
Android-Fully Managed Enhanced

Overview

The Android-Fully Managed Enhanced template provides a strong baseline for organizations to uplift security on their corporate-owned Android devices.

Intune Description:

Enhanced configuration for a corporately owned enterprise mobile device.

Policy Impact Areas:

When deployed, this policy will impact:

  • Enforcing minimum password length and expiry

  • Enforcing device reset after repeated failed sign-in attempts

  • Enforcing lock screen timeouts

  • Blocking file transfer

Deployment Notes

  1. Pre-Deployment Considerations:

    • Ensure Android Enterprise has been configured (refer to the Devicie Android Enterprise documentation for guidance)

  2. Post-Deployment Validation:

    • Attempt file transfer to and from the device and confirm it is blocked

    • Verify lock screen timeout and password enforcement

Configuration Settings:

Each setting below is listed as Name: Value.

General

Applies to: Fully managed, dedicated, and corporate-owned work profile devices

  • Screen capture (work profile-level): Not configured
  • Camera (work profile-level): Not configured
  • Date and Time changes: Not configured
  • Roaming data services: Not configured
  • Wi-Fi access point configuration: Not configured
  • Bluetooth configuration: Not configured
  • Tethering and access to hotspots: Not configured
  • USB file transfer: Block
  • External media: Block
  • Beam data using NFC (work profile-level): Not configured
  • Microphone adjustment: Not configured
  • Factory reset protection emails: Google account email addresses
    • List of email addresses (Google account email addresses option only): example@gmail.com
  • System update: Automatic

Applies to: Fully managed and dedicated devices

  • Volume changes: Not configured
  • Factory reset: Block
  • Status bar: Not configured
  • Wi-Fi setting changes: Not configured
  • USB storage: Not configured
  • Network escape hatch: Not configured
  • Notification windows: Not configured
  • Skip first use hints: Not configured

Applies to: Corporate-owned work profile devices

  • Contact sharing via Bluetooth (work profile-level): Not configured
  • Copy and paste between work and personal profiles: Not configured

System security

Applies to: Fully managed, dedicated, and corporate-owned work profile devices

  • Threat scan on apps: Require
  • Common Criteria mode: Not configured

Device experience

Applies to: Fully managed and dedicated devices

  • Enrollment profile type: Not configured

Device password

Applies to: Fully managed, dedicated, and corporate-owned work profile devices

  • Required password type: Numeric complex
    • Minimum password length: 6
  • Number of days until password expires: 365
  • Number of passwords required before user can reuse a password: 5
  • Number of sign-in failures before wiping device: 5
  • Disabled lock screen features:

Applies to: Fully managed and dedicated devices

  • Disable lock screen: Not configured

Power Settings

Applies to: Fully managed, dedicated, and corporate-owned work profile devices

  • Time to lock screen (work profile-level): 5 Minutes

Applies to: Fully managed and dedicated devices

  • Screen on while device plugged in:

Users and Accounts

Applies to: Fully managed, dedicated, and corporate-owned work profile devices

  • Add new users: Block
  • User can configure credentials (work profile-level): Block

Applies to: Fully managed and dedicated devices

  • User removal: Block
  • Personal Google accounts: Block

Applies to: Dedicated devices

  • Account changes: Not configured

Applications

Applies to: Fully managed, dedicated, and corporate-owned work profile devices

  • Allow installation from unknown sources: Not configured
  • App auto-updates (work profile-level): Wi-Fi only
  • Allow access to all apps in Google Play store: Not configured

Connectivity

Applies to: Fully managed, dedicated, and corporate-owned work profile devices

  • Always-on VPN (work profile-level): Not configured
    • Lockdown mode: Not configured

Applies to: Fully managed and dedicated devices

  • Recommended global proxy: Not configured

Work profile password

Applies to: Corporate-owned work profile devices

  • Required password type: Numeric complex
    • Minimum password length: 6
  • Number of days until password expires: 365
  • Number of passwords required before user can reuse a password: 5
  • Number of sign-in failures before wiping device: 10

Personal profile

Applies to: Corporate-owned work profile devices

  • Camera: Not configured
  • Screen capture: Not configured
  • Allow users to enable app installation from unknown sources in the personal profile: Not configured

Devicie Template Name: Android-Fully Managed Enhanced

Default Intune Deployed Name: DEVICIE-PROD-Android-Fully Managed Enhanced

Template Last Updated: Nov 18, 2024

Document Last Updated: Jun 17, 2025