![Full Logo.png]](https://help.devicie.com/hs-fs/hubfs/Full%20Logo.png?height=30&name=Full%20Logo.png){kind=small}
Android-Fully Managed High
Overview
The Android-Fully Managed High provides a highly secure baseline for organizations for their corporately owned Android devices. It is recommended for devices used by specific users or groups who are uniquely high risk (for example, users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization).
Intune Description:
High security configuration for a corporately owned enterprise mobile device.
Policy Impact Areas:
When deployed, this policy will impact:
-
Enforcing minimum password length and expiry
-
Enforcing device reset after 5 repeated failed sign-in attempts
-
Block tethering, access to hotspots, file transfer
Deployment Notes
-
Pre-Deployment Considerations:
-
Ensure Android Enterprise configuration has been set (refer to Devicie Android Enterprise documentation for guidance)
-
-
Post-Deployment Validation:
-
Verify lock screen timeout and password enforcement
-
Configuration Settings:
|
Name |
Value |
|
General |
|
|
Fully managed, dedicated, and corporate-owned work profile devices |
|
|
Screen capture (work profile-level) |
Not configured |
|
Camera (work profile-level) |
Not configured |
|
Date and Time changes |
Block |
|
Roaming data services |
Not configured |
|
Wi-Fi access point configuration |
Not configured |
|
Bluetooth configuration |
Not configured |
|
Tethering and access to hotspots |
Block |
|
USB file transfer |
Block |
|
External media |
Block |
|
Beam data using NFC (work profile-level) |
Block |
|
Microphone adjustment |
Not configured |
|
Factory reset protection emails |
Google account email addresses |
|
List of email addresses (Google account email addresses option only) |
|
|
System update |
Automatic |
|
Fully managed and dedicated devices |
|
|
Volume changes |
Not configured |
|
Factory reset |
Block |
|
Status bar |
Not configured |
|
Wi-Fi setting changes |
Not configured |
|
USB storage |
Not configured |
|
Network escape hatch |
Not configured |
|
Notification windows |
Not configured |
|
Skip first use hints |
Not configured |
|
Corporate-owned work profile devices |
|
|
Contact sharing via Bluetooth (work profile-level) |
Not configured |
|
Copy and paste between work and personal profiles. |
Not configured |
|
System security |
|
|
Fully managed, dedicated, and corporate-owned work profile devices |
|
|
Threat scan on apps |
Require |
|
Common Criteria mode |
Not configured |
|
Device experience |
|
|
Fully managed and dedicated devices |
|
|
Enrollment profile type |
Not configured |
|
Device password |
|
|
Fully managed, dedicated, and corporate-owned work profile devices |
|
|
Required password type |
Numeric complex |
|
Minimum password length |
6 |
|
Number of days until password expires |
365 |
|
Number of passwords required before user can reuse a password |
5 |
|
Number of sign-in failures before wiping device |
5 |
|
Disabled lock screen features |
Trust agents (work profile-level);Unredacted notifications |
|
Fully managed and dedicated devices |
|
|
Disable lock screen |
Not configured |
|
Power Settings |
|
|
Fully managed, dedicated, and corporate-owned work profile devices |
|
|
Time to lock screen (work profile-level) |
5 Minutes |
|
Fully managed and dedicated devices |
|
|
Screen on while device plugged in |
|
|
Users and Accounts |
|
|
Fully managed, dedicated, and corporate-owned work profile devices |
|
|
Add new users |
Block |
|
User can configure credentials (work profile-level) |
Block |
|
Fully managed and dedicated devices |
|
|
User removal |
Block |
|
Personal Google accounts |
Block |
|
Dedicated devices |
|
|
Account changes |
Not configured |
|
Applications |
|
|
Fully managed, dedicated, and corporate-owned work profile devices |
|
|
Allow installation from unknown sources |
Not configured |
|
App auto-updates (work profile-level) |
Always |
|
Allow access to all apps in Google Play store |
Not configured |
|
Connectivity |
|
|
Fully managed, dedicated, and corporate-owned work profile devices |
|
|
Always-on VPN (work profile-level) |
Not configured |
|
Lockdown mode |
Not configured |
|
Fully managed and dedicated devices |
|
|
Recommended global proxy |
Not configured |
|
Work profile password |
|
|
Corporate-owned work profile devices |
|
|
Required password type |
Numeric complex |
|
Minimum password length |
6 |
|
Number of days until password expires |
365 |
|
Number of passwords required before user can reuse a password |
5 |
|
Number of sign-in failures before wiping device |
5 |
|
Personal profile |
|
|
Corporate-owned work profile devices |
|
|
Camera |
Not configured |
|
Screen capture |
Not configured |
|
Allow users to enable app installation from unknown sources in the personal profile |
Not configured |
|
Type of restricted apps list |
Not configured |
|
Devicie Template Name |
Android-Fully Managed High |
|
Default Intune Deployed Name |
DEVICIE-PROD-Android-Fully Managed High |
|
Template Last Updated |
|
|
Document Last Updated: |
Jun 17, 2025 |