How to configure Policies in Android Enterprise
There are many different settings and configurations that you can apply, and the following sections explain all of the Policy options available:
- Reporting Settings
- Application Control
- Password Requirements
- System Updates
- Enforcement Rules
- Kiosk Customization
- Stay On Modes
- User Facing Messages
- Setup Actions
- Private Key Rules
- Intent Handler Activities
GENERAL SETTINGS
The general settings section of Android Enterprise policies allows you to configure
things like the device’s settings. The following items can be configured (an
explanation is included where one is needed):
- Version: Shows the version number of the policy. Every change you make to a
  policy increases the number by 1
- Default Permission Policy: This setting defines the default permission policy
  for runtime permission requests. The possible values include:
  - Default: If the policy is left blank, it will use the default device setting
  - Prompt: Users are prompted to approve the permission
  - Grant: Permissions are automatically granted
  - Deny: Permissions are automatically denied
- Location Mode: This setting selects the permission policy for location services. The possible values include:
  - Default: If the policy is left blank, it will use the default device setting
  - High Accuracy: GPS is turned on and set to the most accurate setting
  - Sensors Only: Activates GPS only and does not use network-provided location
  - Battery Saving: Limits the update frequency of the GPS to save battery
  - Off: GPS and location tracking are turned off
- App Auto Update Policy: This setting controls when automatic app updates can be applied. The possible values include:
  - Default: If the policy is left blank, it will use the default device setting
  - User Choice: The end user can control auto-updates
  - Never: Apps are never updated
  - WiFi Only: Apps are auto-updated over Wi-Fi only
  - Always: Apps are auto-updated at any time. Data charges may apply
- Encryption Policy: This setting creates and enforces an encryption policy on the device for internal and external storage. The possible values include:
  - Default: If the policy is left blank, it will use the default device setting
  - Enable Without Password
  - Enable With Password
- Play Store Mode: This setting lets you whitelist and blacklist applications installed on the device. The possible values include:
  - Default: If the policy is left blank, it defaults to Whitelist
  - Whitelist: Only apps that are in the policy are available; any app not in the policy is automatically uninstalled from the device
  - Blacklist: All apps are available; any app that should not be on the device must be explicitly marked as 'Blocked' in the applications policy
- Screen Capture Disabled: The ability to take screenshots is disabled
- Camera Disabled: The camera app is disabled
- Add User Disabled: The ability to add users is disabled
- Adjust Volume Disabled: The ability to change the volume is disabled
- Factory Reset Disabled: Users cannot reset the device.
  It is highly recommended that Factory Reset Disabled be turned on to prevent any undesired reset of your devices.
- Install App Disabled: Users are not allowed to install apps
- Mount Physical Media Disabled: Users will not be able to use external media devices such as SD card or USB storage
- Modify Accounts Disabled: Users will not be able to modify accounts on the device
- Safe Boot Disabled: Rebooting the device into safe boot is disabled
- Uninstall Apps Disabled: Takes away the user's ability to uninstall apps
- Keyguard Disabled: Disables the device’s lock screen password requirements, allowing the device to auto-launch into an application
- Bluetooth Contact Sharing Disabled: Disables the ability to share contacts over Bluetooth
- Bluetooth Config Disabled: Bluetooth is disabled
- Cell Broadcasts Config Disabled: Cell broadcasts are disabled
- Credentials Config Disabled: Configuring credentials is disabled
- Mobile Networks Config Disabled: Mobile data is turned off
- Tethering Config Disabled: Tethering is disabled
- VPN Config Disabled: VPN is disabled
- Create Windows Disabled: Prevents a window from being created and launched when users use multi-window
- Network Reset Disabled: The ability to reset network settings is taken away
- Outgoing Beam Disabled: Prevents users from using NFC to beam data out of applications
- Outgoing Calls Disabled: The ability to make outgoing calls is taken away
- Remove User Disabled: The ability to remove users is disabled
- Share Location Disabled: Location sharing is disabled
- SMS Disabled: Takes away the ability to use SMS
- Unmute Microphone Disabled: Takes away the ability to unmute the microphone on the device
- USB File Transfer Disabled: Takes away the ability to transfer files over USB
- Ensure Verify Apps Enabled: Scans apps installed on devices for malware before and after they are installed, helping to ensure that corporate data can't be compromised by malicious apps
- Set User Icon Disabled: Prevents end users from changing or setting their user icon on the device
- Set Wallpaper Disabled: Disables the ability to change the wallpaper on the device
- Data Roaming Disabled: The data roaming function is disabled on the device
- Network Escape Hatch Enabled: Enables the escape hatch feature on your device. If a network connection is not established when a device boots, the escape hatch asks to temporarily connect to a network and refresh the device policy. After applying the policy, the temporary network is forgotten and the device continues booting. This prevents the device from being left without a network connection when:
  - there is no suitable network in the last policy
  - the device boots into an app in lock task mode
  - the user is otherwise unable to reach the device settings
- Bluetooth Disabled: The Bluetooth function is disabled on the device
- Install From Unknown Sources Allowed: Allows apps from any source to be installed on the device
- Debugging Features Allowed: Allows the user to enable debugging features on the device
- Fun Disabled: Controls whether the Easter egg game in Settings is disabled
- Auto Time Required: Prevents end users from manually setting the date and time
- Kiosk Custom Launcher Enabled: Replaces the home screen with a launcher that locks down the device to the apps installed via the applications setting. Apps appear on a single page in alphabetical order. The status bar is disabled when this is set.
  Note: applications configured via the “Application Control” section of this profile cannot be set to “Kiosk” under “Install Type” or the policy will fail to install.
- Skip First Use Hints Enabled: Enables the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up
- Private Key Selection Enabled: Allows the device to show a UI for the end user to choose a private key alias when no matching rules are configured.
REPORTING SETTINGS
The following settings control which status reports the device sends.
Note: battery percentage and some other reports will not be displayed in Moki unless they are enabled here.
- Application Reports Enabled: Allows reports to be generated that show details of the apps installed on the device
- Device Settings Enabled: Enables reporting of security-related device settings
- Software Info Enabled: Enables reporting of device software information
- Network Info Enabled: Enables reporting of device network information
- Power Management Events Enabled: Enables reporting of power management events
- Hardware Status Enabled: Enables hardware reporting to capture device hardware information
APPLICATION CONTROL
Application control allows you to limit application access on your devices. Before
you can configure the policy, all applications that you would like to manage need to
be added to the “Apps” tab first. Once you have added all of your applications to
the Apps tab, select the + on the “Add policy for an individual app” bar. Then, under
the “General” section, configure what each application will do on your devices.
The following options are configurable:
- App: Select your application from the available list of apps.
- Install Type:
  - Default: Unspecified. Defaults to Available
  - Pre-Installed: The app is automatically installed and can be removed by the user
  - Force Installed: The app is automatically installed and cannot be removed by the user
  - Blocked: The app is blocked and cannot be installed. If the app was installed under a previous policy, it will be uninstalled
  - Available: The app is available to install
  - Required For Setup: The app is automatically installed, cannot be removed by the user, and prevents setup from completing until installation is complete
  - Kiosk: The app is automatically installed in kiosk mode: it is set as the preferred home intent and whitelisted for lock task mode. Device setup won't complete until the app is installed. After installation, users will not be able to remove the app. You can only set this Install Type for one app per policy. When this is present in the policy, the status bar is automatically disabled.
- Managed Config: If you have created an app configuration, you can select it from this drop-down menu
- Permissions: Default Permission Policy
  - Default: If no policy is specified for a permission at any level, the prompt behavior is used by default
  - Prompt: Prompts the end user to grant permissions
  - Grant: Automatically grants permissions
  - Deny: Automatically denies permissions
  Note: you can also set the policy for specific permissions by selecting the + icon under “Grants.” You can then select the permission and the policy for each individual permission
- Minimum Version: Entering a minimum version forces the specified app to update immediately if it is below the minimum version on any device assigned to the Policy.
  NOTE: The Version Code should be entered here, not the app Version.
PASSWORD REQUIREMENTS
This section covers the optional requirements that you can use to unlock a
device. The following password requirement options are available:
- Quality: The required password quality.
  - Default: There are no password requirements
  - Biometric Weak: The device must be secured with a low-security biometric recognition technology, at minimum. This includes technologies that can recognize the identity of an individual that are roughly equivalent to a 3-digit PIN (false detection is less than 1 in
  - Something: A password is required, but there are no restrictions on what the password must contain
  - Numeric: The password must contain numeric characters
  - Numeric Complex: The password must contain numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences
  - Alphabetic: The password must contain alphabetic (or symbol) characters
  - Alphanumeric: The password must contain both numeric and alphabetic (or symbol) characters
  - Complex: The password must meet the minimum requirements specified in password Minimum Length, password Minimum Letters, password Minimum Symbols, etc.
- Minimum Length: The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password Quality is Numeric, Numeric Complex, Alphabetic, Alphanumeric, or Complex
- History Length: The length of the password history. After setting this field, the user will not be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction
- Maximum Failed Passwords For Wipe: The number of incorrect device-unlock passwords that can be entered before the device is wiped. A value of 0 means there is no restriction
- Expiration Timeout: Password expiration timeout. Duration in days
SYSTEM UPDATES
The type of system update configuration:
- Default: Follow the default update behavior for the device, which typically requires the user to accept system updates
- Automatic: Install automatically as soon as an update is available
- Windowed: Install automatically within a daily maintenance window. This also configures Play apps to be updated within the window. This is strongly recommended for kiosk devices because this is the only way apps persistently pinned to the foreground can be updated by the Google
- Postpone: Postpone automatic install up to a maximum of 30 days
- Freeze Period: Set up a time window that repeats annually during which no system updates will occur. One Freeze Period can last no longer than 90 days. Multiple Freeze Periods must be separated by at least 60 days.
ENFORCEMENT RULES
A rule that defines the actions to take if a device or work profile is not compliant
with the policy specified in Setting Name.
- Setting Name: The top-level policy to enforce. Define the actions to take if a device is not compliant with the specified setting. The following options are available:
  - Application Policies
  - Password Policies
  - Encryption Policies
- Block After Days: Number of days the policy is non-compliant before the device is blocked. To block access immediately, set to 0. Block After Days must be less than Wipe After Days
- Wipe After Days: Number of days the policy is non-compliant before the device is wiped. Wipe After Days must be greater than Block After Days
- Preserve Data: Whether the factory-reset protection data is preserved on the device
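Several of the constraints on this page are cross-field rules the policy must satisfy before a device will accept it: Block After Days below Wipe After Days (Enforcement Rules), freeze periods no longer than 90 days and at least 60 days apart (System Updates), and at most one app with the Kiosk install type, never combined with Kiosk Custom Launcher (Application Control and General Settings). The pre-flight lint below is an added example, not Moki's or Google's code; it assumes the Android Management API JSON field names (the page only shows the UI labels) and runs over a constructed sample policy.

```python
"""Pre-flight lint for an Android Management API policy (added example, not Moki's code).
Checks the cross-field rules the page states: Block After Days < Wipe After Days; each
freeze period <= 90 days and any two >= 60 days apart; at most one Kiosk app, never with
Kiosk Custom Launcher; Factory Reset Disabled recommended. JSON field names follow the
Android Management API (an assumption: the page only gives the UI labels)."""
from datetime import date

DAYS_IN_YEAR = 365  # freeze periods are month/day pairs that repeat every year


def _day_of_year(md):
    return date(2001, md["month"], md["day"]).timetuple().tm_yday  # non-leap year: 1..365


def freeze_period_length(period):
    """Inclusive length in days; a period may wrap past 31 December."""
    start, end = _day_of_year(period["startDate"]), _day_of_year(period["endDate"])
    return (end - start) % DAYS_IN_YEAR + 1


def gap_between(first, second):
    """Free days between the end of `first` and the start of `second`, wrapping annually."""
    end, start = _day_of_year(first["endDate"]), _day_of_year(second["startDate"])
    return (start - end - 1) % DAYS_IN_YEAR


def lint_policy(policy):
    """Return human-readable problems; an empty list means the policy passes."""
    problems = []
    for rule in policy.get("policyEnforcementRules", []):
        block = rule.get("blockAction", {}).get("blockAfterDays")
        wipe = rule.get("wipeAction", {}).get("wipeAfterDays")
        if block is not None and wipe is not None and block >= wipe:
            problems.append(f"{rule['settingName']}: blockAfterDays {block} must be less than wipeAfterDays {wipe}")
    periods = sorted(policy.get("systemUpdate", {}).get("freezePeriods", []),
                     key=lambda p: _day_of_year(p["startDate"]))
    for i, period in enumerate(periods):
        if freeze_period_length(period) > 90:
            problems.append(f"freeze period {i} is longer than 90 days")
        # compare with the next period in calendar order, wrapping from the last back to the first
        if len(periods) > 1 and gap_between(period, periods[(i + 1) % len(periods)]) < 60:
            problems.append(f"freeze period {i} ends less than 60 days before the next one")
    kiosk = [a["packageName"] for a in policy.get("applications", []) if a.get("installType") == "KIOSK"]
    if len(kiosk) > 1:
        problems.append(f"only one app may use installType KIOSK, found {kiosk}")
    if kiosk and policy.get("kioskCustomLauncherEnabled"):
        problems.append("kioskCustomLauncherEnabled cannot be combined with a KIOSK install type")
    if not policy.get("factoryResetDisabled"):
        problems.append("recommended: set factoryResetDisabled to prevent undesired resets")
    return problems


SAMPLE_POLICY = {  # constructed sample: a kiosk app plus the launcher, an inverted rule, two freezes
    "factoryResetDisabled": True, "kioskCustomLauncherEnabled": True,
    "applications": [{"packageName": "com.example.kiosk", "installType": "KIOSK"}],
    "systemUpdate": {"type": "WINDOWED", "startMinutes": 120, "endMinutes": 240, "freezePeriods": [
        {"startDate": {"month": 12, "day": 1}, "endDate": {"month": 1, "day": 15}},
        {"startDate": {"month": 2, "day": 20}, "endDate": {"month": 3, "day": 1}}]},
    "policyEnforcementRules": [{"settingName": "passwordPolicies", "blockAction": {"blockAfterDays": 7},
                                "wipeAction": {"wipeAfterDays": 5, "preserveFrp": True}}],
}

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_POLICY)))  # the sample trips three of the checks
```

The sample deliberately violates three rules (inverted block/wipe days, a 35-day gap between the December and February freezes, and a Kiosk app together with the custom launcher); a policy that passes returns an empty list.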
KIOSK CUSTOMIZATION
Additional device configurations available when using the "Kiosk Custom Launcher", or using a single app with an Install Type of "Kiosk" (App Lock)
- Power Button Actions: Controls the actions available when the power button is long-pressed (held down)
  - Available: If the Power button is long-pressed, the user is given the options to power off or restart the device.
  - Blocked: If the Power button is long-pressed, nothing happens.
- System Navigation: Controls access to the Home and Recent Apps buttons
  - Enabled: Both the Home and Recent Apps buttons are enabled
  - Disabled: Both the Home and Recent Apps buttons are disabled.
  - Home Button Only: Only the Home button is enabled. The Recent Apps button is disabled.
- Device Settings: Controls whether the Device Settings can be accessed
  - Enabled: Device Settings can be accessed from any location where there is a link to Device Settings
  - Blocked: Device Settings access is blocked from any location where there is a link to Device Settings
- System Error Warnings: Controls whether system error dialogs for crashed or unresponsive apps are blocked
  - Enabled: System error dialogs for crashed and unresponsive apps are displayed on the device
  - Muted: System error dialogs for crashed and unresponsive apps are blocked from displaying on the device
  NOTE: When System Error Warnings are Muted, the system force-stops the app as if the user had chosen the "close app" option in the UI.
- Status Bar: Controls whether system info in the top info bar and notifications are disabled
  - System Info Enabled: All system info and notifications are enabled and accessible in the top info bar
  - System Info Disabled: All system info and notifications are disabled and access to the top info bar is blocked
  - System Info Only: System info, such as time, battery level, and WiFi and cellular signal strength, is visible in the top info bar. However, notifications and the swipe-down feature are disabled
STAY ON MODES
Allows a user to set the device screen to always stay on, and never sleep, as long as it is plugged in and charging with one of the selected charging methods
NOTE: When using this setting, it is recommended to clear Max Time To Lock so that the device doesn't lock itself while it stays on.
- AC: Device screen will stay on while charging using an AC charger.
- USB: Device screen will stay on while charging using a USB port power source.
- Wireless: Device screen will stay on while charging using a wireless power source
USER FACING MESSAGES
- Short Support Message: A message displayed to the user in the settings screen wherever functionality has been disabled by the admin
NOTE: If the message is longer than 200 characters it may be truncated
- Long Support Message: Typically used in the same place as a Short Support Message when there is an option for "more details," the Long Support Message will display
- Device Owner Lock Screen Info: Message that will display on the lock screen of the device. Could be used to display the device owner info
SETUP ACTIONS
Allows you to require the launch and configuration of an app during device enrollment and setup. You can specify one app to be launched during device enrollment and setup. This app must return RESULT_OK to signal completion and allow the remaining device setup and enrollment to complete.
- Title: Title of the action. Will be displayed to the user on the device during setup
- Description: Description of the action needed. Will be displayed to the user on the device during setup
- Launch App (Package Name): The Package Name of the app required to launch and configure during device enrollment and setup
PRIVATE KEY RULES
Rules for automatically choosing a private key and certificate to authenticate the device to a server.
The rules are ordered by increasing precedence, so if an outgoing request matches more than one rule, the last rule defines which private key to use.
- URL Pattern: The URL pattern to match against the URL of the outgoing request. The pattern may contain asterisk (*) wildcards. Any URL is matched if unspecified
- Package Names: The package names for which outgoing requests are subject to this rule. If no package names are specified, the rule applies to all packages. For each package name listed, the rule applies to that package and all other packages that share the same Android UID. The SHA256 hash of the signing key signatures of each packageName will be verified against those provided by Play
- Private Key Alias: The alias of the private key to be used.
INTENT HANDLER ACTIVITIES
A default activity for handling intents that match a particular intent filter.
NOTE: To set up a kiosk, set the app's Install Type to Kiosk rather than using persistent preferred activities.
- Receiver Activity: The activity that should be the default intent handler. This should be an Android component name, e.g. com.android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent
- Actions: The intent actions to match in the filter. If any actions are included in the filter, then an intent's action must be one of those values for it to match. If no actions are included, the intent action is ignored
- Categories: The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent