Android

Android Mobile Device Management

Enforce filtering and device settings by managing an Android device

Tech Lockdown Team

Updated March 19, 2026

Android smartphones have limited ways that you can block unwanted content and restrict easy bypass of those content restrictions.

However, it's possible to configure a fully managed Android smartphone, which gives you much more control over content blocking and bypass prevention.

Businesses will often use Mobile Device Managers (MDM) to completely control smartphones that they issue to employees for business purposes.

As a result, Mobile Device Managers unlock powerful capabilities that allow you to block unwanted content and prevent bypass much more effectively.

The best part is that once a setting is enforced with a Mobile Device Manager, these settings cannot be changed from the device itself. The settings can only be changed in the MDM dashboard.

You don't need to be a business to access Mobile Device Management capabilities. In fact, you can get access to Device Management for free!

Capability Overview

Here are some capabilities that you unlock using a mobile device manager:

Remote Management

With an MDM, you can remotely configure a fully managed device. This means that you can make policy changes and those changes will be automatically synced with the Android device you are managing. You don't need physical access to the device to make changes.

Prevent App Uninstall and Remotely Install Apps

When you use the "silent installation mode," you can remotely install an app on a device. This remotely installed app can't be deleted by the user on the device. It has to be uninstalled using the MDM.

This is a powerful feature when combined with a DNS Filtering application or a content blocking application.

Content Filtering

Enforce built-in browser content filtering to block Adult and malicious content. You can even set up a restrictive "allow-only" mode where all websites in the browser are blocked by default unless you specifically added them to the allow list.

App Management

Create an app policy such that a user cannot download apps that haven't been explicitly approved.

Alternatively, you can allow all apps other than the ones you explicitly block.

Remote Lock and Wipe

In case of a lost or stolen device, adults can remotely lock or wipe their smartphones to safeguard personal data and prevent unauthorized access. This feature provides an extra layer of security and peace of mind.

Geolocation Tracking

Mobile device managers often offer location tracking capabilities, allowing adults to keep tabs on the whereabouts of their smartphones. This feature can be useful in case of misplaced devices or for ensuring the safety of family members.

Setup Video

The below video shows the entire process from start to finish with some explanations of some steps.

Outdated content

This video was created several years ago, so the Manage Engine interface has changed since then. This is mostly useful if you are confused about the enrollment process.

Use this video as a supplement to the rest of the guide.

(1) Enroll Device

This section explains how you connect your Android device to a Mobile Device Manager. Note that your Android smartphone needs to be completely reset, so we recommend first backing up your data.

Backing up your data

Important

To enable full control over a device, you need to hard reset the phone. A hard reset will delete everything on the device, but you shouldn't need to reactivate your phone's service.

Modern phones use cloud backups to simplify the process of restoring files on a phone. Make sure you understand how your phone is backed up and how you can restore it. This is a standard process with modern phones.

If you use two-factor authentication apps (2FA), make sure you have a way to restore your 2FA access. This is not backed up in the cloud.

The process might look different depending on which vendor your smartphone is from, but you can often search for Backup settings online or from the Settings app.

First, open your smartphone's settings and search for "backup":

Look at the backup options available.

You typically have at least one of these options:

Backup with Google Drive
Use Dropbox for a cloud storage backup
Connect your smartphone to a computer and save your files that way

Enroll with ManageEngine

In your ManageEngine account, go to Enrollment > Devices

Select the type of Android device you're using. Either a Samsung device or Non-Samsung for all other Android phones.

In either case, you'll select the "EMM Token Enrollment" method because it gives you the most control over the device.

Get QR Code

Choose an option depending on your Android version. If you have a newer phone then you'll select 9.0

Hard Reset your Phone

It's now time to Factory Reset/Hard Reset your smartphone.

Make sure that your files are correctly backed up before proceeding; the factory reset option will permanently delete files from your smartphone. You will also be signed out of your accounts.

Hard Reset your phone. Make sure you know how to restore your files from the cloud after you restore the phone. All files are deleted with a hard reset.

After you restart the phone, tap the welcome screen repeatedly until the camera scanner appears. This should work on any kind of device.

Bring up the QR code in the MDM dashboard and scan it with the phone camera.

