- Resource: Policy
- ApplicationPolicy
- InstallType
- PermissionPolicy
- PermissionGrant
- DelegatedScope
- ManagedConfigurationTemplate
- ConnectedWorkAndPersonalApp
- AutoUpdateMode
- ExtensionConfig
- AlwaysOnVpnLockdownExemption
- WorkProfileWidgets
- CredentialProviderPolicy
- InstallConstraint
- NetworkTypeConstraint
- ChargingConstraint
- DeviceIdleConstraint
- UserControlSettings
- KeyguardDisabledFeature
- PersistentPreferredActivity
- SystemUpdate
- SystemUpdateType
- FreezePeriod
- Date
- StatusReportingSettings
- ApplicationReportingSettings
- PackageNameList
- BatteryPluggedMode
- ProxyInfo
- ChoosePrivateKeyRule
- AlwaysOnVpnPackage
- LocationMode
- ComplianceRule
- NonComplianceDetailCondition
- ApiLevelCondition
- AppAutoUpdatePolicy
- AppTrack
- EncryptionPolicy
- PlayStoreMode
- SetupAction
- LaunchAppAction
- PolicyEnforcementRule
- BlockAction
- BlockScope
- WipeAction
- KioskCustomization
- PowerButtonActions
- SystemErrorWarnings
- SystemNavigation
- StatusBar
- DeviceSettings
- AdvancedSecurityOverrides
- UntrustedAppsPolicy
- GooglePlayProtectVerifyApps
- DeveloperSettings
- CommonCriteriaMode
- MtePolicy
- ContentProtectionPolicy
- PersonalUsagePolicies
- PlayStoreMode
- PersonalApplicationPolicy
- InstallType
- AutoDateAndTimeZone
- OncCertificateProvider
- ContentProviderEndpoint
- CrossProfilePolicies
- ShowWorkContactsInPersonalProfile
- CrossProfileCopyPaste
- CrossProfileDataSharing
- WorkProfileWidgetsDefault
- PreferentialNetworkService
- UsageLog
- LogType
- CameraAccess
- MicrophoneAccess
- DeviceConnectivityManagement
- UsbDataAccess
- ConfigureWifi
- WifiDirectSettings
- TetheringSettings
- WifiSsidPolicy
- WifiSsidPolicyType
- WifiSsid
- WifiRoamingPolicy
- WifiRoamingSetting
- WifiRoamingMode
- DeviceRadioState
- WifiState
- AirplaneModeState
- UltraWidebandState
- CellularTwoGState
- MinimumWifiSecurityLevel
- CredentialProviderPolicyDefault
- PrintingPolicy
- DisplaySettings
- ScreenBrightnessSettings
- ScreenBrightnessMode
- ScreenTimeoutSettings
- ScreenTimeoutMode
- AssistContentPolicy
- Methods
Resource: Policy
A policy resource represents a group of settings that govern the behavior of a managed device and the apps installed on it.
JSON representation |
---|
{ "name": string, "version": string, "applications": [ { object ( |
Fields | |
---|---|
name |
The name of the policy in the form |
version |
The version of the policy. This is a read-only field. The version is incremented each time the policy is updated. |
applications[] |
Policy applied to apps. This can have at most 3,000 elements. |
maximumTimeToLock |
Maximum time in milliseconds for user activity until the device locks. A value of 0 means there is no restriction. |
screenCaptureDisabled |
Whether screen capture is disabled. |
cameraDisabled |
If |
keyguardDisabledFeatures[] |
Disabled keyguard customizations, such as widgets. |
defaultPermissionPolicy |
The default permission policy for runtime permission requests. |
persistentPreferredActivities[] |
Default intent handler activities. |
openNetworkConfiguration |
Network configuration for the device. See configure networks for more information. |
systemUpdate |
The system update policy, which controls how OS updates are applied. If the update type is Note: Google Play system updates (also called Mainline updates) are automatically downloaded and require a device reboot to be installed. Refer to the mainline section in Manage system updates for further details. |
accountTypesWithManagementDisabled[] |
Account types that can't be managed by the user. |
addUserDisabled |
Whether adding new users and profiles is disabled. |
adjustVolumeDisabled |
Whether adjusting the master volume is disabled. Also mutes the device. |
factoryResetDisabled |
Whether factory resetting from settings is disabled. |
installAppsDisabled |
Whether user installation of apps is disabled. |
mountPhysicalMediaDisabled |
Whether the user mounting physical external media is disabled. |
modifyAccountsDisabled |
Whether adding or removing accounts is disabled. |
safeBootDisabled |
Whether rebooting the device into safe boot is disabled. |
uninstallAppsDisabled |
Whether user uninstallation of applications is disabled. This prevents apps from being uninstalled, even those removed using |
statusBarDisabled |
Whether the status bar is disabled. This disables notifications, quick settings, and other screen overlays that allow escape from full-screen mode. DEPRECATED. To disable the status bar on a kiosk device, use InstallType |
keyguardDisabled |
If true, this disables the Lock Screen for primary and/or secondary displays. |
minimumApiLevel |
The minimum allowed Android API level. |
statusReportingSettings |
Status reporting settings |
bluetoothContactSharingDisabled |
Whether bluetooth contact sharing is disabled. |
shortSupportMessage |
A message displayed to the user in the settings screen wherever functionality has been disabled by the admin. If the message is longer than 200 characters it may be truncated. |
longSupportMessage |
A message displayed to the user in the device administators settings screen. |
passwordRequirements |
Password requirements. The field Note: Complexity-based values of |
wifiConfigsLockdownEnabled |
This is deprecated. |
bluetoothConfigDisabled |
Whether configuring bluetooth is disabled. |
cellBroadcastsConfigDisabled |
Whether configuring cell broadcast is disabled. |
credentialsConfigDisabled |
Whether configuring user credentials is disabled. |
mobileNetworksConfigDisabled |
Whether configuring mobile networks is disabled. |
tetheringConfigDisabled |
Whether configuring tethering and portable hotspots is disabled. If |
vpnConfigDisabled |
Whether configuring VPN is disabled. |
wifiConfigDisabled |
Whether configuring Wi-Fi networks is disabled. Supported on fully managed devices and work profiles on company-owned devices. For fully managed devices, setting this to true removes all configured networks and retains only the networks configured using |
createWindowsDisabled |
Whether creating windows besides app windows is disabled. |
networkResetDisabled |
Whether resetting network settings is disabled. |
outgoingBeamDisabled |
Whether using NFC to beam data from apps is disabled. |
outgoingCallsDisabled |
Whether outgoing calls are disabled. |
removeUserDisabled |
Whether removing other users is disabled. |
shareLocationDisabled |
Whether location sharing is disabled. |
smsDisabled |
Whether sending and receiving SMS messages is disabled. |
unmuteMicrophoneDisabled |
If |
usbFileTransferDisabled |
Whether transferring files over USB is disabled. This is supported only on company-owned devices. |
ensureVerifyAppsEnabled |
Whether app verification is force-enabled. |
permittedInputMethods |
If present, only the input methods provided by packages in this list are permitted. If this field is present, but the list is empty, then only system input methods are permitted. |
stayOnPluggedModes[] |
The battery plugged in modes for which the device stays on. When using this setting, it is recommended to clear |
recommendedGlobalProxy |
The network-independent global HTTP proxy. Typically proxies should be configured per-network in |
setUserIconDisabled |
Whether changing the user icon is disabled. |
setWallpaperDisabled |
Whether changing the wallpaper is disabled. |
choosePrivateKeyRules[] |
Rules for determining apps' access to private keys. See |
alwaysOnVpnPackage |
Configuration for an always-on VPN connection. Use with |
frpAdminEmails[] |
Email addresses of device administrators for factory reset protection. When the device is factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won't provide factory reset protection. |
deviceOwnerLockScreenInfo |
The device owner information to be shown on the lock screen. |
dataRoamingDisabled |
Whether roaming data services are disabled. |
locationMode |
The degree of location detection enabled. |
networkEscapeHatchEnabled |
Whether the network escape hatch is enabled. If a network connection can't be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings. Note: Setting |
bluetoothDisabled |
Whether bluetooth is disabled. Prefer this setting over |
complianceRules[] |
Rules declaring which mitigating actions to take when a device is not compliant with its policy. When the conditions for multiple rules are satisfied, all of the mitigating actions for the rules are taken. There is a maximum limit of 100 rules. Use policy enforcement rules instead. |
blockApplicationsEnabled |
Whether applications other than the ones configured in |
installUnknownSourcesAllowed |
This field has no effect. |
debuggingFeaturesAllowed |
Whether the user is allowed to enable debugging features. |
funDisabled |
Whether the user is allowed to have fun. Controls whether the Easter egg game in Settings is disabled. |
autoTimeRequired |
Whether auto time is required, which prevents the user from manually setting the date and time. If |
permittedAccessibilityServices |
Specifies permitted accessibility services. If the field is not set, any accessibility service can be used. If the field is set, only the accessibility services in this list and the system's built-in accessibility service can be used. In particular, if the field is set to empty, only the system's built-in accessibility servicess can be used. This can be set on fully managed devices and on work profiles. When applied to a work profile, this affects both the personal profile and the work profile. |
appAutoUpdatePolicy |
Recommended alternative: When The app auto update policy, which controls when automatic app updates can be applied. |
kioskCustomLauncherEnabled |
Whether the kiosk custom launcher is enabled. This replaces the home screen with a launcher that locks down the device to the apps installed via the |
androidDevicePolicyTracks[] |
This setting is not supported. Any value is ignored. |
skipFirstUseHintsEnabled |
Flag to skip hints on the first use. Enterprise admin can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up. |
privateKeySelectionEnabled |
Allows showing UI on a device for a user to choose a private key alias if there are no matching rules in ChoosePrivateKeyRules. For devices below Android P, setting this may leave enterprise keys vulnerable. This value will have no effect if any application has |
encryptionPolicy |
Whether encryption is enabled |
usbMassStorageEnabled |
Whether USB storage is enabled. Deprecated. |
permissionGrants[] |
Explicit permission or group grants or denials for all apps. These values override the |
playStoreMode |
This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy. |
