Supported by: ALL
In this field you can specify the number of minutes after which the DME client automatically logs the user out of the DME client. By default, the permitted range for superusers is from 0 (never) to 600 minutes, but you can change this. Recommended value: 10.
Note that on Android, Symbian, and Windows Mobile, the DME logout timer starts when the screen times out. On iOS, the timer starts after any action in DME.
Supported by: (
)(
)
In this field you can choose how the DME client should react when a new SIM card is inserted into the device. A user may need more than one SIM card, for instance if the user travels and uses local prepaid SIM cards, or if the user switches between a private and a company SIM card. However, simply allowing SIM card changes poses a security threat, as a malevolent user might steal a device and insert his own SIM card in order to (potentially) gain access to files and other data on the device. Therefore you can choose among three options in this field:
- None
If you select this option, the DME client will do nothing when a user changes SIM cards. This is usually not recommended for the above stated reasons.
- Lock device (Note: limited support by Android or Apple iOS devices or Basic MDM clients)
When the DME client detects the SIM card change, the client automatically switches to Lock device mode (Shell protection). The user now has to log in to DME in order to use the device. It is recommended to use the option Limit on password attempts to deter malevolent users from trying to guess a password. Just before logging in, DME checks if the current SIM card has been used before. If it has not, the user is prompted to enter the phone number for the new SIM card. This phone number and the SIM card identification number are stored and thus recognized the next time the SIM card is inserted. A maximum of 62 pairs of phone numbers and SIM card IDs can be stored in this way. This option does not apply to the Basic MDM client.
As of DME version 3.6.x, Apple iOS and Android devices have limited support for this feature: they are able to detect a change of SIM cards if the new SIM card is from a different operator, and then lock the device.
- Flush data
If you select this option, the DME client will flush (delete all data from) the device if another SIM card is inserted. The device will be flushed as if you had pushed the Destroy all device data command to the device (see Delete device data).
As of DME version 3.6.x, Apple iOS and Android devices have limited support for this feature: they are able to detect a change of SIM cards if the new SIM card is from a different operator, and then flush the device.
On Java devices, only devices running Java Platform 7.2 or above support this functionality as described above. Devices running older versions of the Java Platform can only detect a change of SIM cards if the new SIM card is from a different operator.
This setting was removed from DME for Apple iOS version 4.0.
Supported by:
If this setting is On, the device messaging (SMS/MMS) application can only be opened if you are logged in to the DME client.
Supported by:
If this setting is On, the device calendar can only be opened if you are logged in to the DME client. On Symbian devices, this is the Calendar application. On Windows Mobile, this is the Outlook Pocket PC, which also locks Contacts and To-dos (Tasks).
Supported by:
If this setting is On, the device contacts application can only be opened if you are logged in to the DME client. On Symbian devices, this is the Contacts application. On Windows Mobile, this is the Outlook Pocket PC, which also locks Calendar and To-dos (Tasks).
Supported by:
If this setting is On, the device to-do application can only be opened if you are logged in to the DME client. On Symbian devices, this is the To-Do application. On Windows Mobile, this is the Outlook Pocket PC (Tasks), which also locks Calendar and Contacts.
Supported by:
If this setting is On, the device will be locked when you log out of the DME client. This is also known as shell protection. Locked means that you are only able to receive voice calls, make emergency calls, receive (but not view) text messages, and respond to calendar alarm messages. If this setting is enabled, you must enable the setting Launch on startup in the General group of settings also. This way, this level of security is maintained even if the device is rebooted. Furthermore, the DME client will automatically restart if it should crash.
Supported by: ALL
If this setting is On, the user name remains visible in the Login screen after the user has logged out.
Supported by: ALL
In this field you can specify the permitted number of login attempts to the DME client. "0" is no limit. Note that when the limit is reached, the DME client will flush (delete all data from) the device. The device will be flushed as if you had pushed the Destroy all device data command to the device (see Delete device data). By default, the permitted range for superusers is from 0 (none) to 10 attempts, but you can change this.
