Skip to main content

policies

Overview

Namepolicies
TypeResource
Idgoogledevelopers.androidmanagement.policies

Fields

NameDatatypeDescription
namestringThe name of the policy in the form enterprises/{enterpriseId}/policies/{policyId}.
addUserDisabledbooleanWhether adding new users and profiles is disabled.
setWallpaperDisabledbooleanWhether changing the wallpaper is disabled.
cameraDisabledbooleanIf camera_access is set to any value other than CAMERA_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether cameras are disabled: If true, all cameras are disabled, otherwise they are available. For fully managed devices this field applies for all apps on the device. For work profiles, this field applies only to apps in the work profile, and the camera access of apps outside the work profile is unaffected.
playStoreModestringThis mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.
mountPhysicalMediaDisabledbooleanWhether the user mounting physical external media is disabled.
maximumTimeToLockstringMaximum time in milliseconds for user activity until the device locks. A value of 0 means there is no restriction.
bluetoothConfigDisabledbooleanWhether configuring bluetooth is disabled.
privateKeySelectionEnabledbooleanAllows showing UI on a device for a user to choose a private key alias if there are no matching rules in ChoosePrivateKeyRules. For devices below Android P, setting this may leave enterprise keys vulnerable.
wifiConfigDisabledbooleanWhether configuring Wi-Fi access points is disabled. Note: If a network connection can't be made at boot time and configuring Wi-Fi is disabled then network escape hatch will be shown in order to refresh the device policy (see networkEscapeHatchEnabled).
blockApplicationsEnabledbooleanWhether applications other than the ones configured in applications are blocked from being installed. When set, applications that were installed under a previous policy but no longer appear in the policy are automatically uninstalled.
safeBootDisabledbooleanWhether rebooting the device into safe boot is disabled.
usageLogobjectControls types of device activity logs collected from the device and reported via Pub/Sub notification (https://developers.google.com/android/management/notifications).
systemUpdateobjectConfiguration for managing system updates
complianceRulesarrayRules declaring which mitigating actions to take when a device is not compliant with its policy. When the conditions for multiple rules are satisfied, all of the mitigating actions for the rules are taken. There is a maximum limit of 100 rules. Use policy enforcement rules instead.
mobileNetworksConfigDisabledbooleanWhether configuring mobile networks is disabled.
credentialsConfigDisabledbooleanWhether configuring user credentials is disabled.
adjustVolumeDisabledbooleanWhether adjusting the master volume is disabled. Also mutes the device.
networkResetDisabledbooleanWhether resetting network settings is disabled.
statusReportingSettingsobjectSettings controlling the behavior of status reports.
bluetoothContactSharingDisabledbooleanWhether bluetooth contact sharing is disabled.
personalUsagePoliciesobjectPolicies controlling personal usage on a company-owned device with a work profile.
kioskCustomizationobjectSettings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK.
removeUserDisabledbooleanWhether removing other users is disabled.
outgoingCallsDisabledbooleanWhether outgoing calls are disabled.
autoDateAndTimeZonestringWhether auto date, time, and time zone are enabled on a company-owned device. If this is set, then autoTimeRequired is ignored.
applicationsarrayPolicy applied to apps.
smsDisabledbooleanWhether sending and receiving SMS messages is disabled.
autoTimeRequiredbooleanWhether auto time is required, which prevents the user from manually setting the date and time. If autoDateAndTimeZone is set, this field is ignored.
preferentialNetworkServicestringControls whether preferential network service is enabled on the work profile. For example, an organization may have an agreement with a carrier that all of the work data from its employees' devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This has no effect on fully managed devices.
passwordRequirementsobjectRequirements for the password used to unlock a device.
microphoneAccessstringControls the use of the microphone and whether the user has access to the microphone access toggle. This applies only on fully managed devices.
deviceOwnerLockScreenInfoobjectProvides a user-facing message with locale info. The maximum message length is 4096 characters.
keyguardDisabledFeaturesarrayDisabled keyguard customizations, such as widgets.
statusBarDisabledbooleanWhether the status bar is disabled. This disables notifications, quick settings, and other screen overlays that allow escape from full-screen mode. DEPRECATED. To disable the status bar on a kiosk device, use InstallType KIOSK or kioskCustomLauncherEnabled.
minimumApiLevelintegerThe minimum allowed Android API level.
wifiConfigsLockdownEnabledbooleanDEPRECATED - Use wifi_config_disabled.
funDisabledbooleanWhether the user is allowed to have fun. Controls whether the Easter egg game in Settings is disabled.
dataRoamingDisabledbooleanWhether roaming data services are disabled.
advancedSecurityOverridesobjectSecurity policies set to secure values by default. To maintain the security posture of a device, we don't recommend overriding any of the default values.
permittedInputMethodsobjectA list of package names.
kioskCustomLauncherEnabledbooleanWhether the kiosk custom launcher is enabled. This replaces the home screen with a launcher that locks down the device to the apps installed via the applications setting. Apps appear on a single page in alphabetical order. Use kioskCustomization to further configure the kiosk device behavior.
shortSupportMessageobjectProvides a user-facing message with locale info. The maximum message length is 4096 characters.
