Functionality by Device Platform

Functionality by Device Platform for the GO!Enterprise Mobile Device Management System

Last revision: 09/17/14 Current Release: Version 3.6.x

Functionality by Device Platform 1

TABLE OF CONTENTS
Functionality by Device Platform

Policy Rules: All Devices

Policy Rules: iOS Devices

20

Policy Rules: TouchDown

29

Security: All Devices

42

Device Statistics: All Devices

47

Compliance Manager

55

Policy Rules: All Devices

Policy Rules: iOS Devices

Security: All Devices

Audit Tracking

Device Features

Security Commands

Device Control

Applications

Network Connection Security and Configuration

Applications

Safari Browser

Device Features

Ratings

Email

Security

ActiveSync Synchronization

iCloud

File Share Permissions

iOS MDM

Managed Apps Permissions

Supervised Mode

Whitelists/Blacklists Permissions
Resource Control
Security Settings

Password

Encryption

Device Inactivity and Locking

Emergency Calls

Samsung KNOX EMM Policies

S/MIME Settings

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: TouchDown

Device Statistics: All Devices

Device Statistics

Compliance Manager

Access Policies and Device Restrictions

Non-Access Policy Based Alerts

Installation

Event Based Alerts

General

System Alerts

Signature

Widgets

Phone Book

User Configurable Settings

Suppression Rules

Functionality by Device Platform 2

The information in these tables describes functionality supported by each device platform for GO!Enterprise MDM, version 3.6.x.
rd

Device platforms supported are Android, BlackBerry (OS 4.5-7.1), BlackBerry (OS 10), iOS, Symbian S60 3 edition, webOS, Windows Mobile 6, and Windows
Phone. Supported device operating system versions are listed below.
Anrd

TD/A

BB10

NS/BB

iOS

TD/iOS

S60

Android devices
OS v2.2 4.4

Android devices
OS v2.2 4.4
with TouchDown
v8.4.x

BlackBerry
Devices OS 10

BlackBerry devices
OS v4.5 7.1
with
GO!NotifySync
v4.9 or greater

iOS 5 8.0
multitasking
devices

iOS 5 8.0
multitasking devices
with latest
TouchDown
app version

Symbian S60 3rd

edition devices
OS v 9.1

wOS

WM

WP

WebOS devices
OS v1.4.3/1.4.5,
2.0.0/2.0.1, 2.1.2

Windows Mobile
devices
OS v6.1/6.5

Windows Phone
devices
OS v7,7.5, 8

The GO!Enterprise MDM Device Application

rd

Android, BlackBerry (OS 4.5-7.1), iOS, Symbian S60 3 Edition, and Window Mobile devices use the GO!Enterprise MDM device application to provide additional
functionality and enforce policies that are not handled by ActiveSync.
rd

TM

The device platforms listed above also require a native ActiveSync agent or a 3 party ActiveSync application, such as GO!NotifySync for BlackBerry or
TM
TouchDown for Android.
On Android devices with OS 2.2 or greater, the ActiveSync agent native to the device is sufficient; although the TouchDown application, available from
the Play Store, offers greater functionality. See Policy Rules: TouchDown
On BlackBerry devices (OS 4.5-7.1), GO!NotifySync for BlackBerry v4.9.x or greater is the ActiveSync application required to handle the ActiveSync
policies. The application has a GO!Enterprise MDM component that provides additional functionality.
On iOS 5, 6, 7, 8 devices with multitasking capabilities, the ActiveSync policies are enforced using Apple configuration profiles.
rd
On Symbian S60 3 Edition devices, Mail for Exchange is required to handle the ActiveSync policies.
On Windows Mobile 6.1/6.5 devices, the ActiveSync agent native to the device is sufficient.
Enrolling Android, iOS, Symbian, or Windows Mobile 6 devices without the GO!Enterprise MDM app is not recommended, because only ActiveSync policies
supported by the device platform or model can be enforced. BlackBerry devices do not have native ActiveSync capabilities and are not supported without the
GO!NotifySync app.

ActiveSync Only Devices

BlackBerry (OS 10), webOS and Windows Phone platforms, for which there are no GO!Enterprise MDM applications, are also supported. Because these
devices utilize the native ActiveSync protocol alone, only ActiveSync policies supported by the device platform or model can be enforced.

Last revision: 09/17/14 Current Release: Version 3.6.x

Functionality by Device Platform 3

POLICY RULES: ALL DEVICES

Red text or dots indicate ActiveSync only - Currently, there is no GO!Enterprise MDM app available for BB10, WP, or wOS. Devices support the feature via the
native ActiveSync app on the device. BlackBerry 4.5-7.1 devices that have no native ActiveSync app (NS/BB) are only supported with the GO!NotifySync app.

Policy Suite Rules:

Description

Anrd

All Devices

Anrd
w/ AS

TD/A

NS/BB

Only

iOS

TD/
iOS

iOS
w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

Audit Tracking
Archive Device File List

Requires device to periodically send a list of

all folders and files stored on the device and
the SD card to the server. Displayed in the
User Profile: File Archive on the dashboard.
Administrator defines frequency of the file
archiving.

Symbian: Sends most files, with the

exception of those in the devices X:\private
and X:\sys folders, which normally contain
system files or sensitive application data.

Record Phone Log

Requires the device to send all telephone

log information to the server.
Future development may include call times
and lengths; whether the call was roaming,
incoming, or outgoing; usage tracking for
work related calls versus personal, defined
by a list of approved work numbers on the
server.
BlackBerry: Tracks only calls made after
GO!Enterprise MDM enrollment.

Record Text Message Log

Requires the device to send all Short

Message Service (SMS) and Multimedia
Messaging Service (MMS) information to
server.
BlackBerry: Tracks only texts made after
GO!Enterprise MDM enrollment

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: All Devices 4

Policy Suite Rules:

Description

Anrd

All Devices

Anrd
w/ AS

TD/A

NS/BB

iOS

Only

TD/
iOS

iOS
w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

Does not track MMS messages, therefore,

on devices that use only MMS, text
messaging is not tracked
Android: Text and MMS logging
functionality may vary based on device
manufacturer or carrier. (See Android SMS
& MMS Capabilities.)
Symbian S60 3 and Windows Mobile:
Record only SMS messages.

Record Installed
Applications

Record Managed
Applications

Record Location of Device

(Latitude / Longitude)

GPS Location Accuracy

Requires the device to send app information

with data usage statistics for all applications
installed on the device. Usage statistics are
displayed in the Apps section of the User
Profile.

Requires the device to send app information

with data usage statistics for managed
applications. Usage statistics are displayed
in the Apps section of the User Profile.

Uses GPS or triangulation on the device to

locate where a users device is at all times.
Information is displayed using Google Maps.
The device reports longitude and latitude as
two separate values.

Allows administrators to specify a level of

location accuracy. Accuracy primarily
depends on using a cell tower vs. GPS
(satellite) location methods; additional
factors may be involved depending on the
device type. Because improved accuracy
generally results in increased battery usage,
the level can be adjusted to facilitate a more
efficient use of device battery. Set levels via
the policy suite.

Determines whether the user has access to

Device Controls: Device

Features
Allow access to clipboard

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: All Devices 5

Policy Suite Rules:

Description

Anrd

All Devices

Anrd
w/ AS

TD/A

NS/BB

iOS

Only

TD/
iOS

iOS
w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

the device clipboard.

Android devices: Requires KNOX EMM
compatibility.

Allow sharing clipboard

between applications

Determines whether the user can

copy/paste data between applications.
Android devices: Requires KNOX EMM
compatibility.

Allow Bluetooth
(ActiveSync)

Determines whether Bluetooth is allowed to

admin@dc03.notify.netoperate on the
device.
There are three settings:
Dont allow Bluetooth
Allow only Bluetooth headsets
Allow all Bluetooth

Allow Browser
(ActiveSync)

Determines whether the use of the native

Web browser is allowed on the device. This
setting can also prevent the use of thirdparty browsers that use the native browser
as a basis for operation.

Android devices: Requires KNOX EMM

compatibility.

Allow Camera
(ActiveSync)

Determines whether the use of the device

camera is allowed. Disabling the camera
can limit the functionality of 3rd party apps
that use the camera, such as Photoshop.

Android: Supported on devices with OS 4.0

and KNOX EMM compatible devices.
Android (native): See knowledge base.

Allow Infrared
(ActiveSync)

Allow installation of
applications from sources

Determines whether infrared connections

are allowed to and from the device.
Determines whether the user is able to
install applications from sources other than
the Google Play Store. This includes

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: All Devices 6

Policy Suite Rules:

Anrd

other than Google Play

TD/A

iOS

Determines whether the device can be used

as a modem for a desktop or a portable
computer.

Determines whether a remote desktop

connection can be created from the device.

Determines whether the device can

synchronize with a computer through a
cable, Bluetooth, or IrDA connection.

Determines whether the device can send or

receive text messages.

Only

TD/
iOS

iOS
w/ AS

iOS
Config
/DEP
Devices

WM
w/ AS
Only

All Devices

Anrd
w/ AS

NS/BB

WM

Description

Only

S60

S60
w/ AS
Only

AS
Only

enterprise applications.
Android devices: Requires KNOX EMM
compatibility.

Allow Internet Sharing from

the Device (Tethering)
(ActiveSync)

Allow Remote Desktop

(ActiveSync)

Allow screen capture

Determines whether the user can capture a

screen shot with the device.
Android devices: Requires KNOX EMM
compatibility.

Allow SD Card
(ActiveSync)

Determines whether the use of an SD Card

is allowed on the device.

Android w/ TouchDown: Allows or disallows

SD card access for the TouchDown
application only.

Allow Synchronization from

a Desktop
(ActiveSync)

Allow Text Messaging

(ActiveSync)

Allow Wi-Fi
(ActiveSync)

Determines whether wireless Internet

access is permitted on the device.
Android devices: Requires KNOX EMM
compatibility.

Allow user to remove

enrollment

Determines whether the user is permitted to

remove the MDM user account from the
device.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: All Devices 7

AS
Only

BB10

Determines whether the user can use

Windows Live services, such as Hotmail,
Office, or Spaces.

(ActiveSync)

Determines whether the device can access

POP3 or IMAP4 email on the device.

Maximum plain text email

body truncation size (in KB)

Defines the maximum email body size of

plain text messages received on the device.

All Devices

Initiate Selective Wipe

when user removes MDM
app account

Anrd
w/ AS

TD/A

iOS

Only

If the user removes the MDM account on

the device, a selective wipe is executed.
Selective Wipe functionality varies by device
platform.

TD/
iOS

iOS
w/ AS

iOS
Config
/DEP
Devices

WM
w/ AS
Only

Description

Anrd

NS/BB

WM

Policy Suite Rules:

Only

S60

S60
w/ AS
Only

Device Controls: Email

Allow HTML formatted
Email
(ActiveSync)

Maximum HTML email body

truncation size (in KB)
(ActiveSync)

Allow Consumer Email

(ActiveSync)

Allow POP/IMAP Email

Determines whether email synchronized to

the device can be in HTML format.
Not supported on systems operating with
ActiveSync protocol 2.5, such as Exchange
2003.

