REST Resource: enterprises.policies

Resource: Policy

A policy resource represents a group of settings that govern the behavior of a managed device and the apps installed on it.

JSON representation
{
  "name": string,
  "version": string,
  "applications": [
    {
      object (ApplicationPolicy)
    }
  ],
  "maximumTimeToLock": string,
  "screenCaptureDisabled": boolean,
  "cameraDisabled": boolean,
  "keyguardDisabledFeatures": [
    enum (KeyguardDisabledFeature)
  ],
  "defaultPermissionPolicy": enum (PermissionPolicy),
  "persistentPreferredActivities": [
    {
      object (PersistentPreferredActivity)
    }
  ],
  "openNetworkConfiguration": {
    object
  },
  "systemUpdate": {
    object (SystemUpdate)
  },
  "accountTypesWithManagementDisabled": [
    string
  ],
  "addUserDisabled": boolean,
  "adjustVolumeDisabled": boolean,
  "factoryResetDisabled": boolean,
  "installAppsDisabled": boolean,
  "mountPhysicalMediaDisabled": boolean,
  "modifyAccountsDisabled": boolean,
  "safeBootDisabled": boolean,
  "uninstallAppsDisabled": boolean,
  "statusBarDisabled": boolean,
  "keyguardDisabled": boolean,
  "minimumApiLevel": integer,
  "statusReportingSettings": {
    object (StatusReportingSettings)
  },
  "bluetoothContactSharingDisabled": boolean,
  "shortSupportMessage": {
    object (UserFacingMessage)
  },
  "longSupportMessage": {
    object (UserFacingMessage)
  },
  "passwordRequirements": {
    object (PasswordRequirements)
  },
  "wifiConfigsLockdownEnabled": boolean,
  "bluetoothConfigDisabled": boolean,
  "cellBroadcastsConfigDisabled": boolean,
  "credentialsConfigDisabled": boolean,
  "mobileNetworksConfigDisabled": boolean,
  "tetheringConfigDisabled": boolean,
  "vpnConfigDisabled": boolean,
  "wifiConfigDisabled": boolean,
  "createWindowsDisabled": boolean,
  "networkResetDisabled": boolean,
  "outgoingBeamDisabled": boolean,
  "outgoingCallsDisabled": boolean,
  "removeUserDisabled": boolean,
  "shareLocationDisabled": boolean,
  "smsDisabled": boolean,
  "unmuteMicrophoneDisabled": boolean,
  "usbFileTransferDisabled": boolean,
  "ensureVerifyAppsEnabled": boolean,
  "permittedInputMethods": {
    object (PackageNameList)
  },
  "stayOnPluggedModes": [
    enum (BatteryPluggedMode)
  ],
  "recommendedGlobalProxy": {
    object (ProxyInfo)
  },
  "setUserIconDisabled": boolean,
  "setWallpaperDisabled": boolean,
  "choosePrivateKeyRules": [
    {
      object (ChoosePrivateKeyRule)
    }
  ],
  "alwaysOnVpnPackage": {
    object (AlwaysOnVpnPackage)
  },
  "frpAdminEmails": [
    string
  ],
  "deviceOwnerLockScreenInfo": {
    object (UserFacingMessage)
  },
  "dataRoamingDisabled": boolean,
  "locationMode": enum (LocationMode),
  "networkEscapeHatchEnabled": boolean,
  "bluetoothDisabled": boolean,
  "complianceRules": [
    {
      object (ComplianceRule)
    }
  ],
  "blockApplicationsEnabled": boolean,
  "installUnknownSourcesAllowed": boolean,
  "debuggingFeaturesAllowed": boolean,
  "funDisabled": boolean,
  "autoTimeRequired": boolean,
  "permittedAccessibilityServices": {
    object (PackageNameList)
  },
  "appAutoUpdatePolicy": enum (AppAutoUpdatePolicy),
  "kioskCustomLauncherEnabled": boolean,
  "androidDevicePolicyTracks": [
    enum (AppTrack)
  ],
  "skipFirstUseHintsEnabled": boolean,
  "privateKeySelectionEnabled": boolean,
  "encryptionPolicy": enum (EncryptionPolicy),
  "usbMassStorageEnabled": boolean,
  "permissionGrants": [
    {
      object (PermissionGrant)
    }
  ],
  "playStoreMode": enum (PlayStoreMode),
  "setupActions": [
    {
      object (SetupAction)
    }
  ],
  "passwordPolicies": [
    {
      object (PasswordRequirements)
    }
  ],
  "policyEnforcementRules": [
    {
      object (PolicyEnforcementRule)
    }
  ],
  "kioskCustomization": {
    object (KioskCustomization)
  },
  "advancedSecurityOverrides": {
    object (AdvancedSecurityOverrides)
  },
  "personalUsagePolicies": {
    object (PersonalUsagePolicies)
  },
  "autoDateAndTimeZone": enum (AutoDateAndTimeZone),
  "oncCertificateProviders": [
    {
      object (OncCertificateProvider)
    }
  ],
  "crossProfilePolicies": {
    object (CrossProfilePolicies)
  },
  "preferentialNetworkService": enum (PreferentialNetworkService),
  "usageLog": {
    object (UsageLog)
  },
  "cameraAccess": enum (CameraAccess),
  "microphoneAccess": enum (MicrophoneAccess),
  "deviceConnectivityManagement": {
    object (DeviceConnectivityManagement)
  },
  "deviceRadioState": {
    object (DeviceRadioState)
  },
  "credentialProviderPolicyDefault": enum (CredentialProviderPolicyDefault),
  "printingPolicy": enum (PrintingPolicy)
}
Fields
name

string

The name of the policy in the form enterprises/{enterpriseId}/policies/{policyId}.

version

string (int64 format)

The version of the policy. This is a read-only field. The version is incremented each time the policy is updated.

applications[]

object (ApplicationPolicy)

Policy applied to apps. This can have at most 3,000 elements.

maximumTimeToLock

string (int64 format)

Maximum time in milliseconds for user activity until the device locks. A value of 0 means there is no restriction.

screenCaptureDisabled

boolean

Whether screen capture is disabled.

cameraDisabled
(deprecated)

boolean

If cameraAccess is set to any value other than CAMERA_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether cameras are disabled: If true, all cameras are disabled, otherwise they are available. For fully managed devices this field applies for all apps on the device. For work profiles, this field applies only to apps in the work profile, and the camera access of apps outside the work profile is unaffected.

keyguardDisabledFeatures[]

enum (KeyguardDisabledFeature)

Disabled keyguard customizations, such as widgets.

defaultPermissionPolicy

enum (PermissionPolicy)

The default permission policy for runtime permission requests.

persistentPreferredActivities[]

object (PersistentPreferredActivity)

Default intent handler activities.

openNetworkConfiguration

object (Struct format)

Network configuration for the device. See configure networks for more information.

systemUpdate

object (SystemUpdate)

The system update policy, which controls how OS updates are applied. If the update type is WINDOWED, the update window will automatically apply to Play app updates as well.

accountTypesWithManagementDisabled[]

string

Account types that can't be managed by the user.

addUserDisabled

boolean

Whether adding new users and profiles is disabled.

adjustVolumeDisabled

boolean

Whether adjusting the master volume is disabled. Also mutes the device.

factoryResetDisabled

boolean

Whether factory resetting from settings is disabled.

installAppsDisabled

boolean

Whether user installation of apps is disabled.

mountPhysicalMediaDisabled

boolean

Whether the user mounting physical external media is disabled.

modifyAccountsDisabled

boolean

Whether adding or removing accounts is disabled.

safeBootDisabled
(deprecated)

boolean

Whether rebooting the device into safe boot is disabled.

uninstallAppsDisabled

boolean

Whether user uninstallation of applications is disabled. This prevents apps from being uninstalled, even those removed using applications

statusBarDisabled
(deprecated)

boolean

Whether the status bar is disabled. This disables notifications, quick settings, and other screen overlays that allow escape from full-screen mode. DEPRECATED. To disable the status bar on a kiosk device, use InstallType KIOSK or kioskCustomLauncherEnabled.

keyguardDisabled

boolean

If true, this disables the Lock Screen for primary and/or secondary displays.

minimumApiLevel

integer

The minimum allowed Android API level.

statusReportingSettings

object (StatusReportingSettings)

Status reporting settings

bluetoothContactSharingDisabled

boolean

Whether bluetooth contact sharing is disabled.

shortSupportMessage

object (UserFacingMessage)

A message displayed to the user in the settings screen wherever functionality has been disabled by the admin. If the message is longer than 200 characters it may be truncated.

longSupportMessage

object (UserFacingMessage)

A message displayed to the user in the device administators settings screen.

passwordRequirements
(deprecated)

object (PasswordRequirements)

Password requirements. The field passwordRequirements.require_password_unlock must not be set. DEPRECATED - Use passwordPolicies.

Note:

Complexity-based values of PasswordQuality, that is, COMPLEXITY_LOW, COMPLEXITY_MEDIUM, and COMPLEXITY_HIGH, cannot be used here. unifiedLockSettings cannot be used here.

wifiConfigsLockdownEnabled
(deprecated)

boolean

DEPRECATED - Use wifiConfigDisabled.

bluetoothConfigDisabled

boolean

Whether configuring bluetooth is disabled.

cellBroadcastsConfigDisabled

boolean

Whether configuring cell broadcast is disabled.

credentialsConfigDisabled

boolean

Whether configuring user credentials is disabled.

mobileNetworksConfigDisabled

boolean

Whether configuring mobile networks is disabled.

tetheringConfigDisabled
(deprecated)

boolean

Whether configuring tethering and portable hotspots is disabled. If tetheringSettings is set to anything other than TETHERING_SETTINGS_UNSPECIFIED, this setting is ignored.

vpnConfigDisabled

boolean

Whether configuring VPN is disabled.

wifiConfigDisabled
(deprecated)

boolean

Whether configuring Wi-Fi networks is disabled. Supported on fully managed devices and work profiles on company-owned devices. For fully managed devices, setting this to true removes all configured networks and retains only the networks configured using openNetworkConfiguration. For work profiles on company-owned devices, existing configured networks are not affected and the user is not allowed to add, remove, or modify Wi-Fi networks. If configureWifi is set to anything other than CONFIGURE_WIFI_UNSPECIFIED, this setting is ignored. Note: If a network connection can't be made at boot time and configuring Wi-Fi is disabled then network escape hatch will be shown in order to refresh the device policy (see networkEscapeHatchEnabled).

createWindowsDisabled

boolean

Whether creating windows besides app windows is disabled.

networkResetDisabled

boolean

Whether resetting network settings is disabled.

outgoingBeamDisabled

boolean

Whether using NFC to beam data from apps is disabled.

outgoingCallsDisabled

boolean

Whether outgoing calls are disabled.

