Xcitium Enterprise Admin Guide - Profiles for Android Devices

Profiles for Android Devices

Android profiles let you configure a device's network access rights, security restrictions, scan schedule and other settings.

Process in brief:

Click 'Assets' > 'Configuration Templates' > 'Profiles'

Click 'Create' > 'Create Android Profile'

Type a name and description for your profile then click the 'Create' button. The profile now appears in 'Assets' > 'Configuration Templates' > 'Profiles'

New profiles have only one section - 'General'. Click 'Add Profile Section' to add settings for various security and management features. Each section you add will appear as a new tab

Once you have fully configured your profile you can apply it to devices, device groups, users and user groups

You can make any profile a 'Default' profile by selecting the 'General' tab then clicking the 'Edit' button.

This part of the guide explains the processes above in more detail, and includes in-depth descriptions of the settings available for each profile section.

Create an Android profile

Click 'Assets' > 'Configuration Templates' > 'Profiles'

Click the 'Create' button > 'Create Android Profile':

Enter a name and description for the profile

Click the 'Create' button

The Android profile is created and the 'General Settings' section is shown. The new profile is not a 'Default Profile' by default.

A 'default' profile is one that is applied automatically to any device which matches its operating system. You can have multiple 'default' profiles per operating system.

Click the 'Make Default' button if you want this profile to be a default.

Alternatively, click the 'Edit' button on the right of the 'General' settings screen and enable 'Is Default'.

Click 'Save'.

Tip: You can set any profile as a default in the 'Profiles' screen. See Edit Configuration Profiles for more details.

The next step is to add profile sections.

Each profile section contains a range of settings for a specific security or management feature.

For example, there are profile sections for 'Browser Restrictions', 'Antivirus Settings', 'Network Restrictions', 'VPN' and so on.

You can add as many different sections as you want when building your device profile.

To get started:

Click 'Add Profile Section'

Select the security component that you want to include in the profile:

Note: Many Android profile settings have small information boxes next to them which indicate the OS and/or device required for the setting to work correctly.

For example, the following box indicates that the setting supports KNOX 2.0+ (Samsung For Enterprises) devices and tablets only

The settings screen for the selected component is shown. After saving, it is available as a link at the top.

The following sections explain more about each of the sections:

Antivirus

Bluetooth Restrictions

Browser Restrictions

Certificate

Active Sync

Kiosk

Native App Restrictions

Network Restrictions

Passcode

Restrictions

Wi-Fi

Other Restrictions
Updates

Configure Antivirus settings

Click 'Antivirus Settings' in the 'Add Profile Section' drop-down

Antivirus Settings - Table of Parameters
Form Element	Description
AV scanning exclusion list	Lets you add trusted apps. Trusted apps are excluded from real-time, on-demand and scheduled antivirus scans run on the devices. Enter the bundle identifier of the app that you want to exclude from antivirus scanning. For more details on getting the bundle identifier for an app, see the explanation given below this table. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables. Click to add more 'AV scanning exclusions list' fields. Click to remove an item from the 'AV scanning exclusion list ' field.
Automatically terminate malware process	If enabled, any malware found is stopped from running. From this point it might be ignored (allowed to remain on the device) or uninstalled, depending on the settings in Configure Android Client Antivirus Settings. To view these settings, click 'Settings' > 'Settings' > 'Portal Set-Up' > 'Client Settings' > 'Android' > 'Antivirus'
Schedule scan	Select if you want to automate the process of antivirus scanning. Select the checkbox beside the day(s) that you want the scheduled scan to run.

Click the 'Save' button.

The settings are saved and shown under the 'Antivirus Settings' tab. You can edit settings or remove the 'Antivirus Settings' section from the profile at anytime. See Edit Configuration Profiles for more details.

Obtain Bundle/Package Identifier

The bundle identifier is a string that identifies the .apk package used to install the app.

For Google Play Apps:

The bundle identifier can be found at the end of the app's Google Play download URL.

