BYOD policies differ slightly from fully managed policies. In this approach, most of the settings affect only the work profile container on the device. All the components, restrictions and enabled applications function only in the container. The private part of the device functions according to the user's settings.

General settings tab

Below is the list of parameters on the General settings tab:

Parameter

Value

General settings

Template name

Input policy name (max 100 chars)

Set priority order

Specify position on the policy template list

Reinstall Base Agent automatically

When a new Base Agent version appears in the system, it will be automatically reinstalled on devices (the policy will be set as outdated).

Default value: not checked.

Uninstall not compatible policy components automatically

If set, policy components from the current policy that do not match will be uninstalled when the device is moved to another policy.

Default value: not checked.

Enable Samsung Premium API

To activate the Samsung Premium API in the policy, this option has to be marked. Once it is selected, a proper license key must be provided.

Default value: not checked.

Premium license

The Samsung license key can be added, changed or removed using the plus/minus icons next to the license key field.

Enable Samsung attestation

If set, an additional operation for Samsung KNOX attestation process will be added to the queue and will check the device’s software integrity before creating the KNOX container.

Default value: not checked.

Safetynet attestation

If set, the device will be verified for SafetyNet attestation that detects, for example, rooting the device or using a custom ROM. If attestation fails, the policy update will not proceed (none of the configurations / apps assigned to the policy will be applied).

Available options:

  • Off

  • Once, during enrollment

  • Hourly

  • Every 6 hours

  • Once a day

  • Once a week

  • Once a month

Default value: Off.

Mark as wiped on Base Agent uninstallation

If set, the device will be marked as wiped in the FAMOC console if Base Agent is uninstalled.

Default value: not checked.

Enable remote access services

If this option is marked, Remote Access will be installed with the policy.

Default value: not selected

Enable location services

If this option is marked, Location Monitor will be installed with the policy.

Default value: not selected

Force the app monitor service to turn on

When set, an additional operation included in the general policy, called "Enable app monitor service", will be added to the queue and sent to the device asking the user to turn the FAMOC Accessibility Service on.

Ignore battery optimization for Location monitor and Usage monitor

Adds Location Monitor and Usage Monitor to the list of apps that ignore battery optimization, so that schedules and SMS/MMS reporting work properly.

Selecting this option sends an operation that requires user confirmation.

General policy settings

General settings tab

Schedules settings

Below is the list of parameters on the Schedules settings tab:

Parameter

Value

Schedules settings

Peak schedule interval

The interval of Base Agent server connection: 5 min. / 15 min. / 30 min. / 1h / 4h / 12h / Once a day / Once a week / Once a month

Default value: Once a day

Peak days

Days of week during which Base Agent reports to FAMOC server

Default value: Monday - Friday

Peak begin

The time at which Base Agent starts reporting on peak days

Default value: 8:00

Peak end

The time at which Base Agent stops reporting on peak days

Default value: 16:00

Device Monitor sessions interval

Sets the interval of Device Monitor sessions: Off/Hourly/4 times a day/Daily/Weekly/Monthly

Default value: Daily

Alerting device inactivity

Raises an alert when the Base Agent has been inactive for: 1-5 days/Week/Month/3 months. If Base Agent doesn’t report to the server within this period, FAMOC generates an alert with three possible reaction options:

  • Remove device from FAMOC

  • Reinstall Base Agent

  • Mark device as stolen

Default value: After week

Wipe on exceeded device inactivity

If this option is marked and Base Agent doesn’t report to the server within a specified period of time, the device will be wiped in addition to the generated alert.

Mark as wiped on exceeded device inactivity

If set, the device will be marked as wiped in the FAMOC console if it exceeds the device inactivity period.

Schedules settings

Schedules settings tab

Assigned groups

Each policy is assigned to certain groups of users or groups of devices, so each device receives the policy settings defined for its group assignment. Devices that are not members of any group, and devices in groups that are not assigned to any policy, receive the policy with the lowest priority (the policy at the bottom of the list). Devices that are members of several groups receive the policy with the higher priority.

In the Assigned Groups tab, the administrator can assign groups to the policy. To select a group, click the Add device group or Add user group button. A popup with the group list will appear.
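The assignment rule above, modeled as an added Python example (not FAMOC code). The `Policy` class, the function names and the sample groups and devices are hypothetical; the policy list is assumed to be ordered as in the console, highest priority first. The second function lists devices that end up on the bottom policy only because nothing matched, which is worth reviewing when that policy is not the most restrictive one.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    groups: frozenset = frozenset()  # user or device groups assigned to the policy

def resolve_policy(policies, memberships):
    """Return (policy, matched) for one device.

    policies    -- ordered as in the policy template list, highest priority first
    memberships -- groups the device (or its user) belongs to
    matched     -- False when the device fell through to the bottom policy
    """
    if not policies:
        raise ValueError("policy list is empty")
    member_of = set(memberships)
    for policy in policies:
        if policy.groups & member_of:
            return policy, True
    return policies[-1], False

def fallthrough_devices(policies, devices):
    """Devices that receive the lowest-priority policy because nothing matched."""
    return sorted(dev for dev, groups in devices.items()
                  if not resolve_policy(policies, groups)[1])

# Constructed sample data (hypothetical names)
POLICIES = [
    Policy("BYOD-Executives", frozenset({"board"})),
    Policy("BYOD-Sales", frozenset({"sales", "field-staff"})),
    Policy("BYOD-Default"),  # bottom of the list, no groups assigned
]
DEVICES = {
    "phone-a": ["sales", "board"],  # several groups: higher priority wins
    "phone-b": ["field-staff"],
    "phone-c": [],                  # member of no group
    "phone-d": ["contractors"],     # group not assigned to any policy
}

if __name__ == "__main__":
    for dev, groups in DEVICES.items():
        policy, matched = resolve_policy(POLICIES, groups)
        print(dev, policy.name, "" if matched else "(fallthrough)")
    print("review:", fallthrough_devices(POLICIES, DEVICES))
```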

Groups tab

Policy components

In addition to general settings, it is possible to add configurations and applications to the policy. Please bear in mind that all those components and configurations will be installed in the work profile part of the device.

To add a configuration to the policy, click the Select configuration button. A popup with the configuration list will appear.

Configuration can be set for: 

  • Peak – configuration will be applied in peak

  • Off-peak – configuration will be applied in off-peak

  • Always – configuration will be applied always

Every time a device connects to the server, it checks whether the proper policy is applied. If a change is needed (e.g. the peak has ended and the currently applied configuration is only for the peak), the old configuration is removed and the appropriate one is applied. Time-based policies can only be applied to iOS devices.
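The check performed on each connection, sketched as an added Python example (not FAMOC code). It uses the default peak window from the Schedules settings table (Monday - Friday, 8:00 to 16:00); the function names and sample configuration names are hypothetical, and treating the peak begin as inclusive and the peak end as exclusive is an assumption.

```python
from datetime import datetime, time

# Defaults from the Schedules settings table: Monday - Friday, 8:00 to 16:00
PEAK_DAYS = {0, 1, 2, 3, 4}  # datetime.weekday(): Monday is 0
PEAK_BEGIN, PEAK_END = time(8, 0), time(16, 0)

def in_peak(now, days=PEAK_DAYS, begin=PEAK_BEGIN, end=PEAK_END):
    """True inside the peak window (assumption: begin inclusive, end exclusive)."""
    return now.weekday() in days and begin <= now.time() < end

def reconcile(applied, components, now):
    """Return (to_remove, to_apply) for one server connection.

    applied    -- set of configuration names currently on the device
    components -- dict of name -> scope, one of "Peak", "Off-peak", "Always"
    """
    active_scope = "Peak" if in_peak(now) else "Off-peak"
    wanted = {name for name, scope in components.items()
              if scope in ("Always", active_scope)}
    return sorted(applied - wanted), sorted(wanted - applied)

# Constructed sample policy components (hypothetical names)
COMPONENTS = {
    "corp-wifi": "Always",
    "camera-off": "Peak",
    "relaxed-restrictions": "Off-peak",
}

if __name__ == "__main__":
    # Wednesday, five minutes after the default peak end
    connection = datetime(2024, 3, 6, 16, 5)
    print(reconcile({"corp-wifi", "camera-off"}, COMPONENTS, connection))
```

Because the check runs only when the device connects, a Peak-only configuration stays on the device until the first connection after the peak ends.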

To add an application, click the Select application button. A popup with the application list will appear. Selected applications will be installed when the policy is applied on the device. When the policy assigned to a device is changed, the new policy will be applied and the new list of applications will be installed. When selecting an application, it is possible to specify the number of installation retries (in case an application installation is cancelled by the user, FAMOC will retry the operation). Possible options:

  • Installation obligatory (default option) – if the installation is canceled, it will be attempted again on each following day.

  • One installation attempt – if the installation is canceled, it will not be retried.

  • Several installation attempts – the installation will be retried a specified number of times.

Policy components can be placed in a custom installation order using the down/up arrows in the Order column.

By default, each item is installed in sequence (the next item starts when the previous one has been successfully installed). It is possible to mark an item as independent (Independent column), which means the next action starts independently of the previous action, without waiting for its success report.

Select Ignore failure to execute the next action if the previous one failed.

Policy components tab

Security options

In the security options section you have the following settings available.

  • Wi-Fi lock - blocks the possibility to use a wireless network in the work profile

  • Data wipe on SIM card change - if set, a wipe will be performed when a SIM card change is detected.

    • Wipe on no SIM card detection - if set, a wipe will be performed when the SIM card is not detected. This option is available when the first option (Data wipe on SIM card change) is set. WARNING! Once this configuration is applied, users will not be able to use Android airplane mode, as it will cause a device wipe.

  • Wipe on root detection - if set, the device will be wiped when root is detected

  • Application voice recording lock (Samsung SDK only) - if set, microphone cannot be used on the device

  • Internal storage encryption - if set, encryption will be required

  • Application installer lock - if set, there will be no possibility to install applications on the device

    • Notification when application installation is blocked - you can set a notification that will appear on the device when the user tries to install an application. Default: Application installation is not allowed

  • Enable/Disable USB debugging – allows or blocks the possibility to install applications through ADB to the work profile. If disabled, applications will be installed only in the private part of the device.

  • Enable unknown sources – allows or blocks the possibility to install applications through .apk files to the Work Profile. The policy will not be active on Android 5.0 devices (installation of .apk is blocked).

  • Block screen capture in applications that run in the work profile, to prevent data from being shared that way.

  • Disable accounts modification - blocks the possibility to add, edit or delete an account.

    • Block creation of the mail account (Samsung SDK only)

    • Block creation of LDAP account (Samsung SDK only)

    • Block creation of Samsung account (Samsung SDK only)

  • Disable camera - blocks the possibility to use the camera.

  • Disable cross profile copy-paste

  • Disable application control - blocks the following actions: uninstalling and disabling apps, clearing app cache and data, force stopping apps and clearing app defaults

  • Disable one lock code - blocks the possibility to use one lock code for the device and Work Profile.

  • Allow moving apps to work profile (Samsung SDK only)

  • Block NFC (Samsung SDK only)

  • Disallow outgoing beam using NFC

  • Allow moving files from device to work profile (Samsung SDK only)

  • Allow moving files from work profile to device (Samsung SDK only)

  • Block change of the sharing of the calendar to the personal mode (Samsung SDK only)

  • Block change of the sharing of the calendar to work profile (Samsung SDK only)

  • Enable Bluetooth (Samsung SDK only)

  • Block Share Via List (Samsung SDK only)

  • Prevent users from configuring credentials in the managed keystore

Applications permissions

In this tab you can set a global permission policy and set exceptions for specific apps.

Runtime permission policy – this setting controls the behavior of applications that ask for a specific permission while running. You can set one of three values:

  • Managed by user – the default value; the user will be asked to give apps access to functions that require a specific permission. The user will also be able to change permissions for an application.

  • Allow – applications that ask for a permission will have it granted automatically, and the user will not be able to change it.

  • Deny – applications that ask for a permission will have it denied automatically, and the user will not be able to change it.

Applications permissions tab

Enabled applications

In this section, the admin can enable Google system applications in the work profile so that they are automatically accessible to users after profile activation. The applications enabled on a device may differ, as some Android versions (especially branded versions) may not include all of the listed system applications. The admin can change the list of enabled applications and hide them as needed. The default applications, which are always visible after profile activation, are FAMOC Base Agent and managed Google Store.

System applications selection

Advanced settings

In the Advanced policy settings you can configure the following parameters.

Parameter

Value

Advanced policy settings

Number of stored Device Monitor sessions

Sets how many sessions of Device Monitor should be stored by FAMOC (1-10)

Default value: 5

Number of archived Device Monitor sessions

Sets how many sessions of Device Monitor should be archived in logs (10-150)

Default value: 20

Time synchronization interval

Sets how often the system clock on the S60 device is synchronized with a Network Time Protocol Server

Default value: Disabled

SIM change notify (for example if device was stolen)

Yes/No

Default value: No

Device limit per user

The number of devices that a user can add via the startup page when the user authentication option is set. If the limit is exceeded, the user is not allowed to add any other device to the system using the startup page.


Device details fields in Base Agent

The administrator can add custom fields, which will be displayed in the Device Information Tab on the device.

Device details fields

Contacts data synchronization

This section allows you to set synchronization of all contacts, or synchronization of data only within the groups the user is a member of. With the latter option, the administrator can specify additional groups within which contacts are to be synchronized. To list the user groups for contact data synchronization, use the Select button. You can also set the contacts sync interval on a daily, weekly or monthly basis.

Contacts synchronization settings

Usage policy

This section enables usage policy settings like:

  • Reporting data traffic using WIFI

  • Reporting data traffic using GPRS

  • Reporting SMS content

  • Reporting of the call type

Selecting the Enable usage monitor services checkbox activates the usage policy. After that, Usage Monitor will be installed with the policy and the usage policy applied.

Parameter

Description

Usage policy settings

Enable usage monitor services

If this option is marked, Usage Monitor will be installed with the policy.

Default value: not checked.

Report device data after restart of the device

If set, Usage Monitor will collect and send data on device restart.

Report data traffic using WIFI every

Interval of the WIFI data reporting (Do not report / 1 day / 3 days / 1 week / 2 weeks / 1 month / 3 months).

Default value: 1 month.

Report data traffic using GPRS every

Interval of the GPRS data reporting (Do not report / 1 day / 3 days / 1 week / 2 weeks / 1 month / 3 months).

Default value: 1 month.

Report SMS content

If set, content of the SMS will be reported.

Default value: not checked.

Report device state

If set, reports device state.

Default value: not checked.

Report application usage

If set, reports application usage.

Default value: not checked.

Report browser history

If set, reports browser history.

Default value: not checked.

Report extended parameters every

Interval for reporting device state, application usage and browser history (Do not report / 15 minutes / 30 minutes / 1 hour / 6 hours / 1 day / 3 days / 1 week / 2 weeks / 1 month)

Default value: 1 day.

Allow user to select the type of the call

If Allow is selected, the user will be prompted after the call to select the type of the call. The list of call types can be customized. By default, the call types are Private and Corporate.

Default value: Do not allow.

Usage policy settings