Android Enterprise device settings to allow or restrict features using Intune

This article lists and describes the different settings you can control on Android Enterprise devices. As part of your mobile device management (MDM) solution, use these settings to allow or disable features, run apps on dedicated devices, control security, and more.

This feature applies to:

  • Android Enterprise personally owned devices with a work profile (BYOD)
  • Android Enterprise corporate-owned work profile (COPE)
  • Android Enterprise corporate owned fully managed (COBO)
  • Android Enterprise corporate owned dedicated devices (COSU)

For Android device administrator, see Android and Samsung Knox Standard device restrictions.

Before you begin

Create an Android Enterprise device restrictions profile:

  • Fully managed, dedicated, and corporate-owned work profile
  • Personally owned devices with a work profile

Fully Managed, Dedicated, and Corporate-Owned Work Profile

These settings apply to Android Enterprise enrollment types where Intune controls the entire device, such as Android Enterprise fully managed, dedicated, and corporate-owned work profile devices.

Some settings are not supported by all enrollment types. To see which settings are supported by which enrollment types, see the user interface. Each setting is under a heading that indicates the enrollment types that can use the setting.

See the Android Enterprise Users and Accounts setting headers and the enrollment types they apply to in Microsoft Intune and Endpoint Manager.

Some settings only apply at the work profile level for corporate-owned devices with a work profile. For fully managed and dedicated devices, these settings apply device-wide. These settings are marked (work profile-level) in the setting name.

See the Android Enterprise Applications settings that apply at the corporate-owned work profile level in Microsoft Intune and Endpoint Manager.

General

Fully managed, dedicated, and corporate-owned work profile devices

  • Screen capture (work profile-level): Block prevents screenshots or screen captures on the device. It also prevents the content from being shown on display devices that don't have a secure video output. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might let users capture the screen contents as an image.

  • Camera (work profile-level): Block prevents access to the camera on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow access to the camera.

    Intune only manages access to the device camera. It doesn't have access to pictures or videos.

  • Default permission policy (work profile-level): This setting defines the default permission policy for requests for runtime permissions. Your options:

    • Device default (default): Use the device's default setting.
    • Prompt: Users are prompted to approve the permission.
    • Auto grant: Permissions are automatically granted.
    • Auto deny: Permissions are automatically denied.
  • Date and Time changes: Block prevents users from manually setting the date and time. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to set the date and time on the device.

  • Safe boot: Block prevents users from rebooting the device into safe mode. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to reboot the device in safe mode.

  • Roaming data services: Block prevents data roaming over the cellular network. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow data roaming when the device is on a cellular network.

  • Wi-Fi access point configuration: Block prevents users from creating or changing any Wi-Fi configurations. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to change the Wi-Fi settings on the device.

  • Bluetooth configuration: Block prevents users from configuring Bluetooth on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using Bluetooth on the device.

  • Tethering and access to hotspots: Block prevents tethering and access to portable hotspots. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow tethering and access to portable hotspots.

  • USB file transfer: Block prevents transferring files over USB. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow transferring files.

  • External media: Block prevents using or connecting any external media on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow external media on the device.

  • Beam data using NFC (work profile-level): Block prevents using the Near Field Communication (NFC) technology to beam data from apps. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using NFC to share data between devices.

  • Debugging features: Choose Allow to let users use debugging features on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent users from using the debugging features on the device.

  • Microphone adjustment: Block prevents users from unmuting the microphone and adjusting the microphone volume. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to use and adjust the volume of the microphone on the device.

  • Factory reset protection emails: Choose Google account email addresses. Enter the email addresses of device administrators that can unlock the device after it's wiped. Be sure to separate the email addresses with a semi-colon, such as admin1@gmail.com;admin2@gmail.com. If an email isn't entered, anyone can unlock the device after it's restored to the factory settings. These emails only apply when a non-user factory reset is run, such as running a factory reset using the recovery menu.

    When set to Not configured (default), Intune doesn't change or update this setting.

  • System update: Choose an option to define how the device handles over-the-air updates. Your options:

    • Device Default (default): Use the device's default setting.
    • Automatic: Updates are automatically installed without user interaction. Setting this policy immediately installs any pending updates.
    • Postponed: Updates are postponed for 30 days. At the end of the 30 days, Android prompts users to install the update. It's possible for device manufacturers or carriers to prevent (exempt) important security updates from being postponed. An exempted update shows a system notification to users on the device.
    • Maintenance window: Installs updates automatically during a daily maintenance window that you set in Intune. Installation tries daily for 30 days, and can fail if there's insufficient space or battery levels. After 30 days, Android prompts users to install. This window is also used to install updates for Play apps. Use this option for dedicated devices, such as kiosks, as single-app dedicated device foreground apps can be updated.

Fully managed and dedicated devices

  • Volume changes: Block prevents users from changing the device's volume, and also mutes the main volume. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using the volume settings on the device.

  • Factory reset: Block prevents users from using the factory reset option in the device's settings. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to use this setting on the device.

  • Status bar: Block prevents access to the status bar, including notifications and quick settings. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users access to the status bar.

  • Wi-Fi setting changes: Block prevents users from changing Wi-Fi settings created by the device owner. Users can create their own Wi-Fi configurations. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to change the Wi-Fi settings on the device.

  • USB storage: Choose Allow to access USB storage on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent access to USB storage.

  • Network escape hatch: Enable allows users to turn on the network escape hatch feature. If a network connection isn't made when the device boots, then the escape hatch asks to temporarily connect to a network and refresh the device policy. After applying the policy, the temporary network is forgotten and the device continues booting. This feature connects devices to a network if:

    • There isn't a suitable network in the last policy.
    • The device boots into an app in lock task mode.
    • Users are unable to reach the device settings.

    When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent users from turning on the network escape hatch feature on the device.

  • Notification windows: When set to Disable, window notifications, including toasts, incoming calls, outgoing calls, system alerts, and system errors aren't shown on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might show notifications.

  • Skip first use hints: Enable hides or skips suggestions from apps that step through tutorials, or hints when the app starts. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might show these suggestions when the app starts.

Dedicated devices

  • Power button menu: Block hides the power options when users hold down the power button when in kiosk mode. Hiding these options prevents users from accidentally or intentionally shutting down devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, when users hold down the power button on a device, they're shown power options, such as Restart and Power off.

    This setting applies to:

    • Android 9.0 and newer

  • System error warnings: Allow shows system warnings on the screen when in kiosk mode, including unresponsive app warnings and other system warnings. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might hide these warnings. When one of these events occurs, the system forces the app to close.

    This setting applies to:

    • Android 9.0 and newer

  • Enabled system navigation features: Allow users to access the device home and overview buttons when in kiosk mode. Your options:

    • Not configured (default): Intune doesn't change or update this setting. By default, the OS might disable the device home and overview buttons.
    • Home button only: Users can see and select the home button. They can't see or select the overview buttons.
    • Home and overview buttons: Users can see and select the home and overview buttons.

    This setting applies to:

    • Android 9.0 and newer
  • System notifications and information: Allow users to access the device status bar, and receive notifications from the status bar when in kiosk mode. Your options:

    • Not configured (default): Intune doesn't change or update this setting. By default, the OS might disable the status bar, and disable notifications on the status bar.
    • Show system information in device's status bar: Users can see system information on the status bar. Users can't see or receive notifications from the status bar.
    • Show system notifications and information in device's status bar: Users can see the system information, and receive notifications from the status bar. To see notifications, enable the device home button using the Enabled system navigation features setting.

    This setting applies to:

    • Android 9.0 and newer
  • End-user access to device settings: Block prevents users from accessing the Settings app. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to access the Settings app.

    This setting applies to:

    • Android 9.0 and newer

System security

  • Threat scan on apps: Require (default) enables Google Play Protect to scan apps before and after they're installed. If it detects a threat, it may warn users to remove the app from the device. When set to Not configured, Intune doesn't change or update this setting. By default, the OS might not enable or run Google Play Protect to scan apps.

Device experience

Use these settings to configure a kiosk-style experience on your dedicated devices, or to customize the home screen experiences on your fully managed devices. You can configure devices to run one app, or run many apps. When a device is set with kiosk mode, only the apps you add are available.

Enrollment profile type: Select an enrollment profile type to start configuring Microsoft Launcher or the Microsoft Managed Home Screen on your devices. Your options:

  • Not configured: Intune doesn't change or update this setting. By default, users might see the device's default home screen experience.

  • Dedicated device: Configure a kiosk-style experience on your dedicated devices. Before you configure these settings, be sure to add and assign the apps you want on the devices.

    • Kiosk mode: Choose if the device runs one app or runs multiple apps. Your options:

      • Not configured: Intune doesn't change or update this setting.

      • Single app: Users can only access a single app on the device. When the device starts, only the specific app starts. Users are restricted from opening new apps or from changing the running app.

        • Select an app to use for kiosk mode: Select the managed Google Play app from the list.

        Important

        When using single-app kiosk mode, dialer/phone apps may not work properly.

      • Multi-app: Users can access a limited set of apps on the device. When the device starts, only the apps you add start. You can also add some web links that users can open. When the policy is applied, users see icons for the allowed apps on the home screen.

        Important

        For multi-app dedicated devices, the Managed Home Screen app from Google Play must be:

        The Managed Home Screen app isn't required to be in the configuration profile, but it's required to be added as an app. When the Managed Home Screen app is added, any other apps you add in the configuration profile are shown as icons on the Managed Home Screen app.

        When using multi-app kiosk mode, dialer/phone apps may not function properly.

        For more information on the Managed Home Screen, see set up Microsoft Managed Home Screen on dedicated devices in multi-app kiosk mode.

        • Add: Select your apps from the list.

          If the Managed Home Screen app isn't listed, then add it from Google Play. Be sure to assign the app to the device group created for your dedicated devices.

          You can also add other Android apps and web apps created by your organization to the device. Be sure to assign the app to the device group created for your dedicated devices.

        • Folder icon: Select the color and shape of the folder icon that's shown on the Managed Home Screen. Your options:

          • Not configured
          • Dark theme rectangle
          • Dark theme circle
          • Light theme rectangle
          • Light theme circle
        • App and Folder icon size: Select the size of the app and folder icons that are shown on the Managed Home Screen. Your options:

          • Not configured
          • Extra small
          • Small
          • Average
          • Large
          • Extra large

          Depending on the screen size, the actual icon size may be different.

        • Screen orientation: Select the direction the Managed Home Screen is shown on devices. Your options:

          • Not configured
          • Portrait
          • Landscape
          • Autorotate
        • App notification badges: Enable shows the number of new and unread notifications on app icons. When set to Not configured, Intune doesn't change or update this setting.

        • Virtual home button: A soft-key button that returns users to the Managed Home Screen so users can switch between apps. Your options:

          • Not configured (default): A home button isn't shown. Users must use the back button to switch between apps.
          • Swipe-up: A home button shows when a user swipes up on the device.
          • Floating: Shows a persistent, floating home button on the device.
        • Leave kiosk mode: Enable allows Administrators to temporarily pause kiosk mode to update the device. To use this feature, the administrator:

          1. Continues to select the back button until the Exit kiosk button shows.
          2. Selects the Exit kiosk button, and enters the Leave kiosk mode code PIN.
          3. Selects the Managed Home Screen app when finished. This step relocks the device into multi-app kiosk mode.

          When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent administrators from pausing kiosk mode. If the administrator keeps selecting the back button, and selects the Exit kiosk button, then a message states that a passcode is required.

        • Leave kiosk mode code: Enter a 4-6 digit numeric PIN. The administrator uses this PIN to temporarily pause kiosk mode.

        • Set custom URL background: Enter a URL to customize the background screen on the dedicated device. For example, enter http://contoso.com/backgroundimage.jpg.

          Note

          For most cases, we recommend starting with images of at least the following sizes:

          • Phone: 1080x1920 px
          • Tablet: 1920x1080 px

          For the best experience and crisp details, it's suggested that per device image assets be created to the display specifications.

          Modern displays have higher pixel densities and can display equivalent 2K/4K definition images.

        • Shortcut to settings menu: Disable hides the Managed Settings shortcut on the Managed Home Screen. Users can still swipe down to access the settings. When set to Not configured (default), Intune doesn't change or update this setting. By default, the Managed Settings shortcut is shown on devices. Users can also swipe down to access these settings.

        • Quick access to debug menu: This setting controls how users access the debug menu. Your options:

          • Enable: Users can access the debug menu easier. Specifically, they can swipe down, or use the Managed Settings shortcut. As always, they can continue to select the back button 15 times.
          • Not configured (default): Intune doesn't change or update this setting. By default, easy access to the debug menu is turned off. Users must select the back button 15 times to open the debug menu.

          Using the debug menu, users can:

          • See and upload Managed Home Screen logs
          • Open Google's Android Device Policy Manager app
          • Open the Microsoft Intune app
          • Exit kiosk mode
        • Wi-Fi configuration: Enable shows the Wi-Fi control on the Managed Home Screen, and allows users to connect the device to different Wi-Fi networks. Enabling this feature also turns on device location. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show the Wi-Fi control on the Managed Home Screen. It prevents users from connecting to Wi-Fi networks while using the Managed Home Screen.

          • Wi-Fi allow list: Create a list of valid wireless network names, also known as the service set identifier (SSID). Managed Home Screen users can only connect to the SSIDs you enter.

            When left blank, Intune doesn't change or update this setting. By default, all available Wi-Fi networks are allowed.

            Import a .csv file that includes a list of valid SSIDs.

            Export your current list to a .csv file.

          • SSID: You can also enter the Wi-Fi network names (SSID) that Managed Home Screen users can connect to. Be sure to enter valid SSIDs.

        • Bluetooth configuration: Enable shows the Bluetooth control on the Managed Home Screen, and allows users to pair devices over Bluetooth. Enabling this feature also turns on device location. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show the Bluetooth control on the Managed Home Screen. It prevents users from configuring Bluetooth and pairing devices while using the Managed Home Screen.

        • Flashlight access: Enable shows the flashlight control on the Managed Home Screen, and allows users to turn the flashlight on or off. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show the flashlight control on Managed Home Screen. It prevents users from using the flashlight while using the Managed Home Screen.

        • Media volume control: Enable shows the media volume control on the Managed Home Screen, and allows users to adjust the device's media volume using a slider. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show the media volume control on Managed Home Screen. It prevents users from adjusting the device's media volume while using the Managed Home Screen, unless their hardware buttons support it.

        • Quick access to device information: Enable allows users to swipe down to see the device information on the Managed Home Screen, such as the serial number, make and model number, and SDK level. When set to Not configured (default), Intune doesn't change or update this setting. By default, the device information might not be shown.

        • Screen saver mode: Enable shows a screensaver on the Managed Home Screen when the device is locked or times out. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show a screensaver on the Managed Home Screen.

          When enabled, also configure:

          • Set custom screen saver image: Enter the URL to a custom PNG, JPG, JPEG, GIF, BMP, WebP, or ICO image. If you don't enter a URL, then the device's default image is used, if there's a default image.

            For example, enter:

            • http://www.contoso.com/image.jpg
            • www.contoso.com/image.bmp
            • https://www.contoso.com/image.webp

            Tip

            Any file resource URL that can be turned into a bitmap is supported.

          • Number of seconds the device shows screen saver before turning off screen: Choose how long the device shows the screensaver. Enter a value between 0-9999999 seconds. Default is 0 seconds. When left blank, or set to zero (0), the screen saver is active until a user interacts with the device.

          • Number of seconds the device is inactive before showing screen saver: Choose how long the device is idle before showing the screensaver. Enter a value between 1-9999999 seconds. Default is 30 seconds. You must enter a number greater than zero (0).

          • Detect media before starting screen saver: Enable (default) doesn't show the screen saver if audio or video is playing on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might show the screen saver, even if audio or video is playing.

  • Fully managed: Configures the Microsoft Launcher app on fully managed devices.

    • Make Microsoft Launcher the default launcher: Enable sets Microsoft Launcher as the default launcher on the home screen. If you make Launcher the default, users can't use another launcher. When set to Not configured (default), Intune doesn't change or update this setting. By default, the Microsoft Launcher isn't forced as the default launcher.

    • Configure custom wallpaper: In the Microsoft Launcher app, Enable lets you apply your own image as the home screen wallpaper, and choose if users can change the image. When set to Not configured (default), Intune doesn't change or update this setting. By default, the device keeps its current wallpaper.

      • Enter URL of wallpaper image: Enter the URL of your wallpaper image. This image shows on the device home screen. For example, enter http://www.contoso.com/image.jpg.
      • Allow user to modify wallpaper: Enable allows users to change the wallpaper image. When set to Not configured (default), Intune doesn't change or update this setting. By default, users are prevented from changing the wallpaper.
    • Enable launcher feed: Enable turns on the launcher feed, which shows calendars, documents, and recent activities. When set to Not configured (default), Intune doesn't change or update this setting. By default, this feed isn't shown.

      • Allow user to enable/disable feed: Enable lets users enable or disable the launcher feed. Enable only forces this setting the first time the profile is assigned. Any future profile assignments don't force this setting. When set to Not configured (default), Intune doesn't change or update this setting. By default, users are prevented from changing the launcher feed settings.
    • Dock presence: The dock gives users quick access to their apps and tools. Your options:

      • Not configured (default): Intune doesn't change or update this setting.
      • Show: The dock is shown on devices.
      • Hide: The dock is hidden. Users must swipe up to access the dock.
      • Disabled: The dock isn't shown on devices, and users are prevented from showing it.
    • Allow user to change dock presence: Enable allows users to show or hide the dock. Enable only forces this setting the first time the profile is assigned. Any future profile assignments don't force this setting. When set to Not configured (default), Intune doesn't change or update this setting. By default, users aren't allowed to change the device dock configuration.

    • Search bar replacement: Choose where to put the search bar. Your options:

      • Not configured (default): Intune doesn't change or update this setting.
      • Top: Search bar is shown at the top of devices.
      • Bottom: Search bar is shown at the bottom of devices.
      • Hide: Search bar is hidden.

Device password

Fully managed, dedicated, and corporate-owned work profile devices

  • Required password type: Enter the required password complexity level, and whether biometric devices can be used. Your options:

    • Device default (default): Most devices don't require a password when set to Device default. If you want to require users to set up a passcode on their devices, configure this setting to something more secure than Device default.

    • Password required, no restrictions

    • Weak biometric: Strong vs. weak biometrics (opens Android's web site)

    • Numeric: Password must only be numbers, such as 123456789. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Numeric complex: Repeated or consecutive numbers, such as "1111" or "1234", aren't allowed. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Alphabetic: Letters in the alphabet are required. Numbers and symbols aren't required. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Alphanumeric: Includes uppercase letters, lowercase letters, and numeric characters. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Alphanumeric with symbols: Includes uppercase letters, lowercase letters, numeric characters, punctuation marks, and symbols. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
      • Number of characters required: Enter the number of characters the password must have, between 0 and 16 characters.
      • Number of lowercase characters required: Enter the number of lowercase characters the password must have, between 0 and 16 characters.
      • Number of uppercase characters required: Enter the number of uppercase characters the password must have, between 0 and 16 characters.
      • Number of non-letter characters required: Enter the number of non-letters (anything other than letters in the alphabet) the password must have, between 0 and 16 characters.
      • Number of numeric characters required: Enter the number of numeric characters (1, 2, 3, and so on) the password must have, between 0 and 16 characters.
      • Number of symbol characters required: Enter the number of symbol characters (&, #, %, and so on) the password must have, between 0 and 16 characters.
  • Number of days until password expires: Enter the number of days until the device password must be changed, from 1-365. For example, enter 90 to expire the password after 90 days. When the password expires, users are prompted to create a new password. When the value is blank, Intune doesn't change or update this setting.

  • Number of passwords required before user can reuse a password: Use this setting to restrict users from creating previously used passwords. Enter the number of previously used passwords that can't be used, from 1-24. For example, enter 5 so users can't set a new password to their current password or any of their previous four passwords. When the value is blank, Intune doesn't change or update this setting.

  • Number of sign-in failures before wiping device: Enter the number of wrong passwords allowed before the device is wiped, from 4-11. When the value is blank, Intune doesn't change or update this setting.

    Note

    Fully managed, dedicated, and corporate-owned work profile devices are not prompted to set a password. The settings are required, but users might not be notified. Users need to set the password manually. The policy reports as failed until the user sets a password that meets your requirements.

  • Disabled lock screen features: When the device is locked, choose the features that can't be used. For example, when Secure camera is checked, the camera feature is disabled on the device. Any features not checked are enabled on the device.

    These features are available to users when the device is locked. Users won't see or access features that are checked.

    • On corporate-owned work profile devices, only Unredacted notifications, Trust agents, and Fingerprint unlock can be disabled.
    • If users turn off the Use one lock setting on their device, then disabling Fingerprint unlock and disabling Trust agents apply at the corporate-owned work profile-level. If users turn on the Use one lock setting, then disabling Fingerprint unlock and disabling Trust agents apply at the device-level.
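Added example, not Intune's or Android's own code: a Python checker for the Required password type rules above (minimum length 4 to 16, the Numeric complex sequence rule, and the per-class counts under Alphanumeric with symbols), which lets you test what a profile will accept before assigning it. The type labels, function names and the reading of Alphanumeric as "at least one letter and one digit" are this example's assumptions; the sequence check also rejects descending and stepped runs such as 4321 or 2468, going beyond the page's two examples to Android's numeric-complex definition.

```python
# Added example (not Intune or Android code): checks a candidate device password
# against the "Required password type" rules listed on this page. The thresholds
# (minimum length 4-16, per-class counts 0-16) come from the page; the type
# labels and function names are this example's own.
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    # One of: numeric, numeric_complex, alphabetic, alphanumeric, alphanumeric_symbols
    required_type: str
    minimum_length: int = 4
    # Per-class minimums; the page lists them only under "Alphanumeric with symbols".
    min_lowercase: int = 0
    min_uppercase: int = 0
    min_non_letter: int = 0
    min_numeric: int = 0
    min_symbol: int = 0


def has_repeated_or_ordered_run(digits: str, max_allowed: int = 3) -> bool:
    """True if a run longer than max_allowed digits repeats ("1111") or steps by a
    constant amount ("1234", "4321", "2468"). The page names "1111" and "1234";
    descending and stepped runs follow Android's numeric-complex definition."""
    run = 2  # any two adjacent digits already form a run with one delta
    for i in range(2, len(digits)):
        if int(digits[i]) - int(digits[i - 1]) == int(digits[i - 1]) - int(digits[i - 2]):
            run += 1
            if run > max_allowed:
                return True
        else:
            run = 2
    return False


def violations(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the rules the password breaks; an empty list means it is compliant."""
    if not 4 <= policy.minimum_length <= 16:
        raise ValueError("Minimum password length must be between 4 and 16")
    counts = {"lower": 0, "upper": 0, "digit": 0, "symbol": 0}
    for c in password:
        if c.islower():
            counts["lower"] += 1
        elif c.isupper():
            counts["upper"] += 1
        elif c.isdigit():
            counts["digit"] += 1
        else:
            counts["symbol"] += 1  # anything else (a caseless letter lands here too)
    letters = counts["lower"] + counts["upper"]
    non_letter = counts["digit"] + counts["symbol"]
    problems = []
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    t = policy.required_type
    if t in ("numeric", "numeric_complex"):
        if not password.isdigit():
            problems.append("must contain only numbers")
        elif t == "numeric_complex" and has_repeated_or_ordered_run(password):
            problems.append("repeated or consecutive numbers aren't allowed")
    elif t == "alphabetic" and letters == 0:
        problems.append("letters are required")
    elif t == "alphanumeric" and (letters == 0 or counts["digit"] == 0):
        # Assumption: at least one letter and one digit, as in Android's alphanumeric quality.
        problems.append("letters and numbers are both required")
    elif t == "alphanumeric_symbols":
        if letters == 0 or counts["digit"] == 0 or counts["symbol"] == 0:
            problems.append("letters, numbers and symbols are all required")
        required = {
            "lowercase": (policy.min_lowercase, counts["lower"]),
            "uppercase": (policy.min_uppercase, counts["upper"]),
            "non-letter": (policy.min_non_letter, non_letter),
            "numeric": (policy.min_numeric, counts["digit"]),
            "symbol": (policy.min_symbol, counts["symbol"]),
        }
        for name, (needed, have) in required.items():
            if have < needed:
                problems.append(f"needs at least {needed} {name} characters, has {have}")
    return problems


def is_compliant(password: str, policy: PasswordPolicy) -> bool:
    return not violations(password, policy)


if __name__ == "__main__":
    # Constructed sample: a 6-digit Numeric complex requirement for a shared kiosk PIN.
    kiosk = PasswordPolicy("numeric_complex", minimum_length=6)
    for pin in ("1234", "111111", "975310", "294718"):
        print(pin, violations(pin, kiosk))
```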

Fully managed and dedicated devices

  • Disable lock screen: Disable blocks all Keyguard lock screen features from being used. When set to Not configured (default), Intune doesn't change or update this setting. By default, when the device is on the lock screen, the OS might allow all the Keyguard features, such as camera, fingerprint unlock, and more.

Power settings

Fully managed, dedicated, and corporate-owned work profile devices

  • Time to lock screen (work profile-level): Enter the maximum time a user can set until the device locks. For example, if you set this setting to 10 minutes, then users can set the time from 15 seconds up to 10 minutes. When set to Not configured (default), Intune doesn't change or update this setting.

Fully managed and dedicated devices

  • Screen on while device plugged in: Choose which power sources cause the device's screen to stay on when plugged in.

Users and Accounts

Fully managed, dedicated, and corporate-owned work profile devices

  • Add new users: Block prevents users from adding new users. Each user has a personal space on the device for custom Home screens, accounts, apps, and settings. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to add other users to the device.

Fully managed and dedicated devices

  • User removal: Block prevents users from removing users. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to remove other users from the device.
  • Personal Google Accounts: Block prevents users from adding their personal Google account to the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to add their personal Google account.
  • User can configure credentials: Block prevents users from configuring certificates assigned to devices, even devices that aren't associated with a user account. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might make it possible for users to configure or change their credentials when they access them in the keystore.

Dedicated devices

  • Account changes: Block prevents users from updating or changing accounts when in kiosk mode. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to update user accounts on the device.

Applications

  • Allow installation from unknown sources: Allow lets users turn on Unknown sources. This setting allows apps to install from unknown sources, including sources other than the Google Play Store. It allows users to side-load apps on the device using means other than the Google Play Store. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent users from turning on Unknown sources.

  • App auto-updates (work profile-level): Devices check for app updates daily. Choose when automatic updates are installed. Your options:

    • Not configured: Intune doesn't change or update this setting.
    • User choice: The OS might default to this option. Users can set their preferences in the managed Google Play app.
    • Never: Updates are never installed. This option isn't recommended.
    • Wi-Fi only: Updates are installed only when the device is connected to a Wi-Fi network.
    • Always: Updates are installed when they're available.
  • Allow access to all apps in Google Play store: When set to Allow, users get access to all apps in Google Play store. They don't get access to the apps the administrator blocks in Client Apps.

    When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might:

    • Force users to only access the apps the administrator makes available in the Google Play store, or apps required in Client Apps.
    • Automatically uninstall any apps that are detected as being installed by users outside of the Google Play store.

    If you want to enable side-loading, set the Allow installation from unknown sources and Allow access to all apps in Google Play store settings to Allow.

Connectivity

Fully managed, dedicated, and corporate-owned work profile devices

  • Always-on VPN (work profile-level): Enable sets the VPN client to automatically connect and reconnect to the VPN. Always-on VPN connections stay connected, or reconnect immediately when users lock their device, the device restarts, or the wireless network changes.

    Choose Not configured to disable always-on VPN for all VPN clients.

    Important

    Be sure to deploy only one Always-on VPN policy to a single device. Deploying multiple Always-on VPN policies to a single device isn't supported.

  • VPN client: Choose a VPN client that supports Always On. Your options:

    • Cisco AnyConnect
    • F5 Access
    • Palo Alto Networks GlobalProtect
    • Pulse Secure
    • Custom
      • Package ID: Enter the package ID of the app in the Google Play store. For example, if the URL for the app in the Play store is https://play.google.com/store/details?id=com.contosovpn.android.prod, then the package ID is com.contosovpn.android.prod.

    Important

    • The VPN client you choose must be installed on the device, and it must support per-app VPN in corporate-owned work profiles. Otherwise, an error occurs.
    • You do need to approve the VPN client app in the Managed Google Play Store, sync the app to Intune, and deploy the app to the device. After you do this, then the app is installed in the user's corporate-owned work profile.
    • You still need to configure the VPN client with a VPN profile, or through an app configuration profile.
    • There may be known issues when using per-app VPN with F5 Access for Android 3.0.4. For more information, see F5's release notes for F5 Access for Android 3.0.4.
  • Lockdown mode: Enable forces all network traffic to use the VPN tunnel. If a connection to the VPN isn't established, then the device won't have network access. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow traffic to flow through the VPN tunnel or through the mobile network.

Fully managed and dedicated devices

  • Recommended global proxy: Enable adds a global proxy to the devices. When enabled, HTTP and HTTPS traffic, including some apps on the device, use the proxy you enter. This proxy is only a recommendation. It's possible some apps won't use the proxy. Not configured (default) doesn't add a recommended global proxy.

    For more information on this feature, see setRecommendedGlobalProxy (opens an Android site).

    When enabled, also enter the Type of proxy. Your options:

    • Direct: Manually enter the proxy server details, including:

      • Host: Enter the hostname or IP address of your proxy server. For example, enter proxy.contoso.com or 127.0.0.1.
      • Port number: Enter the TCP port number used by the proxy server. For example, enter 8080.
      • Excluded hosts: Enter a list of host names or IP addresses that won't use the proxy. This list can include an asterisk (*) wildcard and multiple hosts separated by semicolons (;) with no spaces. For example, enter 127.0.0.1;web.contoso.com;*.microsoft.com.
    • Proxy Auto-Config: Enter the PAC URL to a proxy autoconfiguration script. For example, enter https://proxy.contoso.com/proxy.pac.

      For more information on PAC files, see Proxy Auto-Configuration (PAC) file (opens a non-Microsoft site).

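
The following Python model of the Direct proxy settings described above is an added example, not part of the original article and not Intune or Android code. It parses the Host, Port number and Excluded hosts fields (including the semicolon separator and the `*` wildcard), decides for a given URL whether the device would send it to the proxy or bypass it, and renders the same settings as a Proxy Auto-Config script, the other Type of proxy the page describes. The wildcard semantics (glob matching against the full host name) and the "only HTTP and HTTPS go through the proxy" rule are assumptions that approximate the platform behaviour; the proxy host and URLs below are constructed sample values.

```python
"""Model of the Intune 'Recommended global proxy' Direct settings.
Added example, not Intune or Android code. Wildcard matching semantics
are an assumption (shell-style glob against the full host name)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass(frozen=True)
class DirectProxy:
    host: str
    port: int
    excluded_hosts: tuple[str, ...]


def parse_excluded_hosts(value: str) -> tuple[str, ...]:
    """Parse the Excluded hosts field: entries separated by ';' with no
    spaces, each a host name, IP address or '*' wildcard pattern."""
    entries = []
    for raw in value.split(";"):
        if raw == "":
            continue  # tolerate a trailing ';'
        if any(ch.isspace() for ch in raw) or "," in raw:
            raise ValueError(
                f"invalid excluded host entry {raw!r}: separate entries with ';' and no spaces")
        entries.append(raw.lower())
    return tuple(entries)


def build_direct_proxy(host: str, port: int, excluded_hosts: str = "") -> DirectProxy:
    """Validate the Host and Port number fields and build the proxy setting."""
    if not host or any(ch.isspace() for ch in host):
        raise ValueError("proxy host must be a host name or IP address")
    if not 1 <= port <= 65535:
        raise ValueError("proxy port must be a TCP port number (1-65535)")
    return DirectProxy(host.lower(), port, parse_excluded_hosts(excluded_hosts))


def is_excluded(host: str, proxy: DirectProxy) -> bool:
    """True when the host matches an Excluded hosts entry and bypasses the proxy.
    Note that '*.microsoft.com' matches 'www.microsoft.com' but not the bare
    'microsoft.com'; list the bare domain too if it should bypass the proxy."""
    h = host.lower().rstrip(".")
    return any(fnmatchcase(h, pattern) for pattern in proxy.excluded_hosts)


def route(url: str, proxy: DirectProxy) -> str:
    """Return the decision for a URL in PAC notation: 'DIRECT' or
    'PROXY host:port'. Only http and https traffic is routed through the
    proxy, as the page describes; other schemes go direct (assumption)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "DIRECT"
    if is_excluded(parts.hostname, proxy):
        return "DIRECT"
    return f"PROXY {proxy.host}:{proxy.port}"


def to_pac(proxy: DirectProxy) -> str:
    """Render the same Direct settings as a PAC script (the Proxy Auto-Config
    type). shExpMatch() is the standard PAC shell-pattern matcher."""
    lines = ["function FindProxyForURL(url, host) {"]
    for pattern in proxy.excluded_hosts:
        lines.append(f'  if (shExpMatch(host, "{pattern}")) return "DIRECT";')
    lines.append(f'  return "PROXY {proxy.host}:{proxy.port}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values matching the examples in the article.
    sample = build_direct_proxy("proxy.contoso.com", 8080,
                                "127.0.0.1;web.contoso.com;*.microsoft.com")
    for url in ("https://www.microsoft.com/", "https://microsoft.com/",
                "http://127.0.0.1:8000/health", "https://www.contoso.com/"):
        print(f"{url:32} -> {route(url, sample)}")
    print(to_pac(sample))
```

`route()` shows why the page calls the proxy a recommendation only from the device's side: the decision is made per host, so an app that ignores the setting simply never asks. `to_pac()` is useful when moving from the Direct type to Proxy Auto-Config without changing the effective bypass list.
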
Work profile password

These settings apply to corporate-owned work profiles.

  • Required password type: Enter the required password complexity level, and whether biometric devices can be used. Your options:

    • Device default

    • Password required, no restrictions

    • Weak biometric: Strong vs. weak biometrics (opens Android's web site)

    • Numeric: Password must only be numbers, such as 123456789. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Numeric complex: Repeated or consecutive numbers, such as "1111" or "1234", aren't allowed. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Alphabetic: Letters in the alphabet are required. Numbers and symbols aren't required. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Alphanumeric: Includes uppercase letters, lowercase letters, and numeric characters. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Alphanumeric with symbols: Includes uppercase letters, lowercase letters, numeric characters, punctuation marks, and symbols. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
      • Number of characters required: Enter the number of characters the password must have, between 0 and 16 characters.
      • Number of lowercase characters required: Enter the number of lowercase characters the password must have, between 0 and 16 characters.
      • Number of uppercase characters required: Enter the number of uppercase characters the password must have, between 0 and 16 characters.
      • Number of non-letter characters required: Enter the number of non-letters (anything other than letters in the alphabet) the password must have, between 0 and 16 characters.
      • Number of numeric characters required: Enter the number of numeric characters (1, 2, 3, and so on) the password must have, between 0 and 16 characters.
      • Number of symbol characters required: Enter the number of symbol characters (&, #, %, and so on) the password must have, between 0 and 16 characters.
  • Number of days until password expires: Enter the number of days until the device password must be changed, from 1-365. For example, enter 90 to expire the password after 90 days. When the password expires, users are prompted to create a new password. When the value is blank, Intune doesn't change or update this setting.

  • Number of passwords required before user can reuse a password: Use this setting to restrict users from creating previously used passwords. Enter the number of previously used passwords that can't be used, from 1-24. For example, enter 5 so users can't set a new password to their current password or any of their previous four passwords. When the value is blank, Intune doesn't change or update this setting.

  • Number of sign-in failures before wiping device: Enter the number of wrong passwords allowed before the device is wiped, from 4-11. 0 (zero) might disable the device wipe functionality. When the value is blank, Intune doesn't change or update this setting.

    Note

    Fully managed, dedicated, and corporate-owned work profile devices are not prompted to set a password. The settings are required, but users might not be notified. Users need to set the password manually. The policy reports as failed until the user sets a password that meets your requirements.

Personal profile

  • Camera: Block prevents access to the camera during personal use. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using the camera in the personal profile.
  • Screen capture: Block prevents screen captures during personal use. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to get screen captures or screenshots in the personal profile.
  • Allow users to enable app installation from unknown sources in the personal profile: Select Allow so users can install apps from unknown sources in the personal profile. It allows users to install apps from sources other than the Google Play Store. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent users from installing apps from unknown sources in the personal profile.

Personally owned devices with a work profile

These settings apply to Android Enterprise personally owned devices with a work profile (BYOD).

Personally owned devices with a work profile settings

  • Copy and paste between work and personal profiles: Block prevents copy-and-paste between work and personal apps. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to share data using copy-and-paste with apps in the personal profile.

  • Data sharing between work and personal profiles: Choose if apps in the personally owned work profile can share with apps in the personal profile. For example, you can control sharing actions within applications, such as the Share… option in the Chrome browser app. This setting doesn't apply to copy/paste clipboard behavior. Your options:

    • Device default: The default sharing behavior of the device varies depending on the Android version:
      • On devices running Android 6.0 and newer, sharing from the personally owned work profile to the personal profile is blocked. Sharing from the personal profile to the personally owned work profile is allowed.
      • On devices running Android 5.0 and older, sharing between the personally owned work profile and the personal profile is blocked in both directions.
    • Apps in work profile can handle sharing request from personal profile: Enables the built-in Android feature that allows sharing from the personal to the personally owned work profile. When enabled, a sharing request from an app in the personal profile can share with apps in the personally owned work profile. This setting is the default behavior for Android devices running versions earlier than 6.0.
    • No restrictions on sharing: Enables sharing across the personally owned work profile boundary in both directions. When you select this setting, apps in the personally owned work profile can share data with unbadged apps in the personal profile. This setting allows managed apps in the personally owned work profile to share with apps on the unmanaged side of the device. So, use this setting carefully.
  • Work profile notifications while device locked: Block prevents window notifications, including toasts, incoming calls, outgoing calls, system alerts, and system errors from showing on locked devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might show notifications.

  • Default app permissions: Sets the default permission policy for all apps in the personally owned work profile. Starting with Android 6, users are prompted to grant certain permissions required by apps when the app is launched. This policy setting lets you decide if users are prompted to grant permissions for all apps in the personally owned work profile. For example, you assign an app to the personally owned work profile that requires location access. Normally that app prompts users to approve or deny location access to the app. Use this policy to automatically grant permissions without a prompt, automatically deny permissions without a prompt, or let users decide. Your options:

    • Device default
    • Prompt
    • Auto grant
    • Auto deny

    You can also use an app configuration policy to grant permissions for individual apps (Client Apps > App configuration policies).

  • Add and remove accounts: Block prevents users from manually adding or removing accounts in the personally owned work profile. For example, when you deploy the Gmail app into an Android personally owned work profile, you can prevent users from adding or removing accounts in this personally owned work profile. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow adding accounts in the personally owned work profile.

    Note

    Google accounts can't be added to personally owned devices with a work profile.

  • Contact sharing via Bluetooth: Enable allows another device that's paired using Bluetooth, including a car, to access and share the work profile contacts on personally owned devices with a work profile. Enabling this setting may allow certain Bluetooth devices to cache work contacts upon first connection. Disabling this policy after an initial pairing/sync may not remove work contacts from a Bluetooth device.

    When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not share work contacts.

    This setting applies to:

    • Android 6.0 and newer personally owned devices with a work profile
  • Screen capture: Block prevents screenshots or screen captures on the device in the personally owned work profile. It also prevents the content from being shown on display devices that don't have a secure video output. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow getting screenshots.

  • Display work contact caller-id in personal profile: Block doesn't show the work contact caller number in the personal profile. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might show work contact caller details.

    This setting applies to:

    • Android 6.0 and newer personally owned devices with a work profile
  • Search work contacts from personal profile: Block prevents users from searching for work contacts in apps in the personal profile. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow searching for work contacts in the personal profile.

  • Camera: Block prevents access to the camera on the device in the personally owned work profile. The camera on the personal side is not affected by the setting. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow access to the camera.

  • Allow widgets from work profile apps: Enable allows users to put widgets exposed by apps on the home screen. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might disable this feature.

    For example, Outlook is installed on your users' personally owned work profiles. When set to Enable, users can put the agenda widget on the device home screen.

  • Require Work Profile Password: Require forces a passcode policy that only applies to apps in the personally owned work profile. By default, users can use the two separately defined PINs, or combine the PINs into the stronger of the two. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to use work apps without entering a password.

    This setting applies to:

    • Android 7.0 and newer personally owned devices with a work profile

    Also configure:

    • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.

    • Maximum minutes of inactivity until work profile locks: Enter the length of time devices must be idle before the screen is automatically locked. Users must enter their credentials to regain access. For example, enter 5 to lock the device after 5 minutes of being idle. When the value is blank or set to Not configured, Intune doesn't change or update this setting.

      On devices, users can't set a time value greater than the configured time in the profile. Users can set a lower time value. For example, if the profile is set to 15 minutes, users can set the value to 5 minutes. Users can't set the value to 30 minutes.

    • Number of sign-in failures before wiping device: Enter the number of wrong passwords allowed before the personally owned work profile in the device is wiped, from 4-11. 0 (zero) might disable the device wipe functionality. When the value is blank, Intune doesn't change or update this setting.

    • Password expiration (days): Enter the number of days until user passwords must be changed (from 1-365).

    • Required password type: Enter the required password complexity level, and whether biometric devices can be used. Your options:

      • Device default
      • Low security biometric: Strong vs. weak biometrics (opens Android's web site)
      • Required
      • At least numeric: Includes numeric characters, such as 123456789.
      • Numeric complex: Repeated or consecutive numbers, such as 1111 or 1234, aren't allowed.
      • At least alphabetic: Includes letters in the alphabet. Numbers and symbols aren't required.
      • At least alphanumeric: Includes uppercase letters, lowercase letters, and numeric characters.
      • At least alphanumeric with symbols: Includes uppercase letters, lowercase letters, numeric characters, punctuation marks, and symbols.
    • Prevent reuse of previous passwords: Use this setting to restrict users from creating previously used passwords. Enter the number of previously used passwords that can't be used, from 1-24. For example, enter 5 so users can't set a new password to their current password or any of their previous four passwords. When the value is blank, Intune doesn't change or update this setting.

    • Face unlock: Block prevents users from using the device's facial recognition to unlock the personally owned work profile. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to unlock the device using facial recognition.

    • Fingerprint unlock: Block prevents users from using the device's fingerprint scanner to unlock the personally owned work profile. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to unlock the device using a fingerprint.

    • Iris unlock: Block prevents users from using the device's iris scanner to unlock the personally owned work profile. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to unlock the device using the iris scanner.

    • Smart Lock and other trust agents: Block prevents Smart Lock or other trust agents from adjusting lock screen settings on compatible devices. If devices are in a trusted location, then this feature, also known as a trust agent, lets you disable or bypass the device lock screen password. For example, bypass the personally owned work profile password when devices are connected to a specific Bluetooth device, or when devices are close to an NFC tag. Use this setting to prevent users from configuring Smart Lock.

      When set to Not configured (default), Intune doesn't change or update this setting.

Password

These password settings apply to personally owned devices with a work profile.

  • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.

  • Maximum minutes of inactivity until screen locks: Enter the length of time devices must be idle before the screen is automatically locked. Users must enter their credentials to regain access. For example, enter 5 to lock the device after 5 minutes of being idle. When the value is blank or set to Not configured, Intune doesn't change or update this setting.

    On devices, users can't set a time value greater than the configured time in the profile. Users can set a lower time value. For example, if the profile is set to 15 minutes, users can set the value to 5 minutes. Users can't set the value to 30 minutes.

  • Number of sign-in failures before wiping device: Enter the number of wrong passwords allowed before the personally owned work profile in the device is wiped, from 4-11. 0 (zero) might disable the device wipe functionality. When the value is blank, Intune doesn't change or update this setting.

  • Password expiration (days): Enter the number of days until the device password must be changed, from 1-365. For example, enter 90 to expire the password after 90 days. When the password expires, users are prompted to create a new password. When the value is blank, Intune doesn't change or update this setting.

  • Required password type: Enter the required password complexity level, and whether biometric devices can be used. Your options:

    • Device default
    • Low security biometric: Strong vs. weak biometrics (opens Android's web site)
    • Required
    • At least numeric: Includes numeric characters, such as 123456789.
    • Numeric complex: Repeated or consecutive numbers, such as 1111 or 1234, aren't allowed.
    • At least alphabetic: Includes letters in the alphabet. Numbers and symbols aren't required.
    • At least alphanumeric: Includes uppercase letters, lowercase letters, and numeric characters.
    • At least alphanumeric with symbols: Includes uppercase letters, lowercase letters, numeric characters, punctuation marks, and symbols.
  • Prevent reuse of previous passwords: Use this setting to restrict users from creating previously used passwords. Enter the number of previously used passwords that can't be used, from 1-24. For example, enter 5 so users can't set a new password to their current password or any of their previous four passwords. When the value is blank, Intune doesn't change or update this setting.

  • Fingerprint unlock: Block prevents users from using the device's fingerprint scanner to unlock the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to unlock the device using a fingerprint.

  • Face unlock: Block prevents users from using the device's facial recognition to unlock the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to unlock the device using facial recognition.

  • Iris unlock: Block prevents users from using the device's iris scanner to unlock the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to unlock the device using the iris scanner.

  • Smart Lock and other trust agents: Block prevents Smart Lock or other trust agents from adjusting lock screen settings on compatible devices. If devices are in a trusted location, then this feature, also known as a trust agent, lets you disable or bypass the device lock screen password. For example, bypass the personally owned work profile password when devices are connected to a specific Bluetooth device, or when devices are close to an NFC tag. Use this setting to prevent users from configuring Smart Lock.

    When set to Not configured (default), Intune doesn't change or update this setting.
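
As an added example that is not part of the original article and not Intune or Android code, the following Python checker models the password settings described in this section and in the Work profile password section above: the Required password type options, Minimum password length, the per-character-class counts of Alphanumeric with symbols, and Prevent reuse of previous passwords. How each type is interpreted is an assumption that approximates Android's password-quality checks (for example, Numeric complex is taken to reject a run of four or more digits that repeat or follow a constant step, such as 1111, 1234 or 2468), and the mapping of Number of characters required to letter characters is likewise assumed. Policy values and sample passwords are constructed for the example.

```python
"""Password-policy checker modelled on the Intune Android Enterprise
password settings on this page. Added example, not Intune or Android code;
the interpretation of each Required password type is an assumption that
approximates Android's password-quality rules."""
from dataclasses import dataclass
from typing import Sequence

REQUIRED_TYPES = (
    "numeric", "numeric_complex", "alphabetic",
    "alphanumeric", "alphanumeric_with_symbols",
)


@dataclass(frozen=True)
class PasswordPolicy:
    required_type: str
    minimum_length: int = 4          # Intune accepts 4-16
    min_letters: int = 0             # "Number of characters required" (assumed: letters)
    min_lowercase: int = 0
    min_uppercase: int = 0
    min_non_letters: int = 0
    min_numeric: int = 0
    min_symbols: int = 0
    previous_passwords_blocked: int = 0   # 0 = no history check; Intune accepts 1-24

    def __post_init__(self) -> None:
        if self.required_type not in REQUIRED_TYPES:
            raise ValueError(f"unknown required password type: {self.required_type}")
        if not 4 <= self.minimum_length <= 16:
            raise ValueError("minimum password length must be between 4 and 16")
        if not 0 <= self.previous_passwords_blocked <= 24:
            raise ValueError("previous passwords blocked must be between 0 and 24")


def longest_constant_step_run(digits: str) -> int:
    """Length of the longest run of digits whose adjacent differences are all
    equal: 0 for repeats (1111), +1/-1 for consecutive (1234, 4321), +2 for 2468.
    Assumption: as in Android's numeric-complex check, a run longer than 3 fails."""
    if len(digits) < 2:
        return len(digits)
    best = run = 1
    prev_delta = None
    for a, b in zip(digits, digits[1:]):
        delta = int(b) - int(a)
        run = run + 1 if delta == prev_delta else 2
        prev_delta = delta
        best = max(best, run)
    return best


def check_password(password: str, policy: PasswordPolicy,
                   history: Sequence[str] = ()) -> list[str]:
    """Return the list of policy violations; an empty list means the password
    is acceptable. `history` is oldest-first and ends with the current password."""
    problems: list[str] = []
    letters = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    symbols = sum(not c.isalnum() for c in password)
    counts = {
        "letter": letters,
        "lowercase": sum(c.islower() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "non-letter": len(password) - letters,
        "numeric": digits,
        "symbol": symbols,
    }
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than the minimum length of {policy.minimum_length}")

    kind = policy.required_type
    if kind in ("numeric", "numeric_complex"):
        if not (password.isascii() and password.isdigit()):
            problems.append("must contain only digits")
        elif kind == "numeric_complex" and longest_constant_step_run(password) > 3:
            problems.append("repeated or consecutive digit sequence")
    elif kind == "alphabetic" and letters == 0:
        problems.append("must contain at least one letter")
    elif kind == "alphanumeric" and (letters == 0 or digits == 0):
        problems.append("must contain at least one letter and one digit")
    elif kind == "alphanumeric_with_symbols":
        if letters == 0 or digits == 0 or symbols == 0:
            problems.append("must contain a letter, a digit and a symbol")
        required = {
            "letter": policy.min_letters, "lowercase": policy.min_lowercase,
            "uppercase": policy.min_uppercase, "non-letter": policy.min_non_letters,
            "numeric": policy.min_numeric, "symbol": policy.min_symbols,
        }
        for name, need in required.items():
            if counts[name] < need:
                problems.append(f"needs at least {need} {name} character(s)")

    # History: with N blocked, the current password and the N-1 before it
    # may not be reused. A real implementation compares salted hashes,
    # never the plaintext kept here for illustration.
    n = policy.previous_passwords_blocked
    if n and password in list(history)[-n:]:
        problems.append(f"reuses one of the last {n} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample policy and candidates.
    policy = PasswordPolicy("numeric_complex", minimum_length=6, previous_passwords_blocked=5)
    for candidate in ("123456", "135791", "258025"):
        print(candidate, check_password(candidate, policy, ["258025"]) or "ok")
```

`check_password()` mirrors how the settings compose: the minimum length and the history check apply to every type, while the per-class counts only matter for Alphanumeric with symbols, which is why the other types ignore those fields.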

System security

  • Threat scan on apps: Require enforces that the Verify Apps setting is enabled for work and personal profiles. When set to Not configured (default), Intune doesn't change or update this setting.

    This setting applies to:

    • Android 8 (Oreo) and newer personally owned devices with a work profile
  • Prevent app installations from unknown sources in the personal profile: By design, Android Enterprise personally owned devices with a work profile can't install apps from sources other than the Play Store. This setting allows administrators more control of app installations from unknown sources. Block prevents app installations from sources other than the Google Play Store in the personal profile. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow app installations from unknown sources in the personal profile. By nature, personally owned devices with a work profile are intended to be dual-profile:

    • A work profile that's managed using MDM.
    • A personal profile that's isolated from MDM management.

Connectivity

  • Always-on VPN: Enable sets a VPN client to automatically connect and reconnect to the VPN. Always-on VPN connections stay connected, or reconnect immediately when users lock their device, the device restarts, or the wireless network changes.

    When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might disable always-on VPN for all VPN clients.

    Important

    Be sure to deploy only one Always-on VPN policy to a single device. Deploying multiple Always-on VPN policies to a single device isn't supported.

  • VPN client: Choose a VPN client that supports Always On. Your options:

    • Cisco AnyConnect
    • F5 Access
    • Palo Alto Networks GlobalProtect
    • Pulse Secure
    • Custom
      • Package ID: Enter the package ID of the app in the Google Play store. For example, if the URL for the app in the Play store is https://play.google.com/store/details?id=com.contosovpn.android.prod, then the package ID is com.contosovpn.android.prod.

    Important

    • The VPN client you choose must be installed on the device. It must also support per-app VPN in the work profile on personally owned devices. Otherwise, an error occurs.
    • You do need to approve the VPN client app in the Managed Google Play Store, sync the app to Intune, and deploy the app to the device. After you do this, the app is installed in the work profile on the user's personally owned device.
    • There may be known issues when using per-app VPN with F5 Access for Android 3.0.4. For more information, see F5's release notes for F5 Access for Android 3.0.4.
  • Lockdown mode: Enable forces all network traffic to use the VPN tunnel. If a connection to the VPN isn't established, then the device won't have network access.

    When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow traffic to flow through the VPN tunnel or through the mobile network.
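
The Package ID field of the Custom VPN client, in both this Connectivity section and the corporate-owned one above, takes the app's package ID as it appears in the `id=` parameter of the Google Play URL. The following Python helper is an added example, not part of the original article and not Intune or Android code: it accepts either a bare package ID or the Play URL, extracts the ID, and validates it against Android's package-name syntax (dot-separated segments, each starting with a letter and containing only ASCII letters, digits and underscores). The URLs in the test are constructed sample values.

```python
"""Extract and validate an Android package ID for the Custom VPN client
Package ID field. Added example, not Intune or Android code."""
import re
from urllib.parse import parse_qs, urlsplit

# Android package names: two or more '.'-separated segments, each starting
# with a letter and containing only ASCII letters, digits and underscores.
_SEGMENT = r"[A-Za-z][A-Za-z0-9_]*"
PACKAGE_ID_RE = re.compile(rf"^{_SEGMENT}(\.{_SEGMENT})+$")


def package_id_from_value(value: str) -> str:
    """Return the package ID from a bare ID or a play.google.com URL,
    raising ValueError for anything that would not be a usable Package ID."""
    value = value.strip()
    if value.startswith(("http://", "https://")):
        parts = urlsplit(value)
        if parts.hostname != "play.google.com":
            raise ValueError(f"not a Google Play URL: {value}")
        ids = parse_qs(parts.query).get("id", [])
        if len(ids) != 1:
            raise ValueError("Play URL must carry exactly one id= parameter")
        value = ids[0]
    if not PACKAGE_ID_RE.match(value):
        raise ValueError(f"not a valid Android package ID: {value!r}")
    return value


def is_valid_package_id(value: str) -> bool:
    """Boolean form of package_id_from_value() for use in a pre-flight check."""
    try:
        package_id_from_value(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample input in the form the article shows.
    print(package_id_from_value(
        "https://play.google.com/store/details?id=com.contosovpn.android.prod"))
```

Running this over the value before pasting it into the profile catches the common mistakes: a whole URL pasted where the bare ID belongs, a trailing path or parameter, or an ID copied from a store listing on another host.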

Next steps

Assign the profile and monitor its status.

You can also create dedicated device kiosk profiles for Android and Windows 10 devices.

Configure and troubleshoot Android enterprise devices in Microsoft Intune.