Feature List
Entgra UEM server comes with a variety of features optimally catering for every enterprise mobility need that you are likely to encounter in your enterprise.
Accredited as a Google Enterprise EMM Partner, for Android devices the available features of our EMM server include forced confinement to specific WiFi networks, remote keyboard/mouse inputs on screen-share mode, pre-approved connected peripherals and allow listed applications.
The reporting functionality of the server extends to reports for tracking devices that do not have a mandatory application installed, changed SIM details and reports on enrolled as well as unenrolled devices.
Our support for Android, iOS & macOS and Windows operating systems enables wider reach over a range of platforms.
For the available features and policies in each of the operating systems, click on the relevant section below:
Platform
Platform Features
Feature | Description |
---|---|
Tenant deletion | Delete obsolete tenants conveniently by clearing out all related data including that of subtenants. |
Conditional Email Access (CEA) | Control and manage access to corporate email accounts on mobile devices based on specific conditions or policies, and/or restrict access via unauthorized/non-compliant devices. |
Disenroll multiple devices at once | Ability to select and disenroll multiple devices at once. |
Custom logs for specific modifications | Custom logs are created for user activities relating to group modification events, device group assignments, user modification events, role modification events, and user login events. |
Trigger operations simultaneously in a device group | It is possible to send one or more operations to a device group at once. This feature is available on Android, iOS and Windows devices. |
Direct publishing of app releases | This feature allows approved users to publish app releases promptly without going through all steps of the application lifecycle. |
Hierarchical Grouping | Enhanced UI functionality for creating groups and sub groups in a hierarchical manner. |
Email Notifications for SIM Removal | Automatic email generation for registered email accounts whenever an approved SIM card is removed from the device. |
Per-Tenant Theming | Per tenant UI theming support facilitates convenient corporate branding for cloud users. The feature enables you to customize branding assets such as logos, favicons, app title/footer, etc. to create a seamless, unified, personalized experience for your tenants. |
Live Chat | Instant access to our Support Team to get all evaluation user queries answered. |
Device Tracking Enhancements | Traccar-enabled, scalable, real-time, location tracking for your device fleet complete with device location historical data for analysis. |
Android
Entgra UEM 6.2.0 is a Google Enterprise Partner for Android. Entgra EMM therefore supports the Android Enterpise, COPE, Legacy BYOD and COSU (Kiosk) types of Google recommended enrollments.
Android Features
The table below summarizes the supported features for Android devices:
Feature Description | Legacy (BYOD) | Android Enterprise | COSU (Kiosk) | COPE Enrollment | System App |
---|---|---|---|---|---|
Wi-Fi AllowList/BlockList Policy | ✓ | ✓ | ✓ | ✓ | X |
Enable/Disable Notification Panel in Kiosk Mode | X | X | ✓ | X | X |
Allow only pre-approved input methods | ✓ | ✓ | ✓ | ✓ | |
Block metered connection for specific applications | ✓ | ✓ | ✓ | ||
Android login support for Azure AD | ✓ | ✓ | ✓ | ✓ | |
MS Exchange Online support for Android | X | ✓ | ✓ | ✓ | |
Live Feed | X | ✓ | X | ✓ | ✓ |
FTP file transferring | X | ✓ | X | ✓ | ✓ |
Entgra App catalog | ✓ | ✓ | X | ✓ | ✓ |
Hardware properties | ✓ | ✓ | X | ✓ | ✓ |
Block App uninstall | ✓ | ✓ | X | ✓ | ✓ |
Device theme policy | ✓ | ✓ | X | ✓ | ✓ |
Remotely clear app data | ✓ | ✓ | X | ✓ | ✓ |
Grafana based dashboards | X | ✓ | X | ✓ | ✓ |
Remote screen keyboard and mouse inputs in screen-sharing mode. | ✓ | ✓ | ✓ | ✓ | ✓ |
Allow-list/Block-list connected peripherals plugged-in. | ✓ | ✓ | ✓ | ✓ | ✓ |
Force devices to be locked on to a given WiFi network. | ✓ | ✓ | ✓ | ✓ | ✓ |
Entgra secure browser application with remote settings | ✓ | ✓ | ✓ | ✓ | ✓ |
Device location history view to track the fleet’s history. | ✓ | ✓ | ✓ | ✓ | ✓ |
Display a custom message when the device is locked and for locked settings. | ✓ | ✓ | ✓ | ✓ | ✓ |
Offline un-enrollement via a special per device admin pin code. | ✓ | ✓ | ✓ | ✓ | ✓ |
Get Device Information - Fetch the device's runtime information. | ✓ | ✓ | ✓ | ✓ | ✓ |
Get Device Location Information - Fetch the device's current location. | ✓ | ✓ | ✓ | ✓ | ✓ |
Get Installed Applications - Fetch the device's installed application list. | ✓ | ✓ | ✓ | ✓ | ✓ |
Ring Device - Ring the device for the purpose of locating the device in case of misplacement. | ✓ | ✓ | ✓ | ✓ | ✓ |
Transfer files from a remote server(FTP) to device folder. | ✓ | ✓ | ✓ | ✓ | ✓ |
Transfer files from a device folder to an FTP location. | ✓ | ✓ | ✓ | ✓ | ✓ |
Mute Device - Put the device in silent mode. | ✓ | ✓ | ✓ | ✓ | ✓ |
Change Lock Code - Changes the device's currently set lock code. From Android N upwards, clear passcode will not work. | X | X | ✓ | ✓ | ✓ |
Clear Password - Remove any password that the device owner has put. From Android N upwards, clear passcode will not work. | X | X | ✓ | ✓ | ✓ |
Send Notifications/Messages - Send a notification (message) to the device. | ✓ | ✓ | ✓ | ✓ | ✓ |
Enterprise Wipe - Wipe the entreprise portion of the device. | ✓ | ✓ | ✓ | ✓ | ✓ |
Device Lock (soft lock) - Lock the device remotely. Similar to pressing the power button on the device and locking it. | ✓ | ✓ | ✓ | ✓ | ✓ |
Reboot Device - Restart the phone for example for troubleshooting purposes. | X | X | ✓ | ✓ | ✓ |
Upgrade Firmware - Upgrade Android operating firmware ensuring that firmware and the device has to be compatible and only applicable in OEM scenarios. | X | X | X | X | ✓ |
Execute Shell Command - Remotely execute the shell commands on the device's command prompt. | X | X | X | X | ✓ |
Hard Lock - Lock a device remotely by an admin and only the admin can unlock the device. | X | X | ✓ | ✓ | ✓ |
Manage Web Clip - Install a shortcut link to a web page/web app on the phone's home screen. | ✓ | ✓ | ✓ | ✓ | ✓ |
Trigger Google Play App - Install an app from the google play store. | ✓ | ✓ | ✓ | ✓ | ✓ |
Install/Uninstall/update applications - Capability to perform various application management tasks such as install, uninstall and update apps. - Install an app from the google play store. | ✓ | ✓ | ✓ | ✓ | ✓ |
View Device Screen - Screen sharing with the Admin. - Install an app from the google play store. | ✓ | ✓ | ✓ | ✓ | ✓ |
Remote Control Device - Allow Admin to remotely control the device. | ✓ | ✓ | ✓ | ✓ | ✓ |
Get Logcat - View the log of the operating system. | ✓ | ✓ | ✓ | ✓ | ✓ |
Silent App Install - Install apps on the device without prompting the user to click install. | ✓ | ✓ | ✓ | ✓ | ✓ |
Remote Kiosk Enable - Enable or disable kiosk mode remotely for maintenance reasons, troubleshooting etc. | X | X | X | ✓ | X |
Email Notifications for SIM Removal. | ✓ | ✓ | X | ✓ | X |
Android Supported Operations
Entgra UEM Server facilitates one time operations that can be performed remotely via the Endpoint Management Console. These operations are useful for runtime maintenance of devices.
