Create a policy

Policies are the core resource of the Android Management API. You use them to build groups of settings for your customers to apply to devices. The settings available in the policies resource range from password protection requirements to app installation. Example policy snippets are available for:

Each policies resource can be applied to one or more devices. After a device is linked to a policy, any updates to the policy are automatically applied to the device.

A policies resource that’s not linked to any device for over seven days may be deleted automatically by the API.

Relationship between a policy and a device

You can associate a policies resource with a device during enrollment by including the policyName when creating an enrollment token. After a device is enrolled with the enrollment token, the policies resource linked to the policyName is applied to the device or work profile, depending on the provisioning method used.

To update the policy associated with the device, call enterprises.policies.patch. When you update a policies resource, the update is enforced on all devices associated with that policy.

To apply a different policy to the device, call enterprises.devices.patch.

Set a default policy

You can define a single default policy for an enterprise by setting the name of a policy to "default". The default policy will be applied to all newly enrolled devices unless another policyName is specified in the device's enrollment token.

Devices enrolled without a policy are blocked from all functions until a policy is applied. If a policy is not applied within five minutes, then the enrollment will fail and the device will be factory reset.

Policy compliance

A new policy enforcement model was introduced in May 2019 to replace complianceRules, which is now deprecated. All EMMs must update their implementations:

  1. Remove complianceRules from all policies.
  2. Review the default policy enforcement rules described in the section below.
  3. Set up custom policy enforcement using policyEnforcementRules.

Default policy enforcement

Android Device Policy enforces the following policy settings by default:

If a device or work profile is noncompliant with any of the above-listed settings, Android Device Policy takes the following action.

| | Device | Work profile |
|---|---|---|
| Immediately | Blocks device usage. Where possible, displays a message with guidance on how to comply with the policy setting(s). | Blocks work profile usage. Where possible, displays a message with guidance on how to comply with the policy setting(s). |
| After 10 days | Factory-resets the device. Factory-reset protection data is not preserved. | Deletes the work profile. |

These default enforcement actions are modifiable. To set up custom compliance enforcement rules, see the section below.

Custom policy enforcement

Use policyEnforcementRules to set custom actions for any top-level policy violation. Each rule contains the policy setting (settingName), and must specify the number of days a device or work profile can remain noncompliant with the setting before it is blocked (blockAfterDays) and then wiped (wipeAfterDays).

In this example of policyEnforcementRules, if the degree of location detection enabled on a device does not match the value specified in the locationMode policy setting, then usage of the device will be blocked after three days. If the device remains noncompliant with the setting for 10 days, then it will be wiped. However, in this case, factory-reset protection data will be preserved (preserveFrp).

"policyEnforcementRules": [
  {
    "settingName": "locationMode",
    "blockAction": {
      "blockAfterDays": 3
    },
    "wipeAction": {
      "wipeAfterDays": 10,
      "preserveFrp": true
    }
  }
]

Best practices

  • wipeAfterDays must be greater than blockAfterDays.
  • To block usage of a device or work profile immediately, set blockAfterDays to 0.
  • We recommend setting blockAfterDays and wipeAfterDays to no greater than 30.
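A pre-deployment check for the migration steps and best practices above, as an added example that is not part of the original page or of Google's tooling: it lints a policy body before it is sent with enterprises.policies.patch. The function name lint_policy and both sample policies are assumptions constructed for illustration.

```python
import json

MAX_RECOMMENDED_DAYS = 30  # recommended ceiling from the best practices above

def lint_policy(policy: dict) -> list[str]:
    """Return a list of findings for one policy body (empty list = clean)."""
    findings = []
    if "complianceRules" in policy:
        findings.append("complianceRules is deprecated: remove it and use policyEnforcementRules")
    for i, rule in enumerate(policy.get("policyEnforcementRules", [])):
        name = rule.get("settingName")
        label = f"rule[{i}] ({name or 'no settingName'})"
        if not name:
            findings.append(f"{label}: settingName is missing")
        # The page states each rule must specify both day counts.
        block = rule.get("blockAction", {}).get("blockAfterDays")
        wipe = rule.get("wipeAction", {}).get("wipeAfterDays")
        # 0 is valid (block immediately), so test for None, not falsiness.
        if block is None:
            findings.append(f"{label}: blockAfterDays is missing")
        if wipe is None:
            findings.append(f"{label}: wipeAfterDays is missing")
        if block is not None and wipe is not None and wipe <= block:
            findings.append(f"{label}: wipeAfterDays ({wipe}) must be greater than blockAfterDays ({block})")
        for field, days in (("blockAfterDays", block), ("wipeAfterDays", wipe)):
            if days is not None and days > MAX_RECOMMENDED_DAYS:
                findings.append(f"{label}: {field} ({days}) exceeds the recommended {MAX_RECOMMENDED_DAYS}")
    return findings

# Constructed sample policies, not taken from a real enterprise.
GOOD = json.loads("""{"policyEnforcementRules": [{"settingName": "locationMode",
  "blockAction": {"blockAfterDays": 3},
  "wipeAction": {"wipeAfterDays": 10, "preserveFrp": true}}]}""")
BAD = json.loads("""{"complianceRules": [{}], "policyEnforcementRules": [
  {"settingName": "passwordPolicies",
   "blockAction": {"blockAfterDays": 0}, "wipeAction": {"wipeAfterDays": 0}},
  {"settingName": "locationMode",
   "blockAction": {"blockAfterDays": 14}, "wipeAction": {"wipeAfterDays": 45}}]}""")

if __name__ == "__main__":
    for title, policy in (("GOOD", GOOD), ("BAD", BAD)):
        print(title, lint_policy(policy) or "no findings")
```

Running the check in CI before a policy update catches a wipe window that is equal to or shorter than the block window, which would otherwise reach every device linked to the policy.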

Noncompliant Notifications

If a device is noncompliant with any policy setting (regardless of enforcement rules), it generates a non-compliance detail indicating:

  • The policy setting that the device (or work profile) is not in compliance with.
  • The reason that the device (or work profile) is not in compliance with the setting.

To configure an enterprise to receive non-compliance detail notifications:
