How to create a policy from scratch?
Please note that it is possible to create a policy even if no users have been created beforehand, but you won’t be able to apply it to any device. We recommend creating users first (see how to add users one by one or import a list of users from a CSV file).
The Policies tab is one of the most important in the software. This is where you configure the applications, files and contacts to be pushed to devices, and where you configure or restrict access to different settings on devices. To create a new policy, go to the Policies tab and click on Create a policy:
1. Users in policy
The first step is to add users to the policy by ticking the box next to their name (or next to the group if several users belong to the same group). To manage groups, click on the icon showing a group of users to the right of the group name: a popup will appear so you can change group names if needed.
2. Device policy
In this section, you can:
- Set the password type (letter/numeric/special character password, pattern, PIN…), its minimum size and its timeout delay to force end users to update it regularly. You can also set the number of times before an old password can be reused and set a maximum number of incorrect password entries before resetting the device. More info about security settings here.
- Disable fingerprint and face recognition authentication
In a Work Profile setup: you will be able to enforce a security password to access the secure folder containing all business apps and data. Whenever the employee needs to access the Work Profile’s content, he will be prompted to enter a password compliant with the policy.
3. Apps management
Here you will find all the features related to applications: you can put your devices in kiosk mode by clicking on Enable lock task mode (learn more), and you will also see all the apps that you approved in the Enterprise approved apps tab. If you haven’t approved any apps yet, follow this tutorial.
When an app is greyed out, it is approved business-wide but not in this specific policy. Click on the menu at the top right of an application to approve it, install it and discover the other features available.
To turn your device into a kiosk, tick the checkbox Enable lock task mode. What is Kiosk mode?
4. Internet filtering
TinyMDM’s web filtering technology helps you create a safe-for-work internet environment. From here you can choose between four levels of restriction:
- No restriction
- Anti-phishing/malware
- Safe for work: forbid inappropriate websites (drugs, porn, gambling, violence…)
- Whitelist only: block access to all websites except those specified in the Allowed sites tab
If you want to forbid particular websites, go to the Forbidden sites tab and enter the site’s name (ex: www.facebook.com). You will have to choose between forbidding only www.thisurl.com or all websites of this domain.
By clicking on the Visited sites tab, you get a list of the websites visited over the last 15 days by all the devices of the policy.
In a Work Profile setup: please note that this option is not available, since the end user can access an internal browser outside his or her professional container, which is not managed by TinyMDM.
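To see what the two Forbidden sites scopes and the Whitelist only level cover before rolling a policy out, the following added example (not TinyMDM code) models them in Python. The function names, the rule shape `(entry, scope)`, the "strip a leading www." rule for domain scope and the precedence of forbidden entries over allowed ones are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Illustrative model only: names and matching rules are assumptions,
# not TinyMDM's implementation.
LEVELS = ("none", "anti_phishing", "safe_for_work", "whitelist_only")


def host_of(url):
    """Return the lowercase host of a URL; bare names like 'www.example.com' work too."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def rule_matches(entry, scope, url):
    """scope 'exact': only the entered host. scope 'domain': that domain and its subdomains."""
    host, target = host_of(url), host_of(entry)
    if scope == "exact":
        return host == target
    # Assumption: for 'domain' scope, the domain is the entry minus a leading 'www.' label.
    domain = target[4:] if target.startswith("www.") else target
    # Compare on a label boundary so 'notfacebook.com' does not match 'facebook.com'.
    return host == domain or host.endswith("." + domain)


def decide(url, level, forbidden=(), allowed=()):
    """Return 'allow' or 'block' for one URL under one restriction level."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    # Assumption: an explicit forbidden entry wins over everything else.
    if any(rule_matches(e, s, url) for e, s in forbidden):
        return "block"
    if level == "whitelist_only":
        ok = any(rule_matches(e, s, url) for e, s in allowed)
        return "allow" if ok else "block"
    # Category checks (phishing, inappropriate content) need a feed; not modelled here.
    return "allow"


if __name__ == "__main__":
    # Constructed sample: one exact-host rule, then the same entry with domain scope.
    for scope in ("exact", "domain"):
        rules = [("www.facebook.com", scope)]
        for u in ("https://www.facebook.com/", "https://m.facebook.com/"):
            print(scope, u, decide(u, "none", forbidden=rules))
```

With the exact scope, the mobile host stays reachable; only the domain scope blocks both sample URLs.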
5. Wi-Fi configuration
From this sub-tab, you can disable Wi-Fi entirely, disable only unsecured networks, or select the Wi-Fi networks that users of this policy will have access to (whether they are in fully managed or BYOD mode). When you tick a Wi-Fi network, it will automatically be configured on all the devices of the policy, without the end users having to know or type the password. If no Wi-Fi networks are visible in your policy, click here to configure them.
6. Connectivity management
From this section, you can:
- Disable internet connection sharing
- Disable Bluetooth
- Disable NFC to beam out data from apps
- Disable data roaming
- Disable airplane mode
- Disable mobile data settings
- Select a preconfigured APN. To learn more about APN, click here
In a Work Profile setup: Please note that this option is not available in a Work Profile setup as connectivity management is only accessible in a Fully Managed mode.
7. CA Certificates management
From this section, you can add a CA certificate, which is used to validate the identity of an entity (website, email address, company, etc.) and links it to cryptographic keys via the publication of an electronic document. To push a CA certificate to the policy, you first have to add it from the dedicated tab and then push it from the policy. Click here to discover how to do it.
8. VPN configuration
You can set a VPN application that will always be active on the devices. Discover how to do it by clicking here.
9. Device-wide controls
From this section, you can:
- Select when Android OS will be updated: automatically, after midnight, or 30 days later
- Prevent end users from adding their own Google account on the devices
- Allow installation of all Play Store applications of the added Google account
- Automatically install the remote control plugin when available
- Prevent factory reset: when enabled, a temporary code will be displayed and the end user will need it to be able to reset his device.
- Disable Google FRP or enable it and configure a Google recovery account.
- Disable camera
- Block access to location settings
- Manage geolocation: per policy (enable or disable) / per device
- Disable USB file access
- Disable screen capture
- Hide policy change message
- Set a volume level
- Allow the device to start automatically when it is charging (Samsung only)
- Modify the language of the device (Samsung only)
- Modify device’s timezone
- Allow TinyMDM to handle downloads via the network
- Select the frequency at which device information is sent to the console
In a Work Profile setup: Please note that this option is not available in a Work Profile setup as device-wide controls are only accessible in a Fully Managed mode.
10. Screen control
From this section, you can:
- Remove swipe screen to unlock
- Set a wallpaper
- Show user and device identifiers on device wallpaper
- Set a sleep mode delay
- Set brightness level: default/adaptive/specific
- Set up a maximum speed beyond which the device screen will not respond (display only)
- Disable user consent popup for remote control
In a Work Profile setup: Please note that this option is not available in a Work Profile setup as screen settings are only accessible in a Fully Managed mode.
11. Shared contacts and files
In the last two sections, Shared contacts and Shared files, you can add or remove contacts and files on all the devices within the policy. You need to add contacts from the shared contacts tab (click here to learn more) and add files from the shared files tab (click here to learn more).
Important: any change you make to the policy will automatically apply to all users (and their devices) linked to that policy.