With Safetica Mobile, you can protect company data by combining restrictions and managed app configurations. Using different policies, you can achieve various levels of security. Safetica Mobile automates this process via managed app configurations and restrictions, which pre-configure app settings without any user intervention.
The first thing you can do to secure company data is to set up restrictions properly. Restrictions allow the administrator to disable some of the device apps or features. The list of all possible restrictions can be found in the Safetica Knowledge Base. The fundamental restrictions are:
- Disable cross profile copy and paste (Work profile mode)
Users are not allowed to paste clipboard data from managed work profiles and apps to a personal profile.
- Disable install from unknown sources
Users are not allowed to enable the Unknown Sources setting, which allows the installation of apps from unknown sources.
- Disable account modification
Users are not allowed to add or remove accounts. This setting prevents users from adding personal accounts and sending sensitive company data through them.
- Disable Bluetooth sharing and Disable outgoing Android Beam
This setting prevents users from sending files via Bluetooth and/or NFC.
You can see the difference on the screenshots below. On the first screenshot, NFC and Bluetooth are disabled. Users can only send files via apps managed by administrators (small briefcase icon). The second screenshot shows an example of when users can send files through these channels.
Recommended app configurations
The security of mobile devices can be increased by configuring managed apps. Each app has its own set of configurations. You can learn more about this topic in the Safetica Knowledge Base.
- Email Address
A field that supports either a specific email address (firstname.lastname@example.org) or the variable value $email$ (the email from the invitation) to set up the user’s email address dynamically.
- Hostname or Host
The complete hostname of an ActiveSync server, such as hostname.company.com:443/path.
- Allow Unmanaged Accounts
Allow users to add or remove any Exchange accounts other than the account specified in the managed configuration. If this setting is enabled, you cannot prevent users from adding other Exchange accounts to Gmail. You also cannot control data sharing between other apps and Exchange accounts added by users. This setting should be enabled only if users need to maintain more than one work-related Exchange account in Gmail.
- Email address
A field that supports either a specific email address (email@example.com) or the variable value $email$ (the email from the invitation) to set up the user’s email address dynamically.
- Exchange server URL
Specify the fully qualified domain name (FQDN) of your Exchange On-Premises server.
- Domain of user account
Specify your domain name.
Specify the username of the Exchange account. You can use one of the dynamic variables ($email$, $username$, or $fullname$).
- Allowed accounts
Specify this setting to restrict the sign-in option to specific accounts.
Chrome and Edge
- Block access to a list of URLs
This setting prevents the user from loading web pages from blacklisted URLs. The blacklist is a list of URL patterns that specify which URLs cannot be accessed.
A URL pattern must be in the format ["*"].
["safetica.com"] – safetica.com is blocked
["*"] – all websites are blocked
You can find more information about using blacklists and whitelists in https://www.chromium.org/administrators/url-blacklist-filter-format
- Allow access to a list of URLs
Allows access to listed URLs, which serve as exceptions to restrictive URL blacklists. For example, ["*"] can be blacklisted to block all URLs, and this setting can be used to allow access to a limited list of addresses. See the description of URL blacklists for the format of entries.
- Define domains allowed to access G Suite
Enables Google Chrome's restricted login feature in G Suite and prevents users from changing this setting. If you define this setting, the user will only be able to access Google Apps using accounts from specified domains (note that to allow gmail.com/googlemail.com accounts, you should add "consumer_accounts" (without quotes) to the list of domains). This setting will prevent the user from logging in and adding a Secondary Account on a managed device that requires Google authentication if that account does not belong to the aforementioned list of allowed domains. If you leave this setting empty, the user will be able to access G Suite with any account.
- Allowed Accounts (Edge only)
Only the listed accounts may sign in.
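The "Block access to a list of URLs" and "Allow access to a list of URLs" settings above can be checked before they are pushed to devices. The following is an added example, not Safetica's or Chromium's code: a simplified model that validates the list syntax and evaluates host-only patterns, with allow entries treated as exceptions to block entries as described above. It assumes the value is read as a JSON array of strings; the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit


def parse_url_list(value):
    """Parse a setting value such as '["safetica.com"]' (assumed: JSON array of strings)."""
    try:
        patterns = json.loads(value)
    except json.JSONDecodeError as exc:
        # Typographic quotes pasted from a document end up here.
        raise ValueError(f"not a valid list: {value!r}") from exc
    if not isinstance(patterns, list) or not all(isinstance(p, str) and p for p in patterns):
        raise ValueError(f"expected a list of non-empty strings: {value!r}")
    return patterns


def host_matches(pattern, host):
    """Host-only subset of the filter format: '*', 'host' (plus subdomains), '.host' (exact)."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        # A leading dot disables subdomain matching.
        return host == pattern[1:]
    # Require a dot boundary so "notsafetica.com" does not match "safetica.com".
    return host == pattern or host.endswith("." + pattern)


def is_blocked(url, blocklist, allowlist):
    """Allow entries act as exceptions to block entries."""
    host = (urlsplit(url).hostname or "").lower()
    if any(host_matches(p, host) for p in allowlist):
        return False
    return any(host_matches(p, host) for p in blocklist)


if __name__ == "__main__":
    # Constructed sample values: block everything, allow one domain.
    block = parse_url_list('["*"]')
    allow = parse_url_list('["safetica.com"]')
    for url in ("https://www.safetica.com/kb", "https://notsafetica.com/", "https://example.org/"):
        print(url, "blocked" if is_blocked(url, block, allow) else "allowed")
```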
Google Docs, Sheets, and Slides
- App is allowed to use local printing APIs
- Enables the app to run on devices without Google accounts
Microsoft Office: Word, Excel, PowerPoint, and More
- Allowed Accounts
Only the listed accounts may sign in.