setupActions[] |
Action to take during the setup process. At most one action may be specified. |
passwordPolicies[] |
Password requirement policies. Different policies can be set for work profile or fully managed devices by setting the |
policyEnforcementRules[] |
Rules that define the behavior when a particular policy can not be applied on device |
kioskCustomization |
Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set |
advancedSecurityOverrides |
Advanced security settings. In most cases, setting these is not needed. |
personalUsagePolicies |
Policies managing personal usage on a company-owned device. |
autoDateAndTimeZone |
Whether auto date, time, and time zone are enabled on a company-owned device. If this is set, then |
oncCertificateProviders[] |
This feature is not generally available. |
crossProfilePolicies |
Cross-profile policies applied on the device. |
preferentialNetworkService |
Controls whether preferential network service is enabled on the work profile. For example, an organization may have an agreement with a carrier that all of the work data from its employees' devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This has no effect on fully managed devices. |
usageLog |
Configuration of device activity logging. |
cameraAccess |
Controls the use of the camera and whether the user has access to the camera access toggle. |
microphoneAccess |
Controls the use of the microphone and whether the user has access to the microphone access toggle. This applies only on fully managed devices. |
deviceConnectivityManagement |
Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more. |
deviceRadioState |
Covers controls for radio state such as Wi-Fi, bluetooth, and more. |
credentialProviderPolicyDefault |
Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, see this and this for details. See also |
printingPolicy |
Optional. Controls whether printing is allowed. This is supported on devices running Android 9 and above. . |
displaySettings |
Optional. Controls for the display settings. |
assistContentPolicy |
Optional. Controls whether AssistContent is allowed to be sent to a privileged app such as an assistant app. AssistContent includes screenshots and information about an app, such as package name. This is supported on Android 15 and above. |
ApplicationPolicy
Policy for an individual app. Note: Application availability on a given device cannot be changed using this policy if
is enabled. The maximum number of applications that you can specify per policy is 3,000.installAppsDisabled
JSON representation |
---|
{ "packageName": string, "installType": enum ( |
Fields | |||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
packageName |
The package name of the app. For example, |
||||||||||||||||
installType |
The type of installation to perform. |
||||||||||||||||
lockTaskAllowed |
Whether the app is allowed to lock itself in full-screen mode. DEPRECATED. Use InstallType |
||||||||||||||||
defaultPermissionPolicy |
The default policy for all permissions requested by the app. If specified, this overrides the policy-level |
||||||||||||||||
permissionGrants[] |
Explicit permission grants or denials for the app. These values override the |
||||||||||||||||
managedConfiguration |
Managed configuration applied to the app. The format for the configuration is dictated by the
|
||||||||||||||||
disabled |
Whether the app is disabled. When disabled, the app data is still preserved. |
||||||||||||||||
minimumVersionCode |
The minimum version of the app that runs on the device. If set, the device attempts to update the app to at least this version code. If the app is not up-to-date, the device will contain a |
||||||||||||||||
delegatedScopes[] |
The scopes delegated to the app from Android Device Policy. These provide additional privileges for the applications they are applied to. |
||||||||||||||||
managedConfigurationTemplate |
The managed configurations template for the app, saved from the managed configurations iframe. This field is ignored if managedConfiguration is set. |
||||||||||||||||
accessibleTrackIds[] |
List of the app’s track IDs that a device belonging to the enterprise can access. If the list contains multiple track IDs, devices receive the latest version among all accessible tracks. If the list contains no track IDs, devices only have access to the app’s production track. More details about each track are available in AppTrackInfo. |
||||||||||||||||
connectedWorkAndPersonalApp |
Controls whether the app can communicate with itself across a device’s work and personal profiles, subject to user consent. |
||||||||||||||||
autoUpdateMode |
Controls the auto-update mode for the app. |
||||||||||||||||
extensionConfig |
Configuration to enable this app as an extension app, with the capability of interacting with Android Device Policy offline. This field can be set for at most one app. |
||||||||||||||||
alwaysOnVpnLockdownExemption |
Specifies whether the app is allowed networking when the VPN is not connected and |
||||||||||||||||
workProfileWidgets |
Specifies whether the app installed in the work profile is allowed to add widgets to the home screen. |
||||||||||||||||
credentialProviderPolicy |
Optional. Whether the app is allowed to act as a credential provider on Android 14 and above. |
||||||||||||||||
installConstraint[] |
Optional. The constraints for installing the app. You can specify a maximum of one |
||||||||||||||||
installPriority |
Optional. Amongst apps with this controls the relative priority of installation. A value of 0 (default) means this app has no priority over other apps. For values between 1 and 10,000, a lower value means a higher priority. Values outside of the range 0 to 10,000 inclusive are rejected. |
||||||||||||||||
userControlSettings |
Optional. Specifies whether user control is permitted for the app. User control includes user actions like force-stopping and clearing app data. Supported on Android 11 and above. |
InstallType
The type of installation to perform for an app. If
references an app, they must have setupAction
set as installType
REQUIRED_FOR_SETUP
or the setup will fail.
Enums | |
---|---|
INSTALL_TYPE_UNSPECIFIED |
Unspecified. Defaults to AVAILABLE. |
PREINSTALLED |
The app is automatically installed and can be removed by the user. |
FORCE_INSTALLED |
The app is automatically installed regardless of a set maintenance window and can't be removed by the user. |
BLOCKED |
The app is blocked and can't be installed. If the app was installed under a previous policy, it will be uninstalled. This also blocks its instant app functionality. |
AVAILABLE |
The app is available to install. |
REQUIRED_FOR_SETUP |
The app is automatically installed and can't be removed by the user and will prevent setup from completion until installation is complete. |
KIOSK |
The app is automatically installed in kiosk mode: it's set as the preferred home intent and whitelisted for lock task mode. Device setup won't complete until the app is installed. After installation, users won't be able to remove the app. You can only set this installType for one app per policy. When this is present in the policy, status bar will be automatically disabled. |
PermissionPolicy
The policy for granting permission requests to apps.
Enums | |
---|---|
PERMISSION_POLICY_UNSPECIFIED |
Policy not specified. If no policy is specified for a permission at any level, then the PROMPT behavior is used by default. |
PROMPT |
Prompt the user to grant a permission. |
GRANT |
Automatically grant a permission. On Android 12 and above, |
DENY |
Automatically deny a permission. |
PermissionGrant
Configuration for an Android permission and its grant state.
JSON representation |
---|
{
"permission": string,
"policy": enum ( |
Fields | |
---|---|
permission |
The Android permission or group, e.g. |
policy |
The policy for granting the permission. |
DelegatedScope
Delegation Scopes that another package can acquire from Android Device Policy. These provide additional privileges for the applications they are applied to.
Scopes can be applied to multiple applications, with the exception of SECURITY_LOGS and NETWORK_ACTIVITY_LOGS, which can be delegated to only one app at a time.
Enums | |
---|---|
DELEGATED_SCOPE_UNSPECIFIED |
No delegation scope specified. |
CERT_INSTALL |
Grants access to certificate installation and management. |
MANAGED_CONFIGURATIONS |
Grants access to managed configurations management. |
BLOCK_UNINSTALL |
Grants access to blocking uninstallation. |
PERMISSION_GRANT |
Grants access to permission policy and permission grant state. |
PACKAGE_ACCESS |
Grants access to package access state. |
ENABLE_SYSTEM_APP |
Grants access for enabling system apps. |
NETWORK_ACTIVITY_LOGS |
Grants access to network activity logs. Allows the delegated application to call setNetworkLoggingEnabled , isNetworkLoggingEnabled and retrieveNetworkLogs methods. This scope can be delegated to at most one application. Supported for fully managed devices on Android 10 and above. Supported for a work profile on Android 12 and above. When delegation is supported and set, is ignored. |
SECURITY_LOGS |
Grants access to security logs. Allows the delegated application to call setSecurityLoggingEnabled , isSecurityLoggingEnabled , retrieveSecurityLogs and retrievePreRebootSecurityLogs methods. This scope can be delegated to at most one application. Supported for fully managed devices and company-owned devices with a work profile on Android 12 and above. When delegation is supported and set, is ignored. |
CERT_SELECTION |
Grants access to selection of KeyChain certificates on behalf of requesting apps. Once granted, the delegated application will start receiving DelegatedAdminReceiver#onChoosePrivateKeyAlias . Allows the delegated application to call grantKeyPairToApp and revokeKeyPairFromApp methods. There can be at most one app that has this delegation. must be empty and has no effect if certificate selection is delegated to an application. |
ManagedConfigurationTemplate
The managed configurations template for the app, saved from the managed configurations iframe.
JSON representation |
---|
{ "templateId": string, "configurationVariables": { string: string, ... } } |
Fields | |
---|---|
templateId |
The ID of the managed configurations template. |
configurationVariables |
Optional, a map containing <key, value> configuration variables defined for the configuration. An object containing a list of |
ConnectedWorkAndPersonalApp
Controls whether the app can communicate with itself cross-profile, subject to user consent.