The following table lists out the operations that can be applied to an Android device.
For details on each, click here.
Operation Type | Description |
---|---|
Ring | Ability to Ring the device via Entgra UEM Server. |
Device Lock | Ability to Lock the device via Entgra UEM Server. |
When Hard lock enabled (OEM Mode Only) is selected, the device can be unlocked only through EMM. This is available only in COPE enrollment. | |
Optionally, messege can be sent to the device via Entgra UEM Server while applying this operation. | |
Device Lock | Ability to Lock the device via Entgra UEM Server. |
When Hard lock enabled (OEM Mode Only) is selected, the device can be unlocked only through EMM. This is available only in COPE enrollment. | |
Optionally, messege can be sent to the device via Entgra UEM Server while applying this operation. | |
Location | Ability to request coordinates of device location via Entgra UEM Server. |
Clear Password | Ability to clear current password via Entgra UEM Server. |
(This functionality is only working with profile owners from Android 7.0 API 24 onwards.). | |
Mute | Ability to enable mute in the device via Entgra UEM Server. |
Message | Ability to send message operation via Entgra UEM Server. The title of the message can be defined seperately in the Title box. The message can be defined in the message box. |
Change Lock-code | Ability to enable or disable current lock code via Entgra UEM Server. |
(This functionality is only working with profile owners from Android 7.0 API 24 onwards.) | |
File Transfer | Ability to Transfer file via Entgra UEM Server. |
Enterprise Wipe | Ability to remove enterprise applications via Entgra UEM Server. |
Wipe Data | Ability to Factory reset the device via Entgra UEM Server. |
Enter the Pin code of the device to complete this operation. | |
Send app restriction | Ability to send remote configurations to an app via Entgra UEM Server. |
Reboot | Ability to reboot the device via Entgra UEM Server. |
This configuration will be available only for COPE/COSU enrollment types. | |
Change LockTask | Ability to change LockTask mode of KIOSK device via Entgra UEM Server. |
This configuration will be available only for COSU enrollment type. | |
Change LockTask | Ability to change LockTask mode of KIOSK device via Entgra UEM Server. |
This configuration will be available only for COSU enrollment type. | |
Upgrade Firmware | Ability to upgrade firmware via Entgra UEM Server. |
Android Supported Policies
The policies that can be applied on an Android device depends on the way the device is enrolled with the server.
Accordingly, the table below indicates the policies applicable for each type of enrollment.
Policy Description | Legacy (BYOD) | Android Enterprise | COSU (Kiosk) | COPE Enrollment | System App |
---|---|---|---|---|---|
Account restriction settings - Define the types of accounts permitted on the device and the number of accounts per type. | X | ✓ | ✓ | ✓ | ✓ |
Display changed device name - Displays the device name changed by admin via APIs in the agent. | ✓ | ✓ | ✓ | ✓ | ✓ |
Alternate app installing capability - an alternative mechanism in the agent that enables installing apps hosted in environments other than the app store, and/or to be used if standard installation fails. | ✓ | ✓ | ✓ | ✓ | ✓ |
File access permissions - enables external file storage write-access for Android 11. | ✓ | ✓ | ✓ | ✓ | ✓ |
Passcode Policy - Add a passcode strength policy to the device or to work profile | ✓ | ✓ | ✓ | ✓ | ✓ |
Encryption Settings - Execute the encypt device storage. | ✓ | ✓ | ✓ | ✓ | ✓ |
WiFi Settings - Push a configuration contaning the wifi profile of the company. | ✓ | ✓ | ✓ | ✓ | ✓ |
Virtual Private network (VPN Settings) - Push a configuration contaning the VPN profile of the company. | ✓ | ✓ | ✓ | ✓ | ✓ |
Device Profile Policy - Decides which system apps must be enabled or disabled in a device | X | ✓ | ✓ | ✓ | ✓ |
COSU Profile Configuration - Configure the behaviour of the Kiosk | X | X | ✓ | ✓ | ✓ |
Application Restriction Settings - Decides which apps are allowed do be in a device. | X | ✓ | ✓ | ✓ | ✓ |
App Screen Usage Time - policy to track/restrict screen usage per app. | ✓ | ✓ | ✓ | ✓ | ✓ |
Runtime permissions - Permissions that are required for the app to work can be granted automatically and defined. | X | ✓ | ✓ | ✓ | ✓ |
System Update Policy (COSU) - Specify the strategy or the time windows to perform OS updates. | X | X | ✓ | ✓ | ✓ |
Monitor/Revoke Policies - Continuously monitor the policies of the device to detect any policy violations. | ✓ | ✓ | ✓ | ✓ | ✓ |
Certificate Install Settings - Install certificate to devices remotely. | ✓ | ✓ | ✓ | ✓ | ✓ |
Global Proxy Settings - Reroute all the http communication of a device via a global http proxy. | X | X | ✓ | ✓ | ✓ |
Enrollment App Install - Decides which apps need to be installed upon enrollment. | ✓ | ✓ | ✓ | ✓ | ✓ |
Remote App Configurations - Send app configurations for the user's installed apps. | ✓ | ✓ | ✓ | ✓ | ✓ |
Disable Profile Removal - Disable the user's ability to unenroll from EMM. | X | ✓ | ✓ | ✓ |
Android Restriction Policies
Restriction Policies are those that can be applied on a device restricting or controlling the use of certain specific device features. There are a large number of restrictions that can be applied on an Android device.
