Recommended restrictions and app configurations for Android devices

With Safetica Mobile, you can protect company data by combining restrictions and managed app configurations. Using different policies, you can achieve various levels of security. Safetica Mobile automates this process via managed app configurations, permissions, and restrictions, which pre-configure app settings without any user intervention.

Recommended restrictions

The first thing you can do to secure company data is to set up restrictions properly. Restrictions allow the administrator to disable some of the device apps or features. The list of all possible restrictions can be found in Safetica Knowledge Base. The fundamental restrictions are:

  • Disable cross profile copy and paste (Work profile mode)
    Users are not allowed to paste clipboard data from managed work profiles and apps to a personal profile.
  • Disable install from unknown sources
    Users are not allowed to enable the Unknown Sources settings, which allows the installation of apps from unknown sources.



  • Disable account modification
    Users are not allowed to add or remove accounts. The setting prevents users from adding personal accounts and sending company sensitive data through it.


  • Disable Bluetooth sharing and Disable outgoing Android Beam
    This setting prevents users from sending files via Bluetooth and/or NFC.
    You can see the difference on the screenshots below. On the first screenshot, NFC and Bluetooth are disabled. Users can only send files via apps managed by administrators (small briefcase icon). The second screenshot shows an example of when users can send files through these channels.



Recommended app configurations

The security of mobile devices can be increased by configuring managed apps. Each app has its own set of configurations. You can learn more about this topic in Safetica Knowledge Base.



Recommended configuration:

  • Email Address
    A field that supports either a specific email address ( ) or a variable value $email$ (email from invitation) to set up user’s email address dynamically.
  • Hostname or Host
    The complete hostname of an ActiveSync server, such as
  • Allow Unmanaged Accounts
    Allow users to add or remove any Exchange accounts other than the account specified in the managed configuration. If this setting is enabled, you cannot prevent users from adding other Exchange accounts to Gmail. You also cannot control data sharing between other apps and Exchange accounts added by users. This setting should be enabled only if users need to maintain more than one work-related Exchange account in Gmail.


Recommended configuration:

  • Email address
    A field that supports either a specific email address ( or a variable value $email$ (email from invitation) to set up user’s email address dynamically.
  • Exchange server URL
    Specify the fully qualified domain name (FQDN) of your Exchange On-Premises server.
  • Domain of user account
    Specify your domain name.
  • Username
    Specify the username of the Exchange account. You can use one of the dynamic variables ($email$, $username$, or $fullname$)
  • Allowed accounts
    Specify this setting to restrict the sign-in option to specific accounts.

Web browsers

Chrome and Edge

Recommended configuration:

  • Block access to a list of URLs
    This setting prevents the user from loading web pages from blacklisted URLs. The blacklist is a list of URL patterns that specify which URLs cannot be accessed.

    A URL pattern must be in the format [“*”].
    [""] – is blocked
    [“*”] – all websites are blocked

    You can find more information about using blacklists and whitelists in

  • Allow access to a list of URLs
    Allows access to listed URLs, which serve as exceptions to restrictive URL blacklists. For example, [“*”] can be blacklisted to block all URLs, and this setting can be used to allow access to a limited list of addresses. See the description of URL blacklists for the format of entries.
  • Define domains allowed to access G Suite
    Enables Google Chrome's restricted log-in feature in G Suite and prevents users from changing this setting. If you define this setting, the user will only be able to access Google Apps using accounts from specified domains (note that to allow accounts, you should add \consumer accounts\ (without quotes) to the list of domains). This setting will prevent the user from logging in and adding a Secondary Account on a managed device that requires Google authentication if that account does not belong to the aforementioned list of allowed domains. If you leave this setting empty, the user will be able to access G Suite with any account.
  • Allowed Accounts (Edge only)
    Only the listed accounts may sign-in.

Doc apps

Google Docs, Sheets, and Slides

Recommended configuration:

  • App is allowed to use local printing APIs
  • Enables the app to run on devices without Google accounts

Microsoft Office: Word, Excel, PowerPoint, and More

Recommended configuration:

  • Allowed Accounts
    Only the listed accounts may sign-in.