string

The name of the policy in the formenterprises/{enterpriseId}/policies/{policyId}.

string (int64 format)

The version of the policy. This is a read-only field. The version is incremented each time the policy is updated.

object (ApplicationPolicy)

Policy applied to apps. This can have at most 3,000 elements.

string (int64 format)

Maximum time in milliseconds for user activity until the device locks. A value of 0 means there is no restriction.

boolean

Whether screen capture is disabled.

boolean

UsecameraAccess instead.

IfcameraAccess is set to any value other thanCAMERA_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether cameras are disabled: If true, all cameras are disabled, otherwise they are available. For fully managed devices this field applies for all apps on the device. For work profiles, this field applies only to apps in the work profile, and the camera access of apps outside the work profile is unaffected.

enum (KeyguardDisabledFeature)

Disabled keyguard customizations, such as widgets.

enum (PermissionPolicy)

The default permission policy for runtime permission requests.

object (PersistentPreferredActivity)

Default intent handler activities.

object (Struct format)

Network configuration for the device. Seeconfigure networks for more information.

object (SystemUpdate)

The system update policy, which controls how OS updates are applied. If the update type isWINDOWED, the update window will automatically apply to Play app updates as well.

Note:Google Play system updates (also called Mainline updates) are automatically downloaded and require a device reboot to be installed. Refer to the mainline section inManage system updates for further details.

string

Account types that can't be managed by the user.

boolean

Whether adding new users and profiles is disabled. For devices wheremanagementMode isDEVICE_OWNER this field is ignored and the user is never allowed to add or remove users.

boolean

Whether adjusting the master volume is disabled. Also mutes the device. The setting has effect only on fully managed devices.

boolean

Whether factory resetting from settings is disabled.

boolean

Whether user installation of apps is disabled.

boolean

Whether the user mounting physical external media is disabled.

boolean

Whether adding or removing accounts is disabled.

boolean

safeBootDisabled is deprecated. Please useadvancedSecurityOverrides.developerSettings instead.

Whether rebooting the device into safe boot is disabled.

boolean

Whether user uninstallation of applications is disabled. This prevents apps from being uninstalled, even those removed usingapplications

boolean

Whether the status bar is disabled. This disables notifications, quick settings, and other screen overlays that allow escape from full-screen mode. DEPRECATED. To disable the status bar on a kiosk device, useInstallTypeKIOSK orkioskCustomLauncherEnabled.

boolean

If true, this disables theLock Screen for primary and/or secondary displays. This policy is supported only in dedicated device management mode.

integer

The minimum allowed Android API level.

object (StatusReportingSettings)

Status reporting settings

boolean

Whether bluetooth contact sharing is disabled.

object (UserFacingMessage)

A message displayed to the user in the settings screen wherever functionality has been disabled by the admin. If the message is longer than 200 characters it may be truncated.

object (UserFacingMessage)

A message displayed to the user in the device administators settings screen.

object (PasswordRequirements)

Password requirements. The fieldpasswordRequirements.require_password_unlock must not be set. DEPRECATED - UsepasswordPolicies.

Note:

Complexity-based values ofPasswordQuality, that is,COMPLEXITY_LOW,COMPLEXITY_MEDIUM, andCOMPLEXITY_HIGH, cannot be used here.unifiedLockSettings cannot be used here.

boolean

Please usedeviceConnectivityManagement.configureWifi instead.

This is deprecated.

boolean

Whether configuring bluetooth is disabled.

boolean

Whether configuring cell broadcast is disabled.

boolean

Whether configuring user credentials is disabled.

boolean

Whether configuring mobile networks is disabled.

boolean

Please usedeviceConnectivityManagement.tetheringSettings instead.

Whether configuring tethering and portable hotspots is disabled. IftetheringSettings is set to anything other thanTETHERING_SETTINGS_UNSPECIFIED, this setting is ignored.

boolean

Whether configuring VPN is disabled.

boolean

Please usedeviceConnectivityManagement.configureWifi instead.

Whether configuring Wi-Fi networks is disabled. Supported on fully managed devices and work profiles on company-owned devices. For fully managed devices, setting this to true removes all configured networks and retains only the networks configured usingopenNetworkConfiguration. For work profiles on company-owned devices, existing configured networks are not affected and the user is not allowed to add, remove, or modify Wi-Fi networks. IfconfigureWifi is set to anything other thanCONFIGURE_WIFI_UNSPECIFIED, this setting is ignored.Note: If a network connection can't be made at boot time and configuring Wi-Fi is disabled then network escape hatch will be shown in order to refresh the device policy (seenetworkEscapeHatchEnabled).

boolean

Whether creating windows besides app windows is disabled.

boolean

Whether resetting network settings is disabled.

boolean

Whether using NFC to beam data from apps is disabled.

boolean

Whether outgoing calls are disabled.

boolean

Whether removing other users is disabled.

boolean

Whether location sharing is disabled.

boolean

Whether sending and receiving SMS messages is disabled.

boolean

UsemicrophoneAccess instead.

IfmicrophoneAccess is set to any value other thanMICROPHONE_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether microphones are disabled: If true, all microphones are disabled, otherwise they are available. This is available only on fully managed devices.

boolean

usbFileTransferDisabled is deprecated. Please usedeviceConnectivityManagement.usbDataAccess instead.

Whether transferring files over USB is disabled. This is supported only on company-owned devices.

boolean

ensureVerifyAppsEnabled is deprecated. Please useadvancedSecurityOverrides.googlePlayProtectVerifyApps instead.

