Release notes | Android Management API

December 2022

Android Management API

Management capabilities over Work Profile Widgets have been improved with the addition of two new API fields: workProfileWidgets on the application level and workProfileWidgetsDefault on the device level. These allow greater control over whether an application running in the work profile can create widgets on the parent profile e.g. the home screen. This functionality is disallowed by default, but can be set to allowed using workProfileWidgets and workProfileWidgetsDefault, and is only supported for work profiles.
We have added support to set MAC address randomization settings while configuring WiFi networks. Admins can now specify whether MACAddressRandomizationMode is set to Hardware or Automatic while configuring WiFi networks which takes effect on devices with OS version Android 13 and above and is applicable on all management modes. If set to Hardware the factory MAC address will be configured to the WiFi network, whereas Automatic the MAC address will be random.
Various items of our documentation have been updated:

Understanding Security Posture has been created to provide clarity on the potential responses from devicePosture and securityRisk evaluations.
autoUpdateMode has been provided for autoUpdatePolicy as a recommended alternative due to greater flexibility with update frequency.
We have provided clarification that BlockAction and WipeAction are restricted to company-owned devices.
The Pub/Sub notifications page has been updated to accurately reflect the resource types for different notification types.
For Android 13+, extension apps are exempt from battery restrictions so will not be placed into the restricted App Standby Bucket.

October 2022

Android Management API

Various items of our documentation have been updated:

We recommend having one policy per device, to enable granular device-level management capabilities.
In order for FreezePeriods to work as expected, system update policy cannot be set as SYSTEM_UPDATE_TYPE_UNSPECIFIED.
Additional suggestions have been provided for policy updates regarding visibility of password steps during company-owned device provisioning.
shareLocationDisabled is supported for fully managed devices and personally owned work profiles.
We have provided an updated description on the usage of enterprises.devices.delete and its effects on device visibility.
Maximum enrollment token duration is now 10,000 years, where it was previously 90 days.

July 12 2022

Android Management API

Added NETWORK_ACTIVITY_LOGS and SECURITY_LOGS values to the DelegatedScope to grant device policy applications access to the corresponding logs.

June 14 2022

Android Management API

Added specificNonComplianceReason and specificNonComplianceContext to NonComplianceDetail to provide detailed context for policy application errors.

June 6 2022

Android Management API

Added a command to allow the admin to remotely clear the application data of an app.
Enrollment tokens can now be created with a longer duration than the previous maximum of 90 days, up to approximately 10,000 years. Enrollment tokens that last longer than 90 days will have a length of 24 characters, while tokens that last 90 days or less will continue to have 20 characters.

May 24 2022

Android Management API

Hardware-backed security features such as key attestation will now be used in device integrity evaluations, when supported by the device. This provides a strong guarantee of system integrity. Devices that fail these evaluations or do not support such hardware-backed security features will report the new HARDWARE_BACKED_EVALUATION_FAILED SecurityRisk.

May 16 2022

Android Management API

Added unifiedLockSettings in PasswordPolicies to allow the admin to configure if the work profile needs a separate lock.

March 25 2022

Android Management API

Added alwaysOnVpnLockdownExemption to specify which apps should be exempt from the AlwaysOnVpnPackage setting.
Added all available fields from the Play EMM API Products resource to the Application resource.

February 22 2022

Android Management API

Added cameraAccess to control the use of camera and camera toggle, and microphoneAccess, to control the use of microphone and microphone toggle. These fields replace newly deprecated cameraDisabled and unmuteMicrophoneDisabled, respectively.

February 15 2022

AMAPI SDK

Minor bug fixes. See Google's Maven Repository for more details.

November 15 2021

Android Device Policy

Apps that are marked as unavailable in personalApplications will now be uninstalled from the personal profile of company-owned devices if already installed, as they are in the ApplicationPolicy for work profile and fully managed devices.

