1. Features and Purpose
The System Settings module serves as the central governance entry point for enterprises on the KiwiCloud platform, enabling unified configuration of platform-wide rules that affect the entire system. These include account security policies, compliance requirements, default device policies, and system function switches.
Through this module, administrators can:
Establish and enforce enterprise account security requirements (e.g., two-factor authentication, password complexity, account lockout policy);
Define the handling method when a device fails security compliance checks (e.g., lock the device, restore factory settings);
Specify the default management policy for new devices joining the platform, reducing initial configuration workload;
Control certain global business rules and system switches (e.g., device naming rules, KC app configuration, approval process toggles).
Notes:
The configurations in this module apply to all users and devices within the enterprise.
Only users with Enterprise Administrator permissions can access and modify System Settings.
Configuration changes take effect immediately. It is recommended to adjust settings during off-peak business hours.
Module Structure:
Function Tab | Description |
Security Settings | Includes security management configurations such as two-factor authentication (2FA), account security policies, and password policies. |
Compliance Settings | Defines how to handle non-compliant devices and related rules, affecting the enforcement logic of all compliance strategies. |
Default Device Policy | Configures the default GMA/KMA policy bound to newly connected devices, enabling quick standardized management. |
Others | Includes system behavior and function control items such as device naming rules, KC app configuration, and approval process switches. |
Typical Use Cases
Before enterprise go-live, administrators preset account and password policies in System Settings to ensure all newly created accounts meet security standards;
For store or business terminal devices, define “Restore Factory Settings” in Compliance Settings as the handling method for non-compliance to prevent misuse;
During bulk device deployment, automatically bind management policies via the Default Device Policy to reduce manual assignment workload;
Maintain consistent asset naming through device naming rules, facilitating later maintenance and statistical analysis.
2. Security Settings
2.1 Two-Factor Authentication (2FA)
Description
Two-Factor Authentication (2FA) adds an extra layer of security during KiwiCloud login. After entering the password, the user must also provide a one-time passcode (OTP) to verify identity. The system supports sending the verification code via email and allows setting the code input frequency (e.g., every login, daily, every seven days). Once enabled, 2FA applies to all user accounts in the organization, significantly reducing the risk of account compromise.
Notes
This is a global configuration and takes effect immediately for all users in the organization.
Currently, only email is supported for sending verification codes.
It is recommended to set the OTP input frequency according to the security level required:
Every login: Highest security level, suitable for highly sensitive operations.
Daily: Verification is required for the first login of each day.
Every seven days: Verification is required for the first login every 7 days.
Enabling 2FA may increase login steps for users, so inform them in advance.
Disabling 2FA lowers account security and should be done with caution.
Steps
Go to System Settings → Security Settings → 2FA.
Enable the Two-Factor Authentication toggle.
Under Verification Code Delivery Method, select Email (currently the only option).
In OTP Input Frequency, choose the desired option (Every login / Daily / Every seven days).
Click Save — the setting takes effect immediately.
2.2 Account Security Policy
Description
The Account Security Policy enhances account security by managing inactive accounts, session expiration, maximum concurrent sessions, login failure protection, and console access IP whitelists, reducing the risk of unauthorized access. Administrators can enable relevant policies and set actions for failed login attempts (e.g., send alerts, lock accounts).
Notes
When Inactive Accounts is enabled, accounts that have not logged in for the set number of days will be automatically disabled.
Session expiration and concurrent session limits apply only to Web Console logins.
Once enabled, the policy applies to all users in the organization.
Login failure handling options include Send alert email or Temporarily lock account.
The console access whitelist only allows specified IP addresses to access the admin console. It is recommended to open access only to fixed office networks.
Steps
Go to System Settings → Security Settings → Account Security Policy.
(Optional) Enable Inactive Accounts and set the disable period (days).
(Optional) Configure Session Expiration:
Validity period for Web Console sessions.
Maximum number of concurrent sessions.
(Optional) Enable Account Security Policy:
Set the maximum number of failed login attempts.
Set post-failure actions (Send alert email / Lock account temporarily).
If sending alerts, specify the recipient email address.
(Optional) Add allowed IP addresses in the Console Access Whitelist.
Click Save to apply settings.
2.3 Password Policy
Description
The Password Policy enforces organization-wide password security requirements by specifying password length, character types, reuse restrictions, and change cycles, improving overall account protection. Once enabled, all users must meet these requirements when setting or changing their passwords.
Notes
This is a global setting and applies to all accounts in the organization.
The minimum password length should be at least 8 characters.
The required number of special and numeric characters should be adjusted according to security needs.
Number of previous passwords that cannot be reused prevents frequent reuse of old passwords.
Minimum password change interval (days) is recommended to be 30 days or more in high-security environments.
Steps
Go to System Settings → Security Settings → Password Policy.
Enable the Password Policy toggle.
Configure the following parameters:
Minimum password length.
Minimum number of special characters.
Minimum number of numeric characters.
Number of previous passwords that cannot be reused.
Minimum password change interval (days).
Click Save — the policy takes effect immediately.
3. Compliance Settings
Description
Compliance Settings define the automated actions taken when a device fails to meet policy requirements or is detected as non-compliant. Actions include “Disable Device” and “Factory Reset Device”. Administrators can configure the time threshold (in days) for triggering these actions, ensuring devices complete remediation within the specified period; otherwise, the system will execute the corresponding action.
This feature applies to non-compliance handling scenarios across various device policies on the platform and serves as the baseline configuration for enterprise compliance governance. Although non-compliance handling is a global setting, individual policy modules (such as Device Policy, App Distribution Policy, App Update Policy) can independently enable or disable non-compliance handling through in-policy switches.
