This page summarizes all changes (new features, bug fixes, updates) to the Android Management API and Android Device Policy each month.
Join the Android Management API mailing list to receive monthly updates and service advisories directly to your inbox.
December 2024
Android Management API
-
For Android 15 and later, IT admins can now use the
privateSpacePolicy
to allow or disallow the creation of a Private Space. -
For Android 15 and later, we introduced
WifiRoamingMode
inWifiRoamingPolicy
, allowing IT admins to disable Wi-Fi roaming for specific SSIDs on fully managed devices and on work profiles on company-owned devices. - Various items of our documentation have been updated:
-
The description of the
keyguardDisable
field now includes information about management mode. -
The
securityPosture
documentation now includes a table that shows the equivalent Play Integrity API verdict for each AM API verdict.
-
The description of the
November 2024
Android Management API
-
We now prevent users from changing their email address during customers
signup. We also introduced validation for
admin_email
when creating a signup URL. - Various items of our documentation have been updated:
-
We updated the description for the
addUserDisabled
policy. For devices wheremanagementMode
isDEVICE_OWNER
this field is ignored and the user is never allowed to add or remove users. -
We updated the
ExtensionConfig
to clarify that exempt from battery restrictions applies to Android 11 and above. -
We updated the description of the
PermissionPolicy
. -
We clarified to how many applications a scope can be delegated in the
DelegatedScope
enum.
-
We updated the description for the
October 2024
Android Management API
- We updated the behavior of the
CommonCriteriaMode
policy.
COMMON_CRITERIA_MODE_ENABLED
will now enable cryptographic policy integrity check and additional network certificate validation. The result of the policy integrity check is set toPolicySignatureVerificationStatus
ifstatusReportingSettings.commonCriteriaModeEnabled
is set totrue
.
There are no changes to the behaviour of the default value (COMMON_CRITERIA_MODE_UNSPECIFIED
) or when explicitly disabling it withCOMMON_CRITERIA_MODE_DISABLED
. - We updated the documentation for
PERSONAL_USAGE_DISALLOWED_USERLESS
to remind developers that this change is necessary before January 2025. If this change is omitted, users may encounter an "Authenticate with Google" prompt during enrollment, when their IT admin has this feature enabled.
The complete timeline for this feature is published on the Android Enterprise partner portal: Feature Timeline: Improved sign-up flow, device enrollment, and on-device experiences. - We updated the documentation for
CrossProfileDataSharing
to include details of simple data sharing via intents.
September 2024
Android Management API
The Android Management API now supports the following Android 15 features:
- For Android 15 and above a new policy has been added to control Wi-Fi
roaming settings. IT Admins can use
WifiRoamingPolicy
to select the desiredWifiRoamingMode
. Supported on fully managed devices and work profiles on company-owned devices.
Android 15 release
Android Management API
The Android Management API now supports the following Android 15 features:
- Android 15 introduces a new policy to control
Circle to Search. IT admins can use
AssistContentPolicy
to control this feature. - Android 15 introduces a new policy to control Phishing Detection of apps.
IT admins can use
ContentProtectionPolicy
to control whether the app is scanned by On Device Abuse Detection (ODAD) for phishing malware. - Android 15 expands the support of
screen brightness and
screen timeout settings using the
DisplaySettings
policy to company-owned devices with a work profile. This setting was previously available only on fully managed devices.
August 2024
Android Management API
- On Android 13+, IT Admins can now query the
ICCID
associated with the SIM card of theTelephonyInfo
included in aNetworkInfo
. This is supported on fully managed devices when thenetworkInfoEnabled
field instatusReportingSettings
is set totrue
. - Various items of our documentation have been updated:
- We updated the documentation for the Common Criteria Mode to clarify that it is only supported on company-owned devices running Android 11 or above.
- We documented the optional field
DefaultStatus
inSigninDetail
.
July 2024
Android Management API
- Various items of our documentation have been updated:
- We removed the note in the documentation for
enrollmentToket.create
about not being able to retrieve the token content anymore as it is possible getting the enrollment token value usingenrollmentTokens.get
. - We clarified
NonComplianceReason
documentation.
- We removed the note in the documentation for
June 2024
Android Management API
- IT admins can now control the
screen brightness and
screen timeout settings using the
DisplaySettings
policy. Supported on fully managed devices, on Android 9 and above. - We've updated our documentation to explain that, even when using
AUTO_UPDATE_HIGH_PRIORITY
, updates to apps with larger deployments across Android's ecosystem can take up to 24h. - We've updated the Android Management API SDK (AMAPI SDK) to explain
the different use cases that this library (originally known as
Extensibility SDK) now supports. The updated documentation covers:
See AMAPI SDK release notes to know what is the latest version available.