Defines the maximum HTML email body

size of messages received on the device.

Not supported on systems operating with

ActiveSync protocol 2.5, such as Exchange
2003.

(ActiveSync)

Device Control:
ActiveSync
Synchronization
Maximum calendar age for
synchronization
(ActiveSync)

Defines the maximum look-back age of

calendar events. Events older than the
maximum age are automatically removed
from the device.

BB10
WP

Not supported on systems operating with

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: All Devices 8

Policy Suite Rules:

Description

Anrd

All Devices

Anrd
w/ AS

TD/A

NS/BB

iOS

Only

TD/
iOS

iOS
w/ AS

iOS
Config
/DEP
Devices

Only

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

ActiveSync protocol 2.5, such as Exchange

2003.

Specific calendar age for

synchronization

Maximum email age for

synchronization
(ActiveSync)

Determines a specific number of calendar

days that can be synchronized. The value
should be lower than the Maximum calendar
age for synchronization.

Defines the maximum age of email on the

device. Emails older than the maximum age
are automatically removed from the device.

Not supported on systems operating with

ActiveSync protocol 2.5, such as Exchange
2003.

Specific Email age for

synchronization

Require manual sync when

roaming
(ActiveSync)

Determines a specific age for emails to

synchronize. The value should be lower
than the Maximum Email age for
synchronization.

Enforces the use of manual synchronization

on the device while roaming to avoid the
higher data costs that are often incurred
with automatic synchronization.

BB10
WP

Device Controls:
Applications
Allow Google Play

Determines whether the user is able to

install Play Store applications. If disabled,
any managed Play Store app that is
recommended or forced will not push to the
device. Enterprise apps will be pushed to
the device.

Android devices: Requires KNOX EMM

compatibility.

Allow Unsigned
Applications

Determines whether unsigned applications

which already exist on the device are
permitted to run.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: All Devices 9

Policy Suite Rules:

Description

Anrd

All Devices

Anrd
w/ AS

TD/A

NS/BB

iOS

Only

Allow Unsigned Package

Installation

Determines whether the device permits

unsigned installers to install applications.

Allow YouTube

Determines whether the user is able to use

YouTube. If disabled, the YouTube icon is
removed from the device Home screen.

TD/
iOS

iOS
w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

Android devices: Requires KNOX EMM

compatibility.

File and Application

Management
File Share Permissions

Managed Apps Permissions

Create a directory of folders and files to

make accessible to users. Users access
files directly through the GO!Enterprise
MDM app. Set permissions for access per
policy suite.
Create a list of recommended apps. The list
may consist of apps that users access
directly through GO!Enterprise MDM or
through links to the apps in device
application stores. Available mobile
applications are determined by device type.
Administrators can force push apps on the
list to Android and iOS users.

iOS Configurator devices: Apps can only be

made available on the device by an
administrator via force push.

Whitelists/Blacklists
Permissions

Create a list of strings that will filter either by

blacklisting or whitelisting applications.
Blacklist - When one or more blacklisted
applications are installed on a device, the
users access to email, shared files, app
lists, or other organization resources can be
blocked.

Whitelist When one or more applications

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: All Devices 10

Policy Suite Rules:

Description

Anrd

All Devices

Anrd
w/ AS

TD/A

NS/BB

iOS

Only

TD/
iOS

iOS
w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

are installed on a device that are not on the

Whitelist, the users access to email, shared
files, app lists, or other organization
resources can be blocked.

Resource Control
Allow ActiveSync

Determines whether users are permitted to

make ActiveSync connections.

BB10

wOS
WP

Allow File Share

Allow Managed Apps

Determines whether users are permitted to

access the File Share.

Determines whether users are permitted to

access the Managed Apps list.

Samsung KNOX EMM

Policies
Kiosk Mode

Allows administrators to specify a single

application to which KNOX EMM devices
will be locked. The device returns to the
specified app upon wake or reboot and
blocks device features that permit
navigation and task management.

There can only be one kiosk app named at

a time. Since device navigation buttons are
disabled, the kiosk app should be one that is
completely navigable from within the app.

Security: Password
Require Device Password
(ActiveSync)

Forces the device to require a password to

unlock the device.

BB10

wOS
WP

Require TouchDown PIN

Determines whether a PIN is required to

access the TouchDown app. Can be used in
addition to or in place of the Require Device
Password option.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: All Devices 11

Policy Suite Rules:

Description

Anrd

All Devices

Enable password recovery

(ActiveSync)

Anrd
w/ AS

TD/A

NS/BB

iOS

Only

TD/
iOS

iOS
w/ AS

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

WP

Only

This allows or disallows a user to issue,

from the device, a request for a temporary
recovery password if they have forgotten
their unlock password. The recovery
password can be retrieved from the MDM
User Self Administration Portal or the
administrative dashboard.
Not supported on systems operating with
ActiveSync protocol 2.5, such as Exchange
2003.

Android w/TouchDown, gives temporary

unlock password for only the TouchDown
application; does not provide temporary
unlock password when lock is imposed by
the devices native OS.

Allow Simple Password

(ActiveSync)

Determines whether or not a password can

consist of only repeating or sequential
characters, such as 1111 or abcd.
Not supported on systems operating with
ActiveSync protocol 2.5, such as Exchange
2003.

Require Minimum
Password Length

Forces the device to require a password

with a specified minimum length.

BB10

(ActiveSync)

wOS
WP

Minimum Password Length

BB10

Defines the minimum password length.

(ActiveSync)

wOS
WP

Require complex password

User must create a password containing at

least a letter, a numerical digit, and a
special symbol.
Requires Android OS 3.0 or greater. If this
requirement is set and a device does not
support it, the next level of security, which is
alphanumeric, will be implemented.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: All Devices 12

Policy Suite Rules:

Anrd

(ActiveSync)

Minimum Number of
Complex Characters
(ActiveSync)

TD/
iOS

iOS
w/ AS

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

wOS

TD/A

User must create a password containing at

least alphabetic (or other symbol)
characters.

User must create a password containing at

least numeric characters.

All Devices

Require Alphanumeric
Password

NS/BB

Anrd
w/ AS

Description

iOS

Only

Forces the device to require a device

password to contain both letters and
numbers.

Only

Forces the device to require a minimum

number of complex characters (symbols) in
the alphanumeric password. This is disabled
when alphanumeric password is not
required.
Android (native): Supported on devices with
OS 3.0, selected OS 2.x devices, and
KNOX EMM compatible devices.
BlackBerry: Minimum number of each type
of character required in an alphanumeric
password. (Example: If minimum is 2,
password must have 2 uppercase, 2
lowercase, 2 numeric, and 2 symbol
characters.)

Require alphabetic
password
Require numeric password
Require biometric password

Allows for low-security biometric (face)

recognition technology. Uses technologies
that can recognize the identity of an
individual to about a 3 digit PIN (false
detection is less than 1 in 1,000).
Requires Android OS 4.0 or greater.

Require Device Password

Expiration
(ActiveSync)

Forces the device to require users to update

their passwords after a number of days.
Not supported on systems operating with
ActiveSync protocol 2.5, such as Exchange
2003.

BB10
WP

Android: Supported on devices with OS 3.0,

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: All Devices 13

Policy Suite Rules:

TD/
iOS

iOS
w/ AS

iOS
Config
/DEP
Devices

Defines the number of device passwords

stored to prevent users from reusing them
too soon.

After the specified number of password

entry attempts are made, the last password

Description

Anrd

NS/BB

Anrd
w/ AS

TD/A

All Devices

iOS

Only

WM

WM
w/ AS
Only

Only

S60

S60
w/ AS
Only

AS
Only

selected devices with OS 2.x, and KNOX

EMM compatible devices.
Android (native): See knowledge base.
BlackBerry 10: Not supported on Q5 and
Z30

Password expiration in days

(ActiveSync)

Defines the number of days a password can

be used before it expires.
Not supported on systems operating with
ActiveSync protocol 2.5, such as Exchange
2003.
Android: Supported on devices with OS 3.0,
selected devices with OS 2.x, and KNOX
EMM compatible devices.

BB10
WP

Android (native): See knowledge base.

BlackBerry 10: Not supported on Q5 and
Z30

Require Device Password

History
(ActiveSync)

Forces the device to disallow passwords

that have been used in the recent past to be
re-used. The number of stored past
passwords is configurable.
Not supported on systems operating with
ActiveSync protocol 2.5, such as Exchange
2003.
Android (native): Supported on devices with
OS 3.0 or greater, selected OS 2.x devices,
and KNOX EMM compatible devices.

BB10
WP

Android w/ TouchDown: Applies to the

password associated with the TouchDown
application only.

Number of passwords
stored
(ActiveSync)

Enable Password Echo

Last revision: 09/17/14 Current Release: Version 3.6.x

BB10
WP

Policy Rules: All Devices 14

Policy Suite Rules:

Description

Anrd

All Devices

Anrd
w/ AS

TD/A

NS/BB

iOS

Only

TD/
iOS

iOS
w/ AS

iOS
Config
/DEP
Devices

Only

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

BB10

BB10

entered is unmasked to allow the user to

see the error they are making.

Begin password echo after

attempts

Define the number of unlock attempts

before echoing begins.

Security: Encryption
Require Encryption on the
Device
(ActiveSync)

Determines whether the device encrypts

stored data.
Not supported on systems operating with
ActiveSync protocol 2.5, such as Exchange
2003.
iOS devices (iPhone and iPad) have
hardware encryption that is always enabled.
The ActiveSync policy is not used to
enable/disable.
Android (native): Supported on devices with
OS 3.0 or greater, selected devices with OS
2.2 and devices compatible with KNOX
EMM. Gives repeated reminders until the
user initiates encryption.

Android w/ TouchDown: TouchDown data is

encrypted (email, calendar, contacts, tasks)
as well. Use Require TouchDown encryption
instead, to require encryption of TouchDown
data only. Gives repeated reminders until
the user initiates encryption.
BlackBerry: Only GO!NotifySync data is
encrypted (email).

Require Encryption on the

Storage Card
(ActiveSync)

Forces the device to encrypt the file system

of a storage card.
Android: Requires KNOX EMM
compatibility.

Android w/ TouchDown: Only TouchDown

files are encrypted (email attachments that
have been downloaded are encrypted using
AES (256); attachments are still unreadable
Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: All Devices 15

Policy Suite Rules:

Description

Anrd

All Devices

Anrd
w/ AS

TD/A

NS/BB

iOS

Only

TD/
iOS

iOS
w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

if the card is moved to another device).

Security: Device Inactivity

and Locking
Require Max Inactivity Time
Device Lock
(ActiveSync)

Forces the device to lock after a set number

of minutes of user inactivity. This value
serves as a maximum.

BB10

This is also known as Time without user

input before password must be re-entered.

Max Inactivity Timeout

(in minutes)
(ActiveSync)

Require Device Challenge

Timeout

Max Device Challenge

Timeout

Enable Customizable Lock

Message
Customizable lock message
Lock message phone
number

Defines the maximum value a user can set

for the number of minutes of inactivity
before the device locks. If Challenge
Timeout is being enforced, the Max
Inactivity Timeout should be less than
Challenge Timeout.