Enums | |
---|---|
CONNECTED_WORK_AND_PERSONAL_APP_UNSPECIFIED |
Unspecified. Defaults to CONNECTED_WORK_AND_PERSONAL_APPS_DISALLOWED. |
CONNECTED_WORK_AND_PERSONAL_APP_DISALLOWED |
Default. Prevents the app from communicating cross-profile. |
CONNECTED_WORK_AND_PERSONAL_APP_ALLOWED |
Allows the app to communicate across profiles after receiving user consent. |
AutoUpdateMode
Controls the auto-update mode for the app. If a device user makes changes to the device settings manually, these choices are ignored by AutoUpdateMode
as it takes precedence.
Enums | |
---|---|
AUTO_UPDATE_MODE_UNSPECIFIED |
Unspecified. Defaults to . |
AUTO_UPDATE_DEFAULT |
The default update mode. The app is automatically updated with low priority to minimize the impact on the user. The app is updated when all of the following constraints are met:
The device is notified about a new update within 24 hours after it is published by the developer, after which the app is updated the next time the constraints above are met. |
AUTO_UPDATE_POSTPONED |
The app is not automatically updated for a maximum of 90 days after the app becomes out of date. 90 days after the app becomes out of date, the latest available version is installed automatically with low priority (see The user can still manually update the app from the Play Store at any time. |
AUTO_UPDATE_HIGH_PRIORITY |
The app is updated as soon as possible. No constraints are applied. The device is notified as soon as possible about a new update after it becomes available. NOTE: Updates to apps with larger deployments across Android's ecosystem can take up to 24h. |
ExtensionConfig
Configuration to enable an app as an extension app, with the capability of interacting with Android Device Policy offline. For Android versions 13 and above, extension apps are exempt from battery restrictions so will not be placed into the restricted App Standby Bucket. Extensions apps are also protected against users clearing their data or force-closing the application, although admins can continue to use the clear app data command
on extension apps if needed for Android 13 and above.
JSON representation |
---|
{ "signingKeyFingerprintsSha256": [ string ], "notificationReceiver": string } |
Fields | |
---|---|
signingKeyFingerprintsSha256[] |
Hex-encoded SHA-256 hash of the signing certificate of the extension app. Only hexadecimal string representations of 64 characters are valid. If not specified, the signature for the corresponding package name is obtained from the Play Store instead. If this list is empty, the signature of the extension app on the device must match the signature obtained from the Play Store for the app to be able to communicate with Android Device Policy. If this list is not empty, the signature of the extension app on the device must match one of the entries in this list for the app to be able to communicate with Android Device Policy. In production use cases, it is recommended to leave this empty. |
notificationReceiver |
Fully qualified class name of the receiver service class for Android Device Policy to notify the extension app of any local command status updates. |
AlwaysOnVpnLockdownExemption
Controls whether an app is exempt from the
setting.alwaysOnVpnPackage.lockdownEnabled
Enums | |
---|---|
ALWAYS_ON_VPN_LOCKDOWN_EXEMPTION_UNSPECIFIED |
Unspecified. Defaults to VPN_LOCKDOWN_ENFORCED . |
VPN_LOCKDOWN_ENFORCED |
The app respects the always-on VPN lockdown setting. |
VPN_LOCKDOWN_EXEMPTION |
The app is exempt from the always-on VPN lockdown setting. |
WorkProfileWidgets
Controls if a work profile application is allowed to add widgets to the home screen.
Enums | |
---|---|
WORK_PROFILE_WIDGETS_UNSPECIFIED |
Unspecified. Defaults to
|
WORK_PROFILE_WIDGETS_ALLOWED |
Work profile widgets are allowed. This means the application will be able to add widgets to the home screen. |
WORK_PROFILE_WIDGETS_DISALLOWED |
Work profile widgets are disallowed. This means the application will not be able to add widgets to the home screen. |
CredentialProviderPolicy
Whether the app is allowed to act as a credential provider on Android 14 and above.
Enums | |
---|---|
CREDENTIAL_PROVIDER_POLICY_UNSPECIFIED |
Unspecified. The behaviour is governed by . |
CREDENTIAL_PROVIDER_ALLOWED |
App is allowed to act as a credential provider. |
InstallConstraint
Amongst apps with
set to:InstallType
this defines a set of restrictions for the app installation. At least one of the fields must be set. When multiple fields are set, then all the constraints need to be satisfied for the app to be installed.
JSON representation |
---|
{ "networkTypeConstraint": enum ( |
Fields | |
---|---|
networkTypeConstraint |
Optional. Network type constraint. |
chargingConstraint |
Optional. Charging constraint. |
deviceIdleConstraint |
Optional. Device idle constraint. |
NetworkTypeConstraint
Network type constraint.
Enums | |
---|---|
NETWORK_TYPE_CONSTRAINT_UNSPECIFIED |
Unspecified. Default to INSTALL_ON_ANY_NETWORK . |
INSTALL_ON_ANY_NETWORK |
Any active networks (Wi-Fi, cellular, etc.). |
INSTALL_ONLY_ON_UNMETERED_NETWORK |
Any unmetered network (e.g. Wi-FI). |
ChargingConstraint
Charging constraint.
Enums | |
---|---|
CHARGING_CONSTRAINT_UNSPECIFIED |
Unspecified. Default to CHARGING_NOT_REQUIRED . |
CHARGING_NOT_REQUIRED |
Device doesn't have to be charging. |
INSTALL_ONLY_WHEN_CHARGING |
Device has to be charging. |
DeviceIdleConstraint
Device idle state constraint.
Enums | |
---|---|
DEVICE_IDLE_CONSTRAINT_UNSPECIFIED |
Unspecified. Default to DEVICE_IDLE_NOT_REQUIRED . |
DEVICE_IDLE_NOT_REQUIRED |
Device doesn't have to be idle, app can be installed while the user is interacting with the device. |
INSTALL_ONLY_WHEN_DEVICE_IDLE |
Device has to be idle. |
UserControlSettings
Specifies whether user control is permitted for a given app. User control includes user actions like force-stopping and clearing app data. Supported on Android 11 and above. If
is set for an app, user control is disallowed for it regardless of the value set. For kiosk apps, extensionConfig
can be used to allow user control.USER_CONTROL_ALLOWED
Enums | |
---|---|
USER_CONTROL_SETTINGS_UNSPECIFIED |
Uses the default behaviour of the app to determine if user control is allowed or disallowed. For most apps, user control is allowed by default, but for some critical apps such as companion apps ( set to true), kiosk apps and other critical system apps, user control is disallowed. |
USER_CONTROL_ALLOWED |
User control is allowed for the app. Kiosk apps can use this to allow user control. |
USER_CONTROL_DISALLOWED |
User control is disallowed for the app. is reported if the Android version is less than 11. |
KeyguardDisabledFeature
Keyguard (lock screen) features that can be disabled..
Enums | |
---|---|
KEYGUARD_DISABLED_FEATURE_UNSPECIFIED |
This value is ignored. |
CAMERA |
Disable the camera on secure keyguard screens (e.g. PIN). |
NOTIFICATIONS |
Disable showing all notifications on secure keyguard screens. |
UNREDACTED_NOTIFICATIONS |
Disable unredacted notifications on secure keyguard screens. |
TRUST_AGENTS |
Ignore trust agent state on secure keyguard screens. |
DISABLE_FINGERPRINT |
Disable fingerprint sensor on secure keyguard screens. |
DISABLE_REMOTE_INPUT |
On devices running Android 6 and below, disables text entry into notifications on secure keyguard screens. Has no effect on Android 7 and above. |
FACE |
Disable face authentication on secure keyguard screens. |
IRIS |
Disable iris authentication on secure keyguard screens. |
BIOMETRICS |
Disable all biometric authentication on secure keyguard screens. |
SHORTCUTS |
Disable all shortcuts on secure keyguard screen on Android 14 and above. |
ALL_FEATURES |
Disable all current and future keyguard customizations. |
PersistentPreferredActivity
A default activity for handling intents that match a particular intent filter. Note: To set up a kiosk, use InstallType to KIOSK
rather than use persistent preferred activities.
JSON representation |
---|
{ "receiverActivity": string, "actions": [ string ], "categories": [ string ] } |
Fields | |
---|---|
receiverActivity |
The activity that should be the default intent handler. This should be an Android component name, e.g. |
actions[] |
The intent actions to match in the filter. If any actions are included in the filter, then an intent's action must be one of those values for it to match. If no actions are included, the intent action is ignored. |
categories[] |
The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent. |
SystemUpdate
Configuration for managing system updates
Note: Google Play system updates (also called Mainline updates) are automatically downloaded but require a device reboot to be installed. Refer to the mainline section in Manage system updates for further details.
JSON representation |
---|
{ "type": enum ( |
Fields | |
---|---|
type |
The type of system update to configure. |
startMinutes |
If the type is |
endMinutes |
If the type is |
freezePeriods[] |
An annually repeating time period in which over-the-air (OTA) system updates are postponed to freeze the OS version running on a device. To prevent freezing the device indefinitely, each freeze period must be separated by at least 60 days. |
SystemUpdateType
The type of system update configuration.
Enums | |
---|---|
SYSTEM_UPDATE_TYPE_UNSPECIFIED |
Follow the default update behavior for the device, which typically requires the user to accept system updates. |
AUTOMATIC |
Install automatically as soon as an update is available. |
WINDOWED |
Install automatically within a daily maintenance window. This also configures Play apps to be updated within the window. This is strongly recommended for kiosk devices because this is the only way apps persistently pinned to the foreground can be updated by Play. If |
POSTPONE |
Postpone automatic install up to a maximum of 30 days. This policy does not affect security updates (e.g. monthly security patches). |
FreezePeriod
A system freeze period. When a device’s clock is within the freeze period, all incoming system updates (including security patches) are blocked and won’t be installed.
When the device is outside any set freeze periods, the normal policy behavior (automatic, windowed, or postponed) applies.