For example, 'com.Xcitium.batterysaver' is the Xcitium Battery Saver app id in the URL

https://play.google.com/store/apps/details?id=com.Xcitium.batterysaver

Configure Bluetooth Restrictions settings

The feature is supported for Samsung for Enterprise (KNOX) devices only.

Click 'Bluetooth Restrictions' from the 'Add Profile Section' drop-down

Bluetooth Restrictions Settings - Table of Parameters
Form Element	Description
Allow Device discovery via Bluetooth	Allows discovery of other devices via Bluetooth.
Allow Bluetooth Pairing	Allows users' devices to pair with other their devices via Bluetooth.
Allow Outgoing Calls	Allows users to make calls using Bluetooth enabled devices (eg. hands-free devices)
Allow Bluetooth Tethering	Allows users to enable/disable Bluetooth tethering option.
Allow connection to Desktop or Laptop via Bluetooth	Allow users to enable/disable Bluetooth connection with Desktop or Laptop.
Allow data transfer	Allows data transfer between devices via Bluetooth.

Click the 'Save' button.

The settings are saved and shown under the 'Bluetooth Restrictions' tab. You can edit the settings or remove the section from the profile at anytime. See Edit Configuration Profiles for more details.

Configure Browser Restrictions settings

The feature is supported for Samsung for Enterprise (KNOX) devices only.

Click 'Browser Restrictions' from the 'Add Profile Section' drop-down

The 'Browser Restrictions' settings screen will be displayed.

Browser Restrictions Settings - Table of Parameters
Form Element	Description
Allow Pop-ups	Pop-ups in browsers will be allowed on user devices.
Allow Javascript	Java scripts will be allowed on user devices
Accept Cookies	Users will be allowed to modify Cookies settings on their devices.
Remember Form Data for later use	Users will be allowed to use Auto Fill settings on their devices.
Show Fraud Warning Settings	Users will be allowed to view Fraud Warning Settings on their devices.

Click the 'Save' button.

The settings are saved and shown under the 'Browser Restrictions' tab. You can edit the settings or remove the section from the profile at anytime. See Edit Configuration Profiles for more details.

Configure Certificate settings

The 'Certificate' settings section is used to upload certificates and will act as a repository from which certificates can be selected for use in other areas like 'Wi-Fi, 'Exchange Active Sync' and 'VPN'.

Click 'Certificate' from the 'Add Profile Section' drop-down

Certificate Settings - Table of Parameters
Form Element	Description
Name	Enter the label of the certificate. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.
Description	Enter an appropriate description for the certificate.
Data	Browse to the location of the stored certificate and select the certificate. Note: Only certificate files with extensions 'pub', 'crt' or 'key' can be uploaded.

Click the 'Save' button.

The certificate will be added to the certificate store.

Click 'Add Certificate' and repeat the process to add more certificates.

Click on the name of the certificate to view the certificate key and edit the name

You can add any number of certificates to the profile and remove certificates at anytime. See Edit Configuration Profiles for more details.

Configure Email settings

Note: The feature is supported for Samsung for Enterprise (KNOX) devices only. This area allows administrators to configure email settings on devices.