WP

BB10

Defines the maximum value a user can set

for the number of minutes before the device
initiates a challenge lock. This lock is
initiated regardless of activity and is
intended to challenge the use of a lost or
stolen device. If Max Inactivity Timeout is
being enforced, the Challenge Timeout
should be greater than Max Inactivity
Timeout.

Enable the lock message and enter the text

to be displayed when device is locked.

Enter text to be displayed when device

locks.

Last revision: 09/17/14 Current Release: Version 3.6.x

wOS
WP

Forces the device to enable a challenge

timeout. A lock is initiated regardless of
activity and is intended to challenge the use
of a lost or stolen device.

Enter a contact phone number to be

displayed when the device locks. A user can
tap the displayed phone to initiate dialing.

wOS

Policy Rules: All Devices 16

Policy Suite Rules:

Description

Anrd

All Devices

Anrd
w/ AS

TD/A

NS/BB

iOS

Only

TD/
iOS

iOS
w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

Requires iOS 7 or later.

Audible Alert On Lock

Maximum grace period

(in minutes)

Causes a device to constantly emit a loud

noise when a server-initiated device lock
has been issued. The intent is to draw
attention to a missing device and the device
thief. The noise continues while the device
is powered on, until the device is unlocked.
Determines how soon the device can be
unlocked again after use, without reprompting for the password. Administrator
can also disallow a grace period by
selecting Immediately or choose not to
impose a limit by selecting None.

Android native: Requires KNOX EMM

compatibility.

Wipe device on Failed

Number of Unlock Attempts
(ActiveSync)

After the specified number of password

entry attempts are made, data is cleared
from the device. Functionality varies by
device.
Android or Android w/TouchDown: Device
returns to factory settings. This entails
deleting all data and applications from the
device. Does not erase SD card.
BlackBerry: Removes all mail and PIM data
associated with the GO!NotifySync
application and removes the GO!NotifySync
/ GO!Enterprise MDM accounts. Locks the
device if Require Password is enabled.
Erases GO!NotifySync data from SD card,
including saved attachments.

BB10

wOS
WP

iOS: Device returns to factory settings. This

entails deleting all data and applications
from the device.
Symbian: Device returns to factory settings.
This entails deleting all data and apps from
the device. Erases the SD card.
WM: Device returns to factory settings. This
Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: All Devices 17

Policy Suite Rules:

Description

Anrd

All Devices

Anrd
w/ AS

TD/A

NS/BB

iOS

Only

TD/
iOS

iOS
w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

entails deleting all data and applications

from the device. Erases SD card only on
Professional devices.
BB10, webOS, and WP or any device
without GO!Enterprise MDM app: Device
returns to factory settings. This entails
deleting all data and applications from the
device.

Maximum number of unlock

attempts

Defines the number of unlock attempts

before a device-initiated wipe is performed.

BB10

(ActiveSync)

wOS
WP

Security: Emergency
Calls
Enable emergency calls
when locked

Allow dialing of any number

Allows the device to make emergency calls

in a locked state. Allows emergency
numbers to be specified for allowed calls on
a locked device: ambulance, fire, police, and
one other emergency number.

Gives the user an option to manually enter

and call any number when the device is
locked.

S/MIME Settings
Require signed SMIME
messages

When enabled, this setting forces the device

to send digitally signed S/MIME messages.

WP

Require encrypted SMIME

messages

When enabled, this setting forces the device

to send encrypted S/MIME messages.

WP

This setting specifies the algorithm to be

used for signing messages. Options are
SHA1, MD5.

WP

This setting specifies the algorithm to be

used for encrypting messages. Options are

WP

Require signed SMIME

algorithm
Require encryption SMIME

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: All Devices 18

Policy Suite Rules:

algorithm
Allow S/MIME Encryption
algorithm negotiation

Allow SMIME soft certs

Anrd
w/ AS

AS
Only

This setting enables/disables the device

from negotiating the encryption algorithm
used for signing messages. Options are Do
not negotiate, Negotiate only strong
algorithms, Negotiate any algorithm.

WP

Enables or disables the device from using

soft certificates to sign outgoing messages.

WP

Only

TD/A

iOS

TD/
iOS

iOS
w/ AS

iOS
Config
/DEP
Devices

WM
w/ AS
Only

All Devices

Anrd

NS/BB

WM

Description

Only

S60

S60
w/ AS
Only

TripleDES, DES, RC2128bit, RC264bit,

RC240bit.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: All Devices 19

POLICY RULES: IOS DEVICES

Policy Suite Rules:

TD/
iOS

Determines whether the user can receive or place video calls. Allow Camera
in the Device Controls must be enabled as well.

Determines whether the user can dial their phone using voice commands.
Require Password in Security Settings must be enabled as well.

Determines whether or not the user can save a screenshot of the device
display.

Determines whether or not explicit music or video content purchased from the
iTunes store is hidden.

When disabled, devices that are roaming sync only when an account is
accessed by the user.

Determines whether iPhone 4S devices allow the Siri speech recognition

personal assistant.

iOS Specific

iOS

iOS
Config
/DEP
Devices

iOS

Description

w/ AS
Only

Device Features
Allow FaceTime
Allow Voice Dialing
Allow Screenshot
Allow Explicit Content
Allow Automatic Sync When Roaming
Allow Siri
Allow Siri Profanity Filter

Allow Siri while device locked

Determines whether profanity is filtered on the device. Functional on devices

in Supervised mode only. Allow Siri must be enabled in order to enable this
policy.
Determines whether Siri is disabled when the device is locked with a
password.
Enabling Allow Siri is a prerequisite for enabling this option.

Requires iOS 5.1 or greater

Allow Game Center

Determines whether the Game Center is accessible. When disabled, the icon
is removed from the Home screen. Functional on devices in Supervised mode
only. Disabling this policy also disables Allow Multiplayer Gaming and Allow
Adding Game Center Friends.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: iOS Devices 20

Policy Suite Rules:

TD/
iOS

Determines whether the device allows multiplayer gaming between iOS

devices via Bluetooth or WiFi. When this option is disabled, users cannot play
multiplayer games in the Game Center.

Determines whether the device allows adding friends or building a social

gaming network associated with the Game Center app.

Determines whether the device requires a password to access the iTunes

store. Requires users to enter their Apple ID before making any purchase.
Normally, there is a brief grace period after a purchase is made before users
must authenticate for subsequent purchases.

When disabled, users can choose whether or not device backups, performed
in iTunes, are stored in encrypted format on their computer.

iOS Specific
Allow Multiplayer Gaming

Allow Adding Game Center Friends

Force iTunes Store Password Entry

Force Encrypted Backup

Allow Passbook while device locked

Allows use of the Apple Passbook app when the device is locked, giving users
access to their boarding passes, tickets, store cards, coupons, etc.

iOS

iOS
Config
/DEP
Devices

iOS

Description

w/ AS
Only

Requires iOS 6.0 or higher.

Allow Over-the-Air PKI Updates

Determines if over-the-air if Public Key Infrastructure (PKI) updates are

permitted.
Requires iOS 7 or later.

Force Limited Ad Tracking

Determines if advertisers tracking of a users habits is limited. Enabling this

does not eliminate ad tracking, but may reduce it to some degree.
Requires iOS 7 or later.

Allow Fingerprint for Unlock

Determines whether the users Touch ID can be used to unlock the device.
iOS 7 or later required

Allow Lock Screen Control Center

Determines whether Control Center appears on the Lock screen. Control

Center appears with a swipe up from any screen giving the user quick access
to controls and apps.
iOS 7 or later required

Allow Lock Screen Notification View

Determines whether the Notifications view in Notification Center can be

accessed from the Lock screen.
iOS 7 or later required

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: iOS Devices 21

Policy Suite Rules:

Description

TD/
iOS

iOS Specific
Allow Lock Screen Today View

Determines whether the Today view in Notification Center can be accessed

from the Lock screen.

iOS

iOS
Config
/DEP
Devices

iOS

w/ AS
Only

iOS 7 or later required

Applications
Allow Application Installation

Allow App Management

When disabled, the App Store is disabled and the icon is removed from the
device Home screen. In addition, users are prevented from installing
applications made available through the GO!Enterprise MDM Managed Apps
list.
Determines whether an administrator has the ability to give user access to iOS
apps or force push iOS apps to users in a particular policy suite.
iOS Configurator devices: Apps can only be made available on the device by
an administrator via force push.

Allow Bookstore

Allow Bookstore Erotica

Allow In App Purchases
Allow YouTube
Allow iTunes

Allow Managed App Documents to

Open in Unmanaged Apps

When disabled, iBookstore is disabled and users are prevented from

accessing it from the iBooks app. Functional on devices in Supervised mode
only. Disabling this policy also disables the non-supervised policy Allow
Bookstore Erotica.

Determines whether users can purchase books categorized as Erotica from

iBookstore.

Determines whether or not users can make in-app purchases.

Determines whether the use of YouTube is allowed on the device. If disabled,

the icon is removed from the Home screen.

Determines whether the use of iTunes is allowed on the device. If disabled,

the icon is removed from the Home screen and users cannot preview,
purchase, or download content.

Determines if documents in managed apps and accounts will only open in

other managed apps and accounts.
Requires iOS 7 or later.

Allow Unmanaged App Documents to

Open in Managed Apps

Determines if documents in unmanaged apps and accounts will only open in

other unmanaged apps and accounts.
Requires iOS 7 or later.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: iOS Devices 22

Policy Suite Rules:

TD/
iOS

Determines the Safari cookie policy Whether the device accepts all cookies,
no cookies, or only cookies from sites that were directly accessed.

Determines whether Safari remembers what users enter in web forms.

Determines whether Safari ignores JavaScript on Websites.

Determines whether Safaris pop-up blocking feature is enabled.

Determines whether Safari attempts to prevent the user form visiting websites
identified as being fraudulent of compromised.

Determines the media content rating scale used by a particular region.

If rating restrictions are enabled, items that violate the restrictions cannot be
downloaded over-the-air and those installed via iTunes are hidden. Items
violating the restriction that existed on the device before rating restrictions
were imposed will be hidden.

iOS Specific
Record Installed Applications

Access and record applications installed on devices.

iOS

iOS
Config
/DEP
Devices

iOS

Description

w/ AS
Only

Safari Browser
Allow Safari

Determines whether use of the Safari Web browser is allowed on the device. If
disabled, the Safari icon is removed from the Home screen and it prevents
users from opening web clips. Disabling Safari can also prevent the use of
third-party browsers.
Allow Browser in the Device Controls must also be enabled.

Accept Cookies
Allow Auto-fill
Allow JavaScript
Block Pop-ups
Force Fraud Warning

Ratings
Rating Region

Application Ratings

Determines the maximum allowed ratings for apps.

