Skip to content

Detailed Device Security Level Features

This page provides a detailed overview of the Device Security Levels across all supported operating systems. It supplements the general overview of Device Security Levels on the beem Device Management page to provide administrators with a more detailed insight into the policies.

Features are grouped by category for practical reference and are not configurable individually; policies are applied exclusively through the selected overall Device Security Level. Unless otherwise stated, a value of True indicates that the policy is enforced by the corresponding Device Security Level, while False indicates that it is not enforced.


INFO

Setting the Device Security Level to “0” disables all beem Device Management policies. This allows policies to be temporarily deactivated for testing or troubleshooting purposes without removing the existing device management configuration.

Android One UI

Passcode and Device Access Controls

FeatureDescriptionLevel 1Level 2Level 3Level 4
Passcode ComplexityThis dictates the type of characters required. Numeric means only numbers are allowed (like a bank PIN). Alphanumeric forces the user to use a combination of letters and numbers (a true password).NumericNumericAlphanumericAlphanumeric
Minimum LengthThe minimum number of characters or digits the user must enter when creating their Work Profile lock.6 Digits6 Digits6 Characters8 Characters
Max. Failed Attempts (Wipe)The "self-destruct" sequence. If a user enters the wrong passcode this many times in a row, beem Device Management automatically wipes the Work Profile and all corporate data inside it.10864
Inactivity TimeoutThe screen timeout. If the phone is left untouched for this many minutes, the Work Profile automatically locks itself, requiring a passcode or biometric to re-enter.5 Minutes3 Minutes2 Minutes1 Minute
Passcode HistoryPrevents users from reusing their old passwords. A value of "5" means they must create 5 entirely new passcodes before they can reuse their favorite one.3456
Passcode ExpirationForces the user to change their passcode after 90 days.TrueTrueTrueTrue
Strong Authentication TimeoutA defense-in-depth timer. Even if a user relies on a fingerprint all day, this timer forces them to manually type their primary passcode every X hours (e.g., every 24 hours) to prove they are the actual owner and haven't just bypassed the biometric sensor.No Timer24 Hours8 Hours4 Hours
Passcode SeparationBy default, Android allows users to use one single passcode to unlock both their personal phone and their Work Profile. Setting this to True breaks that link, forcing the user to maintain a completely separate, dedicated passcode just for the Work Profile.FalseFalseTrueTrue

Keyguard and Biometrics

FeatureDescriptionLevel 1Level 2Level 3Level 4
Fingerprint UnlockThe user is allowed to unlock the Work Profile using these specific biometric sensors instead of typing their passcode.TrueTrueTrueFalse
Face UnlockThe user is allowed to unlock the Work Profile using these specific biometric sensors instead of typing their passcode.TrueTrueFalseFalse
Iris ScanThe user is allowed to unlock the Work Profile using these specific biometric sensors instead of typing their passcode.TrueTrueFalseFalse
Trust Agents (Smart Lock)The phone stays unlocked (Smart Lock) if it detects it is at a "trusted location" (like the user's home) or is connected to a "trusted Bluetooth device" (like their car).TrueFalseFalseFalse

Data Protection and Restrictions

FeatureDescriptionLevel 1Level 2Level 3Level 4
Cross-Profile Copy/PasteThe user cannot copy text from a corporate email in Outlook and paste it into their personal WhatsApp or Notepad.FalseTrueTrueTrue
Share into Work ProfilePrevents personal apps from sending data into the work container.FalseTrueTrueTrue
Modify AccountsPrevents the user from manually adding or removing corporate email accounts or identities within the Work Profile; only the administrator can control the accounts.FalseTrueTrueTrue
Screenshots/Screen CaptureBlocks the user from taking screenshots or recording the screen while a Work Profile app is open.FalseFalseTrueTrue
Autofill ServicesPrevents third-party password managers or browser autofill services from injecting credentials into work applications.FalseFalseTrueTrue
PrintingDisables the native Android print spooler for work apps, preventing users from printing sensitive documents to unmanaged Wi-Fi printers.FalseFalseTrueTrue
Outgoing Beam (NFC)Disables sharing corporate data via physical NFC (tapping two phones together).FalseFalseTrueTrue

Privacy and System Security

FeatureDescriptionLevel 1Level 2Level 3Level 4
Share Location (Work Apps)All GPS and network location access for apps inside the Work Profile are cut off, meaning corporate apps cannot track the user's physical movements.FalseFalseTrueTrue
Contacts SearchPrevents the personal side of the phone's dialer from searching the corporate address book to identify incoming callers.FalseFalseTrueTrue
Bluetooth Contact SharingPrevents the Work Profile contacts from syncing to a Bluetooth-connected car dashboard.FalseFalseFalseTrue
AI AssistPrevents Google Assistant (or other AI voice assistants) from reading or interacting with data inside the Work Profile.FalseFalseFalseTrue
Configure CredentialsPrevents the user from manually installing custom security certificates into the Work Profile keystore, which helps prevent Man-in-the-Middle (MitM) attacks.FalseFalseFalseTrue
Share Admin Configured Wi-FiIf beem Device Management pushes a corporate Wi‑Fi password to the device, this prevents the user from using Android's native "Share via QR code" feature to give that Wi‑Fi password to someone else.FalseFalseFalseTrue
Unknown Sources PolicyBlocks the user from downloading and installing raw .apk files from the internet directly into the Work Profile, forcing them to only use the approved Google Play Store.FalseFalseFalseTrue
Work App Notifications (UI)"All" silences notifications completely. "System Only" allows critical system alerts but blocks standard app notifications from appearing in the personal notification shade.AllAllAllSystem Only