Supported by:
If this setting is On, the user is not permitted to forward attachments on the device by Bluetooth, Infrared etc.
Apple iOS devices: If this option is Off (meaning that the Send button is enabled in the attachments view), a user can export and print attachments from iOS devices.
Supported by: 
If this setting is On, the user is permitted to download attachments in e-mails, meeting invitations, to-dos, and notes.
Supported by:
If this setting is On, the user is permitted to add attachments from the device in e-mails and other items. The maximum file size is by default 16 MB, but this limit may be changed in the Data section of the Server configuration page.
Supported by:
This setting controls if the user is able to uninstall the DME client from his or her device.
Disabled: The user can freely remove the DME client from the device.
Enabled - Unless when logged in: The user can only uninstall the client, if the user is able to log in to the DME client and thus prove that he or she is a registered user of the system. Note that this option is not available for DME Basic MDM clients.
Enabled - Always: The user is never able to uninstall the DME client.
Supported by: ALL
If this setting is On, the user is permitted to use the Change password functionality in the client. Note that to use this feature, certain requirements must be fulfilled.
- LDAPS is required. GCS does not support users changing password using the DME client.
- Domino: Users need write access to the LDAP. See the Domino Integration Guide for details.
- Exchange: You need secure access to the AD, using the LDAPS protocol. Furthermore, to allow users to change passwords when the password has expired (and not only during the grace period), you must enter an administrator user name and password on the Exchange connector. See Authentication.
Supported by: ALL
In this field you can specify the number of days a user should be warned that he must change his network password. On the client, the user can then choose the Change password function and change the password remotely, making direct access to the network unnecessary. Note: This is only supported on systems based on Active Directory, using LDAP or LDAPS. By default, the permitted range for superusers is from 0 (never) to 30 days, but you can change this.
Supported by:
If this setting is On, the user is permitted to perform searches in the global address book.
Supported by:
Your company security rules may require users to enter a long, complex password with a mix of letters and special symbols to gain access to the network and collaboration system. This may be easy to enter on a full PC keyboard, but can be difficult to enter using your phone keypad.
Instead of using the collaboration system password for logging in, it is possible to substitute the password for a fingerprint scan on the device. If this setting is On, users are allowed to use fingerprints to log in.
iOS: This requires an iOS device that supports Touch ID.
After 3 faulty scans, the Unlock method is changed back to Password, and the user has to change this in settings afterwards.
Android: Requires an Android 6 device with a fingerprint scanner. Please note that some devices do not support Android 6 fingerprint, and on these devices, the fingerprint scanner can only be used to unlock the device itself. For example: Samsung S5 does not support this, but newer Samsung phones, like S6 and S7, and the Samsung S2 tablet does.
After 5 faulty scans, the fingerprint scanner will be disabled for 30 seconds, and the user will not be able to use the fingerprint scanner in these 30 seconds.
Please note that:
- The network password is kept in memory, so if the device shuts down the DME client in the background, it is necessary for the user to log in again using username and password.
- The lock out time for fingerprint is exactly the same as for swipe, meaning that the user has to use password to login when lock out period has expired.
Supported by: ALL
It is also possible to substitute the password for an unlock pattern (previously called swipe code) of your choice - a pattern drawn with the finger across a set of tiles shown on the screen. This is possible on Android, Apple iOS, Windows Phone, Windows Mobile, and Symbian 3rd Edition devices.
On Symbian S60 and Windows Mobile devices, you can define a PIN code instead.
As an administrator, you can set the minimum number of tiles required for the unlock pattern (or the minimum length of the PIN code). See PIN code/swipe minimum length below. In order to maintain high security on the device, the following special conditions apply when using the unlock pattern/PIN code instead of the regular password:
- The unlock pattern/PIN code defined by the user will expire after some time, which you specify (see below).
- If the user attempts to log in using his or her unlock pattern, but he or she enters the code wrongly twice, the user must use his or her regular password for the next attempt to log in. (For PIN codes only one attempt is allowed). The unlock pattern/PIN code is not invalidated, however, and can be used again after the user has logged in using the regular password.