September 17 2021

Android Management API

You can now designate an app as an extension app using ExtensionConfig. Extension apps can communicate directly with Android Device Policy and in future will be able to interact with the complete set of management features offered in the Android Management API, enabling a local interface for managing the device that does not require server connectivity.
- This initial release includes support for local execution of Commands, and currently only the ClearAppData command. See the extensibility integration guide for more details.
- The remaining commands will be added over time, as well as additional extension app features designed to expose the breadth of device management features to the extension app.

June 30 2021

Android Device Policy

Minor bug fixes

June 2 2021

Android Device Policy

Minor bug fixes

May 5 2021

Android Device Policy

Minor bug fixes

April 6 2021

Android Device Policy

Minor bug fixes

March 2021

Android Management API

Added two new AdvancedSecurityOverrides. These policies enable Android Enterprise security best practices by default, while allowing organizations to override the default values for advanced use cases.

googlePlayProtectVerifyApps enables Google Play's app verification by default.
developerSettings prevents users from accessing developer options and safe mode by default, capabilities that would otherwise introduce risk of corporate data exfiltration.

ChoosePrivateKeyRule now supports the direct grant of specific KeyChain keys to managed apps.

This allows the target app(s) to access specified keys by calling getCertificateChain() and getPrivateKey() without having to first call choosePrivateKeyAlias().
Android Management API defaults to granting direct access to the keys specified in policy, but otherwise falls back to granting access after the specified app has called choosePrivateKeyAlias(). See ChoosePrivateKeyRule for more details.

Deprecations

ensureVerifyAppsEnabled is now deprecated. Use the googlePlayProtectVerifyApps AdvancedSecurityOverrides instead.

Existing API users (Google Cloud projects with Android Management API enabled as of April 15, 2021) can continue to use ensureVerifyAppsEnabled until October 2021, but are encouraged to migrate to AdvancedSecurityOverrides as soon as possible. In October ensureVerifyAppsEnabled will no longer function.

debuggingFeaturesAllowed and safeBootDisabled are now deprecated. Use the developerSettings AdvancedSecurityOverrides instead.

Existing API users (Google Cloud projects with Android Management API enabled as of April 15, 2021) can continue to use debuggingFeaturesAllowed and safeBootDisabled until October 2021, but are encouraged to use AdvancedSecurityOverrides as soon as possible. In October debuggingFeaturesAllowed and safeBootDisabled will no longer function.

February 2021

Android Management API

Added personalApplications support for company-owned devices starting from Android 8. The feature is now supported on all company-owned devices with a work profile.
Device phone number is now reported on Fully Managed Devices as part of the Device resource.

January 2021

Android Device Policy

Minor bug fixes

December 2020

Android Management API

Added personalApplications to PersonalUsagePolicies. On company-owned devices, IT can specify an allow or blocklist of applications in the personal profile. This feature is currently available only on Android 11 devices, but will be backported to Android 8 in a future release.

Android Device Policy

Minor updates to the provisioning UI

November 2020

Android Management API

Added AutoDateAndTimeZone, replacing the deprecated autoTimeRequired, to control auto date, time, and time zone configuration on a company-owned device.
Starting in Android 11, users can no longer clear app data or force stop applications when the device is configured as a kiosk (that is, when the InstallType of one application in ApplicationPolicy is set to KIOSK).
Added new LocationMode controls to replace deprecated location detection method controls. On company-owned devices, IT can now choose between enforcing location, disabling location, or allowing users to toggle location on and off.
Added support for CommonCriteriaMode, a new feature in Android 11. Can be enabled to address specific Common Criteria Mobile Device Fundamentals Protection Profile (MDFPP) requirements.

Deprecations

autoTimeRequired is now deprecated, following the deprecation of specific auto time controls in Android 11. Use AutoDateAndTimeZone instead.
The following LocationMode options are now deprecated, following their deprecation in Android 9: HIGH_ACCURACY, SENSORS_ONLY, BATTERY_SAVING, and OFF. Use LOCATION_ENFORCED, LOCATION_DISABLED, and LOCATION_USER_CHOICE instead.