If rating restrictions are enabled, applications that violate the restrictions
cannot be downloaded over-the-air and those installed via iTunes are hidden.
Applications violating the restriction that existed on the device before rating
restrictions were imposed will be hidden. Caution: If you choose the Dont
Allow Apps option, the GO!Enterprise MDM app will be hidden on iOS devices.
Rating settings determine the highest rating permissible. For example a policy
with the U.S. application rating of 9+ will allow the installation of applications
with a rating of 4+ or 9+, but will block applications with a rating of 12+ or 17+.

Movie Ratings

Determines the maximum allowed ratings for movies.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: iOS Devices 23

Policy Suite Rules:

TD/
iOS

Determines the maximum allowed ratings for TV shows.

If rating restrictions are enabled, TV shows that violate the restrictions cannot
be downloaded over-the-air and those installed via iTunes are hidden. TV
shows violating the restriction that existed on the device before rating
restrictions were imposed will be hidden.

Determines whether or not an iOS user can delete individual profiles delivered
after the MDM configuration profile. Should the MDM configuration profile be
removed, all other individual profiles will be removed as well. Includes an
option to allow deletion with the use of a password.
Note: This option is disabled when an APNs certificate is in use, since
individual profiles would automatically resynchronize to the device on the next
sync cycle.

Defines the password with which a user can remove the profile.

Determines whether users are asked if they want to trust certifications that
cannot be verified. This setting applies to Safari and to Mail, Contacts, and
Calendar accounts.

Determines whether the device is permitted to back up to and restore from

iCloud.

Determines whether the device allows document synchronization to iCloud.

When this option is enabled, users can store documents in iCloud.

Determines whether iCloud automatically pushes (via WiFi) a copy of any

photo taken on or imported to an iOS device, to the users other iOS devices,
iPhoto or Aperture on a Mac, Pictures Library on a PC, and Apple TV.

iOS Specific

iOS

iOS
Config
/DEP
Devices

iOS

Description

w/ AS
Only

If rating restrictions are enabled, movies that violate the restrictions cannot be
downloaded over-the-air and those installed via iTunes are hidden. Movies
violating the restriction that existed on the device before rating restrictions
were imposed will be hidden.

TV Show Ratings

Security
Allow Profile Removal

Profile Removal Password

Allow Untrusted TLS Prompt

Allow Diagnostic Submission Text

Determines whether the device sends iOS diagnostic data to Apple. When this
option is disabled, iOS diagnostic information is not sent to Apple.
Requires iOS 6.0 or higher.

iCloud
Allow iCloud Backup
Allow Document Sync
Allow Photo Stream

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: iOS Devices 24

Policy Suite Rules:

Description

TD/
iOS

iOS Specific

iOS

iOS
Config
/DEP
Devices

iOS

w/ AS
Only

When this option is disabled, installing a configuration profile with this

restriction can erase Photo Stream photos from the users device and prevents
photos from the Camera Roll from being sent to Photo Stream. If there are no
other copies of these photos, they may be lost.

Allow Shared Photo Streams

Determines whether the user can post and share a Photo Stream album with
other iOS users or through the iCloud Web site.
Requires iOS 6.0 or later.

Allow Cloud Keychain Sync

Determines if iCloud Keychain sync is permitted. Stores 256-bit AES

encrypted user passwords in iCloud so they can be synced across trusted
devices. Helps users create strong passwords.
Requires iOS 7 or later.

Management
Allow Management of Settings

Determines whether the voice and data roaming settings can be managed.
Applies only to iPhone 4 devices.

Allow Voice Roaming

Determines if the device will allow voice calls and SMS messages while
roaming.
Applies only to iPhone 4 devices.

Allow Data Roaming

Determines if the device will allow data or video while roaming.

Applies only to iPhone 4 devices.

Enable personal hotspot

Enables the personal hotspot feature on user devices, which allows the user to
connect computers and other devices to the Internet using the devices cellular
data connection. A user can change this setting on the device, but it will revert
back to the setting from the server each time the device synchronizes.
Requires iOS 7 or later.

Supervised Mode
Allow Account Modification

Determines if the user can modify the iTunes & App Stores account.
Requires iOS 7 or later.

Allow App Cellular Data Modification

Determines if changes to cellular data usage settings for apps are permitted.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: iOS Devices 25

Policy Suite Rules:

Description

iOS Specific

iOS

TD/
iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

Requires iOS 7 or later.

Allow App Removal

Allow Configuration Profile Installation

Allow Find My Friends Modification

Determines whether users can remove apps from the device. This does not
include apps that are included with iOS, such as App Store and iTunes.
Functional on devices in Supervised mode only. If this is disabled, it does not
prevent managed apps from being removed via the MDM API.

Determines whether users can install additional configuration profiles onto the
device. Functional on devices in Supervised mode only. If this is disabled, it
does not prevent the MDM API from installing configuration profiles on the
device.

Determines if changes to Find My Friends settings are permitted. Allows users

to locate friends and family that also have the Find My Friends app.

Requires iOS 7 or later.

Allow Host Pairing

Determines if host pairing, other than the supervision host, is disabled. If a

supervision host has not been configured, all pairing is disabled.

Requires iOS 7 or later.

Allow iMessage

Allow AirDrop

Determines whether users can send or receive messages using iMessage. It

does not prevent messaging through third party apps. If the device does not
support text messaging, disabling this policy will remove the Messages icon
from the Home screen. Functional on devices in Supervised mode only.
Determines whether AirDrop is enabled or disabled. AirDrop allows users to
easily share, via Wi-Fi or Bluetooth, photos, videos, contacts or anything else
from any app with a Share button.

iOS 7 or later required

Allow Assistant User Generated

Content

Determines whether Siri can query web sources, such as Bing, Wikipedia, and
Twitter, to answer user questions.

iOS 7 or later required

Global HTTP Proxy

This payload allows the administrator to specify global HTTP proxy settings:
Proxy Type, Proxy Server, Proxy Server Port, Proxy Username, and Proxy
Password. Configuring the settings incorrectly can prevent the Apple API from
functioning altogether on the device.

There can only be one of this payload at any time and it can only be installed
on supervised devices.
Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: iOS Devices 26

Policy Suite Rules:

Description

iOS Specific
Single App Mode

iOS

TD/
iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

This payload allows administrators to specify an app to which supervised

devices will be locked. The device is locked to a single application until the
payload is removed. The Home button is disabled and the device returns to
the specified application automatically upon wake or reboot.
There can only be one of this payload at any time and it can only be installed
on supervised devices.

Requires iOS 6.0 or later.

Several options associated with Single App Mode are listed below
Single App Mode:

Disable Touch Screen

Single App Mode:

Disable Device Rotation

Single App Mode:

Disable Volume Buttons

Single App Mode:

Disable Ringer Switch

Single App Mode:

Disable Sleep/Wake Button

Single App Mode:

Disable AutoLock
Single App Mode:

Enable VoiceOver

Determines if the touch screen is operational.

Requires iOS 7 or later.
Determines if device rotation sensing is operational.
Requires iOS 7 or later.
Determines if volume buttons are operational.
Requires iOS 7 or later.
Determines if the ringer switch is operational.
Requires iOS 7 or later.
Determines if the sleep/wake button is operational.
Requires iOS 7 or later.
Determines if the device will automatically go to sleep after an idle period.
Requires iOS 7 or later.
Determines if VoiceOver, a feature that audibly assists a user in navigating the
touch screen, is on or off. VoiceOver enables a blind or low vision user to
touch the screen to hear what is under their finger, then gesture to control the
device. Works with apps that come with the iOS device.

Requires iOS 7 or later.

Single App Mode:

Allow VoiceOver Adjustments

Determines if the user is permitted to adjust VoiceOver settings. Enable Voice

Over must be on.

Requires iOS 7 or later.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: iOS Devices 27

Policy Suite Rules:

Description

iOS Specific
Single App Mode:

Enable Zoom

Determines if Zoom, an assistive built in magnifier is turned on or off. A double

tap with three fingers instantly zooms 100-500 percent.

iOS

TD/
iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

Requires iOS 7 or later.

Single App Mode:

Allow Zoom Adjustments

Determines if the user is permitted to adjust Zoom settings. Enable Zoom must
be on.

Requires iOS 7 or later.

Single App Mode:

Enable Invert Colors

Determines if Invert Colors, an assistive feature that inverts colors for a higher
contrast, is turned on or off. Once colors are set, the settings apply
systemwide, even to video.

Requires iOS 7 or later.

Single App Mode:

Allow Invert Colors Adjustments

Determines if the user is permitted to adjust Invert Colors settings. Enable

Invert Colors must be on.

Requires iOS 7 or later.

Single App Mode:

Enable Assistive Touch

Determines if the AssistiveTouch, a feature that provides alternatives to the

standard navigation gestures, is turned on or off. Alternatives or customization
can be created for gestures such as pinch, pressing the Home button, rotate,
or shake.

Requires iOS 7 or later.

Single App Mode:

Allow Assistive Touch Adjustments

Determines if the user is permitted to adjust Assistive Touch. Enable Assistive

Touch must be on.

Requires iOS 7 or later.

Single App Mode:

Enable Speak Selection

Determines if Speak Selection, an assistive feature that reads text, is turned

on or off. Speak Selection allows a user to highlight text in any application and
tap Speak to have the selection read aloud.

Requires iOS 7 or later.

Single App Mode:

Enable Mono Audio

Determines if Mono Audio, an assistive feature that plays left and right audio
channels in both headphone earbuds, is turned on or off.

Requires iOS 7 or later.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: iOS Devices 28

POLICY RULES: TOUCHDOWN

Policy Suite Rules:

Description

TD/A

TouchDown Specific

TD/A

w/ AS
Only

TD/iOS

TD/iOS
w/ AS
Only

Installation
Allow any server certificate

Initiate enrollment

Require TouchDown encryption

Currently, GO!Enterprise MDM requires a CA signed certificate and does not

support self-signed certificates. For the present, this option should be
disabled.

At the completion of the GO!Enterprise MDM enrollment, the user is prompted

to configure TouchDown. When the user confirms, this automatically registers
TouchDown and creates an ActiveSync account with the user credentials
provided during GO!Enterprise MDM enrollment. If disabled, the user is not
prompted and must initiate the TouchDown configuration by opening
GO!Enterprise MDM and selecting Settings > TouchDown Settings.

Allows an organization to require the encryption of TouchDown data only on

the device. Enable this option and disable the Require encryption on the
device option, under Security Settings, so that the entire device is not
encrypted. Gives repeated reminders until the user initiates encryption.

Determines whether users can copy text from a received email and paste it
elsewhere.

Allows users to reset the TouchDown PIN (password) by using their Exchange
account password. With Exchange 2007 or 2010, this does not function when
Security Settings > Enable Password Recovery is enabled. The ActiveSync
password recovery method is used instead.

When enabled, users can choose to have the device issue spoken email and
appointment notifications. When disabled, the option is not visible and the
function is disabled.

iOS devices (iPhone and iPad) have hardware encryption that is always
enabled. The policy is not used to enable/disable.

