TDM

Xewli recommended policy

Xewli provides a recommended policy. We’ve applied almost all of the policy items from both the DISA STIG and NCSC EUD Guidance, with the following exceptions:

  • The Location sharing device feature, because tactical devices are commonly used for shared situational awareness applications and require location.

  • Configuring Location is allowed, to support situational awareness usage.

  • The Use US DoD certificate security feature, as it is specific to US DoD usage.

  • USB data signaling is enabled, to facilitate use of tactical radios and hubs.

Policy Summary

Users may not configure:

  • Bluetooth

  • Credentials

  • Date and time

  • Tethering

  • VPN

The following device features are disabled:

  • App installs

  • Autofill

  • Debugging

  • Screen capture

  • Modifying user accounts

  • Mount physical media

  • Unknown app sources

  • USB file transfers

  • Disable safe boot mode

The policy applies the security features:

  • Common Criteria mode

  • Automatically apply system updates

  • Automatic time required

  • Only allow system input methods

  • Disable Google backup services

  • Disable Chrome search suggestions

  • Enable security logging

  • Disallow trust agents

  • Disallow all notifications on the lockscreen

  • Disable sensitive notifications

  • Disable camera shortcut at the lockscreen

  • Enforce Google Play Protect

  • Disallow fingerprint unlock

  • Disallow face unlock

  • Disallow iris unlock

Users are required to use an 8-digit, non-repeating, non-sequential PIN. On devices running Android 12+, the user may optionally choose a 6-character password (8 characters on Android 11 and lower). The screen lock time is set to 1 minute.
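
One way to pre-check candidate lock-screen secrets against the rule above, as an added example that is not TDM's or Xewli's code. It assumes the rule behaves like Android's numeric-complex quality (more than three digits in a row with a constant step count as repeating or sequential) and that the stated lengths are minimums; neither is stated on this page, and the function names are hypothetical.

```python
# Added example: mirrors the PIN/password rule in the Policy Summary.
# Assumptions (not stated on the page): a run of more than MAX_RUN digits with
# a constant step (0 = repeating, e.g. 1111; non-zero = sequential, e.g. 1234,
# 4321, 2468) is rejected, and the stated lengths are minimums.

MAX_RUN = 3        # assumed threshold: longest tolerated constant-step run
PIN_MIN_LEN = 8    # from the page: 8-digit PIN


def longest_constant_step_run(digits: str) -> int:
    """Length of the longest run whose consecutive digits differ by a fixed step."""
    if len(digits) < 2:
        return len(digits)
    best = run = 2
    step = int(digits[1]) - int(digits[0])
    for prev, cur in zip(digits[1:], digits[2:]):
        d = int(cur) - int(prev)
        if d == step:
            run += 1
        else:
            step, run = d, 2   # a new run starts at the previous digit
        best = max(best, run)
    return best


def password_min_len(android_version: int) -> int:
    """From the page: 6 characters on Android 12+, 8 on Android 11 and lower."""
    return 6 if android_version >= 12 else 8


def check_secret(secret: str, android_version: int) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate lock-screen secret."""
    if secret.isascii() and secret.isdigit():   # all digits: treat as a PIN
        if len(secret) < PIN_MIN_LEN:
            return False, "PIN shorter than 8 digits"
        if longest_constant_step_run(secret) > MAX_RUN:
            return False, "PIN contains a repeating or sequential run"
        return True, "PIN accepted"
    if len(secret) < password_min_len(android_version):
        return False, "password too short for this Android version"
    return True, "password accepted"


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for s, v in [("12345678", 13), ("11112222", 13), ("83920571", 13),
                 ("1357", 13), ("k7!pQz", 12), ("k7!pQz", 11)]:
        print(s, v, check_secret(s, v))
```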

Considerations

Remote SMS Wipe

If the devices have cellular connectivity, we encourage administrators to consider configuring the remote SMS wipe capability.

US DoD use

US DoD administrators who choose to apply our recommended policy should enable the DoD certificate to force their devices to trust the server certificates generated by the US DoD.


© Copyright 2022, Xewli.