May 2024
Android Management API
- The
get
andlist
methods forenrollmentTokens
now return populatedvalue
,qrCode
, andallowPersonalUsage
fields. - For fully managed devices, the
AllowPersonalUsage
setting now supports thePERSONAL_USAGE_DISALLOWED_USERLESS
. - On Android 11+ the new
UserControlSettings
policy allows to specify whether user control is permitted for a given app.UserControlSettings
includes user actions like force-stopping and clearing app data. - Version 1.1.5 of the AMAPI SDK is now available. Additional
information is available on the
release notes page.
Note: We strongly recommend to always use the latest available version of the library to benefit from the available bug fixes and improvements.
April 2024
Android Management API
- On Android 13+, for company-owned devices, we added controls over
which WiFi SSIDs devices can connect to. Using
WifiSsidPolicy
IT Admins can specify a list of SSIDs to be added to an allowlist (WIFI_SSID_ALLOWLIST
) or to a denylist (WIFI_SSID_DENYLIST
). - For corporate-owned devices, we added hardware identifiers (IMEI,
MEID, and serial number) to
ProvisioningInfo
that EMMs can now access during device setup using the sign-in URL.
March 2024
Android Management API
- We added additional controls over app installation using
InstallConstraint
, IT admins can restrict app installation based on specific criteria.
By settinginstallPriority
, IT admins can ensure that critical apps are installed first. - On Android 10+, AMAPI supports configuring enterprise 192 bit networks
in
openNetworkConfiguration
by passing Security value WPA3-Enterprise_192.
On Android 13+, in theMinimumWifiSecurityLevel
policy, we now supportENTERPRISE_BIT192_NETWORK_SECURITY
, which can be used to ensure that devices do not connect to Wi-Fi networks below this security level. - We have updated the
UsbDataAccess
setting so that theUSB_DATA_ACCESS_UNSPECIFIED
value defaults toDISALLOW_USB_FILE_TRANSFER
.
February 2024
Android Management API
- On Android 9+, IT admins can now control whether printing is allowed
using the
printingPolicy
field. - For Android 14+, a new policy is added to control
CredentialProvider
apps. IT admins can use the
credentialProviderPolicy
field to control whether the app is allowed to act as a credential provider. - A new policy is added to control
Arm Memory Tagging Extension (MTE) on the device. The
MtePolicy
field is supported on fully managed devices and work profiles on company-owned devices with Android 14 and above. - We have updated how AM API receives errors related to installs that
are triggered by IT admins. As a result of this migration, the
InstallationFailureReason
field now also includes client errors (in addition to the server errors). - For Android 12+, IT admins can use a key pair installed on the device
for enterprise Wi-Fi authentication. See the new
ClientCertKeyPairAlias
field in Open Network Configuration (ONC) and our network configuration guide for more information.
January 2024
Android Management API
- Devices managed by your custom DPC can now be seamlessly migrated to use Android Management API.
December 2023
Android Management API
- Added
MinimumWifiSecurityLevel
to define the different minimum security levels required to connect to Wi-Fi networks. Supported on fully managed devices and work profiles on company-owned devices with Android 13 and above.
November 2023
Android Management API
- Android 12+ now supports passwordless enterprise Wi-Fi network
configuration using
Identity
andPassword
fields in Open Network Configuration. This was already supported prior to Android 12.Note: On Android 12+, for Wi-Fi networks with EAP username/password authentication, if the user password is not provided and
AutoConnect
is set totrue
, the device might try to connect to the network with a randomly generated placeholder password. To avoid this when the user’s password is not provided, setAutoConnect
tofalse
. - Local device events that occur in quick succession are batched and
reported in a single
Pub/Sub message to EMMs.
Event type Expected latency between on-device event and corresponding EMM notification1 Previous behavior New behavior High priority keyed app states Immediate, at most one report per minute Immediate, at most one report per minute Standard priority keyed app states Schedule-based Within one minute Application-related events during provisioning, for apps with install states defined by the IT admin2 Integrated into other provisioning-related events Within one minute on top of other related provisioning events Application-related events after provisioning, for apps with install states defined by the IT admin2 Schedule-based Within 5 minutes Application-related events both during and after provisioning, for apps with install states defined by the employee3 Schedule-based Within 60 minutes Other on-device app events Schedule-based Within 60 minutes Best effort targets based on controlled circumstances. Actual latency may vary according to a variety of device and environmental factors.
2InstallType
of apps enforced in the policy:FORCE_INSTALLED
,BLOCKED
,REQUIRED_FOR_SETUP
,PREINSTALLED
andKIOSK
.
3InstallType
of available apps:AVAILABLE
,INSTALL_TYPE_UNSPECIFIED
.