General
Allow copy/paste in emails
Allow easy PIN recovery

Allow speak notification option

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: TouchDown 29

Policy Suite Rules:

Description

TD/A

TouchDown Specific

TD/A

w/ AS
Only

TD/iOS

TD/iOS
w/ AS
Only

At least one of two suppression rules must be enabled in order for this to
function: Allow appointment alert configuration or Allow email alert
configuration.

Require TouchDown PIN

(Link)
Show calendar info on
notification bar

Links to the Require TouchDown PIN option in Security Settings > Password,
which determines whether a PIN is required to access the TouchDown app.
Can be used in addition to or in place of the Require Device Password option.

To successfully display notifications, the following TouchDown settings must

also be configured on the device: In the Advanced TouchDown Settings,
enable the Appointment reminders at non-peak times options and configure
Appointment Alerts to use system settings.

Disables printing from TouchDown.

The timeout interval before a user is required to re-enter an SMIME certificate

PIN, when the certificate has been configured to require a PIN for signing or
encrypting/decrypting messages.

When enabled, allows user to change the signature which accompanies email
sent from the device. This option does not function unless Suppression >
Allow signature line field is enabled.

Allows the entry of a signature determined by the administrator.

Determines whether appointment subjects are displayed in the device

notification bar when reminders are shown.
To successfully display notifications, the following TouchDown settings must
also be configured on the device: In the Advanced TouchDown Settings,
enable the Appointment reminders at non-peak times options and configure
Appointment Alerts to use system settings.

Show email info on

notification bar

Determines whether email sender and subject are displayed in the device
notification bar when email notifications are shown.
To successfully display notifications, the following TouchDown settings must
also be configured on the device: In the Advanced TouchDown Settings,
enable the Notify on new mail option and configure Email Alerts to Use system
settings.

Show task info on

notification bar

Disable Printing
Forced SMIME Pin Timeout

Determines whether task subjects are displayed in the device notification bar
when task notifications are shown.

Signature
Allow change signature on device

Set signature

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: TouchDown 30

Policy Suite Rules:

Description

TD/A

TouchDown Specific

TD/A

w/ AS
Only

TD/iOS

TD/iOS
w/ AS
Only

(Corporate / Individual)
Widgets
Allow export to third party widgets
Allow TouchDown calendar widget
Allow TouchDown email widget
Allow TouchDown task widget
Allow TouchDown universal widget
Show widget data when TouchDown is
locked

Determines whether or not TouchDown data can be communicated to third

party widgets that request it.

Determines whether or not TouchDown calendar widget shows data.

Determines whether or not TouchDown email widget shows data.

Determines whether TouchDown task widget shows data.

Determines whether TouchDown universal widget shows email, calendar and

task data.

Determines whether widget data locks when TouchDown is locked. This option
does not function unless Security Settings >Require Password; TouchDownGeneral > Show TouchDown PIN; and at least one widget (calendar, email,
third party, task, or universal) are enabled.

Phone Book
Phone book fields to copy

Choose which fields of a contact synchronize when users copy contacts to the
device phone book.
Choosing all or some of the fields is a prerequisite for the suppression rules:
Allow copy phone format options and Allow update contact changes to phone
options.

User Configurable Settings:

Calendar

About User Configurable Settings: Users can configure these policies

according to preference. Administrators choose the setting for initial device
configuration. Changes to these settings do affect existing TouchDown users.

Show All-day events in the Calendar

Widget

Determines whether all-day events display in the TouchDown Calendar

Widget.

Show upcoming events only

Determines whether the only appointments displayed in the current day's

Agenda are those that have not passed.

Enable meeting resource field

Determines whether a field is enabled for specifying resources such as

conference rooms or equipment when creating a new meeting.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: TouchDown 31

Policy Suite Rules:

Description

TD/A

TouchDown Specific

TD/A

w/ AS
Only

TD/iOS

Show calendar tasks in the Agenda

Determines whether calendar tasks display in the Agenda view.

Show overdue tasks in the Agenda

Determines whether overdue tasks display in the Agenda view.

Customize the start and end days for

the week

Determines whether user has the ability to define the first and last days of the
week to display in the calendar Week view.

First day of a week to show in

Calendar

Define the first day of the week to display in the calendar Week view.

Last day of a week to show in Calendar

Define the last day of the week to display in the calendar Week view.

Start time of the work day

Times that fall between the work days start time and end time display in a
different color on Day and Week calendar views.

End time of the work day

Times that fall between the work days start time and end time display in a
different color on Day and Week calendar views.

Default reminder for each new event

Defines the default reminder time to assign to each new event unless
otherwise specified for the event.

Default privacy status for each new

event

Defines the default privacy status to assign to each new event unless
otherwise specified for the event.

Default availability status for each new

event

Defines the default availability status to assign to each new event unless
otherwise specified for the event.

Calendar zoom size

Shows the Day and Week calendar views in a larger text size.

Show a compact PIN screen (NEW

7.1)

Determines whether a compact PIN screen is shown, fitting the PIN buttons
over half of the available screen space.

Default theme (NEW 7.1)

Defines a default display theme for the TouchDown User Interface.

TD/iOS
w/ AS
Only

User Configurable Settings: Device

Control

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: TouchDown 32

Policy Suite Rules:

Description

TD/A

TouchDown Specific

TD/A

w/ AS
Only

TD/iOS

TD/iOS
w/ AS
Only

User Configurable Settings: Email

Enable email selectors

Adds a radio button beside each item in the email list, enabling the user to
select multiple emails for various actions, such as delete, mark as read, move,
etc.

Show email summary

Determines whether part of the body of each email displays in the email list.

Highlight email senders

Determines whether the sender of any email displays in a larger and bolder
type than the subject field.

Enable search as you type

Determines whether the search tool used in the email list begins to filter
messages as the user types a string, as opposed to the user having to initiate
the search after typing.

Automatically download embedded

images

Determines whether embedded images automatically download for an HTML

email.

Enable move to any folder option

Determines whether a user can move email messages to folders that have not
been selected for synchronization, as opposed to only being able to move
email to folders that have already synchronized.

Highlight unread messages

When enabled, Email list displays read email in grey and unread email fully lit
and in bold.

Enable preview attachments option

When enabled, a thumbnail view of downloaded attachments displays before

they are opened.

Always expand folders

When enabled, the folder tree automatically expands when Choose Folders is
used or when the user switches folders.

Enable confirm deletes prompt

Determines whether a confirmation prompt displays when the user deletes an

email.

Enable confirm move prompt

Determines whether a confirmation prompt displays when the user moves an

email.

Toolbar mode

Determines whether the tool bar that appears when viewing an email will
display, be hidden, or can be toggled on and off.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: TouchDown 33

Policy Suite Rules:

Description

TD/A

TouchDown Specific

TD/A

w/ AS
Only

TD/iOS

After delete go to

Defines what is displayed after an email is deleted.

Enable email alerts at non-peak times

Determines whether email notifications are sent when email arrives during
non-peak times.

Confirm move to Junk prompt

Determines whether a confirmation prompt displays when the user moves an

email to the Junk folder.

Enable push email mode

When enabled, switches the device from checking email at scheduled

frequencies to a Push Email mode in which the device connects with the
server for sustained intervals to retrieve email.

Off-peak polling interval

Defines the polling interval for retrieving new mail during non-peak times.

TD/iOS
w/ AS
Only

User Configurable Settings:

Synchronization

Suppressions

About Suppressions: An enabled suppression gives the user control of the

setting.
A disabled suppression removes the setting from user devices.
When the suppression has a control setting the administrator can configure it.
When a control setting is not provided, the setting is locked as it was
previously set on the device.

Suppression configuration

Choose which options to hide or expose to TouchDown users. Select All to

enable all suppressions, giving users control. Select None to disable all
suppressions or Custom to set each suppression individually.

Enables users to customize the alerts displayed for appointment reminders.

Suppressions: Calendar, Contacts,

Tasks
Allow appointment alert configuration
Allow appointment reminders at nonpeak times option
Enable appointment reminders at
non-peak times

Enables users to allow appointment reminders during periods when the device
is not synchronizing.
Control setting determines whether appointment reminders display during nonpeak times.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: TouchDown 34

Policy Suite Rules:

Description

TD/A

TouchDown Specific
Allow appointment synchronization
options
Allow category configuration
Allow copy to phone format options

Name format for contacts copied to

phone
Allow enable appointment reminders
option
Enable appointment reminders
Allow include phone contacts in picklist
option
Include phone contacts in picklist
Allow normalize phone numbers option
Normalize phone numbers

TD/A

w/ AS
Only

TD/iOS

Enables users to choose how many days worth of appointments to keep on

the device. From Device Control options, an administrator can set a maximum
or allow users to choose a specific number of days.

Enables users to select colors for contact, event, and task categories.

Enables users to select the format of contacts (First or Last Name placed first)
copied from TouchDown to the Android phone book. Choosing all or some of
the fields in the Phone Book > Phone book fields to copy rule is a prerequisite.

TD/iOS
w/ AS
Only

Control setting defines the format in which contacts are copied to the phone
from TouchDown Exchange contacts. First MI Last, Last First MI, or File as is
Allows users to enable appointment reminders.

Control setting determines whether a notification displays when an

appointment has a reminder.
Enables users to determine whether the contact list is displayed when
composing email or SMS includes contacts from the Android Phone Book.
Control setting determines whether contacts from the Android phone book are
included in the contact picklist that can be accessed while composing email.

Enables users to determine how contact phone numbers retrieved from the
server are formatted.
Control setting defines the format of contact phone numbers retrieved from the
server as follows:

X/x/ext (extension) becomes ;

P/p (pause) becomes ;
W/w (tone wait) becomes ,

Allow reminders configuration

Set reminders (in min)

Enables users to configure repeating reminders for calendar events.

Use the control setting to configure the repeating reminders.
0 = No repeats;
X<0 = reminders start at set reminder time and continue every X minutes until
event starts;
X>0 = reminders repeat every X minutes after event starts

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: TouchDown 35

Policy Suite Rules:

Description

TD/A

TouchDown Specific
Allow update contact changes to phone
option

Update contact changes to phone

TD/A

w/ AS
Only

TD/iOS

TD/iOS
w/ AS
Only

Enables users to determine whether updates made to contacts in TouchDown

also update the phone book database. For iOS devices, updates occur when
the user manually synchronizes contacts.
Choosing all or some of the fields in the Phone Book > Phone book fields to
copy rule is a prerequisite.
Determine whether updates made to contacts in TouchDown also update the
phone book database. For iOS devices, updates occur when the user
manually synchronizes contacts.

Suppressions: Device Control

Allow ActiveSync device type string
field
ActiveSync device type string field

Allow backup database (menu option)

Allow backup settings
Allow disable tablet mode (tablet
devices only) option
Disable tablet mode (tablet devices
only)
Allow exclude attachments from gallery
option
Exclude attachments from gallery
Allow export settings
Allow filtered tasks on home screen
and widgets option

Enables users to modify the ActiveSync device type the device reports to the
GO!Enterprise MDM server. In order for the server to maintain accurate
information, this should be disabled.

Use the control setting to set the ActiveSync device type string to the
TouchDown option.
Enables users to back up the TouchDown database to the SD card.