removeUserDisabled

boolean

Whether removing other users is disabled.

shareLocationDisabled

boolean

Whether location sharing is disabled. shareLocationDisabled is supported for both fully managed devices and personally owned work profiles.

smsDisabled

boolean

Whether sending and receiving SMS messages is disabled.

unmuteMicrophoneDisabled
(deprecated)

boolean

If microphoneAccess is set to any value other than MICROPHONE_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether microphones are disabled: If true, all microphones are disabled, otherwise they are available. This is available only on fully managed devices.

usbFileTransferDisabled
(deprecated)

boolean

Whether transferring files over USB is disabled. This is supported only on company-owned devices.

ensureVerifyAppsEnabled
(deprecated)

boolean

Whether app verification is force-enabled.

permittedInputMethods

object (PackageNameList)

If present, only the input methods provided by packages in this list are permitted. If this field is present, but the list is empty, then only system input methods are permitted.

stayOnPluggedModes[]

enum (BatteryPluggedMode)

The battery plugged in modes for which the device stays on. When using this setting, it is recommended to clear maximumTimeToLock so that the device doesn't lock itself while it stays on.

recommendedGlobalProxy

object (ProxyInfo)

The network-independent global HTTP proxy. Typically proxies should be configured per-network in openNetworkConfiguration. However for unusual configurations like general internal filtering a global HTTP proxy may be useful. If the proxy is not accessible, network access may break. The global proxy is only a recommendation and some apps may ignore it.

setUserIconDisabled

boolean

Whether changing the user icon is disabled.

setWallpaperDisabled

boolean

Whether changing the wallpaper is disabled.

choosePrivateKeyRules[]

object (ChoosePrivateKeyRule)

Rules for determining apps' access to private keys. See ChoosePrivateKeyRule for details. This must be empty if any application has CERT_SELECTION delegation scope.

alwaysOnVpnPackage

object (AlwaysOnVpnPackage)

Configuration for an always-on VPN connection. Use with vpnConfigDisabled to prevent modification of this setting.

frpAdminEmails[]

string

Email addresses of device administrators for factory reset protection. When the device is factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won't provide factory reset protection.

deviceOwnerLockScreenInfo

object (UserFacingMessage)

The device owner information to be shown on the lock screen.

dataRoamingDisabled

boolean

Whether roaming data services are disabled.

locationMode

enum (LocationMode)

The degree of location detection enabled.

networkEscapeHatchEnabled

boolean

Whether the network escape hatch is enabled. If a network connection can't be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.

Note: Setting wifiConfigDisabled to true will override this setting under specific circumstances. Please see wifiConfigDisabled for further details. Setting configureWifi to DISALLOW_CONFIGURING_WIFI will override this setting under specific circumstances. Please see DISALLOW_CONFIGURING_WIFI for further details.

bluetoothDisabled

boolean

Whether bluetooth is disabled. Prefer this setting over bluetoothConfigDisabled because bluetoothConfigDisabled can be bypassed by the user.

complianceRules[]
(deprecated)

object (ComplianceRule)

Rules declaring which mitigating actions to take when a device is not compliant with its policy. When the conditions for multiple rules are satisfied, all of the mitigating actions for the rules are taken. There is a maximum limit of 100 rules. Use policy enforcement rules instead.

blockApplicationsEnabled
(deprecated)

boolean

Whether applications other than the ones configured in applications are blocked from being installed. When set, applications that were installed under a previous policy but no longer appear in the policy are automatically uninstalled.

installUnknownSourcesAllowed
(deprecated)

boolean

This field has no effect.

debuggingFeaturesAllowed
(deprecated)

boolean

Whether the user is allowed to enable debugging features.

funDisabled

boolean

Whether the user is allowed to have fun. Controls whether the Easter egg game in Settings is disabled.

autoTimeRequired
(deprecated)

boolean

Whether auto time is required, which prevents the user from manually setting the date and time. If autoDateAndTimeZone is set, this field is ignored.

permittedAccessibilityServices

object (PackageNameList)

Specifies permitted accessibility services. If the field is not set, any accessibility service can be used. If the field is set, only the accessibility services in this list and the system's built-in accessibility service can be used. In particular, if the field is set to empty, only the system's built-in accessibility servicess can be used. This can be set on fully managed devices and on work profiles. When applied to a work profile, this affects both the personal profile and the work profile.

appAutoUpdatePolicy

enum (AppAutoUpdatePolicy)

Recommended alternative: autoUpdateMode which is set per app, provides greater flexibility around update frequency.

When autoUpdateMode is set to AUTO_UPDATE_POSTPONED or AUTO_UPDATE_HIGH_PRIORITY, this field has no effect.

The app auto update policy, which controls when automatic app updates can be applied.

kioskCustomLauncherEnabled

boolean

Whether the kiosk custom launcher is enabled. This replaces the home screen with a launcher that locks down the device to the apps installed via the applications setting. Apps appear on a single page in alphabetical order. Use kioskCustomization to further configure the kiosk device behavior.

androidDevicePolicyTracks[]
(deprecated)

enum (AppTrack)

This setting is not supported. Any value is ignored.

skipFirstUseHintsEnabled

boolean

Flag to skip hints on the first use. Enterprise admin can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up.

privateKeySelectionEnabled

boolean

Allows showing UI on a device for a user to choose a private key alias if there are no matching rules in ChoosePrivateKeyRules. For devices below Android P, setting this may leave enterprise keys vulnerable. This value will have no effect if any application has CERT_SELECTION delegation scope.

encryptionPolicy

enum (EncryptionPolicy)

Whether encryption is enabled

usbMassStorageEnabled
(deprecated)

boolean

Whether USB storage is enabled. Deprecated.

permissionGrants[]

object (PermissionGrant)

Explicit permission or group grants or denials for all apps. These values override the defaultPermissionPolicy.

playStoreMode

enum (PlayStoreMode)

This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.

setupActions[]

object (SetupAction)

Action to take during the setup process. At most one action may be specified.

passwordPolicies[]

object (PasswordRequirements)

Password requirement policies. Different policies can be set for work profile or fully managed devices by setting the passwordScope field in the policy.

policyEnforcementRules[]

object (PolicyEnforcementRule)

Rules that define the behavior when a particular policy can not be applied on device

kioskCustomization

object (KioskCustomization)

Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK.

advancedSecurityOverrides

object (AdvancedSecurityOverrides)

Advanced security settings. In most cases, setting these is not needed.

personalUsagePolicies

object (PersonalUsagePolicies)

Policies managing personal usage on a company-owned device.

autoDateAndTimeZone

enum (AutoDateAndTimeZone)

Whether auto date, time, and time zone are enabled on a company-owned device. If this is set, then autoTimeRequired is ignored.

oncCertificateProviders[]

object (OncCertificateProvider)

This feature is not generally available.

crossProfilePolicies

object (CrossProfilePolicies)

Cross-profile policies applied on the device.

preferentialNetworkService

enum (PreferentialNetworkService)

Controls whether preferential network service is enabled on the work profile. For example, an organization may have an agreement with a carrier that all of the work data from its employees' devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This has no effect on fully managed devices.

usageLog

object (UsageLog)

Configuration of device activity logging.

cameraAccess

enum (CameraAccess)

Controls the use of the camera and whether the user has access to the camera access toggle.

microphoneAccess

enum (MicrophoneAccess)

Controls the use of the microphone and whether the user has access to the microphone access toggle. This applies only on fully managed devices.

deviceConnectivityManagement

object (DeviceConnectivityManagement)

Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more.

deviceRadioState

object (DeviceRadioState)

Covers controls for radio state such as Wi-Fi, bluetooth, and more.

credentialProviderPolicyDefault

enum (CredentialProviderPolicyDefault)

Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, see this and this for details. See also credentialProviderPolicy.

printingPolicy

enum (PrintingPolicy)

Optional. Controls whether printing is allowed. This is supported on devices running Android 9 and above. .

ApplicationPolicy

Policy for an individual app. Note: Application availability on a given device cannot be changed using this policy if installAppsDisabled is enabled. The maximum number of applications that you can specify per policy is 3,000.

JSON representation
{
  "packageName": string,
  "installType": enum (InstallType),
  "lockTaskAllowed": boolean,
  "defaultPermissionPolicy": enum (PermissionPolicy),
  "permissionGrants": [
    {
      object (PermissionGrant)
    }
  ],
  "managedConfiguration": {
    object
  },
  "disabled": boolean,
  "minimumVersionCode": integer,
  "delegatedScopes": [
    enum (DelegatedScope)
  ],
  "managedConfigurationTemplate": {
    object (ManagedConfigurationTemplate)
  },
  "accessibleTrackIds": [
    string
  ],
  "connectedWorkAndPersonalApp": enum (ConnectedWorkAndPersonalApp),
  "autoUpdateMode": enum (AutoUpdateMode),
  "extensionConfig": {
    object (ExtensionConfig)
  },
  "alwaysOnVpnLockdownExemption": enum (AlwaysOnVpnLockdownExemption),
  "workProfileWidgets": enum (WorkProfileWidgets),
  "credentialProviderPolicy": enum (CredentialProviderPolicy),
  "installConstraint": [
    {
      object (InstallConstraint)
    }
  ],
  "installPriority": integer
}
Fields
packageName

string

The package name of the app. For example, com.google.android.youtube for the YouTube app.

installType

enum (InstallType)

The type of installation to perform.

lockTaskAllowed
(deprecated)

boolean

Whether the app is allowed to lock itself in full-screen mode. DEPRECATED. Use InstallType KIOSK or kioskCustomLauncherEnabled to configure a dedicated device.

defaultPermissionPolicy

enum (PermissionPolicy)

The default policy for all permissions requested by the app. If specified, this overrides the policy-level defaultPermissionPolicy which applies to all apps. It does not override the permissionGrants which applies to all apps.

permissionGrants[]

object (PermissionGrant)

Explicit permission grants or denials for the app. These values override the defaultPermissionPolicy and permissionGrants which apply to all apps.

managedConfiguration

object (Struct format)

Managed configuration applied to the app. The format for the configuration is dictated by the ManagedProperty values supported by the app. Each field name in the managed configuration must match the key field of the ManagedProperty. The field value must be compatible with the type of the ManagedProperty:

typeJSON value
BOOLtrue or false
STRINGstring
INTEGERnumber
CHOICEstring
MULTISELECTarray of strings
HIDDENstring
BUNDLE_ARRAYarray of objects

disabled

boolean

Whether the app is disabled. When disabled, the app data is still preserved.

minimumVersionCode

integer

The minimum version of the app that runs on the device. If set, the device attempts to update the app to at least this version code. If the app is not up-to-date, the device will contain a NonComplianceDetail with nonComplianceReason set to APP_NOT_UPDATED. The app must already be published to Google Play with a version code greater than or equal to this value. At most 20 apps may specify a minimum version code per policy.

delegatedScopes[]

enum (DelegatedScope)

The scopes delegated to the app from Android Device Policy. These provide additional privileges for the applications they are applied to.

managedConfigurationTemplate

object (ManagedConfigurationTemplate)

The managed configurations template for the app, saved from the managed configurations iframe. This field is ignored if managedConfiguration is set.

accessibleTrackIds[]

string

List of the app’s track IDs that a device belonging to the enterprise can access. If the list contains multiple track IDs, devices receive the latest version among all accessible tracks. If the list contains no track IDs, devices only have access to the app’s production track. More details about each track are available in AppTrackInfo.

connectedWorkAndPersonalApp

enum (ConnectedWorkAndPersonalApp)

Controls whether the app can communicate with itself across a device’s work and personal profiles, subject to user consent.

autoUpdateMode

enum (AutoUpdateMode)

Controls the auto-update mode for the app.

extensionConfig

object (ExtensionConfig)

Configuration to enable this app as an extension app, with the capability of interacting with Android Device Policy offline.