October 2023
Android Management API
- Apps launched as
SetupAction
can now cancel enrollment. This will reset a company-owned device or deletes the work profile on a personally-owned device.
Android 14 release
Android Management API
With the release of Android 14, the Android Management API now supports the following Android 14 features:
- Restricting work profile contacts access
to system applications and personal apps specified in
exemptionsToShowWorkContactsInPersonalProfile
. Now access to work profile contacts can be enabled for all personal apps, select personal apps, or no personal apps.For convenience, the new
SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED_EXCEPT_SYSTEM
option inshowWorkContactsInPersonalProfile
ensures that the only personal apps to access work contacts are the device default Dialer, Messages, and Contacts apps. In this case, neither user-configured Dialer, Messages, and Contacts apps, nor any other system or user-installed personal apps, will be able to query work contacts. - Disable use of the ultra wideband
radio on the device. This can be achieved using the new
deviceRadioState.ultraWidebandState
policy. - Block the use of cellular 2G,
improving network security. This is offered through the new
deviceRadioState.cellularTwoGState
policy. - Android 14 introduces
customizable lock screen shortcuts.
The lock screen features admin control, which includes camera, fingerprint unlock, face unlock, etc, has been extended to also disable lockscreen shortcuts using the new
SHORTCUTS
option.
September 2023
Android Management API
- Device and provisioning information can now be optionally retrieved
during setup, allowing developers to create more targeted policies during
setup or filter devices according to the supplied attributes. The sign-in url
will now include a
provisioningInfo
parameter which can be exchanged for the corresponding device details using the new provisioningInfo get method. SigninDetails
can now be distinguished from one another with a customizabletokenTag
value.
August 2023
Android Management API
- Introduced Lost Mode for company-owned devices. Lost mode enables employers to remotely lock and secure a lost device and optionally to display a message on the device screen with contact information to facilitate asset recovery.
- Added support for certificate selection delegation which grants an app
access to selection of KeyChain certificates on behalf of requesting apps.
See
DelegatedScope.CERT_SELECTION
for more details. - Added additional WiFi management policies:
configureWifi
- Admins can now disable adding or configuring WiFi networks.wifiConfigDisabled
is now deprecated.wifiDirectSettings
- This policy can be used to disable configuring WiFi direct.tetheringSettings
- This policy can be used to disable WiFi tethering or all forms of tethering.tetheringConfigDisabled
is now deprecated.wifiState
- This policy can be used to force enable/disable WiFi in a user's device.
- Sharing of admin configured WiFi networks will be disabled from Android 13 and above
July 2023
Android Management API
- Added
userFacingType
field toApplicationReport
to signal whether an app is user facing. - Added
ONC_WIFI_INVALID_ENTERPRISE_CONFIG
specific non-compliance reason.
Non-compliance with reasonINVALID_VALUE
and specific reasonONC_WIFI_INVALID_ENTERPRISE_CONFIG
is reported if enterprise Wi-Fi network does not haveDomainSuffixMatch
set. - New Pub/Sub notification
EnrollmentCompleteEvent
added, as a type ofUsageLogEvent
that is published when the device finishes the enrollment. - Added
airplaneModeState
indeviceRadioState
to control the current state of airplane mode and whether the user can toggle it on or off. By default, the user is allowed to toggle airplane mode on or off. Supported on fully managed devices and work profiles on company-owned devices, on Android 9 and above.
June 2023
Android Management API
- Added support for the
DomainSuffixMatch
field in Open Network Configuration to configure enterprise WiFi networks for Android 6+. Enterprise WiFi configurations withoutDomainSuffixMatch
are considered insecure and will be rejected by the platform. - Added
UsbDataAccess
policy setting that allows admins to fully disable USB data transferring.usbFileTransferDisabled
is now deprecated, please useUsbDataAccess
.
December 2022
Android Management API
-
Management capabilities over Work Profile Widgets have been improved with the addition of two new API fields:
workProfileWidgets
on the application level andworkProfileWidgetsDefault
on the device level. These allow greater control over whether an application running in the work profile can create widgets on the parent profile e.g. the home screen. This functionality is disallowed by default, but can be set to allowed usingworkProfileWidgets
andworkProfileWidgetsDefault
, and is only supported for work profiles. -
We have added support to set MAC address randomization settings while configuring WiFi networks. Admins can now specify whether
MACAddressRandomizationMode
is set toHardware
orAutomatic
while configuring WiFi networks which takes effect on devices with OS version Android 13 and above and is applicable on all management modes. If set toHardware
the factory MAC address will be configured to the WiFi network, whereasAutomatic
the MAC address will be random. - Various items of our documentation have been updated:
-
Understanding Security Posture has been created to provide clarity on the potential responses from
devicePosture
andsecurityRisk
evaluations. -
autoUpdateMode
has been provided forautoUpdatePolicy
as a recommended alternative due to greater flexibility with update frequency. -
We have provided clarification that
BlockAction
andWipeAction
are restricted to company-owned devices. - The Pub/Sub notifications page has been updated to accurately reflect the resource types for different notification types.
