from launching or being installed on the device.
Alert administrator Emails are sent to all administrators notifying them of the policy violation when it is detected. 
Exclude Home Network Allows the Administrator to disable roaming alerts for devices roaming on Home Networks
Allow Home Networks Allow Home Network’ checkbox allows the user to roam on Home Networks without triggering lockdown action.

Lockdown Policies

Policy  General Android SamsungSafe Description
Enforce SIM Authentication Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Wipe
  • No action
  • Lock 
  • Block
  • Wipe
The first SIM Silverback detects on a managed device will be considered the ‘canonical’ SIM. Any subsequent changes to the SIM (e.g. removal of the SIM from the device or changing the SIM on the device) are considered a policy violation.
Enforce Application Blacklist

Enabled or Disabled

Either Blacklist or Whitelist

  • No action
  • Lock 
  • Block
  • Wipe
  • No action
  • Lock 
  • Block
  • Wipe
  • Force

See the blacklist section for more information on this configuration. The blacklist can be enabled or disabled from this screen.

Enforce Application Whitelist

Enabled or Disabled

Either Blacklist or Whitelist

  • No action
  • Lock 
  • Block
  • Wipe
  • No action
  • Lock 
  • Block
  • Wipe
  • Force

Application Whitelist will ensure that each device has only applications approved by a system administrator that reside in the Silverback App Portal. Whitelist is derived from the Application Name. Ensure applications in the App Portal are labelled correctly prior to enabling Application Whitelist.

Enforce Hardware Authentication Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Wipe
  • No action
  • Lock 
  • Block
  • Wipe
Hardware authentication can be enabled or disabled from this screen. See the hardware authentication for more information on this configuration.
Cost Control Settings
Send Roaming Alerts Enabled or Disabled No actions available No actions available

Enabling this will send an alert to all Silverback Administrators when a device starts Roaming for any reason (Voice/Data).

Enforce Data Roaming Policy Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Wipe
  • No action
  • Lock 
  • Block
  • Wipe
  • Force

You can choose which lockdown action to apply when a device has data roaming enabled. Availability of this setting on the device is dependent on the Carrier.

Enforce Push While Roaming Policy

Enabled or Disabled

Enforce Data Roaming Policy will activate this setting

 

not available
  • No action
  • Lock 
  • Block
  • Wipe
  • Force

You can choose which lockdown action to apply when a device has push enabled while roaming. To disable it completely, select Force as the Non-Compliance Action.

Enforce Sync While Roaming Policy

Enabled or Disabled

Enforce Data Roaming Policy will activate this setting

not available
  • No action
  • Lock 
  • Block
  • Wipe
  • Force

You can choose which lockdown action to apply when a device has sync enabled while roaming. To disable it completely, select Force as the Non-Compliance Action.

Enforce Voice Roaming Policy

Enabled or Disabled

Enforce Data Roaming Policy will activate this setting

not available
  • No action
  • Lock 
  • Block
  • Wipe
  • Force
Voice Roaming is when the device has Voice Roaming Enabled = YES on the device. Availability of this setting on the device is dependent on the Carrier.
Enforce Home Networks Policy Enabled or Disabled
  • No action 
  • Block
  • Wipe
  • No action 
  • Block
  • Wipe
Enables the ‘Home Networks’ policy, meaning Silverback Admins can specify what data networks are classed as ‘Home Networks’.
Home Networks

Add

Enforce Home Networks  Policy will activate this grid

e.g. Imagoverum Wi-Fi e.g. Imagoverum Wi-Fi This grid is where Silverback Administrators can specify their ‘Home Networks’.

Companion

Companion extends end point security into a secure workspace for your users. Users can store and edit files locally within the application, ensuring that these documents are kept securely and cannot be accessed by other applications or users. Companion also allows users and administrators to manage data usage on the device and configure policy settings around this.

Setting Android Samsung Safe Description
Companion Enabled Enabled or Disabled Enabled or Disabled Enables Profile
EPiC Settings
Secure Enrollment Enabled or Disabled Enabled or Disabled Enables Secure Enrollment for devices
Offline Grace Period e.g. 30 e.g 30 Companion modules will be blocked if the device doesn’t check in during this period. The value is days
Custom Epic Text e.g. This is a free form text e.g. This is a free form text Configure custom text to be displayed to the user
Show Blocked Reasons Enabled or Disabled Enabled or Disabled Configures whether the user is told why they have been blocked. If this is disabled the user is not told why, just that they are blocked
Allow Automated Unblocking Enabled or Disabled Enabled or Disabled Companion can allow users to rectify a block where it was triggered by a policy violation. For example if the user violated an application blacklist, they may remove the app and then scan with Companion to automatically become unblocked
File Settings
Enabled Files Enabled or Disabled Enabled or Disabled Determines whether the Files module is available to the users
Disabled on Blocked Enabled or Disabled Enabled or Disabled Disables the Files module when Silverback blocks the device
RequirePIN Enabled or Disabled Enabled or Disabled Determines whether the users are required to have a PIN code protecting Companion
Allow Email Out Enabled or Disabled Enabled or Disabled Allow the user to email files out of Companion or not
Data Cost Control Settings
Allow Usage Enabled or Disabled Enabled or Disabled Determines whether the Data Usage module is available to the users
Disabled on Blocked Enabled or Disabled Enabled or Disabled Disables the Data Usage module when Silverback blocks the device
Allow User to Change Settings Enabled or Disabled Enabled or Disabled Allow the user to change settings within the Companion Client. If not, the administrator must define settings
Rollover Day 1-31 1-31 Determines the day for the Data Usage to be reset on the device
Local Data Cost Control
Allow User To Reset Usage Enabled or Disabled Enabled or Disabled Allow the user the ability to reset their local Data Usage within the Companion client
Data Allowance (MB) e.g. 2048 e.g. 2048 The Amount of local Cellular Data the user is allowed, until the user is alerted and the configured action is performed.
Action on Local Data Limit Reached
  • No Action
  • Lock
  • Block 
  • Wipe
  • No Action
  • Lock
  • Block 
  • Wipe
The MDM action that is carried out when the local data limit is reached
Alert Administrators Enabled or Disabled Enabled or Disabled Determines whether the administrative e-mail alert is sent out when a device reached the data limit.
Consumed Usage Alert Threshold