The following table lists the available Restriction Policies for Android devices.
Policy Description | Legacy (BYOD) | Android Enterprise | COSU (Kiosk) | COPE Enrollment | System App |
---|---|---|---|---|---|
Disable access to camera | ✓ | ✓ | ✓ | ✓ | ✓ |
Disable modifying certificates in the device | X | ✓ | ✓ | ✓ | ✓ |
Disable configuring VPN settings | X | ✓ | ✓ | ✓ | ✓ |
Disable configuring App control by hiding the status bar of App Control | X | ✓ | ✓ | ✓ | ✓ |
Disable cross-profile copy-paste - Copying text between profiles is blocked. | X | ✓ | ✓ | ✓ | ✓ |
Disable debugging - Disable usb debuging | X | ✓ | ✓ | ✓ | ✓ |
Disable installing apps to the device | X | ✓ | ✓ | ✓ | ✓ |
Disable installing apps from unknown sources | X | ✓ | ✓ | ✓ | ✓ |
Disable modifying accounts such as Google, Facebook from being modified/ added/ removed | X | ✓ | ✓ | ✓ | ✓ |
Disable outgoing beams - Disable using NFC to transfer data. | X | ✓ | ✓ | ✓ | ✓ |
Disable sharing device location. | X | ✓ | ✓ | ✓ | ✓ |
Disable uninstalling apps | X | ✓ | ✓ | ✓ | ✓ |
Disable parent profile app linking - Disable apps in the personal profile to handle web links from the work profile. | X | ✓ | ✓ | ✓ | ✓ |
Ensure verifying apps - Enforce only verified apps can be installed on the device. | X | ✓ | ✓ | ✓ | ✓ |
Disable screen capture - Disable capturing the screen of the device. | X | ✓ | ✓ | ✓ | ✓ |
Enable auto timing - Enable or diable using time from mobile network as system time. | X | X | ✓ | ✓ | ✓ |
Disable SMS - Disable access to SMS. | X | X | ✓ | ✓ | ✓ |
Disable volume adjust - Disable adjusting the volume of the device. | X | X | ✓ | ✓ | ✓ |
Disable cell broadcast - Disables cell broadcasting messages of the network. | X | X | ✓ | ✓ | ✓ |
Disable configuring bluetooth settings. | X | X | ✓ | ✓ | ✓ |
Disable configuring moble network settings. | X | X | ✓ | ✓ | ✓ |
Disable configuring tethering settings. | X | X | ✓ | ✓ | ✓ |
Disable configuring WiFi settings. | X | X | ✓ | ✓ | ✓ |
Disable safe boot - Disable booting into safe mode. | X | X | ✓ | ✓ | ✓ |
Disable outgoing calls | X | X | ✓ | ✓ | ✓ |
Disable mount physical media - Disable plugging into different media devices. | X | X | ✓ | ✓ | ✓ |
Disable create window - Disable showing certain notifications, toasts and alert by apps. | X | X | ✓ | ✓ | ✓ |
Disable factory resetting of devices. | X | X | ✓ | ✓ | ✓ |
Disable removing users from device. | X | X | ✓ | ✓ | ✓ |
Disable adding new users to device. | X | X | ✓ | ✓ | ✓ |
Disable network reset - Disable user from performing network setting reset. | X | X | ✓ | ✓ | ✓ |
Disable USB file transfer - Disable transfering data over USB. | X | X | ✓ | ✓ | ✓ |
Disable unmute microphone - Configure access to microphone. | X | X | ✓ | ✓ | ✓ |
Disable status bar - Block user from opening the notification bar and access to status bar. | X | X | ✓ | ✓ | ✓ |
Disable set wallpaper - Disable changing wallpapers. | X | X | ✓ | ✓ | ✓ |
Disable auto fill - Disable auto filling forms. | X | X | ✓ | ✓ | ✓ |
Disable bluetooth - Disable bluetooth. | X | X | ✓ | ✓ | ✓ |
Disable bluetooth sharing - Disable sharing via bluetooth. | X | X | ✓ | ✓ | ✓ |
Disable data roaming - Disable data roaming. | X | X | ✓ | ✓ | ✓ |
Disallow changing default SIM - Users are disallowed from changing the default corporate SIM card. | X | X | ✓ | ✓ | ✓ |
Disallow changing default SIM - Users are not allowed to change the default corporate SIM card. | X | X | ✓ | ✓ | ✓ |
Force uninstall applications not allowed - When installing apps to the device which have not been allow-listed, users are forced to uninstall the apps from the device. | X | X | ✓ | ✓ | ✓ |
iOS & macOS
iOS & macOS Features
iOS & macOS Supported Operations
Entgra UEM Server facilitates one time operations that can be performed remotely via the Endpoint Management Console. These operations are useful for runtime maintenance of devices.
Available operations for iOS and macOS vary according to how Apple defines the protocol and also depending on whether the device is a Bring Your Own Device (BYOD) or a Company Owned Personally Enabled (COPE) device.
