Enterprise Policy

On Android devices with a managed work profile (enterprise managed portion of the device), the DevicePolicyManager.setPermittedCrossProfileNotificationListeners method can be used to manage the list of applications (including setting it to an empty list) running within the primary user (personal side of the device) that can see notifications occurring within the managed profile. However, this policy only affects notifications generated within the managed profile, not by the rest of the device. The DevicePolicyManager.setApplicationHidden method can be used to disable unwanted applications that are accessing notifications, but using this method would block that entire application from running.^[1]

On iOS, the allowEnterpriseAppTrust and allowEnterpriseAppTrustModification configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys.

Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development).

When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.^[2]

An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features.

An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features.

Enterprises can provision policies to mobile devices to require a minimum complexity (length, etc.) for the device passcode. Enterprises can provision policies to mobile devices to cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. If desired, enterprises can provision policies to mobile devices to disallow biometric authentication. However, biometric authentication can help make "using a longer, more complex passcode far more practical because you don't need to enter it as frequently."^[3]

Enterprise policies could be provisioned to devices to control the Wi-Fi access points that they are allowed to connect to.

Enterprise policies should block access to the Android Debug Bridge (ADB) by preventing users from enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features.