iOS

Passcode and Access Controls

FeatureDescriptionLevel 1Level 2Level 3Level 4
Passcode ComplexityMandates letters and numbers to exponentially increase entry complexity.FalseTrueTrueTrue
Minimum LengthEnforces a minimum character count (6) to expand the physical key space against brute force.TrueTrueTrueTrue
Inactivity TimeoutAutomatically locks the screen (after 2 minutes) to protect data on unattended devices.TrueTrueTrueTrue
Grace PeriodEliminates the unlock delay time to block unauthenticated access during instant wakeups.TrueTrueTrueTrue
Max. Failed AttemptsTriggers a hardware cryptographic wipe after (10) repeated bad attempts.FalseTrueTrueTrue
Passcode HistoryDisallows the reuse of (10) previous codes to force periodic credential rotation.FalseTrueTrueTrue
Passcode ExpirationSets a maximum lifespan (90 days) for the code to limit exposure of leaked pins.FalseTrueTrueTrue
Min. Complex CharsSets a minimum number (1) of special characters/numbers required.FalseTrueTrueTrue

Privacy and Restrictions

FeatureDescriptionLevel 1Level 2Level 3Level 4
Wrist DetectionLocks a paired Apple Watch instantly when removed from the wrist to stop secondary access.FalseTrueTrueTrue
AirDrop DestinationForces any allowed AirDrop instances to be evaluated as an unmanaged pathway.FalseFalseTrueTrue
AutoFill Re-AuthForces FaceID/TouchID checking before every login transaction as strict presence confirmation.FalseFalseFalseTrue
Encrypted BackupsMandates that any local iTunes/Finder backups are cryptographically locked against forensic extraction.FalseFalseFalseTrue

Safari Browser

FeatureDescriptionLevel 1Level 2Level 3Level 4
Safari CookiesControls cookie acceptance policies (restricts tracking to visited sites only).TrueTrueTrueTrue
Fraud WarningAutomatically enforces anti-phishing lookup warnings within mobile Safari browser workflows.FalseTrueTrueTrue

macOS

Passcode and Authentication

FeatureDescriptionLevel 1Level 2Level 3Level 4
Minimum LengthEnforces minimum character volume (6) to expand the physical key space.TrueTrueTrueTrue
Inactivity TimeoutAutomatically enforces mobile device passcode inactivity lockouts (2 minutes).TrueTrueTrueTrue
Grace PeriodEliminates the unlock delay time to block unauthenticated access on wake.TrueTrueTrueTrue
Max Failed AttemptsTriggers a hardware wipe after repeated bad attempts (10) to defeat brute-force.FalseTrueTrueTrue
Passcode ExpirationSets a maximum lifespan (90 days) for the code to limit exposure of leaked pins.FalseTrueTrueTrue
Passcode HistoryDisallows the reuse of previous codes (10) to force periodic credential rotation.FalseTrueTrueTrue
Min Complex CharsSets a minimum number (1) of special characters/numbers required.FalseTrueTrueTrue

System Security and Firewall

FeatureDescriptionLevel 1Level 2Level 3Level 4
Application FirewallGlobally activates the internal host software-based socket firewall.TrueTrueTrueTrue
FileVault DisablingExplicitly strips away local administrative rights to turn off disk encryption.FalseTrueTrueTrue
GatekeeperEnforces application signature checks via native Gatekeeper inspection.FalseFalseTrueTrue
Guest AccountShuts down standard ambient sandbox user profiles to remove anonymous access.FalseFalseTrueTrue
Firewall Stealth ModeConfigures firewall to drop unverified ICMP requests and ignore network scans.FalseFalseFalseTrue
Bonjour MulticastDeactivates local network service indexing/advertisements over mDNS.FalseFalseFalseTrue
Media BackupsIntercepts local application connections to suppress consumer iTunes backups.FalseFalseFalseTrue

Safari Browser

FeatureDescriptionLevel 1Level 2Level 3Level 4
Safari CookiesControls cookie acceptance policies (restricts tracking to visited sites only).TrueTrueTrueTrue
Fraud WarningActivates lookup checks against cataloged phishing endpoints before load.FalseTrueTrueTrue
Full URL ViewUnmasks the entire URL directory to prevent domain obfuscation/spoofing.FalseTrueTrueTrue