Whether app verification is force-enabled.

object (PackageNameList)

If present, only the input methods provided by packages in this list are permitted. If this field is present, but the list is empty, then only system input methods are permitted.

enum (BatteryPluggedMode)

The battery plugged in modes for which the device stays on. When using this setting, it is recommended to clearmaximumTimeToLock so that the device doesn't lock itself while it stays on.

object (ProxyInfo)

The network-independent global HTTP proxy. Typically proxies should be configured per-network inopenNetworkConfiguration. However for unusual configurations like general internal filtering a global HTTP proxy may be useful. If the proxy is not accessible, network access may break. The global proxy is only a recommendation and some apps may ignore it.

boolean

Whether changing the user icon is disabled. This applies only on devices running Android 7 and above.

boolean

Whether changing the wallpaper is disabled.

object (ChoosePrivateKeyRule)

Rules for determining apps' access to private keys. SeeChoosePrivateKeyRule for details. This must be empty if any application hasCERT_SELECTION delegation scope.

object (AlwaysOnVpnPackage)

Configuration for an always-on VPN connection. Use withvpnConfigDisabled to prevent modification of this setting.

string

Email addresses of device administrators for factory reset protection. When the device is factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won't provide factory reset protection.

object (UserFacingMessage)

The device owner information to be shown on the lock screen.

boolean

Whether roaming data services are disabled.

enum (LocationMode)

The degree of location detection enabled.

boolean

Whether the network escape hatch is enabled. If a network connection can't be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.

Note: SettingwifiConfigDisabled to true will override this setting under specific circumstances. Please seewifiConfigDisabled for further details. SettingconfigureWifi toDISALLOW_CONFIGURING_WIFI will override this setting under specific circumstances. Please seeDISALLOW_CONFIGURING_WIFI for further details.

boolean

Whether bluetooth is disabled. Prefer this setting overbluetoothConfigDisabled becausebluetoothConfigDisabled can be bypassed by the user.

object (ComplianceRule)

boolean

boolean

boolean

debuggingFeaturesAllowed is deprecated. Please useadvancedSecurityOverrides.developerSettings instead.

Whether the user is allowed to enable debugging features.

boolean

Whether the user is allowed to have fun. Controls whether the Easter egg game in Settings is disabled.

boolean

UseautoDateAndTimeZone instead.

Whether auto time is required, which prevents the user from manually setting the date and time. IfautoDateAndTimeZone is set, this field is ignored.

object (PackageNameList)

Specifies permitted accessibility services. If the field is not set, any accessibility service can be used. If the field is set, only the accessibility services in this list and the system's built-in accessibility service can be used. In particular, if the field is set to empty, only the system's built-in accessibility servicess can be used. This can be set on fully managed devices and on work profiles. When applied to a work profile, this affects both the personal profile and the work profile.

enum (AppAutoUpdatePolicy)

Recommended alternative:autoUpdateMode which is set per app, provides greater flexibility around update frequency.

WhenautoUpdateMode is set toAUTO_UPDATE_POSTPONED orAUTO_UPDATE_HIGH_PRIORITY, this field has no effect.

The app auto update policy, which controls when automatic app updates can be applied.

boolean

Whether the kiosk custom launcher is enabled. This replaces the home screen with a launcher that locks down the device to the apps installed via theapplications setting. Apps appear on a single page in alphabetical order. UsekioskCustomization to further configure the kiosk device behavior.

enum (AppTrack)

boolean

Flag to skip hints on the first use. Enterprise admin can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up.

boolean

Allows showing UI on a device for a user to choose a private key alias if there are no matching rules in ChoosePrivateKeyRules. For devices below Android P, setting this may leave enterprise keys vulnerable. This value will have no effect if any application hasCERT_SELECTION delegation scope.

enum (EncryptionPolicy)

Whether encryption is enabled

boolean

object (PermissionGrant)

Explicit permission or group grants or denials for all apps. These values override thedefaultPermissionPolicy.

enum (PlayStoreMode)

This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.

object (SetupAction)

Action to take during the setup process. At most one action may be specified.

object (PasswordRequirements)

Password requirement policies. Different policies can be set for work profile or fully managed devices by setting thepasswordScope field in the policy.

object (PolicyEnforcementRule)

Rules that define the behavior when a particular policy can not be applied on device

object (KioskCustomization)

Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, setkioskCustomLauncherEnabled totrue or specify an app in the policy withinstallTypeKIOSK.

object (AdvancedSecurityOverrides)

Advanced security settings. In most cases, setting these is not needed.

object (PersonalUsagePolicies)

Policies managing personal usage on a company-owned device.

enum (AutoDateAndTimeZone)

Whether auto date, time, and time zone are enabled on a company-owned device. If this is set, thenautoTimeRequired is ignored.

object (OncCertificateProvider)

This feature is not generally available.

object (CrossProfilePolicies)

Cross-profile policies applied on the device.

enum (PreferentialNetworkService)

Controls whether preferential network service is enabled on the work profile or on fully managed devices. For example, an organization may have an agreement with a carrier that all of the work data from its employees' devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This policy has no effect ifpreferentialNetworkServiceSettings orApplicationPolicy.preferentialNetworkId is set on devices running Android 13 or above.

object (UsageLog)

Configuration of device activity logging.

enum (CameraAccess)

Controls the use of the camera and whether the user has access to the camera access toggle.

enum (MicrophoneAccess)

Controls the use of the microphone and whether the user has access to the microphone access toggle. This applies only on fully managed devices.

object (DeviceConnectivityManagement)

Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more.

object (DeviceRadioState)

Covers controls for radio state such as Wi-Fi, bluetooth, and more.

enum (CredentialProviderPolicyDefault)

Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, seethis andthis for details. See alsocredentialProviderPolicy.

enum (PrintingPolicy)

Optional. Controls whether printing is allowed. This is supported on devices running Android 9 and above. .

object (DisplaySettings)

Optional. Controls for the display settings.

enum (AssistContentPolicy)

Optional. Controls whetherAssistContent is allowed to be sent to a privileged app such as an assistant app. AssistContent includes screenshots and information about an app, such as package name. This is supported on Android 15 and above.

object (WorkAccountSetupConfig)

Optional. Controls the work account setup configuration, such as details of whether a Google authenticated account is required.

enum (WipeDataFlag)

Optional. Wipe flags to indicate what data is wiped when a device or profile wipe is triggered due to any reason (for example, non-compliance). This does not apply to theenterprises.devices.delete method. . This list must not have duplicates.

enum (EnterpriseDisplayNameVisibility)

Optional. Controls whether theenterpriseDisplayName is visible on the device (e.g. lock screen message on company-owned devices).

enum (AppFunctions)

Optional. Controls whether apps on the device for fully managed devices or in the work profile for devices with work profiles are allowed to expose app functions.

object (DefaultApplicationSetting)

Optional. The default application setting for supported types. If the default application is successfully set for at least one app type on a profile, users are prevented from changingany default applications on that profile.

Only oneDefaultApplicationSetting is allowed for eachDefaultApplicationType.

SeeDefault application settings guide for more details.

string

The package name of the app. For example,com.google.android.youtube for the YouTube app.

enum (InstallType)

The type of installation to perform.

boolean

Whether the app is allowed to lock itself in full-screen mode. DEPRECATED. UseInstallTypeKIOSK orkioskCustomLauncherEnabled to configure a dedicated device.

enum (PermissionPolicy)

The default policy for all permissions requested by the app. If specified, this overrides the policy-leveldefaultPermissionPolicy which applies to all apps. It does not override thepermissionGrants which applies to all apps.

object (PermissionGrant)

Explicit permission grants or denials for the app. These values override thedefaultPermissionPolicy andpermissionGrants which apply to all apps.

object (Struct format)

Managed configuration applied to the app. The format for the configuration is dictated by theManagedProperty values supported by the app. Each field name in the managed configuration must match thekey field of theManagedProperty. The field value must be compatible with thetype of theManagedProperty:

boolean

Whether the app is disabled. When disabled, the app data is still preserved.

integer

The minimum version of the app that runs on the device. If set, the device attempts to update the app to at least this version code. If the app is not up-to-date, the device will contain aNonComplianceDetail withnonComplianceReason set toAPP_NOT_UPDATED. The app must already be published to Google Play with a version code greater than or equal to this value. At most 20 apps may specify a minimum version code per policy.

enum (DelegatedScope)

The scopes delegated to the app from Android Device Policy. These provide additional privileges for the applications they are applied to.

object (ManagedConfigurationTemplate)

The managed configurations template for the app, saved from themanaged configurations iframe. This field is ignored if managedConfiguration is set.

string

List of the app’s track IDs that a device belonging to the enterprise can access. If the list contains multiple track IDs, devices receive the latest version among all accessible tracks. If the list contains no track IDs, devices only have access to the app’s production track. More details about each track are available inAppTrackInfo.

enum (ConnectedWorkAndPersonalApp)

Controls whether the app can communicate with itself across a device’s work and personal profiles, subject to user consent.

enum (AutoUpdateMode)

Controls the auto-update mode for the app.

object (ExtensionConfig)

extensionConfig is deprecated - useCOMPANION_APP role instead.

Configuration to enable this app as an extension app, with the capability of interacting with Android Device Policy offline.

This field can be set for at most one app. If there is any app withCOMPANION_APP role, this field cannot be set.

The signing key certificate fingerprint of the app on the device must match one of the entries inApplicationPolicy.signingKeyCerts orExtensionConfig.signingKeyFingerprintsSha256 (deprecated) or the signing key certificate fingerprints obtained from Play Store for the app to be able to communicate with Android Device Policy. If the app is not on Play Store and ifApplicationPolicy.signingKeyCerts andExtensionConfig.signingKeyFingerprintsSha256 (deprecated) are not set, aNonComplianceDetail withINVALID_VALUE is reported.

enum (AlwaysOnVpnLockdownExemption)

Specifies whether the app is allowed networking when the VPN is not connected andalwaysOnVpnPackage.lockdownEnabled is enabled. If set toVPN_LOCKDOWN_ENFORCED, the app is not allowed networking, and if set toVPN_LOCKDOWN_EXEMPTION, the app is allowed networking. Only supported on devices running Android 10 and above. If this is not supported by the device, the device will contain aNonComplianceDetail withnonComplianceReason set toAPI_LEVEL and a fieldPath. If this is not applicable to the app, the device will contain aNonComplianceDetail withnonComplianceReason set toUNSUPPORTED and a fieldPath. The fieldPath is set toapplications[i].alwaysOnVpnLockdownExemption, wherei is the index of the package in theapplications policy.

enum (WorkProfileWidgets)

Specifies whether the app installed in the work profile is allowed to add widgets to the home screen.

enum (CredentialProviderPolicy)

Optional. Whether the app is allowed to act as a credential provider on Android 14 and above.

object (CustomAppConfig)

Optional. Configuration for this custom app.

installType must be set toCUSTOM for this to be set.

object (InstallConstraint)

Optional. The constraints for installing the app. You can specify a maximum of oneInstallConstraint. Multiple constraints are rejected.

integer

Optional. Amongst apps withinstallType set to:

• FORCE_INSTALLED
• PREINSTALLED

this controls the relative priority of installation. A value of 0 (default) means this app has no priority over other apps. For values between 1 and 10,000, a lower value means a higher priority. Values outside of the range 0 to 10,000 inclusive are rejected.

enum (UserControlSettings)

Optional. Specifies whether user control is permitted for the app. User control includes user actions like force-stopping and clearing app data. Certain types of apps have special treatment, seeUSER_CONTROL_SETTINGS_UNSPECIFIED andUSER_CONTROL_ALLOWED for more details.

enum (PreferentialNetworkId)

Optional. ID of the preferential network the application uses. There must be a configuration for the specified network ID inpreferentialNetworkServiceConfigs. If set toPREFERENTIAL_NETWORK_ID_UNSPECIFIED, the application will use the default network ID specified indefaultPreferentialNetworkId. See the documentation ofdefaultPreferentialNetworkId for the list of apps excluded from this defaulting. This applies on both work profiles and fully managed devices on Android 13 and above.

object (ApplicationSigningKeyCert)

Optional. Signing key certificates of the app.

This field is required in the following cases:

• The app hasinstallType set toCUSTOM (i.e. a custom app).
• The app hasroles set to a nonempty list and the app does not exist on the Play Store.
• The app hasextensionConfig set (i.e. an extension app) butExtensionConfig.signingKeyFingerprintsSha256 (deprecated) is not set and the app does not exist on the Play Store.

If this field is not set for a custom app, the policy is rejected. If it is not set when required for a non-custom app, aNonComplianceDetail withINVALID_VALUE is reported.

For other cases, this field is optional and the signing key certificates obtained from Play Store are used.

See following policy settings to see how this field is used:

• choosePrivateKeyRules
• ApplicationPolicy.InstallType.CUSTOM
• ApplicationPolicy.extensionConfig
• ApplicationPolicy.roles

object (Role)

Optional. Roles the app has.

Apps having certain roles can be exempted from power and background execution restrictions, suspension and hibernation on Android 14 and above. The user control can also be disallowed for apps with certain roles on Android 11 and above. Refer to the documentation of eachRoleType for more details.

The app is notified about the roles that are set for it if the app has a notification receiver service with<meta-data android:name="com.google.android.managementapi.notification.NotificationReceiverService.SERVICE_APP_ROLES" android:value="" />. The app is notified whenever its roles are updated or after the app is installed when it has nonempty list of roles. The app can use this notification to bootstrap itself after the installation. SeeIntegrate with the AMAPI SDK andManage app roles guides for more details on the requirements for the service.

For the exemptions to be applied and the app to be notified about the roles, the signing key certificate fingerprint of the app on the device must match one of the signing key certificate fingerprints obtained from Play Store or one of the entries inApplicationPolicy.signingKeyCerts. Otherwise, aNonComplianceDetail withAPP_SIGNING_CERT_MISMATCH is reported.

There must not be duplicate roles with the sameroleType. Multiple apps cannot hold a role with the sameroleType. A role with typeROLE_TYPE_UNSPECIFIED is not allowed.

The app is automatically installed in kiosk mode: it's set as the preferred home intent and whitelisted for lock task mode. Device setup won't complete until the app is installed. After installation, users won't be able to remove the app. You can only set thisinstallType for one app per policy. When this is present in the policy, status bar will be automatically disabled.

If there is any app withKIOSK role, then this install type cannot be set for any app.

KIOSK install type is deprecated - useREQUIRED_FOR_SETUP orCUSTOM depending on the use case and useKIOSK role instead.

The app can only be installed and updated viaAMAPI SDK command.

Note:

• This only affects fully managed devices.
• Play related fieldsminimumVersionCode,accessibleTrackIds,autoUpdateMode,installConstraint andinstallPriority cannot be set for the app.
• The app isn't available in the Play Store.
• The app installed on the device hasapplicationSource set toCUSTOM.
• When the currentinstallType isCUSTOM, the signing key certificate fingerprint of the existing custom app on the device must match one of the entries inApplicationPolicy.signingKeyCerts . Otherwise, aNonComplianceDetail withAPP_SIGNING_CERT_MISMATCH is reported.
• Changing theinstallType fromCUSTOM to another value must match the playstore version of the application signing key certificate fingerprint. Otherwise aNonComplianceDetail withAPP_SIGNING_CERT_MISMATCH is reported.
• Changing theinstallType toCUSTOM uninstalls the existing app if its signing key certificate fingerprint of the installed app doesn't match the one from theApplicationPolicy.signingKeyCerts .
• Removing the app fromapplications doesn't uninstall the existing app if it conforms toplayStoreMode.
• See alsocustomAppConfig.
• This is different from theGoogle Play Custom App Publishing feature.

Automatically grant a permission.

On Android 12 and above,READ_SMS and following sensor-related permissions can only be granted on fully managed devices:

• ACCESS_FINE_LOCATION
• ACCESS_BACKGROUND_LOCATION
• ACCESS_COARSE_LOCATION
• CAMERA
• RECORD_AUDIO
• ACTIVITY_RECOGNITION
• BODY_SENSORS

string

The Android permission or group, e.g.android.permission.READ_CALENDAR orandroid.permission_group.CALENDAR.

enum (PermissionPolicy)

The policy for granting the permission.

string

The ID of the managed configurations template.

map (key: string, value: string)

Optional, a map containing <key, value> configuration variables defined for the configuration.

An object containing a list of"key": value pairs. Example:{ "name": "wrench", "mass": "1.3kg", "count": "3" }.

The default update mode.

The app is automatically updated with low priority to minimize the impact on the user.

