This page contains example policies for devices with work profiles.
Personally-owned devices
After provisioning a personally-owned device with a work profile, Android Device Policy automatically applies policy settings to the work profile only. This makes it possible to apply the same policy to devices with work profiles and fully managed devices.
// Applies to the work profile.
"passwordRequirements": {
"passwordMinimumLength": 6,
"passwordQuality": "ALPHABETIC"
},
"applications": [{
"defaultPermissionPolicy": "GRANT",
"installType": "FORCE_INSTALLED", // Auto-installs app in the work profile
"packageName": "com.google.android.gm"
},
{
"installType": "AVAILABLE", // Adds app to the work profile's managed Play Store
"packageName": "com.google.android.apps.docs"
}],
// Applies to the whole device.
"parentProfilePasswordRequirements": {
"passwordMinimumLength": 4,
"passwordQuality": "NUMERIC_COMPLEX"
}
Company-owned devices
After a provisioning a company-owned device with a work profile, Android Device Policy automatically applies most policy settings to the work profile only. While the personal profile maintains user privacy, enterprises can enforce select restrictions and settings in the personal profile and across the whole the device.
Work Profile Widgets
workProfilewidgets provides greater control for IT admins over what widgets display on the home screen of a device.
This is currently set to disallowed as default but can be allowed using the application level workProfileWidgets and device level workProfileWidgetsDefault APIs.
Personal usage policies
Enterprise can enforce certain restrictions in the personal profile of a
company-owned device, such as blocking the installation of specific apps,
disabling the camera, and setting a limit for how long a user can pause their
work profile. See personalUsagePolicies
for more information.
Device-wide policies
The policies in this table apply to an entire device.
| Policy name | ||
|---|---|---|
frpAdminEmails |
deviceOwnerLockScreenInfo |
systemUpdate |
addUserDisabled |
bluetoothDisabled |
bluetoothConfigDisabled |
cellBroadcastsConfigDisabled |
mobileNetworksConfigDisabled |
tetheringConfigDisabled |
wifiConfigDisabled |
dataRoamingDisabled |
shareLocationDisabled |
smsDisabled |
usbFileTransferDisabled |
autoTimeRequired |
mountPhysicalMediaDisabled |
outgoingCallsDisabled |
setWallpaperDisabled |
unmuteMicrophoneDisabled |
Example policy
// Applies to the work profile
"passwordRequirements": {
"passwordMinimumLength": 6,
"passwordQuality": "ALPHABETIC"
},
"applications": [{
"defaultPermissionPolicy": "GRANT",
"installType": "FORCE_INSTALLED", // Auto-installs app in the work profile
"packageName": "com.google.android.gm"
},
{
"installType": "AVAILABLE", // Adds app to the work profile's managed Play Store
"packageName": "com.google.android.apps.docs"
}],
// Applies to the personal profile
"personalUsagePolicies": {
"personalPlayStoreMode": "BLACKLIST",
"personalApplicationPolicy": [{
"packageName": "com.example.app",
"installType": "BLOCKED"
}],
"maxDaysWithWorkOff": 3,
"cameraDisabled": true,
"screenCaptureDisabled": true
},
// Applies to the whole device.
"bluetoothDisabled": true,
"usbFileTransferDisabled": true
Known Issue
On a company-owned device, retrieving and updating the personal usage policy may not be immediate (the delay should be no longer than ten minutes); until this has occured the "No result found" screen is displayed. Otherwise a user could install any app from the Play store, between phone start up and the personal usage policy being loaded and applied.
After applying a personal usage policy, wait ten minutes, then trigger a cache update (e.g. by selecting an app) and then re-open the personal Play app. The personal usage policy should then have been applied correctly.