- For Android 13+, extension apps are exempt from battery restrictions so will not be placed into the restricted App Standby Bucket.
October 2022
Android Management API
- Various items of our documentation have been updated:
- We recommend having one policy per device, to enable granular device-level management capabilities.
- In order for FreezePeriods to work as expected, system update policy cannot be set as SYSTEM_UPDATE_TYPE_UNSPECIFIED.
- Additional suggestions have been provided for policy updates regarding visibility of password steps during company-owned device provisioning.
- shareLocationDisabled is supported for fully managed devices and personally owned work profiles.
- We have provided an updated description on the usage of enterprises.devices.delete and its effects on device visibility.
- Maximum enrollment token duration is now 10,000 years, where it was previously 90 days.
July 12 2022
Android Management API
- Added NETWORK_ACTIVITY_LOGS and SECURITY_LOGS values to the DelegatedScope to grant device policy applications access to the corresponding logs.
June 14 2022
Android Management API
- Added specificNonComplianceReason and specificNonComplianceContext to NonComplianceDetail to provide detailed context for policy application errors.
June 6 2022
Android Management API
- Added a command to allow the admin to remotely clear the application data of an app.
- Enrollment tokens can now be created with a longer duration than the previous maximum of 90 days, up to approximately 10,000 years. Enrollment tokens that last longer than 90 days will have a length of 24 characters, while tokens that last 90 days or less will continue to have 20 characters.
May 24 2022
Android Management API
- Hardware-backed security features such as key attestation will now be used in device integrity evaluations, when supported by the device. This provides a strong guarantee of system integrity. Devices that fail these evaluations or do not support such hardware-backed security features will report the new HARDWARE_BACKED_EVALUATION_FAILED SecurityRisk.
May 16 2022
Android Management API
- Added unifiedLockSettings in PasswordPolicies to allow the admin to configure if the work profile needs a separate lock.
March 25 2022
Android Management API
- Added alwaysOnVpnLockdownExemption to specify which apps should be exempt from the AlwaysOnVpnPackage setting.
- Added all available fields from the Play EMM API Products resource to the Application resource.
February 22 2022
Android Management API
- Added cameraAccess to control the use of camera and camera toggle, and microphoneAccess, to control the use of microphone and microphone toggle. These fields replace newly deprecated cameraDisabled and unmuteMicrophoneDisabled, respectively.
February 15 2022
AMAPI SDK
- Minor bug fixes. See Google's Maven Repository for more details.
November 15 2021
Android Device Policy
-
Apps that are marked as unavailable in
personalApplications
will now be uninstalled from the personal profile of company-owned devices if already installed, as they are in the ApplicationPolicy for work profile and fully managed devices.
September 17 2021
Android Management API
-
You can now designate an app as an extension app using
ExtensionConfig
. Extension apps can communicate directly with Android Device Policy and in future will be able to interact with the complete set of management features offered in the Android Management API, enabling a local interface for managing the device that does not require server connectivity.- This initial release includes support for local execution of
Commands
, and currently only theClearAppData
command. See the extensibility integration guide for more details. - The remaining commands will be added over time, as well as additional extension app features designed to expose the breadth of device management features to the extension app.
- This initial release includes support for local execution of
June 30 2021
Android Device Policy
- Minor bug fixes
June 2 2021
Android Device Policy
- Minor bug fixes
May 5 2021
Android Device Policy
- Minor bug fixes
April 6 2021
Android Device Policy
- Minor bug fixes
March 2021
Android Management API
- Added two new
AdvancedSecurityOverrides
. These policies enable Android Enterprise security best practices by default, while allowing organizations to override the default values for advanced use cases. googlePlayProtectVerifyApps
enables Google Play's app verification by default.developerSettings
prevents users from accessing developer options and safe mode by default, capabilities that would otherwise introduce risk of corporate data exfiltration.-
ChoosePrivateKeyRule
now supports the direct grant of specific KeyChain keys to managed apps. - This allows the target app(s) to access specified keys by calling
getCertificateChain()
andgetPrivateKey()
without having to first callchoosePrivateKeyAlias()
. - Android Management API defaults to granting direct
access to the keys specified in policy, but otherwise falls back to
granting access after the specified app has called
choosePrivateKeyAlias()
. SeeChoosePrivateKeyRule
for more details.