Click 'Email' from the 'Add Profile Section' drop-down

Email Settings - Table of Parameters
Form Element	Description
Configure for Type*	Choose the protocol for incoming mail server from IMAP and POP.
Email address*	Enter the email address of the user at the incoming mail server If the profile is for a single user. Click the variables button to insert dynamic values if the profile is for several users. The email address of the users to whom the profile is associated are automatically added to the profile while rolling out the same to the devices. See Create and Manage Custom Variables for more details on variables.
Account Display Name	Enter a label to identify the user's email account at the incoming mail server, if the profile is for a single user. Click the variables button to insert dynamic values if the profile is for several users. See Create and Manage Custom Variables for more details on variables. The email address of the users to whom the profile is associated are automatically added to the profile while rolling out the same to the devices.
Set as Default Account	The email account is set as default for the users.
Mail Server Host Name (for Incoming Mail) *	Enter the host name or IP address of the incoming mail server, if the profile is for a single user. Click the variables button to insert dynamic values if the profile is for several users. See Create and Manage Custom Variables for more details on variables.
Mail Server Port Number (for Incoming Mail) *	Enter the server port number used for incoming mail service for a single user. For POP3, it is usually 110 and if SSL is enabled it is 995. For IMAP, it is usually 143 and if SSL is enabled it is 993. Click the variables button to insert dynamic values if the profile is for several users. See Create and Manage Custom Variables for more details on variables.
Login (for Incoming Mail)*	Enter the username for the email account of the user at the incoming mail server if the profile is for a single user. Click the variables button to insert dynamic values if the profile is for several users. See Create and Manage Custom Variables for more details on variables. The email usernames of the users to whom the profile is associated are automatically added to the profile while rolling out to the devices.
Password (for Incoming Mail)*	Enter the password for the email account of the user at the incoming mail server if the profile is for a single user. Click the variables button to insert dynamic values if the profile is for several users. See Create and Manage Custom Variables for more details on variables. The email passwords of the users to whom the profile is associated are automatically added to the profile while rolling out to the devices.
Use SSL Incoming	Communication between incoming mail server and devices is encrypted using SSL (Secure Socket Layer Protocol).
Accept All Certificates (for Incoming Mail)	The device automatically accepts all SSL certificates from the incoming mails.
Accept TLS Certificates (for Incoming Mail)	The device automatically accepts all secure certificates for TLS (Transport Secure Layer Protocol) from the incoming mails.
Mail Server Host Name (for Outgoing mail)*	Enter the host name or IP address of the outgoing (SMTP) mail server for a single user. Click the variables button to insert dynamic values if the profile is for several users. See Create and Manage Custom Variables for more details on variables.
Mail Server Port Number (for Outgoing Mail) *	Enter the server port number used for outgoing (SMTP) mail service, if the profile is for single user. If no port number is specified then ports 25, 587 and 465 are used in the given order. Click the variables button to insert dynamic values if the profile is for several users. See Create and Manage Custom Variables for more details on variables.
Login (for outgoing Mail)*	Enter the username for the email account of the user at the outgoing (SMTP) mail server if the profile is for a single user. Click the variables button to insert dynamic values if the profile is for several users. See Create and Manage Custom Variables for more details on variables. The email usernames of the users to whom the profile is associated are automatically added to the profile while rolling out to the devices.
Password (for outgoing Mail)*	Enter the password for the email account of the user at the outgoing (SMTP) mail server if the profile is for a single user. Click the variables button to insert dynamic values if the profile is for several users. See Create and Manage Custom Variables for more details on variables. The email passwords of the users to whom the profile is associated are automatically added to the profile while rolling out to the devices.
Use SSL (for Outgoing Mail)	Communication between outgoing mail server and devices is encrypted using SSL.
Accept All Certificates (for Outgoing Mail)	The device automatically accepts all SSL certificates from outgoing mails.
Accept TLS Certificates (for Outgoing Mail)	The device automatically accepts all secure certificates for TLS (Transport Secure Layer Protocol) from outgoing mails.
Sender Name	Enter the name that should appear in the 'From' field of the sent emails from the device if the profile is for a single user. Click the variables button to insert dynamic values if the profile is for several users. See Create and Manage Custom Variables for more details on variables.
Set Signature	Enter the signature and other details that appears at the end of the mails sent from the device. Click the variables button to insert dynamic values if the profile is for several users. See Create and Manage Custom Variables for more details on variables.
Prevent Moving Mail to other Accounts	The user cannot move sent or received mails to another account.
Always Vibrate on New Email Notification	The device vibrates in addition to sound alert when a new email is received.
Vibrate on New Email Notification if device is silent	The device vibrates when a new email is received, when the device is in silent mode.

Click the 'Save' button.

The settings are saved and shown under the 'Email' tab. You can edit the settings or remove the section from the profile at anytime. See Edit Configuration Profiles for more details.

Configure ActiveSync settings

ActiveSync settings allows you to configure user access to Exchange Server mail accounts.

