
Creating Policies

This guide walks you through creating a new policy from start to finish.

Before You Begin

Consider these questions:

  • Who will use these devices? Employees, contractors, customers?
  • What is the primary use case? General work, kiosk, field work?
  • What security level is needed? Basic, standard, or high security?
  • What apps are required? Email, CRM, custom apps?

Creating a New Policy

Step 1: Start Policy Creation

  1. Navigate to Policies in the top navigation bar
  2. Click Create New Policy (orange button in top right)
  3. The policy editor opens where you can configure all settings

Step 2: Basic Information

Enter policy details:

Field | Example
Policy Name | Sales Team Standard
Device Mode | Personally Owned (BYOD), Fully Managed, Dedicated, or COPE
Description | Standard policy for sales department devices

The version number is automatically managed and increments each time you save changes.

Naming Convention

Use a consistent naming pattern: [Department/Group] - [Purpose] - [Security Level]

Examples:

  • "Engineering - Development - Standard"
  • "Retail - Kiosk - POS Terminal"
  • "Executive - Mobile - High Security"

Step 3: Security Settings

Configure device security:

Password Policy

# Recommended minimum settings
Password Required: Yes
Minimum Length: 8
Require Complexity: Yes
  - At least one letter
  - At least one number
Password Expiration: 90 days
Lock Timeout: 5 minutes after inactivity
Failed Attempts Before Wipe: 10

Biometrics

Fingerprint Unlock: Allowed
Face Unlock: Allowed (Class 3 only)
Biometric Timeout: 72 hours
Require Password Fallback: Yes

Encryption

Device Encryption: Required (Enforced)
SD Card Encryption: Required
Encrypt Backups: Yes

Step 4: Device Restrictions

Control what users can access:

Common Restrictions

Setting | Recommended | Notes
Camera | ✅ Enabled | Disable only if required by compliance
Screenshots | ✅ Enabled | Disable for sensitive data apps
USB File Transfer | ⚠️ Block | Enable only for development
App Installs | ⚠️ Admin Only | Prevent unapproved apps
Factory Reset | ❌ Block | Prevent data loss
Developer Options | ❌ Block | Security risk
Unknown Sources | ❌ Block | Prevent sideloading

Advanced Restrictions

Network Restrictions:
  Bluetooth: Allowed
  Bluetooth Sharing: Blocked
  NFC: Allowed
  Mobile Hotspot: Blocked
  Wi-Fi Direct: Blocked

Data Restrictions:
  Copy to Clipboard: Work apps only
  Share via: Managed apps only
  Backup to Google: Blocked
  Print: Allowed

Step 5: Application Management

Required Applications

Add apps that must be installed:

  1. Click Add Required App
  2. Search for the app
  3. Configure installation settings:
     App: Microsoft Outlook
     Package: com.microsoft.office.outlook
     Installation: Force Install (Auto)
     Update Mode: High Priority
     Allow Uninstall: No
     Default App For: Email

     Managed Configuration:
       email_address: ${user.email}
       server: outlook.office365.com

Blocked Applications

Add apps to block:

Blocked Apps:
  # Social Media
  - com.facebook.katana
  - com.instagram.android
  - com.twitter.android

  # Games
  - "*games*" # Wildcard to block game packages

  # File Sharing
  - com.dropbox.android
  - com.google.android.apps.docs # Personal Google Drive
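
A substring wildcard such as "*games*" both misses games whose package name lacks the word and catches unrelated packages that contain it. The following added example (not part of the product or its documentation) audits a device inventory against the blocklist above and flags required apps the blocklist would also block. It assumes glob-style wildcard matching, and the `com.example` package names are constructed.

```python
from fnmatch import fnmatchcase

# Blocklist and required packages as listed on this page.
BLOCKED = ["com.facebook.katana", "com.instagram.android", "com.twitter.android",
           "*games*", "com.dropbox.android", "com.google.android.apps.docs"]
REQUIRED = ["com.microsoft.office.outlook", "com.cisco.anyconnect.vpn.android.avf"]

def blocking_pattern(package, patterns=BLOCKED):
    """Return the first blocklist entry that matches `package`, or None."""
    # Assumption: the console matches wildcards like a case-sensitive glob.
    return next((p for p in patterns if fnmatchcase(package, p)), None)

def audit(installed, required=REQUIRED, patterns=BLOCKED):
    """Map each blocked installed package to the entry that blocks it, and
    list required packages the blocklist would also block (policy conflicts)."""
    blocked = {}
    for pkg in installed:
        pattern = blocking_pattern(pkg, patterns)
        if pattern:
            blocked[pkg] = pattern
    conflicts = [pkg for pkg in required if blocking_pattern(pkg, patterns)]
    return blocked, conflicts

# Constructed inventory: the com.example package names are made up.
INVENTORY = ["com.microsoft.office.outlook", "com.dropbox.android",
             "com.example.supergames.puzzle",   # a game, matched by *games*
             "com.example.arcade.racer",        # a game, NOT matched
             "com.example.wargames.training"]   # internal training app, matched

if __name__ == "__main__":
    blocked, conflicts = audit(INVENTORY)
    for pkg, pattern in blocked.items():
        print(f"blocked  {pkg}  (by {pattern})")
    print("required apps also blocked:", conflicts or "none")
```

Run the audit on a test group's real inventory before rollout and replace broad wildcards with explicit package names where they overmatch.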

System Apps

Control built-in apps:

System App Visibility:
  Calculator: Show
  Calendar: Show
  Camera: Show
  Chrome: Hide (use managed browser)
  Contacts: Show
  Files: Hide
  Gmail: Hide (use Outlook)
  Maps: Show
  Phone: Show
  Play Store: Hide
  Settings: Show (limited)
  YouTube: Hide

Step 6: Network Configuration

Wi-Fi Setup

Add corporate Wi-Fi networks:

Wi-Fi Network 1:
  SSID: Corporate-Secure
  Security: WPA2-Enterprise
  EAP Method: PEAP
  Phase 2: MSCHAPv2
  Identity: ${user.email}
  Anonymous Identity: anonymous@company.com
  Certificate: DigiCert-Root
  Auto Connect: Yes
  Connect When Hidden: Yes

VPN Configuration

Set up always-on VPN:

VPN Provider: Cisco AnyConnect
Package: com.cisco.anyconnect.vpn.android.avf
Always On: Yes
Lockdown Mode: Yes (block non-VPN traffic)

Connection Settings:
  Server: vpn.company.com
  Protocol: IKEv2
  Certificate Auth: Yes
  User Certificate: ${cert.user}

Step 7: System Settings

Display Settings

Display:
  Wallpaper: https://cdn.company.com/wallpaper.png
  Lock Screen Message: "Property of Company Inc."
  Brightness: 50% (user adjustable)
  Screen Timeout: 2 minutes
  Always On Display: Disabled

System Updates

System Updates:
  Policy: Automatic
  Window Start: 02:00
  Window End: 06:00
  Freeze Period: None

Security Patches:
  Policy: Automatic
  Maximum Age: 30 days (warn after)

Date and Time

Date/Time:
  Auto Timezone: Yes
  Auto Time: Yes
  Manual Override: No
  Time Format: 12-hour

Step 8: Compliance Rules

Define what makes a device non-compliant:

Compliance Rules:
  - Rule: Password Set
    Severity: Critical
    Action: Block access
    Grace Period: 1 hour

  - Rule: Encryption Enabled
    Severity: Critical
    Action: Lock device
    Grace Period: None

  - Rule: OS Version >= 12
    Severity: Warning
    Action: Notify user
    Grace Period: 7 days

  - Rule: Security Patch < 90 days old
    Severity: Medium
    Action: Notify admin
    Grace Period: 30 days
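
To see how these four rules and their grace periods combine on one device, here is an added example (not the product's own code) that evaluates a device record against them. It assumes the grace period runs from the moment a failure is first observed; the `Device` fields and the sample values are constructed.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Callable

@dataclass
class Device:                      # hypothetical device-state record
    password_set: bool
    encrypted: bool
    os_version: int
    patch_date: date

@dataclass
class Rule:
    name: str
    severity: str
    action: str
    grace: timedelta               # time allowed before the action fires
    ok: Callable[[Device, date], bool]

RULES = [  # the Step 8 rules with the page's severities, actions, grace periods
    Rule("Password Set", "Critical", "Block access", timedelta(hours=1),
         lambda d, today: d.password_set),
    Rule("Encryption Enabled", "Critical", "Lock device", timedelta(0),
         lambda d, today: d.encrypted),
    Rule("OS Version >= 12", "Warning", "Notify user", timedelta(days=7),
         lambda d, today: d.os_version >= 12),
    Rule("Security Patch < 90 days old", "Medium", "Notify admin", timedelta(days=30),
         lambda d, today: (today - d.patch_date).days < 90),
]

def evaluate(device, first_failed, now):
    """Return (rule, severity, action) per failing rule; action is None while
    the grace period runs. Rules absent from first_failed fail as of `now`."""
    findings = []
    for rule in RULES:
        if rule.ok(device, now.date()):
            continue
        elapsed = now - first_failed.get(rule.name, now)
        findings.append((rule.name, rule.severity,
                         rule.action if elapsed >= rule.grace else None))
    return findings

# Constructed sample: no password, unencrypted, OS 11, patch level 2024-01-15.
NOW = datetime(2024, 6, 1, 12, 0)
DEVICE = Device(False, False, 11, date(2024, 1, 15))
FIRST_FAILED = {"Password Set": NOW - timedelta(minutes=30),
                "OS Version >= 12": NOW - timedelta(days=8),
                "Security Patch < 90 days old": NOW - timedelta(days=10)}
```

With the sample data, `evaluate(DEVICE, FIRST_FAILED, NOW)` locks the device for missing encryption immediately, while the missing password is still inside its one-hour grace period.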

Step 9: Review and Save

  1. Review all settings in each configuration tab
  2. Click Save Policy (orange button in top right)
  3. The policy version will auto-increment and sync to assigned devices

Testing Your Policy

Before deploying widely:

  1. Create a test group with 1-2 devices
  2. Assign the policy to the test group
  3. Verify settings are applied correctly
  4. Test user experience - is it usable?
  5. Check compliance reporting
  6. Iterate based on findings

Policy Templates Reference

Basic Security Template

Minimal restrictions for trusted users:

Security: Password required, 6+ characters
Restrictions: Minimal (camera, bluetooth enabled)
Apps: No force-installed apps
Network: No pre-configured networks

Standard Enterprise Template

Balanced security for most organizations:

Security: Password 8+ chars, complexity, encryption
Restrictions: Block unknown sources, developer options
Apps: Email, security agent required
Network: Corporate Wi-Fi pre-configured

High Security Template

Maximum protection for sensitive environments:

Security: Password 12+ chars, biometric, encryption
Restrictions: Block camera, USB, bluetooth, screenshots
Apps: Approved apps only, no Play Store
Network: Always-on VPN, managed Wi-Fi only

Kiosk Template

Single-purpose device configuration:

Security: No user password (device locked to app)
Restrictions: Everything blocked except kiosk apps
Apps: Kiosk app(s) only
Network: Pre-configured, no user access

Next Steps