The table below depicts a summary of this information.
iOS | iOS | macOS | |
---|---|---|---|
Operation Type | BYOD | COPE | BYOD |
Get Device Information - Fetch the device's runtime information. | ✓ | ✓ | ✓ |
Get Installed Applications - Fetch the device's installed application list. | ✓ | ✓ | ✓ |
Get Device Location Information - Fetch the device's current location. | ✓ | ✓ | X |
Ring Device - Ring the device for the purpose of locating the device in case of misplace. | ✓ | ✓ | X |
Install/Uninstall/update applications - Manage apps installed on the device. | ✓ | ✓ | X |
Enterprise data wipe - Wipe the entreprise portion of the device. | ✓ | ✓ | ✓ |
Lock Device - Lock the device remotely. Similar to pressing the power button on the device and locking it. | ✓ | ✓ | ✓ |
Send Notification - Send a notification(message) to the device. | ✓ | ✓ | X |
Clear Passcode - Clear the passcode of a mobile device. | ✓ | ✓ | X |
Wipe Device(factory reset) - Factory reset a device. | ✓ | ✓ | ✓ |
Restart - Restart command is issued to restart the device. | ✓ | ✓ | ✓ |
Shutdown - Shutdown command is issued to shutdown the device. | ✓ | ✓ | ✓ |
External profile add and remove APIs | ✓ | ✓ | X |
Fetch security information of devices. | ✓ | ✓ | X |
iOS & macOS Supported Policies
The policies that can be applied on an iOS device depends on the way the device is enrolled with the server.
Accordingly, the table below indicates the policies applicable for each type of enrollment.
iOS | iOS | macOS | |
---|---|---|---|
Policy Description | BYOD | DEP | BYOD |
Virtual Private Network (VPN Settings) - Push a configuration contaning the VPN profile of the company. | ✓ | ✓ | ✓ |
Wi-Fi Settings - Push a configuration contaning the wifi profile of the company. | ✓ | ✓ | ✓ |
Calendar - This payload configures a CalDAV account. | ✓ | ✓ | ✓ |
Calendar Subscription - Adds a subscribed calendar to the userʼs calendars list. | ✓ | ✓ | X |
Cellular Network Settings - Push cellular configurations such as APN settings to a mobile device. | ✓ | ✓ | X |
Email Settings - These configurations can be used to define settings for connecting to your POP or IMAP email accounts. | ✓ | ✓ | ✓ |
LDAP Settings - These configurations can be used to define settings for connecting to your LDAP server. | ✓ | ✓ | ✓ |
Manage Domains - Any document downloaded from the given URLs are marked as managed documents and will be used in managed open in restrictions. | ✓ | ✓ | X |
Unmarked Email Domains - Specify a list of email domains that are enterprise recognised so that the others are marked as unregnised by highlighting in the mail client. | ✓ | ✓ | ✓ |
Passcode Policy - Add a passcode strength policy to the device or to work profile. | ✓ | ✓ | ✓ |
Monitor/Revoke Policies - Continiously monitor the policies of the device to detect any policy violations. | ✓ | ✓ | ✓ |
Certificate Install - Install certificate to devices remotely. | ✓ | ✓ | |
Global Proxy Settings - Reroute all the http communication of a device via a global http proxy. | ✓ | ✓ | |
Disable Profile Removal - Disable the user's ability to unenroll from EMM. | X | ✓ | X |
AirPlay Settings - The AirPrint payload adds AirPrint printers to the user's AirPrint printer list. | ✓ | ✓ | X |
Network Usage Rules - Network Usage Rules allow enterprises to specify how managed apps use networks, such as cellular data networks. | X | ✓ | X |
App Lock (Kiosk mode) - Configure the behaviour of the Kiosk. | X | ✓ | X |
Font Install - Install fonts to an iOS device remotely. | X | ✓ | X |
Exchange - Exchange active sync contacts and mails to devices. | X | ✓ | ✓ |
Managed Settings command - Send the app configurations for user's installed apps. | X | ✓ | X |
AppStore Payload - Enforce restrictions on the App store in macOS. | X | X | ✓ |
Loginwindow Payload - Behaviour of the login screen and users are controlled with this policy. | X | X | ✓ |
Firewall Policy - A Firewall payload manages the Application Firewall settings that are accessible in the Security Preferences pane. | X | X | ✓ |
iOS & macOS Restrictions Policies
Restrictions Policies are those that can be applied on a device restricting or controlling the use of certain specific device features.
There are a large number of restrictions that can be applied on an iOS device. The following table lists the available Restriction Policies for iOS devices.
iOS | iOS | macOS | |
---|---|---|---|
Policy Description | BYOD | COPE | BYOD |
Allow App Removal - When false, disables removal of apps from iOS device. This key is deprecated on unsupervised devices. | ✓ | ✓ | X |
Allow Assistant - When false, disables Siri. Defaults to true. | ✓ | ✓ | X |
Allow Assistant WhileLocked - When false, the user is unable to use Siri when the device is locked. Defaults to true. This restriction is ignored if the device does not have a passcode set. Availability: Available only in iOS 5.1 and later. | ✓ | ✓ | ✓ |
Allow Camera - When false, the camera is completely disabled and its icon is removed from the Home screen. Users are unable to take photographs. Availability: Available in iOS and in macOS 10.11 and later. | ✓ | ✓ | ✓ |
Allow Cloud DocumentSync - When false, disables document and key-value syncing to iCloud. This key is deprecated on unsupervised devices.Availability: Available in iOS 5.0 and later and in macOS 10.11 and later. | ✓ | ✓ | ✓ |
Allow CloudKeychainSync - When false, disables iCloud keychain synchronization. Default is true. Availability: Available in iOS 7.0 and later and macOS 10.12 and later. | ✓ | ✓ | ✓ |
Allow DiagnosticSubmission - When false, this prevents the device from automatically submitting diagnostic reports to Apple. Defaults to true. Availability: Available only in iOS 6.0 and later. | ✓ | ✓ | X |
Allow ExplicitContent - When false, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. This key is deprecated on unsupervised devices. | ✓ | ✓ | X |
Allow FingerprintForUnlock - If false, prevents Touch ID from unlocking a device. Availability: Available in iOS 7 and later and in macOS 10.12.4 and later. | ✓ | ✓ | ✓ |
Allow GlobalBackgroundFetchWhenRoaming - When false, disables global background fetch activity when an iOS phone is roaming. | ✓ | ✓ | X |
Allow LockScreenNotificationsView - If set to false, the Notifications view in Notification Center on the lock screen is disabled and users cannot receive notifications when the screen is locked. Availability: Available only in iOS 7.0 and later. | ✓ | ✓ | X |
Allow LockScreenTodayView - If set to false, the Today view in Notification Center on the lock screen is disabled. Availability: Available only in iOS 7.0 and later. | ✓ | ✓ | X |