October 2020

Android Device Policy

Added RELINQUISH_OWNERSHIP as a new type of device command. When deploying work profile, admins can relinquish ownership of company-owned devices to employees, wiping the work profile and reseting any device policies to factory state, while leaving personal data intact. In doing so, IT loses claim to the ownership of the device now and in the future and should not expect the device to re-enroll. To factory reset a device while maintaining ownership, use the devices.delete method instead.

August 2020

Android Management API

Improvements to the work profile experience on company-owned devices were announced in the Android 11 developer preview. Android Management API adds support for these improvements for devices running Android 8.0+ or higher. Enterprises can now designate work profile devices as company-owned, allowing management of a device's work profile, personal usage policies, and certain device-wide settings while still maintaining privacy in the personal profile.
- For a high-level overview of enhancement to the work profile experience, see Work profile: the new standard for employee privacy.
- See Company-owned devices for work and personal use to learn how to set up a work profile on a company-owned device.
- An example policy for a company-owned device with a work profile is available in Devices with work profiles.
- Added blockScope to blockAction. Use blockScope to specify whether a block action applies to an entire company-owned device or to its work profile only.
Added connectedWorkAndPersonalApp to applicationPolicy. Starting in Android 11, some core apps can connect across a device's work and personal profiles. Connecting an app across profiles can provide a more unified experience for users. For example, by connecting a calendar app, users could view their work and personal events displayed together.

Some apps (for example, Google Search) may be connected on devices by default. A list of connected apps on a device is available in Settings > Privacy > Connected work & personal apps.

Use connectedWorkAndPersonalApp to allow or disallow connected apps. Allowing an app to connect cross-profile only gives the user the option to connect the app. Users can disconnect apps at any time.
Added systemUpdateInfo to devices to report information on pending system updates.

July 2020

Android Device Policy

[July 23] Minor bug fixes

June 2020

Android Device Policy

[June 17] Minor bug fixes.

May 2020

Android Device Policy

[May 12] Minor bug fixes.

April 2020

Android Device Policy

[April 14] Minor bug fixes.

March 2020

Android Device Policy

[March 16] Minor bug fixes.

February 2020

Android Device Policy

[Feb 24] Minor bug fixes.

January 2020

Android Device Policy

[Jan 15] Minor bug fixes.

December 2019

Android Management API

A new policy for blocking untrusted apps (apps from unknown sources) is available. Use advancedSecurityOverrides.untrustedAppsPolicy to:
- Block untrusted app installs device-wide (including work profiles).
- Block untrusted app installs in a work profile only.
- Allow untrusted app installed device-wide.
advancedSecurityOverrides.untrustedAppsPolicy replaces installUnknownSourcesAllowed, which is now deprecated. For more details, see the Deprecations section below.
A timeout period for allowing non-strong screen lock methods (e.g. fingerprint and face unlock) can now be enforced on a device or work profile using requirePasswordUnlock. After the timeout period expires, a user must use a strong form of authentication (password, PIN, pattern) to unlock a device or work profile.
Added kioskCustomization to support the ability to enable or disable the following system UI features in kiosk mode devices:
- Global actions launched from the power button (see powerButtonActions).
- System info and notifications (see statusBar).
- Home and overview buttons (see systemNavigation).
- Status bar (see statusBar).
- Error dialogs for crashed or unresponsive apps (see systemErrorWarnings).
Added freezePeriod policy to support blocking system updates annually over a specified freeze period.
A new parameter is available in devices.delete: wipeReasonMessage lets you specify a short message to display to a user before wiping the work profile from their personal device.

