Policies Guide Part II: Configure Policy
Overview
Policies are the core resource of the Android Management API and are designed for Android Enterprise device management. Creating a policy gives you the ability to provision devices with a QR code or an enrollment token, and it lets you build a complete device configuration. A policy therefore contains not only the settings and restrictions that are pushed to your devices, but also the applications you deploy, each with its own distribution options and, where the application vendor supports it, its Managed Configuration.
In addition, Android Enterprise lets you perform a full device configuration through a single OEMConfig application provided by the device manufacturer, which you add to a policy and configure like any other app. If a setting or option is missing from the Profile section, use the OEMConfig application instead, as demonstrated with Samsung's Knox Service Plugin in the Manage Android Enterprise with Android Management API article.
During policy creation you enable the Profile feature, the App feature, or both. Depending on what you enabled, you can switch between the features in the left panel of the policy to configure your target devices and to add and configure applications. All available settings are covered and described in this guide.
Enrollment
When you create a policy, fill in the required information in the Definition tab and save it, the policy is registered with the Android Management API. This generates an enrollment token with the selected device ownership in the Android Management API; the token is displayed in the Enrollment section. The QR code contains the enrollment token together with the additional information a device needs to enroll. The Enrollment tab also describes the device ownership and how to enroll devices with this policy. You can enroll and manage devices with a newly created policy before it has been configured any further. To populate the blank policy with settings and applications, use the Profile and Apps features described in this guide. Treat the token and the QR code as credentials: anyone who can scan the QR code can enroll a device into the policy.
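The following is an added example, not code from this guide or from the product it describes. It shows what the enrollment-token step above does underneath: the request body sent to the Android Management API's enterprises.enrollmentTokens.create method, and a check of the QR payload the API returns, which is a JSON string that embeds the token under the Android provisioning extras. The key names are the documented Android provisioning extras and Android Device Policy component as I know them; the enterprise, policy and token values are constructed placeholders, and no API call is made here.

```python
import json

# Documented key names (assumption: current Android Management API QR format).
COMPONENT_KEY = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
EXTRAS_KEY = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"
ANDROID_DEVICE_POLICY = (
    "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver"
)


def enrollment_token_request(policy_name: str, personal_usage: bool,
                             duration_s: int = 3600, one_time_only: bool = True) -> dict:
    """Request body for enterprises.enrollmentTokens.create.

    allowPersonalUsage is what decides the device ownership the token yields on a
    company-owned device: DISALLOWED forces a fully managed device, ALLOWED lets the
    user set up a work profile. Short-lived, one-time tokens limit the damage if the
    QR code leaks.
    """
    return {
        "policyName": policy_name,
        "duration": f"{duration_s}s",
        "oneTimeOnly": one_time_only,
        "allowPersonalUsage": (
            "PERSONAL_USAGE_ALLOWED" if personal_usage else "PERSONAL_USAGE_DISALLOWED"
        ),
    }


# Constructed sample of an EnrollmentToken resource; qrCode is itself a JSON string.
SAMPLE_TOKEN = {
    "name": "enterprises/LC00example/enrollmentTokens/1234567890",
    "value": "EXAMPLE-TOKEN-VALUE",
    "policyName": "enterprises/LC00example/policies/restricted",
    "allowPersonalUsage": "PERSONAL_USAGE_DISALLOWED",
    "qrCode": json.dumps({
        COMPONENT_KEY: ANDROID_DEVICE_POLICY,
        EXTRAS_KEY: {TOKEN_KEY: "EXAMPLE-TOKEN-VALUE"},
    }),
}


def describe_enrollment(token: dict) -> dict:
    """Check that the QR payload provisions Android Device Policy with this token
    and report which policy and ownership a scanned device will end up with."""
    qr = json.loads(token["qrCode"])
    if qr.get(COMPONENT_KEY) != ANDROID_DEVICE_POLICY:
        raise ValueError("QR payload does not provision Android Device Policy")
    embedded = qr.get(EXTRAS_KEY, {}).get(TOKEN_KEY)
    if embedded != token["value"]:
        raise ValueError("QR payload carries a different enrollment token")
    if token["allowPersonalUsage"] == "PERSONAL_USAGE_ALLOWED":
        ownership = "work profile on a company-owned device"
    else:
        ownership = "fully managed device"
    return {"policy": token["policyName"], "token": embedded, "ownership": ownership}


if __name__ == "__main__":
    print(json.dumps(enrollment_token_request(SAMPLE_TOKEN["policyName"], False), indent=2))
    print(describe_enrollment(SAMPLE_TOKEN))
```

Running the block prints the request body for a fully managed enrollment and the decoded view of the constructed token; point describe_enrollment at a real EnrollmentToken resource to confirm which policy a QR code on the Enrollment tab actually binds to.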
Profile
The Profile section of a policy lets you provide features to your users or restrict certain types of device usage to increase security. A profile groups logically related settings that configure a specific area or feature on your managed devices; these settings are sent coherently in a single policy to the Android Management API, which then configures the devices. Depending on the ownership selected in the Definition tab, only the supported profiles and settings are displayed for configuration. When changing profiles, make sure the settings are correct, because they are applied immediately to all applicable devices. Also click Save or Save & Close at the bottom right of the screen to commit your changes before moving to another page.
Restrictions
Restrictions typically represent configurations that can be either explicitly allowed or prohibited. For example, you can use restrictions to configure security-related settings such as preventing users from using Bluetooth or from configuring hotspots on their devices, and users normally cannot circumvent these restrictions (the Disable bluetooth entry below notes one exception).
Restriction | Availability | Options | Description |
---|---|---|---|
Applications | | | |
Permission policy | | | The default permission policy for runtime permission requests. |
Play Store mode | | | Controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy. |
Network & Connection | | | |
Disable bluetooth | | | Defines whether Bluetooth is disabled. Prefer this setting over Disable configuring bluetooth, because Disable configuring bluetooth can be bypassed by the user. |
Disable cell broadcast | | | Defines whether configuring cell broadcast is disabled. |
Disable configuring bluetooth | | | Defines whether configuring Bluetooth is disabled. |
Disable configuring mobile networks | | | Defines whether configuring mobile networks is disabled. |
Tethering Settings | | | Controls whether the user is allowed to use different forms of tethering, such as Wi-Fi tethering and Bluetooth tethering. |
Disable location sharing | | | Defines whether location sharing is disabled. |
Disable roaming data services | | | Defines whether roaming data services are disabled. |
Preferential network service | | | Controls whether preferential network service is enabled on the work profile. For example, an organization may have an agreement with a carrier that all work data from its employees' devices is sent via a network service dedicated to enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This has no effect on fully managed devices. |
USB Data Access | | | Controls what files and/or data can be transferred via USB. Does not affect charging. |
Privacy & Security | | | |
Disabled keyguard customizations | | | Disables selected keyguard (lock screen) features: |
Encryption policy | | | Defines whether encryption is enabled. |
System Settings | | | |
Auto date and time zone | | | Defines whether automatic date, time, and time zone are enabled on a company-owned device. |
Battery plugged in modes | | | Defines the battery plugged-in modes for which the device stays on. When this is used together with Maximum Time to Lock (planned for a future release), set Maximum Time to Lock to 0 so that the device does not lock itself while it stays on. |
Camera access | | | Controls the use of the camera and whether the user has access to the camera access toggle. The camera access toggle exists on Android 12 and above. As a general principle, disabling the camera applies device-wide on company-owned devices and only within the work profile on devices with a work profile. Disabling the camera access toggle is possible only on company-owned devices, where it applies device-wide. For specifics, see below: |
Degree of location detection enabled | | | Defines the degree of location detection enabled on work profile and fully managed devices. |
Disable changing the wallpaper | | | Defines whether changing the wallpaper is disabled. |
Disallow user to perform factory reset | | | Defines whether factory resetting from the Settings application is disabled. |
Disable outgoing calls | | | Defines whether outgoing calls are disabled. |
Disable sending and receiving SMS messages | | | Defines whether sending and receiving SMS messages is disabled. |
Microphone access | | | Controls the use of the microphone and whether the user has access to the microphone access toggle, which exists on Android 12 and above. |
Users & Accounts | | | |
Disable adding new users and profiles | | | Defines whether adding new users and profiles is disabled. |
Content & Media | | | |
Disable user mounting physical external media | | | Defines whether mounting physical external media by the user is disabled. |
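The restrictions in the table map onto fields of the policy resource that the product sends to the Android Management API. The following is an added example, not code from this guide or from the product it describes: it assembles a hardened baseline from those restrictions and lints a policy for the three pitfalls the table calls out (relying on the bypassable Disable configuring bluetooth instead of Disable bluetooth, keeping the device awake on power without a zero Maximum Time to Lock, and setting Preferential network service on a fully managed device where it has no effect). The JSON field names and enum values are the Android Management API policy fields as I know them and should be verified against the current API reference; the two sample policies are constructed.

```python
import json

# Ownership labels used only by this example to decide which fields apply.
FULLY_MANAGED = "fully managed device"
WORK_PROFILE = "work profile"


def hardened_policy(ownership: str) -> dict:
    """Restrictive baseline built from the settings in the table above."""
    policy = {
        # Applications
        "permissionPolicy": "DENY",            # never auto-grant runtime permissions
        "playStoreMode": "WHITELIST",           # only apps in the policy are visible
        # Network & Connection
        "bluetoothDisabled": True,              # preferred over bluetoothConfigDisabled
        "cellBroadcastsConfigDisabled": True,
        "mobileNetworksConfigDisabled": True,
        "shareLocationDisabled": True,
        "dataRoamingDisabled": True,
        "deviceConnectivityManagement": {
            "tetheringSettings": "DISALLOW_ALL_TETHERING",
            "usbDataAccess": "DISALLOW_USB_DATA_TRANSFER",   # charging still works
        },
        # Privacy & Security
        "keyguardDisabledFeatures": ["CAMERA", "NOTIFICATIONS"],
        "encryptionPolicy": "ENABLED_WITH_PASSWORD",
        # System Settings
        "autoDateAndTimeZone": "AUTO_DATE_AND_TIME_ZONE_ENFORCED",
        "cameraAccess": "CAMERA_ACCESS_DISABLED",
        "microphoneAccess": "MICROPHONE_ACCESS_USER_CHOICE",
        "locationMode": "LOCATION_ENFORCED",
        "setWallpaperDisabled": True,
        "factoryResetDisabled": True,
        "smsDisabled": True,
        # Users & Accounts, Content & Media
        "addUserDisabled": True,
        "mountPhysicalMediaDisabled": True,
    }
    if ownership == WORK_PROFILE:
        # Only meaningful on a work profile; silently ignored on fully managed devices.
        policy["preferentialNetworkService"] = "PREFERENTIAL_NETWORK_SERVICE_ENABLED"
    return policy


# Constructed policy that uses each of the weak choices the table warns about.
WEAK_POLICY = {
    "bluetoothConfigDisabled": True,        # user can still toggle Bluetooth itself
    "stayOnPluggedModes": ["AC", "USB"],    # stays awake on power ...
    "maximumTimeToLock": "60000",           # ... but still locks after 60 s
    "preferentialNetworkService": "PREFERENTIAL_NETWORK_SERVICE_ENABLED",
}


def lint_policy(policy: dict, ownership: str) -> list:
    """Return (field, message) pairs for settings that do not achieve their intent."""
    findings = []
    if policy.get("bluetoothConfigDisabled") and not policy.get("bluetoothDisabled"):
        findings.append(("bluetoothConfigDisabled",
                         "user can bypass this; set bluetoothDisabled instead"))
    if policy.get("stayOnPluggedModes") and policy.get("maximumTimeToLock", "0") != "0":
        findings.append(("stayOnPluggedModes",
                         "set maximumTimeToLock to 0 so the device does not lock while it stays on"))
    if ownership == FULLY_MANAGED and "preferentialNetworkService" in policy:
        findings.append(("preferentialNetworkService",
                         "has no effect on fully managed devices"))
    return findings


def policy_json(policy: dict) -> str:
    """Serialize in the form sent with enterprises.policies.patch."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(policy_json(hardened_policy(FULLY_MANAGED)))
    for field, message in lint_policy(WEAK_POLICY, FULLY_MANAGED):
        print(f"{field}: {message}")
```

The lint deliberately treats an absent maximumTimeToLock like 0, since no lock timeout is then enforced; if your policy sets a timeout elsewhere, the check reports it.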
Apps
Use the Apps feature of a policy to add applications, define their distribution options, and set their individual application configuration. Before you can assign apps to a policy, you must first add them to the App Portal. The Android Management API supports Managed Google Play applications as app types; this includes publicly available applications from Google Play as well as Web Apps and Enterprise (private) Apps. Once apps are in the App Portal, you configure and distribute them with the Apps feature of your policy.
When you add an application to a policy, its default configuration values are taken from the App Portal, and you can override them in the policy. After the application is added, its state is initially Not Active. It is activated by pressing the Edit button and saving the application deployment, which breaks the link between the default configuration in the App Portal and the configuration in the policy.
Assign Apps
Once apps are in the App Portal, they can be individually configured and distributed to devices via a policy. To assign and configure apps, perform the following steps:
- Press the Edit button next to your policy, or create a new policy
- In the Definition tab, make sure the Apps feature is enabled
- Navigate to Apps
- Click Assign More Apps
- Select the applications you want on the Assign Applications page
- Click Add Selected Apps
- Review the Overview information below, then configure your App Management options.
Overview
Already assigned applications are displayed in the Apps section of any Policy with the following information:
Column | Description |
---|---|
Type | Displays the app type. |
Name | Displays the application name given in the App Portal. |
Description | Displays the application description given in App Portal. |
State | When you add an application to the policy, the Not Active state is used as a safeguard: you may have added the application to the App Portal with a Preinstalled or Forced installation type that should not apply in this policy. To activate the application in the policy, click the Edit button and confirm the App Management settings by clicking Save. |
Remove | Press the Remove button to remove the app from the policy. |
Manage Config | Click Edit to change the deployment options and to configure the application with its Managed Configuration. |
Change App Management Options
By default, configurations are inherited from the App Portal, and the app is set to Not Active after it is added to a policy. To activate the app in your policy and to customize its App Management settings, perform the following steps for each application:
- Press the Edit button in the Manage Config column
- Confirm or update the App Management options
- Click Save
- After the App Management options are saved, the application changes its state from Not Active to Active.
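The following is an added example, not code from this guide or from the product it describes. It models the behaviour described in the Apps section and in the activation steps above: an app assigned to a policy stays Not Active and is left out of the policy's applications array until its options are confirmed, and saving copies the App Portal defaults (or your overrides) into the policy so that later App Portal edits no longer flow in. The PortalApp and PolicyApp classes, the demo data and the installType values are my own constructions; the applications entry shape (packageName, installType, managedConfiguration) follows the Android Management API policy resource as I know it.

```python
import copy
from dataclasses import dataclass, field
from typing import Optional

# installType values of the Android Management API (assumption: current API).
INSTALL_TYPES = {"AVAILABLE", "PREINSTALLED", "FORCE_INSTALLED",
                 "BLOCKED", "REQUIRED_FOR_SETUP", "KIOSK"}


@dataclass
class PortalApp:
    """Defaults kept in the App Portal for one app (constructed sample data)."""
    package_name: str
    install_type: str = "AVAILABLE"
    managed_configuration: dict = field(default_factory=dict)


@dataclass
class PolicyApp:
    """An app assigned to a policy; Not Active until its options are confirmed."""
    portal: PortalApp
    active: bool = False
    install_type: Optional[str] = None
    managed_configuration: Optional[dict] = None

    def activate(self, install_type: Optional[str] = None,
                 managed_configuration: Optional[dict] = None) -> None:
        """'Edit' then 'Save': confirm or override the App Management options.
        Values are deep-copied, which is what breaks the link to the App Portal."""
        chosen = install_type or self.portal.install_type
        if chosen not in INSTALL_TYPES:
            raise ValueError(f"unknown installType {chosen!r}")
        self.install_type = chosen
        self.managed_configuration = copy.deepcopy(
            managed_configuration if managed_configuration is not None
            else self.portal.managed_configuration)
        self.active = True


def render_applications(policy_apps) -> list:
    """The policy's applications[] array: only Active apps are emitted."""
    entries = []
    for app in policy_apps:
        if not app.active:
            continue   # Not Active: a Forced/Preinstalled portal default is not deployed
        entry = {"packageName": app.portal.package_name, "installType": app.install_type}
        if app.managed_configuration:
            entry["managedConfiguration"] = app.managed_configuration
        entries.append(entry)
    return entries


def demo():
    """Walk through assignment, activation, override and a later portal edit."""
    vpn = PortalApp("com.example.vpn", "FORCE_INSTALLED", {"server": "vpn.example.com"})
    browser = PortalApp("com.example.browser", "PREINSTALLED")
    assigned = [PolicyApp(vpn), PolicyApp(browser)]
    before = render_applications(assigned)            # nothing deployed yet
    assigned[0].activate()                            # keep the portal defaults
    assigned[1].activate(install_type="AVAILABLE")    # override Preinstalled
    vpn.managed_configuration["server"] = "changed.example.com"   # portal edit after save
    after = render_applications(assigned)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The demo shows the two properties worth checking in your own policies: a newly assigned app with a Forced installation type in the App Portal is not pushed until someone confirms it, and the configuration saved in the policy is a snapshot, so changing the App Portal defaults afterwards does not silently change what enrolled devices receive.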