XenMobile

Restrictions device policy

The Restrictions device policy allows or restricts certain features or functionality on user devices, such as the camera. You can also set security restrictions, as well as restrictions on media content and restrictions on the types of apps users can and cannot install. Most of the restriction settings default to On, or allows. The main exceptions are the iOS Security - Force feature and all Windows Tablet features, which default to Off, or restricts.

For Windows 10 RS2 Phone: After a Custom XML policy or Restrictions policy that disables Internet Explorer deploys to the phone, the browser remains enabled. To work around this issue, restart the phone. This is a third-party issue.

Tip:

Any option for which you select On means that the user can perform the operation or use the feature. For example:

Camera. If On, the user can use the camera on their device. If Off, the user cannot use the camera on their device.

Screen shots. If On, the user can take screen shots on their device. If Off, the user cannot take screen shots on their device.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

iOS settings

Device Policies configuration screen

Some iOS restrictions policy settings apply only to specific versions of iOS, as noted here and in the XenMobile console Restrictions policy page.

iOS restrictions policy settings can apply when the device is enrolled in user enrollment mode, unsupervised (full MDM) mode, or supervised mode. The following table shows the enrollment modes that are available for each restrictions policy setting for iOS 13 and later.

As noted in the table, some settings that were previously available in unsupervised and supervised mode are available only in supervised mode starting with iOS 13. The following rules apply:

  • If a supervised iOS 13+ device enrolls in XenMobile, the settings apply to the device.
  • If an unsupervised iOS 13+ device enrolls in XenMobile, the settings don’t apply to the device.
  • If an iOS 12 (or lower) device already enrolled in XenMobile and then upgrades to iOS 13, there are no changes. The settings apply to the device as they did before the upgrade.

For information on setting an iOS device to supervised mode, see To place an iOS device in Supervised mode by using the Apple Configurator.

| Setting | User Enrollment | Unsupervised | Supervised |
| --- | --- | --- | --- |
| Allow hardware controls | | | |
| Camera | No | Yes | Yes |
| FaceTime | No | No (new in iOS 13) | Yes |
| Screenshots | Yes | No | Yes |
| Allow the Classroom app to remotely observe student screens | No | No | Yes |
| Allow the Classroom app to perform AirPlay and View Screen without prompting | No | No | Yes |
| Photo streams | No | Yes | Yes |
| Shared photo streams | No | Yes | Yes |
| Voice dialing | No | Yes | Yes |
| Siri | Yes | Yes | Yes |
| Allow while device is locked | Yes | Yes | Yes |
| Siri profanity filter | No | No | Yes |
| Installing apps | No | No (new in iOS 13) | Yes |
| Allow global background fetch while roaming | No | Yes | Yes |
| Allow apps | | | |
| iTunes Store | No | No (new in iOS 13) | Yes |
| In-app purchases | No | Yes | Yes |
| Require iTunes password for purchases | No | Yes | Yes |
| Safari | No | No (new in iOS 13) | Yes |
| Autofill | No | No (new in iOS 13) | Yes |
| Force fraud warning | Yes | Yes | Yes |
| Enable JavaScript | No | Yes | Yes |
| Block pop-ups | No | Yes | Yes |
| Accept cookies | No | Yes | Yes |
| Network - Allow iCloud actions | | | |
| iCloud documents and data | No | No (new in iOS 13) | Yes |
| iCloud backup | No | Yes | Yes |
| iCloud photo keychain | No | Yes | Yes |
| iCloud photo library | No | Yes | Yes |
| Security - Force | | | |
| Encrypted backups | Yes | Yes | Yes |
| Limited ad tracking | No | Yes | Yes |
| Passcode on first AirPlay pairing | Yes | Yes | Yes |
| Paired Apple Watch to use Wrist Detection | Yes | Yes | Yes |
| Sharing managed documents using AirDrop | Yes | Yes | Yes |
| Security - Allow | | | |
| Accepting untrusted SSL certificates | No | Yes | Yes |
| Automatic update to certificate trust settings | No | Yes | Yes |
| Documents from managed apps in unmanaged apps | Yes | Yes | Yes |
| Unmanaged apps read managed contacts | No | No | Yes |
| Managed apps write unmanaged contacts | No | No | Yes |
| Documents from unmanaged apps in managed apps | Yes | Yes | Yes |
| Diagnostic submission to Apple | Yes | Yes | Yes |
| Touch ID to unlock device | No | Yes | Yes |
| Passbook notifications when locked | No | Yes | Yes |
| Handoff | No | Yes | Yes |
| iCloud sync for managed apps | Yes | Yes | Yes |
| Backup for enterprise books | Yes | Yes | Yes |
| Notes and highlights sync for enterprise books | Yes | Yes | Yes |
| Internet results in Spotlight | No | Yes | Yes |
| Enterprise app trust | No | Yes | Yes |
| Supervised only settings - Allow | | | |
| Erase all content and settings | No | No | Yes |
| Configuring restrictions | No | No | Yes |
| Podcasts | No | No | Yes |
| Installing configuration profiles | No | No | Yes |
| Fingerprint modification | No | No | Yes |
| Installing apps from device | No | No | Yes |
| Keyboard shortcuts | No | No | Yes |
| Paired Apple watch | No | No | Yes |
| Passcode modification | No | No | Yes |
| Device name modification | No | No | Yes |
| Wallpaper modification | No | No | Yes |
| Automatically downloading apps | No | No | Yes |
| AirDrop | No | No | Yes |
| iMessage | No | No | Yes |
| Siri user-generated content | No | No | Yes |
| iBooks | No | No | Yes |
| Removing apps | No | Yes | Yes |
| Game Center | No | No (new in iOS 13) | Yes |
| Add friends | No | No | Yes |
| Multiplayer gaming | No | No (new in iOS 13) | Yes |
| Modifying account settings | No | No | Yes |
| Modifying app cellular data settings | No | No | Yes |
| Modifying Find My Friends settings | No | No | Yes |
| Pairing with non-Configurator hosts | No | No | Yes |
| Predictive keyboards | No | No | Yes |
| Keyboard auto-corrections | No | No | Yes |
| Keyboard spell-check | No | No | Yes |
| Definition lookup | No | No | Yes |
| Single App bundle ID | | | |
| News | No | No | Yes |
| Apple Music service | No | No | Yes |
| iTunes Radio | No | No | Yes |
| Notifications modification | No | No | Yes |
| Restricted App usage | No | No | Yes |
| Diagnostic submission modification | No | No | Yes |
| Bluetooth modification | No | No | Yes |
| Allow dictation | No | No | Yes |
| Join only Wi-Fi networks installed by a Wi-Fi policy | No | No | Yes |
| Allow the Classroom app to perform AirPlay and View Screen without prompting | No | No | Yes |
| Allow the Classroom app to lock to an app and lock the device without prompting | No | No | Yes |
| Automatically join the Classroom app classes without prompting | No | No | Yes |
| Allow AirPrint | No | No | Yes |
| Allow storage of AirPrint credentials in Keychain | No | No | Yes |
| Allow discovery of AirPrint printers by using iBeacons | No | No | Yes |
| Allow AirPrint only to destinations with trusted certificates | No | No | Yes |
| Adding VPN configurations | No | No | Yes |
| Modifying cellular plan settings | No | No | Yes |
| Removing system apps | No | No | Yes |
| Setting up new nearby devices | No | No | Yes |
| Allow USB restricted mode | No | No | Yes |
| Force delayed software updates | No | No | Yes |
| Enforced software update delay | No | No | Yes |
| Force classroom request permission to leave classes | No | No | Yes |
| Force automatic date and time | No | No | Yes |
| Password AutoFill | No | No | Yes |
| Password proximity requests | No | No | Yes |
| Password Sharing | No | No | Yes |
| Security - Show in lock screen | | | |
| Control Center | Yes | Yes | Yes |
| Notification | Yes | Yes | Yes |
| Today view | Yes | Yes | Yes |
| Media content - Allow | | | |
| Explicit music, podcasts, and iTunes U material | No | No (new in iOS 13) | Yes |
| Explicit sexual content in iBooks | No | Yes | Yes |
| Ratings region | No | Yes | Yes |
| Movies | No | Yes | Yes |
| TV Shows | No | Yes | Yes |
| Apps | No | Yes | Yes |

  • Allow hardware controls
    • Camera: Allow users to use the camera on their devices.
      • FaceTime: Allow users to use FaceTime on their devices. For supervised iOS devices.
    • Screenshots: Allow users to take screenshots on their devices.
      • Allow the Classroom app to remotely observe student screens: If this restriction is unselected, an instructor can’t use the Classroom app to remotely observe student screens. The default setting is selected, which means an instructor can use the Classroom app to observe student screens. The setting for Allow the Classroom app to perform AirPlay and View Screen without prompting determines whether students receive a prompt to give the instructor permission. For supervised iOS devices.
      • Allow the Classroom app to perform AirPlay and View Screen without prompting: If this restriction is selected, the instructor can perform AirPlay and View Screen on a student device, without prompting for permission. The default setting is unselected. For supervised iOS devices.
    • Photo streams: Allow users to use MyPhotoStream to share photos through iCloud to all their iOS devices.
    • Shared photo streams: Allow users to use iCloud Photo Sharing to share photos with coworkers, friends, and family.
    • Voice dialing: Enables voice dialing on user devices.
    • Siri: Allows users to use Siri.
      • Allow while device is locked: Allow users to use Siri while their devices are locked.
      • Siri profanity filter: Enable the Siri profanity filter. The default is to restrict this feature, which means no profanity filtering is done.

        For more information about Siri and security, see Siri and dictation policies.

    • Installing apps: Allow users to install apps. For supervised iOS devices.
    • Allow global background fetch while roaming: Allow devices to automatically sync mail accounts to iCloud while the device is roaming. When Off, disables global background fetch activity when an iOS phone is roaming. Defaults to On.
  • Allow apps
    • iTunes Store: Allow users to access the iTunes Store. For supervised iOS devices.
    • In-app purchases: Allow users to make in-app purchases.
      • Require iTunes password for purchases: Require a password for in-app purchases. The default is to restrict this feature, which means no password is required for in-app purchases.
    • Safari: Allow users to access Safari. For supervised iOS devices.
      • Autofill: Allow users to set up autofill for user names and passwords on Safari.
      • Force fraud warning: If this setting is enabled and users visit a suspected phishing website, Safari alerts users. The default is to restrict this feature, which means no warnings are issued.
      • Enable JavaScript: Allow JavaScript to run on Safari.
      • Block pop-ups: Block pop-ups while viewing websites. The default is to restrict this feature, which means pop-ups are not blocked.
    • Accept cookies: Set to what extent cookies are accepted. In the list, choose an option to allow or restrict cookies. The default option is Always, which allows all websites to save cookies in Safari. Other options are Current website only, Never, and From visited sites only.
  • Network - Allow iCloud actions

    • iCloud documents and data: Allow users to sync documents and data to iCloud. For supervised iOS devices.
    • iCloud backup: Allow users to back up their devices to iCloud.
    • iCloud keychain: Allow users to store passwords, Wi-Fi network, credit card, and other information in the iCloud Keychain.
    • iCloud photo library: Allow users to access their iCloud photo library.
  • Security - Force

    The default is to restrict the following features, which means no security features are enabled.

    • Encrypted backups: Force backups to iCloud to be encrypted.
    • Limited ad tracking: Block targeted ad tracking.
    • Passcode on first AirPlay pairing: Require that AirPlay-enabled devices are verified with a one-time onscreen code before they can use AirPlay.
    • Paired Apple Watch to use Wrist Detection: Require a paired Apple Watch to use Wrist Detection.
    • Sharing managed documents using AirDrop: Setting this option to On makes AirDrop appear as an unmanaged drop target.
  • Security - Allow

    • Accepting untrusted SSL certificates: Allow users to accept websites’ untrusted SSL certificates.
    • Automatic update to certificate trust settings: Allow trusted certificates to be updated automatically.
    • Documents from managed apps in unmanaged apps: Allow users to move data from managed (corporate) apps to unmanaged (personal) apps.
    • Documents from unmanaged apps in managed apps: Allow users to move data from unmanaged (personal) apps to managed (corporate) apps.
    • Diagnostic submission to Apple: Allow anonymous diagnostic data about users’ devices to be sent to Apple.
    • Touch ID to unlock device: Allow users to use their fingerprints to unlock their devices.
    • Passbook notifications when locked: Allow Passbook notifications to appear on the lock screen.
    • Handoff: Allow users to transfer activities from one iOS device to another nearby iOS device.
    • iCloud sync for managed apps: Allow users to sync managed apps to iCloud.
    • Backup for enterprise books: Allow enterprise books to be backed up to iCloud.
    • Notes and highlights sync for enterprise books: Allow notes and highlights users have added to enterprise books to be synced to iCloud.
    • Enterprise app trust: Allow enterprise applications to be trusted. Enterprise apps are any apps that are custom made for your organization. These can be made internally or they can be developed and purchased from an external vendor. For additional information, see Install custom enterprise apps on iOS.
    • Internet results in Spotlight: Allow Spotlight to show search results from the Internet as well as the device.
    • Unmanaged apps read managed contacts: Optional. Only available if Documents from managed apps in unmanaged apps is disabled. If this policy is enabled, unmanaged apps can read data from managed accounts’ contacts. Default is Off. Available as of iOS 12.
    • Managed apps write unmanaged contacts: Optional. If enabled, allow managed apps to write contacts to unmanaged accounts’ contacts. If Documents from managed apps in unmanaged apps is enabled, this restriction has no effect. Default is Off. Available as of iOS 12.
  • Supervised only settings - Allow

    These settings apply only to supervised devices. For the steps on setting an iOS device to supervised mode, see To place an iOS device in Supervised mode by using the Apple Configurator.

    • Erase all content and settings: Allow users to erase all content and settings from their devices.
    • Configuring restrictions: Allow users to configure parental controls on their devices.
    • Podcasts: Allow users to download and sync podcasts.
    • Installing configuration profiles: Allow users to install a configuration profile other than the one deployed by you.
    • Fingerprint modification: Allow users to change or delete their Touch ID fingerprint.
    • Installing apps from device: Allow users to install apps. Disabling this setting stops end users from installing new apps. The App Store is disabled and its icon is removed from the Home Screen.
    • Keyboard shortcuts: Allow users to create custom keyboard shortcuts for words or phrases that they use often.
    • Paired Apple watch: Allow users to pair an Apple Watch to a supervised device.
    • Passcode modification: Allow users to change the passcode on a supervised device.
    • Device name modification: Allow users to change the name of their device.
    • Wallpaper modification: Allow users to change the wallpaper on their devices.
    • Automatically downloading apps: Allow apps to download.
    • AirDrop: Allow users to share photos, videos, websites, locations, and more with nearby iOS devices.
    • iMessage: Allow users to text over Wi-Fi with iMessage.
    • Siri user-generated content: Allow Siri to query user-generated content from the web. Consumers, not traditional journalists, produce user-generated content. For example, content found on Twitter or Facebook is user-generated.
    • iBooks: Allow users to use the iBooks app.
    • Removing apps: Allow users to remove apps from their devices.
    • Game Center: Allow users to play online games through Game Center on their devices.
      • Add friends: Allow users to send a notification to a friend to play a game.
      • Multiplayer gaming: Allow users to start multiplayer game play on their devices.
    • Modifying account settings: Allow users to modify their device account settings.
    • Modifying app cellular data settings: Allow users to modify how apps use cellular data.
    • Modifying Find My Friends settings: Allow users to change their Find My Friends settings.
    • Pairing with non-Configurator hosts: Allow the admin to control which devices a user device can pair with. Disabling this setting prevents pairing except with the supervising host running the Apple Configurator. If no supervising host certificate is configured, all pairing is disabled.
    • Predictive keyboards: Allow user devices to use the predictive keyboard for suggesting words as they type. Disable this option in situations such as administering standardized tests where you do not want users to have access to suggested words.
    • Keyboard auto-corrections: Allow user devices to use keyboard autocorrect. Disable this option in situations such as administering standardized tests where you do not want users to have access to autocorrect.
    • Keyboard spell-check: Allow user devices to use spell checking while typing. Disable this option in situations such as administering standardized tests where you do not want users to have access to the spell-checker.
    • Definition lookup: Allow user devices to use definition look-up while typing. Disable this option in situations such as administering standardized tests where you do not want users to be able to look up definitions as they type.
    • Single App bundle ID: Create a list of apps that are allowed to retain control over the device and prevent interaction with other apps or functions. To add an app, click Add, type an App name, and click Save. Repeat that process for each app you want to add.
    • News: Allow users to use the News app.
    • Apple Music service: Allow users to use the Apple Music service. If you don’t allow Apple Music service, the Music app runs in classic mode.
    • iTunes Radio: Allow users to use iTunes Radio.
    • Notifications modification: Allow users to modify notification settings.
    • Restricted App usage: Allow users to use all apps or to use or not use apps, based on the bundle IDs you provide. Applies only to supervised devices. If you select Only allow some apps, add an app with the bundle ID com.apple.webapp to allow web clips.

      Note:

      Beginning with iOS 11, Apple introduced changes to the policies that are available to app restrictions. Apple no longer lets you remove access to the Settings app and the Phone app by restricting the appropriate iOS application bundle.

      After you configure the Restrictions device policy to block some apps and then deploy the policy: If you later want to allow some or all of those apps, changing and deploying the Restrictions device policy doesn’t change the restrictions. In this case, iOS doesn’t apply the changes to the iOS profile. To proceed, use the Profile Removal policy to remove the iOS Profile and then deploy the updated Restrictions device policy.

      If you change this setting to Only allow some apps: Before deploying this policy, advise users of devices enrolled using Apple Deployment Program to sign in to their Apple accounts from the Setup Assistant. Otherwise, users might have to disable two-factor authentication on their devices to sign in to their Apple accounts and access allowed apps.

    • Diagnostic submission modification: Allow users to modify the diagnostic submission and app analytics settings in the Settings > Diagnostics & Usage pane.
    • Bluetooth modification: Allow users to modify Bluetooth settings.
    • Allow dictation: Supervised only. If this restriction is set to Off, dictation input is not allowed, including speech-to-text. The default setting is On.
    • Join only Wi-Fi networks installed by a Wi-Fi policy: Optional. Supervised only. If this restriction is set to On, the device can join Wi-Fi networks only when they were set up through a configuration profile. The default setting is Off.
    • Allow the Classroom app to perform AirPlay and View Screen without prompting: If this restriction is selected, the instructor can perform AirPlay and View Screen on a student device, without prompting for permission. The default setting is unselected. For supervised iOS devices.
    • Allow the Classroom app to lock to an app and lock the device without prompting: If this restriction is set to On, the Classroom app automatically locks user devices to an app and locks the device, without prompting the users. The default setting is Off. For supervised devices running iOS 11 (minimum version).
    • Automatically join the Classroom app classes without prompting: If this restriction is set to On, the Classroom app automatically joins users to classes, without prompting the users. The default setting is Off. For supervised devices running iOS 11 (minimum version).
    • Allow AirPrint: If this restriction is set to Off, users can’t print with AirPrint. The default setting is On. When this restriction is On, these extra restrictions appear. For supervised devices running iOS 11 (minimum version).
      • Allow storage of AirPrint credentials in Keychain: If this restriction is unselected, the AirPrint user name and password aren’t stored in the Keychain. The default setting is selected. For supervised devices running iOS 11 (minimum version).
      • Allow discovery of AirPrint printers by using iBeacons: If this restriction is unselected, iBeacon discovery of AirPrint printers is disabled. This prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. The default setting is selected. For supervised devices running iOS 11 (minimum version).
      • Allow AirPrint only to destinations with trusted certificates: If this restriction is selected, users can use AirPrint to print only to destinations with trusted certificates. The default setting is unselected. For supervised devices running iOS 11 (minimum version).
    • Adding VPN configurations: If this restriction is set to Off, users can’t create VPN configurations. The default setting is On. For supervised devices running iOS 11 (minimum version).
    • Modifying cellular plan settings: If this restriction is set to Off, users can’t modify cellular plan settings. The default setting is On. For supervised devices running iOS 11 (minimum version).
    • Removing system apps: If this restriction is set to Off, users can’t remove system apps from their device. The default setting is On. For supervised devices running iOS 11 (minimum version).
    • Setting up new nearby devices: If this restriction is set to Off, users can’t set up new nearby devices. The default setting is On. For supervised devices running iOS 11 (minimum version).
    • Allow USB restricted mode: If Off, the device can always connect to USB accessories while locked. Default is On. Available only for supervised iOS 11.3 and later devices.
    • Force delayed software updates: If On, delays user visibility of Software Updates. With this restriction in place, the user doesn’t see a software update until the specified number of days after the software update release date. Default is Off. Available only for supervised iOS 11.3 and later devices.
    • Enforced software update delay (days): Allows you to specify a number of days to delay a software update on the device. The maximum delay is 90 days. Default is 30 days. Available only for supervised iOS 11.3 and later devices.
    • Force classroom request permission to leave classes: If On, a student enrolled in an unmanaged course with Classroom must request permission from the teacher when attempting to leave the course. Default is Off. Available only for supervised iOS 11.3 and later devices.
    • Force automatic date and time: Allows you to automatically set the date and time on supervised devices. If On, device users can’t turn off Set Automatically under General > Date & Time. The time zone on the device is updated only when the device can determine its location. That is, when a device has a cellular connection or a Wi-Fi connection with location services enabled. Default is Off. Available only for supervised iOS 12 and later devices.
    • Password AutoFill: Optional. If disabled, users cannot use the AutoFill Passwords or Automatic Strong Passwords features. Default is On. Available as of iOS 12.
    • Password proximity requests: Optional. If disabled, users’ devices don’t request passwords from nearby devices. Default is On. Available as of iOS 12.
    • Password Sharing: Optional. If disabled, users can’t share their passwords using the AirDrop Passwords feature. Default is On. Available as of iOS 12.
  • Security - Show in lock screen
    • Control Center: Allow access to Control Center on the lock screen. Control Center lets users easily modify Airplane Mode, Wi-Fi, Bluetooth, Do Not Disturb Mode, and Lock Rotation settings.
    • Notification: Allow notifications on the lock screen.
    • Today view: Allow Today View, which aggregates information such as the weather and the current day’s calendar items, on the lock screen.
  • Media content - Allow
    • Explicit music, podcasts, and iTunes U material: Allow explicit material on users’ devices.
    • Explicit sexual content in iBooks: Allow explicit material to be downloaded from iBooks.
    • Ratings region: Set the region from which parental control ratings are obtained. In the list, click a country to set the ratings region. The default is United States.
    • Movies: Set whether movies are allowed on users’ devices. If movies are allowed, optionally set the ratings level for movies. In the list, click an option to allow or restrict movies on the device. The default is Allow all movies.
    • TV Shows: Set whether TV shows are allowed on users’ devices. If TV shows are allowed, optionally set the ratings level for TV shows. In the list, click an option to allow or restrict TV shows on the device. The default is Allow all TV Shows.
    • Apps: Set whether apps are allowed on users’ devices. If apps are allowed, optionally set the ratings level for apps. In the list, click an option to allow or restrict apps on the device. The default is Allow all apps.
  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours).
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs. Only available for iOS 6.0 and later.
    • Profile scope: Select whether this policy applies to a User or an entire System. The default is User. This option is available only on iOS 9.3 and later.
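
The enrollment-mode rules and the setting dependencies described above for iOS can be checked before a policy is deployed. The following is an added example, not Citrix or XenMobile code: a Python check over a few rows of the iOS 13+ table that reports settings that will not reach a device and combinations this page describes as ineffective. The policy dictionary shape, the Device fields and the sample fleet are constructed for illustration, and it assumes rows marked plain "No" for unsupervised devices were also supervised-only before iOS 13.

```python
from dataclasses import dataclass

MODES = ("user", "unsupervised", "supervised")

# A few rows copied from the page's iOS 13+ table, as
# (user enrollment, unsupervised, supervised). "new13" stands for
# "No (new in iOS 13)": the setting reached unsupervised devices before iOS 13.
TABLE = {
    "Camera": ("no", "yes", "yes"),
    "FaceTime": ("no", "new13", "yes"),
    "Installing apps": ("no", "new13", "yes"),
    "Safari": ("no", "new13", "yes"),
    "iCloud documents and data": ("no", "new13", "yes"),
    "Encrypted backups": ("yes", "yes", "yes"),
    "Accepting untrusted SSL certificates": ("no", "yes", "yes"),
    "Documents from managed apps in unmanaged apps": ("yes", "yes", "yes"),
    "Unmanaged apps read managed contacts": ("no", "no", "yes"),
    "Managed apps write unmanaged contacts": ("no", "no", "yes"),
    "Allow USB restricted mode": ("no", "no", "yes"),
    "Force delayed software updates": ("no", "no", "yes"),
    "Enforced software update delay": ("no", "no", "yes"),
    "Restricted App usage": ("no", "no", "yes"),
}


@dataclass
class Device:
    """Hypothetical inventory record; field names are assumptions."""
    name: str
    mode: str                            # one of MODES
    ios_major: int
    enrolled_before_ios13: bool = False  # enrolled on iOS 12 or lower, upgraded later


def applies(setting, dev):
    """True if the setting takes effect on this device under the page's rules."""
    cell = TABLE[setting][MODES.index(dev.mode)]
    if cell == "new13":
        # Devices that enrolled on iOS 12 or lower keep the old behaviour after upgrading.
        return dev.ios_major < 13 or dev.enrolled_before_ios13
    return cell == "yes"


def coverage_gaps(policy, fleet):
    """(device, setting) pairs where a configured setting does not reach the device."""
    return [(d.name, s) for d in fleet for s in policy
            if s in TABLE and not applies(s, d)]


def lint_policy(policy):
    """Findings for combinations the page describes as ineffective or out of range."""
    findings = []
    # Most restriction settings default to On; the two contacts options default to Off.
    docs_out = policy.get("Documents from managed apps in unmanaged apps", True)
    if docs_out and policy.get("Unmanaged apps read managed contacts", False):
        findings.append("Unmanaged apps read managed contacts is only available when "
                        "Documents from managed apps in unmanaged apps is disabled")
    if docs_out and policy.get("Managed apps write unmanaged contacts", False):
        findings.append("Managed apps write unmanaged contacts has no effect while "
                        "Documents from managed apps in unmanaged apps is enabled")
    if policy.get("Enforced software update delay", 30) > 90:
        findings.append("Enforced software update delay exceeds the 90-day maximum")
    usage = policy.get("Restricted App usage", {})
    if (usage.get("mode") == "Only allow some apps"
            and "com.apple.webapp" not in usage.get("bundle_ids", [])):
        findings.append("Only allow some apps without com.apple.webapp: "
                        "web clips are not allowed")
    return findings


# Constructed sample policy and fleet (not real data). False = restricted/Off.
POLICY = {
    "Safari": False,
    "Camera": False,
    "Encrypted backups": True,
    "Documents from managed apps in unmanaged apps": True,
    "Managed apps write unmanaged contacts": True,
    "Enforced software update delay": 120,
    "Restricted App usage": {"mode": "Only allow some apps",
                             "bundle_ids": ["com.example.mail"]},
}
FLEET = [
    Device("kiosk-01", "supervised", 14),
    Device("byod-07", "user", 14),
    Device("legacy-03", "unsupervised", 13, enrolled_before_ios13=True),
    Device("new-11", "unsupervised", 13),
]

if __name__ == "__main__":
    for name, setting in coverage_gaps(POLICY, FLEET):
        print(f"{name}: '{setting}' does not apply in this enrollment mode")
    for finding in lint_policy(POLICY):
        print("policy:", finding)
```

In the sample fleet, the Safari restriction reaches legacy-03, which enrolled before its iOS 13 upgrade, but not new-11, which enrolled unsupervised on iOS 13.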

macOS settings

Image of Device Policies configuration screen

  • Preferences
    • Restrict items in System Preferences: Allow or restrict user access to System Preferences. The default is Off, which allows users full access to System Preferences. If enabled, configure the following settings.
      • System Preference Pane: Select whether the settings you select are enabled or disabled. The default is to enable all settings, which are On by default.
        • Users & Groups
        • General
        • Accessibility
        • App Store
        • Software Update
        • Bluetooth
        • CDs & DVDs
        • Date & Time
        • Desktop & Screen Saver
        • Displays
        • Dock
        • Energy Saver
        • Extensions
        • FibreChannel
        • iCloud
        • Ink
        • Internet Accounts
        • Keyboard
        • Language & Text
        • Mission Control
        • Mouse
        • Network
        • Notifications
        • Parental Controls
        • Printers & Scanners
        • Profiles
        • Security & Privacy
        • Sharing
        • Sound
        • Diction & Speech
        • Spotlight
        • Startup Disk
        • Time Machine
        • Trackpad
        • Xsan
  • Apps
    • Allow use of Game Center: Allow users to play online games through Game Center. The default is On.
    • Allow adding Game Center friends: Allow users to send a notification to a friend to play a game. The default is On.
    • Allow multiplayer gaming: Allow users to initiate multiplayer game play. The default is On.
    • Allow Game Center account modification: Allow users to modify their Game Center account settings. The default is On.
    • Allow App Store adoption: Allow or restrict the App Store to adopt apps that preexist in OS X. The default is On.
    • Allow Safari Autofill: Allow Safari to automatically populate fields on websites with passwords, addresses, and other basic information that it has stored. The default is On.
    • Require admin password to install or update apps: Require an administrator password to install or update apps. The default is Off, which means no administrator password is required.
    • Restrict App Store to software update only: Restrict the App Store to updates only, which disables all tabs in the App Store except Updates. The default is Off, which allows full App Store access.
    • Restrict which apps are allowed to open: Restrict or allow apps users can use. The default is Off, which allows all apps to be used. If enabled, configure the following settings:
      • Allowed Apps: Click Add, enter the name and bundle ID for an app allowed to launch, and then click Save. Repeat this step for each app allowed to launch.
      • Disallowed Folders: Click Add, type the file path to a folder to which you want to restrict user access (for example, /Applications/Utilities), and then click Save. Repeat this step for all folders you do not want users to be able to access.
      • Allowed folders: Click Add, type the file path to a folder to which you want to grant user access, and then click Save. Repeat this step for all folders you want users to be able to access.
  • Widgets
    • Allow only the following Dashboard widgets to run: Allow or restrict which Dashboard widgets, such as World Clock or Calculator, users are allowed to run. The default is Off, which allows users to run all widgets. If enabled, configure the following setting:
      • Allowed Widgets: Click Add, type the name and ID of a widget that is allowed to run, and then click Save. Repeat this step for each widget you want to run on the Dashboard.
  • Media
    • Allow AirDrop: Allow users to share photos, videos, web sites, locations, and more with nearby iOS devices.
  • Sharing
    • Automatically enable new sharing services: Select whether to automatically enable sharing services.
    • Mail: Select whether to allow a shared mailbox.
    • Facebook: Select whether to allow a shared Facebook account.
    • Video Services - Flickr, Vimeo, Tudou, and Youku: Select whether to allow shared video services.
    • Add to Aperture: Select whether to allow shared ability to add to Aperture.
    • Sina Weibo: Select whether to allow a shared Sina Weibo microblogging account.
    • Twitter: Select whether to allow a shared Twitter account.
    • Messages: Select whether to allow shared access to messages.
    • Add to iPhoto: Select whether to allow shared ability to add to iPhoto.
    • Add to Reading List: Select whether to allow shared ability to add to Reading List.
    • AirDrop: Select whether to allow a shared AirDrop account.
  • Functionality
    • Lock desktop picture: Select whether users can change the desktop picture. The default is Off, which means users can change the desktop picture.
    • Allow use of camera: Select whether users can use the camera on their Macs. The default is Off, which means users cannot use the camera.
    • Allow Apple Music: Allow users to use the Apple Music service (macOS 10.12 and later). If you don’t allow Apple Music service, the Music app runs in classic mode. Applies only to supervised devices. Defaults to On.
    • Allow Spotlight Suggestions: Select whether users can use Spotlight Suggestions to search their Mac and to provide Spotlight Suggestions from the Internet, iTunes, and the App Store. The default is Off, which prevents users from using Spotlight Suggestions.
    • Allow Look Up: Select whether users can look up the definitions of words with the context menu or the Spotlight search menu. The default is Off, which prevents users from using Look Up on their Macs.
    • Allow use of iCloud password for local accounts: Select whether users can use their Apple ID and iCloud password to sign on to their Macs. Enabling this policy means that users use only one ID and password for all login screens on their Macs. The default is On, which allows users to use their Apple ID and iCloud password to access their Macs.
    • Allow iCloud documents & data: Select whether to allow users to access documents and data stored on iCloud on their Macs. The default is Off, which prevents users from using iCloud documents and data on their Macs.
      • Allow iCloud Desktop and Documents: (macOS 10.12.4 and later) The default is selected.
    • Allow iCloud Keychain Sync: Allow iCloud Keychain sync (macOS 10.12 and later). The default is On.
    • Allow iCloud Mail: Allow users to use iCloud Mail (macOS 10.12 and later). The default is On.
    • Allow iCloud Contacts: Allow users to use iCloud Contacts (macOS 10.12 and later). The default is On.
    • Allow iCloud Calendars: Allow users to use iCloud Calendars (macOS 10.12 and later). The default is On.
    • Allow iCloud Reminders: Allow users to use iCloud Reminders (macOS 10.12 and later). The default is On.
    • Allow iCloud Bookmarks: Allow users to sync with iCloud Bookmarks (macOS 10.12 and later). The default is On.
    • Allow iCloud Notes: Allow users to use iCloud Notes (macOS 10.12 and later). The default is On.
    • Allow iCloud Photos: If you change this setting to Off, any photos not fully downloaded from the iCloud Photo Library are removed from local device storage (macOS 10.12 and later). The default is On.
    • Allow Auto Unlock: For information about this option and Apple Watch, see https://www.imore.com/auto-unlock (macOS 10.12 and later). The default is On.
    • Allow Touch ID To Unlock Mac: (macOS 10.12.4 and later). The default is On.
    • Force delayed software updates: If On, this setting delays user visibility of Software Updates. Users don’t see a software update until the specified number of days after the software update release date. Default is Off. Available only for supervised devices running macOS 10.13.4 and later.
    • Enforced software update delay (days): Specifies how many days to delay a software update on the device. The maximum is 90 days. Default is 30. Available only for supervised devices running macOS 10.13.4 and later.
    • Password AutoFill: Optional. If disabled, users cannot use the AutoFill Passwords or Automatic Strong Passwords features. Default is On. Available as of macOS 10.14.
    • Password proximity requests: Optional. If disabled, users’ devices don’t request passwords from nearby devices. Default is On. Available as of macOS 10.14.
    • Password Sharing: Optional. If disabled, users can’t share their passwords using the AirDrop Passwords feature. Default is On. Available as of macOS 10.14.

Android settings

  • Camera: Allow users to use the camera on their devices. If Off, the camera is disabled. Defaults to On.

Android Enterprise settings

Device Policies configuration screen

When a new or factory reset Android device enrolls in work profile mode, devices running Android 9.0-10.x enroll as fully-managed devices with a work profile. Devices running Android 11+ enroll as work profile on corporate-owned devices. The restriction policy can apply to either the work profile on the device or the managed device.

On devices enrolled in the work profile on corporate-owned devices mode, the following restrictions are only available for the work profile:

  • Allow backup service
  • Enable system apps
  • Keep the keyguard from locking the device
  • Allow use of the status bar
  • Keep the device screen on
  • Allow user control of application settings
  • Allow user to configure user credentials
  • Allow VPN configuration
  • Allow USB mass storage
  • Allow factory reset
  • Allow app uninstall
  • Allow non-Google Play apps
  • Allow cross profile copy and paste
  • Enable app verification
  • Allow account management
  • Allow printing
  • Allow NFC
  • Allow adding users

By default, the USB Debugging and Unknown Sources settings are disabled on a device when it is enrolled in Android Enterprise in work profile mode.

For devices running Android 9.0-10.x and Samsung Knox 3.0 and later, configure settings for Samsung Knox and Samsung SAFE on the Android Enterprise page. For devices running earlier versions of Android or Samsung Knox, use the Samsung Knox and Samsung SAFE pages.

Samsung restrictions don’t apply to devices enrolled in the work profile on corporate-owned devices mode. Use the Knox Service Plugin (KSP) to apply Samsung restrictions to these devices. For more information, see the Samsung documentation.

We recommend that you use Samsung Knox 3.4 or higher for the latest Samsung Knox management features.

  • Apply to fully managed devices with a work profile/Work profile on corporate-owned devices: Allows restrictions policy settings to be configured for fully managed devices with work profiles. When this setting is On, select one of these settings:
    • Work profile: The restrictions settings you configure apply only to the work profile on the device.
    • Manage device: The restrictions settings you configure apply only to the device.

    When this setting is Off, the credentials settings you configure apply to the device, except for settings that explicitly apply to the work profile. Default is Off.

When Apply to fully managed devices with a work profile/Work profile on corporate-owned devices is off, configure these settings:

  • Security

    • Allow account management: Allows accounts to be added in work profile and managed devices. Default is Off.
    • Allow cross profile copy and paste: If On, users can copy and paste between apps in the Android Enterprise profile and apps in the personal area. Default is Off.
    • Allow screen capture: Allows users to record or take a screen capture of the device screen. Default is Off.
    • Allow use of camera: Allows users to take pictures and make videos with the device camera. Default is Off.
    • Allow VPN configuration: Allows users to create VPN configurations. For work profile devices running Android 6 and later and for fully managed devices. Default is On.
    • Allow backup service: Allows users to back up application and system data on their devices. Default is On.
    • Allow NFC: Allow users to send webpages, photos, videos, or other content from their devices to another device using Near Field Communication (NFC). For MDM 4.0 and later. Default is On.
    • Allow configuring location provider: Allows users to turn on GPS on their devices. For Android API 28 and later. Default is On.
    • Allow location sharing: For managed profiles, the device owner can override this setting. Default is Off.

      Tip:

      You can create Location device policies in XenMobile to enforce geographic boundaries. See Location device policy.

    • Allow user to configure user credentials: Specify whether users can configure credentials in the managed keystore. Default is On.
    • Allow printing: If On, the setting allows users to print to any printer accessible from the user device. The default is Off. Available for: Android 9 and later.
    • Allow USB debugging: Default is Off.
  • Apps

    • Enable system apps: Allows users to run pre-installed device apps. Default is Off. To enable specific apps, click Add in the System apps list table.
      • System apps list: A list of the system apps you want to enable on the device. Set Enable system apps to On and add the app package name. To look up the package name for a system app, you can use the Android Debug Bridge (adb) to call the Android package manager (pm) command. For example, adb shell "pm list packages -f name", where “name” is part of the package name. For more information, see https://developer.android.com/studio/command-line/adb. For Android Enterprise devices, you can restrict app permissions using the Android Enterprise app permissions policy.
    • Disable applications: Blocks a specified list of apps from running on devices. Default is Off. To disable an installed app, change the setting to On and then click Add in the Application list table.
      • Application list: A list of the apps you want to block. Set Disable applications to On and add the app. Type the app package name. Changing and deploying an app list overwrites the prior app list. For example: If you disable com.example1 and com.example2, and then later change the list to com.example1 and com.example3, XenMobile enables com.example2.
    • Enable app verification: Enables the OS to scan apps to detect malicious behavior. Default is On.
    • Enable Google apps: Allows users to download apps from Google Mobile Services onto the device. Default is On.
    • Allow non-Google Play apps: Allows the installation of apps from stores other than Google Play. Default is Off.
    • Allow user control of application settings: Allows users to uninstall apps, disable apps, clear cache and data, force stop any app, and clear defaults. Users perform these actions from the Settings app. Default is Off.
    • Allow app uninstall: Allows users to uninstall apps from within the Managed Google Play Store. Default is Off. To show this setting, enable the server property afw.restriction.policy.v2. For more information about server properties, see Server properties.
  • BYOD work profile

    • Allow work profile app widgets on home screen: If this setting is On, users can place work profile app widgets on the device home screen. If this setting is Off, users cannot place work profile app widgets on the device home screen. Default is Off.
      • Apps with allowed widgets: A list of the apps you want to allow on the home screen. Set Allow work profile app widgets on home screen to On and add the app. Click Add and select an app whose widgets you want to allow on the home screen from the list. Click Save. Repeat that process to allow more app widgets.
    • Allow work profile contacts in device contacts: Shows contacts from the managed Android Enterprise profile in the parent profile, for incoming calls (Android 7.0 and later). Default is Off.
  • Fully managed device only

    • Allow adding users: Allows users to add new users on a device. Default is On.
    • Allow data roaming: Allows users to use cellular data while roaming. The default is Off, which disables roaming on users’ devices.
    • Allow SMS: Allows users to send and receive SMS messages. Default is Off.
    • Allow use of the status bar: If On, this setting enables the status bar on managed devices and dedicated devices (also known as COSU devices). This setting disables notifications, quick settings, and other screen overlays that allow escape from full-screen mode. Users can go to system settings and see notifications. For Android 6.0 and later. Default is Off.
    • Allow Bluetooth: Allows users to use Bluetooth. Default is On.
      • Allow Bluetooth sharing: If unselected, users can’t establish outgoing Bluetooth sharing on their device. The default is selected. To show this setting, enable the server property afw.restriction.policy.v2. For more information about server properties, see Server properties.
    • Allow configuring date and time: Allows users to change the date and time on their devices. Default is On.
    • Allow factory reset: Allows users to do a factory reset on their devices. Default is On.
    • Keep the device screen on: If this setting is set to On, the device screen remains on when the device is plugged in. Default is Off.
    • Allow USB mass storage: Allows transfer of large data files between users’ devices and a computer over a USB connection. Default is On.
    • Allow microphone: Allows users to use the microphone on their devices. Default is On.
    • Allow tethering: Allows users to configure portable hotspots and tether data. Default is Off.
    • Keep the keyguard from locking the device: If On, this setting disables the keyguard on the lock screen on managed devices and dedicated devices (also known as COSU devices). Default is Off.
    • Allow Wi-Fi changes: If On, users can turn Wi-Fi on or off and connect to Wi-Fi networks. Default is On.
    • Allow file transfer: Allows file transfers over USB. Default is Off.
  • Samsung

    • Enable TIMA Keystore: The TIMA Keystore provides TrustZone-based secure key storage for the symmetric keys. RSA key pairs and certificates are routed to the default key store provider for storage. Default is Off.
    • Allow share list: Allows users to share content between apps in the Share Via list. Default is On.
    • Enable audit log: Enables creation of event audit logs for forensic analysis of a device. Default is Off.
  • Samsung: Fully managed device only

    • Enable ODE Trusted Boot verification: Use ODE trusted boot verification to establish a chain of trust from the bootloader to the system image. Default is On.
    • Allow emergency calls only: Allows users to enable Emergency Call Only mode on their devices. Default is Off.
    • Allow firmware recovery: Allows users to recover the firmware on their devices. Default is On.
    • Allow fast encryption: Allows encryption of only used memory space. This encryption contrasts with full disk encryption, which encrypts all data. That data includes settings, application data, downloaded files and applications, media, and other files. Default is On.
    • Enable Common Criteria mode: Places device into Common Criteria Mode. The Common Criteria configuration enforces stringent security processes. Default is On.
    • Enable reboot banner: Displays a DoD approved system use notification message or banner when users’ devices are restarted. Default is Off.
    • Allow settings changes: Allows users to change settings on their fully managed devices. Default is On.
    • Enable background data usage: Allows apps to sync data in the background. For fully managed devices. Default is On.
    • Allow clipboard: Allow users to copy data to the clipboard on their devices.
      • Allow clipboard share: Allow users to share clipboard content between their devices and a computer (MDM 4.0 and later).
    • Allow home key: Allows users to use the Home key on their fully managed devices. Default is On.
    • Allow mock location: Allows users to fake their GPS location. For fully managed devices. Default is Off.
    • NFC: Allows users to use NFC on their fully managed devices (MDM 3.0 and later). Default is On.
    • Allow power off: Allows users to power off their fully managed devices (MDM 3.0 and later). Default is On.
    • Allow Wi-Fi direct: Allows users to connect directly to another device through their Wi-Fi connection. Default is On. If On, you must enable the Allow Wi-Fi changes setting.
    • Allow SD card: Allows users to use an SD card, if available, with their devices. Default is On.
    • Allow USB host storage: Allows users’ devices to act as the USB host when a USB device connects to their devices. Users’ devices then supply power to the USB device. Default is On.
    • Allow voice dialer: Allows users to use the voice dialer on their devices (MDM 4.0 and later). Default is On.
    • Allow S beam: Allows users to share content with others using NFC and Wi-Fi Direct (MDM 4.0 and later). Default is On.
    • Allow S voice: Allows users to use the intelligent personal assistant and knowledge navigator on their devices (MDM 4.0 and later). Default is On.
    • Allow USB tethering: Allows users to share a mobile data connection with another device using their USB connection. The default is Off. If On, the Allow tethering setting must be On as well.
    • Allow Bluetooth tethering: Allows users to share a mobile data connection with another device using their Bluetooth connection. The default is Off. If On, the Allow tethering setting must be On as well.
      • Allow Bluetooth sharing: If unselected, users can’t establish outgoing Bluetooth sharing on their device. The default is selected. To show this setting, enable the server property afw.restriction.policy.v2. For more information about server properties, see Server properties.
    • Allow Wi-Fi tethering: Allows users to share a mobile data connection with another device using their Wi-Fi connection. The default is Off. If On, the Allow tethering setting must be On as well.
    • Allow incoming MMS: Allows users to receive MMS messages. Default is Off. If On, you must turn on the Allow SMS setting.
    • Allow outgoing MMS: Allows users to send MMS messages. Default is Off. If On, you must turn on the Allow SMS setting.
    • Allow incoming SMS: Allows users to receive SMS messages. Default is Off. If On, you must turn on the Allow SMS setting.
    • Allow outgoing SMS: Allows users to send SMS messages. Default is Off. If On, you must turn on the Allow SMS setting.
    • Configure mobile networks: Allows users to use their cellular data connection. Default is Off.
    • Limit by day (MB): Enter the number of MB of mobile data users can use each day. The default is 0, which disables this feature (MDM 4.0 and later).
    • Limit by week (MB): Enter the number of MB of mobile data users can use each week. The default is 0, which disables this feature (MDM 4.0 and later).
    • Limit by month (MB): Enter the number of MB of mobile data users can use each month. The default is 0, which disables this feature (MDM 4.0 and later).
    • Allow only secure VPN connections: Allows users to only use secure connections (MDM 4.0 and later). Default is On.
    • Allow audio recording: Allows users to record audio with their devices (MDM 4.0 and later). Default is On. If On, you must turn on the Allow microphone setting.
    • Allow video recording: Allows users to record video with their devices (MDM 4.0 and later). Default is Off. If On, you must turn on the Allow use of camera setting.
    • Allow push messages when roaming: Allow users to use cellular data for pushing. Default is Off. If On, you must enable the Allow data roaming setting.
    • Allow automatic synchronization when roaming: Allow users to use cellular data for syncing. Default is Off. If On, you must enable the Allow data roaming setting.
    • Allow voice calls when roaming: Allow users to use cellular data for voice calls. Default is Off. If On, you must enable the Allow data roaming setting.
  • Samsung: Knox container/Fully managed device

    • Enable revocation check: Enables checking for revoked certificates. Default is Off.
  • Samsung: Knox container only

    • Move apps to container: Allows users to move apps between the Knox container and the personal area on their devices. Default is On.
    • Enforce multi-factor authentication: Users must use a fingerprint and one other authentication method, such as password or PIN, to open their devices. Default is On.
    • Enforce authentication for container: Use a different authentication method from the method used to unlock the device to open the Knox container. Default is On.
    • Enable secure keypad: Forces users to use a secure keyboard inside the Knox container. Default is On.
  • Samsung: DeX

    • Enable Samsung DeX: Enables supported Knox-enabled devices to run in Samsung DeX mode. Requires Samsung Knox 3.1 (minimum version). Default is On. For information about Samsung DeX device requirements and setting up Samsung DeX, see the Samsung Developers documentation.
      • Allow Ethernet in DeX mode only: Enables use of Ethernet in Samsung DeX mode. Cellular data, Wi-Fi, and tethering (Wi-Fi, Bluetooth, and USB) are restricted in DeX mode. Default is unselected.
      • Upload DeX logo image: Select this setting to specify a .png image to use as an icon for Samsung DeX.
      • DeX screen timeout (seconds): Specifies the amount of idle time, in seconds, after which the DeX screen turns off. To disable the timeout, type 0. Default is 1200 seconds (20 minutes).
      • Add app shortcut in Samsung DeX: Specify an app package name to add a shortcut for the app to DeX. To look up an app package name, go to Google Play and select the app. The URL includes the package name: https://play.google.com/store/apps/details?id=
      • Remove app shortcut in Samsung DeX: Specify an app package name to remove a shortcut from DeX. Go to Google Play to look up app package names.
      • App packages to disable in Samsung DeX: Specify a comma-separated list of the app packages that you want to block from Samsung DeX mode. For example: "com.android.chrome", "com.google.android.gm"
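
Several settings in the list above only take effect when a parent setting is also On (for example, USB tethering requires tethering, and audio recording requires the microphone), so turning a parent Off to harden a policy can leave a dependent setting On by default. The following added example, which is not part of the Citrix documentation or product, checks a planned configuration against the dependencies and defaults documented above; the dictionary format and the function names are assumptions made for illustration.

```python
# Added example (not Citrix code). Setting labels and defaults are the ones
# documented on this page; the dict-of-labels format is an assumption, since
# XenMobile itself is configured through the console.

# Documented defaults for the settings involved (True = On, False = Off).
DEFAULTS = {
    # Parent settings
    "Allow tethering": False,
    "Allow SMS": False,
    "Allow data roaming": False,
    "Allow microphone": True,
    "Allow use of camera": False,
    "Allow Wi-Fi changes": True,
    # Dependent settings
    "Allow Wi-Fi direct": True,
    "Allow USB tethering": False,
    "Allow Bluetooth tethering": False,
    "Allow Wi-Fi tethering": False,
    "Allow incoming MMS": False,
    "Allow outgoing MMS": False,
    "Allow incoming SMS": False,
    "Allow outgoing SMS": False,
    "Allow audio recording": True,
    "Allow video recording": False,
    "Allow push messages when roaming": False,
    "Allow automatic synchronization when roaming": False,
    "Allow voice calls when roaming": False,
}

# Dependent setting -> parent setting that must also be On.
REQUIRES = {
    "Allow Wi-Fi direct": "Allow Wi-Fi changes",
    "Allow USB tethering": "Allow tethering",
    "Allow Bluetooth tethering": "Allow tethering",
    "Allow Wi-Fi tethering": "Allow tethering",
    "Allow incoming MMS": "Allow SMS",
    "Allow outgoing MMS": "Allow SMS",
    "Allow incoming SMS": "Allow SMS",
    "Allow outgoing SMS": "Allow SMS",
    "Allow audio recording": "Allow microphone",
    "Allow video recording": "Allow use of camera",
    "Allow push messages when roaming": "Allow data roaming",
    "Allow automatic synchronization when roaming": "Allow data roaming",
    "Allow voice calls when roaming": "Allow data roaming",
}


def effective(overrides):
    """Merge the admin's explicit choices over the documented defaults."""
    unknown = sorted(set(overrides) - set(DEFAULTS))
    if unknown:
        raise KeyError("settings not covered by this check: " + ", ".join(unknown))
    merged = dict(DEFAULTS)
    merged.update(overrides)
    return merged


def violations(overrides):
    """Return (dependent, parent, source) for each dependent setting that is
    On while its parent is Off. source is "explicit" when the admin set the
    dependent, or "default" when it was left at its documented default."""
    cfg = effective(overrides)
    found = []
    for child, parent in sorted(REQUIRES.items()):
        if cfg[child] and not cfg[parent]:
            source = "explicit" if child in overrides else "default"
            found.append((child, parent, source))
    return found


def resolve_restrictive(overrides):
    """Return a copy of overrides in which every violating dependent is turned
    Off. Dependencies on this page are one level deep (no parent is itself a
    dependent), so a single pass is enough."""
    fixed = dict(overrides)
    for child, _parent, _source in violations(overrides):
        fixed[child] = False
    return fixed


if __name__ == "__main__":
    # Constructed plan: harden by disabling the microphone and Wi-Fi changes.
    plan = {"Allow microphone": False, "Allow Wi-Fi changes": False}
    for child, parent, source in violations(plan):
        print(f"{child} is On ({source}) but {parent} is Off")
    print(resolve_restrictive(plan))
```

The "default" source is the case worth watching: a dependent setting that nobody touched still shows as On in the policy after its parent has been turned Off.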

When Apply to fully managed devices with a work profile is on and For fully managed devices with a work profile, apply the policy to is set to Work profile, configure these settings:

  • Security

    • Allow account management: Allows accounts to be added in work profile and managed devices. Default is Off.
    • Allow cross profile copy and paste: If On, users can copy and paste between apps in the Android Enterprise profile and apps in the personal area. Default is Off.
    • Allow screen capture: Allows users to record or take a screen capture of the device screen. Default is Off.
    • Allow use of camera: Allows users to take pictures and make videos with the device camera. Default is Off.
    • Allow configuring location provider: Allows users to turn on GPS on their devices. For Android API 28 and later. Default is On.
    • Allow location sharing: For managed profiles, the device owner can override this setting. Default is Off.

      Tip:

      You can create Location device policies in XenMobile to enforce geographic boundaries. See Location device policy.

    • Allow user to configure user credentials: Specify whether users can configure credentials in the managed keystore. Default is On.
    • Allow printing: If On, the setting allows users to print to any printer accessible from the user device. The default is Off. Available for: Android 9 and later.
  • Apps

    • Enable system apps: Allows users to run pre-installed device apps. Default is Off. To enable specific apps, click Add in the System apps list table.
      • System apps list: A list of the system apps you want to enable on the device. Set Enable system apps to On and add the app package name. To look up the package name for a system app, you can use the Android Debug Bridge (adb) to call the Android package manager (pm) command. For example, adb shell "pm list packages -f name", where “name” is part of the package name. For more information, see https://developer.android.com/studio/command-line/adb. For Android Enterprise devices, you can restrict app permissions using the Android Enterprise app permissions policy.
    • Disable applications: Blocks a specified list of apps from running on devices. Default is Off. To disable an installed app, change the setting to On and then click Add in the Application list table.
      • Application list: A list of the apps you want to block. Set Disable applications to On and add the app. Type the app package name. Changing and deploying an app list overwrites the prior app list. For example: If you disable com.example1 and com.example2, and then later change the list to com.example1 and com.example3, XenMobile enables com.example2.
    • Enable app verification: Enables the OS to scan apps to detect malicious behavior. Default is On.
    • Enable Google apps: Allows users to download apps from Google Mobile Services onto the device. Default is On.
    • Allow non-Google Play apps: Allows the installation of apps from stores other than Google Play. Default is Off.
    • Allow user control of application settings: Allows users to uninstall apps, disable apps, clear cache and data, force stop any app, and clear defaults. Users perform these actions from the Settings app. Default is Off.
    • Allow app uninstall: Allows users to uninstall apps from within the Managed Google Play Store. Default is Off. To show this setting, enable the server property afw.restriction.policy.v2. For more information about server properties, see Server properties.
  • BYOD work profile

    • Allow work profile app widgets on home screen: If this setting is On, users can place work profile app widgets on the device home screen. If this setting is Off, users cannot place work profile app widgets on the device home screen. Default is Off.
      • Apps with allowed widgets: A list of the apps you want to allow on the home screen. Set Allow work profile app widgets on home screen to On and add the app. Click Add and select an app whose widgets you want to allow on the home screen from the list. Click Save. Repeat that process to allow more app widgets.
    • Allow work profile contacts in device contacts: Shows contacts from the managed Android Enterprise profile in the parent profile, for incoming calls (Android 7.0 and later). Default is Off.
  • Samsung

    • Enable TIMA Keystore: The TIMA Keystore provides TrustZone-based secure key storage for the symmetric keys. RSA key pairs and certificates are routed to the default key store provider for storage. Default is Off.
    • Allow share list: Allows users to share content between apps in the Share Via list. Default is On.
    • Enable audit log: Enables creation of event audit logs for forensic analysis of a device. Default is Off.
  • Samsung: Knox container/Fully managed device

    • Enable revocation check: Enables checking for revoked certificates. Default is Off.
  • Samsung: Knox container only

    • Move apps to container: Allows users to move apps between the Knox container and the personal area on their devices. Default is On.
    • Enforce multi-factor authentication: Users must use a fingerprint and one other authentication method, such as password or PIN, to open their devices. Default is On.
    • Enforce authentication for container: Use a different authentication method from the method used to unlock the device to open the Knox container. Default is On.
    • Enable secure keypad: Forces users to use a secure keyboard inside the Knox container. Default is On.

When Apply to fully managed devices with a work profile is on and For fully managed devices with a work profile, apply the policy to is set to Managed device, configure these settings:

  • Security

    • Allow account management: Allows accounts to be added in work profile and managed devices. Default is Off.
    • Allow cross profile copy and paste: If On, users can copy and paste between apps in the Android Enterprise profile and apps in the personal area. Default is Off.
    • Allow screen capture: Allows users to record or take a screen capture of the device screen. Default is Off.
    • Allow use of camera: Allows users to take pictures and make videos with the device camera. Default is Off.
    • Allow VPN configuration: Allows users to create VPN configurations. For work profile devices running Android 6 and later and for fully managed devices. Default is On.
    • Allow backup service: Allows users to back up application and system data on their devices. Default is On.
    • Allow NFC: Allow users to send webpages, photos, videos, or other content from their devices to another device using Near Field Communication (NFC). For MDM 4.0 and later. Default is On.
    • Allow configuring location provider: Allows users to turn on GPS on their devices. For Android API 28 and later. Default is On.
    • Allow location sharing: For managed profiles, the device owner can override this setting. Default is Off.

      Tip:

      You can create Location device policies in XenMobile to enforce geographic boundaries. See Location device policy.

    • Allow user to configure user credentials: Specify whether users can configure credentials in the managed keystore. Default is On.
    • Allow printing: If On, the setting allows users to print to any printer accessible from the user device. The default is Off. Available for: Android 9 and later.
    • Allow USB debugging: Default is Off.
  • Apps

    • Enable system apps: Allows users to run pre-installed device apps. Default is Off. To enable specific apps, click Add in the System apps list table.
      • System apps list: A list of the system apps you want to enable on the device. Set Enable system apps to On and add the app package name. To look up the package name for a system app, you can use the Android Debug Bridge (adb) to call the Android package manager (pm) command. For example, adb shell "pm list packages -f name", where “name” is part of the package name. For more information, see https://developer.android.com/studio/command-line/adb. For Android Enterprise devices, you can restrict app permissions using the Android Enterprise app permissions policy.
    • Disable applications: Blocks a specified list of apps from running on devices. Default is Off. To disable an installed app, change the setting to On and then click Add in the Application list table.
      • Application list: A list of the apps you want to block. Set Disable applications to On and add the app. Type the app package name. Changing and deploying an app list overwrites the prior app list. For example: If you disable com.example1 and com.example2, and then later change the list to com.example1 and com.example3, XenMobile enables com.example2.
    • Enable app verification: Enables the OS to scan apps to detect malicious behavior. Default is On.
    • Enable Google apps: Allows users to download apps from Google Mobile Services onto the device. Default is On.
    • Allow non-Google Play apps: Allows the installation of apps from stores other than Google Play. Default is Off.
    • Allow user control of application settings: Allows users to uninstall apps, disable apps, clear cache and data, force stop any app, and clear defaults. Users perform these actions from the Settings app. Default is Off.
    • Allow app uninstall: Allows users to uninstall apps from within the Managed Google Play Store. Default is Off. To show this setting, enable the server property afw.restriction.policy.v2. For more information about server properties, see Server properties.
  • Fully managed device only

    • Allow adding users: Allows users to add new users on a device. Default is On.
    • Allow data roaming: Allows users to use cellular data while roaming. The default is Off, which disables roaming on users’ devices.
    • Allow SMS: Allows users to send and receive SMS messages. Default is Off.
    • Allow use of the status bar: If On, this setting enables the status bar on managed devices and dedicated devices (also known as COSU devices). This setting disables notifications, quick settings, and other screen overlays that allow escape from full-screen mode. Users can go to system settings and see notifications. For Android 6.0 and later. Default is Off.
    • Allow Bluetooth: Allows users to use Bluetooth. Default is On.
      • Allow Bluetooth sharing: If unselected, users can’t establish outgoing Bluetooth sharing on their device. The default is selected. To show this setting, enable the server property afw.restriction.policy.v2. For more information about server properties, see Server properties.
    • Allow configuring date and time: Allows users to change the date and time on their devices. Default is On.
    • Allow factory reset: Allows users to do a factory reset on their devices. Default is On.
    • Keep the device screen on: If this setting is set to On, the device screen remains on when the device is plugged in. Default is Off.
    • Allow USB mass storage: Allows transfer of large data files between users’ devices and a computer over a USB connection. Default is On.
    • Allow microphone: Allows users to use the microphone on their devices. Default is On.
    • Allow tethering: Allows users to configure portable hotspots and tether data. Default is Off. When this setting is on, these settings are available for Samsung devices:
    • Keep the keyguard from locking the device: If On, this setting disables the keyguard on the lock screen on managed devices and dedicated devices (also known as COSU devices). Default is Off.
    • Allow Wi-Fi changes: If On, users can turn Wi-Fi on or off and connect to Wi-Fi networks. Default is On.
    • Allow file transfer: Allows file transfers over USB. Default is Off.
  • Samsung

    • Enable TIMA Keystore: The TIMA Keystore provides TrustZone-based secure key storage for the symmetric keys. RSA key pairs and certificates are routed to the default key store provider for storage. Default is Off.
    • Allow share list: Allows users to share content between apps in the Share Via list. Default is On.
    • Enable audit log: Enables creation of event audit logs for forensic analysis of a device. Default is Off.
  • Samsung: Fully managed device only

    • Enable ODE Trusted Boot verification: Use ODE trusted boot verification to establish a chain of trust from the bootloader to the system image. Default is On.
    • Allow emergency calls only: Allows users to enable Emergency Call Only mode on their devices. Default is Off.
    • Allow firmware recovery: Allows users to recover the firmware on their devices. Default is On.
    • Allow fast encryption: Allows encryption of only used memory space. This encryption contrasts with full disk encryption, which encrypts all data. That data includes settings, application data, downloaded files and applications, media, and other files. Default is On.
    • Enable Common Criteria mode: Places device into Common Criteria Mode. The Common Criteria configuration enforces stringent security processes. Default is On.
    • Enable reboot banner: Displays a DoD approved system use notification message or banner when users’ devices are restarted. Default is Off.
    • Allow settings changes: Allows users to change settings on their fully managed devices. Default is On.
    • Enable background data usage: Allows apps to sync data in the background. For fully managed devices. Default is On.
    • Allow clipboard: Allow users to copy data to the clipboard on their devices. Default is On.
      • Allow clipboard share: Allow users to share clipboard content between their devices and a computer (MDM 4.0 and later).
    • Allow home key: Allows users to use the Home key on their fully managed devices. Default is On.
    • Allow mock location: Allows users to fake their GPS location. For fully managed devices. Default is Off.
    • NFC: Allows users to use NFC on their fully managed devices (MDM 3.0 and later). Default is On.
    • Allow power off: Allows users to power off their fully managed devices (MDM 3.0 and later). Default is On.
    • Allow Wi-Fi direct: Allows users to connect directly to another device through their Wi-Fi connection. Default is On. If On, you must enable the Allow Wi-Fi changes setting.
    • Allow SD card: Allows users to use an SD card, if available, with their devices. Default is On.
    • Allow USB host storage: Allows users’ devices to act as the USB host when a USB device connects to their devices. Users’ devices then supply power to the USB device. Default is On.
    • Allow voice dialer: Allows users to use the voice dialer on their devices (MDM 4.0 and later). Default is On.
    • Allow S beam: Allows users to share content with others using NFC and Wi-Fi Direct (MDM 4.0 and later). Default is On.
    • Allow S voice: Allows users to use the intelligent personal assistant and knowledge navigator on their devices (MDM 4.0 and later). Default is On.
    • Allow USB tethering: Allows users to share a mobile data connection with another device using their USB connection. The default is Off. If On, the Allow tethering setting must be On as well.
    • Allow Bluetooth tethering: Allows users to share a mobile data connection with another device using their Bluetooth connection. The default is Off. If On, the Allow tethering setting must be On as well.
    • Allow Wi-Fi tethering: Allows users to share a mobile data connection with another device using their Wi-Fi connection. The default is Off. If On, the Allow tethering setting must be On as well.
    • Allow incoming MMS: Allows users to receive MMS messages. Default is Off. If On, you must turn on the Allow SMS setting.
    • Allow outgoing MMS: Allows users to send MMS messages. Default is Off. If On, you must turn on the Allow SMS setting.
    • Allow incoming SMS: Allows users to receive SMS messages. Default is Off. If On, you must turn on the Allow SMS setting.
    • Allow outgoing SMS: Allows users to send SMS messages. Default is Off. If On, you must turn on the Allow SMS setting.
    • Configure mobile networks: Allows users to use their cellular data connection. Default is Off.
    • Limit by day (MB): Enter the number of MB of mobile data users can use each day. The default is 0, which disables this feature (MDM 4.0 and later).
    • Limit by week (MB): Enter the number of MB of mobile data users can use each week. The default is 0, which disables this feature (MDM 4.0 and later).
    • Limit by month (MB): Enter the number of MB of mobile data users can use each month. The default is 0, which disables this feature (MDM 4.0 and later).
    • Allow only secure VPN connections: Allows users to only use secure connections (MDM 4.0 and later). Default is On.
    • Allow audio recording: Allows users to record audio with their devices (MDM 4.0 and later). Default is On. If On, you must turn on the Allow microphone setting.
    • 允许video recording:允许s users to record video with their devices (MDM 4.0 and later). Default isOff.IfOnyou must turn on the允许use of camerasetting.
    • 允许push messages when roaming:允许users to use cellular data for pushing. Default isOff.IfOn, you must enable the允许data roamingsetting.
    • 允许自动synchronization when roaming:允许users to use cellular data for syncing. Default isOff.IfOn, you must enable the允许data roamingsetting.
    • 允许voice calls when roaming:允许users to use cellular data for voice calls. Default isOff.IfOn, you must enable the允许data roamingsetting.
  • Samsung: Knox container/Fully managed device

    • Enable revocation check: Enables checking for revoked certificates. Default is Off.
  • Samsung: Knox container only

    • Move apps to container: Allows users to move apps between the Knox container and the personal area on their devices. Default is On.
    • Enforce multi-factor authentication: Users must use a fingerprint and one other authentication method, such as password or PIN, to open their devices. Default is On.
    • Enforce authentication for container: Use a different authentication method from the method used to unlock the device to open the KNOX container. Default is On.
    • Enable secure keypad: Forces users to use a secure keyboard inside the Knox container. Default is On.
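
Several Samsung settings above take effect only when a parent setting is also On (tethering, SMS/MMS, recording, roaming, Wi-Fi direct). The following added example, which is not part of the XenMobile documentation or product, checks a planned policy against those rules; the name-to-boolean dictionary is an assumed representation, not a XenMobile export format.

```python
# Added example. Rules and defaults are transcribed from the Samsung settings
# list above; the {name: bool} input is an assumption, not a XenMobile export.
# child setting -> (parent that must also be On, child's documented default)
RULES = {
    "Allow Wi-Fi direct": ("Allow Wi-Fi changes", True),
    "Allow USB tethering": ("Allow tethering", False),
    "Allow Bluetooth tethering": ("Allow tethering", False),
    "Allow Wi-Fi tethering": ("Allow tethering", False),
    "Allow incoming MMS": ("Allow SMS", False),
    "Allow outgoing MMS": ("Allow SMS", False),
    "Allow incoming SMS": ("Allow SMS", False),
    "Allow outgoing SMS": ("Allow SMS", False),
    "Allow audio recording": ("Allow microphone", True),
    "Allow video recording": ("Allow use of camera", False),
    "Allow push messages when roaming": ("Allow data roaming", False),
    "Allow automatic synchronization when roaming": ("Allow data roaming", False),
    "Allow voice calls when roaming": ("Allow data roaming", False),
}


def check_dependencies(settings):
    """Check a {setting name: True/False} mapping against RULES.

    Returns (violations, unverified), each a list of (child, parent) pairs:
      violations - child is On while its parent is explicitly Off
      unverified - child is On but the parent is absent from the mapping
    A child absent from the mapping takes its documented default.
    """
    violations, unverified = [], []
    for child, (parent, default_on) in RULES.items():
        if not settings.get(child, default_on):
            continue  # child is Off, nothing to enforce
        if parent not in settings:
            unverified.append((child, parent))
        elif not settings[parent]:
            violations.append((child, parent))
    return violations, unverified


# Constructed sample policy (True = On, False = Off).
SAMPLE_POLICY = {
    "Allow tethering": False, "Allow USB tethering": True,
    "Allow SMS": True, "Allow incoming SMS": True,
    "Allow Wi-Fi changes": True, "Allow video recording": True,
}

if __name__ == "__main__":
    bad, unknown = check_dependencies(SAMPLE_POLICY)
    for child, parent in bad:
        print(f"CONFLICT: '{child}' is On but '{parent}' is Off")
    for child, parent in unknown:
        print(f"UNVERIFIED: '{child}' is On, '{parent}' not specified")
```

Settings reported as unverified are On by choice or by default while the parent's state was never supplied, so confirm the parent in the console before deploying.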

Samsung KNOX settings

Image of Device Policies configuration screen

These options are available only under Samsung KNOX Premium (KNOX 2.0).

  • Allow Use of Camera: Allow users to use the camera on their devices.
  • Allow Revocation Check: Enable checking for revoked certificates.
  • Move Apps To Container: Allow users to move apps between the KNOX container and the personal area on their devices.
  • Enforce Multifactor Authentication: Users must use a fingerprint and one other authentication method, such as password or PIN, to open their devices.
  • Enable TIMA Key store: The TIMA KeyStore provides TrustZone-based secure key storage for the symmetric keys. RSA key pairs and certificates are routed to the default key store provider for storage.
  • Enforce Auth For Container: Use separate, and different, authentication to open the KNOX container from that used to unlock the device.
  • Share List: Allow users to share content between apps in the Share Via list.
  • Enable Audit Log: Enable creation of activity audit logs for forensic analysis of a device.
  • Use Secure Keypad: Force users to use a secure keyboard inside the KNOX container.
  • Enable Google Apps: Allow users to download apps from Google Mobile Services into the KNOX container.
  • Authentication Smart Card Browser: Enable browser authentication on devices equipped with a smart card reader.

Windows Desktop/Tablet settings

Image of Device Policies configuration screen

  • WiFi Settings
    • Allow Internet sharing: Allow a device to share its internet connection with other devices by turning it into a WiFi hotspot.
  • Connectivity
    • Allow VPN over cellular: Allow the device to connect over VPN to a cellular network.
    • Allow VPN over cellular while roaming: Allow the device to connect over VPN when the device roams over cellular networks.
    • Allow cellular data roaming: Allow users to use cellular data while roaming.
  • Accounts
    • Allow Microsoft account connection: Allow the device to use a Microsoft account for non-email related connection authentication and services.
    • Allow non-Microsoft email: Allow users to add non-Microsoft email accounts.
  • System
    • Allow storage card: Allow the device to use a storage card.
    • Telemetry: In the list, click an option to allow or restrict the device from sending telemetry information. The default is Allowed. Other options are Not allowed and Allowed, except for secondary data request.
    • Allow location services: Allow location services.
    • Allow preview of internal builds: Allow users to preview Microsoft internal builds.
  • Camera:
    • Allow use of camera: Allow users to use their device camera.
  • Bluetooth:
    • Allow discoverable mode: Allow Bluetooth devices to find the local device.
    • Local device name: A name for the local device.
  • Experience:
    • Allow Cortana: Allow users access to Cortana, the intelligent personal assistant and knowledge navigator.
    • Allow device discovery: Allow network discovery of the device.
    • Allow manual MDM unenrollment: Allow users to manually unenroll their device from XenMobile MDM.
    • Allow sync of device settings: Allow users to sync settings between Windows 10 and Windows 11 devices when roaming.
  • Above Lock:
    • Allow toasts: Allow toast notifications on the lock screen.
  • Apps
    • Allow appstore auto update: Allow apps from the app store to automatically update.
  • Privacy:
    • Allow input personalization: Allows the input personalization service to run, to improve predictive inputs such as pen and touch keyboard, based on what a user types.
  • Settings:
    • Allow auto play: Allows users to change Auto Play settings.
    • Allow data sense: Allows users to change Data Sense settings.
    • Allow date time: Allows users to change date and time settings.
    • Allow language: Allows users to change language settings.
    • Allow power sleep: Allows users to change power and sleep settings.
    • Allow region: Allows users to change region settings.
    • Allow sign-in options: Allows users to change sign-in settings.
    • Allow workplace: Allows users to change workplace settings.
    • Allow your account: Allows users to change account settings.