This field can be set for at most one app.

alwaysOnVpnLockdownExemption

enum (AlwaysOnVpnLockdownExemption)

Specifies whether the app is allowed networking when the VPN is not connected and alwaysOnVpnPackage.lockdownEnabled is enabled. If set to VPN_LOCKDOWN_ENFORCED, the app is not allowed networking, and if set to VPN_LOCKDOWN_EXEMPTION, the app is allowed networking. Only supported on devices running Android 10 and above. If this is not supported by the device, the device will contain a NonComplianceDetail with nonComplianceReason set to API_LEVEL and a fieldPath. If this is not applicable to the app, the device will contain a NonComplianceDetail with nonComplianceReason set to UNSUPPORTED and a fieldPath. The fieldPath is set to applications[i].alwaysOnVpnLockdownExemption, where i is the index of the package in the applications policy.

workProfileWidgets

enum (WorkProfileWidgets)

Specifies whether the app installed in the work profile is allowed to add widgets to the home screen.

credentialProviderPolicy

enum (CredentialProviderPolicy)

Optional. Whether the app is allowed to act as a credential provider on Android 14 and above.

installConstraint[]

object (InstallConstraint)

Optional. The constraints for installing the app. You can specify a maximum of one InstallConstraint. Multiple constraints are rejected.

installPriority

integer

Optional. Amongst apps with installType set to:

this controls the relative priority of installation. A value of 0 (default) means this app has no priority over other apps. For values between 1 and 10,000, a lower value means a higher priority. Values outside of the range 0 to 10,000 inclusive are rejected.

InstallType

The type of installation to perform for an app. If setupAction references an app, they must have installType set as REQUIRED_FOR_SETUP or the setup will fail.

Enums
INSTALL_TYPE_UNSPECIFIED Unspecified. Defaults to AVAILABLE.
PREINSTALLED The app is automatically installed and can be removed by the user.
FORCE_INSTALLED The app is automatically installed regardless of a set maintenance window and can't be removed by the user.
BLOCKED The app is blocked and can't be installed. If the app was installed under a previous policy, it will be uninstalled. This also blocks its instant app functionality.
AVAILABLE The app is available to install.
REQUIRED_FOR_SETUP The app is automatically installed and can't be removed by the user and will prevent setup from completion until installation is complete.
KIOSK The app is automatically installed in kiosk mode: it's set as the preferred home intent and whitelisted for lock task mode. Device setup won't complete until the app is installed. After installation, users won't be able to remove the app. You can only set this installType for one app per policy. When this is present in the policy, status bar will be automatically disabled.

PermissionPolicy

The policy for granting permission requests to apps.

Enums
PERMISSION_POLICY_UNSPECIFIED Policy not specified. If no policy is specified for a permission at any level, then the PROMPT behavior is used by default.
PROMPT Prompt the user to grant a permission.
GRANT

Automatically grant a permission.

On Android 12 and above, Manifest.permission.READ_SMS and following sensor-related permissions can only be granted on fully managed devices:

DENY Automatically deny a permission.

PermissionGrant

Configuration for an Android permission and its grant state.

JSON representation
{
  "permission": string,
  "policy": enum (PermissionPolicy)
}
Fields
permission

string

The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.

policy

enum (PermissionPolicy)

The policy for granting the permission.

DelegatedScope

Delegation Scopes that another package can acquire from Android Device Policy. These provide additional privileges for the applications they are applied to.

Scopes can be applied to multiple applications, with the exception of SECURITY_LOGS and NETWORK_ACTIVITY_LOGS, which can be delegated to only one app at a time.

Enums
DELEGATED_SCOPE_UNSPECIFIED No delegation scope specified.
CERT_INSTALL Grants access to certificate installation and management.
MANAGED_CONFIGURATIONS Grants access to managed configurations management.
BLOCK_UNINSTALL Grants access to blocking uninstallation.
PERMISSION_GRANT Grants access to permission policy and permission grant state.
PACKAGE_ACCESS Grants access to package access state.
ENABLE_SYSTEM_APP Grants access for enabling system apps.
NETWORK_ACTIVITY_LOGS Grants access to network activity logs. Allows the delegated application to call setNetworkLoggingEnabled, isNetworkLoggingEnabled and retrieveNetworkLogs methods. This scope can be delegated to at most one application. Supported for fully managed devices on Android 10 and above. Supported for a work profile on Android 12 and above. When delegation is supported and set, NETWORK_ACTIVITY_LOGS is ignored.
SECURITY_LOGS Grants access to security logs. Allows the delegated application to call setSecurityLoggingEnabled, isSecurityLoggingEnabled, retrieveSecurityLogs and retrievePreRebootSecurityLogs methods. This scope can be delegated to at most one application. Supported for fully managed devices and company-owned devices with a work profile on Android 12 and above. When delegation is supported and set, SECURITY_LOGS is ignored.
CERT_SELECTION Grants access to selection of KeyChain certificates on behalf of requesting apps. Once granted, the delegated application will start receiving DelegatedAdminReceiver#onChoosePrivateKeyAlias. Allows the delegated application to call grantKeyPairToApp and revokeKeyPairFromApp methods. There can be at most one app that has this delegation. choosePrivateKeyRules must be empty and privateKeySelectionEnabled has no effect if certificate selection is delegated to an application.

ManagedConfigurationTemplate

The managed configurations template for the app, saved from the managed configurations iframe.

JSON representation
{
  "templateId": string,
  "configurationVariables": {
    string: string,
    ...
  }
}
Fields
templateId

string

The ID of the managed configurations template.

configurationVariables

map (key: string, value: string)

Optional, a map containing <key, value> configuration variables defined for the configuration.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

ConnectedWorkAndPersonalApp

Controls whether the app can communicate with itself cross-profile, subject to user consent.

Enums
CONNECTED_WORK_AND_PERSONAL_APP_UNSPECIFIED Unspecified. Defaults to CONNECTED_WORK_AND_PERSONAL_APPS_DISALLOWED.
CONNECTED_WORK_AND_PERSONAL_APP_DISALLOWED Default. Prevents the app from communicating cross-profile.
CONNECTED_WORK_AND_PERSONAL_APP_ALLOWED Allows the app to communicate across profiles after receiving user consent.

AutoUpdateMode

Controls the auto-update mode for the app. If a device user makes changes to the device settings manually, these choices are ignored by AutoUpdateMode as it takes precedence.

Enums
AUTO_UPDATE_MODE_UNSPECIFIED Unspecified. Defaults to AUTO_UPDATE_DEFAULT.
AUTO_UPDATE_DEFAULT

The default update mode.

The app is automatically updated with low priority to minimize the impact on the user.

The app is updated when all of the following constraints are met:

  • The device is not actively used.
  • The device is connected to an unmetered network.
  • The device is charging.
  • The app to be updated is not running in the foreground.

The device is notified about a new update within 24 hours after it is published by the developer, after which the app is updated the next time the constraints above are met.

AUTO_UPDATE_POSTPONED

The app is not automatically updated for a maximum of 90 days after the app becomes out of date.

90 days after the app becomes out of date, the latest available version is installed automatically with low priority (see AUTO_UPDATE_DEFAULT). After the app is updated it is not automatically updated again until 90 days after it becomes out of date again.

The user can still manually update the app from the Play Store at any time.

AUTO_UPDATE_HIGH_PRIORITY

The app is updated as soon as possible. No constraints are applied.

The device is notified immediately about a new update after it becomes available.

ExtensionConfig

Configuration to enable an app as an extension app, with the capability of interacting with Android Device Policy offline. For Android versions 13 and above, extension apps are exempt from battery restrictions so will not be placed into the restricted App Standby Bucket. Extensions apps are also protected against users clearing their data or force-closing the application, although admins can continue to use the clear app data command on extension apps if needed for Android 13 and above.

JSON representation
{
  "signingKeyFingerprintsSha256": [
    string
  ],
  "notificationReceiver": string
}
Fields
signingKeyFingerprintsSha256[]

string

Hex-encoded SHA-256 hash of the signing certificate of the extension app. Only hexadecimal string representations of 64 characters are valid.

If not specified, the signature for the corresponding package name is obtained from the Play Store instead.

If this list is empty, the signature of the extension app on the device must match the signature obtained from the Play Store for the app to be able to communicate with Android Device Policy.

If this list is not empty, the signature of the extension app on the device must match one of the entries in this list for the app to be able to communicate with Android Device Policy.

In production use cases, it is recommended to leave this empty.

notificationReceiver

string

Fully qualified class name of the receiver service class for Android Device Policy to notify the extension app of any local command status updates.

AlwaysOnVpnLockdownExemption

Controls whether an app is exempt from the alwaysOnVpnPackage.lockdownEnabled setting.

Enums
ALWAYS_ON_VPN_LOCKDOWN_EXEMPTION_UNSPECIFIED Unspecified. Defaults to VPN_LOCKDOWN_ENFORCED.
VPN_LOCKDOWN_ENFORCED The app respects the always-on VPN lockdown setting.
VPN_LOCKDOWN_EXEMPTION The app is exempt from the always-on VPN lockdown setting.

WorkProfileWidgets

Controls if a work profile application is allowed to add widgets to the home screen.

Enums
WORK_PROFILE_WIDGETS_UNSPECIFIED Unspecified. Defaults to workProfileWidgetsDefault
WORK_PROFILE_WIDGETS_ALLOWED Work profile widgets are allowed. This means the application will be able to add widgets to the home screen.
WORK_PROFILE_WIDGETS_DISALLOWED Work profile widgets are disallowed. This means the application will not be able to add widgets to the home screen.

CredentialProviderPolicy

Whether the app is allowed to act as a credential provider on Android 14 and above.

