enterprise update |
https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-android-for-work |
This article describes the different settings you can control and restrict on Android Enterprise devices owned by your organization. As part of your mobile device management (MDM) solution, use these settings to allow or disable features, run apps on dedicated devices, control security, and more.
This feature applies to:
Create an Android device restrictions configuration profile .
These settings apply to Android Enterprise enrollment types where Intune controls the entire device, such as Android Enterprise fully managed, dedicated, and corporate-owned work profile devices.
Some settings aren't supported by all enrollment types. To see the supported settings by the different enrollment types, sign into the Intune admin center . Each setting is under a heading that indicates the enrollment types that can use the setting.
Screen capture (work profile-level) : Block prevents screenshots or screen captures on the device. It also prevents the content from being shown on display devices that don't have a secure video output. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might let users capture the screen contents as an image.
Camera (work profile-level) : Block prevents access to the camera on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow access to the camera.
Intune only manages access to the device camera. It doesn't have access to pictures or videos.
Default permission policy (work profile-level) : This setting defines the default permission policy for requests for runtime permissions. Your options
Date and Time changes : Block prevents users from manually setting the date and time. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to set the date and time on the device.
Roaming data services : Block prevents data roaming over the cellular network. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow data roaming when the device is on a cellular network.
Wi-Fi access point configuration : Block prevents users from creating or changing any Wi-Fi configurations. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to change the Wi-Fi settings on the device.
Bluetooth configuration : Block prevents users from configuring Bluetooth on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using Bluetooth on the device.
Tethering and access to hotspots : Block prevents tethering and access to portable hotspots. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow tethering and access to portable hotspots.
USB file transfer : Block prevents transferring files over USB. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow transferring files.
External media : Block prevents using or connecting any external media on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow external media on the device.
Beam data using NFC (work-profile level) : Block prevents using the Near Field Communication (NFC) technology to beam data from apps. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using NFC to share data between devices.
Developer settings : Choose Allow to let users access developer settings on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent users from accessing developer settings on the device.
Microphone adjustment : Block prevents users from unmuting the microphone and adjusting the microphone volume. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to use and adjust the volume of the microphone on the device.
Factory reset protection emails : Choose Google account email addresses. Enter the email addresses of device administrators that can unlock the device after it's wiped. Be sure to separate the email addresses with a semi-colon, such as [email protected];[email protected]. These emails only apply when a non-user factory reset is run, such as running a factory reset using the recovery menu.
When set to Not configured (default), Intune doesn't change or update this setting.
System update : Choose an option to define how the device handles over-the-air updates. Your options:
Device Default (default): Use the device's default setting. By default, if the device is connected to Wi-Fi, is charging, and is idle, then the OS updates automatically. For app updates, the OS also validates if the app isn't running in the foreground.
Automatic : Updates are automatically installed without user interaction. Setting this policy immediately installs any pending updates.
Postponed : Updates are postponed for 30 days. At the end of the 30 days, Android prompts users to install the update. It's possible for device manufacturers or carriers to prevent (exempt) important security updates from being postponed. An exempted update shows a system notification to users on the device.
Maintenance window : Installs updates automatically during a daily maintenance window that you set in Intune. Installation tries daily for 30 days, and can fail if there's insufficient space or battery levels. After 30 days, Android prompts users to install.
This setting applies to operating system and Play Store app updates. Any maintenance window takes precedence over in-progress device changes.
Use this option for dedicated devices, such as kiosks, as single-app dedicated device foreground apps can be updated.
Freeze periods for system updates : Optional. When you set the System update setting to Automatic , Postponed , or Maintenance window , use this setting to create a freeze period:
MM/DD format, up to 90 days long. For example, enter 11/15 to start the freeze period on November 15.
MM/DD format, up to 90 days long. For example, enter 01/15 to end the freeze period on January 15.
During this freeze period, all incoming system updates and security patches are blocked, including manually checking for updates.
When a device's clock is outside the freeze period, the device continues to receive updates based on your System update setting.
To set multiple annually recurring freeze periods, make sure the freeze periods are separated by at least 60 days.
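The freeze period rules above (MM/DD dates, at most 90 days per period, at least 60 days between recurring periods) can be checked before a profile is saved. The following is an added example, not Microsoft's code: the function names, the inclusive day counting, and the 365-day reference year are assumptions made for this sketch.

```python
import re
from datetime import date

REF_YEAR = 2001        # assumption: non-leap reference year (365 days)
YEAR_DAYS = 365
MAX_FREEZE_DAYS = 90   # page: "up to 90 days long"
MIN_GAP_DAYS = 60      # page: "separated by at least 60 days"
_MMDD = re.compile(r"([0-9]{2})/([0-9]{2})")


def day_of_year(mmdd):
    """Convert an MM/DD string to a 1-based day number in the reference year."""
    m = _MMDD.fullmatch(mmdd)
    if not m:
        raise ValueError(f"{mmdd!r} is not in MM/DD format")
    try:
        return date(REF_YEAR, int(m.group(1)), int(m.group(2))).timetuple().tm_yday
    except ValueError:
        # Also raised for 02/29: the page does not say how that date is
        # treated, so this sketch reports it instead of guessing.
        raise ValueError(f"{mmdd!r} is not a calendar date") from None


def period_length(start, end):
    """Inclusive length in days; handles periods that wrap past December 31."""
    return (day_of_year(end) - day_of_year(start)) % YEAR_DAYS + 1


def check_freeze_periods(periods):
    """Return a list of findings for (start, end) MM/DD pairs; empty means OK."""
    findings, parsed = [], []
    for start, end in periods:
        label = f"{start}-{end}"
        try:
            length = period_length(start, end)
            parsed.append((day_of_year(start), length, label))
        except ValueError as exc:
            findings.append(f"{label}: {exc}")
            continue
        if length > MAX_FREEZE_DAYS:
            findings.append(f"{label}: {length} days exceeds {MAX_FREEZE_DAYS}")

    # Periods recur every year, so compare each one with the next start on a
    # circular calendar (the last period is followed by the first again).
    parsed.sort()
    if len(parsed) > 1:
        for i, (s, length, label) in enumerate(parsed):
            nxt_s, _, nxt_label = parsed[(i + 1) % len(parsed)]
            offset = (nxt_s - s) % YEAR_DAYS
            if offset < length:
                findings.append(f"{label} and {nxt_label} overlap")
            elif offset - length < MIN_GAP_DAYS:
                findings.append(
                    f"{label} and {nxt_label}: only {offset - length} days "
                    f"apart, need {MIN_GAP_DAYS}"
                )
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's 11/15 to 01/15 period plus a second
    # period that starts too soon after it.
    for finding in check_freeze_periods([("11/15", "01/15"), ("02/01", "03/01")]):
        print(finding)
```

Because devices receive no security patches during a freeze period, a check like this is also a convenient place to log how many days per year a profile leaves devices unpatched.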
This setting applies to:
Location : Block disables the Location setting on the device and prevents users from turning it on. When this setting is disabled, then any other setting that depends on the device location is affected, including the Locate device remote action that admins use. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using location on the device.
Volume changes : Block prevents users from changing the device's volume, and also mutes the main volume. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using the volume settings on the device.
Factory reset : Block prevents users from using the factory reset option in the device's settings. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to use this setting on the device.
Status bar : Block prevents access to the status bar, including notifications and quick settings. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users access to the status bar.
Wi-Fi setting changes : Block prevents users from changing Wi-Fi settings created by the device owner. Users can create their own Wi-Fi configurations. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to change the Wi-Fi settings on the device.
USB storage : Choose Allow to access USB storage on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent access to USB storage.
Network escape hatch : Enable allows users to turn on the network escape hatch feature. If a network connection isn't made when the device boots, then the escape hatch asks to temporarily connect to a network and refresh the device policy. After you apply the policy, the temporary network is forgotten and the device continues booting. This feature connects devices to a network if:
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent users from turning on the network escape hatch feature on the device.
Notification windows : When set to Disable , window notifications, including toasts, incoming calls, outgoing calls, system alerts, and system errors aren't shown on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might show notifications.
Skip first use hints : Enable hides or skips suggestions from apps that step through tutorials, or hints when the app starts. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might show these suggestions when the app starts.
Power button menu : Block hides the power options when users hold down the power button when in kiosk mode. Hiding these options prevents users from accidentally or intentionally shutting down devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, when users hold down the power button on a device, they're shown power options, such as Restart and Power off.
This setting applies to:
System error warnings : Allow shows system warnings on the screen when in kiosk mode, including unresponsive apps and system warnings. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might hide these warnings. When one of these events occurs, the system forces the app to close.
This setting applies to:
Enabled system navigation features : Allow users to access the device home and overview buttons when in kiosk mode. Your options:
Not configured (default): Intune doesn't change or update this setting. By default, the OS might disable the device home and overview buttons.
Home button only : Users can see and select the home button. They can't see or select the overview buttons.
Home and overview buttons : Users can see and select the home and overview buttons.
When a device is enrolled and using the Managed Home Screen app, enabling the Overview button allows end users to skip or ignore the sign in and session PIN screens. The screens are still shown, but users can ignore them, and aren't required to enter anything.
This setting applies to:
System notifications and information : Allow users to access the device status bar, and receive notifications from the status bar when in kiosk mode. Your options:
This setting applies to:
End-user access to device settings : Block prevents users from accessing the Settings app and prevents other apps in kiosk mode from opening the Settings app. If the device is a kiosk, then set this setting to Block .
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to access the Settings and allow apps in Kiosk mode to open the Settings app.
This setting applies to:
Contact sharing via Bluetooth (work profile-level) : Block prevents users from sharing their work profile contacts with devices over Bluetooth. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to share their contacts via Bluetooth.
Search work contacts and display work contact caller-id in personal profile : In the personal profile, Block prevents users from searching work contacts, and showing work caller ID information.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow searching work contacts, and show work caller IDs.
Copy and paste between work and personal profiles : Allow lets users copy and paste data between the work and personal profiles.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might:
Data sharing between work and personal profiles : Choose if data can be shared between work and personal profiles. Your options:
Threat scan on apps : Require (default) enables Google Play Protect to scan apps before and after they're installed. If it detects a threat, it might warn users to remove the app from the device. When set to Not configured , Intune doesn't change or update this setting. By default, the OS might not enable or run Google Play Protect to scan apps.
Common Criteria mode : Require enables an elevated set of security standards that are most often used in highly sensitive organizations, such as government establishments. Those settings include but aren't limited to:
When set to Not configured (default), Intune doesn't change or update this setting.
Learn more about Common Criteria:
Use these settings to configure a kiosk-style experience on your dedicated or fully managed devices, or to customize the home screen experiences on your fully managed devices. If you’re not sure which experience to configure, the diagram below can help you decide on the right option for your devices. If you’re still uncertain, see Selecting a home screen experience for your Android Enterprise corporate-owned devices .
Device experience type : Select a device experience type to start configuring Microsoft Launcher or the Microsoft Managed Home Screen on your devices. Your options:
Not configured : Intune doesn't change or update this setting. By default, users might see the device's default home screen experience.
Kiosk mode (dedicated and fully managed) : Configure a kiosk-style experience on your dedicated and fully managed devices. You can configure devices to run one app, or run many apps. When a device is set with kiosk mode, only the apps you add are available. Before you configure these settings, be sure to add, and assign the apps you want on the devices.
Kiosk mode : Choose if the device runs one app or runs multiple apps.
When using kiosk mode (single-app or multi-app), by default, the platform disables familiar user interfaces and workflows. Some of these features can be re-enabled on OS 9 and newer. For example, when a device is operating in a kiosk state, the system changes some behaviors, including:
To use dialer & phone applications, or for your users to receive push notifications in kiosk mode, use the Fully managed and Dedicated devices (kiosk mode only) > Enabled system navigation features (with Home button options) and System notifications and information settings (in this article). These features are available on Android devices running 9.0 and newer.
On OS 9 and newer, the Device password > Disable lock screen (in this article) setting manages the device's lock screen behavior.
Kiosk mode does not prevent the kiosk application from being able to launch other applications which are installed on the device, including the device Settings application. Admins should ensure that all applications enabled in kiosk mode do not launch other applications which users should not have access to and uninstall any applications which are not necessary on the device.
Your kiosk mode options:
Not configured : Intune doesn't change or update this setting.
Single app : When users are on the devices, they can only access the app you selected. When the device starts, only the specific app starts. Users are restricted from changing the running app.
Select an app to use for kiosk mode : Select the Managed Google Play or Android Enterprise system app from the list. For single-app dedicated and fully managed devices, the app you select must be :
Assigned to the device group created for your dedicated or fully managed devices.
On fully managed devices, the only selected app that will apply is Managed Home Screen. All other apps will be treated as a required app instead.
Multi-app : Users can access a limited set of apps on the device. When the device starts, only the apps you add start. You can also add some web links that users can open. When the policy is applied, users see icons for the allowed apps on the home screen.
For multi-app dedicated and fully managed devices, the Managed Home Screen app isn't required to be in the configuration profile, but the Managed Home Screen app from Google Play must be :
Also, any packages you want launchable from Managed Home Screen must be :
When the Managed Home Screen app is added, any other installed apps you add in the configuration profile are shown as icons on the Managed Home Screen app.
For more information on the Managed Home screen, see Setup Microsoft Managed Home Screen on dedicated and fully managed devices in multi-app kiosk mode .
Not all Managed Home Screen settings are available from the device restrictions page. To view all settings available for Managed Home Screen , see Configure the Microsoft Managed Home Screen app .
Custom app layout : Enable lets you put apps and folders in different places on the Managed Home Screen. When set to Not configured , Intune doesn't change or update this setting. By default, the apps and folders you add are shown on the home screen in alphabetical order.
Grid size : Select the size of your home screen. An app or folder takes one place on the grid.
Home screen : Select the add button, and select an app from the list. Select the Folder option to create a folder, enter the Folder name , and add apps from your list to the folder.
When you add items, select the context menu to remove items, or move them to different positions:
Add : Select your apps from the list.
If the Managed Home Screen app isn't listed, then add it from Google Play . Be sure to assign the app to the device group created for your dedicated or fully managed devices.
You can also add other Android apps and web apps created by your organization to the device. Be sure to assign the app to the device group created for your dedicated or fully managed devices .
Important
When using multi-app mode, every app in the policy must be a required app, and must be assigned to the devices. If an app isn't required, or isn't assigned, then the devices can lock out users, and show a "Contact your IT admin. This phone will be erased." message.
Applications added within MHS are not prevented from launching other applications installed on the device. Admins should ensure that all applications allowed within MHS do not launch other applications users should not have access to and uninstall any applications which are not necessary on the device.
Lock home screen : Enable prevents users from moving app icons and folders. They're locked, and can't be dragged-and-dropped to different places on the grid. When set to Not configured , Intune doesn't change or update this setting. By default, users can move these items.
Folder icon : Select the color and shape of the folder icon that's on the Managed Home Screen. Your options:
App and Folder icon size : Select the size of the folder icon that's on the Managed Home Screen. Your options:
Not configured
Extra small
Small
Average
Large
Extra large
Depending on the screen size, the actual icon size can be different.
Screen orientation : Select the direction the Managed Home Screen is shown on devices. Your options:
App notification badges : Enable shows the number of new and unread notifications on app icons. When set to Not configured , Intune doesn't change or update this setting.
Virtual home button : A soft-key button that returns users to the Managed Home Screen so users can switch between apps. Your options:
Leave kiosk mode : Enable allows Administrators to temporarily pause kiosk mode to update the device. To use this feature, the administrator:
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent administrators from pausing kiosk mode. If the administrator keeps selecting the back button, and selects the Exit kiosk button, then a message states that a passcode is required.
Leave kiosk mode code : Enter a 4-6 digit numeric PIN. The administrator uses this PIN to temporarily pause kiosk mode.
Set custom URL background : Enter a URL to customize the background screen on the dedicated or fully managed device. For example, enter http://contoso.com/backgroundimage.jpg.
For most cases, we recommend starting with images of at least the following sizes:
For the best experience and crisp details, it's suggested that per device image assets be created to the display specifications.
Modern displays have higher pixel densities and can display equivalent 2K/4K definition images.
Shortcut to settings menu : Disable hides the Managed Settings shortcut on the Managed Home Screen. Users can still swipe down to access the settings. On the updated Managed Home Screen workflow, the Managed Settings menu is available from the top bar. When set to Not configured (default), Intune doesn't change or update this setting. By default, the Managed Settings shortcut is shown on devices. Users can also swipe down to access these settings. On the updated Managed Home Screen workflow, users can select the settings icon to access settings.
Quick access to debug menu : This setting controls how users access the debug menu. Your options:
In the debug menu, users can:
Wi-Fi configuration : Enable shows the Wi-Fi control on the Managed Home Screen, and allows users to connect the device to different Wi-Fi networks. Enabling this feature also turns on device location. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show the Wi-Fi control on the Managed Home Screen. It prevents users from connecting to Wi-Fi networks while using the Managed Home Screen.
Wi-Fi allow list : Create a list of valid wireless network names, also known as the service set identifier (SSID). Managed Home Screen users can only connect to the SSIDs you enter.
Wi-Fi SSIDs are case sensitive. If the SSID is valid but the capitalization you enter doesn't match the network name, then the network isn't shown.
When left blank, Intune doesn't change or update this setting. By default, all available Wi-Fi networks are allowed.
Import a .csv file that includes a list of valid SSIDs.
Export your current list to a .csv file.
SSID : You can also enter the Wi-Fi network names (SSID) that Managed Home Screen users can connect to. Be sure to enter valid SSIDs.
Important
In the October 2020 release, the Managed Home Screen API was updated to be compliant with the Google Play Store requirements. The following changes impact Wi-Fi configuration policies in the Managed Home Screen:
Users can't enable or disable Wi-Fi connections on devices. Users can switch between Wi-Fi networks, but can't turn Wi-Fi on or off.
If a Wi-Fi network is password protected, then users must enter the password. After they enter the password, the configured network automatically connects. If they disconnect and then reconnect to the Wi-Fi network, then users might need to enter the password again.
On Android 11 devices, when users connect to a network using the Managed Home Screen, they're prompted to consent. This prompt comes from Android, and isn't specific to the Managed Home Screen.
On Android 10 devices, when users connect to a network using the Managed Home Screen, a notification prompts them to consent. So, users need access to the status bar and notifications to consent. To enable system notifications, see General settings for fully managed and dedicated devices (in this article).
On Android 10 devices, when users connect to a password protected Wi-Fi network using the Managed Home Screen, they're prompted for the password. If the device is connected to an unstable network, then the Wi-Fi network changes. This behavior happens even when users enter the correct password.
Bluetooth configuration : Enable shows the Bluetooth control on the Managed Home Screen, and allows users to pair devices over Bluetooth. Enabling this feature also turns on device location. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show the Bluetooth control on the Managed Home Screen. It prevents users from configuring Bluetooth and pairing devices while using the Managed Home Screen.
Important
For devices running on Android 10+ and using Managed Home Screen, for Bluetooth pairing to successfully work on devices that require a pairing key, admins must enable the following Android system apps:
For more information on how to enable Android system apps, go to: Manage Android Enterprise system apps
Flashlight access : Enable shows the flashlight control on the Managed Home Screen, and allows users to turn the flashlight on or off. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show the flashlight control on Managed Home Screen. It prevents users from using the flashlight while using the Managed Home Screen.
Media volume control : Enable shows the media volume control on the Managed Home Screen, and allows users to adjust the device's media volume using a slider. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show the media volume control on Managed Home Screen. It prevents users from adjusting the device's media volume while using the Managed Home Screen, unless their hardware buttons support it.
Quick access to device information : Enable allows users to swipe down to see the device information on the Managed Home Screen, such as the serial number, make and model number, and SDK level. When set to Not configured (default), Intune doesn't change or update this setting. By default, the device information might not be shown.
Screen saver mode : Enable shows a screensaver on the Managed Home Screen when the device is locked or times out. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show a screensaver on the Managed Home Screen.
When enabled, also configure:
Set custom screen saver image : Enter the URL to a custom PNG, JPG, JPEG, GIF, BMP, WebP, or ICO image. If you don't enter a URL, then the device's default image is used, if there's a default image.
For example, enter:
http://www.contoso.com/image.jpg
www.contoso.com/image.bmp
https://www.contoso.com/image.webp
Any file resource URL that can be turned into a bitmap is supported.
Number of seconds the device shows screen saver before turning off screen : Choose how long the device shows the screensaver. Enter a value between 0-9999999 seconds. Default is 0 seconds. When left blank, or set to zero (0), the screen saver is active until a user interacts with the device.
Number of seconds the device is inactive before showing screen saver : Choose how long the device is idle before showing the screensaver. Enter a value between 1-9999999 seconds. Default is 30 seconds. You must enter a number greater than zero (0).
Detect media before starting screen saver : Enable (default) doesn't show the screen saver if audio or video is playing on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might show the screen saver, even if audio or video is playing.
Managed Home Screen starts the screensaver whenever the lock screen appears:
MHS Sign-in screen ( Dedicated devices only ): Enable shows a sign-in screen on the Managed Home Screen. When set to Not configured (default), Intune doesn't change or update this setting. This sign-in screen and related settings are intended for use on dedicated devices enrolled with Microsoft Entra shared device mode.
When enabled, also configure:
Choose complexity of PIN for sign-in session : Select the complexity of the session PIN. Your options:
For more information on this setting, see Complexity of session PIN at Configure the Microsoft Managed Home Screen app for Android Enterprise .
Require user to enter session PIN if screensaver has appeared : Select Enable to require the user to enter their session PIN to resume using the Managed Home Screen after the screensaver shows.
Microsoft launcher (fully managed only) : Configures the Microsoft Launcher app on fully managed devices. This option is best suited for devices which should provide the end user access to all applications and settings on the device.
Make Microsoft Launcher the default launcher : Enable sets Microsoft Launcher as the default launcher on the home screen. If you make Launcher the default, users can't use another launcher. When set to Not configured (default), Intune doesn't change or update this setting. By default, the Microsoft Launcher isn't forced as the default launcher.
Configure custom wallpaper : In the Microsoft Launcher app, Enable lets you apply your own image as the home screen wallpaper, and choose if users can change the image. When set to Not configured (default), Intune doesn't change or update this setting. By default, the device keeps its current wallpaper.
http://www.contoso.com/image.jpg.
Enable launcher feed : Enable turns on the launcher feed, which shows calendars, documents, and recent activities. When set to Not configured (default), Intune doesn't change or update this setting. By default, this feed isn't shown.
Dock presence : The dock gives users quick access to their apps and tools. Your options:
Allow user to change dock presence : Enable allows users to show or hide the dock. Enable only forces this setting the first time the profile is assigned. Any future profile assignments don't force this setting. When set to Not configured (default), Intune doesn't change or update this setting. By default, users aren't allowed to change the device dock configuration.
Search bar replacement : Choose where to put the search bar. Your options:
Required password type : Enter the required password complexity level, and whether biometric devices can be used. Your options:
Device default (default): Most devices don't require a password when set to Device default . If you want to require users to set up a passcode on their devices, configure this setting to something more secure than Device default .
Password required, no restrictions
Weak biometric : Strong vs. weak biometrics (opens Android's web site)
Numeric : Password must only be numbers, such as 123456789. Also enter:
Numeric complex : Repeated or consecutive numbers, such as 1111 or 1234, aren't allowed. Also enter:
Alphabetic : Letters in the alphabet are required. Numbers and symbols aren't required. Also enter:
Alphanumeric : Includes uppercase letters, lowercase letters, and numeric characters. Also enter:
Alphanumeric with symbols : Includes uppercase letters, lowercase letters, numeric characters, punctuation marks, and symbols. Also enter:
1, 2, 3, and so on) the password must have, between 0 and 16 characters.
&, #, %, and so on) the password must have, between 0 and 16 characters.
Number of days until password expires : Enter the number of days until the device password must be changed, from 1-365. For example, enter 90 to expire the password after 90 days. When the password expires, users are prompted to create a new password. When the value is blank, Intune doesn't change or update this setting.
Number of passwords required before user can reuse a password : Use this setting to restrict users from creating previously used passwords. Enter the number of previously used passwords that can't be used, from 1-24. For example, enter 5 so users can't set a new password to their current password or any of their previous four passwords. When the value is blank, Intune doesn't change or update this setting.
Number of sign-in failures before wiping device : Enter the number of wrong passwords allowed before the device is wiped, from 4-11. When the value is blank, Intune doesn't change or update this setting.
Users on fully managed and corporate-owned work profile devices are not prompted to set a password. The settings are required, but users might not be notified. Users need to set the password manually. The policy reports as failed until the user sets a password that meets your requirements.
To apply the device password settings during device enrollment, assign the device restriction profile to users, not devices. During enrollment, users are asked to set a screen lock. Then, they must choose a device password that meets all the requirements in this device restriction profile.
On dedicated devices, if the device is set up with single or multi-app kiosk mode, then users are prompted to set a password. Screens force and guide users to create a compliant password before they can continue using the device.
On dedicated devices that are not using kiosk mode, users are not notified of any password requirement. Users need to set the password manually. The policy reports as failed until the user sets a password that meets your requirements.
Disabled lock screen features : When the device is locked, choose the features that can't be used. For example, when Secure camera is checked, the camera feature is disabled on the device. Any features not checked are enabled on the device.
These features are available to users when the device is locked. Users won't see or access the features that you check.
Required unlock frequency : Strong authentication is when users unlock a device using a password, PIN, or pattern. Non-strong authentication methods are when users unlock a device using some biometric options, such as a fingerprint or face scan.
Select how long users have before they're required to unlock the device using a strong authentication method. Your options:
2.3.4 Advanced passcode management: Strong Authentication required timeout (opens Android's web site)
10 minutes, then users can set the time from 15 seconds up to 10 minutes. When set to Not configured (default), Intune doesn't change or update this setting.
If you want to enable side-loading, set the Allow installation from unknown sources and Allow access to all apps in Google Play store settings to Allow .
Allow installation from unknown sources : Allow lets users turn on Unknown sources . This setting allows apps to install from unknown sources, including sources other than the Google Play Store. It allows users to side-load apps on the device using means other than the Google Play Store. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent users from turning on Unknown sources .
App auto-updates (work profile-level) : Devices check for app updates daily. Choose when automatic updates are installed. Your options:
Allow access to all apps in Google Play store :
When set to Block :
Warning
If you change this setting from Allow to Block , then any app not marked as Required or Available is automatically uninstalled from the device.
When set to Allow :
For more information on excluding users and groups from specific apps, go to Include and exclude app assignments .
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS:
The following settings are part of Google's delegated scope feature:
Allow other apps to install and manage certificates : Select Add to select existing apps for this permission. You can add multiple apps. The selected apps are granted access to install and manage certificates.
To use this setting, your Managed Google Play app must use delegated scopes. For more information, go to Android's built-in app configurations and Android delegation scopes (opens Android's web site).
Allow this app to access Android security logs : Select the app that should have this permission. You can only select one app. The app is granted access to the security logs.
To use this setting, your Managed Google Play app must use delegated scopes. For more information, go to Android's built-in app configurations and Android delegation scopes (opens Android's web site).
Allow this app to access Android network activity logs : Select the app that should have this permission. You can only select one app. The app is granted access to the network activity logs.
To use this setting, your Managed Google Play app must use delegated scopes. For more information, go to Android's built-in app configurations and Android delegation scopes (opens Android's web site).
If there's a conflict with one of these settings, then the conflict applies to all three settings. Make sure you give the Allow this app to access Android security logs and Allow this app to access Android network activity logs permissions to only one app. You can give these permissions to the same app, but not different apps.
For more information, go to Android Management API - DelegatedScope (opens Google's web site).
Clear local data in apps not optimized for Shared device mode : Add any app not optimized for shared device mode to the list. The app's local data is cleared whenever a user signs out of an app that's optimized for shared device mode. Available for dedicated devices enrolled with Shared mode running Android 9 and later.
When you use this setting, users can't initiate sign out from non-optimized apps and don't get single sign out.
All non-optimized apps should be thoroughly tested before being used in multi-user scenarios on shared devices to ensure they work as expected. For example, validate your core scenarios in each app, verify that the app signs out properly, and that all data is sufficiently cleared for your organization's needs.
Always-on VPN (work profile-level) : Enable sets the VPN client to automatically connect and reconnect to the VPN. Always-on VPN connections stay connected, or immediately connect when users lock their device, the device restarts, or the wireless network changes.
Choose Not configured to disable always-on VPN for all VPN clients.
Important
Be sure to deploy only one Always-on VPN policy to a single device. Deploying multiple Always-on VPN policies to a single device isn't supported.
VPN client : Choose a VPN client that supports Always On. Your options:
https://play.google.com/store/details?id=com.contosovpn.android.prod, then the package ID is com.contosovpn.android.prod.
Important
Lockdown mode : Enable forces all network traffic to use the VPN tunnel. If a connection to the VPN isn't established, then the device won't have network access. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow traffic to flow through the VPN tunnel or through the mobile network.
Recommended global proxy : Enable adds a global proxy to the devices. When enabled, HTTP and HTTPS traffic use the proxy you enter, including some apps on the device. This proxy is only a recommendation. It's possible some apps won't use the proxy. Not configured (default) doesn't add a recommended global proxy.
For more information on this feature, see setRecommendedGlobalProxy (opens an Android site).
When enabled, also enter the Type of proxy. Your options:
Direct : Manually enter the proxy server details, including:
proxy.contoso.com or 127.0.0.1.
8080.
*) wildcard and multiple hosts separated by semicolons (;) with no spaces. For example, enter 127.0.0.1;web.contoso.com;*.microsoft.com.
Proxy Auto-Config : Enter the PAC URL to a proxy autoconfiguration script. For example, enter https://proxy.contoso.com/proxy.pac.
For more information on PAC files, see Proxy Auto-Configuration (PAC) file (opens a non-Microsoft site).
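The Direct and Proxy Auto-Config values described above can be checked before they go into a profile. The following is an added example, not Microsoft or Intune code; the host-label grammar, the rule that `*` is valid only as a whole leading label, and the plain-HTTP PAC check are assumptions of this sketch.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: host labels follow the usual letters/digits/hyphen rule.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_host(value):
    """True for a dotted IPv4 address or a DNS-style host name."""
    if re.fullmatch(r"[0-9.]+", value):
        try:
            ipaddress.IPv4Address(value)
            return True
        except ValueError:
            return False
    return bool(_HOSTNAME_RE.fullmatch(value))


def check_excluded_hosts(value):
    """Return the problems found in a semicolon-separated exclusion list."""
    if value == "":
        return []  # assumption: an empty exclusion list is acceptable
    problems = []
    if re.search(r"\s", value):
        problems.append("whitespace found; join entries with ';' and no spaces")
    for entry in (part.strip() for part in value.split(";")):
        if not entry:
            problems.append("empty entry (doubled or trailing ';')")
            continue
        # Assumption: '*' is only valid as a whole leading label (*.microsoft.com).
        host = entry[2:] if entry.startswith("*.") else entry
        if not is_host(host):
            problems.append(f"not a host or wildcard pattern: {entry!r}")
    return problems


def check_direct_proxy(host, port, excluded_hosts=""):
    """Validate the three Direct proxy fields together."""
    problems = []
    if not is_host(host):
        problems.append(f"proxy host is not a host name or IPv4 address: {host!r}")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        problems.append(f"port must be an integer from 1 to 65535: {port!r}")
    return problems + check_excluded_hosts(excluded_hosts)


def check_pac_url(url):
    """Flag PAC URLs that are malformed or fetched over plain HTTP."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return [f"not an http(s) URL with a host: {url!r}"]
    if parsed.scheme == "http":
        return ["PAC script is fetched over plain HTTP and can be altered in transit"]
    return []


if __name__ == "__main__":
    # Values taken from the examples on this page.
    print(check_direct_proxy("proxy.contoso.com", 8080,
                             "127.0.0.1;web.contoso.com;*.microsoft.com"))
    # Constructed bad input: a space after ';' and an empty entry.
    print(check_excluded_hosts("127.0.0.1; web.contoso.com;;*.microsoft.com"))
    print(check_pac_url("https://proxy.contoso.com/proxy.pac"))
```
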
These settings apply to corporate-owned work profiles.
Required password type : Enter the required password complexity level, and whether biometric devices can be used. Your options:
Device default
Password required, no restrictions
Weak biometric : Strong vs. weak biometrics (opens Android's web site)
Numeric : Password must only be numbers, such as 123456789. Also enter:
Numeric complex : Repeated or consecutive numbers, such as 1111 or 1234, aren't allowed. Also enter:
Alphabetic : Letters in the alphabet are required. Numbers and symbols aren't required. Also enter:
Alphanumeric : Includes uppercase letters, lowercase letters, and numeric characters. Also enter:
Alphanumeric with symbols : Includes uppercase letters, lowercase letters, numeric characters, punctuation marks, and symbols. Also enter:
1, 2, 3, and so on) the password must have, between 0 and 16 characters.
&, #, %, and so on) the password must have, between 0 and 16 characters.
Number of days until password expires : Enter the number of days until the device password must be changed, from 1-365. For example, enter 90 to expire the password after 90 days. When the password expires, users are prompted to create a new password. When the value is blank, Intune doesn't change or update this setting.
Number of passwords required before user can reuse a password : Use this setting to restrict users from creating previously used passwords. Enter the number of previously used passwords that can't be used, from 1-24. For example, enter 5 so users can't set a new password to their current password or any of their previous four passwords. When the value is blank, Intune doesn't change or update this setting.
Number of sign-in failures before wiping device : Enter the number of wrong passwords allowed before the device is wiped, from 4-11. 0 (zero) might disable the device wipe functionality. When the value is blank, Intune doesn't change or update this setting.
Fully managed, dedicated, and corporate-owned work profile devices are not prompted to set a password. The settings are required, but users might not be notified. Users need to set the password manually. The policy reports as failed until the user sets a password that meets your requirements.
Required unlock frequency : Strong authentication is when users unlock the work profile using a password, PIN, or pattern. Non-strong authentication methods are when users unlock the work profile using some biometric options, such as a fingerprint or face scan.
Select how long users have before they're required to unlock the work profile using a strong authentication method. Your options:
2.3.4 Advanced passcode management: Strong Authentication required timeout (opens Android's web site)
Using these settings, you can customize some support messages shown to users, and show these messages in different languages.
By default, the OEM default messages are shown. When you deploy a custom message using Intune, the Intune default message is also deployed. If you don't enter a custom message for the device's default language, then the Intune default message is automatically shown.
By default, the Intune default message is in English (United States) .
For example, you deploy a custom message for English and French. The user changes the device's default language to Spanish. Since you didn't deploy a custom message to the Spanish language, then the Intune default message is shown.
The Intune default message is translated for all languages in the Endpoint Manager admin center ( Settings > Language + Region ). The Language setting value determines the default language used by Intune. By default, it's set to English .
You can configure the following settings:
Short support message : When users try to change a setting that's managed by the organization, a short message is shown.
Using the following settings, you can customize this message and enter a different message for different languages. By default, this message is in English (United States) .
All, except when specified : This message is the Intune default message, and is shown for all languages. If you don't enter a custom message, then this text is automatically shown. This text is also automatically translated to the device's default language.
You can change this message. Any changes aren't translated. If you delete all the text in this message and leave this setting blank, then the following original short Intune default message is used and is translated:
You do not have permission for this action. For more information, contact your IT admin.
Select Locale : Select the locale or region to show a different custom message for that specific locale.
For example, to show a custom message on devices using Spanish as the default language, select Spanish (Spain) . Only devices using the Spanish (Spain) default language see your custom message. All other languages see the All, except when specified message text.
You can add multiple locales and messages.
Message : Enter the text you want shown, a max of 200 characters. The text you enter isn't translated to the device's default language. So if you want to show a message in Spanish, enter the text in Spanish.
Long support message : On the device, in Settings > Security > Device admin apps > Device Policy , a long support message is shown.
Using the following settings, you can customize this message and enter a different message for different languages. By default, this message is in English (United States) .
All, except when specified : This message is the Intune default message, and is shown for all languages. If you don't enter a custom message, then this text is automatically shown, and is automatically translated to the device's default language.
You can change this message. Any changes aren't translated. If you delete all the text in this message and leave this setting blank, then the following original long Intune default message is used and is translated:
The organization's IT admin can monitor and manage apps and data associated with this device, including settings, permissions, corporate access, network activity and the device's location information.
Select Locale : Select the locale or region to show a different custom message for that specific locale.
For example, to show a custom message on devices using Spanish as the default language, select Spanish (Spain) . Only devices using the Spanish (Spain) default language see your custom message. All other languages see the All, except when specified message text.
You can add multiple locales and messages.
Message : Enter the text you want shown, a max of 4096 characters. The text you enter isn't translated to the device's default language. So if you want to show a message in Spanish, enter the text in Spanish.
Lock screen message : Enter the text you want shown on the device lock screen.
Using the following settings, you can customize this message and enter a different message for different languages. By default, this message is in English (United States) .
All, except when specified : Enter the text you want shown for all languages, a max of 4096 characters. This text is automatically translated to the device's default language. If you don't enter a custom message, then Intune doesn't change or update this setting. By default, the OS might not show a lock screen message.
Select Locale : Select the locale or region to show a different custom message for that specific locale.
For example, to show a custom message on devices using Spanish as the default language, select Spanish (Spain) . Only devices using the Spanish (Spain) default language see your custom message. All other languages see the All, except when specified message text.
You can add multiple locales and messages.
Message : Enter the text you want shown, a max of 4096 characters. The text you enter isn't translated to the device's default language. So if you want to show a message in Spanish, enter the text in Spanish.
When you configure the Lock screen message , you can also use the following device tokens to show device-specific information:
{{AADDeviceId}} : Microsoft Entra device ID
{{AccountId}} : Intune tenant ID or account ID
{{DeviceId}} : Intune device ID
{{DeviceName}} : Intune device name
{{domain}} : Domain name
{{EASID}} : Exchange Active Sync ID
{{IMEI}} : IMEI of the device
{{mail}} : Email address of the user
{{MEID}} : MEID of the device
{{partialUPN}} : UPN prefix before the @ symbol
{{SerialNumber}} : Device serial number
{{SerialNumberLast4Digits}} : Last four digits of the device serial number
{{UserId}} : Intune user ID
{{UserName}} : User name
{{userPrincipalName}} : UPN of the user
Variables aren't validated in the UI and are case sensitive. As a result, you can see profiles saved with incorrect input. For example, if you enter {{DeviceID}}, instead of {{deviceid}} or {{DEVICEID}}, then the literal string is shown instead of the device's unique ID. Be sure to enter the correct information. All lowercase or all uppercase variables are supported, but not a mix.
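Because the admin center doesn't validate these variables, a lock screen message can be linted before the profile is saved. The following is an added example, not Microsoft or Intune code; it assumes the accepted spellings are the one listed above, all lowercase, and all uppercase, and the sample message is constructed.

```python
import re

# Token names exactly as listed on this page.
LISTED_TOKENS = [
    "AADDeviceId", "AccountId", "DeviceId", "DeviceName", "domain",
    "EASID", "IMEI", "mail", "MEID", "partialUPN", "SerialNumber",
    "SerialNumberLast4Digits", "UserId", "UserName", "userPrincipalName",
]
MAX_LOCK_SCREEN_CHARS = 4096  # limit stated for the lock screen message

_BY_LOWER = {name.lower(): name for name in LISTED_TOKENS}
_TOKEN_RE = re.compile(r"\{\{([^{}]*)\}\}")

# Constructed sample: two usable tokens, one mixed-case token, one unknown name.
SAMPLE_MESSAGE = (
    "Property of Contoso. Device {{DeviceName}} / {{serialnumber}} / "
    "{{DeviceID}} / {{AssetTag}}"
)


def lint_lock_screen_message(message):
    """Return (problem, token_text, hint) tuples; an empty list means clean."""
    findings = []
    if len(message) > MAX_LOCK_SCREEN_CHARS:
        findings.append(("too_long", "",
                         f"{len(message)} characters, limit is {MAX_LOCK_SCREEN_CHARS}"))
    for match in _TOKEN_RE.finditer(message):
        raw, name = match.group(0), match.group(1)
        listed = _BY_LOWER.get(name.lower())
        if listed is None:
            # Not one of the documented tokens, so it would be shown as typed.
            findings.append(("unknown_token", raw, "not in the token list"))
        elif name not in (listed, listed.lower(), listed.upper()):
            # Known token in a casing the page says is shown as a literal string.
            hint = "use {{" + listed.lower() + "}} or {{" + listed.upper() + "}}"
            findings.append(("mixed_case", raw, hint))
    # Anything brace-like that is left over is an unbalanced or single-brace token.
    leftover = _TOKEN_RE.sub("", message)
    if "{" in leftover or "}" in leftover:
        findings.append(("stray_brace", "", "unbalanced braces outside a {{token}}"))
    return findings


if __name__ == "__main__":
    for problem, token, hint in lint_lock_screen_message(SAMPLE_MESSAGE):
        print(f"{problem}: {token} ({hint})")
```
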
Assign the profile and monitor its status .
You can also create dedicated device kiosk profiles for Android and Windows 10 devices.
Configure and troubleshoot Android enterprise devices in Microsoft Intune .