Note: Please make sure users are not blocked from using the email client on their devices in Native App Restrictions

Click 'ActiveSync Settings' from the 'Add Profile Section' drop-down.

Form Element	Description
Email Address *	Click the 'Variables' button and click beside '%u.mail' from the User Variables' list. The email address of the users to whom the profile is associated are automatically filled. For more details on variables, see Create and Manage Custom Variables.
User Name *	Click the 'Variables' button and click beside '%u.login' from the User Variables' list. The username of the users to whom the profile is associated are automatically filled. For more details on variables, see Create and Manage Custom Variables.
Domain *	Enter the domain name in the field. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.
Server Address *	Enter the server address of the ActiveSync. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.
Password	Leave the field blank. The user needs to enter the password while configuring the email account for the first time. After it is validated, the users can access the email account without entering the password.
Account Display Name	Enter a label to identify the user's email account at the exchange server. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.
Email Signature	Enter the signature and other details that appears at the end of the mails sent from the device. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.
Maximum Email Size	The maximum size of email that the user can download from the server. Use the controls or enter the value in the field. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.
Sync Emails	Choose the period for which the emails are to be kept synchronized between the device and the exchange server from the recent past, from the drop-down.
Sync Calendar	Select the period for which the calendar events are to be synchronized between the device and the exchange server, from the drop-down.
Use SSL	Communication between the device and the exchange server is encrypted using SSL (Secure Socket Layer Protocol).
As default account	The email address is used as default for sending out emails.
Accept all certificates	The device automatically accepts all SSL certificates.
Can sync contacts	Allows synchronization of user contacts between device and exchange server.
Can sync calendar	Allows synchronization user created calendar events between the device and the exchange server.
Can sync tasks	Allows synchronization of user scheduled tasks between the device and the exchange server.
Manual roaming sync	The user can use the sync feature manually while away from the home network.
Always vibro on new email	The device will vibrate when a new email is received.

Fields with * are mandatory.

Click the 'Save' button.

The settings are saved and shown under the 'ActiveSync Settings' tab. You can edit the settings or remove the section from the profile at anytime. See Edit Configuration Profiles for more details.

Configure Kiosk settings

Note:This feature is only supported by Samsung for Enterprise (KNOX) devices.

Background: Kiosk mode is a feature intended to help administrators lock-down mobile devices by limiting the applications that are able to run on a device. 'Locking' a device to particular applications can prevent users from opening other applications or straying into important device configuration areas. You can also block aspects of the OS should you wish. An example is a retail or school environment where only certain apps should be used on the device.

Click 'Kiosk' from the 'Add Profile Section' drop-down

Form Element	Description
Kiosk Mode Type	The two Kiosk modes are: Default mode - Run multiple apps in Kiosk mode. Users will not be able to run non-kiosk applications. Kiosk mode can only be exited by entering the admin bypass password. Single App mode - Users can only run the single application that you specify. Users will not be able to run non-kiosk applications. Kiosk mode can only be exited if the admin disables it in the Xcitium console. Restrictions on access to other device functions, such as task manager and the status bar, can also be configured for either mode.
If 'Single App' is selected as Kiosk Mode Type:
Enter ID of Kiosk Apps	Enter the Package ID of the app that will run in Kiosk mode. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables. See Obtain Bundle/Package Identifier for more details on Package ID.
If 'Default mode' is selected as Kiosk Mode Type:
Enter ID of Kiosk Apps	Enter the package IDs of the apps that will run in Kiosk mode. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables. See Obtain Bundle/Package Identifier for more details on Package ID. Click to add more app IDs. Click the button to remove an item from the list
Block Multi-Window Mode	Users cannot open multiple windows.
Block Task Manager	Users cannot access task manager screen.
Hide Navigation Bar	The navigation bar is not shown on the devices.
Hide System Bar	The system bar is not shown on the devices.
SMS/MMS blocking	All SMSs and MMSs to the device are blocked.
Block Keys	This feature lets you selectively block touch keys and icons available on device screen. For example, if you do not want the device owners to use 'Caps Lock' key you can block it. Click in the 'Block Keys' field: Scroll down to view the full list and select the key. Repeat the process to add more keys to the blocked keys list.
The following features are visible if 'Default mode' is selected as Kiosk Mode Type:
Show messenger App	Allows the messenger app on the device.
Show email App	Allows the email app on the device.
Show dialer App	Allows the phone dialer app on the device.
Show admin bypass button	Adds the 'Admin bypass' button to the device screen. The user can tap the button and enter the password to exit from the Kiosk mode.
Admin bypass password	Enter the password required to exit the Kiosk mode. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.