Enums
CREDENTIAL_PROVIDER_POLICY_UNSPECIFIED Unspecified. The behaviour is governed by credentialProviderPolicyDefault.
CREDENTIAL_PROVIDER_ALLOWED App is allowed to act as a credential provider.

InstallConstraint

Amongst apps with InstallType set to:

this defines a set of restrictions for the app installation. At least one of the fields must be set. When multiple fields are set, then all the constraints need to be satisfied for the app to be installed.

JSON representation
{
  "networkTypeConstraint": enum (NetworkTypeConstraint),
  "chargingConstraint": enum (ChargingConstraint),
  "deviceIdleConstraint": enum (DeviceIdleConstraint)
}
Fields
networkTypeConstraint

enum (NetworkTypeConstraint)

Optional. Network type constraint.

chargingConstraint

enum (ChargingConstraint)

Optional. Charging constraint.

deviceIdleConstraint

enum (DeviceIdleConstraint)

Optional. Device idle constraint.

NetworkTypeConstraint

Network type constraint.

Enums
NETWORK_TYPE_CONSTRAINT_UNSPECIFIED Unspecified. Default to INSTALL_ON_ANY_NETWORK.
INSTALL_ON_ANY_NETWORK Any active networks (Wi-Fi, cellular, etc.).
INSTALL_ONLY_ON_UNMETERED_NETWORK Any unmetered network (e.g. Wi-FI).

ChargingConstraint

Charging constraint.

Enums
CHARGING_CONSTRAINT_UNSPECIFIED Unspecified. Default to CHARGING_NOT_REQUIRED.
CHARGING_NOT_REQUIRED Device doesn't have to be charging.
INSTALL_ONLY_WHEN_CHARGING Device has to be charging.

DeviceIdleConstraint

Device idle state constraint.

Enums
DEVICE_IDLE_CONSTRAINT_UNSPECIFIED Unspecified. Default to DEVICE_IDLE_NOT_REQUIRED.
DEVICE_IDLE_NOT_REQUIRED Device doesn't have to be idle, app can be installed while the user is interacting with the device.
INSTALL_ONLY_WHEN_DEVICE_IDLE Device has to be idle.

KeyguardDisabledFeature

Keyguard (lock screen) features that can be disabled..

Enums
KEYGUARD_DISABLED_FEATURE_UNSPECIFIED This value is ignored.
CAMERA Disable the camera on secure keyguard screens (e.g. PIN).
NOTIFICATIONS Disable showing all notifications on secure keyguard screens.
UNREDACTED_NOTIFICATIONS Disable unredacted notifications on secure keyguard screens.
TRUST_AGENTS Ignore trust agent state on secure keyguard screens.
DISABLE_FINGERPRINT Disable fingerprint sensor on secure keyguard screens.
DISABLE_REMOTE_INPUT On devices running Android 6 and below, disables text entry into notifications on secure keyguard screens. Has no effect on Android 7 and above.
FACE Disable face authentication on secure keyguard screens.
IRIS Disable iris authentication on secure keyguard screens.
BIOMETRICS Disable all biometric authentication on secure keyguard screens.
SHORTCUTS Disable all shortcuts on secure keyguard screen on Android 14 and above.
ALL_FEATURES Disable all current and future keyguard customizations.

PersistentPreferredActivity

A default activity for handling intents that match a particular intent filter. Note: To set up a kiosk, use InstallType to KIOSK rather than use persistent preferred activities.

JSON representation
{
  "receiverActivity": string,
  "actions": [
    string
  ],
  "categories": [
    string
  ]
}
Fields
receiverActivity

string

The activity that should be the default intent handler. This should be an Android component name, e.g. com.android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent.

actions[]

string

The intent actions to match in the filter. If any actions are included in the filter, then an intent's action must be one of those values for it to match. If no actions are included, the intent action is ignored.

categories[]

string

The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent.

SystemUpdate

Configuration for managing system updates

JSON representation
{
  "type": enum (SystemUpdateType),
  "startMinutes": integer,
  "endMinutes": integer,
  "freezePeriods": [
    {
      object (FreezePeriod)
    }
  ]
}
Fields
type

enum (SystemUpdateType)

The type of system update to configure.

startMinutes

integer

If the type is WINDOWED, the start of the maintenance window, measured as the number of minutes after midnight in the device's local time. This value must be between 0 and 1439, inclusive.

endMinutes

integer

If the type is WINDOWED, the end of the maintenance window, measured as the number of minutes after midnight in device's local time. This value must be between 0 and 1439, inclusive. If this value is less than startMinutes, then the maintenance window spans midnight. If the maintenance window specified is smaller than 30 minutes, the actual window is extended to 30 minutes beyond the start time.

freezePeriods[]

object (FreezePeriod)

An annually repeating time period in which over-the-air (OTA) system updates are postponed to freeze the OS version running on a device. To prevent freezing the device indefinitely, each freeze period must be separated by at least 60 days.

SystemUpdateType

The type of system update configuration.

Enums
SYSTEM_UPDATE_TYPE_UNSPECIFIED Follow the default update behavior for the device, which typically requires the user to accept system updates.
AUTOMATIC Install automatically as soon as an update is available.
WINDOWED

Install automatically within a daily maintenance window. This also configures Play apps to be updated within the window. This is strongly recommended for kiosk devices because this is the only way apps persistently pinned to the foreground can be updated by Play.

If autoUpdateMode is set to AUTO_UPDATE_HIGH_PRIORITY for an app, then the maintenance window is ignored for that app and it is updated as soon as possible even outside of the maintenance window.

POSTPONE Postpone automatic install up to a maximum of 30 days. This policy does not affect security updates (e.g. monthly security patches).

FreezePeriod

A system freeze period. When a device’s clock is within the freeze period, all incoming system updates (including security patches) are blocked and won’t be installed.

When the device is outside any set freeze periods, the normal policy behavior (automatic, windowed, or postponed) applies.

Leap years are ignored in freeze period calculations, in particular:

  • If Feb. 29th is set as the start or end date of a freeze period, the freeze period will start or end on Feb. 28th instead.
  • When a device’s system clock reads Feb. 29th, it’s treated as Feb. 28th.
  • When calculating the number of days in a freeze period or the time between two freeze periods, Feb. 29th is ignored and not counted as a day.

Note: For Freeze Periods to take effect, SystemUpdateType cannot be specified as SYSTEM_UPDATE_TYPE_UNSPECIFIED, because freeze periods require a defined policy to be specified.

JSON representation
{
  "startDate": {
    object (Date)
  },
  "endDate": {
    object (Date)
  }
}
Fields
startDate

object (Date)

The start date (inclusive) of the freeze period. Note: year must not be set. For example, {"month": 1,"date": 30}.

endDate

object (Date)

The end date (inclusive) of the freeze period. Must be no later than 90 days from the start date. If the end date is earlier than the start date, the freeze period is considered wrapping year-end. Note: year must not be set. For example, {"month": 1,"date": 30}.

Date

Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following:

  • A full date, with non-zero year, month, and day values.
  • A month and day, with a zero year (for example, an anniversary).
  • A year on its own, with a zero month and a zero day.
  • A year and month, with a zero day (for example, a credit card expiration date).

Related types:

JSON representation
{
  "year": integer,
  "month": integer,
  "day": integer
}
Fields
year

integer

Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

month

integer

Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

day

integer

Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

StatusReportingSettings

Settings controlling the behavior of status reports.

JSON representation
{
  "applicationReportsEnabled": boolean,
  "deviceSettingsEnabled": boolean,
  "softwareInfoEnabled": boolean,
  "memoryInfoEnabled": boolean,
  "networkInfoEnabled": boolean,
  "displayInfoEnabled": boolean,
  "powerManagementEventsEnabled": boolean,
  "hardwareStatusEnabled": boolean,
  "systemPropertiesEnabled": boolean,
  "applicationReportingSettings": {
    object (ApplicationReportingSettings)
  },
  "commonCriteriaModeEnabled": boolean
}
Fields
applicationReportsEnabled

boolean

Whether app reports are enabled.

deviceSettingsEnabled

boolean

Whether device settings reporting is enabled.

softwareInfoEnabled

boolean

Whether software info reporting is enabled.

memoryInfoEnabled

boolean

Whether memory event reporting is enabled.

networkInfoEnabled

boolean

Whether network info reporting is enabled.

displayInfoEnabled

boolean

Whether displays reporting is enabled. Report data is not available for personally owned devices with work profiles.

powerManagementEventsEnabled

boolean

Whether power management event reporting is enabled. Report data is not available for personally owned devices with work profiles.

hardwareStatusEnabled

boolean

Whether hardware status reporting is enabled. Report data is not available for personally owned devices with work profiles.

systemPropertiesEnabled

boolean

Whether system properties reporting is enabled.

applicationReportingSettings

object (ApplicationReportingSettings)

Application reporting settings. Only applicable if applicationReportsEnabled is true.

commonCriteriaModeEnabled

boolean

Whether Common Criteria Mode reporting is enabled.

ApplicationReportingSettings

Settings controlling the behavior of application reports.

JSON representation
{
  "includeRemovedApps": boolean
}
Fields
includeRemovedApps

boolean

Whether removed apps are included in application reports.

PackageNameList

A list of package names.

JSON representation
{
  "packageNames": [
    string
  ]
}
Fields
packageNames[]

string

A list of package names.

BatteryPluggedMode

Modes for plugging in the battery.

Enums
BATTERY_PLUGGED_MODE_UNSPECIFIED This value is ignored.
AC Power source is an AC charger.
USB Power source is a USB port.
WIRELESS Power source is wireless.

ProxyInfo

Configuration info for an HTTP proxy. For a direct proxy, set the host, port, and excludedHosts fields. For a PAC script proxy, set the pacUri field.

JSON representation
{
  "host": string,
  "port": integer,
  "excludedHosts": [
    string
  ],
  "pacUri": string
}
Fields
host

string

The host of the direct proxy.

port

integer

The port of the direct proxy.

excludedHosts[]

string

For a direct proxy, the hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com.

pacUri

string

The URI of the PAC script used to configure the proxy.

ChoosePrivateKeyRule

Controls apps' access to private keys. The rule determines which private key, if any, Android Device Policy grants to the specified app. Access is granted either when the app calls KeyChain.choosePrivateKeyAlias (or any overloads) to request a private key alias for a given URL, or for rules that are not URL-specific (that is, if urlPattern is not set, or set to the empty string or .*) on Android 11 and above, directly so that the app can call KeyChain.getPrivateKey, without first having to call KeyChain.choosePrivateKeyAlias.

When an app calls KeyChain.choosePrivateKeyAlias if more than one choosePrivateKeyRules matches, the last matching rule defines which key alias to return.