Enables users to back up the TouchDown settings to the SD card.

Allows tablet users to disable the automatic switch to tablet mode.

Use the control setting to disable the automatic switch to Tablet Mode for
tablet users.
Enables users to determine whether Android Gallery scans the SD card for
TouchDown media files.
Control setting determines whether or not Android Gallery scans the SD card
for TouchDown media files.

Enables users to export to the SD card, a .pcf configuration file with the
settings required to connect to the server.

Enables users to filter tasks shown on the Home screen and on the Task
Widget just as they are on the TouchDown Tasks screen.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: TouchDown 36

Policy Suite Rules:

Description

TD/A

TouchDown Specific
Display tasks on home screen and
widgets
Allow login ID, email address, domain
fields
Allow quick configuration
Allow restore database
(menu option)
Allow restore settings
Allow server name fields

Allow show emails on startup option

Show email list on startup

Allow use system background data

setting option
Use system background data
setting

TD/A

w/ AS
Only

TD/iOS

TD/iOS
w/ AS
Only

Control setting determines whether tasks shown on the Home screen and on
the Task Widget are filtered just as they are on the TouchDown Tasks screen.

Displays the user's ActiveSync account information enabling users to edit it.

Enables users to use the Quick Configuration option to create the ActiveSync
account.

Enables users to restore a backup of the TouchDown database from the SD

card.

Enables users to restore TouchDown settings they have backed up to the SD

card.

Displays the address of the GO!Enterprise MDM server enabling users to edit
it. This option also controls the following device options: Uses SSL and Fetch
and Trust Certificate.

Enables users to open TouchDown to the email list instead of the main display
pane.
Control setting determines whether TouchDown will open to the Email list
instead of TouchDown's main screen.
Determines whether TouchDown honors how the user has configured the
Android Background Data setting, which controls whether the app updates in
the background or only on demand.

When control setting is disabled, TouchDown synchronizes in the background

regardless of how the Android Background Data setting is configured.

Suppressions: Email
Allow always BCC myself option
Enable always BCC myself option

Allow choose folders

Enables the user to send a copy of all outgoing emails to his or her own email
address.
Control setting determines whether a copy of all outgoing email is sent to the
user's own email address.
Enables users to select the folders TouchDown synchronizes with the server.
In addition to Choose Folders, this also controls the following device options:
Selected Email Folders and Refresh Folders.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: TouchDown 37

Policy Suite Rules:

Description

TD/A

TouchDown Specific
Allow disable SmartReplies and
SmartForwards option
Disable SmartReplies and
SmartForwards
Allow dont delete emails on server
option
Do not delete email on server
Allow dont mark read on server
Do not mark email read on server

Allow email alerts configuration

Allow email body style options
Email body style
(Corporate/Individual)
Allow email checking frequency options
Email checking frequency (in
minutes)

Allow email download size options

Allow email view text size options

TD/A

w/ AS
Only

TD/iOS

TD/iOS
w/ AS
Only

Enables users to turn off SmartReplies and SmartForwards.

Control setting disables the SmartReplies/SmartForwards functionality. This

should only be disabled if the server does not support Smart
Replies/Forwards.
Enables users to prevent email they delete on the device from being deleted
on the server.
Control setting determines whether email on the server will be deleted when
email is deleted on the device.
Enables users to prevent email, marked read/unread on the device, from being
marked as read/unread on the server.
Control setting determines whether email marked read/unread on the device
will be marked as read/unread on the server.
Enables users to customize the alerts displayed for new email.
Enables users to choose font, size, color, and style of the HTML email they
compose.
Use control setting to define the font, size, color, and style of text used for
composing HTML email.

Enables users to determine how often the device checks for new email.

When Push Email is not enabled, this control setting defines the frequency at
which the device checks the server for new mail. The recommended value is
15 minutes, as more frequent checks can increase battery drain.
Enables users to determine the size of downloaded email messages An
email larger than this value displays an option to download the remainder.
(Zimbra users - value must be no greater than 10 KB.)

Enables users to select the text size of email they view.

Email text size

Use the control setting to define the text size for viewing emails.

Allow email synchronization options

Enables users to set the age of email to be synchronized to the device. From

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: TouchDown 38

Policy Suite Rules:

Description

TD/A

TouchDown Specific

TD/A

w/ AS
Only

TD/iOS

TD/iOS
w/ AS
Only

Device Control options, an administrator can set a maximum or allow users to

choose a specific age.

Allow enable HTML email options

Allow folder language options
Allow manage rules option
Allow notify on new mail option
Send new mail notifications

Allow out of office configuration

Allow signature line field

TouchDown attempts to download and display email in HTML format. Mail

servers other than Exchange should leave this disabled.

Enables users to choose the language used for folder labeling.

Enables users to create and manage rules for incoming email.

Enables users to determine whether a notification displays when new email

arrives.
Control setting determines whether a notification displays when new mail
arrives.

Enables users to configure automatic Out of Office replies.

Enables users to enter their own signature for email sent from the device.

Suppressions: Security
Allow clean SD card on remote wipe
option
Clean SD card on remote wipe
Allow client certs configuration
Allow remote kill configuration

Remote kill code

Allow security policy display

Enables users to determine whether all files on the SD card are deleted when
a remote Wipe is issued.
Control setting determines whether all files on the SD card are deleted when a
remote Wipe is issued.
Enables users to import a client certificate, which TouchDown uses to
authenticate with the server.
Enables users to configure the device to allow a remote wipe of TouchDown
data. An email sent to the device with a designated code in the subject field
initiates the wipe.

Define the designated code that will initiate a wipe.

Displays the security policies imposed by the server, which are governing the
device.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: TouchDown 39

Policy Suite Rules:

Description

TD/A

TouchDown Specific
Allow S/MIME settings configuration
Allow wipe data (menu option)

TD/A

w/ AS
Only

TD/iOS

Enables users to adjust the settings of the S/MIME options for their device.

Enables users to choose a device option to erase all TouchDown data and
return TouchDown to a pre-registration state.

TD/iOS
w/ AS
Only

Suppressions: Synchronization
Allow defer server updates option

Enable defer server updates

Enables users to determine whether TouchDown updates will synchronize to

the server in batches or as they occur. Batches are sent only when the next
scheduled sync occurs, an item arrives via direct push, or the user initiates a
manual sync.
When control setting is enabled, TouchDown updates synchronize to the
server in batches instead of as they occur. Batches are sent only when the
next scheduled sync occurs, an item arrives via direct push, or the user
initiates a manual sync.

Allow enable SMS syncing (Exchange

2010 Only) option

Enables users to synchronize SMS messages to Outlook.

Allow manual sync when roaming

option

When enabled, automatic synchronization stops when device is roaming, but

users can initiate a manual sync.

Allow notify on password failure option

Enables users to determine whether a notification displays if synchronization

fails due to a user password issue.

Send password failure notifications

Allow notify on polling failure option

Send failed polling notifications

Allow notify on successful polling

option

Control setting determines whether a notification displays if synchronization

fails due to a user password issue.
Enables users to determine whether a notification displays if synchronization
has failed.
Control setting determines whether a notification displays if synchronization
has failed.

Enables users to determine whether a notification displays when

synchronization is successful.

Send successful polling

notifications

Control setting determines whether a notification displays when

synchronization is successful.

Last revision: 09/17/14 Current Release: Version 3.6.x

Policy Rules: TouchDown 40

Policy Suite Rules:

Description

TD/A

TouchDown Specific
Allow peak time configuration

Enables users to set the hours during which TouchDown synchronizes with
the server.

Allow poll during off-peak times option

Enables users to determine whether TouchDown synchronizes with the server

during non-peak times when email is sent, replied to, or forwarded from the
device.

Enable polling at off-peak times

Control setting determines whether TouchDown synchronizes with the server

during non-peak times when the user sends an email, a reply, or forward from
the device.

Last revision: 09/17/14 Current Release: Version 3.6.x

TD/A

w/ AS
Only

TD/iOS

TD/iOS
w/ AS
Only

Policy Rules: TouchDown 41

SECURITY: ALL DEVICES

Security: All Devices

Description

Anrd

Anrd

w/ AS
Only

TD/A

NS/BB

iOS
or
TD/iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM

w/ AS
Only

AS
Only

Security Commands
Disable/Enable Device

Suspend/Resume
Device

Selective Wipe

Device is unmanaged while disabled and

thus blocked from all communication
with the server. It does not occupy a
license seat in this state.
Device is managed (it can be wiped and
continues to send statistics) while
suspended, but blocked from corporate
resources. User cannot access the
applications Config, Managed Apps, and
File Share options and must enter a
password to gain full functionality when
suspension is lifted.

BB10

wOS
WP

BB10

wOS
WP

Un-enrolls the device. Un-enrollment

selectively wipes the device, removing
mail/PIM associated with the mail
application, along with any managed
apps or profiles; clears the
GO!Enterprise MDM account; and
deletes the device from the grid.
Functionality varies by device platform.
Android (native): Devices with native
mail app only wipe the GO!Enterprise
MDM account. Mail/PIM is not wiped.

Android (native) KNOX EMM devices:

Native mail accounts that have been set
up automatically through the KNOX
EMM API wipe the GO!Enterprise MDM
Last revision: 09/17/14 Current Release: Version 3.6.x

Security: All Devices 42

Security: All Devices

Description

Anrd

Anrd

w/ AS
Only

TD/A

NS/BB

iOS
or
TD/iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM

w/ AS
Only

AS
Only

account and mail/PIM data associated

with the native mail app.
Android (TouchDown): Returns
TouchDown to a pre-registration state.
Erases only the TouchDown data from
the SD card. If the Clean SD Card on
Remote Wipe option in the TouchDown
Advanced Settings is enabled, then the
SD card is completely erased.
BlackBerry (OS 4.5-7.1): Removes mail
and PIM data associated with the
GO!NotifySync application. Locks the
device if Require Password is enabled.
iOS: Removes managed iOS profiles,
thus removing corporate resources and
managed apps designated to be
removed when the APN profile is
removed. (Manually created mail profiles
and user-installed apps are not
removed.)
iOS 7.0.3+ devices enrolled in the
Volume Purchase Program: VPP
licenses are reclaimed and the user is
retired from the program when it is the
last iOS 7.0.3+ device associated with
the user.
Symbian and WM: Wipes only the
GO!Enterprise MDM account. Mail/PIM
are not wiped.

Remove User

Stops managing all devices associated

with the user and subsequently removes
the user account and all device records
from the GO!Enterprise MDM server and
dashboard grid.

Last revision: 09/17/14 Current Release: Version 3.6.x

BB10

wOS
WP

Security: All Devices 43

Security: All Devices

Description

Anrd

Anrd

w/ AS
Only

TD/A

NS/BB

iOS
or
TD/iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM

w/ AS
Only

AS
Only

iOS 7.0.3+ devices enrolled in the

Volume Purchase Program : VPP
licenses are reclaimed and the user is
retired from the program.

Wipe Storage Card

Administrators or end users can

remotely wipe all data from the devices
storage card.
Android w/ native ActiveSync account
and Android w/ TouchDown using OS
3.2-4.1.2: Wipes the internal storage
card, but does not wipe the external
storage card - an OS limitation.

