Use the Android Management API MCP server
Model Context Protocol (MCP) standardizes the way large language models (LLMs) and AI applications or agents connect to outside data sources. MCP servers let you use their tools, resources, and prompts to take actions and get updated data from their backend service.
Local MCP servers typically run on your local machine and use the standard input and output streams (stdio) for communication between services on the same device. Remote MCP servers run on the service's infrastructure and offer an HTTP endpoint to AI applications for communication between the AI MCP client and the MCP server. For more information on MCP architecture, see MCP architecture.
Google and Google Cloud remote MCP servers have the following features and benefits:
- Simplified, centralized discovery.
- Managed global or regional HTTP endpoints.
- Fine-grained authorization.
- Centralized audit logging.
For information about other MCP servers and information about security and governance controls available for Google Cloud MCP servers, see Google Cloud MCP servers overview.
Before you begin
To use the Android Management API remote MCP server, you must create a Google Cloud project and enable the Android Management API.
- In your Cloud console, on the project selector page, select or create a Google Cloud project.
- Enable the Android Management API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Required roles
To get the permissions that you need to use the Android Management API remote MCP server, ask your admin to grant you the following Identity and Access Management roles on the Google Cloud project where you want to enable the Android Management API MCP server:
- Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
- Make MCP tool calls: MCP Tool User (roles/mcp.toolUser)
- Access Android Management resources: Android Management User (roles/androidmanagement.user)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to use the Android Management API remote MCP server. To see the exact permissions that are required, expand the Required permissions section.
Required permissions
The following permissions are required to use the Android Management remote MCP server:
- serviceusage.mcppolicy.get
- serviceusage.mcppolicy.update
- Make MCP tool calls:
  - mcp.tools.call
- Access Android Management resources:
  - androidmanagement.enterprises.get
  - androidmanagement.devices.list
You might also be able to get these permissions with custom roles or other predefined roles.
Enable or disable the Android Management API MCP server
You can enable or disable the Android Management API MCP server in a project with the gcloud beta services mcp enable and gcloud beta services mcp disable commands. For more information, see the following sections.
Enable the Android Management API MCP server in a project
If you are using different projects for your client credentials, such as service account keys, OAuth client ID or API keys, and for hosting your resources, then you must enable the Android Management API service and the Android Management API remote MCP server on both projects.
To enable the Android Management API MCP server in your Google Cloud project, run the following command:
gcloud beta services mcp enable SERVICE \
    --project=PROJECT_ID
Replace the following:
- PROJECT_ID: the Google Cloud project ID.
- SERVICE: androidmanagement.googleapis.com.
The Android Management API remote MCP server is enabled for use in your Google Cloud project. If the Android Management API service isn't enabled for your Google Cloud project, you are prompted to enable the service before enabling the Android Management API remote MCP server.
As a security best practice, we recommend that you enable MCP servers only for the services required for your AI application to function.
Disable the Android Management API MCP server in a project
To disable the Android Management API MCP server in your Google Cloud project, run the following command:
gcloud beta services mcp disable SERVICE \
    --project=PROJECT_ID
The Android Management API MCP server is disabled for use in your Google Cloud project.
Authentication and authorization
Android Management API MCP servers use the OAuth 2.0 protocol with Identity and Access Management for authentication and authorization. All Google Cloud identities are supported for authentication to MCP servers.
The Android Management API remote MCP server does not accept API keys.
We recommend creating a separate identity for agents using MCP tools so that access to resources can be controlled and monitored. For more information on authentication, see Authenticate to MCP servers.
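The recommendation to give agents a separate identity can be checked against a project's IAM policy. The following is an added example, not part of the original documentation: it audits the JSON printed by gcloud projects get-iam-policy PROJECT_ID --format=json. The sample policy, the member names and the assumption that the agent needs only the MCP Tool User and Android Management User roles (with Service Usage Admin held by a separate administrator) are constructed for illustration; conditional bindings are not evaluated.

```python
import json

# Roles named on this page for making tool calls and reading Android Management resources.
TOOL_USER = "roles/mcp.toolUser"
EXPECTED_AGENT_ROLES = {TOOL_USER, "roles/androidmanagement.user"}  # assumption: agent needs only these

# Constructed sample policy; project and member names are placeholders.
AGENT = "serviceAccount:amapi-agent@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/mcp.toolUser",
     "members": ["serviceAccount:amapi-agent@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/androidmanagement.user",
     "members": ["serviceAccount:amapi-agent@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/serviceusage.serviceUsageAdmin",
     "members": ["serviceAccount:amapi-agent@example-project.iam.gserviceaccount.com",
                 "user:admin@example.com"]}
  ]
}
""")


def roles_by_member(policy):
    """Invert the policy into member -> set of roles granted on the project."""
    granted = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            granted.setdefault(member, set()).add(binding["role"])
    return granted


def audit_mcp_access(policy, agent_member):
    """Return (finding, subject) pairs for tool-call access outside the agent identity."""
    granted = roles_by_member(policy)
    findings = []
    # Anyone other than the dedicated agent who can make MCP tool calls.
    for member, roles in sorted(granted.items()):
        if TOOL_USER in roles and member != agent_member:
            findings.append(("non_agent_tool_user", member))
    agent_roles = granted.get(agent_member, set())
    # Roles the agent lacks, then roles it holds beyond the expected set.
    for role in sorted(EXPECTED_AGENT_ROLES - agent_roles):
        findings.append(("agent_missing_role", role))
    for role in sorted(agent_roles - EXPECTED_AGENT_ROLES):
        findings.append(("agent_excess_role", role))
    return findings
```
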
Android Management API MCP OAuth scopes
OAuth 2.0 uses scopes and credentials to determine if an authenticated principal is authorized to take a specific action on a resource. For more information about OAuth 2.0 scopes at Google, read Using OAuth 2.0 to access Google APIs.
Android Management API has the following MCP tool OAuth scopes:
| Scope URI for gcloud | Description |
|---|---|
| https://www.googleapis.com/auth/androidmanagement | Manage Android devices and apps. |
Additional scopes might be required on the resources accessed during a tool call. To view a list of scopes required for Android Management API, see Android Management API.
Configure an MCP client to use the Android Management API MCP server
Host programs, such as Claude or Gemini CLI, can instantiate MCP clients that connect to a single MCP server. A host program can have multiple clients that connect to different MCP servers. To connect to a remote MCP server, the MCP client must know at a minimum the URL of the remote MCP server.
In your host, look for a way to connect to a remote MCP server. You are prompted to enter details about the server, such as its name and URL.
For the Android Management API MCP server, enter the following as required:
- Server name: Android Management API MCP server
- Server URL or Endpoint: https://androidmanagement.googleapis.com/mcp
- Transport: HTTP
- Authentication details: Depending on how you want to authenticate, you can enter your Google Cloud credentials, your OAuth Client ID and secret, or an agent identity and credentials. For more information on authentication, see Authenticate to MCP servers.
For host-specific guidance, see the following:
For more general guidance, see Connect to remote MCP servers.
Available tools
MCP Tools that are read-only have
the MCP attribute mcp.tool.isReadOnly set to true. You might want to only
allow read-only tools in certain environments through your
organization policy.
To view details of available MCP tools and their descriptions for the Android Management API MCP server, see the Android Management API MCP reference.
List tools
Use the MCP inspector to list tools, or send a
tools/list HTTP request directly to the Android Management API
remote MCP server. The tools/list method doesn't require authentication.
POST /mcp HTTP/1.1
Host: androidmanagement.googleapis.com
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/list"
}
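The tools/list reply can be used to build a client-side allowlist of read-only tools. The following is an added example, not part of the original documentation. It assumes the reply marks read-only tools with the MCP specification's annotations.readOnlyHint field; how that field relates to the mcp.tool.isReadOnly attribute is an assumption, and the sample response and its tool names are constructed placeholders.

```python
import json

MCP_URL = "https://androidmanagement.googleapis.com/mcp"  # endpoint given on this page


def build_tools_list_request(request_id=1):
    """JSON-RPC 2.0 body for tools/list; the id lets the reply be matched to it."""
    return json.dumps({"jsonrpc": "2.0", "id": request_id, "method": "tools/list"})


def parse_tools_list(raw, request_id=1):
    """Validate the JSON-RPC envelope and return the list of tool objects."""
    msg = json.loads(raw)
    if msg.get("jsonrpc") != "2.0" or msg.get("id") != request_id:
        raise ValueError("not a JSON-RPC 2.0 reply to this request")
    if "error" in msg:
        raise ValueError("server returned error: %r" % (msg["error"],))
    tools = (msg.get("result") or {}).get("tools")
    if not isinstance(tools, list):
        raise ValueError("result.tools missing")
    return tools


def read_only_allowlist(tools):
    """Names of tools explicitly marked read-only; unmarked tools are excluded."""
    return sorted(
        t["name"] for t in tools
        if (t.get("annotations") or {}).get("readOnlyHint") is True
    )


# Constructed reply; the tool names are placeholders, not the server's real tools.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": 1,
    "result": {"tools": [
        {"name": "example_list_devices", "inputSchema": {"type": "object"},
         "annotations": {"readOnlyHint": True}},
        {"name": "example_get_enterprise", "inputSchema": {"type": "object"},
         "annotations": {"readOnlyHint": True}},
        {"name": "example_update_policy", "inputSchema": {"type": "object"},
         "annotations": {"readOnlyHint": False}},
        {"name": "example_unannotated_tool", "inputSchema": {"type": "object"}},
    ]},
})
```

A client-side filter like this complements the organization policy controls for read-only tools and does not replace them.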
Sample use cases
The following are sample use cases for the Android Management API MCP server:
- Natural Language Queries: Ask complex questions about your device fleet without writing code—for example, "Which of my devices are not compliant with the latest security patch?"
- Automated Audits: Periodically fetch data and compile reports on device status and policy adherence.
- Intelligent Alerting: Monitor fleet data to flag anomalies or potential issues based on real-time insights.
Sample prompts
You can use the following sample prompts to get information about Android Management API resources:
- List the devices in enterprise ENTERPRISE_ID.
- Get details for device DEVICE_ID in enterprise ENTERPRISE_ID.
- Show the policy details for policy POLICY_NAME.
- Which applications are available in enterprise ENTERPRISE_ID?
In the prompts, replace the following:
- ENTERPRISE_ID: the resource name of the enterprise, for example, enterprises/LC012345.
- DEVICE_ID: the resource name of the device.
- POLICY_NAME: the resource name of the policy.
Optional security and safety configurations
MCP introduces new security risks and considerations due to the wide variety of actions that can be taken with MCP tools. To minimize and manage these risks, Google Cloud offers defaults and customizable policies to control the use of MCP tools in your Google Cloud organization or project.
For more information about MCP security and governance, see AI security and safety.
Organization level MCP control
You can create custom organization policies to control the use of MCP servers
in your Google Cloud organization using the
gcp.managed.allowedMCPService constraint. For more information and
usage examples, see
Google Cloud MCP servers Access control with IAM.
What's next
- Read the Android Management API MCP reference documentation.
- Learn more about Google Cloud MCP servers.