Leap years are ignored in freeze period calculations, in particular:
- If Feb. 29th is set as the start or end date of a freeze period, the freeze period will start or end on Feb. 28th instead.
- When a device’s system clock reads Feb. 29th, it’s treated as Feb. 28th.
- When calculating the number of days in a freeze period or the time between two freeze periods, Feb. 29th is ignored and not counted as a day.
Note: For Freeze Periods to take effect,
cannot be specified as SystemUpdateType
, because freeze periods require a defined policy to be specified.SYSTEM_UPDATE_TYPE_UNSPECIFIED
JSON representation |
---|
{ "startDate": { object ( |
Fields | |
---|---|
startDate |
The start date (inclusive) of the freeze period. Note: |
endDate |
The end date (inclusive) of the freeze period. Must be no later than 90 days from the start date. If the end date is earlier than the start date, the freeze period is considered wrapping year-end. Note: |
Date
Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following:
- A full date, with non-zero year, month, and day values.
- A month and day, with a zero year (for example, an anniversary).
- A year on its own, with a zero month and a zero day.
- A year and month, with a zero day (for example, a credit card expiration date).
Related types:
google.type.TimeOfDay
google.type.DateTime
google.protobuf.Timestamp
JSON representation |
---|
{ "year": integer, "month": integer, "day": integer } |
Fields | |
---|---|
year |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
month |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
day |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
StatusReportingSettings
Settings controlling the behavior of status reports.
JSON representation |
---|
{
"applicationReportsEnabled": boolean,
"deviceSettingsEnabled": boolean,
"softwareInfoEnabled": boolean,
"memoryInfoEnabled": boolean,
"networkInfoEnabled": boolean,
"displayInfoEnabled": boolean,
"powerManagementEventsEnabled": boolean,
"hardwareStatusEnabled": boolean,
"systemPropertiesEnabled": boolean,
"applicationReportingSettings": {
object ( |
Fields | |
---|---|
applicationReportsEnabled |
Whether app reports are enabled. |
deviceSettingsEnabled |
Whether device settings reporting is enabled. |
softwareInfoEnabled |
Whether software info reporting is enabled. |
memoryInfoEnabled |
Whether memory event reporting is enabled. |
networkInfoEnabled |
Whether network info reporting is enabled. |
displayInfoEnabled |
Whether displays reporting is enabled. Report data is not available for personally owned devices with work profiles. |
powerManagementEventsEnabled |
Whether power management event reporting is enabled. Report data is not available for personally owned devices with work profiles. |
hardwareStatusEnabled |
Whether hardware status reporting is enabled. Report data is not available for personally owned devices with work profiles. |
systemPropertiesEnabled |
Whether system properties reporting is enabled. |
applicationReportingSettings |
Application reporting settings. Only applicable if applicationReportsEnabled is true. |
commonCriteriaModeEnabled |
Whether |
ApplicationReportingSettings
Settings controlling the behavior of application reports.
JSON representation |
---|
{ "includeRemovedApps": boolean } |
Fields | |
---|---|
includeRemovedApps |
Whether removed apps are included in application reports. |
PackageNameList
A list of package names.
JSON representation |
---|
{ "packageNames": [ string ] } |
Fields | |
---|---|
packageNames[] |
A list of package names. |
BatteryPluggedMode
Modes for plugging in the battery.
Enums | |
---|---|
BATTERY_PLUGGED_MODE_UNSPECIFIED |
This value is ignored. |
AC |
Power source is an AC charger. |
USB |
Power source is a USB port. |
WIRELESS |
Power source is wireless. |
ProxyInfo
Configuration info for an HTTP proxy. For a direct proxy, set the host
, port
, and excludedHosts
fields. For a PAC script proxy, set the pacUri
field.
JSON representation |
---|
{ "host": string, "port": integer, "excludedHosts": [ string ], "pacUri": string } |
Fields | |
---|---|
host |
The host of the direct proxy. |
port |
The port of the direct proxy. |
excludedHosts[] |
For a direct proxy, the hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com. |
pacUri |
The URI of the PAC script used to configure the proxy. |
ChoosePrivateKeyRule
Controls apps' access to private keys. The rule determines which private key, if any, Android Device Policy grants to the specified app. Access is granted either when the app calls KeyChain.choosePrivateKeyAlias
(or any overloads) to request a private key alias for a given URL, or for rules that are not URL-specific (that is, if urlPattern
is not set, or set to the empty string or .*
) on Android 11 and above, directly so that the app can call KeyChain.getPrivateKey
, without first having to call KeyChain.choosePrivateKeyAlias
.
When an app calls KeyChain.choosePrivateKeyAlias
if more than one
matches, the last matching rule defines which key alias to return.choosePrivateKeyRules
JSON representation |
---|
{ "urlPattern": string, "packageNames": [ string ], "privateKeyAlias": string } |
Fields | |
---|---|
urlPattern |
The URL pattern to match against the URL of the request. If not set or empty, it matches all URLs. This uses the regular expression syntax of |
packageNames[] |
The package names to which this rule applies. The hash of the signing certificate for each app is verified against the hash provided by Play. If no package names are specified, then the alias is provided to all apps that call |
privateKeyAlias |
The alias of the private key to be used. |
AlwaysOnVpnPackage
Configuration for an always-on VPN connection.
JSON representation |
---|
{ "packageName": string, "lockdownEnabled": boolean } |
Fields | |
---|---|
packageName |
The package name of the VPN app. |
lockdownEnabled |
Disallows networking when the VPN is not connected. |
LocationMode
The degree of location detection enabled on work profile and fully managed devices.
Enums | |
---|---|
LOCATION_MODE_UNSPECIFIED |
Defaults to LOCATION_USER_CHOICE . |
HIGH_ACCURACY |
On Android 8 and below, all location detection methods are enabled, including GPS, networks, and other sensors. On Android 9 and above, this is equivalent to |
SENSORS_ONLY |
On Android 8 and below, only GPS and other sensors are enabled. On Android 9 and above, this is equivalent to |
BATTERY_SAVING |
On Android 8 and below, only the network location provider is enabled. On Android 9 and above, this is equivalent to |
OFF |
On Android 8 and below, location setting and accuracy are disabled. On Android 9 and above, this is equivalent to |
LOCATION_USER_CHOICE |
Location setting is not restricted on the device. No specific behavior is set or enforced. |
LOCATION_ENFORCED |
Enable location setting on the device. |
LOCATION_DISABLED |
Disable location setting on the device. |
ComplianceRule
A rule declaring which mitigating actions to take when a device is not compliant with its policy. For every rule, there is always an implicit mitigating action to set policyCompliant
to false for the Device
resource, and display a message on the device indicating that the device is not compliant with its policy. Other mitigating actions may optionally be taken as well, depending on the field values in the rule.
JSON representation |
---|
{ "disableApps": boolean, "packageNamesToDisable": [ string ], // Union field |
Fields | |
---|---|
disableApps |
If set to true, the rule includes a mitigating action to disable apps so that the device is effectively disabled, but app data is preserved. If the device is running an app in locked task mode, the app will be closed and a UI showing the reason for non-compliance will be displayed. |
packageNamesToDisable[] |
If set, the rule includes a mitigating action to disable apps specified in the list, but app data is preserved. |
Union field condition . The condition, which when satisfied, triggers the mitigating actions defined in the rule. Exactly one of the conditions must be set. condition can be only one of the following: |
|
nonComplianceDetailCondition |
A condition which is satisfied if there exists any matching |
apiLevelCondition |
A condition which is satisfied if the Android Framework API level on the device doesn't meet a minimum requirement. |
NonComplianceDetailCondition
A compliance rule condition which is satisfied if there exists any matching NonComplianceDetail
for the device. A NonComplianceDetail
matches a NonComplianceDetailCondition
if all the fields which are set within the NonComplianceDetailCondition
match the corresponding NonComplianceDetail
fields.
JSON representation |
---|
{
"settingName": string,
"nonComplianceReason": enum ( |
Fields | |
---|---|
settingName |
The name of the policy setting. This is the JSON field name of a top-level |
nonComplianceReason |
The reason the device is not in compliance with the setting. If not set, then this condition matches any reason. |
packageName |
The package name of the app that's out of compliance. If not set, then this condition matches any package name. |
ApiLevelCondition
A compliance rule condition which is satisfied if the Android Framework API level on the device doesn't meet a minimum requirement. There can only be one rule with this type of condition per policy.
JSON representation |
---|
{ "minApiLevel": integer } |
Fields | |
---|---|
minApiLevel |
The minimum desired Android Framework API level. If the device doesn't meet the minimum requirement, this condition is satisfied. Must be greater than zero. |
AppAutoUpdatePolicy
Recommended alternative:
which is set per app, provides greater flexibility around update frequency.autoUpdateMode
When
is set to autoUpdateMode
or AUTO_UPDATE_POSTPONED
, this field has no effect.AUTO_UPDATE_HIGH_PRIORITY
The app auto-update policy, which controls when automatic app updates can be applied.
Enums | |
---|---|
APP_AUTO_UPDATE_POLICY_UNSPECIFIED |
The auto-update policy is not set. Equivalent to CHOICE_TO_THE_USER . |
CHOICE_TO_THE_USER |
The user can control auto-updates. |
NEVER |
Apps are never auto-updated. |
WIFI_ONLY |
Apps are auto-updated over Wi-Fi only. |
ALWAYS |
Apps are auto-updated at any time. Data charges may apply. |
AppTrack
A Google Play app release track.
