Android Restrictions with MDM Platforms

Introduction

This guide explains how to configure and manage Android restrictions using various Mobile Device Management (MDM) platforms. MDM solutions such as Workspace ONE, Intune, Test DPC, and Miradore enable IT administrators to enforce security policies, manage applications, and control device settings remotely. By leveraging an MDM platform, organizations can ensure compliance and maintain security across all managed Android devices.

Integrating Android restrictions with an MDM platform allows IT administrators to define and enforce policies that enhance security, protect sensitive data, and optimize device functionality. This document outlines key configuration options, including the use of PROFILE_CODE, LOG_POLICY, DEVICE_NAME, DNS_MODE and ALWAYS_ON_VPN variables to customize restriction settings.

Enrolling Android Devices with MDM

Before applying restrictions, the Android device must be enrolled with an MDM platform. Enrollment ensures that the device is recognized and managed by the organization's IT policies. The enrollment process may vary depending on the chosen MDM solution but generally includes the following steps:

  1. Register the device with the MDM platform.
  2. Install the MDM agent or configure enrollment settings via QR code, NFC, or Zero-Touch Enrollment.
  3. Assign the device to a management profile based on company policies.
  4. Deploy configurations and restrictions to the enrolled device.

Work Profile vs. Fully Managed Devices

Depending on the management model, different installation and configuration rules apply:

  • Fully Managed with Work Profile:
      • The device is company-owned but allows a separate personal profile.
      • The DoHzel application must be installed on the work profile and not on the personal profile.

  • Fully Managed (Company-Controlled Only):
      • The entire device is managed by the company.
      • There is no personal profile, so DoHzel can be installed directly without distinction.
      • Installation takes place when you deploy app configs to the device.

By following these guidelines, organizations can ensure that security policies are enforced correctly, and corporate data remains protected.

Configuring Android Restrictions

MDM platforms allow administrators to configure various restriction settings to control device behavior and enhance security. The five key variables used in these configurations are PROFILE_CODE, LOG_POLICY, DEVICE_NAME, DNS_MODE and ALWAYS_ON_VPN.

PROFILE_CODE

The PROFILE_CODE variable represents the freedom code assigned to a specific profile. This code determines the level of restrictions applied to a device and enables customized policy enforcement.

LOG_POLICY

The LOG_POLICY variable defines the logging behavior for managed devices. It supports three possible values:

  • all – Logs all activities, including system events and user actions.
  • onlySecurity – Logs only security-related events, such as unauthorized access attempts or policy violations.
  • none – Disables logging entirely, preventing any event tracking on the device.

DEVICE_NAME

The DEVICE_NAME variable defines the name displayed for the device within DoHzel. By default, or if no value is set, the current device name is used.

You can also use one of the reserved values below to dynamically assign the device name:

  • SERIAL – Uses the device's serial number.
  • ANDROID_ID – Uses the device's Android ID.

If any other string is provided, it will be used directly as the device name.
For example: setting DEVICE_NAME to "FooBarBaz" will make the device appear as "FooBarBaz" in DoHzel.

DNS_MODE

The DNS_MODE variable defines the DNS resolution method to be used:

  • DOT (default) – Uses DNS over TLS.
  • DOH – Uses DNS over HTTPS.

ALWAYS_ON_VPN

The ALWAYS_ON_VPN variable enforces whether the VPN is always active:

  • OFF (default) – The VPN can be toggled on or off.
  • ON – Forces the VPN to always stay connected.

Administrators must define these variables within the MDM platform and deploy the configuration to the user's device.
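A configuration can be checked against the rules above before it is deployed. The following is an added example, not part of DoHzel or of any MDM product: it validates the enumerated values, applies the documented defaults, resolves DEVICE_NAME, and flags the two settings that weaken monitoring or enforcement. It assumes values are case-sensitive as written above and that PROFILE_CODE must be set; the device facts and configurations are constructed sample data.

```python
# Added example: pre-deployment lint for a DoHzel managed configuration.
# Assumptions: values are case-sensitive as written; PROFILE_CODE is required.
ALLOWED = {
    "LOG_POLICY": {"all", "onlySecurity", "none"},
    "DNS_MODE": {"DOT", "DOH"},
    "ALWAYS_ON_VPN": {"ON", "OFF"},
}
KNOWN_KEYS = set(ALLOWED) | {"PROFILE_CODE", "DEVICE_NAME"}


def resolve_device_name(value, device):
    """Apply the DEVICE_NAME rules: reserved value, literal, or current name."""
    if not value:
        return device["current_name"]
    reserved = {"SERIAL": device["serial"], "ANDROID_ID": device["android_id"]}
    return reserved.get(value, value)


def lint_config(cfg, device):
    """Return (effective_config, errors, warnings) for one config dict."""
    errors = [f"unknown variable: {k}" for k in sorted(set(cfg) - KNOWN_KEYS)]
    warnings = []
    if not cfg.get("PROFILE_CODE"):
        errors.append("PROFILE_CODE is not set")
    for key, allowed in ALLOWED.items():
        if key in cfg and cfg[key] not in allowed:
            errors.append(f"{key}={cfg[key]!r} not in {sorted(allowed)}")
    effective = {
        "PROFILE_CODE": cfg.get("PROFILE_CODE"),
        "LOG_POLICY": cfg.get("LOG_POLICY"),  # the page documents no default
        "DEVICE_NAME": resolve_device_name(cfg.get("DEVICE_NAME"), device),
        "DNS_MODE": cfg.get("DNS_MODE", "DOT"),            # documented default
        "ALWAYS_ON_VPN": cfg.get("ALWAYS_ON_VPN", "OFF"),  # documented default
    }
    if effective["LOG_POLICY"] == "none":
        warnings.append("LOG_POLICY=none: no events are tracked on the device")
    if effective["ALWAYS_ON_VPN"] == "OFF":
        warnings.append("ALWAYS_ON_VPN=OFF: the VPN can be toggled off")
    return effective, errors, warnings


# Constructed sample device facts and configurations.
SAMPLE_DEVICE = {"current_name": "Pixel 7", "serial": "SN-EXAMPLE-0001", "android_id": "a1b2c3d4e5f60718"}
GOOD = {"PROFILE_CODE": "EXAMPLE-CODE", "LOG_POLICY": "onlySecurity", "DEVICE_NAME": "SERIAL", "ALWAYS_ON_VPN": "ON"}
BAD = {"PROFILE_CODE": "EXAMPLE-CODE", "LOG_POLICY": "security", "DNS_MODE": "doh", "LOG_POLCY": "all"}
```

Calling `lint_config(BAD, SAMPLE_DEVICE)` reports the misspelled key and both out-of-range values, and warns that the VPN falls back to its toggleable default.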

Implementing Restrictions with MDM (e.g., Miradore)

To apply Android restrictions using an MDM platform, follow these steps:

  1. Log in to the MDM console (e.g., Miradore, Intune, Workspace ONE, etc.).
  2. Navigate to the Management section.
  3. Select Applications.
  4. Click the Add button and select Android application.
  5. Select Managed Google Play Store and click Next.
  6. Search for DoHzel and select it.
  7. Navigate to the Configurations section.
  8. Create a config and set your variable values.
  9. Deploy the configuration to the enrolled devices by selecting the created config and devices.

Once configured, the restrictions will be enforced across all targeted Android devices, ensuring compliance with company policies.

Conclusion

Using an MDM platform to manage Android restrictions enables organizations to maintain security, control application usage, and enforce compliance policies efficiently. By leveraging the PROFILE_CODE, LOG_POLICY, DEVICE_NAME, DNS_MODE and ALWAYS_ON_VPN variables, IT administrators can customize restrictions to meet their specific requirements while ensuring a seamless user experience.