Deprecations
ensureVerifyAppsEnabled
is now deprecated. Use thegooglePlayProtectVerifyApps
AdvancedSecurityOverrides
instead.- Existing API users (Google Cloud projects with Android Management
API enabled as of April 15, 2021) can continue to use
ensureVerifyAppsEnabled
until October 2021, but are encouraged to migrate toAdvancedSecurityOverrides
as soon as possible. In OctoberensureVerifyAppsEnabled
will no longer function. debuggingFeaturesAllowed
andsafeBootDisabled
are now deprecated. Use thedeveloperSettings
AdvancedSecurityOverrides
instead.- Existing API users (Google Cloud projects with Android Management
API enabled as of April 15, 2021) can continue to use
debuggingFeaturesAllowed
andsafeBootDisabled
until October 2021, but are encouraged to useAdvancedSecurityOverrides
as soon as possible. In OctoberdebuggingFeaturesAllowed
andsafeBootDisabled
will no longer function.
February 2021
Android Management API
- Added
personalApplications
support for company-owned devices starting from Android 8. The feature is now supported on all company-owned devices with a work profile. - Device phone number is now reported on Fully Managed Devices as part
of the
Device
resource.
January 2021
Android Device Policy
- Minor bug fixes
December 2020
Android Management API
- Added
personalApplications
toPersonalUsagePolicies
. On company-owned devices, IT can specify an allow or blocklist of applications in the personal profile. This feature is currently available only on Android 11 devices, but will be backported to Android 8 in a future release.
Android Device Policy
- Minor updates to the provisioning UI
November 2020
Android Management API
- Added
AutoDateAndTimeZone
, replacing the deprecatedautoTimeRequired
, to control auto date, time, and time zone configuration on a company-owned device. - Starting in Android 11, users can no longer clear app data or force
stop applications when the device is configured as a kiosk (that is,
when the
InstallType
of one application inApplicationPolicy
is set toKIOSK
). - Added new
LocationMode
controls to replace deprecated location detection method controls. On company-owned devices, IT can now choose between enforcing location, disabling location, or allowing users to toggle location on and off. - Added support for
CommonCriteriaMode
, a new feature in Android 11. Can be enabled to address specific Common Criteria Mobile Device Fundamentals Protection Profile (MDFPP) requirements.
Deprecations
autoTimeRequired
is now deprecated, following the deprecation of specific auto time controls in Android 11. UseAutoDateAndTimeZone
instead.- The following
LocationMode
options are now deprecated, following their deprecation in Android 9:HIGH_ACCURACY
,SENSORS_ONLY
,BATTERY_SAVING
, andOFF
. UseLOCATION_ENFORCED
,LOCATION_DISABLED
, andLOCATION_USER_CHOICE
instead.
October 2020
Android Device Policy
- Added
RELINQUISH_OWNERSHIP
as a new type of device command. When deploying work profile, admins can relinquish ownership of company-owned devices to employees, wiping the work profile and resetting any device policies to factory state, while leaving personal data intact. In doing so, IT loses claim to the ownership of the device now and in the future and should not expect the device to re-enroll. To factory reset a device while maintaining ownership, use thedevices.delete
method instead.
August 2020
Android Management API
-
Improvements to the work profile experience on company-owned devices were announced in the Android 11 developer preview. Android Management API adds support for these improvements for devices running Android 8.0+ or higher. Enterprises can now designate work profile devices as company-owned, allowing management of a device's work profile, personal usage policies, and certain device-wide settings while still maintaining privacy in the personal profile.
- For a high-level overview of enhancement to the work profile experience, see Work profile: the new standard for employee privacy.
- See Company-owned devices for work and personal use to learn how to set up a work profile on a company-owned device.
- An example policy for a company-owned device with a work profile is available in Devices with work profiles.
- Added
blockScope
toblockAction
. UseblockScope
to specify whether a block action applies to an entire company-owned device or to its work profile only.
Added
connectedWorkAndPersonalApp
toapplicationPolicy
. Starting in Android 11, some core apps can connect across a device's work and personal profiles. Connecting an app across profiles can provide a more unified experience for users. For example, by connecting a calendar app, users could view their work and personal events displayed together.Some apps (for example, Google Search) may be connected on devices by default. A list of connected apps on a device is available in Settings > Privacy > Connected work & personal apps.
Use
connectedWorkAndPersonalApp
to allow or disallow connected apps. Allowing an app to connect cross-profile only gives the user the option to connect the app. Users can disconnect apps at any time.Added
systemUpdateInfo
todevices
to report information on pending system updates.
July 2020
Android Device Policy
- [July 23] Minor bug fixes
June 2020
Android Device Policy
- [June 17] Minor bug fixes.
