Security Policies Profiles for the SDK

Navigation

In the Workspace ONE UEM console, you can find these default SDK settings in Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.

Assign the Default SDK Profile to the Workspace ONE Intelligent Hub

Control and apply SDK functionality with the Workspace ONE Intelligent Hub and the default SDK profile.

Note: You cannot use custom SDK profiles with the Workspace ONE Intelligent Hub. A profile set in Groups & Settings > All Settings > Apps > Settings and Policies > Profiles is a custom SDK profile. It is not the default SDK profile. The Workspace ONE Intelligent Hub only supports the default profile set in either the Security Policies, Settings, or SDK App Compliance sections of Settings and Policies.

The Workspace ONE Intelligent Hub works as a "broker application" for SDK features, such as SSO. You must configure the default SDK profile with the features you want the Workspace ONE Intelligent Hub to apply to apps. If you do not set the Workspace ONE Intelligent Hub to use the default SDK profile, then the system does not apply your settings you configured in the Settings and Policies section.

SDK Profile Configurations Must Match To Work

The configuration in the SDK profile assigned to the productivity app must match the configuration in the default SDK profile you assigned to your Workspace ONE Intelligent Hub. If configurations do not match, than the SDK feature does not work in your Workspace ONE productivity app.

For example, if you want managed apps to use SSO, ensure that the default SDK profile assigned to your Workspace ONE Intelligent Hub has SSO enabled. If you have assigned a custom SDK profile to a productivity app, you must enable SSO in the custom profile. SSO does not work if the profiles assigned to the Hub or the productivity app have SSO deactivated.

Force Token for App Authentication

This setting controls how the system allows users to access SDK-built applications, either initially or through a forgotten-passcode procedure. When enabled, the system forces the user to generate an application token through the Self-Service Portal (SSP) and does not allow user name and password. This setting does not force the reset of the enrollment token.

Authentication Type

Select an authentication method that meets the security needs of your network. The passcode gives device users flexibility while user name and password offers compatibility with the Workspace ONE UEM system. If security is not an issue, then you do not have to require an authentication method.

Table 1. Descriptions of Authentication Items
Setting	Description
Passcode	Designates a local passcode requirement for supported applications. Device users set their passcode on devices at the application level when they first access the application.
User name and Password	Requires users to authenticate to supported applications using their Workspace ONE UEM credentials. Set these credentials when you add users in the Accounts page of the Workspace ONE UEM console.
Disabled	Requires no authentication to access supported applications.

Passcode Setting	Description
Passcode	Enable this option to require a local passcode requirement.
Authentication Timeout	Define the time elapsed, ranging from the last successful authentication to the value set here, that triggers the system to prompt for Workspace ONE UEM credentials. On newer Android applications, authentication timeout prompts for credentials when the session is inactive for the set time.
Maximum Number Of Failed Attempts	Set the maximum times, a user can log in, with an incorrect passcode before the system throws an error. Actions depend on the platform. Android – The system performs an enterprise wipe on the device. iOS – The system performs an enterprise wipe on the device.
Passcode Mode	Select an option depending on your security needs and the platform. Numeric Android - You can enter only numbers. iOS - You can enter numbers and letters. Alphanumeric Android - You can enter numbers and letters. iOS - You can enter numbers and letters.
Allow Simple Value	Set the passcode to allow simple strings. For example, allow strings like 1234 and 1111.
Minimum Passcode Length	Set the minimum number of characters for the passcode.
Minimum Number Of Complex Characters (if Alphanumeric is selected)	Set the minimum number of complex characters for the passcode. For example, allow characters like [], @, and #.
Maximum Passcode Age (days)	Set the number of days the passcode remains valid before you must change it.
Passcode History	Set the number of passcodes the Workspace ONE UEM console stores so that users cannot use recent passcodes.
Use Device Pin for Authentication	Select to require the use of the device passcode (labelled PIN in the UI) to authenticate to and access SDK-built apps and Workspace ONE productivity apps. This setting is part of the Workspace ONE Require Device Passcode (RDP) feature supported by the Workspace ONE SDK.
Biometric Mode	Select the system used to authenticate for access. Enabled – Allow the use of Fingerprint, Touch ID, or Face ID for authentication to the application. Disabled – Does not require biometric authentication systems to access the application.

