Restrictions

The Restrictions settings restrict specific features, network settings, developer options, and location detection policies on Android devices.

Device features

The following table describes the restrictions that you can configure on an Android device.
Policy setting Description Supported devices
Allow camera The device can use a camera. Android 5.0+ (PO and DO)
Allow camera on personal profile Allow or Restrict the use of the camera on the personal profile of WPCO enrolled devices. This setting disables hardware across all personal apps when restricted. The default value is Allow. Android 11.0+ (WPCO)
Mute Master Volume When enabled, the volume is muted at the device level, and there will be no sound from any audio connections. The default value is disabled. Android 5.0+ (DO)
Allow unmuting of microphone Allow or restrict access to the microphone. When restricted, the audio is not passed through the mic from either the phone or other apps that can leverage the functionality. The default value is Allow. Android 5.0+ (DO)
Allow volume adjustments Allow or restrict the ability to adjust the volume. If restricted the device volume remains at the last set value. The default value is Allow. Android 5.0+ (DO)
Allow bluetooth configuration Allow or restrict the ability to modify the Bluetooth settings and configurations. Restricting freezes the existing settings. The default value is Allow. Android 5.0+ (DO)
Allow outgoing beam Allow or restrict the ability to send information externally with Near Field Communication (NFC). The default value is Allow. Disabling this feature restricts DO enrollments on the device. Android 5.1.1+ (PO and DO)
Allow sharing of locations Allow/Restrict application access to location information. The default value is Allow. Android 5.0+ (PO and DO)
Allow SD card The device can use an SD card.

If this setting is disabled in the policy, the SD card cannot be mounted on a device.

 SAFE 2.0+
Allow SD card write The user can manage data on the SD card. SAFE 3.0+
Allow USB mass storage The user can connect a device to a computer through the USB port and transfer files between devices. Android 2.x or Android 3.x
Allow USB media player (MTP, PTP) The user can connect a device to a computer and transfer files between devices. SAFE 2.0+
Allow multiple user account The user can set up multiple user accounts on tablets. SAFE 4.0+
Use network-provided date and time The network provider can automatically update the device with the latest date and time.

Enable this setting if you are using the Mobile Expense Management (MEM) feature.

 Android 2.2+
Disable screen dim The device screen remains active until the device is locked. Android 6.0 (PO and DO)
Allow Audio recording The user can record audio on the device.

If this setting is disabled in the policy, the user can still use the device for phone calls and to stream audio with VoIP apps.

 SAFE 4.0+
Allow Video recording The user can record video on the device.

If this setting is disabled in the policy, the user can still take pictures with the camera.

SAFE 4.0+
Allow Svoice The user can use the S Voice app on the device. SAFE 4.0+
Allowed Apps to manage certificates on Android TrustStore Determines which apps can install, list, or remove certs to, in, or from the Trust Store. Enter comma separated values. SAFE 5.8+
Disallow Printing Enable or disable restrictions on printing from the device. Android 9.0+ (PO and DO)
Disable Date & Time Configuration Enabled or disable the ability to manually set the date and time on the device. The default setting is enabled. If disabled on DO, it disables the date, time, and time zone setting on the entire device and all users on the device are affected. Android 9.0+ (DO)
Disable Ambient Display Enable or disable the Ambient Display feature that exhibits device notifications on the wake screen display. The default value is enabled. Android 9.0+ (DO)
Disable Brightness Configuration Enable or disable the users ability to alter screen brightness settings. The default value is enabled. Android 9.0+ (DO)
Disallow Locale Configuration Allow or restrict the ability to set the locale on the device. This can impact other features such as time and date. The default value is Allow. Disallowing configuration stops the user from changing the locale. Android 9.0+ (DO)
Disallow System Error Dialogs Allow or restrict the device from displaying system errors for items like crashed apps or when processes stop working. The default value is Allow. Disallowing dialogs stops the system error dialogs for crashed or unresponsive apps. Android 9.0+ (DO)
Disable Airplane Mode Allow or restrict the use of Airplane Mode. The default value is Allow. Android 9.0+ (DO)

