Detailed Device Security Level Features
This page provides a detailed overview of the Device Security Levels across all supported operating systems. It supplements the general overview of Device Security Levels on the beem Device Management page to provide administrators with a more detailed insight into the policies.
Features are grouped by category for practical reference and are not configurable individually; policies are applied exclusively through the selected overall Device Security Level. Unless otherwise stated, a value of True indicates that the policy is enforced by the corresponding Device Security Level, while False indicates that it is not enforced.
INFO
Setting the Device Security Level to “0” disables all beem Device Management policies. This allows policies to be temporarily deactivated for testing or troubleshooting purposes without removing the existing device management configuration.
Android One UI
Passcode and Device Access Controls
| Feature | Description | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| Passcode Complexity | This dictates the type of characters required. Numeric means only numbers are allowed (like a bank PIN). Alphanumeric forces the user to use a combination of letters and numbers (a true password). | Numeric | Numeric | Alphanumeric | Alphanumeric |
| Minimum Length | The minimum number of characters or digits the user must enter when creating their Work Profile lock. | 6 Digits | 6 Digits | 6 Characters | 8 Characters |
| Max. Failed Attempts (Wipe) | The "self-destruct" sequence. If a user enters the wrong passcode this many times in a row, beem Device Management automatically wipes the Work Profile and all corporate data inside it. | 10 | 8 | 6 | 4 |
| Inactivity Timeout | The screen timeout. If the phone is left untouched for this many minutes, the Work Profile automatically locks itself, requiring a passcode or biometric to re-enter. | 5 Minutes | 3 Minutes | 2 Minutes | 1 Minute |
| Passcode History | Prevents users from reusing their old passwords. A value of "5" means they must create 5 entirely new passcodes before they can reuse their favorite one. | 3 | 4 | 5 | 6 |
| Passcode Expiration | Forces the user to change their passcode after 90 days. | True | True | True | True |
| Strong Authentication Timeout | A defense-in-depth timer. Even if a user relies on a fingerprint all day, this timer forces them to manually type their primary passcode every X hours (e.g., every 24 hours) to prove they are the actual owner and haven't just bypassed the biometric sensor. | No Timer | 24 Hours | 8 Hours | 4 Hours |
| Passcode Separation | By default, Android allows users to use one single passcode to unlock both their personal phone and their Work Profile. Setting this to True breaks that link, forcing the user to maintain a completely separate, dedicated passcode just for the Work Profile. | False | False | True | True |
Keyguard and Biometrics
| Feature | Description | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| Fingerprint Unlock | The user is allowed to unlock the Work Profile using these specific biometric sensors instead of typing their passcode. | True | True | True | False |
| Face Unlock | The user is allowed to unlock the Work Profile using these specific biometric sensors instead of typing their passcode. | True | True | False | False |
| Iris Scan | The user is allowed to unlock the Work Profile using these specific biometric sensors instead of typing their passcode. | True | True | False | False |
| Trust Agents (Smart Lock) | The phone stays unlocked (Smart Lock) if it detects it is at a "trusted location" (like the user's home) or is connected to a "trusted Bluetooth device" (like their car). | True | False | False | False |
Data Protection and Restrictions
| Feature | Description | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| Cross-Profile Copy/Paste | The user cannot copy text from a corporate email in Outlook and paste it into their personal WhatsApp or Notepad. | False | True | True | True |
| Share into Work Profile | Prevents personal apps from sending data into the work container. | False | True | True | True |
| Modify Accounts | Prevents the user from manually adding or removing corporate email accounts or identities within the Work Profile; only the administrator can control the accounts. | False | True | True | True |
| Screenshots/Screen Capture | Blocks the user from taking screenshots or recording the screen while a Work Profile app is open. | False | False | True | True |
| Autofill Services | Prevents third-party password managers or browser autofill services from injecting credentials into work applications. | False | False | True | True |
| Printing | Disables the native Android print spooler for work apps, preventing users from printing sensitive documents to unmanaged Wi-Fi printers. | False | False | True | True |
| Outgoing Beam (NFC) | Disables sharing corporate data via physical NFC (tapping two phones together). | False | False | True | True |
Privacy and System Security
| Feature | Description | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| Share Location (Work Apps) | All GPS and network location access for apps inside the Work Profile are cut off, meaning corporate apps cannot track the user's physical movements. | False | False | True | True |
| Contacts Search | Prevents the personal side of the phone's dialer from searching the corporate address book to identify incoming callers. | False | False | True | True |
| Bluetooth Contact Sharing | Prevents the Work Profile contacts from syncing to a Bluetooth-connected car dashboard. | False | False | False | True |