policyEnforcementRulesarrayRules that define the behavior when a particular policy can not be applied on device
defaultPermissionPolicystringThe default permission policy for runtime permission requests.
installUnknownSourcesAllowedbooleanThis field has no effect.
openNetworkConfigurationobjectNetwork configuration for the device. See configure networks for more information.
androidDevicePolicyTracksarrayThe app tracks for Android Device Policy the device can access. The device receives the latest version among all accessible tracks. If no tracks are specified, then the device only uses the production track.
setupActionsarrayAction to take during the setup process. At most one action may be specified.
screenCaptureDisabledbooleanWhether screen capture is disabled.
encryptionPolicystringWhether encryption is enabled
cellBroadcastsConfigDisabledbooleanWhether configuring cell broadcast is disabled.
recommendedGlobalProxyobjectConfiguration info for an HTTP proxy. For a direct proxy, set the host, port, and excluded_hosts fields. For a PAC script proxy, set the pac_uri field.
factoryResetDisabledbooleanWhether factory resetting from settings is disabled.
installAppsDisabledbooleanWhether user installation of apps is disabled.
keyguardDisabledbooleanIf true, this disables the Lock Screen (https://source.android.com/docs/core/display/multi_display/lock-screen) for primary and/or secondary displays.
unmuteMicrophoneDisabledbooleanIf microphone_access is set to any value other than MICROPHONE_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether microphones are disabled: If true, all microphones are disabled, otherwise they are available. This is available only on fully managed devices.
alwaysOnVpnPackageobjectConfiguration for an always-on VPN connection.
oncCertificateProvidersarrayThis feature is not generally available.
stayOnPluggedModesarrayThe battery plugged in modes for which the device stays on. When using this setting, it is recommended to clear maximum_time_to_lock so that the device doesn't lock itself while it stays on.
frpAdminEmailsarrayEmail addresses of device administrators for factory reset protection. When the device is factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won't provide factory reset protection.
shareLocationDisabledbooleanWhether location sharing is disabled. share_location_disabled is supported for both fully managed devices and personally owned work profiles.
skipFirstUseHintsEnabledbooleanFlag to skip hints on the first use. Enterprise admin can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up.
bluetoothDisabledbooleanWhether bluetooth is disabled. Prefer this setting over bluetooth_config_disabled because bluetooth_config_disabled can be bypassed by the user.
crossProfilePoliciesobjectCross-profile policies applied on the device.
permittedAccessibilityServicesobjectA list of package names.
debuggingFeaturesAllowedbooleanWhether the user is allowed to enable debugging features.
usbFileTransferDisabledbooleanWhether transferring files over USB is disabled. This is supported only on company-owned devices.
permissionGrantsarrayExplicit permission or group grants or denials for all apps. These values override the default_permission_policy.
uninstallAppsDisabledbooleanWhether user uninstallation of applications is disabled. This prevents apps from being uninstalled, even those removed using applications
longSupportMessageobjectProvides a user-facing message with locale info. The maximum message length is 4096 characters.
accountTypesWithManagementDisabledarrayAccount types that can't be managed by the user.
createWindowsDisabledbooleanWhether creating windows besides app windows is disabled.
appAutoUpdatePolicystringDeprecated. Use autoUpdateMode instead.When autoUpdateMode is set to AUTO_UPDATE_POSTPONED or AUTO_UPDATE_HIGH_PRIORITY, this field has no effect.The app auto update policy, which controls when automatic app updates can be applied.
locationModestringThe degree of location detection enabled.
usbMassStorageEnabledbooleanWhether USB storage is enabled. Deprecated.
setUserIconDisabledbooleanWhether changing the user icon is disabled.
modifyAccountsDisabledbooleanWhether adding or removing accounts is disabled.
passwordPoliciesarrayPassword requirement policies. Different policies can be set for work profile or fully managed devices by setting the password_scope field in the policy.
outgoingBeamDisabledbooleanWhether using NFC to beam data from apps is disabled.
choosePrivateKeyRulesarrayRules for determining apps' access to private keys. See ChoosePrivateKeyRule for details.
cameraAccessstringControls the use of the camera and whether the user has access to the camera access toggle.
ensureVerifyAppsEnabledbooleanWhether app verification is force-enabled.
persistentPreferredActivitiesarrayDefault intent handler activities.
tetheringConfigDisabledbooleanWhether configuring tethering and portable hotspots is disabled.
versionstringThe version of the policy. This is a read-only field. The version is incremented each time the policy is updated.
networkEscapeHatchEnabledbooleanWhether the network escape hatch is enabled. If a network connection can't be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.Note: Setting wifiConfigDisabled to true will override this setting under specific circumstances. Please see wifiConfigDisabled for further details.
vpnConfigDisabledbooleanWhether configuring VPN is disabled.

Methods

NameAccessible byRequired ParamsDescription
enterprises_policies_getSELECTenterprisesId, policiesIdGets a policy.
enterprises_policies_listSELECTenterprisesIdLists policies for a given enterprise.
enterprises_policies_deleteDELETEenterprisesId, policiesIdDeletes a policy. This operation is only permitted if no devices are currently referencing the policy.
enterprises_policies_patchEXECenterprisesId, policiesIdUpdates or creates a policy.