Functionality by Device Platform


Functionality by Device Platform for the Notify Mobile Device Management System

Last revision: 02/24/16
Current Release: Version 3.9.x

TABLE OF CONTENTS

Policy Rules: All Devices
Policy Rules: iOS Devices
Policy Rules: KNOX Devices
Policy Rules: TouchDown
Policy Rules: Windows Devices
User Self-Administration Portal (USAP)
Security Actions: All Devices
Device Statistics: All Devices
Compliance Manager

Expanded Table of Contents

Policy Rules: All Devices
Audit Tracking; Device Control; Device Features; Email; ActiveSync Synchronization; Applications; File Share Permissions; Resource Control; Security Settings; Password; Encryption; S/MIME Settings; Device Inactivity and Locking; Emergency Calls; Whitelists/Blacklists Permissions

Policy Rules: Samsung KNOX
Samsung KNOX Device Policies; Samsung KNOX Workspace Policies

Policy Rules: iOS Devices
Device Features; Applications; Safari Browser; Ratings; Security; iCloud; MDM Management Mode

Policy Rules: TouchDown
Installation; General; Signature; Widgets; Phone Book; User Configurable Settings; Suppression Rules

Policy Rules: Windows Devices
Applications; Device Features; Management; Passport for Work

User Self-Administration Portal (USAP)
Security Actions; Android Security Actions; Device Statistics; Applications; Android Applications; Certificates

Security: All Devices
Security Commands; Network Connection Security and Configuration

Device Statistics: All Devices
Device Statistics

Compliance Manager
Access Policies and Device Restrictions; Non-Access Policy Based Alerts; Event Based Alerts; System Alerts

The information in these tables describes functionality supported by each device platform for NotifyMDM, version 3.6.x. Device platforms supported are Android, BlackBerry (OS 4.5-7.1), BlackBerry (OS 10), iOS, webOS, Windows Devices 8.1+, and Windows Phone. Supported device operating system versions are listed below.

Anrd: Android OS v2.2-5.1
TD/A: Android OS v2.2-5.1 with TouchDown v8.4.x or 8.5.x
BB10: BlackBerry Devices OS 10
NS/BB: BlackBerry OS v4.5-7.1 with NotifySync v4.9 or greater
iOS: 6.0-9.0 multitasking
TD/iOS: 6.0-9.0 multitasking with latest TouchDown app version
Windows: Windows Devices OS 8.1; Windows PCs & tablets OS 10
wos: WebOS OS v1.4.3/1.4.5, 2.0.0/2.0.1, 2.1.2
Windows Phone OS v7, 7.5, 8

The NotifyMDM Device Application

Android, BlackBerry (OS 4.5-7.1), and iOS use the NotifyMDM device application to provide additional functionality and enforce policies that are not handled by ActiveSync. The device platforms listed above also require a native ActiveSync agent or a 3rd party ActiveSync application, such as NotifySync™ for BlackBerry or TouchDown™ for Android.

On Android with OS 2.2 or greater - the ActiveSync agent native to the device is sufficient, although the TouchDown application, available from the Play Store, offers greater functionality. See Policy Rules: TouchDown.

On BlackBerry (OS 4.5-7.1) - NotifySync for BlackBerry v4.10.x or greater is the ActiveSync application required to handle the ActiveSync policies. The application has a NotifyMDM component that provides additional functionality.

On iOS 6, 7, 8, 9 with multitasking capabilities - the ActiveSync policies are enforced using Apple configuration profiles.

Windows 8.1+ - phones and tablets with OS 8.1+ or tablets and PCs with OS 10.

Enrolling Android or iOS devices without the NotifyMDM app is not recommended, because only ActiveSync policies supported by the device platform or model can be enforced. BlackBerry (OS 4.5-7.1) devices do not have native ActiveSync capabilities and are not supported without the NotifySync app.

ActiveSync Only Devices

BlackBerry (OS 10), webOS and Windows Phone platforms, for which there are no NotifyMDM applications, are also supported. Because these devices utilize the native ActiveSync protocol alone, only ActiveSync policies supported by the device platform or model can be enforced.

POLICY RULES: ALL DEVICES

Policy Suite Rules: All Devices

Red text or dots indicate ActiveSync functionality. The device does not have the NotifyMDM app and supports the feature via the native ActiveSync app on the device. BlackBerry 4.5-7.1 devices, which do not have a native ActiveSync app (NS/BB), are only supported with the NotifySync app.

Table columns: Description, Anrd, Anrd w/o MDM, TD/A, NS/BB, TD/iOS, Windows, ActiveSync Only.

Audit Tracking

Archive Device File List
Requires device to periodically send a list of all folders and files stored on the device and the SD card to the server. Displayed in the User Profile: File Archive on the dashboard. Administrator defines frequency of the file archiving.

Record Phone Log
Requires the device to send all telephone log information to the server. Future development may include call times and lengths; whether the call was roaming, incoming, or outgoing; usage tracking for work related calls versus personal, defined by a list of approved work numbers on the server.
BlackBerry: Tracks only calls made after NotifyMDM enrollment.

Record Text Message Log
Requires the device to send all Short Message Service (SMS) and Multimedia Messaging Service (MMS) information to server.
BlackBerry: Tracks only texts made after NotifyMDM enrollment. Does not track MMS messages; therefore, on devices that use only MMS, text messaging is not tracked.
Android: Text and MMS logging functionality may vary based on device manufacturer or carrier. (See Android SMS & MMS Capabilities.)

Record Installed Applications
Requires the device to send app information with data usage statistics for all applications installed on the device. Usage statistics are displayed in the Apps section of the User Profile.

Record Managed Applications
Requires the device to send app information with data usage statistics for managed applications. Usage statistics are displayed in the Apps section of the User Profile.

Record Location of Device (Latitude / Longitude)
When device GPS service is on, uses GPS or triangulation to locate a user's device. Information is displayed using Google Maps. The device reports longitude and latitude as two separate values. This setting will be automatically replicated in the user self-administration portal (USAP) permission, Display Locate Device.
KNOX devices: If the device's GPS Service is off, enabling this will turn the GPS service on and return the device's current location to the server.
iOS devices support this only when the MDM app is installed on the device. Instruct users to set Settings > MDM > Privacy > Location Services > Allow Location Access to Always on the device.
Windows devices: Require Windows OS 10 or higher.

GPS Location Accuracy
Allows administrators to specify a level of location accuracy. Accuracy primarily depends on using a cell tower vs. GPS (satellite) location methods. Additional factors may be involved depending on the device type. Because improved accuracy generally results in increased battery usage, the level can be adjusted to facilitate a more efficient use of device battery. Set levels via the policy suite.
iOS devices support this only when the MDM app is installed on the device.
Windows devices: Require Windows OS 10 or higher.

Device Controls: Device Features

Allow Bluetooth (ActiveSync)
Determines whether Bluetooth is allowed to operate on the device. There are three settings:
Disabled - Don't allow Bluetooth
Handsfree only - Allow only Bluetooth headsets
Allowed - Allow all Bluetooth
Android devices: Requires KNOX compatibility. Handsfree functions the same as the Allowed option on KNOX devices.
Windows devices: When MDM proxy is not on, Handsfree functions the same as the Allowed option.

Allow Browser (ActiveSync)
Determines whether the use of the native Web browser is allowed on the device. This setting can also prevent the use of third-party browsers that use the native browser as a basis for operation.
Android devices: Enforced through the device app on select Android devices and those supporting KNOX.

Allow Camera (ActiveSync)
Determines whether the use of the device camera is allowed. Disabling the camera can limit the functionality of 3rd party apps that use the camera, such as Photoshop.
Android: Supported on devices with OS 4.0 and KNOX compatible devices.
Android (native): See knowledge base.

Allow GPS
Determines whether the device will allow the use of GPS.

Allow Infrared (ActiveSync)
Determines whether infrared connections are allowed to and from the device. This feature may only be supported by ActiveSync only devices using a third-party email client that supports it.

Allow Internet Sharing from the Device (Tethering) (ActiveSync)
Determines whether the device can be used as a modem for a desktop or a portable computer. This feature may only be supported by ActiveSync only devices using a third-party email client that supports it.

Allow NFC
Determines whether the device will allow Near Field Communication.

Allow Remote Desktop (ActiveSync)
Determines whether a remote desktop connection can be created from the device. This feature may only be supported by ActiveSync only devices using a third-party email client that supports it.

Allow SD Card (ActiveSync)
Determines whether the use of an SD Card is allowed on the device.
Android w/ TouchDown: Allows or disallows SD card access for the TouchDown application only.

Allow Synchronization from a Desktop (ActiveSync)
Determines whether the device can synchronize with a computer through a cable, Bluetooth, or IrDA connection. This feature may only be supported by ActiveSync only devices using a third-party email client that supports it.

Allow Text Messaging (ActiveSync)
Determines whether the device can send or receive text messages. This feature may only be supported by ActiveSync only devices using a third-party email client that supports it.

Allow USB
Determines whether the device will allow a USB connection.

Allow Wi-Fi (ActiveSync)
Determines whether wireless Internet access is permitted on the device.
Android devices: Requires KNOX compatibility.
Windows devices: Require OS 8.1 or higher.

Allow user to remove enrollment
Determines whether the user is permitted to remove the MDM user account from the device.

Initiate Selective Wipe when user removes MDM app account
If the user removes the MDM account on the device, a selective wipe is executed. Selective Wipe functionality varies by device platform.

Allow Screen Capture
Determines whether the device will allow the user to take screenshots. This policy can only be enforced when the MDM device agent is provisioned as a device owner or profile owner app. (Enable the Provision Managed Profile policy under Resource Control OR use NFC to provision the MDM device agent as the Device Owner.)
Requires Android OS version 5.0+. Can be enforced only when the MDM device agent is provisioned as a device owner or profile owner app.

Disable Fingerprint
Determines whether the device will allow the user to use the fingerprint reader.
Requires Android OS version 5.0+.

Device Controls: Email

Allow HTML formatted Email (ActiveSync)
Determines whether email synchronized to the device can be in HTML format. Not supported on systems operating with ActiveSync protocol 2.5, such as Exchange 2003.