The app is updated when all of the following constraints are met:

• The device is not actively used.
• The device is connected to an unmetered network.
• The device is charging.
• The app to be updated is not running in the foreground.

The device is notified about a new update within 24 hours after it is published by the developer, after which the app is updated the next time the constraints above are met.

The app is not automatically updated for a maximum of 90 days after the app becomes out of date.

90 days after the app becomes out of date, the latest available version is installed automatically with low priority (seeAUTO_UPDATE_DEFAULT). After the app is updated it is not automatically updated again until 90 days after it becomes out of date again.

The user can still manually update the app from the Play Store at any time.

The app is updated as soon as possible. No constraints are applied.

The device is notified as soon as possible about a new update after it becomes available.

NOTE: Updates to apps with larger deployments across Android's ecosystem can take up to 24h.

string

signingKeyFingerprintsSha256 is deprecated - useApplicationPolicy.signingKeyCerts instead. IfApplicationPolicy.signingKeyCerts is set, this field must be empty or must contain the same signing key certificate fingerprints. Otherwise, the policy is rejected.

Hex-encoded SHA-256 hashes of the signing key certificates of the extension app. Only hexadecimal string representations of 64 characters are valid.

The signing key certificate fingerprints are always obtained from the Play Store and this field is used to provide additional signing key certificate fingerprints. However, if the application is not available on the Play Store, this field needs to be set. ANonComplianceDetail withINVALID_VALUE is reported if this field is not set when the application is not available on the Play Store.

The signing key certificate fingerprint of the extension app on the device must match one of the signing key certificate fingerprints obtained from the Play Store or the ones provided in this field for the app to be able to communicate with Android Device Policy.

In production use cases, it is recommended to leave this empty.

string

notificationReceiver is deprecated - useCOMPANION_APP role instead.

Fully qualified class name of the receiver service class for Android Device Policy to notify the extension app of any local command status updates. The service must be exported in the extension app'sAndroidManifest.xml and extendNotificationReceiverService (seeIntegrate with the AMAPI SDK guide for more details).

enum (UserUninstallSettings)

Optional. User uninstall settings of the custom app.

enum (NetworkTypeConstraint)

Optional. Network type constraint.

enum (ChargingConstraint)

Optional. Charging constraint.

enum (DeviceIdleConstraint)

Optional. Device idle constraint.

Uses the default behaviour of the app to determine if user control is allowed or disallowed. User control is allowed by default for most apps but disallowed for following types of apps:

• extension apps (seeextensionConfig for more details)
• kiosk apps (seeKIOSK install type for more details)
• apps withroles set to a nonempty list
• other critical system apps

User control is allowed for the app. Kiosk apps can use this to allow user control. For extension apps (seeextensionConfig for more details), user control is disallowed even if this value is set.

For apps withroles set to a nonempty list (exceptroles containing onlyKIOSK role), this value cannot be set.

For kiosk apps (seeKIOSK install type andKIOSK role type for more details), this value can be used to allow user control.

string (bytes format)

Required. The SHA-256 hash value of the signing key certificate of the app. This must be a valid SHA-256 hash value, i.e. 32 bytes. Otherwise, the policy is rejected.

A base64-encoded string.

enum (RoleType)

Required. The type of the role an app can have.

The role type for companion apps. This role enables the app as a companion app with the capability of interacting with Android Device Policy offline. This is the recommended way to configure an app as a companion app. For legacy way, seeextensionConfig.

On Android 14 and above, the app with this role is exempted from power and background execution restrictions, suspension and hibernation. On Android 11 and above, the user control is disallowed for the app with this role.userControlSettings cannot be set toUSER_CONTROL_ALLOWED for the app with this role.

Android Device Policy notifies the companion app of any local command status updates if the app has a service with<meta-dataandroid:name="com.google.android.managementapi.notification.NotificationReceiverService.SERVICE_COMMAND_STATUS"android:value="" />. SeeIntegrate with the AMAPI SDK guide for more details on the requirements for the service.

The role type for kiosk apps. An app can have this role only if it hasinstallType set toREQUIRED_FOR_SETUP orCUSTOM. Before adding this role to an app withCUSTOM install type, the app must already be installed on the device.

The app having this role type is set as the preferred home intent and allowlisted for lock task mode. When there is an app with this role type, status bar will be automatically disabled.

This is preferable to settinginstallType toKIOSK.

On Android 11 and above, the user control is disallowed butuserControlSettings can be set toUSER_CONTROL_ALLOWED to allow user control for the app with this role.

The role type for Mobile Threat Defense (MTD) / Endpoint Detection & Response (EDR) apps.

On Android 14 and above, the app with this role is exempted from power and background execution restrictions, suspension and hibernation. On Android 11 and above, the user control is disallowed anduserControlSettings cannot be set toUSER_CONTROL_ALLOWED for the app with this role.

The role type for system health monitoring apps.

On Android 14 and above, the app with this role is exempted from power and background execution restrictions, suspension and hibernation. On Android 11 and above, the user control is disallowed anduserControlSettings cannot be set toUSER_CONTROL_ALLOWED for the app with this role.

string

The activity that should be the default intent handler. This should be an Android component name, e.g.com.android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent.

string

The intent actions to match in the filter. If any actions are included in the filter, then an intent's action must be one of those values for it to match. If no actions are included, the intent action is ignored.

string

The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent.

enum (SystemUpdateType)

The type of system update to configure.

integer

If the type isWINDOWED, the start of the maintenance window, measured as the number of minutes after midnight in the device's local time. This value must be between 0 and 1439, inclusive.

integer

If the type isWINDOWED, the end of the maintenance window, measured as the number of minutes after midnight in device's local time. This value must be between 0 and 1439, inclusive. If this value is less thanstartMinutes, then the maintenance window spans midnight. If the maintenance window specified is smaller than 30 minutes, the actual window is extended to 30 minutes beyond the start time.

object (FreezePeriod)

An annually repeating time period in which over-the-air (OTA) system updates are postponed to freeze the OS version running on a device. To prevent freezing the device indefinitely, each freeze period must be separated by at least 60 days.