Click the 'Save' button.

The settings are saved and shown under the 'Kiosk' tab. You can edit the settings or remove the section from the profile at anytime.See Edit Configuration Profiles for more details.

Configure Native App Restriction settings

Native applications are those applications that come with the device operating system. Examples include the email and gallery apps. Admins can restrict users from accessing these native applications if required.

Note: Native app restrictions are only available on Samsung which support KNOX 2.0 +

Click 'Add Profile Section' > 'Native App Restrictions'

Form Element	Description
Allow Gmail	Users can the access Gmail app.
Allow Email	Users can the access the default email app.
Allow Browser	Users can access the default Android browser on their devices.
Allow Gallery	Users can access Gallery on their devices.
Allow Settings	Users can change their device settings.
Allow Google Play	Users can access Google Play on their mobile devices.
Allow YouTube App	Users can access the YouTube app.
Allow Google Maps & Navigation	Users can access Google Maps and Navigation app on their devices.
Allow Google and Voice Search	Users can use Google and Voice Search services.

Click the 'Save' button.

The settings are saved and shown under the 'Native App Restriction' tab. You can edit the settings or remove the section from the profile at anytime. See Edit Configuration Profiles for more details.

Configure Network Restriction settings

The feature is supported for Samsung for Enterprise (KNOX) devices only.

Click 'Network Restrictions' from the 'Add Profile Section' drop-down

Form Element	Description
Allow Emergency Calls only	Allows users to make only emergency calls.
Allow Voice Roaming	Allows users to make/receive voice call during roaming.
Allow Sync during Roaming	Allows the use of Sync feature while roaming.
Allow Data Roaming	Allows users to enable 'Data Roaming' option on their devices to access data services during roaming.
Allow USB Tethering	Allows users to enable 'USB Tethering' option for sharing their data connection through USB tethering.
Allow Wi-Fi access point settings editing	Allows users to edit the Wi-Fi access point settings to create a Wi-Fi hotspot for sharing their data connection.
Allow user to add Wi-Fi networks	Allows users to add additional Wi-Fi networks.
Wi-Fi Network Minimum Security Level	Select the minimum security level required for the user to access the Wi-Fi network. The options available are: Open WEP WPA 802.1x EAP (LEAP) 802.1x EAP (FAST) 802.1x EAP (PEAP) 802.1x EAP (TTLS) 802.1x EAP (TLS)
Allow SMS	Allows text messages as per the option selected: All - Allows both incoming and outgoing text messages. Incoming Only - Allows incoming text messages only. Outgoing Only - Allows outgoing text messages only. None - Both incoming and outgoing text messages are blocked.
Allow MMS	Allows multimedia messages as per the option selected: All - Allows both incoming and outgoing multimedia messages. Incoming Only - Allows incoming multimedia messages only. Outgoing Only - Allows outgoing multimedia messages only. None - Both incoming and outgoing multimedia messages are blocked.
Blacklisted SSIDs	Specify the name (SSID) of the wireless network that should be blacklisted. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables. Click the button to add more 'Blacklisted SSID' fields. Click the button beside an SSID to remove it from the list

Click the 'Save' button.

The settings are saved and shown under the 'Network Restrictions' tab. You can edit the settings or remove the section from the profile at anytime See Edit Configuration Profiles for more details.