JSON representation
{
  "urlPattern": string,
  "packageNames": [
    string
  ],
  "privateKeyAlias": string
}
Fields
urlPattern

string

The URL pattern to match against the URL of the request. If not set or empty, it matches all URLs. This uses the regular expression syntax of java.util.regex.Pattern.

packageNames[]

string

The package names to which this rule applies. The hash of the signing certificate for each app is verified against the hash provided by Play. If no package names are specified, then the alias is provided to all apps that call KeyChain.choosePrivateKeyAlias or any overloads (but not without calling KeyChain.choosePrivateKeyAlias, even on Android 11 and above). Any app with the same Android UID as a package specified here will have access when they call KeyChain.choosePrivateKeyAlias.

privateKeyAlias

string

The alias of the private key to be used.

AlwaysOnVpnPackage

Configuration for an always-on VPN connection.

JSON representation
{
  "packageName": string,
  "lockdownEnabled": boolean
}
Fields
packageName

string

The package name of the VPN app.

lockdownEnabled

boolean

Disallows networking when the VPN is not connected.

LocationMode

The degree of location detection enabled on work profile and fully managed devices.

Enums
LOCATION_MODE_UNSPECIFIED Defaults to LOCATION_USER_CHOICE.
HIGH_ACCURACY

On Android 8 and below, all location detection methods are enabled, including GPS, networks, and other sensors. On Android 9 and above, this is equivalent to LOCATION_ENFORCED.

SENSORS_ONLY

On Android 8 and below, only GPS and other sensors are enabled. On Android 9 and above, this is equivalent to LOCATION_ENFORCED.

BATTERY_SAVING

On Android 8 and below, only the network location provider is enabled. On Android 9 and above, this is equivalent to LOCATION_ENFORCED.

OFF

On Android 8 and below, location setting and accuracy are disabled. On Android 9 and above, this is equivalent to LOCATION_DISABLED.

LOCATION_USER_CHOICE Location setting is not restricted on the device. No specific behavior is set or enforced.
LOCATION_ENFORCED Enable location setting on the device.
LOCATION_DISABLED Disable location setting on the device.

ComplianceRule

A rule declaring which mitigating actions to take when a device is not compliant with its policy. For every rule, there is always an implicit mitigating action to set policyCompliant to false for the Device resource, and display a message on the device indicating that the device is not compliant with its policy. Other mitigating actions may optionally be taken as well, depending on the field values in the rule.

JSON representation
{
  "disableApps": boolean,
  "packageNamesToDisable": [
    string
  ],

  // Union field condition can be only one of the following:
  "nonComplianceDetailCondition": {
    object (NonComplianceDetailCondition)
  },
  "apiLevelCondition": {
    object (ApiLevelCondition)
  }
  // End of list of possible types for union field condition.
}
Fields
disableApps

boolean

If set to true, the rule includes a mitigating action to disable apps so that the device is effectively disabled, but app data is preserved. If the device is running an app in locked task mode, the app will be closed and a UI showing the reason for non-compliance will be displayed.

packageNamesToDisable[]

string

If set, the rule includes a mitigating action to disable apps specified in the list, but app data is preserved.

Union field condition. The condition, which when satisfied, triggers the mitigating actions defined in the rule. Exactly one of the conditions must be set. condition can be only one of the following:
nonComplianceDetailCondition

object (NonComplianceDetailCondition)

A condition which is satisfied if there exists any matching NonComplianceDetail for the device.

apiLevelCondition

object (ApiLevelCondition)

A condition which is satisfied if the Android Framework API level on the device doesn't meet a minimum requirement.

NonComplianceDetailCondition

A compliance rule condition which is satisfied if there exists any matching NonComplianceDetail for the device. A NonComplianceDetail matches a NonComplianceDetailCondition if all the fields which are set within the NonComplianceDetailCondition match the corresponding NonComplianceDetail fields.

JSON representation
{
  "settingName": string,
  "nonComplianceReason": enum (NonComplianceReason),
  "packageName": string
}
Fields
settingName

string

The name of the policy setting. This is the JSON field name of a top-level Policy field. If not set, then this condition matches any setting name.

nonComplianceReason

enum (NonComplianceReason)

The reason the device is not in compliance with the setting. If not set, then this condition matches any reason.

packageName

string

The package name of the app that's out of compliance. If not set, then this condition matches any package name.

ApiLevelCondition

A compliance rule condition which is satisfied if the Android Framework API level on the device doesn't meet a minimum requirement. There can only be one rule with this type of condition per policy.

JSON representation
{
  "minApiLevel": integer
}
Fields
minApiLevel

integer

The minimum desired Android Framework API level. If the device doesn't meet the minimum requirement, this condition is satisfied. Must be greater than zero.

AppAutoUpdatePolicy

Recommended alternative: autoUpdateMode which is set per app, provides greater flexibility around update frequency.

When autoUpdateMode is set to AUTO_UPDATE_POSTPONED or AUTO_UPDATE_HIGH_PRIORITY, this field has no effect.

The app auto-update policy, which controls when automatic app updates can be applied.

Enums
APP_AUTO_UPDATE_POLICY_UNSPECIFIED The auto-update policy is not set. Equivalent to CHOICE_TO_THE_USER.
CHOICE_TO_THE_USER The user can control auto-updates.
NEVER Apps are never auto-updated.
WIFI_ONLY Apps are auto-updated over Wi-Fi only.
ALWAYS Apps are auto-updated at any time. Data charges may apply.

AppTrack

A Google Play app release track.

Enums
APP_TRACK_UNSPECIFIED This value is ignored.
PRODUCTION The production track, which provides the latest stable release.
BETA The beta track, which provides the latest beta release.

EncryptionPolicy

Type of encryption

Enums
ENCRYPTION_POLICY_UNSPECIFIED This value is ignored, i.e. no encryption required
ENABLED_WITHOUT_PASSWORD Encryption required but no password required to boot
ENABLED_WITH_PASSWORD Encryption required with password required to boot

PlayStoreMode

Possible values for Play Store mode policy.

Enums
PLAY_STORE_MODE_UNSPECIFIED Unspecified. Defaults to WHITELIST.
WHITELIST Only apps that are in the policy are available and any app not in the policy will be automatically uninstalled from the device.
BLACKLIST All apps are available and any app that should not be on the device should be explicitly marked as 'BLOCKED' in the applications policy.

SetupAction

An action executed during setup.

JSON representation
{
  "title": {
    object (UserFacingMessage)
  },
  "description": {
    object (UserFacingMessage)
  },

  // Union field action can be only one of the following:
  "launchApp": {
    object (LaunchAppAction)
  }
  // End of list of possible types for union field action.
}
Fields
title

object (UserFacingMessage)

Title of this action.

description

object (UserFacingMessage)

Description of this action.

Union field action. The action to execute during setup. action can be only one of the following:
launchApp

object (LaunchAppAction)

An action to launch an app. The app will be launched with an intent containing an extra with key com.google.android.apps.work.clouddpc.EXTRA_LAUNCHED_AS_SETUP_ACTION set to the boolean value true to indicate that this is a setup action flow. If SetupAction references an app, the corresponding installType in the application policy must be set as REQUIRED_FOR_SETUP or said setup will fail.

LaunchAppAction

An action to launch an app.

JSON representation
{

  // Union field launch can be only one of the following:
  "packageName": string
  // End of list of possible types for union field launch.
}
Fields
Union field launch. Description of launch action to be executed launch can be only one of the following:
packageName

string

Package name of app to be launched

PolicyEnforcementRule

A rule that defines the actions to take if a device or work profile is not compliant with the policy specified in settingName. In the case of multiple matching or multiple triggered enforcement rules, a merge will occur with the most severe action being taken. However, all triggered rules are still kept track of: this includes initial trigger time and all associated non-compliance details. In the situation where the most severe enforcement rule is satisfied, the next most appropriate action is applied.

JSON representation
{
  "blockAction": {
    object (BlockAction)
  },
  "wipeAction": {
    object (WipeAction)
  },

  // Union field trigger can be only one of the following:
  "settingName": string
  // End of list of possible types for union field trigger.
}
Fields
blockAction

object (BlockAction)

An action to block access to apps and data on a company owned device or in a work profile. This action also triggers a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified.

wipeAction

object (WipeAction)

An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified.

Union field trigger. Condition which will trigger this rule. trigger can be only one of the following:
settingName

string

The top-level policy to enforce. For example, applications or passwordPolicies.

BlockAction

An action to block access to apps and data on a fully managed device or in a work profile. This action also triggers a device or work profile to displays a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified.

JSON representation
{
  "blockAfterDays": integer,
  "blockScope": enum (BlockScope)
}
Fields
blockAfterDays

integer

Number of days the policy is non-compliant before the device or work profile is blocked. To block access immediately, set to 0. blockAfterDays must be less than wipeAfterDays.

blockScope

enum (BlockScope)

Specifies the scope of this BlockAction. Only applicable to devices that are company-owned.

BlockScope

Specifies the scope of BlockAction. Only applicable to devices that are company-owned.

Enums
BLOCK_SCOPE_UNSPECIFIED Unspecified. Defaults to BLOCK_SCOPE_WORK_PROFILE.
BLOCK_SCOPE_WORK_PROFILE Block action is only applied to apps in the work profile. Apps in the personal profile are unaffected.
BLOCK_SCOPE_DEVICE Block action is applied to the entire device, including apps in the personal profile.

WipeAction

An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified.

JSON representation
{
  "wipeAfterDays": integer,
  "preserveFrp": boolean
}
Fields
wipeAfterDays

integer

Number of days the policy is non-compliant before the device or work profile is wiped. wipeAfterDays must be greater than blockAfterDays.

preserveFrp

boolean

Whether the factory-reset protection data is preserved on the device. This setting doesn’t apply to work profiles.

KioskCustomization

Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK.

JSON representation
{
  "powerButtonActions": enum (PowerButtonActions),
  "systemErrorWarnings": enum (SystemErrorWarnings),
  "systemNavigation": enum (SystemNavigation),
  "statusBar": enum (StatusBar),
  "deviceSettings": enum (DeviceSettings)
}
Fields
powerButtonActions

enum (PowerButtonActions)

Sets the behavior of a device in kiosk mode when a user presses and holds (long-presses) the Power button.

systemErrorWarnings

enum (SystemErrorWarnings)

Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode. When blocked, the system will force-stop the app as if the user chooses the "close app" option on the UI.

systemNavigation

enum (SystemNavigation)

Specifies which navigation features are enabled (e.g. Home, Overview buttons) in kiosk mode.

statusBar

enum (StatusBar)

Specifies whether system info and notifications are disabled in kiosk mode.

deviceSettings

enum (DeviceSettings)

Specifies whether the Settings app is allowed in kiosk mode.

PowerButtonActions

Sets the behavior of a device in kiosk mode when a user presses and holds (long-presses) the Power button.