Enums | |
---|---|
APP_TRACK_UNSPECIFIED |
This value is ignored. |
PRODUCTION |
The production track, which provides the latest stable release. |
BETA |
The beta track, which provides the latest beta release. |
EncryptionPolicy
Type of encryption
Enums | |
---|---|
ENCRYPTION_POLICY_UNSPECIFIED |
This value is ignored, i.e. no encryption required |
ENABLED_WITHOUT_PASSWORD |
Encryption required but no password required to boot |
ENABLED_WITH_PASSWORD |
Encryption required with password required to boot |
PlayStoreMode
Possible values for Play Store mode policy.
Enums | |
---|---|
PLAY_STORE_MODE_UNSPECIFIED |
Unspecified. Defaults to WHITELIST. |
WHITELIST |
Only apps that are in the policy are available and any app not in the policy will be automatically uninstalled from the device. |
BLACKLIST |
All apps are available and any app that should not be on the device should be explicitly marked as 'BLOCKED' in the applications policy. |
SetupAction
An action executed during setup.
JSON representation |
---|
{ "title": { object ( |
Fields | |
---|---|
title |
Title of this action. |
description |
Description of this action. |
Union field action . The action to execute during setup. action can be only one of the following: |
|
launchApp |
An action to launch an app. The app will be launched with an intent containing an extra with key |
LaunchAppAction
An action to launch an app.
JSON representation |
---|
{ // Union field |
Fields | |
---|---|
Union field launch . Description of launch action to be executed launch can be only one of the following: |
|
packageName |
Package name of app to be launched |
PolicyEnforcementRule
A rule that defines the actions to take if a device or work profile is not compliant with the policy specified in settingName
. In the case of multiple matching or multiple triggered enforcement rules, a merge will occur with the most severe action being taken. However, all triggered rules are still kept track of: this includes initial trigger time and all associated non-compliance details. In the situation where the most severe enforcement rule is satisfied, the next most appropriate action is applied.
JSON representation |
---|
{ "blockAction": { object ( |
Fields | |
---|---|
blockAction |
An action to block access to apps and data on a company owned device or in a work profile. This action also triggers a user-facing notification with information (where possible) on how to correct the compliance issue. Note: |
wipeAction |
An action to reset a company owned device or delete a work profile. Note: |
Union field trigger . Condition which will trigger this rule. trigger can be only one of the following: |
|
settingName |
The top-level policy to enforce. For example, |
BlockAction
An action to block access to apps and data on a fully managed device or in a work profile. This action also triggers a device or work profile to displays a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction
must also be specified.
JSON representation |
---|
{
"blockAfterDays": integer,
"blockScope": enum ( |
Fields | |
---|---|
blockAfterDays |
Number of days the policy is non-compliant before the device or work profile is blocked. To block access immediately, set to 0. |
blockScope |
Specifies the scope of this |
BlockScope
Specifies the scope of BlockAction
. Only applicable to devices that are company-owned.
Enums | |
---|---|
BLOCK_SCOPE_UNSPECIFIED |
Unspecified. Defaults to BLOCK_SCOPE_WORK_PROFILE . |
BLOCK_SCOPE_WORK_PROFILE |
Block action is only applied to apps in the work profile. Apps in the personal profile are unaffected. |
BLOCK_SCOPE_DEVICE |
Block action is applied to the entire device, including apps in the personal profile. |
WipeAction
An action to reset a company owned device or delete a work profile. Note: blockAction
must also be specified.
JSON representation |
---|
{ "wipeAfterDays": integer, "preserveFrp": boolean } |
Fields | |
---|---|
wipeAfterDays |
Number of days the policy is non-compliant before the device or work profile is wiped. |
preserveFrp |
Whether the factory-reset protection data is preserved on the device. This setting doesn’t apply to work profiles. |
KioskCustomization
Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled
to true
or specify an app in the policy with installType
KIOSK
.
JSON representation |
---|
{ "powerButtonActions": enum ( |
Fields | |
---|---|
powerButtonActions |
Sets the behavior of a device in kiosk mode when a user presses and holds (long-presses) the Power button. |
systemErrorWarnings |
Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode. When blocked, the system will force-stop the app as if the user chooses the "close app" option on the UI. |
systemNavigation |
Specifies which navigation features are enabled (e.g. Home, Overview buttons) in kiosk mode. |
statusBar |
Specifies whether system info and notifications are disabled in kiosk mode. |
deviceSettings |
Specifies whether the Settings app is allowed in kiosk mode. |
PowerButtonActions
Sets the behavior of a device in kiosk mode when a user presses and holds (long-presses) the Power button.
Enums | |
---|---|
POWER_BUTTON_ACTIONS_UNSPECIFIED |
Unspecified, defaults to POWER_BUTTON_AVAILABLE . |
POWER_BUTTON_AVAILABLE |
The power menu (e.g. Power off, Restart) is shown when a user long-presses the Power button of a device in kiosk mode. |
POWER_BUTTON_BLOCKED |
The power menu (e.g. Power off, Restart) is not shown when a user long-presses the Power button of a device in kiosk mode. Note: this may prevent users from turning off the device. |
SystemErrorWarnings
Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode.
Enums | |
---|---|
SYSTEM_ERROR_WARNINGS_UNSPECIFIED |
Unspecified, defaults to ERROR_AND_WARNINGS_MUTED . |
ERROR_AND_WARNINGS_ENABLED |
All system error dialogs such as crash and app not responding (ANR) are displayed. |
ERROR_AND_WARNINGS_MUTED |
All system error dialogs, such as crash and app not responding (ANR) are blocked. When blocked, the system force-stops the app as if the user closes the app from the UI. |
StatusBar
Specifies whether system info and notifications are disabled in kiosk mode.
Enums | |
---|---|
STATUS_BAR_UNSPECIFIED |
Unspecified, defaults to INFO_AND_NOTIFICATIONS_DISABLED . |
NOTIFICATIONS_AND_SYSTEM_INFO_ENABLED |
System info and notifications are shown on the status bar in kiosk mode. Note: For this policy to take effect, the device's home button must be enabled using |
NOTIFICATIONS_AND_SYSTEM_INFO_DISABLED |
System info and notifications are disabled in kiosk mode. |
SYSTEM_INFO_ONLY |
Only system info is shown on the status bar. |
DeviceSettings
Specifies whether a user can access the device's Settings app while in kiosk mode.
Enums | |
---|---|
DEVICE_SETTINGS_UNSPECIFIED |
Unspecified, defaults to SETTINGS_ACCESS_ALLOWED . |
SETTINGS_ACCESS_ALLOWED |
Access to the Settings app is allowed in kiosk mode. |
SETTINGS_ACCESS_BLOCKED |
Access to the Settings app is not allowed in kiosk mode. |
AdvancedSecurityOverrides
Advanced security settings. In most cases, setting these is not needed.
JSON representation |
---|
{ "untrustedAppsPolicy": enum ( |
Fields | |
---|---|
untrustedAppsPolicy |
The policy for untrusted apps (apps from unknown sources) enforced on the device. Replaces |
googlePlayProtectVerifyApps |
Whether Google Play Protect verification is enforced. Replaces |
developerSettings |
Controls access to developer settings: developer options and safe boot. Replaces |
commonCriteriaMode |
Controls Common Criteria Mode—security standards defined in the Common Criteria for Information Technology Security Evaluation (CC). Enabling Common Criteria Mode increases certain security components on a device, see Warning: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enabled if required. If Common Criteria Mode is turned off after being enabled previously, all user-configured Wi-Fi networks may be lost and any enterprise-configured Wi-Fi networks that require user input may need to be reconfigured. |
personalAppsThatCanReadWorkNotifications[] |
Personal apps that can read work profile notifications using a NotificationListenerService. By default, no personal apps (aside from system apps) can read work notifications. Each value in the list must be a package name. |
mtePolicy |
Optional. Controls Memory Tagging Extension (MTE) on the device. The device needs to be rebooted to apply changes to the MTE policy. |
contentProtectionPolicy |
Optional. Controls whether content protection, which scans for deceptive apps, is enabled. This is supported on Android 15 and above. |
UntrustedAppsPolicy
The policy for untrusted apps (apps from unknown sources) enforced on the device. Replaces installUnknownSourcesAllowed (deprecated).
Enums | |
---|---|
UNTRUSTED_APPS_POLICY_UNSPECIFIED |
Unspecified. Defaults to DISALLOW_INSTALL. |
DISALLOW_INSTALL |
Default. Disallow untrusted app installs on entire device. |
ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY |
For devices with work profiles, allow untrusted app installs in the device's personal profile only. |
ALLOW_INSTALL_DEVICE_WIDE |
Allow untrusted app installs on entire device. |
GooglePlayProtectVerifyApps
Whether Google Play Protect verification is enforced. Replaces
(deprecated).ensureVerifyAppsEnabled
Enums | |
---|---|
GOOGLE_PLAY_PROTECT_VERIFY_APPS_UNSPECIFIED |
Unspecified. Defaults to VERIFY_APPS_ENFORCED. |
VERIFY_APPS_ENFORCED |
Default. Force-enables app verification. |
VERIFY_APPS_USER_CHOICE |
Allows the user to choose whether to enable app verification. |
DeveloperSettings
Controls access to developer settings: developer options and safe boot. Replaces
(deprecated) and safeBootDisabled
(deprecated).debuggingFeaturesAllowed
Enums | |
---|---|
DEVELOPER_SETTINGS_UNSPECIFIED |
Unspecified. Defaults to DEVELOPER_SETTINGS_DISABLED. |
DEVELOPER_SETTINGS_DISABLED |
Default. Disables all developer settings and prevents the user from accessing them. |
DEVELOPER_SETTINGS_ALLOWED |
Allows all developer settings. The user can access and optionally configure the settings. |
CommonCriteriaMode
Controls Common Criteria Mode—security standards defined in the Common Criteria for Information Technology Security Evaluation (CC). Enabling Common Criteria Mode increases certain security components on a device, including:
- AES-GCM encryption of Bluetooth Long Term Keys
- Wi-Fi configuration stores
- Additional network certificates validation requiring the use of TLSv1.2 to connect to AM API destination hosts
- Cryptographic policy integrity check. It is recommended to set
to true to obtain the status of policy integrity check. If the policy signature verification fails, then the policy is not applied on the device andstatusReportingSettings.commonCriteriaModeEnabled
is set tocommonCriteriaModeInfo.policy_signature_verification_status
.POLICY_SIGNATURE_VERIFICATION_FAILED
Common Criteria Mode is only supported on company-owned devices running Android 11 or above.