Allow MultiplayerGaming - When false, prohibits multiplayer gaming. This key is deprecated on unsupervised devices. | ✓ | ✓ | X |
Allow OpenFromManagedToUnmanaged - If false, documents in managed apps and accounts only open in other managed apps and accounts. Default is true. Availability: Available only in iOS 7.0 and later. | ✓ | ✓ | X |
Allow OpenFromUnmanagedToManaged - If set to false, documents in unmanaged apps and accounts will only open in other unmanaged apps and accounts. Default is true. Availability: Available only in iOS 7.0 and later. | ✓ | ✓ | X |
Allow ScreenShot - If set to false, users can't save a screenshot of the display and are prevented from capturing a screen recording; it also prevents the Classroom app from observing remote screens. Defaults to true. Availability: Updated in iOS 9.0 to include screen recordings. | ✓ | ✓ | X |
Allow PhotoStream - When false, disables Photo Stream. Availability: Available in iOS 5.0 and later. | ✓ | ✓ | X |
Allow Safari - When false, the Safari web browser application is disabled and its icon removed from the Home screen. This also prevents users from opening web clips. This key is deprecated on unsupervised devices. | ✓ | ✓ | X |
Safari AllowAutoFill - When false, Safari auto-fill is disabled. Defaults to true. | ✓ | ✓ | X |
Safari ForceFraudWarning - When true, Safari fraud warning is enabled. Defaults to false. | ✓ | ✓ | X |
Safari AllowJavaScript - When false, Safari will not execute JavaScript. Defaults to true. | ✓ | ✓ | X |
Safari AllowPopups - When false, Safari will not allow pop-up tabs. Defaults to true. | ✓ | ✓ | X |
Safari AcceptCookies - Determines conditions under which the device will accept cookies. The user facing settings changed in iOS 11, though the possible values remain the same. | ✓ | ✓ | X |
Allow SharedStream - If set to false, Shared Photo Stream will be disabled. This will default to true. Availability: Available in iOS 6.0 and later. | ✓ | ✓ | X |
Allow UntrustedTLSPrompt - When false, automatically rejects untrusted HTTPS certificates without prompting the user. Availability: Available in iOS 5.0 and later. | ✓ | ✓ | X |
Allow VideoConferencing - When false, disables video conferencing. This key is deprecated on unsupervised devices. | ✓ | ✓ | X |
AllowVoiceDialing - When false, disables voice dialing if the device is locked with a passcode. Default is true. | ✓ | ✓ | X |
AllowYouTube - When false, the YouTube application is disabled and its icon is removed from the Home screen. | ✓ | ✓ | X |
This key is ignored in iOS 6 and later because the YouTube app is not provided. | ✓ | ✓ | X |
Allow iTunes - When false, the iTunes Music Store is disabled and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. This key is deprecated on unsupervised devices. | ✓ | ✓ | X |
Allow EnterpriseAppTrust - If set to false removes the Trust Enterprise Developer button in Settings->General->Profiles & Device Management, preventing apps from being provisioned by universal provisioning profiles. This restriction applies to free developer accounts but it does not apply to enterprise app developers who are trusted because their apps were pushed via MDM, nor does it revoke previously granted trust. Defaults to true. Availability: Available in iOS 9.0 and later. | ✓ | ✓ | X |
force EncryptedBackup - When true, encrypts all backups. | ✓ | ✓ | X |
force ITunesStorePasswordEntry - When true, forces user to enter their iTunes password for each transaction. Availability: Available in iOS 5.0 and later. | ✓ | ✓ | X |
force LimitAdTracking - If true, limits ad tracking. Default is false. Availability: Available only in iOS 7.0 and later. | ✓ | ✓ | X |
force AirPlayOutgoingRequestsPairingPassword - If set to true, forces all devices receiving AirPlay requests from this device to use a pairing password. Default is false. Availability: Available only in iOS 7.1 and later. | ✓ | ✓ | X |
force AirPlayIncomingRequestsPairingPassword - If set to true, forces all devices sending AirPlay requests to this device to use a pairing password. Default is false. Availability: Available only in Apple TV 6.1 and later. | ✓ | ✓ | X |
Allow ActivityContinuation - If set to false, Activity Continuation will be disabled. Defaults to true. | ✓ | ✓ | X |
Allow EnterpriseBookBackup - If set to false, Enterprise books will not be backed up. Defaults to true. | ✓ | ✓ | X |
Allow EnterpriseBookMetadataSync - If set to false, Enterprise books notes and highlights will not be synced. Defaults to true. | |||
Allow CloudPhotoLibrary - If set to false, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device will be removed from local storage. Availability: Available in iOS 9.0 and later and in macOS 10.12 and later. | ✓ | ✓ | X |
force AirDropUnmanaged - If set to true, causes AirDrop to be considered an unmanaged drop target. Defaults to false. Availability: Available in iOS 9.0 and later. | ✓ | ✓ | X |
force WatchWristDetection - If set to true, a paired Apple Watch will be forced to use Wrist Detection. Defaults to false. Availability: Available in iOS 8.2 and later. | ✓ | ✓ | X |
Allow AddingGameCenterFriends - When false, prohibits adding friends to Game Center. This key is deprecated on unsupervised devices. | ✓ | ✓ | X |
Allow InAppPurchases - When false, prohibits in-app purchasing. | ✓ | ✓ | X |
Allow LockScreenControlCenter - If false, prevents Control Center from appearing on the Lock screen. Availability: Available in iOS 7 and later. | ✓ | ✓ | X |
Allow OTAPKIUpdates - If false, over-the-air PKI updates are disabled. Setting this restriction to false does not disable CRL and OCSP checks. Default is true. Availability: Available only in iOS 7.0 and later. | ✓ | ✓ | X |
Allow PassbookWhileLocked - If set to false, Passbook notifications will not be shown on the lock screen.This will default to true. Availability: Available in iOS 6.0 and later. | ✓ | ✓ | X |
Allow ManagedAppsCloudSync - If set to false, prevents managed applications from using iCloud sync. | ✓ | ✓ | X |
Allow Podcasts - Not available. Need DEP. If set to false, disables podcasts. Defaults to true. Availability: Available in iOS 8.0 and later. | X | ✓ | X |
Allow DefinitionLookup - Not available. Need DEP. If set to false, disables definition lookup. Defaults to true. Availability: Available in iOS 8.1.3 and later and in macOS 10.11.2 and later. | X | ✓ | ✓ |
Allow PredictiveKeyboard - Not available. Need DEP. If set to false, disables predictive keyboards. Defaults to true. Availability: Available in iOS 8.1.3 and later. | X | ✓ | X |
Allow AutoCorrection - Not available. Need DEP. If set to false, disables keyboard auto-correction. Defaults to true. Availability: Available in iOS 8.1.3 and later. | X | ✓ | X |
