Restricted Console Actions provides an added layer of protection against malicious actions that are potentially destructive. Configure settings for restricted actions by navigating to Groups & Settings > All Settings > System > Security > Restricted Actions.

You can require that certain actions require admins to enter a PIN. For each action you choose to protect, select the appropriate Password Protect Actions button for Enabled or Disabled as appropriate. This requirement provides you with granular control over which actions you want to make more secure.

Note:

Some actions always require a PIN and as a result cannot be disabled. Denoted by * below.

You can set the maximum number of failed attempts the system accepts before automatically logging out the session. If you reach the set number of attempts, you need to log into the Workspace ONE UEM console and set a new security PIN.

Setting Description
Admin Account Delete Prevents the deletion of an admin user account in Accounts > Administrators > List View.
* Regenerate VMware Enterprise Systems Connector Certificate Prevents the regeneration of the VMware Enterprise Systems Connector certificate in Groups & Settings > All Settings > System > Enterprise Integration > VMware Enterprise Systems Connector .
* APNs Certificate Change Prevents the disabling of APNs for MDM in Groups & Settings > All Settings > Devices & Users > Apple > APNs For MDM.
Application Delete/Deactivate/Retire Prevents the deletion, deactivation, or retirement of an application in Apps & Books > Applications > List View.
Content Delete/Deactivate Prevents the deletion or deactivation of a content file in Content > List View.
* Data Encryption Toggle Prevents the Encryption of user information setting in Groups & Settings > All Settings > System > Security > Data Security.
Device Delete Prevents the deletion of a device in Devices > List View. Admin security PIN is still required for bulk actions even when this setting is disabled.
* Device Wipe Prevents any attempt to perform a device wipe from the Device List View or Device Details screens.
Enterprise Reset Prevents any attempt to perform an enterprise reset on a device from the Devices Details page of a Windows Rugged, Rugged Android, or QNX device.
Enterprise Wipe Prevents any attempt to perform an enterprise wipe on a device from the Devices Details page of a device.
Enterprise Wipe (Based on User Group Membership Toggle) Prevents any attempt to perform an enterprise wipe on a device when it is removed from a user group. This is an optional setting that you can configure under Groups & Settings > All Settings > Devices & Users > General > Enrollment on the Restrictions tab. If you Restrict Enrollment to Configured Groups on this tab, you then have the added option of performing an enterprise wipe a device when it is removed from a group. For more information, see the Configure Enrollment Restrictions.
* Organization Group Delete Prevents any attempt to delete the current organization group from Groups & Settings > Groups > Organization Groups > Organization Group Details.
Profile Delete/Deactivate Prevents any attempt to delete or deactivate a profile from Devices > Profiles & Resources > Profiles.
Provisioning Product Delete Prevents any attempt to delete a provisioning product from Devices > Staging & Provisioning > Products List View.
Revoke Certificate Prevents any attempt to revoke a certificate from Devices > Certificates > List View.
* Secure Channel Certificate Clear Protects from any attempt to clear an existing secure channel certificate from Groups & Settings > All Settings > System > Advanced > Secure Channel Certificate.
User Account Delete Prevents any attempt to delete a user account from Accounts > Users > List View.
Change in Privacy Settings Prevents any attempt to alter the privacy settings in Groups & Settings > All Settings > Devices & Users > General > Privacy.
Delete Telecom Plan Prevents the deletion of a telecom plan in Telecom > Plan List.
Override Job Log Level Prevents attempts to override the currently-selected job log level from Groups & Settings > Admin > Diagnostics > Logging. Overriding the Job Log Level is useful when a device or group of devices is having an issue. In this case, the admin can override those device settings by forcing an elevated log level to Verbose, which logs the maximum level of console activity, making it ideal for troubleshooting.
* App Scan Vendor Reset/Toggle Prevents the resetting (and subsequent wiping) of your app scan integration settings. This action is performed in Groups & Settings > All Settings > Apps > App Scan.
Shut Down Prevents any attempt to shut down the device in Devices > List View > Device Details.
Maximum invalid PIN attempts Defines the maximum number of invalid attempts at entering a PIN before the console locks down. This setting must be between 1 and 5.