Configure Passcode settings

Click 'Passcode' from the 'Add Profile Section' drop-down

Form Element	Description
Passcode Type	Select the type of passcode from the drop-down that the user should configure for unlocking screen lock. The options available are: No passcode enforcement Only letters Letters and numbers Only numbers Letters, numbers and a special symbol Requires some kind of password
Minimum Passcode Length	Select the minimum number of passcode characters that can be configured by the user. (4-16 characters).
Maximum Idle Time	Select the maximum time period that can be set as idle time out period for device screen lock, from the drop-down.
Maximum Failed Attempts for Wipe	Select the maximum number of allowed unsuccessful login attempts for device wipe (4-16). Set the value as '0' for unlimited. If the number of failed attempts crosses this value, the data in the device will be automatically wiped off. This is useful to prevent the data from the device being stolen, if somebody, other than the user, tries to login to the device by entering guessed passcodes.
Maximum Failed Attempts for Sneak Peek	Select the maximum number of allowed unsuccessful login attempts for 'Sneak Peek' feature (4-16). Set the value as '0' for unlimited. The 'Sneak Peek' feature makes the device take a photograph with the front- facing camera if the wrong passcode is entered a certain number of times - hopefully getting a picture of the person holding a lost/stolen device. Photographs are forwarded to the Xcitium server. The photograph(s) sent by the device can be viewed from the 'Device Details' interface that can be accessed by clicking 'Assets' > 'Devices' > 'Device List' > the device name > 'Sneak Peek' tab. See View Sneak Peek Pictures to Locate Lost Devices for more details. Note: If the device does not have a front camera, the rear camera will capture a photograph and forward to the Xcitium server.
Maximum Passcode Age (days)	Enter the maximum period in days for which a passcode can be valid. After the number of days specified in this field, the passcode will expire. The user needs to change the passcode before the current one expires.
Passcode History Requirements	Set how many unique, new passcodes must be created before the user can re-use an old password. This feature is available for Android 3.0 and later versions only.

Click the 'Save' button.

The settings are saved and shown under the 'Passcode' tab. You can edit the settings or remove the section from the profile at anytime.See Edit Configuration Profiles for more details.

Configure Restriction settings

Click 'Restrictions' from the 'Add Profile Section' drop-down

Form Element	Description
Allow Turn-off background Sync	Select this to allow users to disable background synchronization setting on their devices.
Allow Bluetooth	Select this to allow users to enable/disable Bluetooth on their devices.
Allow Camera	Select this to allow users to use the camera
Allow Un-encrypted devices	Select this to enable users to use device without turning on the storage encryption feature. This feature is available for Android 3.0 and later versions only.
Allow to run Apps installed from unknown sources	Select this to allow users to run installed applications that were download from unknown sources
Cellular Connection Control	Choose whether or not to allow the device to connect to the internet through a cellular network (2G/3G/4G): Cellular Connection on - Maintains the data connection through cellular network enabled, irrespective of user settings under 'Settings' > 'Wireless and Network settings' in the device. Cellular Connection off - Maintains the data connection through cellular network disabled, irrespective of user settings under 'Settings' > 'Wireless and Network settings' in the device. User Choice - The connection is enabled or disabled as per the user's setting under 'Settings' > 'Wireless and Network settings' in the device.
WiFi Connection Control	Choose whether or not to allow the device to connect to WiFi networks and hotspots from the options. WiFi Connection on - Always maintains the WiFi connection enabled, irrespective of user's setting under 'Settings' > 'Wireless and Network settings' in the device. WiFi Connection off - Always maintains the WiFi connection disabled, irrespective of user's setting under 'Settings' > 'Wireless and Network settings' in the device. User Choice - The connection is enabled or disabled as per the user's setting under 'Settings' > 'Wireless and Network settings' in the device.
Location Service Control	Choose whether or not to allow the location services on the device from the options: Location Service Always On - Always maintains the location services enabled, irrespective of the user's setting on the device. Location Service Always Off - Always maintains the location services disabled, irrespective of the user's setting on the device. User Choice - The location service is enabled or disabled as per the user's setting on the device.

Click the 'Save' button.

