Restrictions for Android on work profile and work managed devices

Updated on December 7th, 2023

This article shows how to configure and deploy restrictions to Android Enterprise devices.

Requirements

When these requirements are met, administrators can create and deploy work profile restrictions to the devices.

Important information

If you want to change previously deployed restrictions, do not apply the same restriction to the same device multiple times. Instead, modify the previously deployed configuration profile, or remove the earlier configuration profile from the devices first.

Please note that deploying restrictions that overlap with Kiosk mode's restrictions may cause unwanted behavior.

Make sure not to deploy the below-listed restrictions to devices if you have already deployed them using a Kiosk mode configuration.

  • Disable volume adjusting
  • Disable factory reset
  • Disable safe booting
  • Disable screen off timeout configuration
  • Disable adding new users
  • Disable any physical media
  • Disable system error dialogs

How to create and deploy restrictions?

Navigate to Management > Configuration profiles and start the Create configuration profile action from the page action menu. Select Android > Restrictions and define the desired configuration.

Configuring Android enterprise restrictions in the configuration profile.

Application control

Default runtime permission policy

Specifies the default runtime permission policy for applications. For example, fine location access is automatically granted, denied, or prompted by the device user. This has no effect on already granted or denied runtime permissions.

Application control

Specifies whether a user is allowed to modify applications in Settings or launchers. The following user actions will be denied when this restriction is enabled:

  • Uninstalling apps
  • Disabling apps
  • Clearing app caches
  • Clearing app data
  • Force stopping apps
  • Clearing app defaults

This restriction is supported in devices with Android 5.0 or later.

Application uninstallation

Specifies whether a user is allowed to uninstall applications. This restriction is supported in devices with Android 4.3 or later.

Disable application verification

Specifies whether a user is allowed to disable application verification. This restriction is supported in devices with Android 5.0 or later.

Allowlisted system applications

Specifies a list of allowlisted system applications by their package name*. These are enabled in the work profile when deployed.

Blocklisted system applications

Specifies a list of blocklisted system applications by their package name*. These are enabled in the work profile when deployed. Requires Miradore Online Client version 2.6.5 or newer.

Note that you can find the package names of system apps on the Applications tab of a particular device's view (see the screenshot below). You may first have to enroll that device, or a similar device with the same system apps, to see all those package names, or you can check the names from another device's application inventory.

Another way is to search for the desired app in the Play Store. The app's package name is visible in the app's URL, e.g. https://play.google.com/work/apps/details?id=com.android.chrome.

Unfortunately, we don't have any list of those package names.

Applications information shown on Miradore.
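The following added example (not Miradore code) turns Play Store URLs or bare package names into clean allowlist and blocklist entries, rejecting malformed names and any package that ends up on both lists. The function names and the `com.example.*` packages are hypothetical; only the Chrome URL comes from this article.

```python
import re
from urllib.parse import urlparse, parse_qs

# Android package name: at least two dot-separated segments, each starting
# with a letter and containing only letters, digits and underscores.
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")

def package_from_entry(entry):
    """Return the package name for a Play Store URL or a bare package name.

    Raises ValueError when the entry is neither, so typos never reach a list.
    """
    entry = entry.strip()
    if "://" in entry:
        url = urlparse(entry)
        # Exact host match: a look-alike host must not be accepted.
        if url.scheme != "https" or url.hostname != "play.google.com":
            raise ValueError(f"not a Play Store URL: {entry}")
        ids = parse_qs(url.query).get("id", [])
        if len(ids) != 1:
            raise ValueError(f"URL has no single id parameter: {entry}")
        entry = ids[0]
    if not PACKAGE_RE.fullmatch(entry):
        raise ValueError(f"not a valid package name: {entry}")
    return entry

def build_lists(allow_entries, block_entries):
    """Normalize and deduplicate both lists; refuse a package on both."""
    allow = sorted({package_from_entry(e) for e in allow_entries})
    block = sorted({package_from_entry(e) for e in block_entries})
    conflict = sorted(set(allow) & set(block))
    if conflict:
        raise ValueError(f"listed as both allowed and blocked: {conflict}")
    return allow, block

# Constructed sample input; only the Chrome URL comes from the article.
ALLOW = [
    "https://play.google.com/work/apps/details?id=com.android.chrome",
    "com.android.chrome",          # duplicate of the URL above
    "com.example.dialer",          # hypothetical system app
]
BLOCK = ["com.example.bloatware"]  # hypothetical system app

if __name__ == "__main__":
    print(build_lists(ALLOW, BLOCK))
```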

Common restrictions

Autofill

Specifies whether the device user is allowed to use autofill features. This restriction is supported in devices with Android 8.0 or newer.

Bluetooth sharing

Specifies if outgoing Bluetooth sharing is allowed on the device. This restriction is supported in devices with Android 8.0 or newer.

Camera

Specifies whether the device user is allowed to access the camera. This restriction is supported in devices with Android 4.0 or newer.

Credentials configuration

Specifies whether the device user is allowed to configure user credentials. This restriction is supported in devices with Android 4.3 or newer.

Debugging

Specifies whether the device user is allowed to enable or access debugging features. This restriction is enabled by default when a work profile is installed on the device. This restriction is supported in devices with Android 5.0 or newer.

Language configuration

Specifies whether the device user is allowed to configure/change the device language. This restriction is supported in devices with Android 9.0 or newer.

Location provider configuration

Specifies whether the device user is allowed to enable/disable location providers. This restriction is supported in devices with Android 9.0 or newer.

Location share

Specifies whether the device user is allowed to turn on location sharing. This restriction is supported in devices with Android 4.3 or newer.

NFC outgoing beam

Specifies whether the device user is allowed to use NFC to beam out data from apps. This restriction is supported in devices with Android 5.1 or newer.

Printing

Specifies whether the device user is allowed to print. This restriction is supported in devices with Android 9.0 or newer.

Screen capture

Specifies whether the device user is allowed to take screenshots. This restriction is supported in devices with Android 5.0 or newer.

System error dialogs

Specifies if system error dialogs for crashed or unresponsive apps are allowed and shown. When denied, the system will force stop the apps if the user chooses the "close app" option on the UI. This restriction is supported in devices with Android 9.0 or newer.

User icon modification

Specifies whether the device user is allowed to change his/her user icon. This restriction is supported in devices with Android 7.0 or newer.

VPN configuration

Specifies whether the device user is allowed to configure VPN. This restriction is supported in devices with Android 5.0 or newer.

Wallpaper modification

Specifies whether the device user is allowed to change the device wallpaper. This restriction is supported in devices with Android 7.0 or newer.

Weblinks with parent applications

Specifies if parent profile applications can be used to open web links in managed work profile applications. For example, Chrome on the primary user can be used to open web links received to the work profile email. This restriction is supported in devices with Android 6.0 or newer.

Fully managed (Device Owner, excluding COPE devices)

Add managed profiles

Specifies whether the device user is allowed to add managed profiles. This restriction is supported in devices with Android 8.0 or newer.

Add users

Specifies whether the device user is allowed to add users. This restriction is supported in devices with Android 5.0 or newer.

Adjust volume

Specifies if a user is disallowed from adjusting the master volume. If set, the master volume will be muted. This restriction is supported in devices with Android 5.0 or newer.

Airplane mode

Specifies whether the device user is allowed to enable airplane mode. This restriction is supported in devices with Android 9.0 or newer.

Ambient display

Specifies whether the device user is allowed to enable ambient display on the device. This restriction is supported in devices with Android 9.0 or newer.

Audio

Specifies whether the device audio is enabled. Set to denied to mute the audio. This restriction is supported in devices with Android 5.0 or newer.

Backup service

Specifies whether the backup and restore mechanisms are available on the device. This setting is denied by default. This restriction is supported in devices with Android 8.0 or newer.

Bluetooth

Specifies whether the use of Bluetooth is allowed on the device. This restriction is supported in devices with Android 8.0 or newer.

Bluetooth configuration

Specifies whether the device user is allowed to configure Bluetooth settings on the device. This restriction is supported in devices with Android 4.3 or newer.

Brightness configuration

Specifies whether the device user is allowed to change the device's screen brightness. This restriction is supported in devices with Android 9.0 or newer.

Cellular broadcast configuration

Specifies whether the device user is allowed to configure cellular emergency broadcast settings. This restriction is supported in devices with Android 5.0 or newer.

Create windows

Specifies whether the device user is allowed to create windows besides app windows. This restriction is supported in devices with Android 5.0 or newer.

Data roaming

Specifies whether it is allowed to enable data roaming on the device. This restriction is supported in devices with Android 7.0 or newer.

Date and time configuration

Specifies whether the device user is allowed to configure date, time, or timezone settings on the device. This restriction is supported in devices with Android 9.0 or newer.

Factory reset

Specifies if the factory reset is denied from the settings or using Google Device Manager. Works only if the manufacturer allows this functionality. This restriction is supported in devices with Android 5.0 or newer.

  • Important: Make sure you always remember the possible passcode of your device because denying the factory reset will also prevent the device from being hard reset. There is no way to reset, restore or keep using the device without a password if the factory reset has been prevented with Miradore.

Fun

Specifies if a user is allowed to have fun. In some cases, the device owner may wish to prevent the user from experiencing amusement or joy while using the device. Controls whether the Easter egg game in Settings is disabled. This restriction is supported in devices with Android 6.0 or newer.

Mobile network configuration

Specifies whether the device user is allowed to configure mobile network settings. This restriction is supported in devices with Android 5.0 or newer.

Mount physical media

Specifies whether the device user is allowed to mount physical external media. This restriction is supported in devices with Android 5.0 or newer.

Network reset

Specifies whether the device user is allowed to reset network settings. This restriction is supported in devices with Android 6.0 or newer.

Outgoing calls

Specifies whether the device user is allowed to make outgoing phone calls. This restriction is supported in devices with Android 5.0 or newer.

Remove managed profiles

Specifies whether the device user is allowed to remove managed profiles from the device. This restriction is supported in devices with Android 8.0 or newer.

Remove users

Specifies whether the device user is allowed to remove users from the device. This restriction is supported in devices with Android 4.3 or newer.

Safe boot

Specifies whether the device user is allowed to reboot the device into safe boot mode. This restriction is supported in devices with Android 6.0 or newer.

Screen off timeout configuration

Specifies whether the device user is allowed to change the screen off timeout setting. This restriction is supported in devices with Android 9.0 or newer.

SMS

Specifies whether the device user is allowed to send or receive SMS messages. This restriction is supported in devices with Android 5.0 or newer.

Tethering configuration

Specifies whether the device user is allowed to configure tethering settings. This restriction is supported in devices with Android 5.0 or newer.

Ultra-wideband

Specifies whether the device user is allowed to use ultra-wideband communication. This requires Miradore Android client 2.10.0, or newer.

Unknown sources

Specifies whether the device user is allowed to enable the "Unknown sources" setting that allows the installation of apps from sources other than the Google Play Store. This restriction is supported in devices with Android 4.3 or newer. Notice that this setting works only when managing the device in device owner mode and it requires Miradore Online Client version 2.6.5 or newer.

Unmute microphone

Specifies whether the device user is allowed to unmute the microphone. This restriction is supported in devices with Android 5.0 or newer.

USB file transfer

Specifies whether the device user is allowed to transfer files over USB. This restriction is supported in devices with Android 4.3 or newer.

User switch

Specifies if user switching is allowed on the device. This restriction is supported in devices with Android 9.0 or newer.

Wi-Fi configuration

Specifies whether the device user is allowed to configure Wi-Fi settings. This restriction is supported in devices with Android 4.3 or newer.

Profile owner

Cross-profile caller ID

Specifies whether the caller-ID information from the work profile will be shown in the private profile for incoming calls. This restriction is supported in devices with Android 5.0 or newer.

Cross-profile contact search

Specifies whether the contact search from the work profile will be shown in the private profile. This restriction is supported in devices with Android 7.0 or newer.

Cross-profile copy-paste

Specifies whether the contents of the clipboard of this profile can be pasted to other profiles, e.g. outside of the work profile. Does not restrict whether the clipboard of other profiles can be pasted to this profile. This restriction is supported in devices with Android 5.0 or newer.

Bluetooth contact sharing

Specifies whether Bluetooth devices can access enterprise contacts inside the work profile. This restriction is supported in devices with Android 6.0 or newer.

Share into the work profile

Specifies whether the device user can share files, photos, or data from the private profile into the work profile either by sending them or by picking up data within an app in the work profile. This restriction is supported in devices with Android 9.0 or newer.

Unified passcode

Specifies whether the work profile is allowed to have a unified lock screen challenge with the private profile. This restriction is supported in devices with Android 9.0 or newer.

Account management

Account modification

Specifies whether the device user is allowed to add and remove accounts unless they are programmatically added by Authenticator. This restriction is supported in devices with Android 4.3 or newer.

Deny account management types

Specifies a list of account types that cannot be managed on the device or work profile. Users cannot add, remove or modify these account types.

In the personal devices deployment scenario, the restrictions only apply to the applications and services inside the created work profile since Miradore Online Client operates as the profile owner of the work data and has limited control outside of the work profile. In other words, the Miradore Online Client is no longer the device administrator of the whole device. For example, if you deny the use of a camera, then the camera application and features cannot be used in applications inside the work profile, but the camera application is available outside of the work profile.

In the work managed devices deployment scenario, the restrictions apply to the entire device since Miradore Online Client is the device owner of the device.
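A pre-deployment check can catch profiles that will not behave as intended on a given device. The added example below (not Miradore code) flags restrictions whose minimum Android version is not met, restrictions listed under a section for a different management mode, and restrictions that overlap with Kiosk mode. It assumes the section headings of this article map to management modes and that the Kiosk list entries correspond to the restriction names used here; the devices and the profile are constructed sample data.

```python
# Transcribed from this article: minimum Android version and the section
# each restriction is listed under. Only a subset is included here.
RESTRICTIONS = {
    "Camera": ((4, 0), "common"),
    "Screen capture": ((5, 0), "common"),
    "System error dialogs": ((9, 0), "common"),
    "Factory reset": ((5, 0), "fully_managed"),
    "Safe boot": ((6, 0), "fully_managed"),
    "Adjust volume": ((5, 0), "fully_managed"),
    "Screen off timeout configuration": ((9, 0), "fully_managed"),
    "Cross-profile copy-paste": ((5, 0), "profile_owner"),
    "Unified passcode": ((9, 0), "profile_owner"),
}
# Restrictions the article warns against deploying on top of Kiosk mode.
# Matching the Kiosk wording to these restriction names is an assumption.
KIOSK_OVERLAP = {"Adjust volume", "Factory reset", "Safe boot",
                 "Screen off timeout configuration", "Add users",
                 "Mount physical media", "System error dialogs"}

def parse_version(text):
    """'9' -> (9, 0); '5.1.1' -> (5, 1). Major.minor is all the article uses."""
    parts = [int(p) for p in text.split(".")[:2]]
    return (parts[0], parts[1] if len(parts) > 1 else 0)

def lint(profile, device):
    """Return (restriction, reason) pairs that need review before deployment."""
    findings = []
    version = parse_version(device["android"])
    for name in profile:
        if name not in RESTRICTIONS:
            findings.append((name, "not in table"))
            continue
        min_version, section = RESTRICTIONS[name]
        if version < min_version:
            findings.append((name, "Android version too old"))
        if section != "common" and section != device["mode"]:
            findings.append((name, "listed for " + section))
        if device["kiosk"] and name in KIOSK_OVERLAP:
            findings.append((name, "overlaps Kiosk mode"))
    return findings

# Constructed sample data (hypothetical devices and profile).
PROFILE = ["Camera", "Factory reset", "Safe boot", "Unified passcode"]
KIOSK_TABLET = {"android": "5.1", "mode": "fully_managed", "kiosk": True}
BYOD_PHONE = {"android": "13", "mode": "profile_owner", "kiosk": False}

if __name__ == "__main__":
    for device in (KIOSK_TABLET, BYOD_PHONE):
        print(device, lint(PROFILE, device))
```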

In addition to these restrictions, unknown sources are always disabled when a work profile is enabled on an Android device or a managed account is created. This means that if you want to deploy in-house applications, you must install them as private applications for the managed Google Play Enterprise. For more information about private apps, see Adding private managed Google Play applications.

Play Store for unmanaged accounts

Specifies whether device users are allowed to access the consumer version of Google Play store using their personal Google Accounts. When denied, device users can only access the managed Google Play store. This restriction allows the device users to add their personal Google account to the device if they want to use other Google services with the personal account. See Restricting the use of personal Google accounts on Android devices for more.

Location control

With the location control settings, administrators can remotely manage the location settings of Android devices. They can, for example, enable the use of GPS for device positioning and prevent device users from disabling the location services on the device. See How to remotely manage and enforce location settings on Android for more details.

More information:

About Android device management

How to configure managed Google Play Enterprise

How to enable work profile to Android devices

How to enroll work managed devices

Creating a configuration profile

Deploying a configuration profile

Removing deployed configuration profiles