Warning: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enabled if required. If Common Criteria Mode is turned off after being enabled previously, all user-configured Wi-Fi networks may be lost and any enterprise-configured Wi-Fi networks that require user input may need to be reconfigured.
Enums | |
---|---|
COMMON_CRITERIA_MODE_UNSPECIFIED |
Unspecified. Defaults to COMMON_CRITERIA_MODE_DISABLED. |
COMMON_CRITERIA_MODE_DISABLED |
Default. Disables Common Criteria Mode. |
COMMON_CRITERIA_MODE_ENABLED |
Enables Common Criteria Mode. |
MtePolicy
Controls Memory Tagging Extension (MTE) on the device.
Enums | |
---|---|
MTE_POLICY_UNSPECIFIED |
Unspecified. Defaults to . |
MTE_USER_CHOICE |
The user can choose to enable or disable MTE on the device if the device supports this. |
MTE_ENFORCED |
MTE is enabled on the device and the user is not allowed to change this setting. This can be set on fully managed devices and work profiles on company-owned devices. A Supported on Android 14 and above. A |
MTE_DISABLED |
MTE is disabled on the device and the user is not allowed to change this setting. This applies only on fully managed devices. In other cases, a Supported on Android 14 and above. A |
ContentProtectionPolicy
Controls whether content protection, which scans for deceptive apps, is enabled. This is supported on Android 15 and above.
Enums | |
---|---|
CONTENT_PROTECTION_POLICY_UNSPECIFIED |
Unspecified. Defaults to . |
CONTENT_PROTECTION_DISABLED |
Content protection is disabled and the user cannot change this. |
CONTENT_PROTECTION_ENFORCED |
Content protection is enabled and the user cannot change this. Supported on Android 15 and above. A |
CONTENT_PROTECTION_USER_CHOICE |
Content protection is not controlled by the policy. The user is allowed to choose the behavior of content protection. Supported on Android 15 and above. A |
PersonalUsagePolicies
Policies controlling personal usage on a company-owned device with a work profile.
JSON representation |
---|
{ "cameraDisabled": boolean, "screenCaptureDisabled": boolean, "accountTypesWithManagementDisabled": [ string ], "maxDaysWithWorkOff": integer, "personalPlayStoreMode": enum ( |
Fields | |
---|---|
cameraDisabled |
If true, the camera is disabled on the personal profile. |
screenCaptureDisabled |
If true, screen capture is disabled for all users. |
accountTypesWithManagementDisabled[] |
Account types that can't be managed by the user. |
maxDaysWithWorkOff |
Controls how long the work profile can stay off. The minimum duration must be at least 3 days. Other details are as follows:
|
personalPlayStoreMode |
Used together with |
personalApplications[] |
Policy applied to applications in the personal profile. |
PlayStoreMode
Used together with personalApplications
to control how apps in the personal profile are allowed or blocked.
Enums | |
---|---|
PLAY_STORE_MODE_UNSPECIFIED |
Unspecified. Defaults to BLOCKLIST . |
BLACKLIST |
All Play Store apps are available for installation in the personal profile, except those whose |
BLOCKLIST |
All Play Store apps are available for installation in the personal profile, except those whose installType is BLOCKED in personalApplications . |
ALLOWLIST |
Only apps explicitly specified in personalApplications with installType set to AVAILABLE are allowed to be installed in the personal profile. |
PersonalApplicationPolicy
Policies for apps in the personal profile of a company-owned device with a work profile.
JSON representation |
---|
{
"packageName": string,
"installType": enum ( |
Fields | |
---|---|
packageName |
The package name of the application. |
installType |
The type of installation to perform. |
InstallType
Types of installation behaviors a personal profile application can have.
Enums | |
---|---|
INSTALL_TYPE_UNSPECIFIED |
Unspecified. Defaults to AVAILABLE . |
BLOCKED |
The app is blocked and can't be installed in the personal profile. If the app was previously installed in the device, it will be uninstalled. |
AVAILABLE |
The app is available to install in the personal profile. |
AutoDateAndTimeZone
Whether auto date, time, and time zone is enabled on a company-owned device.
Enums | |
---|---|
AUTO_DATE_AND_TIME_ZONE_UNSPECIFIED |
Unspecified. Defaults to AUTO_DATE_AND_TIME_ZONE_USER_CHOICE . |
AUTO_DATE_AND_TIME_ZONE_USER_CHOICE |
Auto date, time, and time zone are left to user's choice. |
AUTO_DATE_AND_TIME_ZONE_ENFORCED |
Enforce auto date, time, and time zone on the device. |
OncCertificateProvider
This feature is not generally available.
JSON representation |
---|
{ "certificateReferences": [ string ], // Union field |
Fields | |
---|---|
certificateReferences[] |
This feature is not generally available. |
Union field This feature is not generally available. |
|
contentProviderEndpoint |
This feature is not generally available. |
ContentProviderEndpoint
This feature is not generally available.
JSON representation |
---|
{ "uri": string, "packageName": string, "signingCertsSha256": [ string ] } |
Fields | |
---|---|
uri |
This feature is not generally available. |
packageName |
This feature is not generally available. |
signingCertsSha256[] |
Required. This feature is not generally available. |
CrossProfilePolicies
Controls the data from the work profile that can be accessed from the personal profile and vice versa. A
with nonComplianceDetail
is reported if the device does not have a work profile.MANAGEMENT_MODE
JSON representation |
---|
{ "showWorkContactsInPersonalProfile": enum ( |
Fields | |
---|---|
showWorkContactsInPersonalProfile |
Whether personal apps can access contacts stored in the work profile. |
crossProfileCopyPaste |
Whether text copied from one profile (personal or work) can be pasted in the other profile. |
crossProfileDataSharing |
Whether data from one profile (personal or work) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste, or connected work & personal apps, are configured separately. |
workProfileWidgetsDefault |
Specifies the default behaviour for work profile widgets. If the policy does not specify |
exemptionsToShowWorkContactsInPersonalProfile |
List of apps which are excluded from the
Supported on Android 14 and above. A |
ShowWorkContactsInPersonalProfile
Whether personal apps can access work profile contacts including contact searches and incoming calls
Note: Once a work contact is accessed by any personal app, it cannot be guaranteed to stay with the same app, as the contact could be shared or transferred to any other app, depending on the allowed app’s behaviour.
Enums | |
---|---|
SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_UNSPECIFIED |
Unspecified. Defaults to When this is set, |
SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED |
Prevents personal apps from accessing work profile contacts and looking up work contacts. When this is set, personal apps specified in Supported on Android 7.0 and above. A |
SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_ALLOWED |
Default. Allows apps in the personal profile to access work profile contacts including contact searches and incoming calls. When this is set, personal apps specified in Supported on Android 7.0 and above. A |
SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED_EXCEPT_SYSTEM |
Prevents most personal apps from accessing work profile contacts including contact searches and incoming calls, except for the OEM default Dialer, Messages, and Contacts apps. Neither user-configured Dialer, Messages, and Contacts apps, nor any other system or play installed apps, will be able to query work contacts directly. When this is set, personal apps specified in Supported on Android 14 and above. If this is set on a device with Android version less than 14, the behaviour falls back to |
CrossProfileCopyPaste
Whether text copied from one profile (personal or work) can be pasted in the other profile.
Enums | |
---|---|
CROSS_PROFILE_COPY_PASTE_UNSPECIFIED |
Unspecified. Defaults to COPY_FROM_WORK_TO_PERSONAL_DISALLOWED |
COPY_FROM_WORK_TO_PERSONAL_DISALLOWED |
Default. Prevents users from pasting into the personal profile text copied from the work profile. Text copied from the personal profile can be pasted into the work profile, and text copied from the work profile can be pasted into the work profile. |
CROSS_PROFILE_COPY_PASTE_ALLOWED |
Text copied in either profile can be pasted in the other profile. |
CrossProfileDataSharing
Whether data from one profile (personal or work) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste, or connected work & personal apps, are configured separately.
Enums | |
---|---|
CROSS_PROFILE_DATA_SHARING_UNSPECIFIED |
Unspecified. Defaults to DATA_SHARING_FROM_WORK_TO_PERSONAL_DISALLOWED. |
CROSS_PROFILE_DATA_SHARING_DISALLOWED |
Prevents data from being shared from both the personal profile to the work profile and the work profile to the personal profile. |
DATA_SHARING_FROM_WORK_TO_PERSONAL_DISALLOWED |
Default. Prevents users from sharing data from the work profile to apps in the personal profile. Personal data can be shared with work apps. |
CROSS_PROFILE_DATA_SHARING_ALLOWED |
Data from either profile can be shared with the other profile. |
WorkProfileWidgetsDefault
Controls if work profile applications are allowed to add widgets to the home screen, where no app-specific policy is defined. Otherwise, the app-specific policy will have priority over this.