The settings are saved and shown under the 'Restrictions' tab. You can edit the settings or remove the section from the profile at anytime.See Edit Configuration Profiles for more details.

Configure VPN settings

Note: The feature is supported for only Samsung for Enterprise (KNOX) devices.

Click 'VPN' from the 'Add Profile Section' drop-down

Form Element	Description
Configure for type	Choose the VPN connection type from drop-down. The options available are: L2TP, PPTP, L2TP/IPSec PSK, IPSec, XAuth PSK IPSec XAuth RSA.
VPN Connection Name	Enter a label for the connection. This is shown on the device. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.
Host name of the VPN Server	Enter the IP address or host name of the VPN server. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.
Username / Password	Enter the login credentials for the device to connect to the VPN server. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.
DNS Search Domains	Enter the IP address or hostname of the DNS server that devices will use for searching domain names. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.
For L2TP
Enable L2TP Secret	If enabled, the pre-shared L2TP should be entered in the next field L2TP Secret
L2TP Secret	If L2TP Secret is enabled, then the pre-shared key should be entered here by the user or selected from 'Variables'
For PPTP
Enable Encryption	If selected, the connection is encrypted between the devices and the VPN server.
For L2TP/IPSec PSK
Enable L2TP Secret	If enabled, the pre-shared L2TP should be entered in the next field L2TP Secret
L2TP Secret	If L2TP Secret is enabled, then the pre-shared key should be entered here by the user or selected from 'Variables'
IPSec Pre-Shared Key	If IP Sec Identifier is enabled, then the pre-shared key should be entered here by the user or selected from 'Variables'
For IPSec Xauth PSK
IP Sec Identifier	Enter the IPSec identifier in the field. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.
IPSec Pre-Shared Key	If IP Sec Identifier is enabled, then the pre-shared key should be entered here by the user or selected from 'Variables'.
Use for persistent connect	Forcibly maintains the VPN connection always at the enabled state, irrespective of user's settings through 'Settings' > 'Wireless and Networks' in the device. In order to enable this feature, the following conditions are to be satisfied: The profile should have been created already and rolled out to the devices. Hence the administrator will be able to enable this feature after rolling out the profile and then by editing the profile. See Edit Configuration Profiles for more details. Suits to all VPN connections types, except PPTP The VPN server and the DNS server should have been specified by their IP addresses in IPv4.

Click the 'Save' button after entering or selecting the parameters.

The VPN connection setting is added to the profile.

Click 'Add VPN' and repeat the process to add more VPN connections.

Click the name of a connection to view and edit its settings

You can add any number of VPN connection settings to the profile at anytime. See Edit Configuration Profiles for more details.

Configure Wi-Fi settings

Click 'Wi-Fi' from the 'Add Profile Section' drop-down

Type	Description
Text Field	Enter the Service Set Identifier (SSID), the name of the wireless network that a device should connect to. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.
Checkbox	If enabled, users will be able to access the hidden wireless network too. Users must know the hidden SSID details and the required credentials.
Drop-down	Select the type of encryption used by the wireless network from the drop-down. The options available are: Open WEP WPA / WPA2 - PSK 802.1x EAP The settings for each type is explained in the next table Wi-Fi configuration type settings.

Type

Description

Text Field

Enter the Service Set Identifier (SSID), the name of the wireless network that a device should connect to.

Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.

Checkbox

If enabled, users will be able to access the hidden wireless network too. Users must know the hidden SSID details and the required credentials.

Drop-down

Select the type of encryption used by the wireless network from the drop-down. The options available are:

Open

WPA / WPA2 - PSK

802.1x EAP

The settings for each type is explained in the next table Wi-Fi configuration type settings.