Maximum HTML email body truncation size (in KB) (ActiveSync)
Defines the maximum HTML email body size of messages received on the device. Not supported on systems operating with ActiveSync protocol 2.5, such as Exchange 2003.

Allow Consumer Email (ActiveSync)
Determines whether the user can use Windows Live services, such as Hotmail, Office, or Spaces. This feature may only be supported by ActiveSync only devices using a third-party email client that supports it.

Allow POP/IMAP Email (ActiveSync)
Determines whether the device can access POP3 or IMAP4 email on the device. This feature may only be supported by ActiveSync only devices using a third-party email client that supports it.

Maximum plain text email body truncation size (in KB) (ActiveSync)
Defines the maximum email body size of plain text messages received on the device.
ActiveSync Only: BB10

Device Control: ActiveSync Synchronization

Maximum calendar age for synchronization (ActiveSync)
Defines the maximum look-back age of calendar events. Events older than the maximum age are automatically removed from the device. Not supported on systems operating with ActiveSync protocol 2.5, such as Exchange 2003.
ActiveSync Only: BB10

Specific calendar age for synchronization
Determines a specific number of calendar days that can be synchronized. The value should be lower than the Maximum calendar age for synchronization.

Maximum email age for synchronization (ActiveSync)
Defines the maximum age of email on the device. Emails older than the maximum age are automatically removed from the device. Not supported on systems operating with ActiveSync protocol 2.5, such as Exchange 2003.
ActiveSync Only: BB10

Specific Email age for synchronization
Determines a specific age for emails to synchronize. The value should be lower than the Maximum Email age for synchronization.

Require manual sync when roaming (ActiveSync)
Enforces the use of manual synchronization on the device while roaming to avoid the higher data costs that are often incurred with automatic synchronization.

Device Controls: Applications

Allow Copy and Paste
Determines whether the user is able to copy and paste across applications.

Allow Unsigned Applications
Determines whether unsigned applications which already exist on the device are permitted to run.

Allow Unsigned Package Installation
Determines whether the device permits unsigned installers to install applications.

File and Application Management

File Share Permissions
Create a directory of folders and files to make accessible to users. Users access files directly through the NotifyMDM app. Set permissions for access per policy suite.

Whitelists/Blacklists Permissions
Create a list of strings that will filter either by blacklisting or whitelisting applications.
Blacklist - When one or more blacklisted applications are installed on a device, the user's access to email, shared files, app lists, or other organization resources can be blocked.
Whitelist - When one or more applications are installed on a device that are not on the Whitelist, the user's access to email, shared files, app lists, or other organization resources can be blocked.
Android KNOX and KNOX Workspace compatible devices: Blacklist/Whitelist restrictions will prevent apps that do not meet the criteria from being installed on the device. Workspace devices require KNOX v2.0 and prevent installation only in the container.

Resource Control

Allow ActiveSync
Determines whether users are permitted to make ActiveSync connections.
ActiveSync Only: BB10, webOS

Allow File Share
Determines whether users are permitted to access the File Share.

Allow Managed Apps
Determines whether users are permitted to access the Managed Apps list. This setting will be automatically replicated in the user self-administration portal (USAP) permissions, Display Managed Apps.

Provision Managed Profile
Determines whether a Managed Profile is installed on Android devices. When a Managed Profile exists, all MDM managed apps are installed inside the profile. This allows an administrator to remove the profile and apps with a selective wipe if necessary. Applications installed outside of the Managed Profile will not be removed when the Managed Profile is removed.
Notes:
1) Some device modes may not support managed profile installation.
2) Enabling managed profile installation will require full device encryption.
3) Managed Profile won't be activated if the TouchDown app is enrolled.
Requires Android OS version 5.0+.

Remove Managed Profile
Determines whether the managed profile will be removed from the device when the Provision Managed Profile policy setting changes from Yes to No. When enabled, a selective wipe is also issued when the Provision Managed Profile policy changes from Yes to No.
Requires Android OS version 5.0.

Security: Password

Require Device Password (ActiveSync)
Forces the device to require a password to unlock the device.
ActiveSync Only: BB10, webOS

Require TouchDown PIN
Determines whether a PIN is required to access the TouchDown app. Can be used in addition to or in place of the Require Device Password option.

Enable password recovery (ActiveSync)
This allows or disallows a user to issue, from the device, a request for a temporary recovery password if they have forgotten their unlock password. The recovery password can be retrieved from the MDM User Self Administration Portal or the administrative dashboard. Not supported on systems operating with ActiveSync protocol 2.5, such as Exchange 2003.
Android w/ TouchDown: Gives temporary unlock password for only the TouchDown application; does not provide temporary unlock password when lock is imposed by the device's native OS.

Allow Simple Password (ActiveSync)
Determines whether or not a password can consist of only repeating or sequential characters, such as 1111 or abcd. Not supported on systems operating with ActiveSync protocol 2.5, such as Exchange 2003.

Require Minimum Password Length (ActiveSync)
Forces the device to require a password with a specified minimum length.
ActiveSync Only: BB10, webOS

Minimum Password Length (ActiveSync)
Defines the minimum password length.
ActiveSync Only: BB10, webOS

Require complex password
User must create a password containing at least a letter, a numerical digit, and a special symbol. Requires Android OS 3.0 or greater. If this requirement is set and a device does not support it, the next level of security, which is alphanumeric, will be implemented.

