Configure OEMConfig Policy Profile (Android Enterprise)

SureMDM empowers IT administrators to remotely manage OEM devices (Samsung, Datalogic, Zebra, and Kyocera) using the OEMConfig Policy Profile for Android. This feature enables fine-grained control, enhances security, and offers customization options. With advanced control over these devices, administrators can enforce restrictions, optimize configurations, and ensure a secure and tailored experience for end-users, ensuring consistency across the device fleet.

1. Configure Android Enterprise (Profile Owner/Device Owner) in SureMDM. 
2. On the SureMDM Web Console, navigate to Profiles > Android > Add > Primary Profile > OEMConfig Policy > Configure.
3. Enter a Profile Name and select an app from the following options:

• Lenovo OEMConfig (Lenovo OEM)
• Knox Service Plugin (Samsung)
• Legacy Zebra OEMConfig (Zebra)
• Zebra OEMConfig powered by MX (Zebra)
• DataLogic OEMConfig (DataLogic)
• Device Config Plugin (Kyocera)
• Honeywell UEMConnect (Honeywell)
• TOUGHBOOK OEMConfig (Panasonic)
• Bluebird OEMConfig (Bluebird)
• Moto OEMConfig (Motorola)
• ASCOM OEMConfig (ASCOM)

note

Legacy Zebra OEMConfig (Zebra) is supported only in Device Owner mode.

4.  Configure the desired restriction settings. The settings for the respective applications are given in the following table:

