Esper’s Compliance Policy vs. Settings vs. Provisioning Templates: What’s the Difference?
We’re often asked about the difference between Compliance Policy, Device Settings, and the Provisioning Templates used by Esper for remotely managing enterprise Android devices for dedicated use cases. The question comes up during conversations with our customers – both present and future.
Here’s the difference between Esper’s Compliance Policy, Settings, and Provisioning Templates.
- Compliance Policy is fixed and inaccessible by end users, but can be changed remotely using Esper.
- Settings may be accessible to end users, but it depends.
- Provisioning Templates include initial Compliance Policy, Settings, and Apps for enrollment.
The best way to apply these concepts is thinking about what should be exposed to the end user.
If something should never be exposed to end users, it’s probably Compliance Policy. If it should be accessible to a select group of users with a password or all end users, it will be a part of Settings (depending on other setup factors). Creating a Compliance Policy and determining initial Settings is part of the Provisioning Templates workflow.
These terms represent Esper’s view for the best ease of use for an Android MDM and opens up moving to DevOps. We have a fundamentally different approach than traditional MDMs since we cover multiple dedicated device use cases. Sometimes, this can throw off newcomers to Esper.
Keep reading for a more detailed explanation of Esper’s Compliance Policy, Settings, and Provisioning Templates. Learn more about templates, policy, and settings.
Compliance Policy is a set of rules that define how an enterprise device can be used. Compliance Policy is fixed and not accessible to the end user.
More specifically, it’s a set of security and usability guidelines for the device, operating system, applications, and user configurations.
What’s defined in a compliance policy cannot be changed by an end-user on the device, it is fixed by Esper and can only be changed by pushing an updated Compliance Policy from Esper.
A completed set of policies will address rules for:
- System updates pushed out by device makers to GMS devices
- Device password and lock screen requirements and restrictions
- Certain UX elements including Notification bar and Lock screen
- Telephony and SMS behavior, including limiting incoming and outbound calls
- External interfaces to the device including USB and NFC
- Camera and screenshots accessibility by the user (apps can still use the camera)
- Availability of the Google Play Store using a Managed Google Play account on GMS devices
- Allowing factory-reset on the device, and preventing unauthorized hard key factory reset on GMS devices
- For GMS devices you can control how GSuite or individual Google Accounts can be added to the device for business use
If you are provisioning a non-GMS device, the GMS specific policy settings will not be applied. As an example, Google Play is unavailable on AOSP devices – these settings are not applied to an AOSP device. But you don’t need to worry about that from a perspective of trying to understand Compliance Policy, it’s taken care of via Esper’s cloud platform.
Esper’s Compliance Policy also includes an overall switch for enabling the Android Debugging Bridge (ADB) on the device. Some customers do not want to allow ADB at all, so you can simply turn it off here.
Settings is the section where admins can define the “state” of device settings. Settings may or may not be accessible to the end user, depending on other parts of the setup process.
It is the same as physically going to the Settings on your personal Android device and making a change to your Bluetooth or Wi-Fi setting.
This can be done both at an individual device level by going to Devices:
- Selecting Details > Grid view
- Choose the Device Name in List view or the specific device pin
- Or click Details > Map view for the chosen device
Now you click “Settings” from the menu bar options.
Alternatively, you can perform changes pushed to a group of devices using the same commands at a Group level.
This is important: Adjusting Settings does not restrict device users.
Device users can adjust settings, unless this action is prevented by hiding the Android Settings app so it is inaccessible to the user. With the Esper Settings app, only a limited subset of settings are available to users. These can be protected by requiring a password to access.
Device settings available for both GMS and AOSP devices include:
- Bluetooth and Wi-Fi
- Timezone (for supported devices, noting system time is used otherwise)
- Screen brightness
- Screen timeout
- GPS (which can only be High accuracy for Android 10 GMS devices)
- Ring and notification volumes
- If allowed by Compliance Policy, setting the session duration for using ADB on the device including secure remote ADB sessions
- Pushing new WiFi access point credentials to devices
A template is a complete collection of device configurations (including the Compliance Policy, Device Settings, and Android apps) for the purpose of enrolling and provisioning Android dedicated devices.
Templates include configurations for:
- Compliance Policy
- Apps (Esper Cloud “Enterprise” apps, Google Managed Play apps, and in-ROM apps using package names)
- Settings on the Device, which include a special case of including WiFi AP credentials to be used for Android 9 devices via QR code provisioning
- Device Group in which the enrolled device will be placed
- Wallpaper for an enhanced branding experience on non-Kiosk mode devices
Device templates can be created, saved, and re-used for future provisioning. It gives you a uniform means to both enroll and provision new devices into your fleet. By having different Provisioning Templates you can create specific ones for different customers (unique app loads and settings), as well as for internal use by your team (for the dev and test teams versus production). This is also what you use to set up devices for locked-down Kiosk mode. Learn more about templates, policy, and settings.
How to Efficiently Deploy Secure Enterprise Android Devices
The Esper Compliance Policy addresses settings for acceptable and secure device use that can only be changed in the Esper Cloud Console. The device user cannot change Compliance Policy settings.
Device Settings create a default state for a device that users can change if the Android Settings app is available to users.
To securely provision and deploy Android dedicated devices like tablets, mPoS, or kiosks, the key is to create a Provisioning Template in Esper. The Provisioning template should include both Compliance Policy and Settings to fit your use case, users, and risks.
To efficiently deploy Android dedicated devices, it’s best to keep Provisioning Templates so your initial policy and settings can be reused as you onboard additional devices.
Enroll Android devices and create your own Provisioning Templates, Compliance Policy and Settings. Start working on the Esper platform.