Enums
POWER_BUTTON_ACTIONS_UNSPECIFIED Unspecified, defaults to POWER_BUTTON_AVAILABLE.
POWER_BUTTON_AVAILABLE The power menu (e.g. Power off, Restart) is shown when a user long-presses the Power button of a device in kiosk mode.
POWER_BUTTON_BLOCKED The power menu (e.g. Power off, Restart) is not shown when a user long-presses the Power button of a device in kiosk mode. Note: this may prevent users from turning off the device.

SystemErrorWarnings

Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode.

Enums
SYSTEM_ERROR_WARNINGS_UNSPECIFIED Unspecified, defaults to ERROR_AND_WARNINGS_MUTED.
ERROR_AND_WARNINGS_ENABLED All system error dialogs such as crash and app not responding (ANR) are displayed.
ERROR_AND_WARNINGS_MUTED All system error dialogs, such as crash and app not responding (ANR) are blocked. When blocked, the system force-stops the app as if the user closes the app from the UI.

SystemNavigation

Specifies which navigation features are enabled (e.g. Home, Overview buttons) in kiosk mode.

Enums
SYSTEM_NAVIGATION_UNSPECIFIED Unspecified, defaults to NAVIGATION_DISABLED.
NAVIGATION_ENABLED Home and overview buttons are enabled.
NAVIGATION_DISABLED The home and Overview buttons are not accessible.
HOME_BUTTON_ONLY Only the home button is enabled.

StatusBar

Specifies whether system info and notifications are disabled in kiosk mode.

Enums
STATUS_BAR_UNSPECIFIED Unspecified, defaults to INFO_AND_NOTIFICATIONS_DISABLED.
NOTIFICATIONS_AND_SYSTEM_INFO_ENABLED

System info and notifications are shown on the status bar in kiosk mode.

Note: For this policy to take effect, the device's home button must be enabled using kioskCustomization.systemNavigation.

NOTIFICATIONS_AND_SYSTEM_INFO_DISABLED System info and notifications are disabled in kiosk mode.
SYSTEM_INFO_ONLY Only system info is shown on the status bar.

DeviceSettings

Specifies whether a user can access the device's Settings app while in kiosk mode.

Enums
DEVICE_SETTINGS_UNSPECIFIED Unspecified, defaults to SETTINGS_ACCESS_ALLOWED.
SETTINGS_ACCESS_ALLOWED Access to the Settings app is allowed in kiosk mode.
SETTINGS_ACCESS_BLOCKED Access to the Settings app is not allowed in kiosk mode.

AdvancedSecurityOverrides

Advanced security settings. In most cases, setting these is not needed.

JSON representation
{
  "untrustedAppsPolicy": enum (UntrustedAppsPolicy),
  "googlePlayProtectVerifyApps": enum (GooglePlayProtectVerifyApps),
  "developerSettings": enum (DeveloperSettings),
  "commonCriteriaMode": enum (CommonCriteriaMode),
  "personalAppsThatCanReadWorkNotifications": [
    string
  ],
  "mtePolicy": enum (MtePolicy)
}
Fields
untrustedAppsPolicy

enum (UntrustedAppsPolicy)

The policy for untrusted apps (apps from unknown sources) enforced on the device. Replaces installUnknownSourcesAllowed (deprecated).

googlePlayProtectVerifyApps

enum (GooglePlayProtectVerifyApps)

Whether Google Play Protect verification is enforced. Replaces ensureVerifyAppsEnabled (deprecated).

developerSettings

enum (DeveloperSettings)

Controls access to developer settings: developer options and safe boot. Replaces safeBootDisabled (deprecated) and debuggingFeaturesAllowed (deprecated).

commonCriteriaMode

enum (CommonCriteriaMode)

Controls Common Criteria Mode—security standards defined in the Common Criteria for Information Technology Security Evaluation (CC). Enabling Common Criteria Mode increases certain security components on a device, including AES-GCM encryption of Bluetooth Long Term Keys, and Wi-Fi configuration stores.

Warning: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enabled if required.

personalAppsThatCanReadWorkNotifications[]

string

Personal apps that can read work profile notifications using a NotificationListenerService. By default, no personal apps (aside from system apps) can read work notifications. Each value in the list must be a package name.

mtePolicy

enum (MtePolicy)

Optional. Controls Memory Tagging Extension (MTE) on the device. The device needs to be rebooted to apply changes to the MTE policy.

UntrustedAppsPolicy

The policy for untrusted apps (apps from unknown sources) enforced on the device. Replaces installUnknownSourcesAllowed (deprecated).

Enums
UNTRUSTED_APPS_POLICY_UNSPECIFIED Unspecified. Defaults to DISALLOW_INSTALL.
DISALLOW_INSTALL Default. Disallow untrusted app installs on entire device.
ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY For devices with work profiles, allow untrusted app installs in the device's personal profile only.
ALLOW_INSTALL_DEVICE_WIDE Allow untrusted app installs on entire device.

GooglePlayProtectVerifyApps

Whether Google Play Protect verification is enforced. Replaces ensureVerifyAppsEnabled (deprecated).

Enums
GOOGLE_PLAY_PROTECT_VERIFY_APPS_UNSPECIFIED Unspecified. Defaults to VERIFY_APPS_ENFORCED.
VERIFY_APPS_ENFORCED Default. Force-enables app verification.
VERIFY_APPS_USER_CHOICE Allows the user to choose whether to enable app verification.

DeveloperSettings

Controls access to developer settings: developer options and safe boot. Replaces safeBootDisabled (deprecated) and debuggingFeaturesAllowed (deprecated).

Enums
DEVELOPER_SETTINGS_UNSPECIFIED Unspecified. Defaults to DEVELOPER_SETTINGS_DISABLED.
DEVELOPER_SETTINGS_DISABLED Default. Disables all developer settings and prevents the user from accessing them.
DEVELOPER_SETTINGS_ALLOWED Allows all developer settings. The user can access and optionally configure the settings.

CommonCriteriaMode

Controls Common Criteria Mode—security standards defined in the Common Criteria for Information Technology Security Evaluation (CC). Enabling Common Criteria Mode increases certain security components on a device, including AES-GCM encryption of Bluetooth Long Term Keys, and Wi-Fi configuration stores.

Warning: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enabled if required. If Common Criteria Mode is turned off after being enabled previously, all user-configured Wi-Fi networks may be lost and any enterprise-configured Wi-Fi networks that require user input may need to be reconfigured.

Enums
COMMON_CRITERIA_MODE_UNSPECIFIED Unspecified. Defaults to COMMON_CRITERIA_MODE_DISABLED.
COMMON_CRITERIA_MODE_DISABLED Default. Disables Common Criteria Mode.
COMMON_CRITERIA_MODE_ENABLED Enables Common Criteria Mode.

MtePolicy

Controls Memory Tagging Extension (MTE) on the device.

Enums
MTE_POLICY_UNSPECIFIED Unspecified. Defaults to MTE_USER_CHOICE.
MTE_USER_CHOICE The user can choose to enable or disable MTE on the device if the device supports this.
MTE_ENFORCED

MTE is enabled on the device and the user is not allowed to change this setting. This can be set on fully managed devices and work profiles on company-owned devices. A nonComplianceDetail with MANAGEMENT_MODE is reported for other management modes. A nonComplianceDetail with DEVICE_INCOMPATIBLE is reported if the device does not support MTE.

Supported on Android 14 and above. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 14.

MTE_DISABLED

MTE is disabled on the device and the user is not allowed to change this setting. This applies only on fully managed devices. In other cases, a nonComplianceDetail with MANAGEMENT_MODE is reported. A nonComplianceDetail with DEVICE_INCOMPATIBLE is reported if the device does not support MTE.

Supported on Android 14 and above. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 14.

PersonalUsagePolicies

Policies controlling personal usage on a company-owned device with a work profile.

JSON representation
{
  "cameraDisabled": boolean,
  "screenCaptureDisabled": boolean,
  "accountTypesWithManagementDisabled": [
    string
  ],
  "maxDaysWithWorkOff": integer,
  "personalPlayStoreMode": enum (PlayStoreMode),
  "personalApplications": [
    {
      object (PersonalApplicationPolicy)
    }
  ]
}
Fields
cameraDisabled

boolean

If true, the camera is disabled on the personal profile.

screenCaptureDisabled

boolean

If true, screen capture is disabled for all users.

accountTypesWithManagementDisabled[]

string

Account types that can't be managed by the user.

maxDaysWithWorkOff

integer

Controls how long the work profile can stay off. The minimum duration must be at least 3 days. Other details are as follows:

  • If the duration is set to 0, the feature is turned off.
  • If the duration is set to a value smaller than the minimum duration, the feature returns an error.
Note: If you want to avoid personal profiles being suspended during long periods of off-time, you can temporarily set a large value for this parameter.

personalPlayStoreMode

enum (PlayStoreMode)

Used together with personalApplications to control how apps in the personal profile are allowed or blocked.

personalApplications[]

object (PersonalApplicationPolicy)

Policy applied to applications in the personal profile.

PlayStoreMode

Used together with personalApplications to control how apps in the personal profile are allowed or blocked.

Enums
PLAY_STORE_MODE_UNSPECIFIED Unspecified. Defaults to BLOCKLIST.
BLACKLIST

All Play Store apps are available for installation in the personal profile, except those whose installType is BLOCKED in personalApplications.

BLOCKLIST All Play Store apps are available for installation in the personal profile, except those whose installType is BLOCKED in personalApplications.
ALLOWLIST Only apps explicitly specified in personalApplications with installType set to AVAILABLE are allowed to be installed in the personal profile.

PersonalApplicationPolicy

Policies for apps in the personal profile of a company-owned device with a work profile.

JSON representation
{
  "packageName": string,
  "installType": enum (InstallType)
}
Fields
packageName

string

The package name of the application.

installType

enum (InstallType)

The type of installation to perform.

InstallType

Types of installation behaviors a personal profile application can have.

Enums
INSTALL_TYPE_UNSPECIFIED Unspecified. Defaults to AVAILABLE.
BLOCKED The app is blocked and can't be installed in the personal profile. If the app was previously installed in the device, it will be uninstalled.
AVAILABLE The app is available to install in the personal profile.

AutoDateAndTimeZone

Whether auto date, time, and time zone is enabled on a company-owned device.

Enums
AUTO_DATE_AND_TIME_ZONE_UNSPECIFIED Unspecified. Defaults to AUTO_DATE_AND_TIME_ZONE_USER_CHOICE.
AUTO_DATE_AND_TIME_ZONE_USER_CHOICE Auto date, time, and time zone are left to user's choice.
AUTO_DATE_AND_TIME_ZONE_ENFORCED Enforce auto date, time, and time zone on the device.

OncCertificateProvider

This feature is not generally available.