Network Restrictions

The following table describes the network restrictions that you can configure on an Android device.
Policy setting Description Supported devices
Allow outgoing calls Allow or restrict outgoing calls (does not impact emergency numbers). The default value is Allow. Android 5.0+ (DO)
Allow SMS Allow or restrict SMS does not impact the visibility of the SMS app on the device itself but just the functionality of sending and receiving messages. The default value is Allow. Android 5.0+ (DO)
Allow Wi-Fi

If this setting is set to Yes, then the device can use wifi.

The device in COSU mode can still access the MaaS360® custom Wi-Fi settings and switch between available networks even though the following settings are set to the wanted mode.
  • Allow Wi-Fi is set to No.
  • Allow Settings Changes is disabled.
  • Wi-Fi Restrict edit or delete of profile is set to No.
 Android 2.2+
Allow or block Wi-Fi networks by SSID Define a list of wifi networks to be allowed or blocked. The values are as follows.
  • No Restrictions
  • Add allowlist
  • Add blocklist
 Android 13.0+ (DO)
Minimum Wi-Fi security level Define the minimum security levels required to connect to the wifi networks. The values are as follows.
  • Open
  • Personal
  • Enterprise EAP
  • Enterprise 192
 Android 13.0+ (DO)
Allow configuring Wi-Fi Allow user to configure Wi-Fi networks. Disabling this setting may result in no Wi-Fi access on the devices if no wifi SSIDs are pushed to the devices through policies. Android 13.0+ (DO)
Allow change Wi-Fi state Allow the user to turn on or off the wifi. Android 13.0+ (DO)
Allow Wi-Fi Direct Allow or restrict the use of Wi-Fi Direct (direct device-to-device connection) for file sharing. The default value is Allow. SAFE 4.0+

Android 13.0+ (DO)
Allow Wi-Fi Tethering Allow or restrict the use of Wi-Fi Tethering. Android 13.0+ (DO)
Enforce Wi-Fi is always on The device is forced to use wifi instead of cellular data. Android 2.2+
Bluetooth The device can use Bluetooth. Android 2.2+
Allow data network The device can use cellular data. Android 2.2+
Enable background data synchronization In the background, the device synchronizes apps on the device, and sends and downloads data. Android 2.x or Android 3.x
Auto-Sync The device can automatically synchronize device accounts such as Facebook and Twitter. Android 2.2+
Allow VPN The device can access a VPN.

If this setting is disabled in the policy, the user cannot access the VPN configuration screen to establish a VPN session.

 SAFE 2.2+
Allow Mobile Network configuration Allow or restrict the modification of network settings on the device. The default value is Allow. Android 5.0+ (DO)
Allow Data roaming Allow or restrict data roaming. The default value is Allow. Android 7.0+ (DO)
Allow configuration of cell broadcasts Allow or restrict cellular setting changes on the device. The default value is Allow. Android 5.0+ (DO)
Allow Network reset Allow or restrict the reset of network settings on the device. The default value is Allow. Android 6.0+ (DO)
Mobile AP The device can use a Mobile AP (Mobile Access Point). Android 2.2+
Allow Tethering The device can connect (tether) to other devices through wifi, Bluetooth, or USB.

If this setting is disabled in the policy, the device cannot connect to other devices through wifi, Bluetooth, or USB.

Note: You can block third-party apps that allow tethering.
 SAFE 2.0+

Android 5.0+ (DO)
USB tethering The device can connect to another device through USB. Android 2.2+
Allow Bluetooth tethering The device can connect to another device through Bluetooth. SAFE 2.0+
Allow Airplane Mode The device user is allowed to enable Airplane mode if this setting is turned on. Zebra, Honeywell, Bluebird
Allow Android Beam The device uses Android Beam to share data with another device that supports NFC.

