BYOD policies differ slightly from fully managed policies. In this approach most of the settings affect only the work profile container on the device. All components, restrictions and enabled applications function only in the container. The private part of the device functions according to the user's settings.
General settings tab
Below is the list of parameters on the general settings tab:
General policy settings
General settings tab
Schedules settings
Below is the list of parameters on the schedules settings tab:
Schedules settings
Schedules settings tab
Assigned groups
Each policy is assigned to certain groups of users or groups of devices, so each device receives the policy settings defined for its group assignment. Devices that are not members of any group, and groups that are not assigned to any policy, receive the policy of the lowest priority (the policy at the bottom of the list). Devices that are members of several groups receive the policy of the higher priority.
In the Assigned Groups tab the administrator can assign groups to the policy. To select a group, click the Add device group or Add user group button. A popup with the group list will appear.
Groups tab
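The priority rules above, worked through as an added example (not FAMOC code; the policy, group and device names are constructed, and list order stands in for the order shown in the console). It resolves each device's effective policy and flags devices that only receive the bottom-of-list policy because none of their groups is assigned to any policy.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    groups: set = field(default_factory=set)  # user/device groups assigned to it


def effective_policy(policies, device_groups):
    """policies is ordered from highest priority (top) to lowest (bottom).

    Returns (policy, matched). matched is False when the device got the
    bottom policy only as a fallback, not through a group assignment.
    """
    if not policies:
        raise ValueError("policy list is empty")
    memberships = set(device_groups)
    for policy in policies:
        if policy.groups & memberships:
            return policy, True          # first hit = highest priority
    return policies[-1], False           # no group matched: lowest priority


def audit(policies, devices):
    """Map every device to its policy and list the fallback cases."""
    report, fallbacks = {}, []
    for device, groups in devices.items():
        policy, matched = effective_policy(policies, groups)
        report[device] = policy.name
        if not matched:
            fallbacks.append(device)
    return report, sorted(fallbacks)


# Constructed sample data (hypothetical names).
POLICIES = [
    Policy("byod-executives", {"executives"}),
    Policy("byod-staff", {"staff", "contractors"}),
    Policy("byod-default"),               # bottom of the list
]
DEVICES = {
    "pixel-01": ["staff", "executives"],  # several groups
    "galaxy-02": ["contractors"],
    "moto-03": [],                        # member of no group
    "galaxy-04": ["interns"],             # group not assigned to any policy
}

if __name__ == "__main__":
    print(audit(POLICIES, DEVICES))
```

Devices in the fallback list are the ones to review first, since the bottom policy reaches them without any explicit assignment.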
Policy components
In addition to the general settings, you can add configurations and applications to the policy. Bear in mind that all those components and configurations will be installed in the work profile part of the device.
To add a configuration to the policy, click the Select configuration button. A popup with the configuration list will appear.
Configuration can be set for:
Peak – configuration will be applied in peak
Off-peak – configuration will be applied in off-peak
Always – configuration will be applied always
Every time a device connects to the server, it checks whether the proper policy is applied. If a change is needed (e.g. the peak has ended and the currently applied configuration is only for the peak), the old configuration is removed and the appropriate one is applied. Time-based policies can only be applied to iOS devices.
To add an application, click the Select application button. A popup with the application list will appear. Selected applications will be installed when the policy is applied on the device. When the policy assigned to a device is changed, the new policy will be applied and the new list of applications will be installed. When selecting an application, you can specify the number of installation retries (if an application installation is canceled by the user, FAMOC will retry the operation). Possible options:
Installation obligatory (default option) – if installation is canceled, it will be attempted again every following day.
One installation attempt – if installation is canceled, it will not be retried.
Several installation attempts – installation will be retried the specified number of times.
Policy components can be placed in a custom installation order using the down/up arrows in the Order column.
By default, items are installed in sequence (the next item starts when the previous one has been successfully installed). An item can be marked as independent (Independent column), which means the next action starts independently of the previous action, without waiting for its success report.
Select Ignore failure to execute the next action even if the previous one failed.
Policy components tab
Security options
In the security options section the following settings are available.
Wi-Fi lock - blocks the possibility to use wireless networks in the work profile
Data wipe on SIM card change - if set, a wipe will be performed when a SIM card change is detected.
Wipe on no SIM card detection - if set, a wipe will be performed when the SIM card is not detected. Option available when the first option is set (Data wipe on SIM card change). WARNING! Once this configuration is applied, users will not be able to use Android airplane mode, as it will cause a device wipe.
Wipe on root detection - if set, the device will be wiped when root is detected
Application voice recording lock (Samsung SDK only) - if set, the microphone cannot be used on the device
Internal storage encryption - if set, encryption will be required
Application installer lock - if set, there will be no possibility to install applications on the device
Notification when application installation is blocked - you can set a notification that will appear on the device when the user tries to install an application. Default: Application installation is not allowed
Enable/Disable USB debugging – allows or blocks the possibility to install applications through ADB to the work profile. If disabled, applications will be installed only in the private part of the device.
Enable unknown sources – allows or blocks the possibility to install applications from .apk files to the Work Profile. The policy will not be active on Android 5.0 devices (installation of .apk is blocked).
Block screen capture in applications that run in the work profile, to prevent data from being shared by that method.
Disable accounts modification - blocks the possibility to add, edit or delete an account.
Block creation of the mail account (Samsung SDK only)
Block creation of LDAP account (Samsung SDK only)
Block creation of Samsung account (Samsung SDK only)
Disable camera - blocks the possibility to use the camera.
Disable cross profile copy-paste
Disable application control - blocks the following actions: uninstalling and disabling apps, clearing app cache and data, force stopping apps and clearing app defaults
Disable one lock code - blocks the possibility to use one lock code for the device and Work Profile.
Allow moving apps to work profile (Samsung SDK only)
Block NFC (Samsung SDK only)
Disallow outgoing beam using NFC
Allow moving files from device to work profile (Samsung SDK only)
Allow moving files from work profile to device (Samsung SDK only)
Block change of the sharing of the calendar to the personal mode (Samsung SDK only)
Block change of the sharing of the calendar to work profile (Samsung SDK only)
Enable Bluetooth (Samsung SDK only)
Block Share Via List (Samsung SDK only)
Prevent users from configuring credentials in the managed keystore
Applications permissions
In this tab you can set the global permission policy and set exceptions for specific apps.
Runtime permission policy – controls the behavior of applications that ask for a specific permission while running. You can set one of three values:
Managed by user – default value; the user will be asked to give apps access to functions that require a specific permission. The user will also be able to change permissions for an application.
Allow – applications that ask for a permission will have it granted automatically, and the user will not be able to change it.
Deny – applications that ask for a permission will have it denied automatically, and the user will not be able to change it.
Applications permissions tab
Enabled applications
In this section the admin can enable Google system applications in the work profile so that they are automatically accessible to users after profile activation. The applications enabled on the device may differ, as some Android versions (especially branded versions) may not include all the listed system applications. The admin can change the list of enabled applications and hide them as needed. The default applications, which are always visible after profile activation, are FAMOC Base Agent and managed Google Store.
System applications selection
Advanced settings
In the Advanced policy settings you can configure the following parameters.
Device details fields in Base Agent
The administrator can add custom fields, which will be displayed in the Device Information Tab on the device.
Device details fields
Contacts data synchronization
This section lets you set synchronization of all contacts, or synchronization of data only within the groups the user is a member of. In the latter case, the administrator can specify additional groups within which contacts are to be synchronized. To list groups of users for contact data synchronization, use the Select button. You can also set the contacts sync interval on a daily, weekly or monthly basis.
Contacts synchronization settings
Usage policy
This section enables usage policy settings such as:
Reporting data traffic using WIFI
Reporting data traffic using GPRS
Reporting SMS content
Reporting of the call type
Selecting the Enable usage monitor services checkbox activates the usage policy. After that, Usage Monitor will be installed with the policy and the usage policy will be applied.
Usage policy settings