Deprecations

installUnknownSourcesAllowed is now marked as deprecated. Support for the policy will continue until Q2 2020 for users who enabled Android Management API before 2:00pm GMT on December 19, 2019. The policy is not supported for users who enabled the API after this date.

advancedSecurityOverrides.untrustedAppsPolicy replaces installUnknownSourcesAllowed. The table below provides a mapping between the two policies. Developers should update their solutions with the new policy as soon as possible*.

installUnknownSourcesAllowed	advancedSecurityOverrides.untrustedAppsPolicy
`TRUE`	`ALLOW_INSTALL_DEVICE_WIDE`
`FALSE`	`ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY` Note: Applied to all device types (work profiles and fully managed). Because fully managed devices don't have a personal profile, untrusted apps are blocked across the entire device. To block untrusted apps across an entire device with a work profile, use `DISALLOW_INSTALL` instead.

*For users who enabled Android Management API before 2:00pm GMT on December 19, 2019: The default value of untrustedAppsPolicy (DISALLOW_INSTALL) is not applied if untrustedAppsPolicy is set to UNTRUSTED_APPS_POLICY_UNSPECIFIED or if the policy is left unspecified. To block untrusted apps across an entire device, you must explicitly set the policy to DISALLOW_INSTALL.

November 2019

Android Device Policy

[Nov 27] Minor bug fixes.

October 2019

Android Management API

New IframeFeature options allow you to specify which Managed Google Play iframe features to enable/disable in your console.

Android Device Policy

[Oct 16] Minor bug fixes and performance optimization.

September 04, 2019

Features

The policies resource is now capable of distributing closed app releases (closed app tracks), allowing organizations to test pre-release versions of apps. For details, see Distribute apps for closed testing.
Added permittedAccessibilityServices to policies, which can be used to:
- disallow all non-system accessibility services on a device, or
- only allow specified apps access to these services.

August 6, 2019

Features

The Android Management API now evaluates the security of a device and reports findings in device reports (under securityPosture). securityPosture returns the security posture status of a device (POSTURE_UNSPECIFIED, SECURE, AT_RISK, or POTENTIALLY_COMPROMISED), as evaluated by SafetyNet and other checks, along with details of any identified security risks for you to share with customers through your management console.
To enable this feature for a device, ensure its policy has least one field from statusReportingSettings enabled.

July 02, 2019

Features

To distinguish that an app is launched from launchApp in setupActions, the activity that's first launched as part of the app now contains the boolean intent extra com.google.android.apps.work.clouddpc.EXTRA_LAUNCHED_AS_SETUP_ACTION (set to true). This extra allows you to customize your app based on whether it's launched from launchApp or by a user.

May 31, 2019

Maintenance release

Minor bug fixes and performance optimization.

May 7, 2019

Features

Added policyEnforcementRules to replace complianceRules, which has been deprecated. See the deprecation notice above for more information.
Added new APIs to create and edit web apps. For more details, see Support web apps.

User experience

Android Device Policy: The app’s icon is no longer visible on devices. Users can still view the policy page previously launched by the icon:

Fully managed devices: Settings > Google > Device Policy
Devices with work profiles: Settings > Google > Work > Device Policy
All devices: Google Play Store app > Android Device Policy

April 16, 2019

Android Device Policy is now available in South Korea.

March 21, 2019

Features

Added new metadata, including alternate serial numbers, to devices.
The number of apps with installType REQUIRED_FOR_SETUP is now limited to five per policy. This is to ensure the best possible user experience during device and work profile provisioning.

February 12, 2019

User experience

Android Device Policy: Added improved non-compliance messaging to help users return their devices to a compliant state or inform them when it isn’t possible.
Android Device Policy: After an enrollment token is registered, a new setup experience guides users through the steps required by their policy to complete their device or work profile configuration.

Figure 1. Guided setup experience.

Features

Added new field to installType
- REQUIRED_FOR_SETUP: If true, the app must be installed before the device or work profile setup completes. Note: If the app isn't installed for any reason (e.g. incompatibility, geo-availability, poor network connection), setup won't complete.
Added SetupAction to policies. With SetupAction, you can specify an app to launch during setup, allowing a user to further configure their device. See Launch an app during setup for more details.
For enterprises with status reports enabled, new device reports are now issued immediately following any failed attempt to unlock a device or work profile.