Finish the setup process using whatever settings you want.

Once the phone setup finishes, you can add your personal Google account or Google Play store account in addition to the managed account.

If you use 2FA on your smartphone, you will need to move this 2FA access to another device first. Hard resetting your smartphone will revoke any 2FA apps you've connected.

The exact instructions for how you do this will depend on which authenticator app you've installed. Please refer to the support section on each authenticator app's website:

For other Authenticator apps, you'll need to check their official website for more information.

(2) Configure Profile

A mobile device manager uses profiles to set device restrictions and enforce settings.

To start applying policies and restrictions to your smartphone, you need to create a profile in your Mobile Device Manager.

Navigate to Device Mgmt > Profiles.

Click the Create Profile dropdown and select Android

Select the MDM Profile Profile type, enter any name in the Profile name field, and set Customize profile toDevice. Then click continue

If you plan to manage multiple devices that use the same device restrictions, I recommend creating a device group.

Creating a device group simplifies the process of distributing apps and profiles to multiple devices at the same time.

Navigate to Device Mgmt > Groups & Devices and create a Device Group

In the Group Name or Description, specify the types of devices that will be added to that group. If you are managing devices for other people (like family members), you might consider naming this group something like "Teenage Android Devices" or "Pre-teen Android Devices" if you plan to enforce different restrictions depending on the age group.

Click Add device and then find the device you enrolled previously, then finish by clicking Create Group.

After creating the group, select the checkbox for the group, click Actions > Associate Profile and then select the profile you created previously.

The profile should automatically sync to the devices that are associated with that group. It might take a few minutes to sync.

(3) Distribute profile to device

Update the device to use the restrictions you specified in the profile you created.

In order for changes to be applied to your Android device, you will need to also upgrade your profile on your device. Publishing it alone doesn't automatically update changes.

First, make sure that your profile has it's most recent changes saved and published:

Once the profile is saved/published and you are directed back to the screen that lists all of the profiles, open up the profile again and click the Upgrade All link under the Devices with older version section

Here is another method for upgrading a changed profile:

Navigate to Device Mgmt > Groups & Devices then select the group associated with your profile and click the Profiles tab.

Select the profile you updated and click Upgrade Profile

Your devices should sync with the profile changes.

(4) Managed Google Play

Configure managed Google Play so that you can install apps on your device using the MDM. This will allow you to force app configurations and prevent uninstall while also preventing certain apps from being installed.

Navigate to App Repository > Managed Google Play

Select Google account unless you have a Google Workspace account. You might have a workspace account if you followed the Chromebook mobile devices management guide.

Select Configure Now and register with a Google account that isn't already connected to your Google Play store. You might need to make a new Google account specifically used for this.

How to

Prevent App Uninstall

If you want to prevent a specific app from being uninstalled (for example, an app that filters content), go to Restrictions > Applications:

Set Uninstalling Apps to Restrict

Similar to Uninstalling apps, you can consider setting Stop System Apps to Restrict. This will prevent users from force-stopping certain apps.

Set Stop system apps to Restrict

Whitelist Apps

You might want to ensure that some apps cannot be installed on your smartphone. Here's how you would do this:

From Device Management, go to App Repository

From here, you can choose apps that you want installed onto your device. Other apps will be denied after we change a setting in your profile.

After you're done, go back to Profiles and select the Android device profile

Go to Restrictions > Applications

Set Users can install only approved apps to Yes

Prevent VPN Creation

You can prevent users from adding their own custom VPN configurations.

In a profile, go to Restrictions > Network and Roaming

Set Allow users to configure VPN to No.

Manage Security Restrictions

Security restrictions allow you to create a profile that prevents bypass.

Restore Factory Settings

This setting is useful for some people, who might go to great lengths to access an unfiltered device. Keep in mind that you can still reset the device using the MDM.

Lock Screen Notification Preferences

Consider enforcing either option: Hide Sensitive Content or Don't show notifications at all. This is useful if you are trying to reduce your smartphone usage and don't want to be constantly interrupted by app notifications. Enforcing this setting means that you don't have to manually customize this option.

Safe Mode

Some bypass methods utilize the device's safe mode. I recommend disabling safe mode.