Username and Password Setting	Description
Username and Password	Enable this option to set authentication to use the Workspace ONE UEM credentials.
Authentication Timeout	Define the time elapsed, ranging from the last successful authentication to the value set here, that triggers the system to prompt for Workspace ONE UEM credentials. On newer Android applications, authentication timeout prompts for credentials when the session is inactive for the set time.
Maximum Number Of Failed Attempts	Set the maximum times, a user can log in, with an incorrect passcode before the system throws an error. Actions depend on the platform. Android – The system performs an enterprise wipe on the device. iOS – The system performs an enterprise wipe on the device.
Use Device Pin for Authentication	Select to require the use of the device passcode (labelled PIN in the UI) to authenticate to and access SDK-built apps and Workspace ONE productivity apps. This setting is part of the Workspace ONE Require Device Passcode (RDP) feature supported by the Workspace ONE SDK.
Biometric Mode	Select the system used to authenticate for access. Enabled – Allow the use of Fingerprint, Touch ID, or Face ID for authentication to the application. Disabled – Does not require biometric authentication systems to access the application.

Disabled Setting	Description
Disabled	Select to require no authentication to access the application.

Authentication Type and SSO

Authentication Type and SSO can work together or alone.

Alone – If you enable an Authentication Type (passcode or user name/password) without SSO, then users must enter a separate passcode or credentials for each individual application. The exception to this configuration is the Workspace ONE Intelligent Hub for Android. This productivity app does not prompt users to create a passcode or PIN. See the section SSO, the Workspace ONE Intelligent Hub for Android, and Forced PINs for details.
Together – If you enable both Authentication Type and SSO, then users enter either their passcode or credentials (whichever you configure as the Authentication Type) once. They do not have to reenter them until the SSO session ends.

SSO, the Workspace ONE Intelligent Hub for Android, and Forced PINs

If you deactivate SSO and use Authentication Type > Passcode and you are deploying the Workspace ONE Intelligent Hub for Android (which uses the Workspace ONE SDK framework), the Workspace ONE Intelligent Hub for Android does not prompt the user to create a PIN for access. If you want to protect the Workspace ONE Intelligent Hub with a passcode, you must either enable SSO or assign a Passcode profile under Resources and apply it to the whole device in the Workspace ONE UEM console.

Single Sign-On

If you want to require a single sign-on (SSO) passcode on devices, enable Single Sign-On and set Authentication Type to Passcode and set the Passcode Mode to either Numeric or Alphanumeric.

Using either the Workspace ONE Intelligent Hub or Workspace ONE as a "broker application," end users can authenticate once using either their normal credentials or an SSO passcode. They gain access to other applications so long as the SSO session is active.

If you enable SSO but do not enable an Authentication Type, the system does not prompt end users with any recurring authentication. An exception to this behavior occurs when end users must authenticate during an initial installation of the application. They use their normal credentials to authenticate in this instance.

SSO Sessions and SDK App Login Behaviors

An SSO session establishes when a user authenticates with an application participating in SSO. Although SSO sessions help streamline the login experience for the user, the variables that impact the SSO mechanism and the login behavior of the SDK app are varied and complex. The session is active until it reaches the Authentication Timeout value or the user manually locks the application (includes forcing it closed). The SDK app prompts for credentials depending on multiple variables including but not limited to the platform, SSO setting, SSO session status, and Authentication Type.

Platform
- Android
- iOS
SSO configuration
- Enabled
- Disabled
SSO session status
- Active
- Inactive
Authentication Type configuration
- Username and Password
- Passcode
- Disabled
Authentication Type state
- Credential value exists (Passcode or Username and Password)
- Credential value does not exist
- Authentication Timeout is active or expired
SDK app state
- App forcibly closed
- SDK upgraded

On iOS devices, the existence of a valid identity sent from the Workspace ONE UEM console also influences the login behaviors in SDK apps. This identity is a one-time use token and it establishes the user identity in the SDK app. If the identity exists in the SDK app, then the system does not prompt for credentials.

The system displays specific prompts in the SDK app depending on the Authentication Type and the request sent from the Workspace ONE UEM console.