App Name	Settings
Lenovo OEMConfig (Lenovo OEM)	Device Management Policy: Allows to Enable/Disable Device Management Policies  App Management Policy: Allows to Enable/Disable App Management Policies Connectivity Group: Allows to Enable/Disable Connectivity Group settings Kiosk Mode Group: Allows to Enable/Disable Kiosk Mode Group settings Custom UI Group: Allows to Enable/Disable Custom UI Group Policies Security Group: Allows to Enable/Disable Security Group Policies
Knox Service Plugin(Samsung)	Separated Apps Policy: A group of policies and restrictions that are applicable to Separated apps. Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company-owned devices (WP-C) mode as noted): A global group of policies and restrictions that are applicable to all users of the device. This list includes items that impact all users on the device, whether they fall under personal or work profiles. Availability: Knox 3.0 and above. Work profile policy: A group of policies and restrictions that are applicable to the Work profile user of the device. Starting with Knox 3.0, a KPE Premium license activation is required for using any policy in the work profile. Advanced Wi-Fi Configurations: A group of controls for Advanced Wi-Fi configurations. Allowed Apps for reading private keys configurations: A group of controls that drive “Allowed Apps for reading private keys configurations”. Allowed USB devices for application configuration: A group of controls that drive “Access for USB Devices for Applications”. APN configuration: A group of policies to specify one or more Access Point Name configurations. For example, APN name, APN type, authentication type, and more. Certificates (premium): A group of policies to specify one or more Certificate configurations. Device account policy configuration: A group of controls to Enable Device account policies. Device and settings customization profile: A group of controls to configure and customize the device user's experience. These features are available only with a KPE Premium license with customization permissions. Device Key Mapping to launch application configuration: A group of controls for device key mapping configurations DeX customization profile: A group of settings that help customize the Samsung DeX experience for the user. These features are available only with a KPE Premium license. Firewall Configuration Profile:  A group of controls that drive the firewall configuration on the device. Manual Proxy Configuration: A group of policies to specify the global proxy setting using a specified server host and port. Contact your network administrator for this information. NPA Data Point Profile: A group of controls that drive the Network Platform Analytics (NPA) data points configuration at a device-wide or Work profile level. Availability: Knox v3.3 or higher. Peripheral Configuration: A group of controls for peripheral configuration profiles Proxy auto-config: A group of policies to specify the Proxy auto-config (PAC) based proxy setting, for example, the server, port details, and more RCP Data Sync Profile Configuration: A group of controls that drive RCP Policy data sync configurations at the Work profile level. UCM Plugin Configuration: A group of controls to specify the configuration of one or more UCM plugins that access credential storage. VPN Profile: A group of configuration settings for the VPN profiles used to drive the device's primary and secondary VPN clients. You can define up to two VPN profiles used for VPN Chaining. Wi-Fi Configuration: A group of controls for Wi-Fi configurations.
Legacy Zebra OEMConfig (Zebra)	Transaction Steps: Specifies a series of Steps to be performed by OemConfig as part of a single transaction(s).
Zebra OEMConfig powered by MX(Zebra)	Application Configuration : Open to configure Device Central Configuration. Files Configuration : Add element(s) to configure one or more File(s). Keyboard Mappings : Add element(s) to configure one or more Keyboard Mapping(s). License Configuration : Open to configure Enterprise Reset Persistence, Licenses, and Features. Package Configuration : Add element(s) to configure one or more Package(s). Security and Privacy Configuration : Open to configure Encryption, Screen Lock, and SD Card Setup Notification. System Configuration : Open to configure Analytics, Clock, Data Wipe, GMS, Lifeguard, Power, Remote Scanner Configurations, Wake-Up, Pass-Through Command, and Logs. UI Configuration : Open to configure Audio, DataWedge, Display, Event-Triggered Intents, General UI, Keyboard, Settings UI, Touch Panel, and Volume UI Profiles. Wireless and Network Configuration : Open to configure Bluetooth, DHCP, Enterprise NFC, Ethernet, Host Name, Network Connection, RFID, Wireless General, Wireless LAN, and Wireless WAN.
Datalogic OEMConfig(Datalogic)	Scanner settings: The Scanner settings allow users to configure Notification, Formatting, Symbol settings, and more for the scanning functionality. Power and charging settings: enable users to set power and charging options. Keyboard and Scan Buttons: allow users to configure Keyboard and scan-related settings. Dock settings: Dock settings offer options to set Firmware update policies, Cradle unlock policies, Cradle unlock notification policies, and Cradle failure policies. Network settings: provide the ability to enable or disable airplane mode. System settings: allow users to set date, time, display language, and other system-related configurations. Firmware Update: Allow users to specify the type of reset to perform after firmware update completion and the path to the OTA update file. Launch Activities: Launch Activities settings involve providing the package name of the app and the Component Name of the activity to launch. This is useful for specifying the default activity to be launched for the app.