Deprecations

In policies, wifiConfigsLockdownEnabled has been deprecated. WiFi networks specified is policy are now non-modifiable by default. To make them modifiable, set wifiConfigDisabled to false.

December 10, 2018

Features

Added support for work profile devices to the sign-in URL provisioning method. Work profile device owners can now sign in with their corporate credentials to complete provisioning.

User experience

Added support for dark mode in Android Device Policy. Dark mode is a display theme available in Android 9 Pie, which can be enabled in Settings > Display > Advanced > Device theme > Dark.

Figure 1. (L) Normal display mode (R) Dark mode

November 2, 2018

Features

A new enrollment method is available for fully managed devices. The method uses a sign-in URL to prompt users to enter their credentials, allowing you to assign a policy and provision users' devices based on their identity.
Added support for the managed configurations iframe, a UI you can add to your console for IT admins to set and save managed configurations. The iframe returns a unique mcmId for each saved configuration, which you can add to policies.
Added passwordPolicies and PasswordPolicyScope to policies:
- passwordPolicies sets the password requirements for the specified scope (device or work profile).
- If PasswordPolicyScope isn't specified, the default scope is SCOPE_PROFILE for work profile devices, and SCOPE_DEVICE for fully managed or dedicated devices.
- passwordPolicies overrides passwordRequirements if PasswordPolicyScope is unspecified (default), or PasswordPolicyScope is set to the same scope as passwordRequirements

September 20, 2018

Bug fixes

Fixed issue that made kiosk devices incorrectly appear out of compliance following provisioning, for a subset of policy configurations

August 28, 2018

Features

Updates to support work profile and fully managed device provisioning and management:

New provisioning methods are available for work profiles:
- Provide users with an enrollment token link.
- Go to Settings > Google > Set up work profile.
Added new fields to enrollmentTokens.
- oneTimeOnly: If true, the enrollment token will expire after it's first used.
- userAccountIdentifier: Identifies a specific managed Google Play Account.
  - If not specified: The API silently creates a new account each time a device is enrolled with the token.
  - If specified: The API uses the specified account each time a device is enrolled with the token. You can specify the same account across multiple tokens. See Specify a user for more information.
Added managementMode (read-only) to devices.
- Devices with work profiles: managementMode is set to PROFILE_OWNER.
- Dedicated devices and fully managed devices: managementMode is set to DEVICE_OWNER.

Updates to the policies resource to improve app management capabilities:

Added new field playStoreMode.
- WHITELIST (default): Only apps added to policy are available in the work profile or on the managed device. Any app not in policy is unavailable, and uninstalled if previously installed.
- BLACKLIST: Apps added to policy are unavailable. All other apps listed in Google Play are available.
Added BLOCKED as an InstallType option, which makes an app unavailable to install. If the app is already installed, it will be uninstalled.
- You can use installType BLOCKED together with playStoreMode BLACKLIST to prevent a managed device or work profile from installing specific apps.

User experience

Updated Android Device Policy settings to match device settings.

July 12, 2018

User experience

Merged the status and device details pages in Android Device Policy into a single page.
Improved setup UI consistency with Android setup wizard.

Features

Added PermissionGrants at the policy level. You can now control runtime permissions at four levels:
- Global, across all apps: set defaultPermissionPolicy at the policy level.
- Per permission, across all apps: set permissionGrant at the policy level.
- Per app, across all permissions: set defaultPermissionPolicy within ApplicationPolicy.
- Per app, per permission: set permissionGrant within ApplicationPolicy.
When factory resetting a device, the new WipeDataFlag allows you to:
- WIPE_EXTERNAL_STORAGE: wipe the device's external storage (e.g. SD cards).
- PRESERVE_RESET_PROTECTION_DATA: preserve the factory reset protection data on the device. This flag ensures that only an authorized user can recover a device if, for instance, the device is lost. Note: Only enable this feature if you've set frpAdminEmails[] in policy.

Bug fixes

Fixed issue with Android Device Policy exiting lock task mode when updating in the foreground.

