Device Trust from Android Enterprise - Available signals

AI-generated Key Takeaways

Device Trust from Android Enterprise provides device posture signals to registered applications for computing a device trust score.
Access to device trust signals is restricted via an allowlist, requiring registration.
Available signals include OS version, pending updates, security patch levels, critical app details, device model/brand, screen lock complexity, management state, disk encryption, network state, Google Play Protect status, DNS over TLS status, and WebView package.
The management state signals vary depending on whether the application is running within the personal or work profile and the device ownership type.
Specific management state signals like Device.WorkProfileState are available starting from particular AMAPI SDK versions.

Device Trust from Android Enterprise makes available a set of device posture signals that registered application can access to compute a trust score of the device.

For information on how to integrate the Android Management API SDK in your application see Device Trust from Android Enterprise - Integration guide.

Signals
OS Version	`SoftwareInfo` includes the OS version of the device. Older OS versions typically have more vulnerabilities.
Does the device have pending OTA	`SoftwareInfo.SystemUpdateInfo` returns if there is a pending OS update for the device. Proxy for if the device is vulnerable to exploits.
Device Security Patch Level	`SoftwareInfo#getDeviceSecurityPatchInfos()` returns the current security patch level of the device for different updatable components: `SYSTEM` `KERNEL` `SYSTEM_MODULES` (also known as Android's mainline modules)
Published Security Patch Level	`SoftwareInfo#getPublishedSecurityPatchInfos()` returns the current published security patch level of the device for different updatable components: `SYSTEM` `KERNEL` `SYSTEM_MODULES` (also known as Android's mainline modules)
Critical App Details	`Device#getApplicationReports()` returns details on all installed applications to extensibility apps and calling application with role `COMPANION_APP` on a managed device. For all other use cases `Device#getApplicationReports()` returns details on the following critical apps: `com.android.chrome` `com.google.android.gms` `com.google.android.apps.work.clouddpc` `com.android.vending` `com.google.android.webview` The provided details are shared with a list of `ApplicationReport`.
Device Model / Brand	`HardwareInfo#getModel()` returns the device model and `HardwareInfo#getBrand()` returns the device brand.
Screen lock complexity	`DeviceSettings#getScreenLockComplexity()` returns how complex the current user's screen lock is. Req. `REQUEST_PASSWORD_COMPLEXITY` permission.
Management State (and managing app)	`Device#getManagementMode()` returns the management state and `Device#getManagementAppPackageName()` returns the management app. The returned information depends on the profile the application is running in. For details see the Management state table.
Disk encryption	`DeviceSettings#getEncryptionStatus()` returns if the device's storage is encrypted.
Access Network State (Network state and Wi-Fi state)	You can use `Device#getNetworkInfo()` to get details about all active networks on the device: Network transport (cellular / Wi-Fi) Wi-Fi Security level (`OPEN`, `PERSONAL`, `ENTERPRISE_EAP`, `ENTERPRISE_192`) Private DNS state Req. `ACCESS_NETWORK_STATE` permission
Google Play Protect VerifyApps	`DeviceSettings#getGooglePlayProtectVerifyAppsState()` returns the current `GooglePlayProtectVerifyAppsState`.
Is DNS over TLS enabled	`NetworkParams#getPrivateDnsState()` returns whether private DNS is used on the network.
WebView package	`SoftwareInfo#getWebviewPackage()` returns the name of the current WebView package.
Human-readable business name of the management provider	On AMAPI-managed device, `ManagementProviderInfo` can be used to retrieve the human-readable business name of the management provider. This signal is available starting from AMAPI SDK v1.7.0-rc01.

Management state

The values returned for the management signals depends on the profile that your application is running in.

Management state	Signals when called from within the Personal Profile	Signals when called from within the Work Profile
Non-managed device	ownership: `PERSONALLY_OWNED` managementMode: `UNMANAGED` managementAppPackageName: `N/A` workProfileState: A13+: `WORK_PROFILE_NOT_PRESENT` A9-12: `WORK_PROFILE_STATE_UNSPECIFIED`	`N/A`
Work Profile on personally-owned device (BYOD)	ownership: `PERSONALLY_OWNED` managementMode: `UNMANAGED` managementAppPackageName: `N/A` workProfileState: A13+: `WORK_PROFILE_PRESENT` A9-12 (AMAPI): `WORK_PROFILE_PRESENT` A9-12 (CustomDPC): `WORK_PROFILE_STATE_UNSPECIFIED`	ownership: `PERSONALLY_OWNED` managementMode: `PROFILE_OWNER` managementAppPackageName: `Package name of the Profile Owner application` workProfileState: A9+: `WORK_PROFILE_PRESENT`
Work Profile on company-owned device	ownership: `COMPANY_OWNED` managementMode: `UNMANAGED` managementAppPackageName:`N/A` workProfileState: A13+: `WORK_PROFILE_PRESENT` A9-12 (AMAPI): `WORK_PROFILE_PRESENT` A9-12 (CustomDPC): `WORK_PROFILE_STATE_UNSPECIFIED`	ownership: `COMPANY_OWNED` managementMode: `PROFILE_OWNER` managementAppPackageName: `Package name of the Profile Owner application` workProfileState: A9+: `WORK_PROFILE_PRESENT`
Fully managed device	`N/A`	ownership: `COMPANY_OWNED` managementMode: `DEVICE_OWNER` managementAppPackageName: `Package name of the Device Owner application` workProfileState: A11+: `WORK_PROFILE_NOT_PRESENT` A9-10: `WORK_PROFILE_STATE_UNSPECIFIED`

Device Trust from Android Enterprise - Available signals Stay organized with collections Save and categorize content based on your preferences.

AI-generated Key Takeaways

Management state

Device Trust from Android Enterprise - Available signals