Require Alphanumeric Password (ActiveSync)
Forces the device to require a device password to contain both letters and numbers.

Minimum Number of Complex Characters (ActiveSync)
Forces the device to require a minimum number of complex characters (symbols) in the alphanumeric password. This is disabled when alphanumeric password is not required.
Android (native): Supported on devices with OS 3.0, selected OS 2.x devices, and KNOX compatible devices.
BlackBerry: Minimum number of each type of character required in an alphanumeric password. (Example: If minimum is 2, password must have 2 uppercase, 2 lowercase, 2 numeric, and 2 symbol characters.)

Require alphabetic password
User must create a password containing at least alphabetic (or other symbol) characters.
ActiveSync Only: webOS

Require numeric password
User must create a password containing at least numeric characters.

Require biometric password
Allows for low-security biometric (face) recognition technology. Uses technologies that can recognize the identity of an individual to about the equivalent of a 3 digit PIN (false detection is less than 1 in 1,000). Requires Android OS 4.0 or greater.

Require Device Password Expiration (ActiveSync)
Forces the device to require users to update their passwords after a number of days. Not supported on systems operating with ActiveSync protocol 2.5, such as Exchange 2003.
Android: Supported on devices with OS 3.0, selected devices with OS 2.x, and KNOX compatible devices.
Android (native): See knowledge base.
BlackBerry 10: Not supported on Q5 and Z30.
ActiveSync Only: BB10

Password expiration in days (ActiveSync)
Defines the number of days a password can be used before it expires. Not supported on systems operating with ActiveSync protocol 2.5, such as Exchange 2003.
Android: Supported on devices with OS 3.0, selected devices with OS 2.x, and KNOX compatible devices.
Android (native): See knowledge base.
BlackBerry 10: Not supported on Q5 and Z30.
ActiveSync Only: BB10

Require Device Password History (ActiveSync)
Forces the device to disallow the entry of passwords that have been used in the recent past. The number of stored past passwords is configurable. Not supported on systems operating with ActiveSync protocol 2.5, such as Exchange 2003.
Android (native): Supported on devices with OS 3.0 or greater, selected OS 2.x devices, and KNOX compatible devices.
Android w/ TouchDown: Applies to the password associated with the TouchDown application only.
ActiveSync Only: BB10

Number of passwords stored (ActiveSync)
Defines the number of device passwords stored to prevent users from reusing them too soon.
ActiveSync Only: BB10

Enable Password Echo
After the specified number of password entry attempts are made, the last password entered is unmasked to allow the user to see the error they are making.

Begin password echo after attempts
Define the number of unlock attempts before echoing begins.

Require numeric complex password
Determines whether the device will allow the user to enter a password that has repeating numeric sequences, such as 4444, 1234.
Requires Android OS version 5.0+.

Security: Encryption

Require Encryption on the Device (ActiveSync)
Determines whether the device encrypts stored data. Not supported on systems operating with ActiveSync protocol 2.5, such as Exchange 2003.
iOS devices (iPhone and iPad) have hardware encryption that is always enabled. The ActiveSync policy is not used to enable/disable.
Android (native): Supported on devices with OS 3.0 or greater, selected devices with OS 2.2 and devices compatible with KNOX. Gives repeated reminders until the user initiates encryption.
Android w/ TouchDown: TouchDown data is encrypted (email, calendar, contacts, tasks) as well. Use Require TouchDown encryption instead, to require encryption of TouchDown data only. Gives repeated reminders until the user initiates encryption.
BlackBerry: Only NotifySync data is encrypted (email).
Windows 10 desktop: For encryption of a local or internal data drive, BitLocker must be enabled on a desktop computer. Follow the instructions at http://www.howtogeek.com/howto/6229/how-to-usebitlocker-on-drives-without-tpm/
ActiveSync Only: BB10

Policy Suite Rules: All Devices
Description Anrd Anrd w/o MDM TD/A NS/BB TD/ Windows Active-Sync Only BB10

Require Encryption on the Storage Card (ActiveSync)
Forces the device to encrypt the file system of a storage card.
Android: Requires KNOX compatibility. The device will not prompt the user to encrypt the SD card until a reboot of the device is performed.
Android w/ TouchDown: Only TouchDown files are encrypted (email attachments that have been downloaded are encrypted using AES (256); attachments are still unreadable if the card is moved to another device).

Security: Device Inactivity and Locking

Require Max Inactivity Time Device Lock (ActiveSync)
Forces the device to lock after a set number of minutes of user inactivity. This value serves as a maximum. This is also known as "Time without user input before password must be re-entered".
BB10 w OS

Max Inactivity Timeout (in minutes) (ActiveSync)
Defines the maximum value a user can set for the number of minutes of inactivity before the device locks. If Challenge Timeout is being enforced, the Max Inactivity Timeout should be less than Challenge Timeout.
BB10 w OS

Require Device Challenge Timeout
Forces the device to enable a challenge timeout. A lock is initiated regardless of activity and is intended to challenge the use of a lost or stolen device.