Allow SpellCheck - Not available. Need DEP. If set to false, disables keyboard spell-check. Defaults to true. Availability: Available in iOS 8.1.3 and later. | X | ✓ | X |
Allow MusicService - Not available. Need DEP. If set to false, Music service is disabled and Music app reverts to classic mode. Defaults to true. Availability: Available in iOS 9.3 and later and macOS 10.12 and later. | |||
Allow News - Not available. Need DEP. If set to false, disables News. Defaults to true. Availability: Available in iOS 9.0 and later. | |||
Allow UIAppInstallation - When false, the App Store is disabled and its icon is removed from the Home screen. However, users may continue to use Host apps (iTunes, Configurator) to install or update their apps. Defaults to true. Availability: Available in iOS 9.0 and later. | X | ✓ | X |
Allow KeyboardShortcuts - If set to false, keyboard shortcuts cannot be used. Defaults to true. Availability: Available in iOS 9.0 and later. | X | ✓ | X |
Allow PairedWatch - If set to false, disables pairing with an Apple Watch. Any currently paired Apple Watch is unpaired and erased. Defaults to true. Availability: Available in iOS 9.0 and later. | X | ✓ | X |
Allow PasscodeModification - If set to false, prevents the device passcode from being added, changed, or removed. Defaults to true. This restriction is ignored by shared iPads. Availability: Available in iOS 9.0 and later. | X | ✓ | X |
Allow DeviceNameModification - If set to false, prevents device name from being changed. Defaults to true. Availability: Available in iOS 9.0 and later. | X | ✓ | X |
Allow WallpaperModification - If set to false, prevents wallpaper from being changed. Defaults to true. Availability: Available in iOS 9.0 and later. | X | ✓ | X |
Allow AutomaticAppDownloads - If set to false, prevents automatic downloading of apps purchased on other devices. Does not affect updates to existing apps. Defaults to true. Availability: Available in iOS 9.0 and later. | X | ✓ | X |
Allow RadioService - If set to false, Apple Music Radio is disabled. Defaults to true. Availability: Available in iOS 9.3 and later. | X | ✓ | X |
Blocked AppBundleIDs - If present, prevents bundle IDs listed in the array from being shown or launchable. Availability: Available in iOS 9.3 and later. | X | ✓ | X |
Allowed AppBundleIDs - If present, allows only bundle IDs listed in the array from being shown or launchable. Availability: Available in iOS 9.3 and later. | X | ✓ | X |
Allow NotificationsModification - If set to false, notification settings cannot be modified. Defaults to true. Availability: Available in iOS 9.3 and later. | X | ✓ | X |
Allow RemoteScreenObservation - If set to false, remote screen observation by the Classroom app is disabled. Defaults to true. | X | ✓ | X |
This key should be nested beneath allowScreenShot as a sub-restriction. If allowScreenShot is set to false, it also prevents the Classroom app from observing remote screens. Availability: Available in iOS 9.3 and later. | X | ✓ | X |
Allow DiagnosticSubmissionModification - If set to false, the diagnostic submission and app analytics settings in the Diagnostics & Usage pane in Settings cannot be modified. Defaults to true. Availability: Available in iOS 9.3.2 and later. | X | ✓ | X |
Allow BluetoothModification - If set to false, prevents modification of Bluetooth settings. Defaults to true. Availability: Available in iOS 10.0 and later. | X | ✓ | X |
Allow Dictation - If set to false, disallows dictation input. Defaults to true. Availability: Available only in iOS 10.3 and later. | X | ✓ | X |
Force WiFiWhitelisting - If set to true, the device can join Wi-Fi networks only if they were set up through a configuration profile. Defaults to false. Availability: Available only in iOS 10.3 and later. | X | ✓ | X |
Force UnpromptedManaged- ClassroomScreenObservation - If set to true, and ScreenObservationPermissionModificationAllowed is also true in the Education payload, a student enrolled in a managed course via the Classroom app will automatically give permission to that course's teacher's requests to observe the student's screen without prompting the student. Defaults to false. Availability: Available only in iOS 10.3 and later. | X | X | X |
Allow AirPrint - If set to false, disallow AirPrint. Defaults to true. Availability: Available only in iOS 11.0 and macOS 10.13 and later. | X | ✓ | ✓ |
Allow AirPrintCredentialsStorage - If set to false, disallows keychain storage of username and password for Airprint. Defaults to true. Availability: Available only in iOS 11.0 and later. | X | ✓ | X |
Force AirPrintTrustedTLSRequirement - If set to false, disables iBeacon discovery of AirPrint printers. This prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. Defaults to true. Availability: Available only in iOS 11.0 and macOS 10.13 and later. | X | ✓ | ✓ |
Allow AirPrintiBeaconDiscovery - If set to false, disables iBeacon discovery of AirPrint printers. This prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. Defaults to true. Availability: Available only in iOS 11.0 and macOS 10.13 and later. | X | ✓ | ✓ |
Allow SystemAppRemoval - If set to false, disables the removal of system apps from the device. Defaults to true. Availability: Available only in iOS 11.0 and later. | X | ✓ | X |
Allow VPNCreation - If set to false, disallow the creation of VN configurations. Defaults to true. Availability: Available only in iOS 11.0 and later. | X | ✓ | X |
Allow ProximitySetupToNewDevice - Supervised only. If set to false, disables the prompt to setup new devices that are nearby. Defaults to true. Availability: Available only in iOS 11.0 and later. | X | ✓ | X |
Allow AccountModification - If set to false, account modification is disabled. Availability: Available only in iOS 7.0 and later. | X | ✓ | X |
Allow AppCellularDataModification - If set to false, changes to cellular data usage for apps are disabled. Availability: Available only in iOS 7.0 and later. | X | ✓ | X |
Allow AppInstallation - When false, the App Store is disabled and its icon is removed from the Home screen. Users are unable to install or update their applications. This key is deprecated on unsupervised devices. allowAssistantUserGeneratedContent - When false, prevents Siri from querying user-generated content from the web. Availability: Available in iOS 7 and later. | X | ✓ | X |
AllowBookstore - If set to false, iBookstore will be disabled. This will default to true. Availability: Available in iOS 6.0 and later. | X | ✓ | X |
Allow BookstoreErotica - Not available prior to iOS 6.1. If set to false, the user will not be able to download media from the iBookstore that has been tagged as erotica. This will default to true. Availability: Available in iOS 6.0 and later. | X | ✓ | X |
