Matrix42 Self-Service Help Center

Policies Guide Part II: Configure Policy

Overview

A policy is the core resource of the Android Management API and the unit of configuration for Android Enterprise device management. Creating a policy gives you an enrollment token and a QR code with which to provision devices, and the policy holds the complete device configuration: the settings and restrictions that are pushed to the device, the applications to deploy with their distribution options, and, where the app vendor supports it, Managed Configurations for those applications.

Android Enterprise also lets a single OEMConfig application, provided by the device manufacturer, carry a full device configuration; you add and configure that app in the policy like any other. If a setting or option is missing from the Profile section, an OEMConfig app may expose it, as shown in the Manage Android Enterprise with Android Management API article using Samsung's Knox Service Plugin.

When creating a policy you enable the Profile feature, the Apps feature, or both. The enabled features appear in the left panel inside the policy, where you configure your target devices and add and configure applications. All available settings are described in this guide.

Enrollment

Once you fill in the Definition tab and save the policy, it is registered with the Android Management API. The API generates an enrollment token for the selected device ownership, and the token is shown in the Enrollment section. The QR code embeds the enrollment token together with the additional provisioning information a device needs to enroll. The Enrollment tab also states the device ownership and explains how to enroll devices with this policy. Treat the token and the QR code as a credential: anyone who scans the code can enroll a device into this policy until the token expires. A newly created policy can already enroll and manage devices before it has been configured further; to add settings and applications, use the Profile and Apps features described in this guide.
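The enrollment token resource that the Android Management API creates for a policy carries the QR payload as a JSON string in its qrCode field. The following Python is an added example, not Matrix42 code and not taken from this page: it parses such a payload and reviews a token before its QR code is handed out. The provisioning key names and the Android Device Policy component name are from the public API's QR format; the sample token resource, the checksum and the enterprise and policy names are constructed, and the 24-hour lifetime threshold is a local review choice of this example, not an API limit.

```python
import json
from datetime import datetime, timedelta, timezone

# Android Device Policy, the DPC that the Android Management API enrolls, and the
# provisioning-extra keys used in the API's QR payload (public API format; the
# rest of this file is an illustrative example, not Matrix42 or Google code).
DPC_COMPONENT = "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver"
KEY_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
KEY_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
KEY_TOKEN = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"

# Local review threshold: an assumption of this example, not an API limit.
MAX_ACCEPTABLE_LIFETIME = timedelta(hours=24)


def parse_rfc3339(stamp: str) -> datetime:
    """Parse the RFC 3339 timestamps the API returns (e.g. 2030-01-01T12:00:00Z)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def make_sample_token(value: str, expires: str, one_time: bool) -> dict:
    """Build a constructed EnrollmentToken resource in the shape enrollmentTokens.create
    returns. 'qrCode' is a JSON string as in the API; checksum and names are fake."""
    qr_payload = {
        KEY_COMPONENT: DPC_COMPONENT,
        "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "FAKE_CHECKSUM",
        "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
            "https://play.google.com/managed/downloadManagingApp?identifier=setup",
        KEY_EXTRAS: {KEY_TOKEN: value},
    }
    return {
        "name": "enterprises/LC0example/enrollmentTokens/" + value.lower(),
        "value": value,
        "expirationTimestamp": expires,
        "policyName": "enterprises/LC0example/policies/kiosk",
        "oneTimeOnly": one_time,
        "qrCode": json.dumps(qr_payload),
    }


def parse_qr_payload(qr_json: str) -> dict:
    """Return the DPC component and the enrollment token embedded in a QR payload."""
    payload = json.loads(qr_json)
    extras = payload.get(KEY_EXTRAS) or {}
    return {"component": payload.get(KEY_COMPONENT), "token": extras.get(KEY_TOKEN)}


def review_enrollment_token(resource: dict, now: datetime) -> list:
    """Return review findings for a token before its QR code is distributed.
    An empty list means the QR is self-consistent, short-lived and single-use."""
    findings = []
    qr = parse_qr_payload(resource["qrCode"])
    if qr["component"] != DPC_COMPONENT:
        findings.append("qr-component: payload does not enroll Android Device Policy")
    if qr["token"] != resource["value"]:
        findings.append("qr-token: token in QR payload differs from the token resource")
    expires = parse_rfc3339(resource["expirationTimestamp"])
    if expires <= now:
        findings.append("expired: token can no longer enroll devices")
    elif expires - now > MAX_ACCEPTABLE_LIFETIME:
        findings.append("lifetime: token valid for more than 24h; shorten 'duration'")
    if not resource.get("oneTimeOnly", False):
        findings.append("reusable: oneTimeOnly is false; one leaked QR enrolls many devices")
    return findings


if __name__ == "__main__":
    now = parse_rfc3339("2030-01-01T10:00:00Z")
    good = make_sample_token("ABCDEF", "2030-01-01T12:00:00Z", one_time=True)
    weak = make_sample_token("GHIJKL", "2030-01-31T00:00:00Z", one_time=False)
    print("good:", review_enrollment_token(good, now))
    print("weak:", review_enrollment_token(weak, now))
```

Run it as a script to compare a short-lived single-use token with a long-lived reusable one; in practice you would feed the dict returned by enrollmentTokens.create instead of the constructed sample.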

Profile

The Profile section of a policy lets you provide features to your users or restrict certain kinds of device usage to increase security. A profile groups logically related settings for one area or feature of your managed devices; all profile settings are sent together in a single policy to the Android Management API, which applies the configuration on the devices. Depending on the ownership selected in the Definition tab, only the supported profiles and settings are shown for configuration. When changing profiles, check the settings carefully, as they are applied immediately to all applicable devices once saved. Click Save or Save & Close at the bottom right of the screen to commit your changes before moving to another page.

Restrictions

Restrictions typically represent configurations that can be either explicitly allowed or prohibited. For example, you can use restrictions to configure security-related settings such as preventing users from using Bluetooth or configuring hotspots on devices, and it is usually not possible for users to circumvent these restrictions. 

Each restriction below lists the device ownership types it is available for (Availability), the values you can select (Options), and a description.

Applications

Permission policy
  Availability: Company-owned; Personally-owned; Company-owned with personal usage
  Options: Not configured; Prompt the user to grant a permission; Automatically grant a permission; Automatically deny a permission
  Description: The default policy for runtime permission requests from apps. Automatically grant removes the user's chance to refuse a permission, so reserve it for policies that contain only trusted apps.

Play Store mode
  Availability: Company-owned; Personally-owned; Company-owned with personal usage
  Options: Not configured; Only Policy Apps; All except blocked
  Description: Controls which apps the user can see in the Play Store and what happens on the device when an app is removed from the policy.
  • Only Policy Apps: Only apps listed in the policy are available; any app not in the policy is automatically uninstalled from the device.
  • All except blocked: All apps are available; any app that must not be on the device has to be explicitly marked as BLOCKED in the policy.
Network & Connection

Disable bluetooth
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether Bluetooth is disabled. Prefer this setting over Disable configuring bluetooth, because the latter can be bypassed by the user.

Disable cell broadcast
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether configuring cell broadcast is disabled.

Disable configuring bluetooth
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether configuring Bluetooth is disabled.

Disable configuring mobile networks
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether configuring mobile networks is disabled.

Tethering Settings
  Availability: Company-owned; Company-owned with personal usage
  Options: Allow all Tethering; Disallow Wi-Fi Tethering; Disallow all Tethering
  Description: Controls whether the user may use the different forms of tethering (Wi-Fi tethering, Bluetooth tethering, etc.).
  • Allow all Tethering: Allows configuration and use of all forms of tethering.
  • Disallow Wi-Fi Tethering: Prevents the user from using Wi-Fi tethering. Supported on Android 13 and newer. If the device does not support this setting, Allow all Tethering is applied instead and a non-compliance is reported.
  • Disallow all Tethering: Disallows all forms of tethering.

Disable location sharing
  Availability: Company-owned; Personally-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether location sharing is disabled.

Disable roaming data services
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether roaming data services are disabled.

Preferential network service
  Availability: Personally-owned; Company-owned with personal usage
  Options: Not configured (disabled); Disabled; Enabled
  Description: Controls whether preferential network service is enabled on the work profile. For example, an organization may have an agreement with a carrier that all work data from its employees' devices is sent over a network service dedicated to enterprise use, such as the enterprise slice on 5G networks. This setting has no effect on fully managed devices.

USB Data Access
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; Allow USB data transfer; Disallow USB file transfer; Disallow USB data transfer
  Description: Controls which files and data can be transferred via USB. Does not affect charging.
  • Allow USB data transfer: All types of USB data transfer are allowed.
  • Disallow USB file transfer: Transferring files over USB is disallowed. Other USB data connections, such as mouse and keyboard, remain allowed.
  • Disallow USB data transfer: All types of USB data transfer are prohibited. Supported on devices running Android 12 or above with USB HAL 1.3 or above. If the device does not support this setting, Disallow USB file transfer is applied instead: a non-compliance is reported if the Android version is below 12, and a device-incompatible notice is reported if the device lacks USB HAL 1.3 or above.
Privacy & Security

Disabled keyguard customizations
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; Camera; Notifications; Unredacted notifications; Trust agent state; Fingerprint sensor; Text entry into notifications; Face authentication; Iris authentication; All biometric authentication; All current and future keyguard customizations
  Description: Disables the selected keyguard (lock screen) features:
  • Camera: Disables the camera on secure keyguard screens (e.g. PIN).
  • Notifications: Disables showing any notifications on secure keyguard screens.
  • Unredacted notifications: Disables unredacted notifications on secure keyguard screens; notification content is obscured on the lock screen.
  • Trust agent state: Ignores the trust agent state on secure keyguard screens. A trust agent is a service that tells the system whether the device is in a trusted environment, for example Google Smart Lock or a Profiles Trust Provider.
  • Fingerprint sensor: Disables the fingerprint sensor on secure keyguard screens.
  • Text entry into notifications: On devices running Android 6 and below, disables text entry into notifications on secure keyguard screens. Has no effect on Android 7 and newer.
  • Face authentication: Disables face authentication on secure keyguard screens.
  • Iris authentication: Disables iris authentication on secure keyguard screens.
  • All biometric authentication: Disables all biometric authentication on secure keyguard screens.
  • All current and future keyguard customizations: Disables all current and future keyguard customizations.

Encryption policy
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; Required without password to boot; Required with password to boot
  Description: Defines whether encryption is required.
  • Required without password to boot: Encryption is required; no password is required to boot.
  • Required with password to boot: Encryption is required and a password is required to boot.


System Settings

Auto date and time zone
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; User Choice; Enforced
  Description: Defines whether automatic date, time, and time zone are enabled on a company-owned device.
  • User Choice: Automatic date, time, and time zone are left to the user's choice.
  • Enforced: Automatic date, time, and time zone are enforced on the device.

Battery plugged in modes
  Availability: Company-owned
  Options: Not configured; AC charger; USB port; Wireless
  Description: Defines the power sources for which the device stays on. When using this setting, also set Maximum Time to Lock to 0 (in releases that expose it) so that the device does not lock itself while it stays on.
  • AC charger: The device stays on while powered by an AC charger.
  • USB port: The device stays on while powered from a USB port.
  • Wireless: The device stays on while powered wirelessly.

Camera access
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; User choice; Disabled; Enabled
  Description: Controls use of the camera and whether the user can use the camera access toggle (present on Android 12 and above). Disabling the camera applies device-wide on company-owned devices and only within the work profile on devices with a work profile. Control of the camera access toggle applies only on company-owned devices, where it is device-wide.
  • User choice: All cameras on the device are available. On Android 12 and above the user can use the camera access toggle.
  • Disabled: All cameras are disabled (device-wide on company-owned devices; only within the work profile on devices with a work profile). No explicit restriction is placed on the camera access toggle on Android 12 and above: on company-owned devices the toggle has no effect because all cameras are already disabled; on devices with a work profile it has no effect on work-profile apps but still affects apps outside the work profile.
  • Enabled: All cameras are available. On company-owned devices running Android 12 and above the user cannot use the camera access toggle. On devices that are not company-owned, or that run Android 11 or below, this is equivalent to User choice.

Degree of location detection enabled
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; User Choice; Enabled; Disabled
  Description: Defines the degree of location detection on work profile and fully managed devices.
  • User Choice: The location setting is not restricted; no specific behaviour is set or enforced.
  • Enabled: Enables the location setting on the device.
  • Disabled: Disables the location setting on the device.

Disable changing the wallpaper
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether changing the wallpaper is disabled.

Disallow user to perform factory reset
  Availability: Company-owned
  Options: Not configured; True; False
  Description: Defines whether factory reset from the Settings app is disabled.

Disable outgoing calls
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether outgoing calls are disabled.

Disable sending and receiving SMS messages
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether sending and receiving SMS messages is disabled.

Microphone access
  Availability: Company-owned
  Options: Not configured; User Choice; Disabled; Enabled
  Description: Controls use of the microphone and whether the user can use the microphone access toggle (present on Android 12 and above).
  • User Choice: The default device behaviour; the microphone is available. On Android 12 and above the user can use the microphone access toggle.
  • Disabled: The microphone is disabled; the access toggle has no effect because the microphone is already disabled.
  • Enabled: The microphone is available. On devices running Android 12 and above the user cannot use the microphone access toggle. On devices running Android 11 or below, this is equivalent to User Choice.
Users & Accounts

Disable adding new users and profiles
  Availability: Company-owned
  Options: Not configured; True; False
  Description: Defines whether adding new users and profiles is disabled.

Content & Media

Disable user mounting physical external media
  Availability: Company-owned; Company-owned with personal usage
  Options: Not configured; True; False
  Description: Defines whether mounting physical external media by the user is disabled.
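Several entries in the restriction table interact with each other or fall back silently on older devices: Disable configuring bluetooth is bypassable where Disable bluetooth is not, Battery plugged in modes needs Maximum Time to Lock at 0, All except blocked (Play Store mode, under Applications) only restricts apps that are explicitly BLOCKED, and the USB and tethering options fall back on devices that do not support them. The following Python is an added example, not Matrix42 code and not from this page: it lints a policy written in the JSON form of the Android Management API Policy resource for exactly those pitfalls. The API field names behind the UI labels (bluetoothDisabled, stayOnPluggedModes, deviceConnectivityManagement and so on) are assumed from the public Policy reference; the two sample policies and the package name are constructed.

```python
# Constructed sample policies in the JSON shape of the Android Management API
# Policy resource. Field names are assumed from the public API reference and map
# to the UI labels in the restriction table; the values are illustrative.
# This is an example, not Matrix42 or Google code.
WEAK_POLICY = {
    "bluetoothConfigDisabled": True,          # "Disable configuring bluetooth" only
    "stayOnPluggedModes": ["AC", "USB"],      # "Battery plugged in modes"
    "maximumTimeToLock": "300000",            # 5-minute lock contradicts stay-on
    "playStoreMode": "BLACKLIST",             # "All except blocked"
    "permissionPolicy": "GRANT",              # "Automatically grant a permission"
    "deviceConnectivityManagement": {
        "usbDataAccess": "DISALLOW_USB_DATA_TRANSFER",
        "tetheringSettings": "DISALLOW_WIFI_TETHERING",
    },
    "applications": [
        {"packageName": "com.example.lob", "installType": "FORCE_INSTALLED"},
    ],
}

HARDENED_POLICY = {
    "bluetoothDisabled": True,                # "Disable bluetooth": not user-bypassable
    "stayOnPluggedModes": ["AC"],
    "maximumTimeToLock": "0",                 # as the table recommends with stay-on
    "playStoreMode": "WHITELIST",             # "Only Policy Apps"
    "permissionPolicy": "PROMPT",
    "deviceConnectivityManagement": {
        "usbDataAccess": "DISALLOW_USB_DATA_TRANSFER",
        "tetheringSettings": "DISALLOW_ALL_TETHERING",
    },
    "applications": [
        {"packageName": "com.example.lob", "installType": "FORCE_INSTALLED",
         "managedConfiguration": {"server_url": "https://lob.example.internal"}},
    ],
}


def lint_policy(policy: dict) -> list:
    """Return 'warn:' and 'info:' findings for the pitfalls the restriction table names."""
    findings = []
    if policy.get("bluetoothConfigDisabled") and not policy.get("bluetoothDisabled"):
        findings.append("warn: bluetoothConfigDisabled alone can be bypassed; set bluetoothDisabled")
    # The API serialises int64 fields such as maximumTimeToLock as strings.
    if policy.get("stayOnPluggedModes") and int(policy.get("maximumTimeToLock", 0)) != 0:
        findings.append("warn: stayOnPluggedModes set but maximumTimeToLock != 0; device locks while staying on")
    if policy.get("permissionPolicy") == "GRANT":
        findings.append("warn: permissionPolicy GRANT auto-grants runtime permission requests without a prompt")
    blocked = [a["packageName"] for a in policy.get("applications", [])
               if a.get("installType") == "BLOCKED"]
    if policy.get("playStoreMode") == "BLACKLIST" and not blocked:
        findings.append("warn: playStoreMode BLACKLIST with no BLOCKED apps; every Play app is available")
    conn = policy.get("deviceConnectivityManagement", {})
    if conn.get("usbDataAccess") == "DISALLOW_USB_DATA_TRANSFER":
        findings.append("info: DISALLOW_USB_DATA_TRANSFER needs Android 12 and USB HAL 1.3; "
                        "older devices fall back to DISALLOW_USB_FILE_TRANSFER")
    if conn.get("tetheringSettings") == "DISALLOW_WIFI_TETHERING":
        findings.append("info: DISALLOW_WIFI_TETHERING needs Android 13; older devices fall back "
                        "to ALLOW_ALL_TETHERING and report non-compliance")
    return findings


def warnings_only(policy: dict) -> list:
    """Just the findings that should block rollout."""
    return [f for f in lint_policy(policy) if f.startswith("warn:")]


if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label)
        for finding in lint_policy(pol):
            print("  " + finding)
```

The info findings are deliberately kept even for the hardened policy: a fallback to a weaker setting on an old device is reported by the API as non-compliance, so the fleet's Android versions decide whether DISALLOW_USB_DATA_TRANSFER actually takes effect.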

Apps

The Apps feature of a policy lets you add applications, define their distribution options and set their individual application configuration. Before you can assign apps to a policy, you must first add them to the App Portal. The Android Management API supports Managed Play applications as app types; this covers publicly available apps from Google Play as well as Web Apps and Enterprise Apps. Once the apps are in the App Portal, you configure and distribute them through the Apps feature of your policy.

When you add an application to a policy, its default configuration values are taken from the App Portal, and you can override them in the policy. A newly added application is initially inactive; you activate it by pressing Edit and saving the application deployment, which detaches the policy's configuration from the App Portal defaults, so later changes to the defaults no longer flow into this policy.

Assign Apps 

Once Apps are uploaded into the App Portal Tab, they can be individually configured and distributed to devices via the policy. To assign apps and configure them, perform the following steps:

  • Press the Edit button from the App Portal next to your policy or create a new Policy
  • From the Definition tab, make sure you have enabled the Apps feature
  • Navigate to Apps
  • Click Assign More Apps
  • Select any applications from the shown Assign Applications page 
  • Click Add Selected Apps
  • Now proceed with reviewing the Overview information below, followed by configuring your App Management Options.

Overview

Already assigned applications are displayed in the Apps section of any Policy with the following information: 

Column Description
Type Displays the app type.
Name Displays the application name given in the App Portal.
Description Displays the application description given in App Portal.
State  When you add an application to the policy, the Not Active state is used as a security mechanism because you may have added the application to the App Portal with a Preinstalled or Forced installation type that should not be applied in this policy. To activate the application in the policy, click the Edit button and confirm the App Management settings by clicking the Save button.
Remove Press the Remove button to remove the app from the policy.
Manage Config Click edit to change deployment options and to configure the application with the Managed Configuration.

Change App Management Options

By default, configurations are inherited from the App Portal and the app is set to inactive after it is added to a policy. To activate the app in your policy and to customize your App Management settings, perform the following steps for each application:

  • Press the Edit button in the Manage Config column
  • Confirm or update your App Management options
  • Click Save
  • After saving the App Management Option, the application will change the state from not active to active.