If Android Beam is disabled, S Beam is also automatically disabled.

 SAFE 4.0+
Enable separate dialer for Work Profile Enable/Disable separate dialer feature specifically for the work profile. The default value is disabled. Android 7.0+ (PO)
Allow Sbeam The device uses S Beam to share data through Wi-Fi Direct. SAFE 4.0+
Allow user to set mobile data limit The user can set a limit on the amount of cellular data that is used on the device. SAFE 4.0+
Near Field Communication (NFC) The device uses Near Field Communication (NFC) for short-range communications. SAFE 2.0+
Wi-Fi Timeout Define the timeout settings for device attempts to connect to a wifi network.
  • Default
    The device uses the default system setting.
  • Never
    The timeout setting is disabled on the device.
  • Never when plugged-in
    The timeout setting is disabled when the device is connected to external hardware.
 Android 5.0+ (DO)
Default dialer application Set the default dialer application. The default value is empty. The OS provides the default dialer app to receive the phone call.
Note: When a custom app is set on the policy and the app is installed on the device, the new app receives the phone call. When an admin removes the app from the policy on the Portal, it remains as default until it is removed from the device.
 Android 14+ (DO)
Default SMS application Set the default SMS application for a DO device, or in the personal profile for a WPCO device. The default value is empty. The OS provides the default SMS app to send or receive the text messages.
Note: When a custom app is set on the policy and the app is installed on the device, the new app receives the SMS. When a user removes the app from the policy on the Portal, it remains as default until it is removed from the device.
 Android 10+ (DO)

Android 11+ (WPCO)
Configure 5G network slicing Configure your 5G network slices to enable access to multiple virtual networks that support different capabilities over a single 5G mobile connection.

This option is available in the IBM® MaaS360 Android app version 9.00 and later.

Select the Configure 5G network slicing checkbox to display the following options.
  • Network identifier
    Select the identifier for the network slice from the drop-down.
  • App IDs
    Enter a comma-separated list of app IDs to be routed on the network slice in the text box.
  • Enable automatic fallback to default network
    For apps specified in the App IDs field, select this checkbox to enable automatic fallback to the device-wide default network if the network slice is not available.
  • Block apps from accessing non-matching networks

    Android 14+ (PO and DO)

    Select this checkbox to block apps that are specified in the App IDs field from accessing other networks than the network slice.

    This option is applicable only when Enable automatic fallback to default network is disabled.

Android 13+ (PO and DO)

Developer options

The following table describes the restrictions that developers can configure on an Android device.
Policy setting Description Supported devices
Allow USB debugging
Important: This setting is dependent on the Allow Installation of Non-Google Play Applications policy. USB debugging can only be enabled if that policy is also enabled.

Enables USB debugging, allowing users to connect the device to a computer with the Android SDK for development and troubleshooting.

 SAFE 2.0+
Allow Background Process Limit The user can set the number of processes that are running in the background.

If this setting is disabled in the policy, the number of processes that run in the background is set at a maximum number.

 SAFE 4.0+
Allow Killing Activities on Leave The device can kill all instances of an activity when the user logs out of the device.

If this setting is disabled in the policy, the Don't Keep Activities setting is disabled on the device, and the user cannot enable the setting on the device.

 SAFE 4.0+
Allow mock locations The user can fake the GPS location on a device. Android 2.2+
Allow Google Crash Report The device can send the logs for a crash report to Google. SAFE 3.0+

Location detection policies

The following table describes the restrictions that you can configure to locate an Android device.
Policy setting Description Supported devices
Use wireless networks / Google's Location service for location detection The device can use wifi networks.

If this setting is enabled in the policy, the location of the device is tracked through wifi and the mobile network.

 Android 2.2+
Use GPS satellites for location detection The device can use GPS satellites.

If this setting is enabled in the policy, the device location is tracked through GPS.

 Android 2.2+
Use sensor aiding for location detection The location of the device is tracked through sensors. SAFE 3.0+