Enums | |
---|---|
WORK_PROFILE_WIDGETS_DEFAULT_UNSPECIFIED |
Unspecified. Defaults to WORK_PROFILE_WIDGETS_DEFAULT_DISALLOWED. |
WORK_PROFILE_WIDGETS_DEFAULT_ALLOWED |
Work profile widgets are allowed by default. This means that if the policy does not specify as for the application, it will be able to add widgets to the home screen. |
WORK_PROFILE_WIDGETS_DEFAULT_DISALLOWED |
Work profile widgets are disallowed by default. This means that if the policy does not specify as for the application, it will be unable to add widgets to the home screen. |
PreferentialNetworkService
Controls whether preferential network service is enabled on the work profile. See
for details.preferentialNetworkService
Enums | |
---|---|
PREFERENTIAL_NETWORK_SERVICE_UNSPECIFIED |
Unspecified. Defaults to PREFERENTIAL_NETWORK_SERVICES_DISABLED . |
PREFERENTIAL_NETWORK_SERVICE_DISABLED |
Preferential network service is disabled on the work profile. |
PREFERENTIAL_NETWORK_SERVICE_ENABLED |
Preferential network service is enabled on the work profile. |
UsageLog
Controls types of device activity logs collected from the device and reported via Pub/Sub notification.
JSON representation |
---|
{ "enabledLogTypes": [ enum ( |
Fields | |
---|---|
enabledLogTypes[] |
Specifies which log types are enabled. Note that users will receive on-device messaging when usage logging is enabled. |
uploadOnCellularAllowed[] |
Specifies which of the enabled log types can be uploaded over mobile data. By default logs are queued for upload when the device connects to WiFi. |
LogType
The types of device activity logs that are reported from the device.
Enums | |
---|---|
LOG_TYPE_UNSPECIFIED |
This value is not used. |
SECURITY_LOGS |
Enable logging of on-device security events, like when the device password is incorrectly entered or removable storage is mounted. See for a complete description of the logged security events. Supported for fully managed devices on Android 7 and above. Supported for company-owned devices with a work profile on Android 12 and above, on which only security events from the work profile are logged. Can be overridden by the application delegated scope
|
NETWORK_ACTIVITY_LOGS |
Enable logging of on-device network events, like DNS lookups and TCP connections. See for a complete description of the logged network events. Supported for fully managed devices on Android 8 and above. Supported for company-owned devices with a work profile on Android 12 and above, on which only network events from the work profile are logged. Can be overridden by the application delegated scope
|
CameraAccess
Controls the use of the camera and whether the user has access to the camera access toggle. The camera access toggle exists on Android 12 and above. As a general principle, the possibility of disabling the camera applies device-wide on fully managed devices and only within the work profile on devices with a work profile. The possibility of disabling the camera access toggle applies only on fully managed devices, in which case it applies device-wide. For specifics, see the enum values.
Enums | |
---|---|
CAMERA_ACCESS_UNSPECIFIED |
If is true, this is equivalent to . Otherwise, this is equivalent to . |
CAMERA_ACCESS_USER_CHOICE |
The field is ignored. This is the default device behaviour: all cameras on the device are available. On Android 12 and above, the user can use the camera access toggle. |
CAMERA_ACCESS_DISABLED |
The field There are no explicit restrictions placed on the camera access toggle on Android 12 and above: on fully managed devices, the camera access toggle has no effect as all cameras are disabled. On devices with a work profile, this toggle has no effect on apps in the work profile, but it affects apps outside the work profile. |
CAMERA_ACCESS_ENFORCED |
The field is ignored. All cameras on the device are available. On fully managed devices running Android 12 and above, the user is unable to use the camera access toggle. On devices which are not fully managed or which run Android 11 or below, this is equivalent to . |
MicrophoneAccess
On fully managed devices, controls the use of the microphone and whether the user has access to the microphone access toggle. This setting has no effect on devices which are not fully managed. The microphone access toggle exists on Android 12 and above.
Enums | |
---|---|
MICROPHONE_ACCESS_UNSPECIFIED |
If is true, this is equivalent to . Otherwise, this is equivalent to . |
MICROPHONE_ACCESS_USER_CHOICE |
The field is ignored. This is the default device behaviour: the microphone on the device is available. On Android 12 and above, the user can use the microphone access toggle. |
MICROPHONE_ACCESS_DISABLED |
The field The microphone access toggle has no effect as the microphone is disabled. |
MICROPHONE_ACCESS_ENFORCED |
The field is ignored. The microphone on the device is available. On devices running Android 12 and above, the user is unable to use the microphone access toggle. On devices which run Android 11 or below, this is equivalent to . |
DeviceConnectivityManagement
Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more.
JSON representation |
---|
{ "usbDataAccess": enum ( |
Fields | |
---|---|
usbDataAccess |
Controls what files and/or data can be transferred via USB. Supported only on company-owned devices. |
configureWifi |
Controls Wi-Fi configuring privileges. Based on the option set, user will have either full or limited or no control in configuring Wi-Fi networks. |
wifiDirectSettings |
Controls configuring and using Wi-Fi direct settings. Supported on company-owned devices running Android 13 and above. |
tetheringSettings |
Controls tethering settings. Based on the value set, the user is partially or fully disallowed from using different forms of tethering. |
wifiSsidPolicy |
Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above. |
wifiRoamingPolicy |
Optional. Wi-Fi roaming policy. |
UsbDataAccess
Controls what files and/or data can be transferred via USB. Does not impact charging functions. Supported only on company-owned devices.
Enums | |
---|---|
USB_DATA_ACCESS_UNSPECIFIED |
Unspecified. Defaults to . |
ALLOW_USB_DATA_TRANSFER |
All types of USB data transfers are allowed. is ignored. |
DISALLOW_USB_FILE_TRANSFER |
Transferring files over USB is disallowed. Other types of USB data connections, such as mouse and keyboard connection, are allowed. is ignored. |
DISALLOW_USB_DATA_TRANSFER |
When set, all types of USB data transfers are prohibited. Supported for devices running Android 12 or above with USB HAL 1.3 or above. If the setting is not supported, will be set. A with is reported if the Android version is less than 12. A with is reported if the device does not have USB HAL 1.3 or above. is ignored. |
ConfigureWifi
Controls Wi-Fi configuring privileges. Based on the option set, the user will have either full or limited or no control in configuring Wi-Fi networks.
Enums | |
---|---|
CONFIGURE_WIFI_UNSPECIFIED |
Unspecified. Defaults to unless is set to true. If is set to true, this is equivalent to . |
ALLOW_CONFIGURING_WIFI |
The user is allowed to configure Wi-Fi. is ignored. |
DISALLOW_ADD_WIFI_CONFIG |
Adding new Wi-Fi configurations is disallowed. The user is only able to switch between already configured networks. Supported on Android 13 and above, on fully managed devices and work profiles on company-owned devices. If the setting is not supported, is set. A with is reported if the Android version is less than 13. is ignored. |
DISALLOW_CONFIGURING_WIFI |
Disallows configuring Wi-Fi networks. The setting is ignored when this value is set. Supported on fully managed devices and work profile on company-owned devices, on all supported API levels. For fully managed devices, setting this removes all configured networks and retains only the networks configured using policy. For work profiles on company-owned devices, existing configured networks are not affected and the user is not allowed to add, remove, or modify Wi-Fi networks. Note: If a network connection can't be made at boot time and configuring Wi-Fi is disabled then network escape hatch will be shown in order to refresh the device policy (see ). |
WifiDirectSettings
Controls Wi-Fi direct settings. Supported on company-owned devices running Android 13 and above.
Enums | |
---|---|
WIFI_DIRECT_SETTINGS_UNSPECIFIED |
Unspecified. Defaults to
|
ALLOW_WIFI_DIRECT |
The user is allowed to use Wi-Fi direct. |
DISALLOW_WIFI_DIRECT |
The user is not allowed to use Wi-Fi direct. A with is reported if the Android version is less than 13. |
TetheringSettings
Controls the extent to which the user is allowed to use different forms of tethering like Wi-Fi tethering, bluetooth tethering, etc.
Enums | |
---|---|
TETHERING_SETTINGS_UNSPECIFIED |
Unspecified. Defaults to unless is set to true. If is set to true, this is equivalent to . |
ALLOW_ALL_TETHERING |
Allows configuration and use of all forms of tethering. is ignored. |
DISALLOW_WIFI_TETHERING |
Disallows the user from using Wi-Fi tethering. Supported on company owned devices running Android 13 and above. If the setting is not supported, will be set. A with is reported if the Android version is less than 13. is ignored. |
DISALLOW_ALL_TETHERING |
Disallows all forms of tethering. Supported on fully managed devices and work profile on company-owned devices, on all supported android versions. The setting is ignored. |
WifiSsidPolicy
Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above.
JSON representation |
---|
{ "wifiSsidPolicyType": enum ( |
Fields | |
---|---|
wifiSsidPolicyType |
Type of the Wi-Fi SSID policy to be applied. |
wifiSsids[] |
Optional. List of Wi-Fi SSIDs that should be applied in the policy. This field must be non-empty when WifiSsidPolicyType is set to |
WifiSsidPolicyType
The types of Wi-Fi SSID policy that can be applied on the device.
Enums | |
---|---|
WIFI_SSID_POLICY_TYPE_UNSPECIFIED |
Defaults to . must not be set. There are no restrictions on which SSID the device can connect to. |
WIFI_SSID_DENYLIST |
The device cannot connect to any Wi-Fi network whose SSID is in , but can connect to other networks. |
WIFI_SSID_ALLOWLIST |
The device can make Wi-Fi connections only to the SSIDs in . must not be empty. The device will not be able to connect to any other Wi-Fi network. |
WifiSsid
Represents a Wi-Fi SSID.
JSON representation |
---|
{ "wifiSsid": string } |
Fields | |
---|---|
wifiSsid |
Required. Wi-Fi SSID represented as a string. |
WifiRoamingPolicy
Wi-Fi roaming policy.