Table 2. Login Prompts
Authentication Type	Request	Login Prompt
Passcode	Create Credentials	Create Passcode
Passcode	Provide Credentials	Enter Passcode
Username and Password	Create Credentials	Enter Username and Password
Username and Password	Provide Credentials	Enter Username and Password

Android and SSO - Login Prompts for Authentication Modes, Passcode and Username and Password (Login Values)


SSO Setting	SSO Session Status	State (Login Value or App)	Login Behavior
Enabled	Active	Credential exists	The system does not prompt for the login value.
		Credential does not exist	The system prompts to create the login value.
		App closes	When user accesses the app, and another SDK-app is still involved in the SSO session, the system does not prompt for the login value. If the app is stopped or forcibly closed without reaching the Authentication Timeout value, the system does not prompt for the login value.
		SDK upgraded	When user accesses app after upgrade, the system does not prompt for the login value.
	Inactive	Credential exists	The system prompts the user for the login value.
		Credential does not exist	The system prompts the user to create the login value.
		App closes	The system prompts the user for the login value.
		SDK upgraded	The system prompts the user for the login value.
Disabled Authentication Timeout status impacts behavior (active or expired).	NA	Credential exists	The system prompts the user for the login value.
		Credential does not exist	The system prompts the user to the create login value.
		App closes	The system prompts the user for the login value if Authentication Timeout has expired.
		SDK upgraded	The system does not prompt for the login value.

Android and SSO - Login Prompts for Authentication Mode Disabled


SSO Setting	SSO Session Status	Login Behavior
Enabled	Active	The system does not prompt for login values. The SDK app opens with no challenges.
Enabled	Inactive	The system does not prompt for login values. The SDK app opens with no challenges.
Disabled	NA	The system prompts the user for the Workspace ONE UEM credentials as the login values on first start. After the initial start, the system opens the SDK app with no challenges.

iOS and SSO - Login Prompts for Authentication Modes, Passcode and Username and Password (Login Values)


SSO Setting	SSO Session Status	State (Login Value or App)	Login Behavior
Enabled Keychain-sharing apps share the session.	Active	Credential exists	The system does not prompt since the credential exists and the SSO session is active.
		Credential does not exist	The system prompts the user to create credentials.
		App closes	When user accesses app after closing, the system prompts the user for the credential value.
		SDK upgraded	When the user accesses app after upgrade, the system prompts the user for the credential value. iOS quits the app on upgrade.
	Inactive	Credential exists	The system prompts the user for the credential value. When the SSO session expires, credentials are removed and the system prompts for the credentials again.
		Credential does not exist	The system prompts the user to create credentials.
		App closes	When the user accesses the app after closing, the system prompts the user for the credential value.
		SDK upgraded	When the user accesses app after upgrade, the system prompts the user for the credential value. iOS closes the app on upgrade.
Disabled Keychain-sharing apps are not sharing the session. Authentication Timeout status impacts behavior (active or expired).	NA	Credential exists	The system does not prompt since the credential exists and Authentication Timeout session is active. If the Authentication Timeout is expired, the system prompts the user for the credential value. When the session expires, credentials are removed and prompted for again.
		Credential does not exist	The system prompts the user to create credentials no matter if the Authentication Timeout is active or expired.
		App closes	When the user accesses the app after closing, the system prompts the user for the credential value no matter if the Authentication Timeout is active or expired.
		SDK upgraded	If the Authentication Timeout is active, and the user accesses the app after upgrading, the system prompts the user for the credential value. If the Authentication Timeout is expired, and the user accesses app after upgrade, the system prompts the user for the credential value because iOS closes the app after upgrading.

iOS and SSO - Login Prompts for Authentication Mode Disabled


SSO Setting	SSO Session Status	Login Behavior
Enabled	Active	The system does not prompt for login values. The SDK app opens with no challenges.
Enabled	Inactive	The system does not prompt for login values. The SDK app opens with no challenges.
Disabled	NA	If the device is MDM managed, then the system does not prompt for login values. The SDK app opens with no challenges. If the device is in Registered Mode, the system prompts the user for the Workspace ONE UEM credentials as the login values on first start. After the initial start, the system opens the SDK app with no challenges.

iOS and SSO - One Time Login Prompts When the App Is Missing the Identity (Valid Token)


SSO Setting	Scenario	Login Behavior
Enabled	Valid one time token is available through Workspace ONE UEM.	The system does not prompt for Username and Password authentication because it uses a one time token to establish identity.
	A valid one time token is NOT available. The first Keychain-sharing app is installed within a Keychain sharing cluster.	If the one time token is not available to establish identity, the system prompts for the Username and Password authentication to establish identity.
	A valid one time token is NOT available. The second Keychain-sharing app is installed within a Keychain sharing cluster.	The system does not prompt for the Username and Password authentication and establishes the identity silently.
Disabled	Valid one time token is available through Workspace ONE UEM.	The system does not prompt for the Username and Password authentication because it uses a one time token to establish identity.
Disabled	Valid one time token is NOT available.	If the one time token is not available to establish identity, the system prompts for the Username and Password authentication to establish identity.