Max Device Challenge Timeout
Defines the maximum value a user can set for the number of minutes before the device initiates a challenge lock. This lock is initiated regardless of activity and is intended to challenge the use of a lost or stolen device. If Max Inactivity Timeout is being enforced, the Challenge Timeout should be greater than Max Inactivity Timeout.

Enable Customizable Lock Message
Enable the lock message and enter the text to be displayed when the device is locked.

Customizable lock message
Enter text to be displayed when the device locks.

Lock message phone number
Enter a contact phone number to be displayed when the device locks. A user can tap the displayed phone to initiate dialing. Requires 7 or later.

Last revision: 02/24/16 Current Release: Version 3.9.x Policy Rules: All Devices

Audible Alert On Lock
Causes a device to constantly emit a loud noise when a server-initiated device lock has been issued. The intent is to draw attention to a missing device and the device thief. The noise continues while the device is powered on, until the device is unlocked.

Maximum grace period (in minutes)
Determines how soon the device can be unlocked again after use, without re-prompting for the password. The administrator can also disallow a grace period by selecting Immediately or choose not to impose a limit by selecting None.
Android native: Requires KNOX compatibility.
iOS: If Touch ID is enabled on the device, Maximum grace period is set to Immediately since the user can easily access the device with a fingerprint scan. An administrator can block the use of Touch ID by disabling Allow fingerprint for unlock.

Wipe device on Failed Number of Unlock Attempts (ActiveSync)
After the specified number of password entry attempts are made, data is cleared from the device. Functionality varies by device.
Android or Android w/ TouchDown: Device returns to factory settings. This entails deleting all data and applications from the device. Does not erase SD card.
BlackBerry: Removes all mail and PIM data associated with the NotifySync application and removes the NotifySync / NotifyMDM accounts. Locks the device if Require Password is enabled. Erases NotifySync data from SD card, including saved attachments.
: Device returns to factory settings. This entails deleting all data and applications from the device.
BB10, webOS, and or any device without NotifyMDM app: Device returns to factory settings. This entails deleting all data and applications from the device.
BB10 w OS

Maximum number of unlock attempts (ActiveSync)
Defines the number of unlock attempts before a device-initiated wipe is performed.
BB10 w OS

Security: Emergency Calls

Enable emergency calls when locked
Allows the device to make emergency calls in a locked state. Allows emergency numbers to be specified for allowed calls on a locked device: ambulance, fire, police, and one other emergency number.

Allow dialing of any number
Gives the user an option to manually enter and call any number when the device is locked.

S/MIME Settings

Require signed SMIME messages
When enabled, this setting forces the device to send digitally signed S/MIME messages.

Require encrypted SMIME messages
When enabled, this setting forces the device to send encrypted S/MIME messages.

Require signed SMIME algorithm
This setting specifies the algorithm to be used for signing messages. Options are SHA1, MD5.

Require encryption SMIME algorithm
This setting specifies the algorithm to be used for encrypting messages. Options are TripleDES, DES, RC2128bit, RC264bit, RC240bit.

Allow S/MIME Encryption algorithm negotiation
This setting enables/disables the device from negotiating the encryption algorithm used for signing messages. Options are Do not negotiate, Negotiate only strong algorithms, Negotiate any algorithm.

Allow SMIME soft certs
Enables or disables the device from using soft certificates to sign outgoing messages.

POLICY RULES: IOS DEVICES

Policy Suite Rules: Specific
Description TD/

Device Features

Allow Explicit Content
Determines whether or not explicit music or video content purchased from the iTunes store is hidden.

Allow FaceTime
Determines whether the user can receive or place video calls. Allow Camera in the Device Controls must be enabled as well.

Allow Fingerprint for Unlock
Determines whether the user's Touch ID can be used to unlock the device. iOS 7 or later required.

Allow Game Center
Determines whether the Game Center is accessible. When disabled, the icon is removed from the Home screen. Functional on in mode only. Disabling this policy also disables Allow Multiplayer Gaming and Allow Adding Game Center Friends.

Allow Adding Game Center Friends
Determines whether the device allows adding friends or building a social gaming network associated with the Game Center app.

Allow Multiplayer Gaming
Determines whether the device allows multiplayer gaming between via Bluetooth or WiFi. When this option is disabled, users cannot play multiplayer games in the Game Center.

Allow Global Background Fetch while roaming
Determines if global background fetch activity (automated data capture) is permitted when an iOS phone is roaming.

Allow Lock Screen Control Center
Determines whether Control Center appears on the Lock screen. Control Center appears with a swipe up from any screen, giving the user quick access to controls and apps. iOS 7 or later required.

Allow Lock Screen Notification View
Determines whether the Notifications view in Notification Center can be accessed from the Lock screen. iOS 7 or later required.

Allow Lock Screen Today View
Determines whether the Today view in Notification Center can be accessed from the Lock screen. iOS 7 or later required.

Allow Over-the-Air PKI Updates
Determines whether over-the-air Public Key Infrastructure (PKI) updates are permitted. Requires iOS 7 or later.

Allow Passbook while device locked
Allows use of the Apple Passbook app when the device is locked, giving users access to their boarding passes, tickets, store cards, coupons, etc. Requires iOS 6.0 or higher.