Full Wipe

Administrators or end users can issue a

full wipe command. Once the wipe is
completed, the device is removed from
the dashboard User Grid. Functionality
varies by device platform.
(Once the device has been wiped, the
administrator might also want to issue
the Disable or Suspend Device
command to temporarily block the
device.)
Android w/ native ActiveSync account:
Device returns to factory settings. This
entails deleting all data and applications
from the device. Does not erase SD
card. KNOX EMM compatible devices
wipe both internal and external memory.

BB10

wOS
WP

Android w/TouchDown: Device returns to

factory settings. This entails deleting all
data and applications from the device.
Does not erase SD card. When the
Clean SD card on Remote Wipe option
in the TouchDown Advanced Settings is
enabled, SD card is completely erased.
BlackBerry: Removes all mail and PIM
data associated with the GO!NotifySync
application and removes the
GO!NotifySync / GO!Enterprise MDM
Last revision: 09/17/14 Current Release: Version 3.6.x

Security: All Devices 44

Security: All Devices

Description

Anrd

Anrd

w/ AS
Only

TD/A

NS/BB

iOS
or
TD/iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM

w/ AS
Only

AS
Only

accounts. Locks the device if Require

Password is enabled. Erases the entire
SD card, including saved attachments.
iOS: Device returns to factory settings.
This entails deleting all data and
applications from the device.
iOS 7.0.3+ devices enrolled in the
Volume Purchase Program : VPP
licenses are reclaimed and the user is
retired from the program when it is the
last iOS 7.0.3+ device associated with
the user.
Symbian: Device returns to factory
settings. This entails deleting all data
and applications from the device. Some
models (N95 and 6120c) wipe only Mail
for Exchange data. Erases the SD card.
WM: Device returns to factory settings.
This entails deleting all data and
applications from the device. Erases SD
card only on Professional devices.
BB10, webOS and WP or any device
without GO!Enterprise MDM app:
Device returns to factory settings. This
entails deleting all data and applications
from the device.

Lock Device

Administrators or end users can

remotely lock the device, requiring an
unlock password to be entered before
the device can be used.
WM: Lock is initiated only if the device
has a device security password enabled
and only when device syncs with the
server.

Clear Passcode

Passcode is cleared. If passcode is

required by the users policy, the user is
prompted to enter a new passcode.

Last revision: 09/17/14 Current Release: Version 3.6.x

Security: All Devices 45

Security: All Devices

Description

Anrd

Anrd

w/ AS
Only

TD/A

NS/BB

iOS
or
TD/iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM

w/ AS
Only

AS
Only

Network Connection
Security and
Configuration
SCEP (Simple
Certification Enrollment
Protocol
VPN (Virtual Private
Network)

Set up SCEP settings for devices.

Set up VPNs for devices.

Current Functionality: IPSec (Cisco
protocol)

Wi-Fi

Setup WiFi settings, using various levels

of security including WEP, WPA, and
WPA2.

Last revision: 09/17/14 Current Release: Version 3.6.x

46

DEVICE STATISTICS: ALL DEVICES

Device Statistics:

Description

Anrd

All Devices

Anrd

w/ AS
Only

TD/A

NS/BB

iOS
or
TD/iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

NA

S60
w/ AS
Only

WM

WM

w/ AS
Only

AS
Only

Status:
Last Connections
Device App

ActiveSync

iOS APN Sent

iOS APN Check-In

The date and time of the last

successful synchronization with the
GO!Enterprise MDM server.
The date and time of the last
successful synchronization with the
ActiveSync server.

BB10

wOS
WP

The last date and time an APN was

sent from the Apple Push Notification
server.

The last date and time the device

acknowledged an APN from the Apple
Push Notification server.

Status: Battery
Level
Status
Last Boot Time

Displays the percentage of battery life

left for the device.

Displays whether the device battery is

charging or unplugged.

The date and time of the last device

boot.

Whether the data stored in the

Status: Encryption
Device Encrypted

Last revision: 09/17/14 Current Release: Version 3.6.x

Device Statistics: All Devices 47

Device Statistics:

Description

Anrd

All Devices

Anrd

w/ AS
Only

TD/A

NS/BB

iOS
or
TD/iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM

w/ AS
Only

AS
Only

devices local memory is encrypted.

Storage Card Encrypted

Whether the data stored on the

devices storage card is encrypted.

iOS devices do not have SD Card

capability.

Status: Device Memory

Capacity
Available
Percent Free

Displays the total of the used and

unused memory on the device.

Displays the amount of free memory

left on the device.

Displays the percentage of free

memory left on the device.

Status:
External Storage Card
Capacity

Displays the total of the used and

unused memory on the device storage
card.
iOS devices do not have SD Card
capability.

Available

Displays the amount of free memory

left on the devices storage card.
iOS devices do not have SD Card
capability.

Percent Free

Displays the percentage of free

memory left on the devices storage
card.
iOS devices do not have SD Card
capability.

Status: Jailbroken
Jailbroken

Whether or not an iOS or Android

Last revision: 09/17/14 Current Release: Version 3.6.x

Device Statistics: All Devices 48

Device Statistics:

Anrd

S60

Current setting for Voice Roaming.

Current setting for Data Roaming.

Whether or not the device is in

Supervised mode.

All Devices

Anrd

w/ AS
Only

TD/A

NS/BB

iOS
Config
/DEP
Devices

Description

iOS
or
TD/iOS

iOS

w/ AS
Only

S60
w/ AS
Only

WM

WM

w/ AS
Only

AS
Only

device has been jailbroken/rooted.

Status: TouchDown
TouchDown Enrolled

Whether the TouchDown application

is registered on an Android device.

Displays a simple yes or no if the

device is roaming.

Status: Roaming
Currently Roaming
Voice Roaming Enabled
Data Roaming Enabled

Status: Supervised
Is Supervised

Requires iOS 6 or later.

Status: Device Locator

Service
Device Locator Service
Enabled

Whether the device has a device

locator service (such as Find My
iPhone) enabled.
Requires iOS 7 or later.

Status: Do Not Disturb

Is Do Not Disturbed in
Effect

Whether the devices Do Not Disturb

option is enabled, silencing calls,
alerts, and notifications.
Requires iOS 7 or later.

Network:
Downloaded Data
Any

Data usage statistics for data going

Last revision: 09/17/14 Current Release: Version 3.6.x

Device Statistics: All Devices 49

Device Statistics:

Description

Anrd

All Devices

Anrd

w/ AS
Only

TD/A

NS/BB

iOS
or
TD/iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM

w/ AS
Only

AS
Only

out from the device over the network

since the last device boot time. It is
the sum-total of all networks.
BlackBerry: Limited to GSM devices.

Cellular

Downloaded Data: WiFi

Data usage statistics for data coming

in to the device over the network since
the last device boot time. It is the
subtotal for the cellular network alone.

Data usage statistics for data coming

in to the device over the network since
the last device boot time; the subtotal
for WiFi alone.

Data usage statistics for data going

out from the device over the network
since the last device boot time; the
subtotal for the cellular network alone.

Data usage statistics for data going

out from the device over the network
since the last device boot time; the
subtotal for WiFi alone.

Displays the network type the device

is using.

Displays the signal strength using a

percentage value.

Network:
Uploaded Data
Any

Data usage statistics for data going

out from the device over the network
since the last device boot time; the
sum-total of all networks.

BlackBerry: Limited to GSM devices.

Cellular

WiFi

Network:
Network Details
Network Type
Signal Strength

Last revision: 09/17/14 Current Release: Version 3.6.x

Device Statistics: All Devices 50

Device Statistics:

Description

Anrd

All Devices
SIM Card IMSI Number

Cellular Technology

Current Carrier Network

The ID number of the SIM card:

International Mobile Subscriber
Identity.

Carrier Settings Version

Ethernet MACs

TD/A

NS/BB

Cellular technology
0 = none
1 = GSM
2 = CDMA

iOS
or
TD/iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM

w/ AS
Only

AS
Only

Name of home carrier network. (Note:

Applies to CDMA in spite of its name.)

Version of the currently installed

carrier settings file.

Name of current carrier network.

Android devices: Requires KNOX
EMM compatibility

SIM Carrier Network

Anrd

w/ AS
Only

Ethernet MAC addresses.

Requires iOS 7 or later.

Network: Hotspot
Personal Hotspot Enabled

Whether the device connected to the

Internet over a cellular data network is
sharing the Internet connection with a
computer or other iOS device
connected to it via Wi-Fi or a
computer connected to it via Bluetooth
or USB.
Requires iOS 7 or later.

About:
Device Application
Device Application:
Version
Device Application:

Displays the version number of the

GO!Enterprise MDM device
application.

Name of the language the

Last revision: 09/17/14 Current Release: Version 3.6.x

Device Statistics: All Devices 51

Device Statistics:

Description

Anrd

All Devices
Language

Anrd

TD/A

NS/BB

w/ AS
Only

iOS
or
TD/iOS

w/ AS
Only

iOS

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM

w/ AS
Only

AS
Only

GO!Enterprise MDM device

application is using.

About: ActiveSync
ActiveSync: Version

ActiveSync protocol version used by

the device.

BB10

wOS
WP

ActiveSync: User Agent

The devices native ActiveSync

application version that corresponds
to the devices operating system
version.

Name of the language the device OS

is using.

Displays the device OS version.

BB10

wOS
WP

About:
Operating System
Operating System:
Language
Operating System:
Version
Operating System:
OS

The base operating system used for

the device platform.
Android devices: Requires KNOX
EMM compatibility.

Operating System:
Kernel Version

The version of the kernel portion of

the device platforms base operating
system.

Android devices: Requires KNOX

EMM compatibility.

About: Device
Model

Devices internal model number.

Android devices: Requires KNOX
EMM compatibility.

Model Name

Name of the device model.

Last revision: 09/17/14 Current Release: Version 3.6.x

Device Statistics: All Devices 52

Device Statistics:

Description

Anrd

All Devices

Anrd

w/ AS
Only

TD/A

NS/BB

iOS
or
TD/iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM

w/ AS
Only

AS
Only

Android devices: Requires KNOX

EMM compatibility.

Device Name

The name of the device.

iOS devices: Given via iTunes
Android devices: Given via KNOX
EMM API; Requires KNOX EMM
compatibility.

Maker

Platform
Platform Version Name

Displays the device platform type as

reported by the device.

Displays the devices phone number.

The time zone setting on the device.

The time difference between the

The name of the device platform

version.

BB10

Displays the device UID.

Symbian: Device UID is the same as
Device IMEI.

IMEI

Tracks whether the device is a

company device or personal device.

Android devices: Requires KNOX

EMM compatibility.

UID

The device manufacturer.

Android devices: Requires KNOX
EMM compatibility.

Ownership

The International Mobile Equipment

Identify number. See
http://en.wikipedia.org/wiki/Internation
al_Mobile_Equipment_Identity

WP

BlackBerry: Limited to GSM devices.