JSON representation |
---|
{
"wifiRoamingSettings": [
{
object ( |
Fields | |
---|---|
wifiRoamingSettings[] |
Optional. Wi-Fi roaming settings. SSIDs provided in this list must be unique, the policy will be rejected otherwise. |
WifiRoamingSetting
Wi-Fi roaming setting.
JSON representation |
---|
{
"wifiSsid": string,
"wifiRoamingMode": enum ( |
Fields | |
---|---|
wifiSsid |
Required. SSID of the Wi-Fi network. |
wifiRoamingMode |
Required. Wi-Fi roaming mode for the specified SSID. |
WifiRoamingMode
Wi-Fi roaming mode.
Enums | |
---|---|
WIFI_ROAMING_MODE_UNSPECIFIED |
Unspecified. Defaults to . |
WIFI_ROAMING_DEFAULT |
Default Wi-Fi roaming mode of the device. |
WIFI_ROAMING_AGGRESSIVE |
Aggressive roaming mode which allows quicker Wi-Fi roaming. Supported on Android 15 and above on fully managed devices and work profiles on company-owned devices. A with is reported for other management modes. A with is reported if the Android version is less than 15. A with is reported if the device does not support aggressive roaming mode. |
DeviceRadioState
Controls for device radio settings.
JSON representation |
---|
{ "wifiState": enum ( |
Fields | |
---|---|
wifiState |
Controls current state of Wi-Fi and if user can change its state. |
airplaneModeState |
Controls whether airplane mode can be toggled by the user or not. |
ultraWidebandState |
Controls the state of the ultra wideband setting and whether the user can toggle it on or off. |
cellularTwoGState |
Controls whether cellular 2G setting can be toggled by the user or not. |
minimumWifiSecurityLevel |
The minimum required security level of Wi-Fi networks that the device can connect to. |
WifiState
Controls whether the Wi-Fi is on or off as a state and if the user can change said state. Supported on company-owned devices running Android 13 and above.
Enums | |
---|---|
WIFI_STATE_UNSPECIFIED |
Unspecified. Defaults to
|
WIFI_STATE_USER_CHOICE |
User is allowed to enable/disable Wi-Fi. |
WIFI_ENABLED |
Wi-Fi is on and the user is not allowed to turn it off. A with is reported if the Android version is less than 13. |
WIFI_DISABLED |
Wi-Fi is off and the user is not allowed to turn it on. A with is reported if the Android version is less than 13. |
AirplaneModeState
Controls the state of airplane mode and whether the user can toggle it on or off. Supported on Android 9 and above. Supported on fully managed devices and work profiles on company-owned devices.
Enums | |
---|---|
AIRPLANE_MODE_STATE_UNSPECIFIED |
Unspecified. Defaults to . |
AIRPLANE_MODE_USER_CHOICE |
The user is allowed to toggle airplane mode on or off. |
AIRPLANE_MODE_DISABLED |
Airplane mode is disabled. The user is not allowed to toggle airplane mode on. A with is reported if the Android version is less than 9. |
UltraWidebandState
Controls the state of the ultra wideband setting and whether the user can toggle it on or off. Supported on Android 14 and above. Supported on fully managed devices and work profiles on company-owned devices.
Enums | |
---|---|
ULTRA_WIDEBAND_STATE_UNSPECIFIED |
Unspecified. Defaults to . |
ULTRA_WIDEBAND_USER_CHOICE |
The user is allowed to toggle ultra wideband on or off. |
ULTRA_WIDEBAND_DISABLED |
Ultra wideband is disabled. The user is not allowed to toggle ultra wideband on via settings. A with is reported if the Android version is less than 14. |
CellularTwoGState
Controls the state of cellular 2G setting and whether the user can toggle it on or off. Supported on Android 14 and above. Supported on fully managed devices and work profiles on company-owned devices.
Enums | |
---|---|
CELLULAR_TWO_G_STATE_UNSPECIFIED |
Unspecified. Defaults to . |
CELLULAR_TWO_G_USER_CHOICE |
The user is allowed to toggle cellular 2G on or off. |
CELLULAR_TWO_G_DISABLED |
Cellular 2G is disabled. The user is not allowed to toggle cellular 2G on via settings. A with is reported if the Android version is less than 14. |
MinimumWifiSecurityLevel
Defines the different minimum Wi-Fi security levels required to connect to Wi-Fi networks. Supported on Android 13 and above. Supported on fully managed devices and work profiles on company-owned devices.
Enums | |
---|---|
MINIMUM_WIFI_SECURITY_LEVEL_UNSPECIFIED |
Defaults to , which means the device will be able to connect to all types of Wi-Fi networks. |
OPEN_NETWORK_SECURITY |
The device will be able to connect to all types of Wi-Fi networks. |
PERSONAL_NETWORK_SECURITY |
A personal network such as WEP, WPA2-PSK is the minimum required security. The device will not be able to connect to open wifi networks. This is stricter than . A with is reported if the Android version is less than 13. |
ENTERPRISE_NETWORK_SECURITY |
An enterprise EAP network is the minimum required security level. The device will not be able to connect to Wi-Fi network below this security level. This is stricter than . A with is reported if the Android version is less than 13. |
ENTERPRISE_BIT192_NETWORK_SECURITY |
A 192-bit enterprise network is the minimum required security level. The device will not be able to connect to Wi-Fi network below this security level. This is stricter than . A with is reported if the Android version is less than 13. |
CredentialProviderPolicyDefault
Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, see this and this for details. See also
.credentialProviderPolicy
Enums | |
---|---|
CREDENTIAL_PROVIDER_POLICY_DEFAULT_UNSPECIFIED |
Unspecified. Defaults to CREDENTIAL_PROVIDER_DEFAULT_DISALLOWED. |
CREDENTIAL_PROVIDER_DEFAULT_DISALLOWED |
Apps with unspecified are not allowed to act as a credential provider. |
CREDENTIAL_PROVIDER_DEFAULT_DISALLOWED_EXCEPT_SYSTEM |
Apps with unspecified are not allowed to act as a credential provider except for the OEM default credential providers. OEM default credential providers are always allowed to act as credential providers. |
PrintingPolicy
Controls whether printing is allowed. This is supported on devices running Android 9 and above.
Enums | |
---|---|
PRINTING_POLICY_UNSPECIFIED |
Unspecified. Defaults to . |
PRINTING_DISALLOWED |
Printing is disallowed. A with is reported if the Android version is less than 9. |
PRINTING_ALLOWED |
Printing is allowed. |
DisplaySettings
Controls for the display settings.
JSON representation |
---|
{ "screenBrightnessSettings": { object ( |
Fields | |
---|---|
screenBrightnessSettings |
Optional. Controls the screen brightness settings. |
screenTimeoutSettings |
Optional. Controls the screen timeout settings. |
ScreenBrightnessSettings
Controls for the screen brightness settings.
JSON representation |
---|
{
"screenBrightnessMode": enum ( |
Fields | |
---|---|
screenBrightnessMode |
Optional. Controls the screen brightness mode. |
screenBrightness |
Optional. The screen brightness between 1 and 255 where 1 is the lowest and 255 is the highest brightness. A value of 0 (default) means no screen brightness set. Any other value is rejected. |
ScreenBrightnessMode
Controls the screen brightness mode.
Enums | |
---|---|
SCREEN_BRIGHTNESS_MODE_UNSPECIFIED |
Unspecified. Defaults to . |
BRIGHTNESS_USER_CHOICE |
The user is allowed to configure the screen brightness. must not be set. |
BRIGHTNESS_AUTOMATIC |
The screen brightness mode is automatic in which the brightness is automatically adjusted and the user is not allowed to configure the screen brightness. can still be set and it is taken into account while the brightness is automatically adjusted. Supported on Android 9 and above on fully managed devices. A with is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above. |
BRIGHTNESS_FIXED |
The screen brightness mode is fixed in which the brightness is set to and the user is not allowed to configure the screen brightness. must be set. Supported on Android 9 and above on fully managed devices. A with is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above. |
ScreenTimeoutSettings
Controls the screen timeout settings.
JSON representation |
---|
{
"screenTimeoutMode": enum ( |
Fields | |
---|---|
screenTimeoutMode |
Optional. Controls whether the user is allowed to configure the screen timeout. |
screenTimeout |
Optional. Controls the screen timeout duration. The screen timeout duration must be greater than 0, otherwise it is rejected. Additionally, it should not be greater than A duration in seconds with up to nine fractional digits, ending with ' |
ScreenTimeoutMode
Controls whether the user is allowed to configure the screen timeout.
Enums | |
---|---|
SCREEN_TIMEOUT_MODE_UNSPECIFIED |
Unspecified. Defaults to . |
SCREEN_TIMEOUT_USER_CHOICE |
The user is allowed to configure the screen timeout. must not be set. |
SCREEN_TIMEOUT_ENFORCED |
The screen timeout is set to and the user is not allowed to configure the timeout. must be set. Supported on Android 9 and above on fully managed devices. A with is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above. |
AssistContentPolicy
Controls whether AssistContent is allowed to be sent to a privileged app such as an assistant app. AssistContent includes screenshots and information about an app, such as package name. This is supported on Android 15 and above.
Enums | |
---|---|
ASSIST_CONTENT_POLICY_UNSPECIFIED |
Unspecified. Defaults to . |
ASSIST_CONTENT_DISALLOWED |
Assist content is blocked from being sent to a privileged app. Supported on Android 15 and above. A |
ASSIST_CONTENT_ALLOWED |
Assist content is allowed to be sent to a privileged app. Supported on Android 15 and above. |
Methods |
|
---|---|
|
Deletes a policy. |
|
Gets a policy. |
|
Lists policies for a given enterprise. |
|
Updates or creates a policy. |