Install automatically within a daily maintenance window. This also configures Play apps to be updated within the window. This is strongly recommended for kiosk devices because this is the only way apps persistently pinned to the foreground can be updated by Play.

IfautoUpdateMode is set toAUTO_UPDATE_HIGH_PRIORITY for an app, then the maintenance window is ignored for that app and it is updated as soon as possible even outside of the maintenance window.

object (Date)

The start date (inclusive) of the freeze period. Note:day andmonth must be set.year should not be set as it is not used. For example,{"month": 1,"date": 30}.

object (Date)

The end date (inclusive) of the freeze period. Must be no later than 90 days from the start date. If the end date is earlier than the start date, the freeze period is considered wrapping year-end. Note:day andmonth must be set.year should not be set as it is not used. For example,{"month": 1,"date": 30}.

integer

Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

integer

Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

integer

Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

boolean

Whetherapp reports are enabled.

boolean

Whetherdevice settings reporting is enabled.

boolean

Whethersoftware info reporting is enabled.

boolean

Whethermemory event reporting is enabled.

boolean

Whethernetwork info reporting is enabled.

boolean

Whetherdisplays reporting is enabled. Report data is not available for personally owned devices with work profiles.

boolean

Whetherpower management event reporting is enabled. Report data is not available for personally owned devices with work profiles.

boolean

Whetherhardware status reporting is enabled. Report data is not available for personally owned devices with work profiles.

boolean

Whether system properties reporting is enabled.

object (ApplicationReportingSettings)

Application reporting settings. Only applicable if applicationReportsEnabled is true.

boolean

WhetherCommon Criteria Mode reporting is enabled. This is supported only on company-owned devices.

boolean

Optional. WhetherdefaultApplicationInfo reporting is enabled.

boolean

Whether removed apps are included in application reports.

string

A list of package names.

string

The host of the direct proxy.

integer

The port of the direct proxy.

string

For a direct proxy, the hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com.

string

The URI of the PAC script used to configure the proxy.

string

The URL pattern to match against the URL of the request. If not set or empty, it matches all URLs. This uses the regular expression syntax ofjava.util.regex.Pattern.

string

The package names to which this rule applies. The signing key certificate fingerprint of the app is verified against the signing key certificate fingerprints provided by Play Store andApplicationPolicy.signingKeyCerts . If no package names are specified, then the alias is provided to all apps that callKeyChain.choosePrivateKeyAlias or any overloads (but not without callingKeyChain.choosePrivateKeyAlias, even on Android 11 and above). Any app with the same Android UID as a package specified here will have access when they callKeyChain.choosePrivateKeyAlias.

string

The alias of the private key to be used.

string

The package name of the VPN app.

boolean

Disallows networking when the VPN is not connected.

On Android 8 and below, all location detection methods are enabled, including GPS, networks, and other sensors. On Android 9 and above, this is equivalent toLOCATION_ENFORCED.

On Android 8 and below, only GPS and other sensors are enabled. On Android 9 and above, this is equivalent toLOCATION_ENFORCED.

On Android 8 and below, only the network location provider is enabled. On Android 9 and above, this is equivalent toLOCATION_ENFORCED.

On Android 8 and below, location setting and accuracy are disabled. On Android 9 and above, this is equivalent toLOCATION_DISABLED.

boolean

If set to true, the rule includes a mitigating action to disable apps so that the device is effectively disabled, but app data is preserved. If the device is running an app in locked task mode, the app will be closed and a UI showing the reason for non-compliance will be displayed.

string

If set, the rule includes a mitigating action to disable apps specified in the list, but app data is preserved.

object (NonComplianceDetailCondition)

A condition which is satisfied if there existsany matchingNonComplianceDetail for the device.

object (ApiLevelCondition)

A condition which is satisfied if the Android Framework API level on the device doesn't meet a minimum requirement.

string

The name of the policy setting. This is the JSON field name of a top-levelPolicy field. If not set, then this condition matches any setting name.

enum (NonComplianceReason)

The reason the device is not in compliance with the setting. If not set, then this condition matches any reason.

string

The package name of the app that's out of compliance. If not set, then this condition matches any package name.

integer

The minimum desired Android Framework API level. If the device doesn't meet the minimum requirement, this condition is satisfied. Must be greater than zero.

object (UserFacingMessage)

Title of this action.

object (UserFacingMessage)

Description of this action.

object (LaunchAppAction)

An action to launch an app. The app will be launched with an intent containing an extra with keycom.google.android.apps.work.clouddpc.EXTRA_LAUNCHED_AS_SETUP_ACTION set to the boolean valuetrue to indicate that this is a setup action flow. IfSetupAction references an app, the correspondinginstallType in the application policy must be set asREQUIRED_FOR_SETUP or said setup will fail.

string

Package name of app to be launched

object (BlockAction)

An action to block access to apps and data on a company owned device or in a work profile. This action also triggers a user-facing notification with information (where possible) on how to correct the compliance issue. Note:wipeAction must also be specified.

object (WipeAction)

An action to reset a company owned device or delete a work profile. Note:blockAction must also be specified.

string

The top-level policy to enforce. For example,applications orpasswordPolicies.