JSON representation
{
  "certificateReferences": [
    string
  ],

  // Union field endpoint can be only one of the following:
  "contentProviderEndpoint": {
    object (ContentProviderEndpoint)
  }
  // End of list of possible types for union field endpoint.
}
Fields
certificateReferences[]

string

This feature is not generally available.

Union field endpoint.

This feature is not generally available. endpoint can be only one of the following:

contentProviderEndpoint

object (ContentProviderEndpoint)

This feature is not generally available.

ContentProviderEndpoint

This feature is not generally available.

JSON representation
{
  "uri": string,
  "packageName": string,
  "signingCertsSha256": [
    string
  ]
}
Fields
uri

string

This feature is not generally available.

packageName

string

This feature is not generally available.

signingCertsSha256[]

string

Required. This feature is not generally available.

CrossProfilePolicies

Controls the data from the work profile that can be accessed from the personal profile and vice versa. A nonComplianceDetail with MANAGEMENT_MODE is reported if the device does not have a work profile.

JSON representation
{
  "showWorkContactsInPersonalProfile": enum (ShowWorkContactsInPersonalProfile),
  "crossProfileCopyPaste": enum (CrossProfileCopyPaste),
  "crossProfileDataSharing": enum (CrossProfileDataSharing),
  "workProfileWidgetsDefault": enum (WorkProfileWidgetsDefault),
  "exemptionsToShowWorkContactsInPersonalProfile": {
    object (PackageNameList)
  }
}
Fields
showWorkContactsInPersonalProfile

enum (ShowWorkContactsInPersonalProfile)

Whether personal apps can access contacts stored in the work profile.

See also exemptionsToShowWorkContactsInPersonalProfile.

crossProfileCopyPaste

enum (CrossProfileCopyPaste)

Whether text copied from one profile (personal or work) can be pasted in the other profile.

crossProfileDataSharing

enum (CrossProfileDataSharing)

Whether data from one profile (personal or work) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste, or connected work & personal apps, are configured separately.

workProfileWidgetsDefault

enum (WorkProfileWidgetsDefault)

Specifies the default behaviour for work profile widgets. If the policy does not specify workProfileWidgets for a specific application, it will behave according to the value specified here.

exemptionsToShowWorkContactsInPersonalProfile

object (PackageNameList)

List of apps which are excluded from the ShowWorkContactsInPersonalProfile setting. For this to be set, ShowWorkContactsInPersonalProfile must be set to one of the following values:

Supported on Android 14 and above. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 14.

ShowWorkContactsInPersonalProfile

Whether personal apps can access work profile contacts including contact searches and incoming calls

Note: Once a work contact is accessed by any personal app, it cannot be guaranteed to stay with the same app, as the contact could be shared or transferred to any other app, depending on the allowed app’s behaviour.

Enums
SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_UNSPECIFIED

Unspecified. Defaults to SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_ALLOWED.

When this is set, exemptionsToShowWorkContactsInPersonalProfile must not be set.

SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED

Prevents personal apps from accessing work profile contacts and looking up work contacts.

When this is set, personal apps specified in exemptionsToShowWorkContactsInPersonalProfile are allowlisted and can access work profile contacts directly.

Supported on Android 7.0 and above. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 7.0.

SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_ALLOWED

Default. Allows apps in the personal profile to access work profile contacts including contact searches and incoming calls.

When this is set, personal apps specified in exemptionsToShowWorkContactsInPersonalProfile are blocklisted and can not access work profile contacts directly.

Supported on Android 7.0 and above. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 7.0.

SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED_EXCEPT_SYSTEM

Prevents most personal apps from accessing work profile contacts including contact searches and incoming calls, except for the OEM default Dialer, Messages, and Contacts apps. Neither user-configured Dialer, Messages, and Contacts apps, nor any other system or play installed apps, will be able to query work contacts directly.

When this is set, personal apps specified in exemptionsToShowWorkContactsInPersonalProfile are allowlisted and can access work profile contacts.

Supported on Android 14 and above. If this is set on a device with Android version less than 14, the behaviour falls back to SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED and a nonComplianceDetail with API_LEVEL is reported.

CrossProfileCopyPaste

Whether text copied from one profile (personal or work) can be pasted in the other profile.

Enums
CROSS_PROFILE_COPY_PASTE_UNSPECIFIED Unspecified. Defaults to COPY_FROM_WORK_TO_PERSONAL_DISALLOWED
COPY_FROM_WORK_TO_PERSONAL_DISALLOWED Default. Prevents users from pasting into the personal profile text copied from the work profile. Text copied from the personal profile can be pasted into the work profile, and text copied from the work profile can be pasted into the work profile.
CROSS_PROFILE_COPY_PASTE_ALLOWED Text copied in either profile can be pasted in the other profile.

CrossProfileDataSharing

Whether data from one profile (personal or work) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste, or connected work & personal apps, are configured separately.

Enums
CROSS_PROFILE_DATA_SHARING_UNSPECIFIED Unspecified. Defaults to DATA_SHARING_FROM_WORK_TO_PERSONAL_DISALLOWED.
CROSS_PROFILE_DATA_SHARING_DISALLOWED Prevents data from being shared from both the personal profile to the work profile and the work profile to the personal profile.
DATA_SHARING_FROM_WORK_TO_PERSONAL_DISALLOWED Default. Prevents users from sharing data from the work profile to apps in the personal profile. Personal data can be shared with work apps.
CROSS_PROFILE_DATA_SHARING_ALLOWED Data from either profile can be shared with the other profile.

WorkProfileWidgetsDefault

Controls if work profile applications are allowed to add widgets to the home screen, where no app-specific policy is defined. Otherwise, the app-specific policy will have priority over this.

Enums
WORK_PROFILE_WIDGETS_DEFAULT_UNSPECIFIED Unspecified. Defaults to WORK_PROFILE_WIDGETS_DEFAULT_DISALLOWED.
WORK_PROFILE_WIDGETS_DEFAULT_ALLOWED Work profile widgets are allowed by default. This means that if the policy does not specify workProfileWidgets as WORK_PROFILE_WIDGETS_DISALLOWED for the application, it will be able to add widgets to the home screen.
WORK_PROFILE_WIDGETS_DEFAULT_DISALLOWED Work profile widgets are disallowed by default. This means that if the policy does not specify workProfileWidgets as WORK_PROFILE_WIDGETS_ALLOWED for the application, it will be unable to add widgets to the home screen.

PreferentialNetworkService

Controls whether preferential network service is enabled on the work profile. See preferentialNetworkService for details.

Enums
PREFERENTIAL_NETWORK_SERVICE_UNSPECIFIED Unspecified. Defaults to PREFERENTIAL_NETWORK_SERVICES_DISABLED.
PREFERENTIAL_NETWORK_SERVICE_DISABLED Preferential network service is disabled on the work profile.
PREFERENTIAL_NETWORK_SERVICE_ENABLED Preferential network service is enabled on the work profile.

UsageLog

Controls types of device activity logs collected from the device and reported via Pub/Sub notification.

JSON representation
{
  "enabledLogTypes": [
    enum (LogType)
  ],
  "uploadOnCellularAllowed": [
    enum (LogType)
  ]
}
Fields
enabledLogTypes[]

enum (LogType)

Specifies which log types are enabled. Note that users will receive on-device messaging when usage logging is enabled.

uploadOnCellularAllowed[]

enum (LogType)

Specifies which of the enabled log types can be uploaded over mobile data. By default logs are queued for upload when the device connects to WiFi.

LogType

The types of device activity logs that are reported from the device.

Enums
LOG_TYPE_UNSPECIFIED This value is not used.
SECURITY_LOGS Enable logging of on-device security events, like when the device password is incorrectly entered or removable storage is mounted. See UsageLogEvent for a complete description of the logged security events. Supported for fully managed devices on Android 7 and above. Supported for company-owned devices with a work profile on Android 12 and above, on which only security events from the work profile are logged. Can be overridden by the application delegated scope SECURITY_LOGS
NETWORK_ACTIVITY_LOGS Enable logging of on-device network events, like DNS lookups and TCP connections. See UsageLogEvent for a complete description of the logged network events. Supported for fully managed devices on Android 8 and above. Supported for company-owned devices with a work profile on Android 12 and above, on which only network events from the work profile are logged. Can be overridden by the application delegated scope NETWORK_ACTIVITY_LOGS

CameraAccess

Controls the use of the camera and whether the user has access to the camera access toggle. The camera access toggle exists on Android 12 and above. As a general principle, the possibility of disabling the camera applies device-wide on fully managed devices and only within the work profile on devices with a work profile. The possibility of disabling the camera access toggle applies only on fully managed devices, in which case it applies device-wide. For specifics, see the enum values.

Enums
CAMERA_ACCESS_UNSPECIFIED If cameraDisabled is true, this is equivalent to CAMERA_ACCESS_DISABLED. Otherwise, this is equivalent to CAMERA_ACCESS_USER_CHOICE.
CAMERA_ACCESS_USER_CHOICE The field cameraDisabled is ignored. This is the default device behaviour: all cameras on the device are available. On Android 12 and above, the user can use the camera access toggle.
CAMERA_ACCESS_DISABLED

The field cameraDisabled is ignored. All cameras on the device are disabled (for fully managed devices, this applies device-wide and for work profiles this applies only to the work profile).

There are no explicit restrictions placed on the camera access toggle on Android 12 and above: on fully managed devices, the camera access toggle has no effect as all cameras are disabled. On devices with a work profile, this toggle has no effect on apps in the work profile, but it affects apps outside the work profile.

CAMERA_ACCESS_ENFORCED The field cameraDisabled is ignored. All cameras on the device are available. On fully managed devices running Android 12 and above, the user is unable to use the camera access toggle. On devices which are not fully managed or which run Android 11 or below, this is equivalent to CAMERA_ACCESS_USER_CHOICE.

MicrophoneAccess

On fully managed devices, controls the use of the microphone and whether the user has access to the microphone access toggle. This setting has no effect on devices which are not fully managed. The microphone access toggle exists on Android 12 and above.

Enums
MICROPHONE_ACCESS_UNSPECIFIED If unmuteMicrophoneDisabled is true, this is equivalent to MICROPHONE_ACCESS_DISABLED. Otherwise, this is equivalent to MICROPHONE_ACCESS_USER_CHOICE.
MICROPHONE_ACCESS_USER_CHOICE The field unmuteMicrophoneDisabled is ignored. This is the default device behaviour: the microphone on the device is available. On Android 12 and above, the user can use the microphone access toggle.
MICROPHONE_ACCESS_DISABLED

The field unmuteMicrophoneDisabled is ignored. The microphone on the device is disabled (for fully managed devices, this applies device-wide).

The microphone access toggle has no effect as the microphone is disabled.