Integrated Authentication

Allow access to corporate resources, such as content repositories, through the Workspace ONE Intelligent Hub using Workspace ONE UEM SSO credentials.

Setting	Description
Use Enrollment Credentials	Access corporate resources listed in the Allowed Sites field with the SSO credentials. Enter systems in the Allowed Sites text box to control access to a specific set of sites and domains. You must complete this setting for Integrated Authentication to work. This setting ensures that Workspace ONE UEM does not expose credentials to non-trusted resources.
Use Certificate	Upload the Credential Source or set a Defined Certificate Authority to access corporate resources listed in the Allowed Sites text box with the SSO credentials. Enter systems in the Allowed Sites text box to control access to a specific set of sites and domains. You must complete this setting for Integrated Authentication to work. This setting ensures that Workspace ONE UEM does not expose credentials to non-trusted resources.

Setting

Description

Use Enrollment Credentials

Access corporate resources listed in the Allowed Sites field with the SSO credentials.

Enter systems in the Allowed Sites text box to control access to a specific set of sites and domains. You must complete this setting for Integrated Authentication to work. This setting ensures that Workspace ONE UEM does not expose credentials to non-trusted resources.

Use Certificate

Upload the Credential Source or set a Defined Certificate Authority to access corporate resources listed in the Allowed Sites text box with the SSO credentials.

Enter systems in the Allowed Sites text box to control access to a specific set of sites and domains. You must complete this setting for Integrated Authentication to work. This setting ensures that Workspace ONE UEM does not expose credentials to non-trusted resources.

Offline Access

The SDK restricts or allows offline access depending on the configurations.


Offline Access	Behavior
Enabled Maximum Period Allowed = time	The SDK allows offline access and then restricts access when time offline meets the maximum period allowed value.
Enabled Maximum Period Allowed = 0	The SDK allows offline access indefinitely.
Disabled	The SDK prevents offline access.

Compromised Protection

Protect your mobile network from compromised resources with an enterprise wipe. It clears privileged corporate data off devices. The system does not perform wipe actions on data unrelated to the enterprise.

AirWatch App Tunnel

Allow an application to communicate through a VPN or reverse proxy to access internal resources, such as a SharePoint or intranet sites. To use Allow all non-FQDN URLs through App tunnel, applications must use Workspace ONE SDK v19.3+ (both Android and iOS Swift).

The Per-App Tunnel provides Device Traffic Rules. Device Traffic Rules allow you to set individual traffic policies for tunneling, blocking, and bypassing traffic for each of your apps.

Before you can use VMware Tunnel - Proxy or VMware Tunnel menu items, you must install these tunnels. See VMware Tunnel.

If you are switching from VMware Tunnel - Proxy to VMware Tunnel, migrate the App Tunnel URLs entries.

If users access an internal resource through a non-standard port (a port that is not port 80 or 443), explicitly list the port number in the URL you enter in App Tunnel URLs. For example, if the resource URL is data.company.com and it is accessed through port 7777, you must add data.company.com:7777 in the App Tunnel URLs field.