integer

Number of days the policy is non-compliant before the device or work profile is blocked. To block access immediately, set to 0.blockAfterDays must be less thanwipeAfterDays.

enum (BlockScope)

Specifies the scope of thisBlockAction. Only applicable to devices that are company-owned.

integer

Number of days the policy is non-compliant before the device or work profile is wiped.wipeAfterDays must be greater thanblockAfterDays.

boolean

Whether the factory-reset protection data is preserved on the device. This setting doesn’t apply to work profiles.

enum (PowerButtonActions)

Sets the behavior of a device in kiosk mode when a user presses and holds (long-presses) the Power button.

enum (SystemErrorWarnings)

Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode. When blocked, the system will force-stop the app as if the user chooses the "close app" option on the UI.

enum (SystemNavigation)

Specifies which navigation features are enabled (e.g. Home, Overview buttons) in kiosk mode.

enum (StatusBar)

Specifies whether system info and notifications are disabled in kiosk mode.

enum (DeviceSettings)

Specifies whether the Settings app is allowed in kiosk mode.

System info and notifications are shown on the status bar in kiosk mode.

Note: For this policy to take effect, the device's home button must be enabled usingkioskCustomization.systemNavigation.

enum (UntrustedAppsPolicy)

The policy for untrusted apps (apps from unknown sources) enforced on the device. ReplacesinstallUnknownSourcesAllowed (deprecated).

enum (GooglePlayProtectVerifyApps)

WhetherGoogle Play Protect verification is enforced. ReplacesensureVerifyAppsEnabled (deprecated).

enum (DeveloperSettings)

Controls access to developer settings: developer options and safe boot. ReplacessafeBootDisabled (deprecated) anddebuggingFeaturesAllowed (deprecated). On personally-owned devices with a work profile, setting this policy will not disable safe boot. In this case, aNonComplianceDetail withMANAGEMENT_MODE is reported.

enum (CommonCriteriaMode)

Controls Common Criteria Mode—security standards defined in theCommon Criteria for Information Technology Security Evaluation (CC). Enabling Common Criteria Mode increases certain security components on a device, seeCommonCriteriaMode for details.

Warning: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enabled if required. If Common Criteria Mode is turned off after being enabled previously, all user-configured Wi-Fi networks may be lost and any enterprise-configured Wi-Fi networks that require user input may need to be reconfigured.

string

Personal apps that can read work profile notifications using aNotificationListenerService. By default, no personal apps (aside from system apps) can read work notifications. Each value in the list must be a package name.

enum (MtePolicy)

Optional. ControlsMemory Tagging Extension (MTE) on the device. The device needs to be rebooted to apply changes to the MTE policy. On Android 15 and above, aNonComplianceDetail withPENDING is reported if the policy change is pending a device reboot.

enum (ContentProtectionPolicy)

Optional. Controls whether content protection, which scans for deceptive apps, is enabled. This is supported on Android 15 and above.

MTE is enabled on the device and the user is not allowed to change this setting. This can be set on fully managed devices and work profiles on company-owned devices. ANonComplianceDetail withMANAGEMENT_MODE is reported for other management modes. ANonComplianceDetail withDEVICE_INCOMPATIBLE is reported if the device does not support MTE.

Supported on Android 14 and above. ANonComplianceDetail withAPI_LEVEL is reported if the Android version is less than 14.

MTE is disabled on the device and the user is not allowed to change this setting. This applies only on fully managed devices. In other cases, aNonComplianceDetail withMANAGEMENT_MODE is reported. ANonComplianceDetail withDEVICE_INCOMPATIBLE is reported if the device does not support MTE.

Supported on Android 14 and above. ANonComplianceDetail withAPI_LEVEL is reported if the Android version is less than 14.

Content protection is enabled and the user cannot change this.

Supported on Android 15 and above. ANonComplianceDetail withAPI_LEVEL is reported if the Android version is less than 15.

Content protection is not controlled by the policy. The user is allowed to choose the behavior of content protection.

Supported on Android 15 and above. ANonComplianceDetail withAPI_LEVEL is reported if the Android version is less than 15.

boolean

If true, the camera is disabled on the personal profile.

boolean

If true, screen capture is disabled for all users.

string

Account types that can't be managed by the user.

integer

Controls how long the work profile can stay off. The minimum duration must be at least 3 days. Other details are as follows:

• If the duration is set to 0, the feature is turned off.
• If the duration is set to a value smaller than the minimum duration, the feature returns an error.

enum (PlayStoreMode)

Used together withpersonalApplications to control how apps in the personal profile are allowed or blocked.

object (PersonalApplicationPolicy)

Policy applied to applications in the personal profile.

enum (PrivateSpacePolicy)

Optional. Controls whether a private space is allowed on the device.

enum (BluetoothSharing)

Optional. Whether bluetooth sharing is allowed.

All Play Store apps are available for installation in the personal profile, except those whoseinstallType isBLOCKED inpersonalApplications.

string

The package name of the application.

enum (InstallType)

The type of installation to perform.

Bluetooth sharing is allowed on personal profile.

Supported on Android 8 and above. ANonComplianceDetail withMANAGEMENT_MODE is reported if this is set for a personal device.

Bluetooth sharing is disallowed on personal profile.

Supported on Android 8 and above. ANonComplianceDetail withAPI_LEVEL is reported if the Android version is less than 8. ANonComplianceDetail withMANAGEMENT_MODE is reported if this is set for a personal device.

string

This feature is not generally available.

Union fieldendpoint.

This feature is not generally available.endpoint can be only one of the following:

object (ContentProviderEndpoint)

This feature is not generally available.

string

This feature is not generally available.

string

This feature is not generally available.

string

Required. This feature is not generally available.

enum (ShowWorkContactsInPersonalProfile)

Whether personal apps can access contacts stored in the work profile.