0%-100% in 5% steps

 

0%-100% in 5% steps Determines the threshold value for the local Data Allowance usage alert. When this threshold is reached, the user receives a notification on the device
Roaming Data Cost Control
Allow User To Reset Usage Enabled or Disabled Enabled or Disabled Allow the user the ability to reset their roaming Data Usage within the Companion client
Data Allowance (MB) e.g 100 e.g. 100 The Amount of roaming Cellular Data the user is allowed, until the user is alerted and the configured action is performed
Action on Local Data Limit Reached
  • No Action
  • Lock
  • Block 
  • Wipe
  • Reapply
  • No Action
  • Lock
  • Block 
  • Wipe
  • Reapply
The MDM action that is carried out when the roaming data limit is reached
Alert Administrators Enabled or Disabled Enabled or Disabled Determines whether the administrative e-mail alert is sent out when a device reached the data limit
Consumed Usage Alert Threshold

0%-100% in 5% steps

0%-100% in 5% steps Determines the threshold value for the roaming Data Allowance usage alert. When this threshold is reached, the user receives a notification on the device
Licence Message Settings
Invalid Message Settings e.g. You have no valid License. Please contact your System Administrator e.g. You have no valid License. Please contact your System Administrator The text message displayed on the users’ devices

Apps 

The Apps Feature Section is how Administrators can automate the distribution of Device Apps for specific groups of users. Before you can begin assigning Apps to the Tag you first need to have the uploaded into the Silverback App Portal. Once you have Apps in the Silverback App Portal, they can be distributed using the Apps Feature associated with your Tag.

App Types

Three different App Types are available for Android and Samsung Safe devices:

Type Description
Enterprise Applications owned by an Organization with *.apk file
App Store Applications from public Google Play Store
Managed Play / Afw Applications from company Google Managed Play Store 

Managed Play / AfW application types requires Android Enterprise 

Assign Apps 

Once Apps are uploaded into the Silverback App Portal Tab, they can be distributed to devices via a Tag they have been associated with.

  • Navigate to Apps
  • Click Assign More Apps
  • Select any applications from the shown Assign Applications page 
  • Click Add Selected Apps 

Overview

Already assigned applications are displayed in the Apps section of any Tag with the following columns: 

Column Description
Type Displays the app type, either Enterprise, App Store or Managed Play
Name Displays the application name
Version Displays the application version for Enterprise Apps
Description Displays the application description given in App Portal
Remove Removes the App from the Tag

Content

The Content Tab is where content locations are provided for users. These are defined at a Tag level which means only users in this Tag will receive these content settings in their M42Mobile app.

Content Provider

The following content providers can be configured for the M42Mobile App. The Username and Password fields support system variables, so you can dynamically configure these for all users.

Content Provider Settings
Silversync
  • Name
  • Notes
  • Silversync Server Locations
Box
  • Name
  • Notes
  • Username
  • Password
  • Custom Values
Dropbox
  • Name
  • Notes
  • Username
  • Password
  • Custom Values
GoogleDrive
  • Name
  • Notes
  • Username
  • Password
  • Custom Values
OneDrive
  • Name
  • Notes
  • Username
  • Password
  • Custom Values
ownCloud
  • Name
  • Notes
  • Username
  • Password
  • Server URL
  • Custom Values
Sharepoint 
  • Name
  • Notes
  • Username
  • Password
  • Server URL
  • Access Model 
    • Sharepoint 2010
    • Sharepoint 2013
  • Authentication Mode
    • Basic
    • Forms
    • WebForms
    • Office365
  • Custom Values

Silversync Server Locations

For assigning content with Silversync, there are generally two ways to do this: 

Add Content Requirement Description
Selecting the folders from the Content Tree Server Based Authentication Expand and collapse folders if you want to assign content at a level down in the file system
Typing in file paths manually User based Authentication Assign the content manually by typing in file paths.

To add content manually:

  • Click Add
  • Enter the path directly
    • C:\SilversyncContent\users\{UserName}
    • \\NetworkShare\SilversyncFiles\Everybody 

It’s important to note that these paths support system variables. In the example above “{UserName}” will be replaced with that unique user’s username. This is useful for mapping to a home drive network share for example.

 

  • Was this article helpful?