How to create a policy from scratch?
Please note that it is possible to create a policy even if no user has been created beforehand, but you won’t be able to apply it to any device. We recommend that you create users first (see how to add users one by one or import a list of users from a CSV file).
The “Policies” tab is one of the most important in the software. It is where you can configure the applications, files and contacts that will be available on the devices, and also configure or restrict access to various settings. To create a new policy, go to the Policies tab and click on Create a policy.
In each sub-tab of the policy, you will see icons that indicate which management modes are compatible with the functionality displayed. Hover over each icon in your admin console to see which management mode it refers to.
A. Users in policy
The first step is to add users to the policy. Simply tick the box next to their name (or next to the group if several users belong to the same group). It is possible to create a policy without first creating any users, but this means that it will not apply to any devices. We therefore recommend that you create users first, following the tutorials below if necessary.
Tutorials: How to create a user / How to import a list of users from a CSV file
B. Device policy
Under Device Policy, you can disable the user’s ability to unlock the screen by fingerprint and facial recognition, and choose different settings for passwords:
- the type of password
- minimum password size
- password timeout
- number of times a previously used password can be reused to access the device or work profile
- maximum number of password errors before factory reset
You can set a password for unlocking devices regardless of the management mode. However, the settings for accessing the work profile do not apply in Fully Managed mode, as it does not contain a work profile.
Tutorial: Passwords management
C. Apps management
In this sub-tab, you’ll find all the features related to your enterprise-approved apps: public applications, private applications, web applications and manufacturers’ applications. They all appear here, and you can manage them policy by policy.
In the Policy approved apps list, when an app is greyed out, it means that it has not yet been approved for this policy. To authorise an application in this policy, simply click on it, and it will turn green and be authorised.
By clicking on the menu at the top right of each application, you will find a number of options: approve / disapprove, install / uninstall, clear data, manage permissions, manage configurations, etc.
In the Advanced apps management drop-down list, you’ll find advanced settings for your applications.
Some application management settings are not compatible with all management modes. Check the icon that appears next to each feature.
Tutorials: Manage apps permissions, manage configurations, advanced apps management
D. Internet Filtering
In this section, you can apply internet filtering to devices using one of four levels:
- Whitelist: block access to all websites except those specified in the Allowed sites tab
- Safe for work: forbid inappropriate websites (drugs, porn, gambling, violence…)
- Anti-phishing, anti-malware
- Transparent (No filtering)
You can also see the list of sites visited on devices covered by this policy over the last 15 days by clicking on the Visited sites tab.
Internet filtering is only available in Fully Managed mode.
Tutorial: Set up the secure browser
E. Wi-Fi configuration
In this tab, you can manage the Wi-Fi configurations of your mobile devices. In particular, you can disable access to unsecured Wi-Fi networks or restrict Wi-Fi to networks registered on TinyMDM.
Some Wi-Fi configuration settings are not compatible with all management modes. Check the icon that appears next to each feature.
Tutorial: Wi-Fi networks management
F. Connectivity management
This section covers the management of connectivity parameters:
- Disable internet connection sharing
- Disable Bluetooth
- Disable NFC to beam out data from apps
- Disable data roaming
- Disable airplane mode
- Disable mobile data settings
- Select a preconfigured APN
Some connectivity settings are compatible with only one management mode. Check the icon that appears next to each feature.
Tutorial: APN configuration
G. CA Certificates management
From this section, you can add a CA certificate, which validates the identity of an entity (website, email address, company, etc.) and links it to cryptographic keys via the publication of an electronic document.
CA certificate management is available regardless of the management mode applied to your devices.
Tutorial: CA certificate configuration
H. VPN configuration
You can set a VPN application that will always be active on the devices linked to the policy.
VPN configuration is only available in Fully Managed mode.
Tutorial: Define a VPN application
I. Device-wide controls
From this section, you can:
- Select when Android OS will be updated: automatically, after midnight, or 30 days later
- Prevent end users from adding their own Google account on the devices
- Allow installation of all Play Store applications of the added Google account
- Automatically install the remote control plugin when available
- Prevent factory reset: when enabled, a temporary code will be displayed and the end user will need it to be able to reset their device
- Disable Google FRP or enable it and configure a Google recovery account.
- Disable camera
- Block access to location settings
- Manage geolocation: per policy (enable or disable) / per device
- Disable USB file access
- Disable screen capture
- Hide policy change message
- Set a volume level
- Allow the device to start automatically when it is charging (Samsung only)
- Modify the language of the device (Samsung only)
- Modify the device’s timezone
- Allow TinyMDM to handle downloads via the network
- Select the frequency at which device information is sent to the console
Some parameters in the device-wide controls are compatible with only one management mode. Check the icon that appears next to each feature.
Tutorials: Manage Android OS updates / Prevent factory reset / Manage Google FRP / Geolocate a device
J. Screen control
In this sub-tab, you can manage all the settings relating to the device’s screen:
- Remove swipe screen to unlock
- Set a wallpaper
- Show user and device identifiers on device wallpaper
- Set a sleep mode delay
- Set brightness level: default/adaptive/specific
- Set up a maximum speed beyond which the device screen will not respond (display only)
- Disable user consent popup for remote control
Some screen control settings are only compatible with one management mode. Check the icon that appears next to each feature.
K. Shared contacts and files
In the last two sections, Shared contacts and Shared files, you can add or remove contacts and files on all the devices within the policy. You need to add contacts from the shared contacts tab and add files from the shared files tab.
File sharing and contact sharing are compatible with all management modes.
Tutorials: Share contacts / Share files