See alsoexemptionsToShowWorkContactsInPersonalProfile.

enum (CrossProfileCopyPaste)

Whether text copied from one profile (personal or work) can be pasted in the other profile.

enum (CrossProfileDataSharing)

Whether data from one profile (personal or work) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste, or connected work & personal apps, are configured separately.

enum (WorkProfileWidgetsDefault)

Specifies the default behaviour for work profile widgets. If the policy does not specifyworkProfileWidgets for a specific application, it will behave according to the value specified here.

enum (CrossProfileAppFunctions)

Optional. Controls whether personal profile apps can invoke app functions exposed by apps in the work profile.

object (PackageNameList)

List of apps which are excluded from theShowWorkContactsInPersonalProfile setting. For this to be set,ShowWorkContactsInPersonalProfile must be set to one of the following values:

• SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_ALLOWED. In this case, these exemptions act as a blocklist.
• SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED. In this case, these exemptions act as an allowlist.
• SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED_EXCEPT_SYSTEM. In this case, these exemptions act as an allowlist, in addition to the already allowlisted system apps.

Supported on Android 14 and above. ANonComplianceDetail withAPI_LEVEL is reported if the Android version is less than 14.

Unspecified. Defaults toSHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_ALLOWED.

When this is set,exemptionsToShowWorkContactsInPersonalProfile must not be set.

Prevents personal apps from accessing work profile contacts and looking up work contacts.

When this is set, personal apps specified inexemptionsToShowWorkContactsInPersonalProfile are allowlisted and can access work profile contacts directly.

Supported on Android 7.0 and above. ANonComplianceDetail withAPI_LEVEL is reported if the Android version is less than 7.0.

Default. Allows apps in the personal profile to access work profile contacts including contact searches and incoming calls.

When this is set, personal apps specified inexemptionsToShowWorkContactsInPersonalProfile are blocklisted and can not access work profile contacts directly.

Supported on Android 7.0 and above. ANonComplianceDetail withAPI_LEVEL is reported if the Android version is less than 7.0.

Prevents most personal apps from accessing work profile contacts including contact searches and incoming calls, except for the OEM default Dialer, Messages, and Contacts apps. Neither user-configured Dialer, Messages, and Contacts apps, nor any other system or play installed apps, will be able to query work contacts directly.

When this is set, personal apps specified inexemptionsToShowWorkContactsInPersonalProfile are allowlisted and can access work profile contacts.

Supported on Android 14 and above. If this is set on a device with Android version less than 14, the behaviour falls back toSHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED and aNonComplianceDetail withAPI_LEVEL is reported.

enum (LogType)

Specifies which log types are enabled. Note that users will receive on-device messaging when usage logging is enabled.

enum (LogType)

Specifies which of the enabled log types can be uploaded over mobile data. By default logs are queued for upload when the device connects to WiFi.

The fieldcameraDisabled is ignored. All cameras on the device are disabled (for fully managed devices, this applies device-wide and for work profiles this applies only to the work profile).

There are no explicit restrictions placed on the camera access toggle on Android 12 and above: on fully managed devices, the camera access toggle has no effect as all cameras are disabled. On devices with a work profile, this toggle has no effect on apps in the work profile, but it affects apps outside the work profile.

The fieldunmuteMicrophoneDisabled is ignored. The microphone on the device is disabled (for fully managed devices, this applies device-wide).

The microphone access toggle has no effect as the microphone is disabled.

enum (UsbDataAccess)

Controls what files and/or data can be transferred via USB. Supported only on company-owned devices.

enum (ConfigureWifi)

Controls Wi-Fi configuring privileges. Based on the option set, user will have either full or limited or no control in configuring Wi-Fi networks.

enum (WifiDirectSettings)

Controls configuring and using Wi-Fi direct settings. Supported on company-owned devices running Android 13 and above.

enum (TetheringSettings)

Controls tethering settings. Based on the value set, the user is partially or fully disallowed from using different forms of tethering.

object (WifiSsidPolicy)

Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above.

object (WifiRoamingPolicy)

Optional. Wi-Fi roaming policy.

enum (BluetoothSharing)

Optional. Controls whether Bluetooth sharing is allowed.

object (PreferentialNetworkServiceSettings)

Optional. Preferential network service configuration. Setting this field will overridepreferentialNetworkService. This can be set on both work profiles and fully managed devices on Android 13 and above. See5G network slicing guide for more details.

object (ApnPolicy)

Optional. Access Point Name (APN) policy. Configuration for Access Point Names (APNs) which may override any other APNs on the device. SeeOVERRIDE_APNS_ENABLED andoverrideApns for details.

enum (WifiSsidPolicyType)

Type of the Wi-Fi SSID policy to be applied.

object (WifiSsid)

Optional. List of Wi-Fi SSIDs that should be applied in the policy. This field must be non-empty when WifiSsidPolicyType is set toWIFI_SSID_ALLOWLIST. If this is set to a non-empty list, then aNonComplianceDetail detail withAPI_LEVEL is reported if the Android version is less than 13 and aNonComplianceDetail withMANAGEMENT_MODE is reported for non-company-owned devices.

string

Required. Wi-Fi SSID represented as a string.

object (WifiRoamingSetting)

Optional. Wi-Fi roaming settings. SSIDs provided in this list must be unique, the policy will be rejected otherwise.

string

Required. SSID of the Wi-Fi network.

enum (WifiRoamingMode)

Required. Wi-Fi roaming mode for the specified SSID.