Allow Chat - When false, disables the use of the Messages app with supervised devices. Availability: Available in iOS 6.0 and later. | X | ✓ | X |
Allow FindMyFriendsModification - If set to false, changes to Find My Friends are disabled. Availability: Available only in iOS 7.0 and later. | X | ✓ | X |
Allow GameCenter - When false, Game Center is disabled and its icon is removed from the Home screen. Default is true. Availability: Available only in iOS 6.0 and later. | X | ✓ | X |
Allow HostPairing - If set to false, host pairing is disabled with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Host pairing lets the administrator control which devices an iOS 7 device can pair with. Availability: Available only in iOS 7.0 and later. | X | ✓ | X |
Allow UIConfigurationProfileInstallation - If set to false, the user is prohibited from installing configuration profiles and certificates interactively. This will default to true. Availability: Available in iOS 6.0 and later. | X | ✓ | X |
Autonomous SingleAppModePermittedAppIDs - If present, allows apps identified by the bundle IDs listed in the array to autonomously enter Single App Mode. Availability: Available only in iOS 7.0 and later. | X | X | X |
Force AssistantProfanityFilter - When true, forces the use of the profanity filter assistant. | X | ✓ | X |
Allow EraseContentAndSettings - If set to false, disables the Erase All Content And Settings option in the Reset UI. | X | ✓ | X |
Allow SpotlightInternetResults - If set to false, Spotlight will not return Internet search results. Availability: Available in iOS and in macOS 10.11 and later. | X | ✓ | ✓ |
Allow EnablingRestrictions - If set to false, disables the "Enable Restrictions" option in the Restrictions UI in Settings. | X | ✓ | X |
Windows
Windows Features
The table below summarizes the supported features for Windows devices:
Feature | Description |
---|---|
Microsoft Store Integration | Publish Microsoft Store apps to Entgra App Publisher as public apps, allowing synchronization of app inventory. This integration ensures seamless and efficient management of free apps, similar to the approach used by Microsoft Store in Intune using Windows Package Manager. |
OS Update Management | Advanced features to display available Windows updates and retrieve update details using the Windows Update Agent (WUA) API. This allows IT administrators to manage and control the rollout of updates efficiently with seamless integration within the existing system infrastructure. |
Advanced Browser Management Support | Implement browser restrictions using Microsoft Edge Browser policies to configure how Microsoft Edge runs within your organization. These policies cover a wide range of categories including Application Guard settings, content settings, extensions, HTTP authentication, identity and sign-in, kiosk mode settings, password manager and protection, performance, screen capture permissions, printing, proxy server settings, SmartScreen settings, and more. This feature ensures comprehensive control over browser behavior, enhancing security, performance, and manageability within the organization. |
Autopilot enrollment | Ready-to-use corporate devices with zero admin intervention for users. Streamlined bulk deployment, setup and configuration of Windows devices by registering with the Windows Autopilot deployment service. Automatic retrieval of relevant configurations from Windows Autopilot servers upon booting up devices for the first time will simplify the enrollment process significantly while enhancing the user experience remarkably. |
Remote screen share support | Solve technical problems in real-time and improve customer engagement while saving time and money with better average resolution time using remote screen share for Windows devices. |
Group policy support (ADMX) | Support for implementing over 200 group policies for Windows devices enrolled to the UEM server, similar to Active Directory (AD) environment group policy application. Enables administrators to execute group security and application settings across devices conveniently. |
Bulk enrollment support | Enroll Windows devices conveniently and seamlessly in bulk by remotely deploying device configuration settings for the entire enrollment process, using Provisioning Packages (PPKGs). |
Azure AD (Entra ID) integrated enrollment support | Support for Azure AD registered and joined Windows devices for enrollment into Entgra UEM server via Microsoft Entra ID integration. Enables streamlined and efficient provisioning of devices in bulk for large-scale implementation of enterprise devices. |
Windows Supported Operations
Entgra UEM Server facilitates one time operations that can be performed remotely via the Endpoint Management Console.
The following operations can be executed on a Windows device.
Operation Type | Description |
---|---|
Disenroll | Remove selected devices |
Wipe data | Wipe the enterprise portion of the device |
Location | Fetch the device's current location |
Reboot | Reboot the device remotely |
Windows Supported Policies
The following policies can be executed on a Windows device.
Policy | Description |
---|---|
App Locker Policy | Set an app lock policy to a Windows Device. |
Application Management Policy | Set an application management policy to a Windows Device. |
Assigned access settings | Set up Windows OS to allow only one application to run above the lock screen. |
Background Intelligent Transfer Service | Transfers files in the background using idle network bandwidth |
BitLocker settings | This configuration can encrypt data using BitLocker when the device is locked and make it readable when the passcode is entered. |
Bluetooth | Allows to define setting of windows bluetooth app and its scanning parameters |
Defender | Allows to define settings of the Windows defender app and its scanning parameters. |
Encryption settings | Encrypt data on the device, when the device is locked and make it readable when the passcode is entered. |
Firewall Settings | Configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device |
Messaging | Configure Messaging settings on Windows devices |
Passcode policy | Define a password policy for the devices. |
Setting App Policy | Setting app controlling policy |
Update settings | Configure update settings on Windows devices. |
WiFi Policy | Configure settings for accessing wireless networks. |
Windows Restriction Policies
Restrictions policies are those that can be applied on a device restricting or controlling the use of certain specific device features.