May 2020
Android Device Policy
- [May 12] Minor bug fixes.
April 2020
Android Device Policy
- [April 14] Minor bug fixes.
March 2020
Android Device Policy
- [March 16] Minor bug fixes.
February 2020
Android Device Policy
- [Feb 24] Minor bug fixes.
January 2020
Android Device Policy
- [Jan 15] Minor bug fixes.
December 2019
Android Management API
- A new policy for blocking untrusted apps (apps from unknown sources) is
available. Use
advancedSecurityOverrides.untrustedAppsPolicy
to:- Block untrusted app installs device-wide (including work profiles).
- Block untrusted app installs in a work profile only.
- Allow untrusted app installed device-wide.
- A timeout period for allowing non-strong screen lock methods (e.g.
fingerprint and face unlock) can now be enforced on a device or work
profile using
requirePasswordUnlock
. After the timeout period expires, a user must use a strong form of authentication (password, PIN, pattern) to unlock a device or work profile. - Added
kioskCustomization
to support the ability to enable or disable the following system UI features in kiosk mode devices:- Global actions launched from the power button (see
powerButtonActions
). - System info and notifications (see
statusBar
). - Home and overview buttons (see
systemNavigation
). - Status bar (see
statusBar
). - Error dialogs for crashed or unresponsive apps (see
systemErrorWarnings
).
- Global actions launched from the power button (see
- Added
freezePeriod
policy to support blocking system updates annually over a specified freeze period. - A new parameter is available in
devices.delete
:wipeReasonMessage
lets you specify a short message to display to a user before wiping the work profile from their personal device.
Deprecations
installUnknownSourcesAllowed
is now marked as deprecated.
Support for the policy will continue until Q2 2020 for users who enabled
Android Management API before 2:00pm GMT on December 19, 2019.
The policy is not supported for users who enabled the API after this date.
advancedSecurityOverrides.untrustedAppsPolicy
replaces installUnknownSourcesAllowed
.
The table below provides a mapping between the two policies. Developers should
update their solutions with the new policy as soon as possible*.
installUnknownSourcesAllowed | advancedSecurityOverrides.untrustedAppsPolicy |
---|---|
TRUE |
ALLOW_INSTALL_DEVICE_WIDE |
FALSE |
ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY Note: Applied to all device types (work profiles and fully
managed). Because fully managed devices don't have a personal profile,
untrusted apps are blocked across the entire device. To block untrusted
apps across an entire device with a work profile, use
|
untrustedAppsPolicy
(DISALLOW_INSTALL
) is
not applied if untrustedAppsPolicy
is set to
UNTRUSTED_APPS_POLICY_UNSPECIFIED
or if the policy is left
unspecified. To block untrusted apps across an entire device, you must
explicitly set the policy to DISALLOW_INSTALL
.
November 2019
Android Device Policy
- [Nov 27] Minor bug fixes.
October 2019
Android Management API
- New
IframeFeature
options allow you to specify which Managed Google Play iframe features to enable/disable in your console.
Android Device Policy
- [Oct 16] Minor bug fixes and performance optimization.
September 04, 2019
Features
- The
policies
resource is now capable of distributing closed app releases (closed app tracks), allowing organizations to test pre-release versions of apps. For details, see Distribute apps for closed testing. - Added
permittedAccessibilityServices
topolicies
, which can be used to:- disallow all non-system accessibility services on a device, or
- only allow specified apps access to these services.
August 6, 2019
Features
- The Android Management API now evaluates the security of a device and
reports findings in device reports
(under
securityPosture
).securityPosture
returns the security posture status of a device (POSTURE_UNSPECIFIED
,SECURE
,AT_RISK
, orPOTENTIALLY_COMPROMISED
), as evaluated by SafetyNet and other checks, along with details of any identified security risks for you to share with customers through your management console.To enable this feature for a device, ensure its policy has least one field from
statusReportingSettings
enabled.
July 02, 2019
Features
- To distinguish that an app is launched from
launchApp
insetupActions
, the activity that's first launched as part of the app now contains the boolean intent extracom.google.android.apps.work.clouddpc.EXTRA_LAUNCHED_AS_SETUP_ACTION
(set totrue
). This extra allows you to customize your app based on whether it's launched fromlaunchApp
or by a user.
May 31, 2019
Maintenance release
- Minor bug fixes and performance optimization.
May 7, 2019
Features
- Added
policyEnforcementRules
to replacecomplianceRules
, which has been deprecated. See the deprecation notice above for more information. - Added new APIs to create and edit web apps. For more details, see Support web apps.