Device Config Plugin(Kyocera)	Disable NFC: Use this control to disable NFC Disable OTA Update: Use this control to disable OTA update Disable SIM card Lock: Use this control to disable SIM card lock Disable Emergency Alert: Use this control to disable Emergency Alert Disable Vibrate: Use this control to disable all Vibrate Disable Battery Shortcut: Use this control to disable Battery Shortcut on notification Disable Edit Quick Settings: Use this control to disable to edit Quick Settings. Disable Quick Settings: Use this control to disable to use Quick Settings Disable Manage Contacts: Use this control to disable to manage contacts Applications Allowed to Manage Contacts: Allows to enable/disable Disable Power off by User: Use this control to disable to power off by user Disable Mock Location: Use this control to disable Mock Location Disable App Shortcut on Lock Screen: Use this control to disable App Shortcut on Lock Screen Disable Voice Roaming: Use this control to disable Voice Roaming Disable Mobile Data: Use this control to disable Mobile Data Disable USB Tethering: Use this control to disable USB tethering. Disable USB Debug: Use this control to disable USB debug Disable USB Host: Use this control to disable USB host Disable Bluetooth Tethering: Use this control to disable Bluetooth Tethering Disable Wi-Fi: Use this control to disable all Wi-Fi functions. Disable Open Network: Use this control to disable access to non-secure Wi-Fi Disable Wi-Fi Tethering: Use this control to disable Wi-Fi tethering Disable Default Launcher: Use this control to disable all pre-installed launcher applications. This is enabled when other launcher applications are installed. Restrict Incoming Call: Set incoming call restriction Allowlist Phone Number for Incoming Calls: Set the phone numbers to accept incoming callsl. This is enabled when Restrict Incoming Call is set to "Without Allowlist" or "Without Contacts and Allowlist Allowlist Phone Number for Outgoing Calls: Set the phone numbers to accept outgoing calls. This is enabled when Restrict Outgoing Call is set to "Without Allowlist" or "Without Contacts and Allowlist" Disable Clipboard: Use this control to disable clipboard Disable Recovery Mode: Use this control to disable Recovery mode Disable Doze Mode: Use this control to disable Doze mode Force SD card Encryption: Use this control to force encrypt the SD card. Alert Notification Control - AMBER: Allows to enable/disable Alert Notification Control Alert Notification Control - SEVERE: Allows to enable/disable Alert Notification Control Alert Notification Control - EXTREME: Allows to enable/disable Alert Notification Control Key Restrictions: Allows to enable/disable Exchange Key Event: Allows to enable/disable Active Bluetooth Profile: Set active Bluetooth profile. If no item is selected, all profiles are active. If HFP is selected, only HFP, HSP, MAP, and PBAP are allowed. If Audio is selected, only A2DP, AVRCP, HFP, and HSP are allowed. If Data is selected, only GATT, HID, MAP OPP PAN, and PBAP are allowed. Create VPN Profile: Allows to enable/disable Bluetooth Class of Device: Set Bluetooth class of device Launcher Application: Set default launcher application. Please enter a package name. Doze mode allowlist: Set Doze mode allowlist. Data saver allowlist: Set Data saver allowlist. Restrict Carkit Power Settings / Auto power on: Set carkit power settings / Auto power on restriction. Restrict Glove Touch Settings: Set glove touch setting restrictions. Configuration programmable key settings: Configuration programmable key settings on device. Configuration programmable key 2: Configuration programmable key 2 settings on the device. Configuration Camera Key Settings: Configuration SOS key/Body camera key settings on the device. Configuration SOS key/Body camera key settings: Configuration SOS key/Body camera key settings on the device. Disable Call Recording: Use this control to disable call recording. Disable Config Boot Schedule: Use this control to disable config boot schedule
Honeywell UEMConnect (Honeywell)	Configuration Snippet Settings: Setting to use the XML snippets of the configuration you want to modify or add. Download File from Source to Destination: Allows to download file from source to destination Application:  Allows to configure application settings Device Management: Allows configuration of device management settings. Display Settings: Allows to configure display settings. Input and Output Settings: Allows to configure input and output settings Network Settings: Allows to configure network settings. Scanner Settings: Allows to configure the scanner (DCS) settings. System Settings: Allows to configure system settings System Update Settings: Allows to configure system update settings
TOUGHBOOK OEMConfig (Panasonic)	Configuration: Specifies an OemConfig Step by specifying an unordered set of operations.
Bluebird OEMConfig (Bluebird)	Step : Specifies an OEMConfig step
Moto OEMConfig (Motorola)	Debug tools policies : Allows to configure debug tools policies. System policies : Allows to configure system policies Connectivity policies : Allows to configure connectivity policies Smart Connect policies : Allows to configure smart connect policies Software Control policies : Allows to configure software control policies Remote Control policies : Allows to configure remote control policies Customization policies : Allows to configure customization policies
ASCOM OEMConfig (ASCOM)	WiFi : Contains restrictions which affect settings associated with the wifiextensions app Ascom VoIP : Contains restrictions which affect settings associated with the phonesip app DECT : Contains restrictions which affect settings associated with the dect app Button configuration : Contains restrictions which affect settings associated with the extensions app Barcode scanning : Contains restrictions which affect settings associated with the barcodescanner app Location services : Contains restrictions which affect settings associated with the locationmanager app Supervisor : Contains restrictions which affect settings associated with the supervisor app Display setup : Contains restrictions which affect settings associated with the launcher2 app Dock behavior, Profiles & Advanced settings : Contains restrictions which affect settings associated with the settings app Troubleshooting : Contains restrictions which affect settings associated with the devicelogger app System update : Contains restrictions which affect settings associated with the softwareupdate app

5.  Save the profile.

note

Once the profile is saved, the plugin application will get automatically added to the Application Policy profile.

      The newly created profile gets listed under the Profiles section.

6.  Go back to the Home tab and select the OEM (Lenovo/Samsung/DataLogic/Zebra/Kyocera/Honeywell/Panasonic/Bluebird/Notorola/ASCOM) device.

7.  Click Apply to launch the Apply Job/Profile To Device prompt.

8.  In the Apply Job/Profile To Device prompt, select the created profile and click Apply.

The profile gets applied to the OEM (Lenovo/Samsung/DataLogic/Zebra/Kyocera/Honeywell/Panasonic/Bluebird/Notorola/ASCOM) devices.