The following restriction policies are applicable on a Windows device.
Policy | Description |
---|---|
Disable camera | Disable the camera on the device |
Disable location | Disable fetching location details |
Disable storage card | Disable plugging of storage cards in the device |
Disable device reset | Disable resetting the device |
Disable OneDrive sync | Disable syncing files with OneDrive |
Disable manual root certificate install | Disable installing root certificates and intermediate certificates |
Disable Bluetooth | Disable Bluetooth control in the device |
Disable cellular data | Disable mobile data (only for mobile) |
Disable data roaming | Disable mobile data roaming on the device (only for mobile) |
Disable connected devices | Disable connecting with other devices |
Disable connect with PC | Disable connection with a PC of the device |
Disable NFC | Disable NFC in the device |
Disable USB connection | Disable USB connection on the device (only for mobile) |
Disable VPN configuration | Disable VPN configurations on the device (only for mobile) |
Disable VPN roaming | Disable VPN roaming on the device(only for mobile) |
Disable date time | Disable changing date and time settings |
Disable non Microsoft accounts | Disable adding non-Microsoft based accounts to the device |
Disable private window in browser | Decides if private browsing is allowed on the device |
Disable indexing of removable drives | Decides if the search results contain files from removable devices |
Disable language settings | Disable language settings |
Disable region settings | Disable region settings |
Disable cortana | Decides if cortana is allowed on the device |
Windows Group Policies (ADMX)
Windows Group Policies in Entgra UEM offer administrators a familiar interface and functionality similar to traditional Group Policy management in Active Directory environments. By leveraging Administrative Template (ADMX) files, administrators can define registry-based policy settings to control various aspects of device behavior and configuration.
The following is a list of available Group Policies in Entgra UEM:
- ActiveX Installer Service
- Add or Remove Programs
- App Privacy
- App runtime
- App-V
- Application Compatibility
- Application Diagnostics
- Appx
- Attachment Manager
- Auditing
- AutoPlay Policies
- Background Intelligent Transfer Service
- Camera
- Cloud Content
- Component Object Model
- Connect
- Control Panel
- ControlAltDelete
- Control Panel 2
- Credential User Interface
- Credentials SSP
- DECOM
- DNS Client
- Delivery Optimization
- Desktop Window Manager
- Device Guard
- Device Installation
- Device and Driver Compatibility
- Device Software Setup
- Digital Locker
- Digital Rights 2
- Disk Diagnostic
- Disk Non-Volatile Cache
- Disk Quotas
- Display
- Distributed File System
- Distributed Link Tracking
- Drive Encryption
- Early Launch Antimalware
- Edge UI
- Encrypted Files
- Enhanced Storage Access
- Event Forwarding
- Event Logging
- Event Viewer
- Event Logs
- Fault Tolerant Heap
- File Classification Infrastructure
- File Explorer
- File Recovery
- File History
- File Revocation
- File Share Shadow Copy
- File Sys
- Find My Device
- Folder Redirection
- Frame Panes
- Game DVR
- Group Policy
- Handwriting
- Hotspot Authentication
- Instant Search
- Internet Communication Management
- Internet Explorer
- Internet Information Services
- KDC
- Kerberos
- Kernel DMA Protection
- Lanman Workstation
- Lanman Server
- Leak Diagnostics
- Link Layer Topology
- Location and Sensors
- MMC Snap Ins
- MSI File Recovery
- Maintenance Scheduler
- Management Console
- Media Player
- Messaging
- Microsoft Defender Antivirus
- Microsoft Defender Application Guard
- Microsoft Defender Exploit Guard
- Microsoft Edge
- Microsoft Input Method Editor
- Microsoft Support Diagnostic Tool
- Microsoft User Experience Virtualization
- Microsoft Account
- Mobile PC Mobility Center
- Mobile PC Presentation Settings
- Multitasking
- Net Logon
- Network Connections
- Network Connectivity Status Indicator
- Network Connectivity Assistant
- Network Isolation
- Network Provider
- Network Sharing
- News and interests
- Notifications
- OOBE
- OS Policy
- Offline Files
- OneDrive
- Online Assistance
- Performance Diagnostics
- Performance Perftrack
- Personalization
- Policies Content Windows Branch Cache
- Portable Operating System
- Power Management
- Previous Versions
- Printing
- Programs
- Push To Install
- Quality of Service
- Regional and Language Options
- Reliability
- Remote Assistance
- Remote Procedure Call
- Removable Storage Access
- Resource Exhaustion Diagnostics
- SNMP
- SSL Configuration Settings
- Scheduled Diagnostics
- Scripted Diagnostics
- Scripts
- Search
- Secondary Authentication Factor
- Security Center
- Server Manager
- Service Control Manager Settings
- Servicing
- Shared Folders
- Shutdown Resolver
- Smart Card
- Software Protection Platform
- Sound Recorder
- Speech
- Start Menu and Taskbar
- Storage Health
- Storage Sense
- Store
- Sync your settings
- System Restore
- TCPIP Settings
- Tablet PC Pen Training
- Tablet PC Shell
- Tablet PC Input Panel
- Taskbar
- Telemetry
- Tenant Restrictions
- Terminal Server
- Terminal Server
- Text Input
- Thumbnails
- Toggle user control over Insider builds
- Touch Input
- Trusted Platform Module Services
- User Profiles
- WinMaps
- Windows Calendar
- Windows Color System
- Windows Defender SmartScreen
- Windows Diagnostics
- Windows Feedback
- Windows Ink Workspace
- Windows Installer
- Windows Logon Options
- Windows Mobile Broadband Service
- Windows PowerShell
- Windows Remote Management
- Windows Security
- Windows iSCSI
- Windows Connect Now
- Windows Connection Manager
- Windows Desktop
- Windows Error Reporting
- Windows Explorer 2
- Windows Help
- Windows Initialization
- Windows Logon
- Windows Logon 2
- Windows Remote Shell
- Windows Time Service
- Windows Tools
- Windows Update
- WlanSvc
- Work Folders