Android Mobile Device Management
Enforce filtering and device settings by managing an Android device
Android smartphones have limited ways that you can block unwanted content and restrict easy bypass of those content restrictions.
However, it's possible to configure a fully managed Android smartphone, which gives you much more control over content blocking and bypass prevention.
Businesses will often use Mobile Device Managers (MDM) to completely control smartphones that they issue to employees for business purposes.
As a result, Mobile Device Managers unlock powerful capabilities that allow you to block unwanted content and prevent bypass much more effectively.
The best part is that once a setting is enforced with a Mobile Device Manager, these settings cannot be changed from the device itself. The settings can only be changed in the MDM dashboard.
You don't need to be a business to access Mobile Device Management capabilities. In fact, you can get access to Device Management for free!
Here are some capabilities that you unlock using a mobile device manager:
With an MDM, you can remotely configure a fully managed device. This means that you can make policy changes and those changes will be automatically synced with the Android device you are managing. You don't need physical access to the device to make changes.
When you use the "silent installation mode," you can remotely install an app on a device. This remotely installed app can't be deleted by the user on the device. It has to be uninstalled using the MDM.
This is a powerful feature when combined with a DNS Filtering application or a content blocking application.
Enforce built-in browser content filtering to block Adult and malicious content. You can even set up a restrictive "allow-only" mode where all websites in the browser are blocked by default unless you specifically added them to the allow list.
Create an app policy such that a user cannot download apps that haven't been explicitly approved.
Alternatively, you can allow all apps other than the ones you explicitly block.
In case of a lost or stolen device, adults can remotely lock or wipe their smartphones to safeguard personal data and prevent unauthorized access. This feature provides an extra layer of security and peace of mind.
Mobile device managers often offer location tracking capabilities, allowing adults to keep tabs on the whereabouts of their smartphones. This feature can be useful in case of misplaced devices or for ensuring the safety of family members.
This setup guide uses the Mobile Device Manager called Manage Engine. The free tier is perfect for home use. The interface is a bit rough, but usable.
Signup for ManageEngine
The below video shows the entire process from start to finish with some explanations of some steps.
Use this video as a supplement to the rest of the guide.
This section explains how you connect your Android device to a Mobile Device Manager.
A mobile device manager uses profiles to set device restrictions and enforce settings.
This setting is useful for some people, who might go to great lengths to access an unfiltered device. Keep in mind that you can still reset the device using the MDM.
Consider enforcing either option:
Hide Sensitive Content or
Don't show notifications at all. This is useful if you are trying to reduce your smartphone usage and don't want to be constantly interrupted by app notifications. Enforcing this setting means that you don't have to manually customize this option.
Some bypass methods utilize the device's safe mode. I recommend disabling safe mode.
Similar to safe mode, developer mode can be used to bypass some restrictions. However, these methods are more difficult than safe mode. Consider disabling this.
This is a powerful feature because it allows you to blocklist any app (excluding system apps) that aren't specifically approved in your MDM. Consider checking this option if you need a much more restrictive device setup.
Preventing app uninstall is useful but not required. If you want to enforce the use of an application and prevent uninstalling, you'll just distribute the app with the MDM. However, you might find it useful to prevent uninstalling apps.
I recommend disabling this option so that the users can't force-stop certain apps.
Consider setting this to auto deny.
Restricting the android browser will remove the ability to use any kind of internet browser on the android device. This setup is incredibly restrictive, but useful for people who want a "dumb phone" without sacrificing GPS and music players.
You could potentially restrict the device so that it can only connect to an approved Wifi connection, such as your home network, which uses a content filter. If you choose this option, you must set Wi-Fi to
Always on, otherwise, the user can bypass this restriction by disabling Wi-Fi and browsing on the phone's roaming connection (3g, 4g, 5g internet).
This setting should be
disabled since a VPN can be used to bypass DNS Filtering.
Enabling Kiosk mode gives you access to even more device restrictions.