MICROPHONE_ACCESS_ENFORCED The field unmuteMicrophoneDisabled is ignored. The microphone on the device is available. On devices running Android 12 and above, the user is unable to use the microphone access toggle. On devices which run Android 11 or below, this is equivalent to MICROPHONE_ACCESS_USER_CHOICE.

DeviceConnectivityManagement

Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more.

JSON representation
{
  "usbDataAccess": enum (UsbDataAccess),
  "configureWifi": enum (ConfigureWifi),
  "wifiDirectSettings": enum (WifiDirectSettings),
  "tetheringSettings": enum (TetheringSettings)
}
Fields
usbDataAccess

enum (UsbDataAccess)

Controls what files and/or data can be transferred via USB. Supported only on company-owned devices.

configureWifi

enum (ConfigureWifi)

Controls Wi-Fi configuring privileges. Based on the option set, user will have either full or limited or no control in configuring Wi-Fi networks.

wifiDirectSettings

enum (WifiDirectSettings)

Controls configuring and using Wi-Fi direct settings. Supported on company-owned devices running Android 13 and above.

tetheringSettings

enum (TetheringSettings)

Controls tethering settings. Based on the value set, the user is partially or fully disallowed from using different forms of tethering.

UsbDataAccess

Controls what files and/or data can be transferred via USB. Does not impact charging functions. Supported only on company-owned devices.

Enums
USB_DATA_ACCESS_UNSPECIFIED Unspecified. Defaults to DISALLOW_USB_FILE_TRANSFER.
ALLOW_USB_DATA_TRANSFER All types of USB data transfers are allowed. usbFileTransferDisabled is ignored.
DISALLOW_USB_FILE_TRANSFER Transferring files over USB is disallowed. Other types of USB data connections, such as mouse and keyboard connection, are allowed. usbFileTransferDisabled is ignored.
DISALLOW_USB_DATA_TRANSFER When set, all types of USB data transfers are prohibited. Supported for devices running Android 12 or above with USB HAL 1.3 or above. If the setting is not supported, DISALLOW_USB_FILE_TRANSFER will be set. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 12. A nonComplianceDetail with DEVICE_INCOMPATIBLE is reported if the device does not have USB HAL 1.3 or above. usbFileTransferDisabled is ignored.

ConfigureWifi

Controls Wi-Fi configuring privileges. Based on the option set, the user will have either full or limited or no control in configuring Wi-Fi networks.

Enums
CONFIGURE_WIFI_UNSPECIFIED Unspecified. Defaults to ALLOW_CONFIGURING_WIFI unless wifiConfigDisabled is set to true. If wifiConfigDisabled is set to true, this is equivalent to DISALLOW_CONFIGURING_WIFI.
ALLOW_CONFIGURING_WIFI The user is allowed to configure Wi-Fi. wifiConfigDisabled is ignored.
DISALLOW_ADD_WIFI_CONFIG Adding new Wi-Fi configurations is disallowed. The user is only able to switch between already configured networks. Supported on Android 13 and above, on fully managed devices and work profiles on company-owned devices. If the setting is not supported, ALLOW_CONFIGURING_WIFI is set. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 13. wifiConfigDisabled is ignored.
DISALLOW_CONFIGURING_WIFI Disallows configuring Wi-Fi networks. The setting wifiConfigDisabled is ignored when this value is set. Supported on fully managed devices and work profile on company-owned devices, on all supported API levels. For fully managed devices, setting this removes all configured networks and retains only the networks configured using openNetworkConfiguration policy. For work profiles on company-owned devices, existing configured networks are not affected and the user is not allowed to add, remove, or modify Wi-Fi networks. Note: If a network connection can't be made at boot time and configuring Wi-Fi is disabled then network escape hatch will be shown in order to refresh the device policy (see networkEscapeHatchEnabled).

WifiDirectSettings

Controls Wi-Fi direct settings. Supported on company-owned devices running Android 13 and above.

Enums
WIFI_DIRECT_SETTINGS_UNSPECIFIED Unspecified. Defaults to ALLOW_WIFI_DIRECT
ALLOW_WIFI_DIRECT The user is allowed to use Wi-Fi direct.
DISALLOW_WIFI_DIRECT The user is not allowed to use Wi-Fi direct. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.

TetheringSettings

Controls the extent to which the user is allowed to use different forms of tethering like Wi-Fi tethering, bluetooth tethering, etc.

Enums
TETHERING_SETTINGS_UNSPECIFIED Unspecified. Defaults to ALLOW_ALL_TETHERING unless tetheringConfigDisabled is set to true. If tetheringConfigDisabled is set to true, this is equivalent to DISALLOW_ALL_TETHERING.
ALLOW_ALL_TETHERING Allows configuration and use of all forms of tethering. tetheringConfigDisabled is ignored.
DISALLOW_WIFI_TETHERING Disallows the user from using Wi-Fi tethering. Supported on company owned devices running Android 13 and above. If the setting is not supported, ALLOW_ALL_TETHERING will be set. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 13. tetheringConfigDisabled is ignored.
DISALLOW_ALL_TETHERING Disallows all forms of tethering. Supported on fully managed devices and work profile on company-owned devices, on all supported android versions. The setting tetheringConfigDisabled is ignored.

DeviceRadioState

Controls for device radio settings.

JSON representation
{
  "wifiState": enum (WifiState),
  "airplaneModeState": enum (AirplaneModeState),
  "ultraWidebandState": enum (UltraWidebandState),
  "cellularTwoGState": enum (CellularTwoGState),
  "minimumWifiSecurityLevel": enum (MinimumWifiSecurityLevel)
}
Fields
wifiState

enum (WifiState)

Controls current state of Wi-Fi and if user can change its state.

airplaneModeState

enum (AirplaneModeState)

Controls whether airplane mode can be toggled by the user or not.

ultraWidebandState

enum (UltraWidebandState)

Controls the state of the ultra wideband setting and whether the user can toggle it on or off.

cellularTwoGState

enum (CellularTwoGState)

Controls whether cellular 2G setting can be toggled by the user or not.

minimumWifiSecurityLevel

enum (MinimumWifiSecurityLevel)

The minimum required security level of Wi-Fi networks that the device can connect to.

WifiState

Controls whether the Wi-Fi is on or off as a state and if the user can change said state. Supported on company-owned devices running Android 13 and above.

Enums
WIFI_STATE_UNSPECIFIED Unspecified. Defaults to WIFI_STATE_USER_CHOICE
WIFI_STATE_USER_CHOICE User is allowed to enable/disable Wi-Fi.
WIFI_ENABLED Wi-Fi is on and the user is not allowed to turn it off. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
WIFI_DISABLED Wi-Fi is off and the user is not allowed to turn it on. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.

AirplaneModeState

Controls the state of airplane mode and whether the user can toggle it on or off. Supported on Android 9 and above. Supported on fully managed devices and work profiles on company-owned devices.

Enums
AIRPLANE_MODE_STATE_UNSPECIFIED Unspecified. Defaults to AIRPLANE_MODE_USER_CHOICE.
AIRPLANE_MODE_USER_CHOICE The user is allowed to toggle airplane mode on or off.
AIRPLANE_MODE_DISABLED Airplane mode is disabled. The user is not allowed to toggle airplane mode on. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 9.

UltraWidebandState

Controls the state of the ultra wideband setting and whether the user can toggle it on or off. Supported on Android 14 and above. Supported on fully managed devices and work profiles on company-owned devices.

Enums
ULTRA_WIDEBAND_STATE_UNSPECIFIED Unspecified. Defaults to ULTRA_WIDEBAND_USER_CHOICE.
ULTRA_WIDEBAND_USER_CHOICE The user is allowed to toggle ultra wideband on or off.
ULTRA_WIDEBAND_DISABLED Ultra wideband is disabled. The user is not allowed to toggle ultra wideband on via settings. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 14.

CellularTwoGState

Controls the state of cellular 2G setting and whether the user can toggle it on or off. Supported on Android 14 and above. Supported on fully managed devices and work profiles on company-owned devices.

Enums
CELLULAR_TWO_G_STATE_UNSPECIFIED Unspecified. Defaults to CELLULAR_TWO_G_USER_CHOICE.
CELLULAR_TWO_G_USER_CHOICE The user is allowed to toggle cellular 2G on or off.
CELLULAR_TWO_G_DISABLED Cellular 2G is disabled. The user is not allowed to toggle cellular 2G on via settings. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 14.

MinimumWifiSecurityLevel

Defines the different minimum Wi-Fi security levels required to connect to Wi-Fi networks. Supported on Android 13 and above. Supported on fully managed devices and work profiles on company-owned devices.

Enums
MINIMUM_WIFI_SECURITY_LEVEL_UNSPECIFIED Defaults to OPEN_NETWORK_SECURITY, which means the device will be able to connect to all types of Wi-Fi networks.
OPEN_NETWORK_SECURITY The device will be able to connect to all types of Wi-Fi networks.
PERSONAL_NETWORK_SECURITY A personal network such as WEP, WPA2-PSK is the minimum required security. The device will not be able to connect to open wifi networks. This is stricter than OPEN_NETWORK_SECURITY. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
ENTERPRISE_NETWORK_SECURITY An enterprise EAP network is the minimum required security level. The device will not be able to connect to Wi-Fi network below this security level. This is stricter than PERSONAL_NETWORK_SECURITY. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
ENTERPRISE_BIT192_NETWORK_SECURITY A 192-bit enterprise network is the minimum required security level. The device will not be able to connect to Wi-Fi network below this security level. This is stricter than ENTERPRISE_NETWORK_SECURITY. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.

CredentialProviderPolicyDefault

Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, see this and this for details. See also credentialProviderPolicy.

Enums
CREDENTIAL_PROVIDER_POLICY_DEFAULT_UNSPECIFIED Unspecified. Defaults to CREDENTIAL_PROVIDER_DEFAULT_DISALLOWED.
CREDENTIAL_PROVIDER_DEFAULT_DISALLOWED Apps with credentialProviderPolicy unspecified are not allowed to act as a credential provider.
CREDENTIAL_PROVIDER_DEFAULT_DISALLOWED_EXCEPT_SYSTEM Apps with credentialProviderPolicy unspecified are not allowed to act as a credential provider except for the OEM default credential providers. OEM default credential providers are always allowed to act as credential providers.

PrintingPolicy

Controls whether printing is allowed. This is supported on devices running Android 9 and above.

Enums
PRINTING_POLICY_UNSPECIFIED Unspecified. Defaults to PRINTING_ALLOWED.
PRINTING_DISALLOWED Printing is disallowed. A nonComplianceDetail with API_LEVEL is reported if the Android version is less than 9.
PRINTING_ALLOWED Printing is allowed.

Methods

delete

Deletes a policy.

get

Gets a policy.

list

Lists policies for a given enterprise.

patch

Updates or creates a policy.