| AI Assist | Prevents Google Assistant (or other AI voice assistants) from reading or interacting with data inside the Work Profile. | False | False | False | True |
| Configure Credentials | Prevents the user from manually installing custom security certificates into the Work Profile keystore, which helps prevent Man-in-the-Middle (MitM) attacks. | False | False | False | True |
| Share Admin Configured Wi-Fi | If beem Device Management pushes a corporate Wi‑Fi password to the device, this prevents the user from using Android's native "Share via QR code" feature to give that Wi‑Fi password to someone else. | False | False | False | True |
| Unknown Sources Policy | Blocks the user from downloading and installing raw .apk files from the internet directly into the Work Profile, forcing them to only use the approved Google Play Store. | False | False | False | True |
| Work App Notifications (UI) | "All" silences notifications completely. "System Only" allows critical system alerts but blocks standard app notifications from appearing in the personal notification shade. | All | All | All | System Only |
iOS
Passcode and Access Controls
| Feature | Description | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| Passcode Complexity | Mandates letters and numbers to exponentially increase entry complexity. | False | True | True | True |
| Minimum Length | Enforces a minimum character count (6) to expand the physical key space against brute force. | True | True | True | True |
| Inactivity Timeout | Automatically locks the screen (after 2 minutes) to protect data on unattended devices. | True | True | True | True |
| Grace Period | Eliminates the unlock delay time to block unauthenticated access during instant wakeups. | True | True | True | True |
| Max. Failed Attempts | Triggers a hardware cryptographic wipe after (10) repeated bad attempts. | False | True | True | True |
| Passcode History | Disallows the reuse of (10) previous codes to force periodic credential rotation. | False | True | True | True |
| Passcode Expiration | Sets a maximum lifespan (90 days) for the code to limit exposure of leaked pins. | False | True | True | True |
| Min. Complex Chars | Sets a minimum number (1) of special characters/numbers required. | False | True | True | True |
Privacy and Restrictions
| Feature | Description | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| Wrist Detection | Locks a paired Apple Watch instantly when removed from the wrist to stop secondary access. | False | True | True | True |
| AirDrop Destination | Forces any allowed AirDrop instances to be evaluated as an unmanaged pathway. | False | False | True | True |
| AutoFill Re-Auth | Forces FaceID/TouchID checking before every login transaction as strict presence confirmation. | False | False | False | True |
| Encrypted Backups | Mandates that any local iTunes/Finder backups are cryptographically locked against forensic extraction. | False | False | False | True |
Safari Browser
| Feature | Description | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| Safari Cookies | Controls cookie acceptance policies (restricts tracking to visited sites only). | True | True | True | True |
| Fraud Warning | Automatically enforces anti-phishing lookup warnings within mobile Safari browser workflows. | False | True | True | True |
macOS
Passcode and Authentication
| Feature | Description | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| Minimum Length | Enforces minimum character volume (6) to expand the physical key space. | True | True | True | True |
| Inactivity Timeout | Automatically enforces mobile device passcode inactivity lockouts (2 minutes). | True | True | True | True |
| Grace Period | Eliminates the unlock delay time to block unauthenticated access on wake. | True | True | True | True |
| Max Failed Attempts | Triggers a hardware wipe after repeated bad attempts (10) to defeat brute-force. | False | True | True | True |
| Passcode Expiration | Sets a maximum lifespan (90 days) for the code to limit exposure of leaked pins. | False | True | True | True |
| Passcode History | Disallows the reuse of previous codes (10) to force periodic credential rotation. | False | True | True | True |
| Min Complex Chars | Sets a minimum number (1) of special characters/numbers required. | False | True | True | True |
System Security and Firewall
| Feature | Description | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| Application Firewall | Globally activates the internal host software-based socket firewall. | True | True | True | True |
| FileVault Disabling | Explicitly strips away local administrative rights to turn off disk encryption. | False | True | True | True |
| Gatekeeper | Enforces application signature checks via native Gatekeeper inspection. | False | False | True | True |
| Guest Account | Shuts down standard ambient sandbox user profiles to remove anonymous access. | False | False | True | True |
| Firewall Stealth Mode | Configures firewall to drop unverified ICMP requests and ignore network scans. | False | False | False | True |
| Bonjour Multicast | Deactivates local network service indexing/advertisements over mDNS. | False | False | False | True |
| Media Backups | Intercepts local application connections to suppress consumer iTunes backups. | False | False | False | True |
Safari Browser
| Feature | Description | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| Safari Cookies | Controls cookie acceptance policies (restricts tracking to visited sites only). | True | True | True | True |
| Fraud Warning | Activates lookup checks against cataloged phishing endpoints before load. | False | True | True | True |
| Full URL View | Unmasks the entire URL directory to prevent domain obfuscation/spoofing. | False | True | True | True |