Allow Screenshot
Determines if the device will allow screenshots and screen recordings.

Allow Siri
Determines whether to allow the Siri speech recognition personal assistant.

Allow Siri while device locked
Determines whether Siri is disabled when the device is locked with a password. Enabling Allow Siri is a prerequisite for enabling this option. Requires iOS 5.1 or greater.

Enable Siri Profanity Filter
Determines whether profanity is filtered on the device. Allow Siri must be enabled in order to enable this policy. Functional on in mode only.

Allow Voice Dialing
Determines whether the user can dial their phone using voice commands. Require Password in Security Settings must be enabled as well.

Force Encrypted Backup
When disabled, users can choose whether or not device backups, performed in iTunes, are stored in encrypted format on their computer.

Force iTunes Store Password Entry
Determines whether the device requires a password to access the iTunes store. Requires users to enter their Apple ID before making any purchase. Normally, there is a brief grace period after a purchase is made before users must authenticate for subsequent purchases.

Force Limited Ad Tracking
Determines whether advertisers' tracking of a user's habits is limited. Enabling this does not eliminate ad tracking, but may reduce it to some degree. Requires iOS 7 or later.

Force Unmanaged Air Drop
Determines whether AirDrop is an unmanaged drop target. When enabled, sharing managed documents using AirDrop is not allowed. Requires iOS 9.0 or greater.

Force Watch Wrist Detection
Determines whether Apple Watch will lock automatically when removed from the wrist. Requires iOS 8.2 or greater.

Applications

Allow Management
Determines whether an administrator has the ability to give users access to apps or force push apps to users in a particular policy suite.

Allow Activity Continuation
Determines whether the device will allow activity continuation.

Allow Store
Determines whether an iOS device will allow users to install applications. When disabled, the Store is disabled and the icon is removed from the device Home screen.

Allow managed applications installation
Determines whether iOS 7 or greater will allow users to install recommended or required applications even if the Allow Store policy has been disabled.

Allow Bookstore
When disabled, iBookstore is disabled and users are prevented from accessing it from the iBooks app. Functional on in mode only. Disabling this policy also disables the non-supervised policy Allow Bookstore Erotica.

Allow Bookstore Erotica
Determines whether users can purchase books categorized as Erotica from iBookstore.

Allow Enterprise Books Backup
Determines whether the device will allow backups of Enterprise books.

Allow Enterprise Books Metadata Backup
Determines whether the device will allow backups of Enterprise books, notes and highlights.

Allow In Purchases
Determines whether or not users can make in-app purchases.

Allow iTunes
Determines whether the use of iTunes is allowed on the device. If disabled, the icon is removed from the Home screen and users cannot preview, purchase, or download content.

Allow Managed Documents to Open in Unmanaged Apps
Determines whether documents in managed apps and accounts will only open in other managed apps and accounts. Requires iOS 7 or later.

Allow Unmanaged Documents to Open in Managed Apps
Determines whether documents in unmanaged apps and accounts will only open in other unmanaged apps and accounts. Note: When disabled, this setting prevents users from attaching photos from the iPhone camera roll. Requires iOS 7 or later.

Record Installed Applications
Access and record applications installed on.

Force pairing password for outgoing AirPlay requests
Determines if a pairing password is required from any device receiving AirPlay requests from an MDM device (an MDM device attempting to stream media to other AirPlay-enabled on the same Wi-Fi network). Requires iOS 7.1 or later.

Safari Browser

Allow Safari
Determines whether use of the Safari Web browser is allowed on the device. If disabled, the Safari icon is removed from the Home screen and it prevents users from opening web clips. Disabling Safari can also prevent the use of third-party browsers. Allow Browser in the Device Controls must also be enabled.

Accept Cookies
Determines the Safari cookie policy: whether the device accepts all cookies, no cookies, or only cookies from sites that were directly accessed.

Allow Auto-fill
Determines whether Safari remembers what users enter in web forms.

Allow JavaScript
Determines whether Safari ignores JavaScript on websites.

Block Pop-ups
Determines whether Safari's pop-up blocking feature is enabled.

Force Fraud Warning
Determines whether Safari attempts to prevent the user from visiting websites identified as being fraudulent or compromised.

Ratings

Rating Region
Determines the media content rating scale used by a particular region. If rating restrictions are enabled, items that violate the restrictions cannot be downloaded over-the-air and those installed via iTunes are hidden. Items violating the restriction that existed on the device before rating restrictions were imposed will be hidden.

Application Ratings
Determines the maximum allowed ratings for apps. If rating restrictions are enabled, applications that violate the restrictions cannot be downloaded over-the-air and those installed via iTunes are hidden. Applications violating the restriction that existed on the device before rating restrictions were imposed will be hidden.
Caution: If you choose the Don't Allow Apps option, the NotifyMDM app will be hidden on.
Rating settings determine the highest rating permissible. For example, a policy with the U.S. application rating of 9+ will allow the installation of applications with a rating of 4+ or 9+, but will block applications with a rating of 12+ or 17+.
Note: Set to Allow All to allow users to install VPP apps without having to enter their Apple ID credentials.