Setting	Description
VMware Tunnel	Sets devices to access corporate resources using the Per-App Tunnel component of VMware Tunnel. For this option to work, install VMware Tunnel. Also, the Per-App Tunnel component of VMware Tunnel uses rules to set policies for tunneling, blocking, or bypassing specific domains. Ensure that you have setup web and other SDK-enabled apps on the Device Traffic Rules page before enabling it here. If you have some SDK applications that still use VMware Tunnel - Proxy, enable Tunnel Proxy for Backward Compatibility. This menu item allows those SDK applications that have not migrated to Per-App Tunnel to continue to work using Proxy. This setting does not act as a backup. If your Tunnel gateway is not available, applications do not fall back to Proxy.
VMware Tunnel - Proxy	Sets devices to access corporate resources using the proxy component of the VMware Tunnel, also called Proxy. Consider migrating to the Per-App Tunnel component for better performance and new features. For this option to work, install VMware Tunnel. If this feature is not installed and configured, use the UI links to go to the configuration pages. Select Configure VMware Tunnel - Proxy Settings to enable Proxy if you have not already set this feature. Use Allow all non-FQDN URLs through App tunnel to control traffic to non-FQDN (fully qualified domain name) URLs through the tunnel. YES - All non-FQDN URLs use the tunnel. NO - Only non-FQDN that are explicitly listed in the App Tunnel URLs use the tunnel. To restrict the communication to a set of tunnel domains, enter domains in the App Tunnel URLs text box. All other traffic not listed in this text box, goes directly to the Internet. Use wildcards to allow access to any site with a domain subset. For example, .<example > .com allows traffic to any site that contains .<example > .com in its domain. Similarly, it allows access to any port on that site with an implementation similar to .<example > .com. If nothing is listed in this text box, all traffic directs through the app tunnel.
Standard Proxy	Sets devices to request resources using a proxy server that allows or denies connections to enterprise systems. To access your internal network, select an App Tunnel Proxy from the menu . Add standard proxies by selecting Configure Standard Proxy Settings. Use Allow all non-FQDN URLs through App tunnel to control traffic to non-FQDN (fully qualified domain name) URLs through the tunnel. YES - All non-FQDN URLs use the tunnel. NO - Only non-FQDN that are explicitly listed in the App Tunnel URLs use the tunnel. To restrict the communication to a set of tunnel domains, enter domains in the App Tunnel URLs text box. All other traffic not listed in this text box, goes directly to the Internet. Use wildcards to allow access to any site with a domain subset. For example, .<example > .com allows traffic to any site that contains .<example > .com in its domain. Similarly, it allows access to any port on that site with an implementation similar to .<example > .com. If nothing is listed in this text box, all traffic directs through the app tunnel.

Setting

Description

VMware Tunnel

Sets devices to access corporate resources using the Per-App Tunnel component of VMware Tunnel.

For this option to work, install VMware Tunnel.

Also, the Per-App Tunnel component of VMware Tunnel uses rules to set policies for tunneling, blocking, or bypassing specific domains. Ensure that you have setup web and other SDK-enabled apps on the Device Traffic Rules page before enabling it here.

If you have some SDK applications that still use VMware Tunnel - Proxy, enable Tunnel Proxy for Backward Compatibility. This menu item allows those SDK applications that have not migrated to Per-App Tunnel to continue to work using Proxy.

This setting does not act as a backup. If your Tunnel gateway is not available, applications do not fall back to Proxy.

VMware Tunnel - Proxy

Sets devices to access corporate resources using the proxy component of the VMware Tunnel, also called Proxy. Consider migrating to the Per-App Tunnel component for better performance and new features.

For this option to work, install VMware Tunnel. If this feature is not installed and configured, use the UI links to go to the configuration pages.

Select Configure VMware Tunnel - Proxy Settings to enable Proxy if you have not already set this feature.
Use Allow all non-FQDN URLs through App tunnel to control traffic to non-FQDN (fully qualified domain name) URLs through the tunnel.
- YES - All non-FQDN URLs use the tunnel.
- NO - Only non-FQDN that are explicitly listed in the App Tunnel URLs use the tunnel.
To restrict the communication to a set of tunnel domains, enter domains in the App Tunnel URLs text box. All other traffic not listed in this text box, goes directly to the Internet.
Use wildcards to allow access to any site with a domain subset. For example, *.<example > .com allows traffic to any site that contains .<example > .com in its domain. Similarly, it allows access to any port on that site with an implementation similar to *.<example > .com.
If nothing is listed in this text box, all traffic directs through the app tunnel.

Standard Proxy

Sets devices to request resources using a proxy server that allows or denies connections to enterprise systems.

To access your internal network, select an App Tunnel Proxy from the menu . Add standard proxies by selecting Configure Standard Proxy Settings.
Use Allow all non-FQDN URLs through App tunnel to control traffic to non-FQDN (fully qualified domain name) URLs through the tunnel.
- YES - All non-FQDN URLs use the tunnel.
- NO - Only non-FQDN that are explicitly listed in the App Tunnel URLs use the tunnel.
To restrict the communication to a set of tunnel domains, enter domains in the App Tunnel URLs text box. All other traffic not listed in this text box, goes directly to the Internet.
Use wildcards to allow access to any site with a domain subset. For example, *.<example > .com allows traffic to any site that contains .<example > .com in its domain. Similarly, it allows access to any port on that site with an implementation similar to *.<example > .com.
If nothing is listed in this text box, all traffic directs through the app tunnel.

Migrate Proxy App Tunnel URLs to Per-App Tunnel

If you migrate from VMware Tunnel - Proxy to VMware Tunnel (Per-App Tunnel) and want to keep the domains that use the tunnel, enter the App Tunnel URLs from the Proxy to the Device Traffic Rules settings for Per-App Tunnel.