Wi-Fi Configuration Type settings

Wi-Fi Configuration Type Settings - Table of Parameters
Security Configuration Type	Description
Open	No password is required for accessing the Wi-Fi network by the user.
WEP	Authentication Password - Enter the password to access the Wi-Fi network. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.
WPA / WPA2 - PSK	Authentication Password - Enter the password to access the Wi-Fi network. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.
802.1x EAP	1. EAP Authentication Protocol - Select the EAP authentication protocol from the drop-down. Applicable for Samsung for Enterprise devices KNOX 2.0 + version. PEAP TLS TTLS 2. Phase 2 Authentication Protocol - Select the Phase 2 authentication protocol from the drop-down. Applicable for Samsung for Enterprise devices KNOX 2.0 + version. None PAP MSCHAP MSCHAPV2 GTC 3. Certificate - Select the user certificate from the drop-down or upload it using the 'Add New' button. 4. CA Certificate - Select the CA certificate from the drop-down or upload it using the 'Add New' button. 5. Authentication Username - Enter the username for Wi-Fi authentication. Applicable for Samsung for Enterprise devices KNOX 2.0 + version. 6. Authentication Password - Enter the password for Wi-Fi authentication. Applicable for Samsung for Enterprise devices KNOX 2.0 + version. 7. Authentication Domain - Enter the details for RADIUS Server authentication. Applicable for Samsung for Enterprise devices KNOX 2.0 + version. 8. Anonymous Identity - Enter the username that can be used for anonymous access. Applicable for Samsung for Enterprise devices KNOX 2.0 + version. 9. Encryption Key - Enter the encryption key to access the Wi-Fi network. Click the variables button to insert dynamic values. See Create and Manage Custom Variables for more details on variables.

Click the 'Save' button after entering or selecting the parameters.

The 'Wi-Fi' network' is saved to the profile.

Click 'Add Wi-Fi' and repeat the process to add more Wi-Fi networks.

Click the SSID of the network to view and edit its settings.

You can add or remove Wi-Fi networks at any time. See Edit Configuration Profiles for more details.

Configure 'Other Restrictions' settings

The feature is supported for Samsung for Enterprise (KNOX) devices only.

Click 'Other Restrictions' from the 'Add Profile Section' drop-down

Form Element	Description
Allow USB	Allows users to establish connections via USB ports.
Use Network Time	Allows users to enable/disable network provided values in Date & Time settings.
Allow Microphone	Allows users to use microphone. If this is disabled, users can use microphone for receiving and making calls only.
Allow Near Field Communication (NFC)	Allows devices to establish connection via NFC
Allow Mock Locations	Allows users to enable/disable 'Mock Location' in developer mode settings.
Allow SD Card	Users can use SD card on their devices.
Allow SD Card Write	Users can store data on the SD card
Allow Screen Capture	Users can take screenshot of the device screen.
Allow Clipboard	Users will be allowed to use clipboard memory.
Backup my data	Users will be allowed to take a backup of data in their devices.
Visible Passwords	Allows users to enable/disable show password feature.
Allow USB Debugging	Allows users to enable/disable 'USB Debugging' option in developer mode settings.
Allow Factory Reset	Allows users to reset the device to factory settings.
Allow OTA Upgrade	Allows devices to receive Over-the-air (OTA) upgrade for software updates.

Click the 'Save' button.

The settings are saved and shown under 'Other Restrictions' tab. You can edit the settings or remove the section from the profile at anytime. See Edit Configuration Profiles for more details.

Configure Update Settings

The updates section of a Android profile lets you configure when managed devices should check for new version updates.

Click 'Updates' from the 'Add Profile Section' drop-down

The Updates settings screens will be displayed.

Allow agent to show new version availability pop-up - Forces the endpoint to check the new version update pop-up. Deselect if you want to disable auto-updates.(Default = Enabled)
Update Check Period - Choose how often the agent should check for updates. (Default = 1 hour, Maximum = 1 day)

The available options are:

Choice of every one hour to 1 day.You can increase the update check period by moving the blue coloured dot icon.
The agent checks for a new version update within the selected period.

Click the 'Save' button.
The settings are saved and shown under 'Updates' tab. You can edit the settings or remove the section from the profile at anytime. See Edit Configuration Profiles for more details.

Xcitium Enterprise

Xcitium Enterprise Administrator Guide

English

Profiles for Android Devices