Phone Number
Time Zone
GMT Offset

Last revision: 09/17/14 Current Release: Version 3.6.x

Device Statistics: All Devices 53

Device Statistics:

Description

Anrd

All Devices

Anrd

w/ AS
Only

TD/A

NS/BB

iOS
or
TD/iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM

w/ AS
Only

AS
Only

devices time zone and Greenwich

Mean Time.

Build Version
Product Name
Serial Number
Modem Firmware Version

iOS build number.

The model code for the device.

Devices serial number.

ICCID
Bluetooth MAC

Subscriber MCC
Subscriber MNC
Current MCC
Current MNC
iTunes Account Active

The devices MEID (CDMA).

The ICC identifier for the installed SIM

card (if applicable)

Home Mobile Country Code

Home Mobile Network Code

Current Mobile Country Code

Current Mobile Network Code

Whether the device is currently using

an iTunes account.

Bluetooth MAC address.

Android devices: Requires KNOX
EMM compatibility.

WiFi MAC

The baseband firmware version.

Android devices: Requires KNOX
EMM compatibility.

MEID

WiFi MAC address.

Requires iOS 7 or later.

Last revision: 09/17/14 Current Release: Version 3.6.x

Device Statistics: All Devices 54

COMPLIANCE MANAGER
Compliance Manager

Description

Anrd

Anrd

w/ AS
Only

TD/A

NS/BB

iOS

TD/
iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

Access Restriction
A device cannot support sufficient
ActiveSync policies, because of ActiveSync
version support limitations with the device or
server.

Restrict BlackBerrys without

GO!NotifySync

A BlackBerry device that does not have the

GO!NotifySync application has enrolled.
Devices that have the GO!NotifySync app,
but not the GO!Enterprise MDM app also
trigger this restriction.

NA

Restrict cellular connection

A device is using a cellular network

connection and is in violation of the enabled
Restrict Cellular Connection access policy.

Restrict if Android user

disables Device
Administrators

An Android user has not granted device

administration privileges to the
GO!Enterprise MDM app.

Restrict if roaming detected

A device is roaming and is in violation of the

Restrict if Roaming Detected access policy.

Restrict if SIM Card

removed or changed

A user has removed or changed the SIM

card in a device and is in violation of the
Restrict if SIM Card is Removed or
Changed access policy.

Restrict Liability

A device enrolls with a liability status

specifically restricted by the Restrict Liability
access policy.

Restrict ActiveSync protocol

Last revision: 09/17/14 Current Release: Version 3.6.x

BB10

wOS
WP

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

BB10

BB10

wOS
WP

Compliance Manager 55

Anrd

Anrd

TD/A

NS/BB

iOS

TD/
iOS

iOS

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

Compliance Manager

Description

Restrict on ActiveSync
authorization failures

A device passes invalid credentials for the

ActiveSync account of a known user to the
server a number of times that exceeds the
set limit.

Restrict on GO!Enterprise
MDM MDM authorization
failures

A device passes invalid credentials for the

GO!Enterprise MDM account of a known
user to the server a number of times that
exceeds the set limit.

NA

NA

NA

NA

NA

NA

Restrict TouchDown for

Android

TouchDown is required and either an

Android device does not have the
TouchDown application or the TouchDown
version does not meet the minimum
requirement.

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

Restrict user ActiveSync

connections

A devices Last ActiveSync Sync time stamp

has not updated within the set interval.

w/ AS
Only

w/ AS
Only

BB10

wOS
WP

BB10

wOS
WP

Restrict when Blacklist App

detected

A device has a blacklisted application

installed.

Restrict when non-Whitelist

App detected

A device has an application that does not

match the whitelist criteria.

Restrict Wi-Fi connection

A device is using a Wi-Fi connection and is

in violation of the enabled Restrict Wi-Fi
Connection access policy.

Single Devices

A specific device, identified by phone

number or UID number, has been denied
access.

Single Users

A specific user, identified by User Name,

has been denied access.

BB10

wOS
WP

Last revision: 09/17/14 Current Release: Version 3.6.x

Compliance Manager 56

Compliance Manager

Description

Anrd

Anrd

w/ AS
Only

TD/A

NS/BB

iOS

TD/
iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

Device Platform
Restriction
BB10

A device enrolls via the native ActiveSync

agent alone and without the GO!Enterprise
MDM application.

Restrict if location services

are off

A devices location has not updated within

the defined interval.

Restrict user GO!Enterprise

MDM connections

A devices Last GO!Enterprise MDM Sync

time stamp has not updated within the set
interval.

Restrict if policy out of date

A policy has been updated on the server,

but a device has not updated within the set
grace period.

Restrict rooted devices

A rooted Android device connects to the

server.

Restrict jailbroken devices

A jailbroken iOS device connects to the

server.

NA

Restrict if iOS passcode not

initiated

The users policy suite requires a password,

but the iOS device does not have a
passcode initiated.

Restrict if iOS passcode is

not compliant with
requirements

Restrict if GO!Enterprise
MDM app is not enrolled

wOS
WP

NA

BB10

wOS
WP

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

The users policy suite requires a password,

but the iOS device does not have a
passcode compliant with the requirements.

NA

NA

NA

NA

Restrict if iOS passcode is

not compliant with data
protection

The iOS device does not have a passcode

and thus is not compliant with iOS data
protection, which enhances the built-in
hardware encryption by protecting the
hardware encryption keys with the
passcode.

NA

NA

NA

NA

Restrict if iOS unmanaged

An iOS device has an unmanaged

NA

NA

NA

NA

Last revision: 09/17/14 Current Release: Version 3.6.x

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

Compliance Manager 57

Anrd

TD/A

NS/BB

NA

NA

NA

NA

A devices Last iOS APN Sync time stamp

has not updated within the set interval.

NA

NA

NA

NA

Low battery detection

A devices battery level has fallen below a

specified warning level.

Low memory detection

A devices memory level has fallen below

the greater of the two specified levels.

Low on redemption codes

Low application availability

The number of redemption codes (for iOS

devices installing an app obtained through
the Apple Volume Purchase Program)
available on the server has fallen below a
specified amount.

Compliance Manager

Description

configuration profile is on
device

configuration profile.

Restrict if iOS APN profiles

are not enrolled

An iOS device has not loaded the iOS APN

configuration profile and has never
synchronized through the Apple MDM API.

Restrict if no iOS APN

connectivity

Anrd

w/ AS
Only

iOS

TD/
iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

NA

NA

NA

NA

NA

NA

NA

NA

NA

NA

Non-Access Policy Based

Alerts

A managed application purchased in

bulk is close to its availability limit
(download limit or number of available
licenses/redemption codes).
GO!Enterprise MDM app is
not enrolled

Organization-wide
ActiveSync connectivity

Organization-wide
GO!Enterprise MDM

A device of any platform type connects to

the server via ActiveSync and does not
have the GO!Enterprise MDM application
enrolled.

BB10

wOS
WP
BB10

The Last ActiveSync Sync time stamp has

not updated for any users within the set
interval.

The Last GO!Enterprise MDM Sync time

stamp has not updated for any users within
the set interval.

Last revision: 09/17/14 Current Release: Version 3.6.x

wOS
WP

BB10

Compliance Manager 58

Compliance Manager

Description

Anrd

Anrd

w/ AS
Only

TD/A

NS/BB

iOS

TD/
iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

connectivity
Watch List

User's e-mail not set

A device/user or policy suite on the Watch

List grid has exceeded the time for which it
was being monitored.
A users email address has not been set.
Because a users email address cannot
always be determined during Hands-Off
provisioning, this alerts the administrator
that an email address for the user should be
manually set.

BB10

wOS
WP

BB10

wOS
WP

Event Based Alerts

ActiveSync Account Already
Enrolled

Reset for enrollment

An iOS profile included an ActiveSync

payload that could not be installed because
an identical ActiveSync account was already
enrolled.

An administrator has issued a Reset for

Enrollment from the dashboard to a device.

NA

NA

NA

NA

NA

NA

NA

NA

NA

BB10

wOS
WP

Clear passcode issued by

Admin

An administrator has issued a Clear

Passcode command from the dashboard to
an iOS device.

Full wipe issued by Admin

An administrator has issued a Full Wipe

command from the dashboard to a device.

NA

NA

NA

NA

NA

NA

NA

NA

NA

BB10

wOS
WP

Full wipe issued by user

Lock device issued by

BB10

A user has issued a Full Wipe command

from the User Self Administration Portal to
their device.

An administrator has issued a Lock Device

Last revision: 09/17/14 Current Release: Version 3.6.x

wOS
WP

Compliance Manager 59

Compliance Manager

Description

Admin

command from the dashboard to a device.

Lock device issued by user

A user has issued a Lock Device command

from the User Self Administration Portal to
their device.

New Hands-Off Enrolled

device

Any time a new device uses Hands-Off

enrollment to connect to the system.

Anrd

Anrd

w/ AS
Only

TD/A

NS/BB

iOS

TD/
iOS

iOS

w/ AS
Only

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

BB10

wOS
WP

New Hands-Off Enrolled

user

Any time a new user uses Hands-Off

enrollment to connect to the system.

BB10

wOS
WP

Recovery password
requested by device

A user requests a temporary recovery

password form a devices locked screen.

Recovery Password viewed

by Admin

An administrator has attempted to view a

temporary recovery password issued for a
user from the dashboard.

Recovery Password viewed

by user

A user has attempted to view a temporary

recovery password from the User Self
Administration Portal. (This does not detect
when the recovery password has been
viewed through OWA.)

Restricted device attempts

to connect

A restricted device tries to access

ActiveSync, File Share, or Managed Apps
when these resources have been blocked.

An administrator has issued a Selective

Wipe command from the dashboard to a
device.

A user has issued a Selective Wipe

command from the User Self Administration
Portal to a device.

Selective wipe issued by

Admin

Selective wipe issued by

user

Last revision: 09/17/14 Current Release: Version 3.6.x

BB10

wOS
WP
BB10

wOS
WP
BB10

wOS
WP

Compliance Manager 60

Compliance Manager

Description

Anrd

TouchDown policy override

detection

The system issues a warning if it detects

that a user has overridden the TouchDown
settings governed by GO!Enterprise MDM.

NA

User restricted

A user becomes restricted for any reason.

Anrd

TD/A

NS/BB

NA

NA

w/ AS
Only

iOS

TD/
iOS

NA

w/ AS
Only

iOS

iOS
Config
/DEP
Devices

S60

S60
w/ AS
Only

WM

WM
w/ AS
Only

AS
Only

NA

NA

NA

NA

NA

NA

NA

BB10

wOS
WP

Wipe storage card

An administrator has issued a Wipe Storage

Card command from the dashboard to a
device.

Enable and set parameters to keep

track of the APNs certificate expiration.
Default settings are to issue the
reminder 30 days prior to the expiration
and repeat it every day.

NA

NA

NA

NA

NA

NA

NA

System Alerts
Apple Push Notification
(APNs) Certificate
Expiration

Last revision: 09/17/14 Current Release: Version 3.6.x

NA

NA

NA

NA

NA

NA

Compliance Manager 61