You can enforce Kiosk mode. Here's my phone running in kiosk mode in Multi App Mode:
Consider blocking access to the following Android features by not including them in the Allowed Apps list:
- General Settings app
- Web Browsers
- Google Play store or Android App Store
Allowlist - Allow-only mode
This is also known as "default deny" and will block access to everything other than the URLs you specify here. This is the most restrictive content filtering setup, so use this with caution.
Blocklist - Block specific URLs
This is a more common content filtering approach.
Update the device to use the restrictions you specified in the profile you created.
If you plan to manage multiple devices that use the same device restrictions, I recommend creating a device group.
Creating a device group simplifies the process of distributing apps and profiles to multiple devices at the same time.
The profile should automatically sync to the devices that are associated with that group. It might take a few minutes to sync.
Configure managed Google play so that you can install apps on your device using the MDM. This will allow you to force app configurations and prevent uninstall while also preventing certain apps from being installed.
Enforce apps on Android / Prevent deleting app on Android
Distribute an app to all devices associated with a group. This is a great way to enforce app settings, prevent app uninstall, and also automatically install an app on all devices enrolled in your MDM (and associated with your group).
Blacklist apps / Blocklist apps / App Blocking techniques
Blocking an app using the MDM will uninstall the app from the device if it was previously installed and prevent it from being installed in the future.
You can configure your Profile to disable allowing the user to uninstall apps on the device in Your Profile > Restrictions > Applications > set
Uninstalling Apps to
Alternatively, you can prevent app uninstall on a case-by-case basis by distributing the app with your MDM and modifying the app's permissions to block app uninstallation. In Device Mgmt > App Repository, add the app that you want to enforce. Then, select the app and go to the permissions tab > advanced permissions. Then, set
Block App Uninstallation to
Allow. Distribute the app to the devices in your group.
How to block VPNs and proxies on Android.
There are a few approaches to doing this. First, make sure that your
profile restrictions > Network and Roaming has
Allow users to configure VPN set to
Next, consider updating your profile to only allow a user to install an app that has been explicitly approved via your MDM. This will blocklist all apps by default and only allow the user to select from apps that are on your approved list. You can update your approved list by adding apps to your app repository in
Inventory > Apps. Then, update your
profile > restrictions > Applications and set
User can install unapproved apps to
You can also manually block each one of these kinds of apps, but this solution can be time-consuming and not comprehensive. However, it will significantly slow someone down because they won't know which apps are blocked until they try to install the app and it is automatically deleted. If you are managing a device for another person (like a child), they might assume that all VPNs/DNS apps are blocked and won't attempt to find an unblocked app.
You can also set an always-on VPN in your profile > VPN > check Always on VPN after configuring VPN settings.
Alternatively, you can configure Kiosk mode.
The recommended options are indicated in the above profile configuration section. However, here are some specific call-outs:
Kiosk mode lets you customize and limit the use of the phone to a small subset of features. For example, In Multi-App mode, the user only has access to approved apps even if unapproved apps are installed on the device previously. The apps aren't deleted, but they can't be opened.
You can also use Kiosk mode to enable
Single App Mode, which lets you enforce the usage of a Kiosk app or any other app. The user can't close or switch out of the app specified in Single App Mode. This is useful when combined with a parental control kiosk app.
You can also further restrict WiFi and Network access with kiosk mode. In my opinion, the main use case for Kiosk mode is combining it with a parental control kiosk app. Otherwise, I don't think it's a viable option for most people.
Restrict Wifi to only your home network. This requires that you update your MDM
Profile > WiFi to include your Wifi network name in the
Wi-Fi SSID field, the security type specified (usually this is WPA/WPA2) with the Wifi password entered. Then, in your
profile > Restrictions > Network and Roaming, you set
AWiFi:Always On and
Connect to Wi-Fi if distributed via MDM:Yes.
Disabling the android browser
You can completely disable the ability to use internet browsers on your device. This is a great alternative to a dumb phone because you can still use apps like GPS/Maps, Spotify, etc., but you don't have to worry about plugging all the browsing loopholes.
Web Content Filter
Enabling the "allowlist" mode in the web content filter will restrict access to all URLs other than the ones you specify. This is also called a "default-deny" approach where you can't visit a URL unless it is specifically allowed.