Notes
The day values for Disable Device and Factory Reset Device must not exceed 30 days.
The Factory Reset Device day value must be greater than the Disable Device day value.
To configure immediate action, set the corresponding days to
0(meaning no waiting, immediate execution).Modifications take effect immediately for newly detected non-compliance events but will not affect events already in progress.
For KMA devices, parameters are synced to the device in real time.
For GMA devices, parameters are sent to the device during the next policy update.
Steps
Go to System Settings → Compliance Settings.
In the Disable Device input box, set the number of days:
0means disable immediately.Any other value means the device will be disabled after the specified number of days from non-compliance detection.
In the Factory Reset Device input box, set the number of days:
Must be greater than the Disable Device day value.
0means execute factory reset immediately.
Click Save — the configuration takes effect immediately.
4. Default Device Policy
Description
The Default Device Policy is used to automatically apply a set of basic management configurations to devices newly enrolled in the platform, ensuring that devices meet enterprise security and management requirements from the moment they are first managed. These policies serve as global defaults, and devices will inherit them unless a dedicated policy is assigned to an individual device or group.
The system supports separate default policy configurations for GMA and KMA devices:
Default GMA Device Policy: Uses global configurations, including modules such as Password, Restrictions, Wi-Fi, and more.
Default KMA Device Policy: Supports preset configurations for selected modules (e.g., System Settings, Permission Settings, Custom Wallpaper).
Notes
Once saved, the default device policy will apply immediately to newly enrolled devices.
Impact on existing devices:
GMA devices: Policy changes are updated to devices during the next policy deployment.
KMA devices: Policy changes are synced to devices in real time.
The default policy is a global configuration; if a device or group already has an assigned policy, that policy will take priority.
Enabling the Prompt User Before Applying option will display a confirmation prompt when modifying or applying the policy to prevent accidental changes.
Steps
4.1 Default GMA Device Policy
Navigate to System Settings → Default Device Policy → Default GMA Device Policy.
Configure each sub-tab as needed:
Password: Set password complexity, maximum failed attempts, password history count, password expiration period, etc.
Restrictions: Configure allowed/blocked functions (e.g., camera, developer mode) according to GMA Device Policy specifications.
Wi-Fi: Configure Wi-Fi connection policies as required.
Click Save — the policy takes effect immediately and will be applied to new GMA devices upon enrollment.
4.2 Default KMA Device Policy
Navigate to System Settings → Default Device Policy → Default KMA Device Policy.
In System Settings, choose preset configurations such as Wi-Fi, Bluetooth, screen timeout, and volume. Optionally, enable Compliance Check to automatically correct non-compliant device settings.
Enable additional policy modules as needed:
Permission Settings Policy: Enables centralized management of device permissions.
Custom Wallpaper Policy: Distributes enterprise-branded wallpapers to devices.
Click Save — the policy will be immediately synced to KMA devices.
5. Others
5.1 Device Naming Rule
Description
Device Naming Rules are used to automatically generate device names in a uniform format when devices are imported or first registered to the platform, making it easier to manage assets and identify devices during operations. Administrators can customize the prefix text, delimiter, and sequence type to form a standardized naming template.
Notes
This rule only applies when the device is first registered on the platform; it will not batch update names of existing devices.
Supported delimiters:
-,.,_.Supported sequence types: Auto-increment Number, SN, IMEI, Wi-Fi MAC Address.
The naming format will be previewed in real time during configuration to confirm it meets requirements.
Steps
Go to System Settings → Others → Device Naming Rules.
In Custom Text, enter a naming prefix (e.g.,
KMA,STORE).Select a delimiter (
-,., or_).Select a sequence type (Auto-increment Number / SN / IMEI / Wi-Fi MAC Address).
Check the preview area to confirm the format (e.g.,
KMA-SN1).Click Save — new devices will be automatically named according to the rule.
5.2 KC App Configuration
Description
KC App Configuration is used to set the data reporting and location reporting frequency of the KiwiCloud Application on devices, ensuring the platform can receive timely device operation and location information.
Notes
This configuration applies to all devices under the enterprise that have the KiwiCloud Application installed.
Settings take effect immediately after saving.
Higher frequency settings may increase device power consumption and data usage.
Location reporting frequency options: 15 minutes, 30 minutes, 1 hour, 2 hours.
Steps
Go to System Settings → Others → KC App Configuration.
Set KC App Reporting Frequency (in minutes, default 15 minutes).
Set Device Location Reporting Frequency (15 minutes / 30 minutes / 1 hour / 2 hours).
Click Save — settings take effect immediately.
5.3 Approval Flow Switch
Description
The Approval Flow Switch controls whether tasks such as policy deployment, app distribution, and file distribution require approval before execution. When enabled, related tasks must be reviewed and approved by the system administrator before being issued. When disabled, approvals are automatically executed by the system without manual confirmation.
Notes
Disabling the approval flow does not skip approval steps — they are automatically approved by the system instead.
You can control approval flow independently for different task types: Device Policy, App Library, App Release Policy, Kiosk Policy, File Distribution Policy.
It is recommended to keep approval flow enabled in high-security environments to prevent accidental changes.
Steps
Go to System Settings → Others → Approval Flow Switch.
Enable or disable approval flow for the following task types as needed:
Device Policy Approval Flow
App Library Approval Flow
App Release Policy Approval Flow
Kiosk Policy Approval Flow
File Distribution Policy Approval Flow
Click Save — settings take effect immediately.