Movie Ratings
Determines the maximum allowed ratings for movies. If rating restrictions are enabled, movies that violate the restrictions cannot be downloaded over-the-air and those installed via iTunes are hidden. Movies violating the restriction that existed on the device before rating restrictions were imposed will be hidden.

TV Show Ratings
Determines the maximum allowed ratings for TV shows. If rating restrictions are enabled, TV shows that violate the restrictions cannot be downloaded over-the-air and those installed via iTunes are hidden. TV shows violating the restriction that existed on the device before rating restrictions were imposed will be hidden.

Security

Allow Untrusted TLS Prompt
Determines whether users are asked if they want to trust certificates that cannot be verified. This setting applies to Safari and to Mail, Contacts, and Calendar accounts.

Allow Diagnostic Submission
Determines whether the device sends diagnostic data to Apple. When this option is disabled, diagnostic information is not sent to Apple. Requires iOS 6.0 or higher.

Managed Domains
Managed mail domains list and the managed Safari domains list are enabled only when the managed domains policy is enabled. Requires iOS 8.0 or higher.

Managed Email Domains
Recipient email addresses from unmanaged domains entered in this list will be highlighted in the Mail app. Requires iOS 8.0 or higher.

Managed Safari Domains
Documents originating from managed domains entered in this list can only be opened within Safari. Requires iOS 8.0 or higher.

iCloud

Allow iCloud Backup
Determines whether the device is permitted to back up to and restore from iCloud.

Allow iCloud Keychain Sync
Determines whether iCloud Keychain sync is permitted. Stores 256-bit AES encrypted user passwords in iCloud so they can be synced across trusted. Helps users create strong passwords. Requires iOS 7 or later.

Allow iCloud Photo Library
Determines whether photos in iCloud can be accessed on the device. Requires iOS 9.0 or greater.

Allow Document Sync
Determines whether the device allows document synchronization to iCloud. When this option is enabled, users can store documents in iCloud.

Allow managed apps cloud sync
Determines whether the device allows cloud sync for managed apps.

Allow Photo Stream
Determines whether iCloud automatically pushes (via WiFi) a copy of any photo taken on or imported to an iOS device, to the user's other, iPhoto or Aperture on a Mac, Pictures Library on a PC, and Apple TV. When this option is disabled, installing a configuration profile with this restriction can erase Photo Stream photos from the user's device and prevents photos from the Camera Roll from being sent to Photo Stream. If there are no other copies of these photos, they may be lost.

Allow Shared Photo Streams
Determines whether the user can post and share a Photo Stream album with other users or through the iCloud Web site. Requires iOS 6.0 or later.

Management

Allow Management of Settings
Determines whether the voice and data roaming settings can be managed.

Allow Voice Roaming
Determines whether the device will allow voice calls and SMS messages while roaming.

Allow Data Roaming
Determines whether the device will allow data or video while roaming.

Enable personal hotspot
Enables the personal hotspot feature on user, which allows the user to connect computers and other to the Internet using the device's cellular data connection. A user can change this setting on the device, but it will revert back to the setting from the server each time the device synchronizes. Requires iOS 7 or later.

Mode

Allow Account Modification
Determines whether the user can modify the iTunes & Stores account. Requires iOS 7 or later.

Allow Activation Lock
Determines whether a user will be able to lock the activation of the device (also known as bricking the device) via the Find My Phone app. Requires iOS 7 or later.

Allow AirDrop
Determines whether AirDrop is enabled or disabled. AirDrop allows users to easily share, via Wi-Fi or Bluetooth, photos, videos, contacts or anything else from any app with a Share button. 'Determines if AirDrop is an unmanaged drop target. When enabled, sharing managed documents using AirDrop is not allowed.' iOS 7 or later required.

Allow Cellular Data Modification
Determines whether changes to cellular data usage settings for apps are permitted. Requires iOS 7 or later.

Config/ DEP Devices

Allow Removal
Determines whether users can remove apps from the device. This does not include apps that are included with, such as Store and iTunes. Functional on in mode only. If this is disabled, it does not prevent managed apps from being removed via the MDM API.

Allow Assistant User Generated Content
Determines whether Siri can query web sources, such as Bing, Wikipedia, and Twitter, to answer user questions. iOS 7 or later required.

Allow Auto Correction
Determines whether the device allows auto correction of keyboard entries.

Allow Automatic Downloads
Determines whether the device is permitted to download apps automatically.

Allow Configuration Profile Installation
Determines whether users can install additional configuration profiles onto the device. Functional on in mode only. If this is disabled, it does not prevent the MDM API from installing configuration profiles on the device.

Allow Definition Lookup
Determines whether the use of word definition features is permitted.

Allow Device Name Modification
Determines whether a user can change the device name.

Allow Enterprise Trust
Determines whether the device is permitted to trust enterprise apps.

Allow Find My Friends Modification
Determines whether changes to Find My Friends settings are permitted. Allows users to locate friends and family that also have the Find My Friends app. Requires iOS 7 or later.

Allow Full Wipe via Device
Determines whether the device enables the Erase All Content and Settings under Reset UI on the device.

Allow Host Pairing
Determines whether host pairing, other than the supervision host, is disabled. If a supervision host has not been configured, all pairing is disabled. Requires iOS 7 or later.

