Android Management API policies

This page describes the policies that you can configure for Android devices through the Android Management API.

In order to help reduce potential confusion, settings labelled (default) in a policy description indicate default system and user account behavior. There may also be notation that describes unique default behavior when a policy is unset, or system behavior that by default the device user has control over.

System

Each policy below is listed with its description, its values, and the systems that support it.

Camera

Enables all cameras.

Values

  • Allow (default)
  • Disallow

Work Profile on personally-owned device

Work Profile on company-owned device

Screen Capture

Allows the device user to take screenshots on the device.

Values

  • Allow (default)
  • Disallow

Work Profile on personally-owned device

Work Profile on company-owned device

Account Modification

Allows the device user to add or remove accounts on the device.

Values

  • Allow (default) — The device user can modify all accounts except those specified by the Account Blocklist policy.
  • Disallow (Work Profile only) — The device user can't modify any accounts.

Work Profile on personally-owned device

Work Profile on company-owned device

> Account Blocklist

Specifies account names that the device user can't modify or remove. Only available if the Account Modification policy is set to Allow.

Values

To add an account, enter the name, then click add. To remove an account, click delete next to it.

Work Profile on personally-owned device

Work Profile on company-owned device

System Update

Controls the behavior of system updates on the device.

Values

  • Automatic — When a system update is available, it downloads and installs immediately.
  • Postpone — When a system update is available, it's delayed for 30 days. If the Freeze Period policy defines any freeze periods, the update also won't install during them.
  • Windowed — When a system update is available, it downloads and installs during the next time window in the day, as defined by the Windowed policy.

When this policy is unset, the default system update behavior applies. On typical device setups, this means the device user decides when to download and install updates.

Work Profile on company-owned device

> Windowed

Specifies a time range during the day when system updates are permitted. Only available if the System Update policy is set to Windowed.

Values

Enter a start and end time for the update window, in 24-hour time format.

Work Profile on company-owned device

> Freeze Period

Specifies one or more date ranges during which system updates are postponed. When the device's system time is within a freeze period, all incoming system updates, including security patches, are blocked. Only available if the System Update policy is set to Postpone or Windowed.

Values

A freeze period can be a maximum of 90 days long, and there must be a 60-day gap between each period. Freeze periods can't overlap.

To add a freeze period, enter a month and day for the Start Date, enter a month and day for the End Date, then click add.

To delete a freeze period, click delete next to it.

Work Profile on company-owned device — Android 9 and higher
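As an added example (not code from this page or from Knox Manage), the following Python checks a set of Freeze Period entries against the rules stated above (90-day maximum, 60-day gap, no overlap, including entries that wrap past New Year) and decides whether a Windowed update may install at a given moment. It assumes periods are given as ((month, day), (month, day)) tuples and the window as 24-hour "HH:MM" strings; modelling the year as a fixed 366-day cycle is a simplification.

```python
from datetime import date, datetime, time

# Limits the page states for the Freeze Period policy.
MAX_FREEZE_DAYS = 90
MIN_GAP_DAYS = 60
# Periods are month/day pairs with no year, so they are projected onto a
# reference leap year (so Feb 29 is representable) and treated as a 366-day cycle.
REF_YEAR = 2024
CYCLE = 366


def _span(period):
    """(start_ordinal, end_ordinal) of ((month, day), (month, day)) on REF_YEAR.
    An end date before the start wraps past New Year, e.g. ((12, 15), (1, 15))."""
    (sm, sd), (em, ed) = period
    start = date(REF_YEAR, sm, sd).toordinal()
    end = date(REF_YEAR, em, ed).toordinal()
    if end < start:
        end += CYCLE
    return start, end


def validate_freeze_periods(periods):
    """Return a list of rule violations; an empty list means the set is valid."""
    problems = []
    spans = [_span(p) for p in periods]
    for p, (s, e) in zip(periods, spans):
        length = e - s + 1
        if length > MAX_FREEZE_DAYS:
            problems.append(f"{p} is {length} days long; maximum is {MAX_FREEZE_DAYS}")
    for i in range(len(spans)):
        for j in range(i + 1, len(spans)):
            a = spans[i]
            # Check the other period in the previous, same and next cycle so that
            # overlap and gap are also enforced across the year boundary.
            for shift in (-CYCLE, 0, CYCLE):
                b = (spans[j][0] + shift, spans[j][1] + shift)
                if a[0] <= b[1] and b[0] <= a[1]:
                    problems.append(f"{periods[i]} overlaps {periods[j]}")
                    break
                gap = b[0] - a[1] - 1 if b[0] > a[1] else a[0] - b[1] - 1
                if gap < MIN_GAP_DAYS:
                    problems.append(f"only {gap} days between {periods[i]} and "
                                    f"{periods[j]}; minimum is {MIN_GAP_DAYS}")
                    break
    return problems


def in_freeze_period(month_day, periods):
    """True if the calendar day (month, day), in any year, lies in a period."""
    o = date(REF_YEAR, *month_day).toordinal()
    return any(s <= o <= e or s <= o + CYCLE <= e for s, e in map(_span, periods))


def in_window(t, start, end):
    """True if time-of-day t lies in start..end (inclusive); an end earlier than
    the start means the window crosses midnight, e.g. 22:00 to 06:00."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def update_may_install(now_iso, window, periods):
    """Windowed mode: an update installs only inside the daily window and outside
    every freeze period. now_iso is like '2025-02-01T23:30', window ('22:00', '06:00')."""
    now = datetime.fromisoformat(now_iso)
    start, end = (time.fromisoformat(t) for t in window)
    return in_window(now.time(), start, end) and not in_freeze_period(
        (now.month, now.day), periods)


if __name__ == "__main__":
    # Constructed sample policy: a winter freeze wrapping New Year, a June freeze,
    # and a nightly update window.
    periods = [((12, 15), (1, 15)), ((6, 1), (6, 30))]
    print(validate_freeze_periods(periods))  # []
    print(update_may_install("2025-01-05T23:30", ("22:00", "06:00"), periods))  # False
    print(update_may_install("2025-02-01T23:30", ("22:00", "06:00"), periods))  # True
```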

Mount Physical Media

Allows the device user to mount physical media and media devices.

Values

  • Allow (default)
  • Disallow

Work Profile on company-owned device

Set a Message for Lock Screen

Specifies the custom message on the lock screen.

Values

Enter the message in the text field. The message can be up to 4096 characters long. Click Lookup to browse and select available lookup items to add to the message.

Work Profile on company-owned device

Developer Mode

Allows the device user to enable and use developer options and safe boot.

Values

  • Allow
  • Disallow (default)

Work Profile on company-owned device

Interface

Mobile Network Setting

Allows the device user to configure settings related to mobile network and data.

Values

  • Allow (default)
  • Disallow

Work Profile on company-owned device

Tethering Setting

Allows the device user to configure settings related to portable hotspot mode and tethering.

Values

  • Allow (default)
  • Disallow

Work Profile on company-owned device

Wi-Fi Setting

Allows the device user to configure settings related to Wi-Fi access points.

Values

  • Allow (default)
  • Disallow

Work Profile on company-owned device

Bluetooth

Enables connecting to Bluetooth devices.

Values

  • Allow (default) — Enables Bluetooth.
  • Disable On — Disables Bluetooth.

Work Profile on company-owned device

Bluetooth Setting

Allows the device user to configure settings related to Bluetooth.

Values

  • Allow (default)
  • Disallow

Work Profile on company-owned device

USB File Transfer

Enables transferring files over a USB connection.

Values

  • Allow (default)
  • Disallow

Work Profile on company-owned device

Security

Maximum Screen Timeout

Specifies how long the device can idle before the screen locks.

Values

  • 15 sec
  • 30 sec
  • 1 min
  • 2 min
  • 5 min
  • 10 min

If this value is unset, then the screen lock timeout falls back to the duration specified in the device settings.

Work Profile on company-owned device

Password

Password

Applies and enforces password rules and restrictions.

Values

  • Apply

If this value is unset, then the password has no restrictions.

Work Profile on personally-owned device

Work Profile on company-owned device

> Password Quality

Specifies the minimum strength or complexity of the device's lock. Only available if the Password policy is set to Apply.

Values

For Android 11 and lower devices, choose a minimum strength level for the lock. Each strength level uses a lock type with minimum strength requirements. For PINs and passwords, you can specify the minimum length. The strength levels are:

  • Weak Biometric — A biometric recognition method.
  • Pattern — A pattern.
  • Numeric — A PIN.
  • Numeric Complex — A PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences.
  • Alphabetic — A password with letter characters.
  • Alphanumeric — A password with alphanumeric characters.
  • Complex — A password with alphanumeric and special characters.

NOTE — The security of lock strength levels, ordered from weakest to strongest, is as follows:

Weak Biometric < Pattern < Numeric < Numeric Complex < Alphabetic < Alphanumeric < Complex

For the primary profile on Android 12 and higher devices, choose a complexity level for the lock. Each complexity level uses a lock type with escalating pre-defined restrictions. The device user can't set a lock that's less complex than the chosen level. You must also define all additional minimum restrictions of the complexity by setting every password sub-policy, such as Minimum Number of Letters and so on. The complexity levels are:

  • Complexity Low — A pattern or PIN, with repeating (4444) and ordered (1234, 4321, 2468) sequences allowed.
  • Complexity Medium — A PIN without repeating (4444) or ordered (1234, 4321, 2468) sequences. Or, a password with 4 or more characters.
  • Complexity High — A PIN with 8 or more characters, without repeating (4444) or ordered (1234, 4321, 2468) sequences. Or, a password with 6 or more characters.

Work Profile on personally-owned device

Work Profile on company-owned device

>> Minimum Length

Specifies the minimum number of points (in the case of a pattern) or characters (in the case of a PIN or password) required in the lock. Only available if the Password Quality policy is set to PIN, Numeric Complex, Alphabetic, Alphanumeric, Complex, Complexity Low, Complexity Medium, or Complexity High.

Values

Enter a minimum length. The value can be 4–16.

Work Profile on personally-owned device

Work Profile on company-owned device

>> Minimum Number of Letters

Specifies the minimum number of letters required in the password. Only available if the Password Quality policy is set to Complexity Low, Complexity Medium, or Complexity High.

Values

Enter the minimum number of letters. The value can be 1–10.

Work Profile on personally-owned device

Work Profile on company-owned device

>> Minimum Number of Non-Letters

Specifies the minimum number of non-letter characters required in the password. Only available if the Password Quality policy is set to Complexity Low, Complexity Medium, or Complexity High.

Values

Enter the minimum number of non-letters. The value can be 2–10.

Work Profile on personally-owned device

Work Profile on company-owned device

>> Minimum Number of Lowercase Letters

Specifies the minimum number of lowercase letters required in the password. Only available if the Password Quality policy is set to Complexity Low, Complexity Medium, or Complexity High.

Values

Enter the minimum number of lowercase letters. The value can be 3–10.

Work Profile on personally-owned device

Work Profile on company-owned device

>> Minimum Number of Capital Letters

Specifies the minimum number of uppercase letters required in the password. Only available if the Password Quality policy is set to Complexity Low, Complexity Medium, or Complexity High.

Values

Enter the minimum number of uppercase letters. The value can be 1–10.

Work Profile on personally-owned device

Work Profile on company-owned device

>> Minimum Number of Numeric Characters

Specifies the minimum number of digits required in the password. Only available if the Password Quality policy is set to Complexity Low, Complexity Medium, or Complexity High.

Values

Enter the minimum number of digits. The value can be 1–10.

Work Profile on personally-owned device

Work Profile on company-owned device

>> Minimum Number of Special Characters

Specifies the minimum number of special characters required in the password. Only available if the Password Quality policy is set to Complexity Low, Complexity Medium, or Complexity High.

Values

Enter the minimum number of special characters. The value can be 1–10.

Work Profile on personally-owned device

Work Profile on company-owned device
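As an added example that is not the page's or Knox Manage's code, this Python models the Android 12 and higher complexity levels described under Password Quality together with the Minimum Number of Letters, Non-Letters, Lowercase, Capital, Numeric and Special Characters sub-policies. The definition of a repeating or ordered sequence (four or more digits sharing the same step, which matches the page's 4444, 1234, 4321 and 2468 examples) and the treatment of a password shorter than 4 characters as Complexity Low are assumptions; patterns are not modelled.

```python
from enum import IntEnum


class Complexity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumption, inferred from the page's examples (4444, 1234, 4321, 2468): a PIN
# contains a forbidden sequence when four or more consecutive digits share the
# same step (step 0 is a repeat, +1/-1/+2 are ordered runs).
MAX_ALLOWED_RUN = 3


def longest_digit_run(pin):
    """Length of the longest run of neighbouring digits with a constant step."""
    if len(pin) < 2:
        return len(pin)
    best = run = 2
    step = int(pin[1]) - int(pin[0])
    for prev, cur in zip(pin[1:], pin[2:]):
        s = int(cur) - int(prev)
        run = run + 1 if s == step else 2
        step = s
        best = max(best, run)
    return best


def pin_has_sequence(pin):
    """True if the PIN contains a repeating or ordered sequence."""
    return longest_digit_run(pin) > MAX_ALLOWED_RUN


def complexity_of(secret):
    """Highest complexity level a lock satisfies, per the page's definitions.
    A password shorter than 4 characters is treated as Low (assumption)."""
    if secret.isascii() and secret.isdigit():  # a PIN
        if pin_has_sequence(secret):
            return Complexity.LOW
        return Complexity.HIGH if len(secret) >= 8 else Complexity.MEDIUM
    if len(secret) >= 6:
        return Complexity.HIGH
    return Complexity.MEDIUM if len(secret) >= 4 else Complexity.LOW


def meets_complexity(secret, required):
    """True if the lock may be set under a policy requiring `required`."""
    return complexity_of(secret) >= required


def character_counts(password):
    """Counts matching the page's Minimum Number of ... sub-policies."""
    return {
        "letters": sum(c.isalpha() for c in password),
        "non_letters": sum(not c.isalpha() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "special": sum(not c.isalnum() for c in password),
    }


def meets_minimums(password, **minimums):
    """minimums are sub-policy values by count name, e.g. letters=1, special=1."""
    counts = character_counts(password)
    return all(counts[name] >= n for name, n in minimums.items())


if __name__ == "__main__":
    # Constructed samples: the page's own example password and a few PINs.
    print(complexity_of("Knox123!").name)   # HIGH
    print(complexity_of("1234").name)       # LOW  (ordered sequence)
    print(complexity_of("1379").name)       # MEDIUM
    print(meets_minimums("Knox123!", letters=1, digits=1, special=1))  # True
```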

> Password Lifecycle Settings

Specifies rules about how the lock changes over time, such as user changes to the lock, expiration, and minimum unlock parameters. Automatically enabled if the Password Quality policy is set.

Values

  • Apply (automatic) — Enables password lifecycle settings. If the Password Quality policy is set, then this value is automatically selected.

Work Profile on personally-owned device

Work Profile on company-owned device

>> Password History (Times)

Specifies the minimum number of new locks that must be used before the device user can reuse a previous lock.

For example, if the lock is the password Knox123! and this policy is set to 10, the user must use ten other passwords before they can reuse Knox123!.

Values

Enter the minimum number of new locks before reuse is allowed. The value can be 1–10.

Work Profile on personally-owned device

Work Profile on company-owned device

>> Password Expiration Timeout (Days)

Specifies the number of days before the lock must be reset.

Values

Enter a number of days. The value can be 0–365.

Work Profile on personally-owned device

Work Profile on company-owned device

>> Maximum Failed Attempts

Specifies the maximum number of incorrect unlock attempts before access is restricted.

Values

Enter the acceptable number of failed unlocks. The value can be 0–10.

Work Profile on personally-owned device

Work Profile on company-owned device

> Block After Days (If Password Compliance is Violated)

Specifies how long, in days, that a lock can violate the restrictions set by the Password Quality policy before the device user is blocked from accessing the device or Work Profile.

Values

Enter the number of days before the device blocks the user. The minimum value is 0. If set to 0, then the device user is immediately blocked. Must be less than the value of the Wipe After Days policy.

If this value is unset, then the device user isn't blocked for violating the lock restrictions.

Work Profile on personally-owned device

Work Profile on company-owned device

> Wipe After Days (If Password Compliance is Violated)

Specifies how long, in days, that a lock can violate the restrictions set by the Password Quality policy before the device is remotely wiped.

Values

Enter the number of days before the device is wiped. The minimum value is 1. Must be greater than the value of the Block After Days policy.

If this value is unset, then the device isn't wiped for violating the lock restrictions.

Work Profile on personally-owned device

Work Profile on company-owned device

KeyGuard (Block Functions on the Lock Screen)

Blocks device features and functionality when the screen is locked. This policy doesn't take effect until after a lock is set on the device.

Values

  • Apply

If this value is unset, then KeyGuard is disabled.

Work Profile on personally-owned device

Work Profile on company-owned device

> Select Functions to Block

Specifies which device features and functionality are disabled when KeyGuard is enabled. Only available if the KeyGuard policy is set to Apply.

Values

Select the features and functionality to disable:

  • Trust Agent — Blocks the Smart Lock function, which unlocks the screen in certain conditions, such as during physical activity, at a specific geographic location, or when devices are added.
  • Fingerprint — Blocks screen unlock through fingerprint scanning.
  • Previews in Pop-ups — Hides content in app notifications on the lock screen.
  • Face — Blocks screen unlock through face scanning.
  • Biometric — Blocks screen unlock through iris scanning.

Work Profile on personally-owned device

Work Profile on company-owned device

Application

Play Store Mode

Determines how to restrict apps on Google Play. In order to restrict an app, it must have a profile in the KM tenant.

Values

  • Allowlist — Defines an allowlist that specifies all the apps that the device user can install. If an app isn't specified, the user can't install it from Google Play.
  • Blocklist — Defines a blocklist that specifies which apps the device user can't install. If an app is specified, the user can't install it from Google Play. All other apps on Google Play can be installed.

If this value is not set, then no apps are restricted on Google Play.

Work Profile on company-owned device

> App list

Defines the allowlist or blocklist to restrict apps based on the value of the Play Store Mode policy. Only available if the Play Store Mode policy is set.

Values

Add apps to include or exclude. If the Play Store Mode policy is set to Allowlist, then this list defines an exclusive list of allowed apps. If that policy is set to Blocklist, then this list only defines apps that aren't allowed.

To add one or more apps:

  1. Click Add. The Select Application dialog opens.
  2. Select one or more apps, then click OK.

To remove an app, click delete next to it.

Work Profile on company-owned device

Untrusted Apps Policy

Allows the device user to install apps from unknown sources.

Values

  • Allow Install Device Wide — The device user can install untrusted apps to the primary and Work Profile.
  • Allow Install In Personal Profile Only — The device user can install untrusted apps on the primary profile.
  • Disallow Install (default) — The device user can't install untrusted apps.

Work Profile on personally-owned device

Work Profile on company-owned device

Skip App Tutorial

Instructs apps to skip any first-time user tutorials and hints, when available.

Values

  • Allow — User tutorials and hints are hidden.
  • Disallow (default) — User tutorials and hints show on first use.

Work Profile on personally-owned device

Work Profile on company-owned device

App Installation

Allows the device user to install apps.

Values

  • Allow (default)
  • Disallow

Work Profile on personally-owned device

Work Profile on company-owned device

App Uninstallation

Allows the device user to remove apps.

Values

  • Allow (default)
  • Disallow

Work Profile on personally-owned device

Work Profile on company-owned device

Google Play Protect Verify Apps

Controls the use of Google Play Protect on the device.

Values

  • User Choice — The device user can enable and disable Google Play Protect.
  • Enforced — Enables Google Play Protect, and the user can't disable it.

Work Profile on personally-owned device

Work Profile on company-owned device

App Permission

Controls how permissions are granted to apps.

Values

  • Grant — Automatically grants all requested permissions to apps. On Android 12 and higher devices, the camera, microphone, and location permissions can't be automatically granted without user consent.
  • Deny — Automatically denies all requested permissions to apps.
  • Prompt (default) — The app prompts the device user to grant or deny permissions.

Work Profile on personally-owned device

Work Profile on company-owned device

> App Permission Exception Policy List

Specifies a list of apps that are exempt from the permission behavior defined by the App Permission policy. Only available if the App Permission policy is set.

Values

To add one or more apps:

  1. Click Add. The Select Application dialog opens.
  2. Select one or more apps, then click OK.

To remove an app, click delete next to it.

Work Profile on personally-owned device

Work Profile on company-owned device

App Delegation Scope Management

Enables delegated scopes for apps, which is a device policy controller function that grants elevated API and policy control to an app. An app with delegated scopes can dictate policies and configuration settings to other apps.

Values

  • Allow — Enables delegation scopes.

If this value is unset, then delegation scopes are disabled.

Work Profile on personally-owned device

Work Profile on company-owned device

> App Delegation Scope

Configures delegated scopes for apps. Each configuration targets an app with a profile in the KM tenant and assigns scopes to it. You can only manage one delegation configuration per app. Only available if the App Delegation Scope Management policy is set to Apply.

Values

To assign delegated scopes to an app:

  1. Click Select, then choose an app from the list in the Select Application window.
    • To add a system app, click Add Control Application to select it or Bulk Add to specify a list of them with an XLS file.
  2. Select scopes to assign to the app from the Delegation Scopes list.
  3. Click add to add the configuration.

The available scopes are:

  • Certificate installation and management
  • Managed configurations management
  • Blocking uninstallation
  • Permission policy and permission grant state
  • Package access state
  • Enabling system apps

To remove the delegated scopes for an app:

  • Click delete next to the configuration.

Work Profile on personally-owned device

Work Profile on company-owned device

Work and Personal Apps Connection

Allows apps to communicate across device profiles. For example, if the same calculator app were simultaneously installed on the device's personal profile and Work Profile, then both instances of the app could share data. This data sharing requires consent from the device user.

Values

  • Allowlist — A list defined by the App List policy specifies which apps can communicate between profiles.

If this value is unset, then app connections are disabled.

Work Profile on personally-owned device

Work Profile on company-owned device

> App List

Specifies an allowlist of apps that can connect across device profiles. Only available if the Work and Personal Apps Connection policy is set to Allowlist.

Values

To add one or more apps:

  1. Click Add. The Select Application dialog opens.
  2. Select one or more apps, then click OK.

To remove an app, click delete next to it.

Work Profile on personally-owned device

Work Profile on company-owned device

Location

Location Mode

Controls location data gathering on the device.

Values

  • User Choice — Allows the device user to choose location data preferences.
  • Enforced — Forces location data gathering.
  • Disable — Blocks location data gathering.

Work Profile on personally-owned device

Work Profile on company-owned device

Phone

Call Broadcasting Setting

Enables the reception of Cell Broadcast messages on the device. Carriers use these messages to broadcast public warnings and emergencies to device users across entire regions, so you should exercise caution before disabling this technology.

Values

  • Allow (default)
  • Disallow

Work Profile on company-owned device

Microphone

Allows the device user to mute the microphone and adjust its input level.

Values

  • Allow
  • Disallow

Work Profile on company-owned device

Outgoing Calls

Allows the user to make outgoing phone calls.

Values

  • Allow (default)
  • Disallow

Work Profile on company-owned device

SMS

Allows the user to send and receive messages through SMS.

Values

  • Allow (default)
  • Disallow

Work Profile on company-owned device

Data Roaming

Enables data roaming on the device.

Values

  • Allow (default)
  • Disallow

Work Profile on company-owned device

Container

Copy and Paste Clipboard per Profile

Allows the device user to copy and paste data between the personal profile and Work Profile.

Values

  • Allow
  • Disallow (default)

Work Profile on personally-owned device

Work Profile on company-owned device

Set a Maximum Period for Profile Turned Off (Days)

Specifies the maximum duration, in days, that the device user can pause the Work Profile before their access is suspended. If the profile is paused for longer than this duration, all personal apps except for critical system apps (Phone, Messages, Google Play) are suspended and hidden. Work Profile apps are unaffected.

Values

Enter a pause timeout, in days. The value can be 3–30.

If this value is unset, then there is no maximum duration.

Work Profile on personally-owned device

Work Profile on company-owned device

Factory Reset Protection

Factory Reset Protection

Enables factory reset protection. When this security measure is enabled, if the device undergoes a factory reset it can't be reactivated without the previous user's Google Account.

Values

  • Allow — Enables factory reset protection for all devices that use this profile.
  • Disallow (default) — Disables factory reset protection.

To enable factory reset protection:

  1. Set this value to Allow.
  2. For the Google Account ID field, enter the email address of the Google Account that will protect the devices that use this profile. This account must be appropriate for use by support providers.

    CAUTION — As this account email and password might be shared with support providers, do not use your Google Account associated with Android Enterprise.
  3. Click Go to Google API Webpage to generate user ID. The people.get operation page from Google's People API reference opens.
  4. If you haven't already, sign in to the Google Account you specified earlier.
  5. In the Try this method dialog, enter:

    • resourceName field — people/me
    • personFields field — metadata
  6. Click EXECUTE.

    • You might be prompted to grant permission for the Google APIs Explorer to access the Google Account. If so, click Allow to grant all access.

    A 200 OK message shows, which contains the account's detailed information as JSON values.

  7. Copy the value of the "ID" field in the message.
  8. Back on the KM console, paste the copied ID value in the Google User ID field.
  9. Click add.

Work Profile on company-owned device

Wi-Fi

Configures the Wi-Fi settings, such as SSID, security type, and proxy.

To add a Wi-Fi configuration, click add.

Each configuration setting below is listed with its description and values.

Configuration ID

Assigns the name of the Wi-Fi configuration.

Values

Enter a name. The name must be unique among Wi-Fi configurations.

Description

Adds a text description of the configuration for other admins.

Values

Enter a description.

Network Name (SSID)

Specifies the SSID of the target Wi-Fi access point.

Values

Enter an SSID.

Hidden Network (SSID)

Hides the access point from the list of Wi-Fi networks on the device.

Values

  • Allow
  • Disallow (default)

Security Type

Specifies the Wi-Fi security protocol and authentication scheme of the access point.

Values

  • WEP-PSK
  • WPA-PSK
  • WPA-EAP

Password

Specifies the password of the target Wi-Fi access point. Only available if the Security Type configuration setting is set to WEP-PSK or WPA-PSK.

Values

Enter a password.

EAP Outer

Specifies the outer EAP authentication method. Only available if the Security Type configuration setting is set to WPA-EAP.

Values

  • PEAP
  • EAP-FAST
  • EAP-TLS
  • EAP-TTLS

EAP Inner

Specifies the inner, tunneled EAP authentication method. Only available if the Security Type configuration setting is set to WPA-EAP.

Values

  • PAP
  • MSCHAP
  • MSCHAPv2

User Information Input Method

Specifies how the user information and credentials are delivered. Only available if the Security Type configuration setting is set to WPA-EAP.

Values

  • Manual Input
  • Connector Interworking
  • User Information

ID

Specifies the user name to submit during authentication. Only available if the Security Type configuration setting is set to WPA-EAP and the User Information Input Method configuration setting is set to Manual Input.

Values

Enter a user name. Click Lookup to browse and select available lookup items to add to the name.

Password

Specifies the password to submit during authentication. Only available if the Security Type configuration setting is set to WPA-EAP and the User Information Input Method configuration setting is set to Manual Input.

Values

Enter a password.

User Information Connector

Specifies the directory connector to employ for the user. To learn more about directory connectors in KM, see Add sync services. Only available if the Security Type configuration setting is set to WPA-EAP and the User Information Input Method configuration setting is set to Connector Interworking.

Values

Select a connector from the list.

Anonymous Identity

Specifies an anonymous ID for the user. Only available if the Security Type configuration setting is set to WPA-EAP.

Values

Enter a name.

User Certificate Input Method

Specifies the confirmation method for the user certificate. Register an external certificate for each network configuration, and then verify each network configuration using that certificate. All users share this one certificate for each network configuration. Go to Advanced > Certificate > External Certificate to register network settings for each purpose. Only available if the Security Type configuration setting is set to WPA-EAP.

Values

  • EMM Management Certificate (default)

User Certificate (Alias)

Specifies the certificate to apply for the user. The user certificate (P12 or PFX file) corresponding to the obtained user information is applied along with a profile to verify the user. Only available if the Security Type configuration setting is set to WPA-EAP.

Values

Select a certificate from the list.

CA Certificate (Alias)

Specifies the root certificate to apply. The available certificates are those registered in Advanced > Certificate > External Certificate with the Purpose set to Wi-Fi and the Type set to Root. For more information on how to add an external certificate, see External certificates. Only available if the Security Type configuration setting is set to WPA-EAP.

Values

Select a certificate from the list.