User experience
Android Device Policy: The app’s icon is no longer visible on devices. Users can still view the policy page previously launched by the icon:
- Fully managed devices: Settings > Google > Device Policy
- Devices with work profiles: Settings > Google > Work > Device Policy
- All devices: Google Play Store app > Android Device Policy
April 16, 2019
- Android Device Policy is now available in South Korea.
March 21, 2019
Features
- Added new metadata, including alternate serial numbers, to
devices
. - The number of apps with
installType
REQUIRED_FOR_SETUP
is now limited to five per policy. This is to ensure the best possible user experience during device and work profile provisioning.
February 12, 2019
User experience
- Android Device Policy: Added improved non-compliance messaging to help users return their devices to a compliant state or inform them when it isn’t possible.
- Android Device Policy: After an enrollment token is registered, a
new setup experience guides users through the steps required by their policy
to complete their device or work profile configuration.
Features
- Added new field to
installType
REQUIRED_FOR_SETUP
: If true, the app must be installed before the device or work profile setup completes. Note: If the app isn't installed for any reason (e.g. incompatibility, geo-availability, poor network connection), setup won't complete.
- Added
SetupAction
topolicies
. WithSetupAction
, you can specify an app to launch during setup, allowing a user to further configure their device. See Launch an app during setup for more details. - For enterprises with status reports enabled, new device reports are now issued immediately following any failed attempt to unlock a device or work profile.
Deprecations
- In
policies
,wifiConfigsLockdownEnabled
has been deprecated. WiFi networks specified is policy are now non-modifiable by default. To make them modifiable, setwifiConfigDisabled
to false.
December 10, 2018
Features
- Added support for work profile devices to the sign-in URL provisioning method. Work profile device owners can now sign in with their corporate credentials to complete provisioning.
User experience
Added support for dark mode in Android Device Policy. Dark mode is a display theme available in Android 9 Pie, which can be enabled in Settings > Display > Advanced > Device theme > Dark.
November 2, 2018
Features
- A new enrollment method is available for fully managed devices. The method uses a sign-in URL to prompt users to enter their credentials, allowing you to assign a policy and provision users' devices based on their identity.
- Added support for the managed configurations iframe,
a UI you can add to your console for IT admins to set and save managed
configurations. The iframe returns a unique
mcmId
for each saved configuration, which you can add topolicies
. - Added
passwordPolicies
andPasswordPolicyScope
topolicies
:passwordPolicies
sets the password requirements for the specified scope (device or work profile).- If
PasswordPolicyScope
isn't specified, the default scope isSCOPE_PROFILE
for work profile devices, andSCOPE_DEVICE
for fully managed or dedicated devices. passwordPolicies
overridespasswordRequirements
ifPasswordPolicyScope
is unspecified (default), orPasswordPolicyScope
is set to the same scope aspasswordRequirements
September 20, 2018
Bug fixes
- Fixed issue that made kiosk devices incorrectly appear out of compliance following provisioning, for a subset of policy configurations
August 28, 2018
Features
Updates to support work profile and fully managed device provisioning and management:
- New provisioning methods are available for work profiles:
- Provide users with an enrollment token link.
- Go to Settings > Google > Set up work profile.
- Added new fields to
enrollmentTokens
.oneTimeOnly
: If true, the enrollment token will expire after it's first used.userAccountIdentifier
: Identifies a specific managed Google Play Account.- If not specified: The API silently creates a new account each time a device is enrolled with the token.
- If specified: The API uses the specified account each time a device is enrolled with the token. You can specify the same account across multiple tokens. See Specify a user for more information.
- Added
managementMode
(read-only) todevices
.- Devices with work profiles:
managementMode
is set toPROFILE_OWNER
. - Dedicated devices and fully managed devices:
managementMode
is set toDEVICE_OWNER
.
- Devices with work profiles:
Updates to the policies
resource to improve app management
capabilities:
- Added new field
playStoreMode
.WHITELIST
(default): Only apps added to policy are available in the work profile or on the managed device. Any app not in policy is unavailable, and uninstalled if previously installed.BLACKLIST
: Apps added to policy are unavailable. All other apps listed in Google Play are available.
- Added
BLOCKED
as an InstallType option, which makes an app unavailable to install. If the app is already installed, it will be uninstalled.- You can use installType
BLOCKED
together withplayStoreMode
BLACKLIST
to prevent a managed device or work profile from installing specific apps.
- You can use installType
User experience
- Updated Android Device Policy settings to match device settings.
July 12, 2018
User experience
- Merged the status and device details pages in Android Device Policy into a single page.
- Improved setup UI consistency with Android setup wizard.
Features
- Added PermissionGrants at the policy level. You can now control
runtime permissions at four levels:
- Global, across all apps: set defaultPermissionPolicy at the policy level.