Go to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies > App Tunnel Mode > VMware Tunnel - Proxy and record the entries in the App Tunnel URLs field.

The Per-App Tunnel provides Device Traffic Rules. Device Traffic Rules allow you to set individual traffic policies for tunneling, blocking, and bypassing traffic for each of your apps.

Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel > Network Traffic Rules > Device Traffic Rules.
Select the applicable SDK application (like Workspace ONE Web). This configuration differs from the default SDK setting because you must enter the domains to tunnel by the app rather than as a blanket entry for all SDK-built apps. Use Add to enter multiple applications.
Select Tunnel for the Action.
Enter the app tunnel URLs from the VMware Tunnel - Proxy option in Destination Hostname. Define a default policy for domains that do not match patterns with your destination host names.
Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies, select App Tunnel Mode, and change from VMware Tunnel - Proxy to VMware Tunnel.

Content Filtering

Integrates your Forcepoint (Websense) content filtering service and the Workspace ONE Web. This integration requires settings on multiple pages in the console.

This integration requires configurations on different pages in the Workspace ONE UEM console.

Third-Party Proxies – Add information on the Third-Party Proxies page for your content filtering system so Workspace ONE UEM can communicate with it. Configure your Forcepoint information in Groups & Settings > All Settings > System > Enterprise Integration > Third Party Proxies.
Settings and Policies – Used for content filtering on the Settings and Policies page. Using the Settings and Policies, you can filter traffic in the Workspace ONE Web with the policies and rules set in your Forcepoint service.

Integration results in the system filtering the Workspace ONE Web traffic with the settings in the content filtering system. If you use another application tunnel, Workspace ONE UEM sends data that is not going through your content filtering service to the configured app tunnel.

Geofencing

Restrict access to applications depending on the distances set in Geofencing settings in the Workspace ONE UEM console.

Data Loss Prevention (DLP)

Protect sensitive data in applications. DLP options control how and what data transmits back and forth.

Setting	Description
Enable Bluetooth	Allows applications to access Bluetooth functionality on devices when set to Yes.
Enable Camera	Allows applications to access the device camera when set to Yes.
Enable Composing Email	Allows an application to use the native email client to send emails when set to Yes.
Enable Copy and Paste Out	Allows users to copy and paste content from SDK-built applications to external destinations when set to Yes. When you set it to No, the system allows copy and paste only between Workspace ONE UEM applications. Encryption of the pasted content depends upon the configurations for authentication and SSO. If you enable authentication and SSO, the system encrypts the content with a user pin-based key. Otherwise, the system encrypts content with a randomly generated key. The system migrates the setting configured previously in the option to Enable Copy and Paste to this feature.
Enable Copy and Paste Into	Allows users to copy and paste content from external destinations into SDK-built applications when set to Yes. When you set it to No, the system allows copy and paste only between Workspace ONE UEM applications.
Enable Data Backup	Allows wrapped iOS applications to sync data with a storage service like iCloud when set to Yes.
Enable Location Services	Allows wrapped applications to receive the latitude and longitude of the device when set to Yes.
Enable Printing	Allows an application to print from devices when set to Yes.
Enable Screenshot	Allows applications to access screenshot functionality on devices when set to Yes.
Enable Third-Party Keyboards	On iOS devices when set to No, SDK-built applications always open in the native keyboard and prevent the use of third-party keyboards. On Android devices when set to No and the user did not set the system keyboard as the primary keyboard, SDK-built applications prevent user access.
Enable Watermark	Displays text in a watermark in documents in the VMware Content Locker when set to Yes. Enter the content to display in the Overlay Text text box or use lookup values. You cannot change the design of a watermark from the Workspace ONE UEM console.
Limit Documents to Open Only in Approved Apps	Enter options to control the applications used to open resources on devices.
Allowed Applications List	Enter the applications that you allow to open documents.

Network Access Control

Allow applications to access the mobile network.

Setting	Description
Allow Cellular Connection	Controls cellular connections by allowing them all the time, allowing connections when the device is not roaming, or never allowing cellular connections.
Allow Wi-Fi Connection	Allows connections using Wi-Fi networks, or limits connections by Service Set Identifier (SSID).
Allowed SSIDs	Enter the Service Set Identifiers (SSIDs) that devices can use to access the Wi-Fi network during limiting connections.