May 25, 2018

User experience

Instead of hiding disabled apps from the launcher, Android 7.0+ devices now display icons for disabled apps in gray:

Features

Updated policies to support the following certificate management capabilities:
- Automatic granting of certificate access to apps.
- Delegating all certificate management features supported by Android Device Policy to another app (see CERT_INSTALL).
Individual apps can now be disabled in ApplicationPolicy (set disabled to true), independent of compliance rules.
It's now possible to disable system apps.
Added application reports to devices. For each managed app installed on a device, the report returns the app's package name, version, install source, and other detailed information. To enable, set applicationReportsEnabled to true in the device's policy.
Updated enterprises to include terms and conditions. An enterprise's terms and conditions are displayed on devices during provisioning.

Bug fixes

Updated provisioning flow to disable access to settings, except when access is required to complete setup (e.g. creating a passcode).

April 3, 2018

User experience

Updated the design of Android Device Policy and the device provisioning flow to improve overall user experience.

Features

Added support for Direct Boot, allowing you to remotely wipe Android 7.0+ devices that haven't been unlocked since they were last rebooted.
Added a location mode setting to the policies resource, allowing you to configure the location accuracy mode on a managed device.
Added an error response field to the Command resource.

Bug fixes

Provisioning performance has been improved.
Compliance reports are now generated immediately after a device is provisioned. To configure an enterprise to receive compliance reports, see Receive non-compliance detail notifications.

Known issues

Lock Screen Settings crashes on Android 8.0+ LG devices (e.g. LG V30) managed by Android Device Policy.

February 14, 2018

User experience

Updated the validation text for the "code" field, which is displayed if a user chooses to manually enter a QR code to enroll a device.

Features

You can now set a policy to trigger force-installed apps to auto-update if they don't meet a specified minimum app version. In ApplicationPolicy:
- Set installType to FORCE_INSTALLED
- Specify a minimumVersionCode.
Updated the Devices resource with new fields containing information that may be useful to IT admins, such as the device's carrier name (see NetworkInfo for more details), whether the device is encrypted, and whether Verify Apps is enabled (see DeviceSettings for more details).

Bug fixes

The RESET_PASSWORD and LOCK commands now work with Android 8.0 Oreo devices.
Fixed issue with DeviceSettings not being populated.
Fixed issue with stayOnPluggedModes policy handling.

December 12, 2017

Features

Android Device Policy now supports a basic kiosk launcher , which can be enabled via policy. The launcher locks down a device to a set of predefined apps and blocks user access to device settings. The specified apps appear on a single page in alphabetical order. To report a bug or request a feature, tap the feedback icon on the launcher.
Updated device setup with new retry logic. If a device is rebooted during setup, the provisioning process now continues where it left off.

The following new policies are now available. See the API reference for full details:

`keyguardDisabledFeatures`	`accountTypesWithManagementDisabled`
`installAppsDisabled`	`mountPhysicalMediaDisabled`
`uninstallAppsDisabled`	`bluetoothContactSharingDisabled`
`shortSupportMessage`	`longSupportMessage`
`bluetoothConfigDisabled`	`cellBroadcastsConfigDisabled`
`credentialsConfigDisabled`	`mobileNetworksConfigDisabled`
`tetheringConfigDisabled`	`vpnConfigDisabled`
`createWindowsDisabled`	`networkResetDisabled`
`outgoingBeamDisabled`	`outgoingCallsDisabled`
`smsDisabled`	`usbFileTransferDisabled`
`ensureVerifyAppsEnabled`	`permittedInputMethods`
`recommendedGlobalProxy`	`setUserIconDisabled`
`setWallpaperDisabled`	`alwaysOnVpnPackage`
`dataRoamingDisabled`	`bluetoothDisabled`

Updated Android Device Policy's target SDK to Android 8.0 Oreo.

Bug Fixes

It's now possible to skip the network picker display if a connection can't be made at boot. To enable the network picker on boot, use the networkEscapeHatchEnabled policy.