Allow iMessage
Determines whether users can send or receive messages using iMessage. It does not prevent messaging through third party apps. If the device does not support text messaging, disabling this policy will remove the Messages icon from the Home screen. Functional on in mode only.

Allow Keyboard Shortcuts
Determines whether the device permits the use of keyboard shortcuts for onscreen menus.

Allow Paired Watch
Determines whether a device can pair with an Apple Watch.

Allow Passcode Modification
Determines whether a user can change the device passcode.

Allow Predictive Keyboard
Determines whether the use of Predictive Keyboard is permitted.

Allow Spell Check
Determines whether the device permits the use of spell check.

Allow Spotlight Results
Determines whether Spotlight will return Internet search results.

Allow user to change restrictions
Determines whether the device enables the Enable Restrictions option under Restrictions UI in the device Settings.

Allow Wallpaper Modification
Determines whether the user can change the device wallpaper.

Global HTTP Proxy
This payload allows the administrator to specify global HTTP proxy settings: Proxy Type, Proxy Server, Proxy Server Port, Proxy Username, and Proxy Password. Configuring the settings incorrectly can prevent the Apple API from functioning altogether on the device. There can only be one of this payload at any time and it can only be installed on supervised.

Content Filter
Web content filter policies (Auto Filter, Permitted URLs, and Blacklisted URLs) for iOS 8+ are enabled only when Content Filter is enabled. Requires iOS 8.0 or later.

Filter Type
Choose Blacklisted/Permitted URLs and enter URLs to be blocked or choose Whitelisted Bookmarks and enter bookmarks for the URLs to which the device is limited.

Auto Filter Inappropriate Web Sites
When Filter Type is Blacklisted/Permitted URLs, this determines whether web sites with content inappropriate for children are blocked. Requires iOS 8.0 or later.

Permitted URLs
When Filter Type is Blacklisted/Permitted URLs: Permitted URLs can only be entered when Auto Filter is enabled. Specified URLs are accessible whether the automatic filter allows access or not.

Blacklisted URLs
Requires iOS 8.0 or later. When Filter Type is Blacklisted/Permitted URLs, access to the specified URLs is blocked.

Whitelisted Bookmarks
Requires iOS 8.0 or later. When Filter Type is Whitelisted Bookmarks, URLs entered here are added to the browser's bookmarks, and the user is not allowed to visit any sites other than these.

Single Mode
This payload allows administrators to specify an app to which supervised will be locked. The device is locked to a single application until the payload is removed. The Home button is disabled and the device returns to the specified application automatically upon wake or reboot. There can only be one of this payload at any time and it can only be installed on supervised. Requires iOS 6.0 or later. Several options associated with Single Mode are listed below.

Single Mode: Disable Touch Screen
Determines whether the touch screen is operational. Requires iOS 7 or later.

Single Mode: Disable Device Rotation
Determines whether device rotation sensing is operational. Requires iOS 7 or later.

Single Mode: Disable Volume Buttons
Determines whether volume buttons are operational. Requires iOS 7 or later.

Single Mode: Disable Ringer Switch
Determines whether the ringer switch is operational. Requires iOS 7 or later.

Single Mode: Disable Sleep/Wake Button
Determines whether the sleep/wake button is operational. Requires iOS 7 or later.

Single Mode: Disable AutoLock
Determines whether the device will automatically go to sleep after an idle period. Requires iOS 7 or later.

Single Mode: Enable VoiceOver
Determines whether VoiceOver, a feature that audibly assists a user in navigating the touch screen, is on or off. VoiceOver enables a blind or low vision user to touch the screen to hear what is under their finger, then gesture to control the device. Works with apps that come with the device. Requires iOS 7 or later.

Single Mode: Allow VoiceOver Adjustments
Determines whether the user is permitted to adjust VoiceOver settings. Enable VoiceOver must be on. Requires iOS 7 or later.

Single Mode: Enable Zoom
Determines whether Zoom, an assistive built-in magnifier, is turned on or off. A double tap with three fingers instantly zooms 100-500 percent. Requires iOS 7 or later.

Single Mode: Allow Zoom Adjustments
Determines whether the user is permitted to adjust Zoom settings. Enable Zoom must be on. Requires iOS 7 or later.

Single Mode: Enable Invert Colors
Determines whether Invert Colors, an assistive feature that inverts colors for a higher contrast, is turned on or off. Once colors are set, the settings apply systemwide, even to video. Requires iOS 7 or later.

Single Mode: Allow Invert Colors Adjustments
Determines whether the user is permitted to adjust Invert Colors settings. Enable Invert Colors must be on. Requires iOS 7 or later.

Single Mode: Enable AssistiveTouch
Determines whether AssistiveTouch, a feature that provides alternatives to the standard navigation gestures, is turned on or off. Alternatives or customization can be created for gestures such as pinch, pressing the Home button, rotate, or shake. Requires iOS 7 or later.

Single Mode: Allow AssistiveTouch Adjustments
Determines whether the user is permitted to adjust AssistiveTouch. Enable AssistiveTouch must be on. Requires iOS 7 or later.

Single Mode: Enable Speak Selection
Determines whether Speak Selection, an assistive feature that reads text, is turned on or off. Speak Selection allows a user to highlight text in any