- Per permission, across all apps: set permissionGrant at the policy level.
- Per app, across all permissions: set defaultPermissionPolicy within ApplicationPolicy.
- Per app, per permission: set permissionGrant within ApplicationPolicy.
- When factory resetting a device, the new WipeDataFlag allows
you to:
WIPE_EXTERNAL_STORAGE
: wipe the device's external storage (e.g. SD cards).PRESERVE_RESET_PROTECTION_DATA
: preserve the factory reset protection data on the device. This flag ensures that only an authorized user can recover a device if, for instance, the device is lost. Note: Only enable this feature if you've setfrpAdminEmails[]
in policy.
Bug fixes
- Fixed issue with Android Device Policy exiting lock task mode when updating in the foreground.
May 25, 2018
User experience
- Instead of hiding disabled apps from the launcher, Android 7.0+ devices
now display icons for disabled apps in gray:
Features
- Updated
policies
to support the following certificate management capabilities:- Automatic granting of certificate access to apps.
- Delegating all certificate management features supported by
Android Device Policy to another app (see
CERT_INSTALL
).
- Individual apps can now be disabled in ApplicationPolicy (set
disabled
totrue
), independent of compliance rules. - It's now possible to disable system apps.
- Added application reports to
devices
. For each managed app installed on a device, the report returns the app's package name, version, install source, and other detailed information. To enable, setapplicationReportsEnabled
totrue
in the device's policy. - Updated
enterprises
to include terms and conditions. An enterprise's terms and conditions are displayed on devices during provisioning.
Bug fixes
- Updated provisioning flow to disable access to settings, except when access is required to complete setup (e.g. creating a passcode).
April 3, 2018
User experience
- Updated the design of Android Device Policy and the device provisioning flow to improve overall user experience.
Features
- Added support for Direct Boot, allowing you to remotely wipe Android 7.0+ devices that haven't been unlocked since they were last rebooted.
- Added a location mode setting to the
policies
resource, allowing you to configure the location accuracy mode on a managed device. - Added an error response field to the
Command
resource.
Bug fixes
- Provisioning performance has been improved.
- Compliance reports are now generated immediately after a device is provisioned. To configure an enterprise to receive compliance reports, see Receive non-compliance detail notifications.
Known issues
- Lock Screen Settings crashes on Android 8.0+ LG devices (e.g. LG V30) managed by Android Device Policy.
February 14, 2018
User experience
- Updated the validation text for the "code" field, which is displayed if a user chooses to manually enter a QR code to enroll a device.
Features
- You can now set a policy to trigger force-installed apps to auto-update if
they don't meet a specified minimum app version. In
ApplicationPolicy:
- Set
installType
toFORCE_INSTALLED
- Specify a
minimumVersionCode
.
- Set
- Updated the Devices resource with new fields containing information that may be useful to IT admins, such as the device's carrier name (see NetworkInfo for more details), whether the device is encrypted, and whether Verify Apps is enabled (see DeviceSettings for more details).
Bug fixes
- The
RESET_PASSWORD
andLOCK
commands now work with Android 8.0 Oreo devices. - Fixed issue with DeviceSettings not being populated.
- Fixed issue with
stayOnPluggedModes
policy handling.
December 12, 2017
Features
- Android Device Policy now supports a basic kiosk launcher , which can be enabled via policy. The launcher locks down a device to a set of predefined apps and blocks user access to device settings. The specified apps appear on a single page in alphabetical order. To report a bug or request a feature, tap the feedback icon on the launcher.
- Updated device setup with new retry logic. If a device is rebooted during setup, the provisioning process now continues where it left off.
- The following new policies are now available. See the
API
reference for full details:
keyguardDisabledFeatures
accountTypesWithManagementDisabled
installAppsDisabled
mountPhysicalMediaDisabled
uninstallAppsDisabled
bluetoothContactSharingDisabled
shortSupportMessage
longSupportMessage
bluetoothConfigDisabled
cellBroadcastsConfigDisabled
credentialsConfigDisabled
mobileNetworksConfigDisabled
tetheringConfigDisabled
vpnConfigDisabled
createWindowsDisabled
networkResetDisabled
outgoingBeamDisabled
outgoingCallsDisabled
smsDisabled
usbFileTransferDisabled
ensureVerifyAppsEnabled
permittedInputMethods
recommendedGlobalProxy
setUserIconDisabled
setWallpaperDisabled
alwaysOnVpnPackage
dataRoamingDisabled
bluetoothDisabled
- Updated Android Device Policy's target SDK to Android 8.0 Oreo.
Bug Fixes
- It's now possible to skip the network picker display if a connection can't
be made at boot. To enable the network picker on boot, use the
networkEscapeHatchEnabled
policy.