Developer Mode

Similar to safe mode, developer mode can be used to bypass some restrictions. However, these methods are more difficult than safe mode. Consider disabling this.

Manage Wi-Fi Settings for your smartphone

If you've set up your home router to filter content using a content policy , you'll want to ensure that your Android smartphone can't bypass it and use an unprotected internet connection.

A common way that Android users bypass WiFi content filtering is to simply turn off WiFi and use an unfiltered roaming internet connection (4g/5g), but you can prevent this with a managed device.

This is how you would do it:

Prevent the smartphone from turning off WiFi
Configure the smartphone to auto-connect to your home WiFi network.

Prevent your smartphone from turning off Wi-Fi

Go to the Network and Roaming section of your profile editor (in Manage Engine)

Set the Wi-Fi option to Always on:

Configure your home Wi-Fi network

Go to Wi-Fi in the Manage Engine profile editor:

You'll need to enter the information from your home's Wi-Fi network. You can usually find this information on your computer's taskbar:

Enter the SSID and password for you selected Wi-Fi network:

Frequently Asked Questions

Prevent deleting an app

You can configure your Profile to disable allowing the user to uninstall apps on the device in Your Profile > Restrictions > Applications > set Uninstalling Apps to Restrict.

Alternatively, you can prevent app uninstall on a case-by-case basis by distributing the app with your MDM and modifying the app's permissions to block app uninstallation. In Device Mgmt > App Repository, add the app that you want to enforce. Then, select the app and go to the permissions tab > advanced permissions. Then, set Block App Uninstallation to Allow. Distribute the app to the devices in your group.

Block VPNs, Proxies, or other apps that configure DNS?

How to block VPNs and proxies on Android.

There are a few approaches to doing this. First, make sure that your profile restrictions > Network and Roaming has Allow users to configure VPN set to No.

Next, consider updating your profile to only allow a user to install an app that has been explicitly approved via your MDM. This will blocklist all apps by default and only allow the user to select from apps that are on your approved list. You can update your approved list by adding apps to your app repository in Inventory > Apps. Then, update your profile > restrictions > Applications and set User can install unapproved apps to Restrict.

You can also manually block each one of these kinds of apps, but this solution can be time-consuming and not comprehensive. However, it will significantly slow someone down because they won't know which apps are blocked until they try to install the app and it is automatically deleted. If you are managing a device for another person (like a child), they might assume that all VPNs/DNS apps are blocked and won't attempt to find an unblocked app.

You can also set an always-on VPN in your profile > VPN > check Always on VPN after configuring VPN settings.

Alternatively, you can configure Kiosk mode.

What are the most restrictive setups?

The recommended options are indicated in the above profile configuration section. However, here are some specific call-outs:

Kiosk mode

Kiosk mode lets you customize and limit the use of the phone to a small subset of features. For example, In Multi-App mode, the user only has access to approved apps even if unapproved apps are installed on the device previously. The apps aren't deleted, but they can't be opened.

You can also use Kiosk mode to enable Single App Mode, which lets you enforce the usage of a Kiosk app or any other app. The user can't close or switch out of the app specified in Single App Mode. This is useful when combined with a parental control kiosk app.

You can also further restrict WiFi and Network access with kiosk mode. In my opinion, the main use case for Kiosk mode is combining it with a parental control kiosk app. Otherwise, I don't think it's a viable option for most people.

Restricting/Enforcing WiFi

Restrict Wifi to only your home network. This requires that you update your MDM Profile > WiFi to include your Wifi network name in the Wi-Fi SSID field, the security type specified (usually this is WPA/WPA2) with the Wifi password entered. Then, in your profile > Restrictions > Network and Roaming, you set AWiFi:Always On and Connect to Wi-Fi if distributed via MDM:Yes.

Disabling the android browser

You can completely disable the ability to use internet browsers on your device. This is a great alternative to a dumb phone because you can still use apps like GPS/Maps, Spotify, etc., but you don't have to worry about plugging all the browsing loopholes.

Web Content Filter

Enabling the "allowlist" mode in the web content filter will restrict access to all URLs other than the ones you specify. This is also called a "default-deny" approach where you can't visit a URL unless it is specifically allowed.