Create a policy

Policies are the core resource of the Android Management API. You use them to build groups of settings for your customers to apply to devices. The settings available in the policies resource include everything from password protection requirements to installing apps. Example policy snippets are available for:

Each policies resource can be applied to one or more devices. After a device is linked to a policy, any updates to the policy are automatically applied to the device.

A policies resource that’s not linked to any device for over seven days may be deleted automatically by the API.

Relationship between a policy and a device

You can associate a policies resource with a device during enrollment by including the policyName when creating an enrollment token. After a device is enrolled with the enrollment token, the policies resource linked to the policyName is applied to the device or work profile, depending on the provisioning method used.

To update the policy associated with the device, call enterprises.policies.patch. When you update a policies resource, the update is enforced on all devices associated with that policy.

To apply a different policy to the device, call enterprises.devices.patch.

Set a default policy

You can define a single default policy for an enterprise by setting the name of a policy to "default". The default policy will be applied to all newly enrolled devices unless another policyName is specified in the device's enrollment token.

Devices enrolled without a policy are blocked from all functions until a policy is applied. If a policy is not applied within five minutes, then the enrollment will fail and the device will be factory reset.


Policy compliance

Android Device Policy enforces the following policy settings by default:

If a device or work profile is noncompliant with any of the above-listed settings, Android Device Policy takes the following action:

|              | Immediately | After 10 days |
|--------------|-------------|---------------|
| Device       | Blocks device usage. Where possible, displays a message with guidance on how to comply with the policy setting(s). | Factory-resets the device. Factory-reset protection data is not preserved. |
| Work profile | Blocks work profile usage. Where possible, displays a message with guidance on how to comply with the policy setting(s). | Deletes the work profile. |

These default enforcement actions are modifiable. To set up custom compliance enforcement rules, see the section below.

Custom policy enforcement

To set custom actions for any top-level policy violation, define policyEnforcementRules. Each rule contains the policy setting (settingName), and must specify the number of days a device or work profile can remain noncompliant with the setting before it's blocked (blockAfterDays) and then wiped (wipeAfterDays).

{
   "policyEnforcementRules":[
      {
         "settingName":"alwaysOnVpnPackage",
         "blockAction":{
            "blockAfterDays":3
         },
         "wipeAction":{
            "wipeAfterDays":10,
            "preserveFrp":true
         }
      }
   ]
}

In the above example of policyEnforcementRules:

  • If the device violates the settings specified in alwaysOnVpnPackage, then usage of the device will be blocked after three days.

  • If the device remains noncompliant with the setting for 10 days, then it will be wiped. However, in this case, factory-reset protection data will be preserved (preserveFrp).

Best practices

  • wipeAfterDays must be greater than blockAfterDays.
  • To block usage of a device or work profile immediately, set blockAfterDays to 0.
  • We recommend setting blockAfterDays and wipeAfterDays to no greater than 30.
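
The best practices above can be checked before a policy is sent to enterprises.policies.patch. The following linter is an added example, not code from the Android Management API documentation; the function name lint_enforcement_rules, the finding format and the sample policy are assumptions made for illustration, and an omitted preserveFrp is assumed to mean false.

```python
import json

RECOMMENDED_MAX_DAYS = 30  # recommended upper bound from the best practices


def lint_enforcement_rules(policy):
    """Return sorted (level, settingName, message) findings for a policy dict."""
    findings = []
    for rule in policy.get("policyEnforcementRules", []):
        name = rule.get("settingName", "<missing settingName>")
        block = rule.get("blockAction", {}).get("blockAfterDays")
        wipe_action = rule.get("wipeAction", {})
        wipe = wipe_action.get("wipeAfterDays")
        if "settingName" not in rule:
            findings.append(("error", name, "rule has no settingName"))
        if not isinstance(block, int) or not isinstance(wipe, int):
            findings.append(("error", name, "blockAfterDays and wipeAfterDays must both be set"))
            continue
        if wipe <= block:
            findings.append(("error", name, "wipeAfterDays must be greater than blockAfterDays"))
        if max(block, wipe) > RECOMMENDED_MAX_DAYS:
            findings.append(("warning", name, "grace period exceeds 30 days"))
        if block == 0:
            findings.append(("info", name, "usage is blocked immediately"))
        # Assumption: an omitted preserveFrp is treated as false.
        if not wipe_action.get("preserveFrp", False):
            findings.append(("info", name, "wipe does not preserve factory-reset protection data"))
    return sorted(findings)


# Constructed sample policy: the first rule is the page's example, the other
# two are deliberately misconfigured so that each check fires.
SAMPLE_POLICY = json.loads("""
{
  "policyEnforcementRules": [
    {"settingName": "alwaysOnVpnPackage",
     "blockAction": {"blockAfterDays": 3},
     "wipeAction": {"wipeAfterDays": 10, "preserveFrp": true}},
    {"settingName": "passwordPolicies",
     "blockAction": {"blockAfterDays": 5},
     "wipeAction": {"wipeAfterDays": 5}},
    {"settingName": "applications",
     "blockAction": {"blockAfterDays": 0},
     "wipeAction": {"wipeAfterDays": 45, "preserveFrp": true}}
  ]
}
""")

if __name__ == "__main__":
    for level, setting, message in lint_enforcement_rules(SAMPLE_POLICY):
        print(f"{level:7} {setting}: {message}")
```

Treat "error" findings as a reason to stop the update, since a patched policy is enforced on every device associated with it.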

Receive noncompliant notifications

If a device is noncompliant with any policy setting (regardless of enforcement rules), it generates a non-compliance detail indicating:

  • The policy setting that the device (or work profile) is not in compliance with.
  • The reason that the device (or work profile) is not in compliance with the setting.

To configure an enterprise to receive non-compliance detail notifications:

Transition to policyEnforcementRules

If you enabled the Android Management API before May 7, 2019, Android Device Policy doesn't enforce any policy settings by default.

To update your policies, define your compliance logic using policyEnforcementRules. policyEnforcementRules overrides complianceRules (now deprecated). However, do not remove complianceRules from policies.