Create a policy

A policy is a group of settings that determine the behavior of a managed device and the apps installed on it. Each Policies resource represents a unique group of device and app settings and can be applied to one or more devices. Once a device is linked to a policy, any updates to the policy are automatically applied to the device.

To create or update a Policies resource, call enterprises.policies.patch. You can use enterprises.policies.delete to delete a policy.

Relationship between a policy and a device

You can apply a policy to a device or multiple devices during enrollment by including the policyName when creating an enrollment token. You need to provide an enrollment token when you set up a device. If a policy is included, it's applied to a device at the time of enrollment. A device can only have one policy at any given time.

To change how a device is managed, update the policy using enterprises.policies.patch or apply a different policy to the device using enterprises.devices.patch. When you update a policy using enterprises.policies.patch, the update is enforced on all devices with that policy assigned.

The Android Management API also allows you to set a default policy. An enterprise can define a single default policy by setting the name of a policy to "default". After setting a policy as default, that policy is applied to all new devices at the time of enrollment unless another policyName is specified in the device's enrollment token.

Devices enrolled without a policy are blocked from all functions until a policy is applied. If a policy is not applied within five minutes, then the enrollment fails and the device is factory reset.

Include apps in a policy

You can include apps and app management settings in a policy. This allows enterprise admins to manage an app or group of apps at a policy level rather than on individual devices. Policies are capable of enforcing a range of app settings and configurations on devices (see the API reference for a full list), including:

  • Automatically installing apps and preventing uninstalls.
  • Determining how to handle permission requests (automatically grant, automatically deny, or prompt the user).
  • Allowing or preventing an app from locking itself in full-screen mode.
  • Setting managed configurations.

Apply a policy to newly enrolled devices

The method you use to apply policies to newly enrolled devices is up to you and the requirements of your customers. Here we present three different approaches.

A. When creating an enrollment token, you can specify the name of the policy (policyName) that will be initially linked to the device. When you enroll a device with the token, the policy is automatically applied to the device.

B. Set a policy as the default policy for an enterprise. If no policy name is specified in the enrollment token and there is a policy with the name enterprises/<enterprise_id>/policies/default, each new device is automatically linked to the default policy at the time of enrollment.

C. Subscribe to a Cloud Pub/Sub topic to receive notifications about newly enrolled devices. In response to an enrollment message, call enterprises.devices.patch to link the device with a policy.

Policy compliance

If a device is not in compliance with a policy setting, the device will generate a non-compliance detail indicating:

  • The setting that the device is not in compliance with.
  • The reason that the device is not in compliance with the setting.

Non-compliance details don't trigger any action on a device by default. However, you can include compliance rules in a policy. Compliance rules define the action taken on a device when a specified condition is met. Each rule contains:

  • A condition: A specific non-compliance detail or minimum API level. Each compliance rule can only have one condition.
  • Mitigating action: The action triggered on a device if the specified condition is met (for example, disable apps). A rule can have any number of mitigating actions. If no mitigating actions are set, Android Device Policy will display a non-compliance message on the device.
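
The following pre-flight check is an added example, not code from the original page or from the Android Management API project. It inspects a policy body before it is sent with enterprises.policies.patch and flags rules that break the one-condition constraint or that carry no mitigating action. The field names (complianceRules, nonComplianceDetailCondition, apiLevelCondition, disableApps, packageNamesToDisable) are those of the API's Policy resource and are not listed on this page; the sample policy, package name and setting name are constructed.

```python
# Added example: lint the complianceRules of a policy body before patching it.
CONDITIONS = ("nonComplianceDetailCondition", "apiLevelCondition")
ACTIONS = ("disableApps", "packageNamesToDisable")


def check_compliance_rules(policy):
    """Return (rule_index, finding) pairs for rules that do not have exactly
    one condition, or that have no mitigating action set."""
    findings = []
    for i, rule in enumerate(policy.get("complianceRules", [])):
        present = [c for c in CONDITIONS if c in rule]
        if len(present) != 1:
            findings.append(
                (i, f"expected exactly one condition, found {len(present)}"))
        # An absent, false or empty action means nothing is enforced.
        if not any(rule.get(a) for a in ACTIONS):
            findings.append(
                (i, "no mitigating action: device only shows a message"))
    return findings


# Constructed sample policy body (values are illustrative).
SAMPLE_POLICY = {
    "complianceRules": [
        {   # well-formed: one condition, one mitigating action
            "apiLevelCondition": {"minApiLevel": 26},
            "disableApps": True,
        },
        {   # two conditions in a single rule
            "apiLevelCondition": {"minApiLevel": 26},
            "nonComplianceDetailCondition": {
                "settingName": "passwordRequirements"},
            "packageNamesToDisable": ["com.example.mail"],
        },
        {   # a condition with no mitigating action
            "nonComplianceDetailCondition": {
                "settingName": "passwordRequirements"},
        },
    ]
}

if __name__ == "__main__":
    for index, finding in check_compliance_rules(SAMPLE_POLICY):
        print(f"complianceRules[{index}]: {finding}")
```
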

Receive non-compliance detail notifications

To configure an enterprise to receive notifications of noncompliant devices:
