Policy Management
About the feature
The Policy Management features provide a way for organizations to manage and configure devices seamlessly at scale.
It is an administrative tool for remote device configuration. Lunar Control Center interacts with devices through a collection of APIs integrated with the managed devices through a System application.
Lunar Control Center does not rely on any third-party infrastructure or services, such as Google Play Store or Android Enterprise. It delivers its functionality through services hosted by the organization.
Lunar Control Center admins can manage the following device policies through the Console:
Device policies
Those represent a group of policies, including hardware, device, sync, wipe, lock screen, and encryption policies.
Hardware policies
Includes settings related to the availability of functions delivered by hardware components. When disabled, applications will not be able to provide functions that require the use of these components even if applications are granted access to these components.
Camera
Enables or disables device cameras. Admins can disable only the front camera, only the rear cameras, or all device cameras.
USB
Enables or disables USB functions, including File Transfer, MIDI, and PTP, for connected devices. Devices with USB disabled by policy can still be charged through their USB port.
Screenshots
Enables or disables taking screenshots on the device. The screenshot permission affects screenshots taken through any application, including system or third-party applications.
Microphone
Enables or disables the usage of a microphone on the device. Disabling the microphone will prevent all voice functionality including calls, push-to-talk messages, audio recording, and audio feed on recorded videos.
Fingerprint
Enables or disables the usage of the fingerprint sensor as authentication on the device.
Device sensors
Enables or disables the functionality of all device sensors, such as accelerometer, geomagnetic field, gravity, gyroscope, light, proximity, and more. The available device sensors depend on the device model used.
Kill switch
Enables or disables the functionality of a custom device component used for disabling services such as connectivity, Bluetooth, and WiFi from the user. Kill switch functions are only available for specific device models.
Service Policies
Includes settings related to the availability of different device functions. When disabled, the functions will not be accessible by any application.
Voice service
Enables or disables voice services on the device. When disabled, it restricts all incoming and outgoing telephony calls on the device. VoIP calls made through external apps are not restricted.
SMS/MMS
Enables or disables SMS and MMS services on the device. When disabled, it restricts all incoming and outgoing SMS or MMS messages, including silent SMS or MMS.
Installation of 3rd party apps
Enables or disables the installation of 3rd party applications on the device. Disabling it prevents installation of any applications through 3rd party app stores or local APK installation. When disabled, users will only be able to install applications allowed in their application policy.
Send debugging information
When disabled, prevents users from sending device software bug reports to Lunar Control Center.
Emergency center
Enables or disables the device user's access to the emergency center functionality on Lunar OS. When enabled, the user can activate an SOS sound alarm or initiate an SOS device wipe, including sending an SOS message to their organization and triggering instant device wipe.
Can manage Screen timeout
Enables or disables the option for users to change their screen timeout setting on the device.
Top-up
When enabled, it adds a top-up option for users in the My Account menu on their device. The top-up menu function depends on the custom implementation on the OS side.
Update account password
Enables or disables the ability of device users to update the account password used to enroll the device. If disabled, the account password can only be changed from Lunar Control Center.
MicroG Services
When enabled, devices get the MicroG service installed and configured. Read more about MicroG functionality here.
Sync Policies
Includes settings related to the frequency of automated device syncs to the server and sync wipe rules.
Allow accounts to manage "sync" section in personal account settings
If enabled, users will be able to select the sync interval and the max failed sync to wipe settings.
Sync interval [s]
Determines how frequently the device attempts to sync with the Lunar Control Center.
Wipe Policies
Includes settings related to device wipe functions.
Max failed sync to wipe
Determines the maximum number of unsuccessful sync attempts a device is allowed before a local device wipe triggers. If the device fails to sync with the Lunar Control Center server for the set interval, an automated factory reset will be triggered, wiping all device data and logging out of the account.
Allow accounts to manage "wipe password" section in personal account settings
If enabled, users will be able to set up a duress wipe PIN/Password on their device.
Wipe password
Allows Lunar Control Center administrators to set up a wipe password for the device. The device wipe password is used to wipe the device when entered in the lock screen menu.
Lock Screen Policies
Includes settings related to the lock screen function for devices.
Lock Screen Method
Determines if the user is allowed to use a PIN code or a Password when setting up their lock screen protection.
For the PIN code method, administrators can set the minimum number of PIN symbols required.
For the Password method, administrators can set a pass quality requirement.
Pass history restriction
Determines if the user is allowed to use a PIN code or a Password when setting up their lock screen protection.
For the PIN code method, administrators can set the minimum number of PIN symbols required.
For the Password method, administrators can set:
- pass quality requirement
- password history restriction (determines the number of unique new passwords that must be associated with a user account before an old password can be reused)
- password minimum length
- password expiration [days]
Timeout for screen lock [s]
Sets the screen timeout before the device locks automatically. Available values include 15s, 30s, 1min, 2min, 5 min, 10 min, and 30 min.
Can manage Screen timeout
Enables or disables the option for users to change their screen timeout setting on the device.
Application Policies
Application policies determine the access to applications for device users. By using application policies, administrators can select to install and/or uninstall applications from devices.
OS policies
Includes settings related to the OS running on the device. Admins can set the OS version the device will be running on. This can be a specific OS or the latest OS build made available through OS Updater.
Software policies
Includes settings related to the software version of applications on devices.
Policy Levels and Creation of Policies
Lunar Control Center allows the management of policies on multiple levels, including Default System, Group, and Personal policies.
Default System level
Each LCC instance has a set of Default System Policies. Those are the default policies for all users unless a Group or Personal policy overwrites them.
Administrators can set up Default System policies for Device, Applications, OS, and Software Policies.
Click on Manage

Click on Device Policy / Application Policy / OS Policy / Software Policy (depending on what policy you want to create)

Click on + Default Policies

Select OS type

Select policies
Click on Create

Group level
Groups are objects created by Lunar Control Center administrators in order to manage policies for a collection of accounts. Group policies overwrite Default System policies and are applied to all users who are part of the Group.
To start, create a group by following the steps below:
Hover over the Config icon in the top right corner.

Click on Groups
Click + Create

Fill in the fields, including:
- Name: the name the group will be identified with
- Parent group: allows you to create a group under an already existing parent group.
- Group disk quota [MB]: allows you to set up a quota different than the default for the maximum amount of backup each account can use.
- Group traffic quota [MB]: allows you to set up a traffic quota different than the default for the maximum network traffic a device can make.

Once you have created a group, you can set up Device, Applications, OS, and Software Policies for it by following these steps:
Click on Manage

Click on Device Policy / Application Policy / OS Policy / Software Policy (depending on what policy you want to create)

Click on + Create

Find your group in the Search for Group field

Select OS type

Enter a policy name

Select policies
Click on Create

Personal level
Personal policies are created for each user account. Personal policies overwrite Group and Default System policies.
You can create a personal policy by following these steps:
Click on Manage

Click on Device Policy / Application Policy / OS Policy / Software Policy (depending on what policy you want to create)

Click on + Create

Find your group in the Search for Group field

Select OS type

Enter a policy name

Select policies
Click on Create

Assignment of Policies
Newly enrolled devices are automatically assigned their Group Policies if a group exists, or the Default System Policies if they are not part of a group.
When an existing policy (Default System or Group) is edited, the changes affect the devices under that policy.
As a Lunar Control Center admin, you can change the policy for each user account by following these steps:
Click on Manage

Click on Accounts

Click on the User's username under the "Username" section

Select from the dropdown the Device, Application or OS policy you want to reassign.

Click on Save

User Access Level
The access level of the user determines how much control users have over their device policies.
There are 3 access levels:
Limited user: users are not able to change their own device policies. Policies assigned to them are forced.
Power-user: power users' devices receive the policies assigned to them, but they can also change those via their Phone Manager application (installed on their device), or through the Lunar Control Center User Portal if it is enabled.
Group administrator: group administrators have all the rights of power users, plus the ability to manage policies for devices that are in their group. Management of group policies is only available in the Lunar Control Center User Portal if it is enabled.
As an administrator, you can change a user's access level by following these steps:
Click on Manage

Click on Accounts

Click on the User's username under the "Username" section

Select an option from the access level dropdown.

Click on Save

Permission Groups
Permission groups allow additional policy control for Lunar Control Center administrators.
Permission Groups are used to set restrictions for Power Users, limiting which policies they can manage themselves and which policies are restricted and cannot be changed.

To use Permission Groups, you first have to create one by following the steps below:
Click on Manage

Click on Permission Groups

Click + Create

Fill in the fields, including:
- Name: the name of the permission group
- Group: choose a group associated with the permission group (users in this group will not be automatically added to the permission group)
- OS version: select OS version
Configure your permission group rules
Click Create

Once the permission group is created, you can add user accounts to it by following these steps:
Click on Manage

Click on Permission Groups
Click on Manage Users

Select users to be added to the permission group by clicking on the checkmark next to the username (only users that are part of the linked Group will be shown as available)
Press Add All Checked Users

Press Save

The Manage Users menu also allows you to remove Users from the Permission Group.
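The precedence rules under Policy Levels, together with the access levels and permission group restrictions, can be checked with a small model when auditing which value is in force for an account and whether the user can change it. This is an added example, not Lunar Control Center code or its API: the setting names, the per-setting overlay of levels, and applying permission group restrictions to every non-limited account are assumptions, and the sample data is constructed.

```python
# Added illustration: a toy model of the precedence and access rules described
# on this page. All names and the per-setting overlay are assumptions, not
# Lunar Control Center's API.
from dataclasses import dataclass, field

LEVELS = ("default", "group", "personal")      # least to most specific
SELF_SERVICE = {"power_user", "group_admin"}   # "limited" users get forced policies


@dataclass
class Account:
    username: str
    access_level: str                             # limited | power_user | group_admin
    policies: dict = field(default_factory=dict)  # level -> {setting: value}
    locked: frozenset = frozenset()               # settings restricted by a permission group


def effective_policy(acct):
    """Overlay Default System, then Group, then Personal; record each value's source."""
    merged = {}
    for level in LEVELS:
        for setting, value in acct.policies.get(level, {}).items():
            merged[setting] = (value, level)
    return merged


def user_may_change(acct, setting):
    """Return (allowed, reason) for a change requested from the device or User Portal."""
    if acct.access_level not in SELF_SERVICE:
        return False, "limited user: assigned policies are forced"
    if setting in acct.locked:
        return False, "restricted by permission group"
    return True, "self-service change allowed"


# Constructed sample data (hypothetical setting names and values).
DEFAULT = {"camera": "enabled", "usb": "enabled", "sync_interval_s": 3600}
GROUP = {"usb": "disabled", "max_failed_sync_to_wipe": 24}
alice = Account("alice", "power_user",
                {"default": DEFAULT, "group": GROUP, "personal": {"camera": "disabled"}},
                locked=frozenset({"usb", "max_failed_sync_to_wipe"}))
bob = Account("bob", "limited", {"default": DEFAULT, "group": GROUP})

if __name__ == "__main__":
    for acct in (alice, bob):
        print(acct.username)
        for setting, (value, level) in sorted(effective_policy(acct).items()):
            ok, why = user_may_change(acct, setting)
            print(f"  {setting}={value!r} from {level}; user change: {ok} ({why})")
```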