Overview

Policies are the core resource of the Android Management API and are designed for Android Enterprise device management with that API. When you create a policy, you gain the ability to provision your devices using a QR code or an enrollment token, and you can build a complete device configuration for managing your devices. This means that a policy not only contains the settings and restrictions that you distribute to your devices to configure them, but also lets you deploy applications with different distribution options and, of course, further configure those applications with Managed Configurations where the application vendor makes this option available.

In general, Android Enterprise offers the ability to perform a full device configuration using a single OEMConfig application provided by the device manufacturer, which you can add and configure in a policy. For example, if you are missing a setting or an option in the Profile section, you can use the OEMConfig application instead, as demonstrated in the Manage Android Enterprise with Android Management API article with the Knox Service Plugin provided by Samsung.

During policy creation, you should have enabled either the Profile feature or the Apps feature. Depending on which you enabled, you can toggle between the features in the left panel inside the policy to configure your target devices and to add and configure applications in the policy. All available settings are covered and described in this guide.

Enrollment

When you create a policy, specify the necessary information in the Definition tab and save it; the policy is then registered with the Android Management API. This generates an enrollment token with the appropriate device ownership in the Android Management API, which is displayed in the Enrollment section. The QR code contains the enrollment token and the additional information needed to enroll the device. In addition, the Enrollment tab contains information about device ownership and how to enroll devices with this policy. After creating your first policy, you can already enroll and manage devices with it, even if it has not been configured further. To populate your blank policy with additional settings and applications, use the Profile and Apps features presented and described in this guide.

Profile

The Profile section of a policy gives you the ability to provide different features to your users or to restrict certain types of device usage in order to increase security. A profile represents logically related functions for configuring specific areas or features on your managed devices; these settings are sent together in a single policy to the Android Management API, which ultimately performs the configuration on the devices. Depending on the ownership selected in the Definition tab, only supported profiles and settings are displayed in the policy for configuration. When changing profiles, ensure the settings are correct, as they are applied immediately to all applicable devices. Also be sure to click the Save or Save & Close button at the bottom right of the screen to commit your changes before selecting another page.

Passcode

Passcode settings are a foundational layer of security and help protect managed devices from unauthorized access by enforcing the use of a passcode.
You can define security policies such as password length, complexity, and expiration, as well as configure actions like automatically wiping a device after a specified number of failed unlock attempts. Depending on the management scenario, policies can be applied at the device or work profile level. Enforcement of specific requirements may vary based on Android version, device capabilities, and the selected password quality or complexity level.

Each setting below is listed with its Availability (the ownership types or scopes in which it can be configured), its Options, and a Description.

Scope

Device scope
  Availability: Company-owned; Company-owned with personal usage; Personally-owned
  Options: Enabled
  Description: Enables the scope that the password requirement applies to.

Profile scope
  Availability: Company-owned with personal usage; Personally-owned
  Options: Enabled
  Description: Enables the scope that the password requirement applies to.

Quality and Complexity

Rule
  Availability: Company-owned; Company-owned with personal usage; Personally-owned
  Options: None; Complexity; Quality
  Description: Defines which password rule should be applied.

Complexity
  Availability: Company-owned; Company-owned with personal usage; Personally-owned
  Options: Low; Medium; High
  Description: Sets the minimum complexity band which the password must meet:
    • Low: Defines the low password complexity band as a pattern, or a PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences.
    • Medium: Defines the medium password complexity band as:
      • PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 4
      • alphabetic, length at least 4
      • alphanumeric, length at least 4
    • High: Defines the high password complexity band on Android 12 and above as:
      • PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 8
      • alphabetic, length at least 6
      • alphanumeric, length at least 6
  Enforcement varies among Android versions, management modes and password scopes.

Quality
  Availability: Company-owned; Company-owned with personal usage; Personally-owned
  Options: Biometric Weak; Something; Numeric; Numeric Complex; Alphabetic; Alphanumeric; Complex
  Description: Sets the required password quality. The following options are configurable:
    • Biometric Weak: The device must be secured with a low-security biometric recognition technology, at minimum. This includes technologies that can recognize the identity of an individual that are roughly equivalent to a 3-digit PIN (false detection is less than 1 in 1,000).
    • Something: A password is required, but there are no restrictions on what the password must contain.
    • Numeric: The password must contain numeric characters.
    • Numeric Complex: The password must contain numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences.
    • Alphabetic: The password must contain alphabetic (or symbol) characters.
    • Alphanumeric: The password must contain both numeric and alphabetic (or symbol) characters.
    • Complex: The password must meet the minimum requirements specified in Quality Related Settings.

Quality Related Settings

Minimum length
  Availability: Numeric; Numeric Complex; Alphabetic; Alphanumeric; Complex
  Options: value (example: 10)
  Description: The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when Quality is set to Numeric, Numeric Complex, Alphabetic, Alphanumeric, or Complex.

Minimum letters
  Availability: Complex
  Options: value (example: 1)
  Description: Minimum number of letters required in the password. This setting is enforced only when the password quality is set to Complex.

Minimum lower case
  Availability: Complex
  Options: value (example: 1)
  Description: Minimum number of lower case letters required in the password. This setting is enforced only when the password quality is set to Complex.

Minimum upper case
  Availability: Complex
  Options: value (example: 1)
  Description: Minimum number of upper case letters required in the password. This setting is enforced only when the password quality is set to Complex.

Minimum numeric
  Availability: Complex
  Options: value (example: 1)
  Description: Minimum number of numerical digits required in the password. This setting is enforced only when the password quality is set to Complex.

Minimum characters
  Availability: Complex
  Options: value (example: 1)
  Description: Minimum number of symbols required in the password. This setting is enforced only when the password quality is set to Complex.

Minimum non-letters
  Availability: Complex
  Options: value (example: 0)
  Description: Minimum number of non-letter characters (numerical digits or symbols) required in the password. This setting is enforced only when the password quality is set to Complex.

Password Lifecycle and Protection

Passcode history
  Availability: Profile Scope; Device Scope
  Options: value (example: 5)
  Description: The length of the password history. After setting this field, the user won't be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.

Maximum failed attempts for wipe
  Availability: Device Scope; Profile Scope
  Options: value (example: 10)
  Description: Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.

Maximum passcode age
  Availability: Profile Scope; Device Scope
  Options: value (example: 60)
  Description: Defines the password expiration timeout.

Lock and Unlock Behavior

Require strong unlock
  Availability: Profile Scope; Device Scope
  Options: Device default; 24 hours
  Description: The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.

Unified Lock
  Availability: Profile Scope
  Options: Common Lock; Separate Lock
  Description: Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This has no effect on other devices.
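The complexity bands and the Complex-quality minimums above can be checked offline before a passcode policy is rolled out. The following Python is an added example, not part of this guide or the product; it assumes, as the page's examples suggest, that a constant-step digit run of four or more counts as a repeating or ordered sequence, and that a PIN shorter than four digits falls into the Low band.

```python
from dataclasses import dataclass
from enum import IntEnum


class Band(IntEnum):
    """Complexity bands from the Complexity setting (NONE = no passcode set)."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumption: a run of four or more constant-step digits (4444, 1234, 4321, 2468)
# is treated as a repeating or ordered sequence, matching the page's examples.
MAX_ALLOWED_SEQUENCE = 3


def max_sequence_length(pin: str) -> int:
    """Length of the longest digit run with a constant step (0, +1, -1, +2, ...)."""
    if len(pin) < 2:
        return len(pin)
    best, run_start, step = 1, 0, None
    for i in range(1, len(pin)):
        diff = int(pin[i]) - int(pin[i - 1])
        if step is not None and diff != step:
            best = max(best, i - run_start)
            run_start = i - 1  # the new run starts at the previous digit
        step = diff
    return max(best, len(pin) - run_start)


def complexity_band(secret: str, is_pattern: bool = False) -> Band:
    """Classify a credential the way the Low/Medium/High bands above describe it."""
    if is_pattern:
        return Band.LOW
    if not secret:
        return Band.NONE
    if secret.isdecimal():  # a PIN
        if max_sequence_length(secret) > MAX_ALLOWED_SEQUENCE:
            return Band.LOW
        if len(secret) >= 8:
            return Band.HIGH
        return Band.MEDIUM if len(secret) >= 4 else Band.LOW  # assumption: short PIN is Low
    # alphabetic and alphanumeric share the thresholds: 4 for Medium, 6 for High
    if len(secret) >= 6:
        return Band.HIGH
    return Band.MEDIUM if len(secret) >= 4 else Band.LOW


def meets_required_band(secret: str, required: Band, is_pattern: bool = False) -> bool:
    """True when the credential reaches at least the configured minimum band."""
    return complexity_band(secret, is_pattern) >= required


@dataclass(frozen=True)
class ComplexQualityRule:
    """Minimums from the Quality Related Settings table; 0 means no restriction."""
    minimum_length: int = 0
    minimum_letters: int = 0
    minimum_lower_case: int = 0
    minimum_upper_case: int = 0
    minimum_numeric: int = 0
    minimum_symbols: int = 0
    minimum_non_letters: int = 0


def meets_complex_quality(secret: str, rule: ComplexQualityRule) -> bool:
    """Check a password against the minimums enforced when Quality is set to Complex."""
    letters = sum(c.isalpha() for c in secret)
    lower = sum(c.islower() for c in secret)
    upper = sum(c.isupper() for c in secret)
    digits = sum(c.isdecimal() for c in secret)
    symbols = sum(not c.isalnum() for c in secret)
    have = (len(secret), letters, lower, upper, digits, symbols, digits + symbols)
    need = (rule.minimum_length, rule.minimum_letters, rule.minimum_lower_case,
            rule.minimum_upper_case, rule.minimum_numeric, rule.minimum_symbols,
            rule.minimum_non_letters)
    return all(h >= n for h, n in zip(have, need))


if __name__ == "__main__":
    # Constructed sample credentials, not real user data.
    for pin in ("1234", "2468", "1235", "19283746"):
        print(pin, complexity_band(pin).name)
    rule = ComplexQualityRule(minimum_length=10, minimum_upper_case=1,
                              minimum_numeric=1, minimum_symbols=1)
    print(meets_complex_quality("Passw0rd!x", rule))
```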

Restrictions

Restrictions typically represent configurations that can be either explicitly allowed or prohibited. For example, you can use restrictions to configure security-related settings such as preventing users from using Bluetooth or configuring hotspots on devices, and it is usually not possible for users to circumvent these restrictions.

Each restriction below is listed with its Availability (the ownership types in which it can be configured), its Options, and a Description.

Applications

Permission policy
  Availability: Company-owned; Personally-owned; Company-owned with personal usage
  Options: Not configured; Prompt the user to grant a permission; Automatically grant a permission; Automatically deny a permission
  Description: The default permission policy for runtime permission requests.

Play Store mode
  Availability: Company-owned; Personally-owned; Company-owned with personal usage
  Options: Not configured; Only Policy Apps; All except blocked
  Description: This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.
    • Only Policy Apps: Only apps that are in the policy are available, and any app not in the policy will be automatically uninstalled from the device.
    • All except blocked: All apps are available, and any app that should not be on the device must be explicitly marked as 'BLOCKED' in the policy.

Unknown sources installations
  Availability: Company-owned; Personally-owned; Company-owned with personal usage
  Options: Not configured; Not allowed (device-wide); Allow only in personal profile; Allow (device-wide)
  Description: Defines the policy for untrusted apps (apps from unknown sources) enforced on the device.
    • Not allowed (device-wide): Disallows untrusted app installs on the entire device.
    • Allow only in personal profile: For devices with work profiles, allows untrusted app installs in the device's personal profile only.
    • Allow (device-wide): Allows untrusted app installs on the entire device.

Network & Connection

Disable bluetooth
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether Bluetooth is disabled. Prefer this setting over Disable configuring bluetooth, because Disable configuring bluetooth can be bypassed by the user.

Disable cell broadcast
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether configuring cell broadcast is disabled.

Disable configuring bluetooth
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether configuring Bluetooth is disabled.

Disable configuring mobile networks
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether configuring mobile networks is disabled.

Tethering Settings
  Availability: Company-owned; Company-owned with personal usage
  Options: Allow all Tethering; Disallow Wi-Fi Tethering; Disallow all Tethering
  Description: Controls whether the user is allowed to use different forms of tethering, such as Wi-Fi tethering and Bluetooth tethering.
    • Allow all Tethering: Allows configuration and use of all forms of tethering.
    • Disallow Wi-Fi Tethering: Disallows the user from using Wi-Fi tethering. Supported on Android 13 and newer. If the setting is not supported by the device, Allow all Tethering is set and a Non-Compliance is reported.
    • Disallow all Tethering: Disallows all forms of tethering.

Disable location sharing
  Availability: Company-owned; Personally-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether location sharing is disabled.

Disable roaming data services
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether roaming data services are disabled.

Preferential network service
  Availability: Personally-owned; Company-owned with personal usage
  Options: Not configured (disabled); Disabled; Enabled
  Description: Controls whether preferential network service is enabled on the work profile. For example, an organization may have an agreement with a carrier that all of the work data from its employees' devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This has no effect on fully managed devices.

USB Data Access
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; Allow USB data transfer; Disallow USB file transfer; Disallow USB data transfer
  Description: Controls what files and/or data can be transferred via USB. Does not impact charging functions.
    • Allow USB data transfer: All types of USB data transfers are allowed.
    • Disallow USB file transfer: Transferring files over USB is disallowed. Other types of USB data connections, such as mouse and keyboard connections, are allowed.
    • Disallow USB data transfer: When selected, all types of USB data transfers are prohibited. Supported for devices running Android 12 or above with USB HAL 1.3 or above. If the setting is not supported, Disallow USB file transfer is set instead. A Non-Compliance is reported if the Android version is less than 12, and device-incompatibility information is reported if the device does not have USB HAL 1.3 or above.

Privacy & Security

Default credentials manager policy
  Availability: Company-owned; Personally-owned; Company-owned with personal usage
  Options: Not configured; Block all credentials managers; Allow only system credential managers
  Description: Controls which apps are allowed to act as credential providers on Android 14 and above.
    • Block all credentials managers: Apps with the App Management option Credential manager access set to Default are not allowed to act as credential providers. This includes apps that are not explicitly managed or configured.
    • Allow only system credential managers: Apps with the App Management option Credential manager access set to Default are not allowed to act as a credential provider, except for the OEM default credential providers. OEM default credential providers are always allowed to act as credential providers.

Developer settings
  Availability: Company-owned; Personally-owned; Company-owned with personal usage
  Options: Not configured; Disabled; Allowed
  Description: Controls whether users can access developer settings such as Developer Options and Safe Boot. On personally owned devices with a work profile, Safe Boot cannot be disabled by this policy. A non-compliance warning is reported in this scenario.

Disabled keyguard customizations
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; Camera; Notifications; Unredacted notifications; Trust agent state; Fingerprint sensor; Text entry into notifications; Face authentication; Iris authentication; All biometric authentication; All current and future keyguard customizations
  Description: This configuration disables selected keyguard (lock screen) features:
    • Camera: Disables the camera on secure keyguard screens (e.g. PIN).
    • Notifications: Disables showing all notifications on secure keyguard screens.
    • Unredacted notifications: Disables unredacted notifications on secure keyguard screens; the device then obscures notifications on the lock screen.
    • Trust agent state: Ignores the trust agent state on secure keyguard screens. A trust agent is a service that notifies the system whether the device is in a safe environment, for example Google Smart Lock or Profiles Trust Provider.
    • Fingerprint sensor: Disables the fingerprint sensor on secure keyguard screens.
    • Text entry into notifications: On devices running Android 6 and below, disables text entry into notifications on secure keyguard screens. This setting has no effect on Android 7 and newer.
    • Face authentication: Disables face authentication on secure keyguard screens.
    • Iris authentication: Disables iris authentication on secure keyguard screens.
    • All biometric authentication: Disables all biometric authentication on secure keyguard screens.
    • All current and future keyguard customizations: Disables all current and future keyguard customizations.

Encryption policy
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; Required without password to boot; Required with password to boot
  Description: Defines whether encryption is enabled.
    • Required without password to boot: Encryption is required, but no password is required to boot.
    • Required with password to boot: Encryption is required, and a password is required to boot.

System Settings

Auto date and time zone
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; User Choice; Enforced
  Description: Defines whether automatic date, time, and time zone are enabled on a company-owned device.
    • User Choice: Automatic date, time, and time zone are left to the user's choice.
    • Enforced: Enforces automatic date, time, and time zone on the device.

Battery plugged in modes
  Availability: Company-owned
  Options: Not configured; AC charger; USB port; Wireless
  Description: Defines the battery plugged-in modes for which the device stays on. In future releases, be sure to set Maximum Time to Lock to 0 when using this setting so that the device doesn't lock itself while it stays on.
    • AC charger: The device stays on if the power source is an AC charger.
    • USB port: The device stays on if the power source is a USB port.
    • Wireless: The device stays on if the power source is wireless.

Camera access
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; User choice; Disabled; Enabled
  Description: Controls the use of the camera and whether the user has access to the camera access toggle. The camera access toggle exists on Android 12 and above. As a general principle, disabling the camera applies device-wide on company-owned devices and only within the work profile on devices with a work profile. Disabling the camera access toggle is only possible on company-owned devices, in which case it applies device-wide. For specifics, see below:
    • User choice: All cameras on the device are available. On Android 12 and above, the user can use the camera access toggle.
    • Disabled: All cameras on the device are disabled (for company-owned devices this applies device-wide; for work profiles this applies only to the work profile). There are no explicit restrictions placed on the camera access toggle on Android 12 and above: on company-owned devices, the camera access toggle has no effect as all cameras are disabled. On devices with a work profile, this toggle has no effect on apps in the work profile, but it affects apps outside the work profile.
    • Enabled: All cameras on the device are available. On company-owned devices running Android 12 and above, the user is unable to use the camera access toggle. On devices which are not company-owned or which run Android 11 or below, this option is equivalent to User choice.

Degree of location detection enabled
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; User Choice; Enabled; Disabled
  Description: Defines the degree of location detection enabled on work profile and fully managed devices.
    • User Choice: The location setting is not restricted on the device. No specific behavior is set or enforced.
    • Enabled: Enables the location setting on the device.
    • Disabled: Disables the location setting on the device.

Disable changing the wallpaper
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether changing the wallpaper is disabled.

Disallow user to perform factory reset
  Availability: Company-owned
  Options: Not configured; True; False
  Description: Defines whether factory resetting from the Settings application is disabled.

Disable outgoing calls
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether outgoing calls are disabled.

Disable sending and receiving SMS messages
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether sending and receiving SMS messages is disabled.

Microphone access
  Availability: Company-owned
  Options: Not configured; User Choice; Disabled; Enabled
  Description: Controls the use of the microphone and whether the user has access to the microphone access toggle that exists on Android 12 and above.
    • User Choice: This is the default device behaviour; the microphone on the device is available. On Android 12 and above, the user can use the microphone access toggle.
    • Disabled: The microphone on the device is disabled, and the access toggle has no effect as the microphone is disabled.
    • Enabled: The microphone on the device is available. On devices running Android 12 and above, the user is unable to use the microphone access toggle. On devices which run Android 11 or below, this is equivalent to the option User Choice.

Users & Accounts

Disable adding new users and profiles
  Availability: Company-owned
  Options: Not configured; True; False
  Description: Defines whether adding new users and profiles is disabled.

Content & Media

Disable user mounting physical external media
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether the user mounting physical external media is disabled.

Permitted Accessibility Services

Accessibility settings allow administrators to control which accessibility services can be used on managed devices. While accessibility services enable important assistive features, they can also access sensitive device data and user interactions. By restricting permitted services, you can ensure that only trusted or approved accessibility tools are used, helping to reduce potential security and privacy risks.

Each setting below is listed with its Availability (the ownership types in which it can be configured), its Options, and a Description.

Permitted accessibility services mode
  Availability: Company-owned; Personally-owned; Company-owned with personal usage
  Options: Allow any; Only system built-ins; Only specified
  Description: Specifies the permitted accessibility services. If the option is not set, any accessibility service can be used. If the option is set, only the accessibility services in this list and the system's built-in accessibility services can be used. In particular, if the list is empty, only the system's built-in accessibility services can be used. When applied to a work profile, this affects both the personal profile and the work profile.

Package names
  Availability: Company-owned; Personally-owned; Company-owned with personal usage
  Options: list of package names (example: com.matrix42.connect.addons.generic)
  Description: Add the package names of the accessibility services you want to allow. Use the search icon to select apps from Managed Google Play, or add package names manually using the add (+) button. Existing entries can be removed using the remove (–) button. This section is only available when “Only specified” is selected.

Apps

You can use the Apps feature in a policy to add applications, define their distribution options, and set their individual application configuration. Before you can begin assigning apps to the policy, you must first integrate the apps into the App Portal. In general, the Android Management API supports Managed Play applications as app types. This includes publicly available applications from Google Play as well as Web Apps and Enterprise Apps. Once you have added apps in the App Portal, you can configure and distribute them using the Apps feature of your policy.

When you add an application to a policy, the default configuration values are taken from the App Portal, and you can override them in the policy. After adding an application to a policy, the application state is initially set to inactive; it is activated by pressing the Edit button and saving the application deployment, which breaks the link between the default configuration in the App Portal and the configuration in the policy.

Assign Apps 

Once apps are uploaded into the App Portal tab, they can be individually configured and distributed to devices via the policy. To assign apps and configure them, perform the following steps:

  • Press the Edit button from the App Portal next to your policy, or create a new policy
  • From the Definition tab, make sure you have enabled the Apps feature
  • Navigate to Apps
  • Click Assign More Apps
  • Select any applications from the Assign Applications page shown
  • Click Add Selected Apps
  • Now proceed with reviewing the Overview information below, followed by configuring your App Management Options.

Overview

Already assigned applications are displayed in the Apps section of any policy with the following columns:

  • Type: Displays the app type.
  • Name: Displays the application name given in the App Portal.
  • Description: Displays the application description given in the App Portal.
  • State: When you add an application to the policy, the Not Active state is used as a security mechanism, because you may have added the application to the App Portal with a Preinstalled or Forced installation type that should not be applied in this policy. To activate the application in the policy, click the Edit button and confirm the App Management settings by clicking the Save button.
  • Remove: Press the remove button to remove the app from the policy.
  • Manage Config: Click Edit to change deployment options and to configure the application with the Managed Configuration.

Change App Management Options

By default, configurations are inherited from the App Portal and the app is set to inactive after it is added to a policy. To activate the app in your policy and to customize your App Management settings, perform the following steps for each application:

  • Press the Edit button in the Manage Config column
  • Confirm or update your App Management options
  • Click Save
  • After saving the App Management options, the application state changes from Not Active to Active.