Release notes | Android Management API

September 2024

Android Management API

The Android Management API now supports the following Android 15 features:

For Android 15 and above a new policy has been added to control Wi-Fi roaming settings. IT Admins can use WifiRoamingPolicy to select the desired WifiRoamingMode. Supported on fully managed devices and work profiles on company-owned devices.

Android 15 release

Android Management API

The Android Management API now supports the following Android 15 features:

Android 15 introduces a new policy to control Circle to Search. IT admins can use AssistContentPolicy to control this feature.
Android 15 introduces a new policy to control Phishing Detection of apps. IT admins can use ContentProtectionPolicy to control whether the app is scanned by On Device Abuse Detection (ODAD) for phishing malware.
Note: Users are not able to see this control from settings on devices with a work profile. This will be fixed in a later platform release.
Android 15 expands the support of screen brightness and screen timeout settings using the DisplaySettings policy to company-owned devices with a work profile. This setting was previously available only on fully managed devices.

August 2024

Android Management API

On Android 13+, IT Admins can now query the ICCID associated with the SIM card of the TelephonyInfo included in a NetworkInfo. This is supported on fully managed devices when the networkInfoEnabled field in statusReportingSettings is set to true.
Various items of our documentation have been updated:
- We updated the documentation for the Common Criteria Mode to clarify that it is only supported on company-owned devices running Android 11 or above.
- We documented the optional field DefaultStatus in SigninDetail.

July 2024

Android Management API

Various items of our documentation have been updated:
- We removed the note in the documentation for enrollmentToket.create about not being able to retrieve the token content anymore as it is possible getting the enrollment token value using enrollmentTokens.get.
- We clarified NonComplianceReason documentation.

June 2024

Android Management API

IT admins can now control the screen brightness and screen timeout settings using the DisplaySettings policy. Supported on fully managed devices, on Android 9 and above.
We've updated our documentation to explain that, even when using AUTO_UPDATE_HIGH_PRIORITY, updates to apps with larger deployments across Android's ecosystem can take up to 24h.
We've updated the Android Management API SDK (AMAPI SDK) to explain the different use cases that this library (originally known as Extensibility SDK) now supports. The updated documentation covers:
See AMAPI SDK release notes to know what is the latest version available.

May 2024

Android Management API

The get and list methods for enrollmentTokens now return populated value, qrCode, and allowPersonalUsage fields.
For fully managed devices, the AllowPersonalUsage setting now supports the PERSONAL_USAGE_DISALLOWED_USERLESS.
On Android 11+ the new UserControlSettings policy allows to specify whether user control is permitted for a given app. UserControlSettings includes user actions like force-stopping and clearing app data.
Version 1.1.5 of the AMAPI SDK is now available. Additional information is available on the release notes page.
Note: We strongly recommend to always use the latest available version of the library to benefit from the available bug fixes and improvements.

April 2024

Android Management API

On Android 13+, for company-owned devices, we added controls over which WiFi SSIDs devices can connect to. Using WifiSsidPolicy IT Admins can specify a list of SSIDs to be added to an allowlist ( WIFI_SSID_ALLOWLIST) or to a denylist ( WIFI_SSID_DENYLIST).
For corporate-owned devices, we added hardware identifiers (IMEI, MEID, and serial number) to ProvisioningInfo that EMMs can now access during device setup using the sign-in URL.

March 2024

Android Management API

We added additional controls over app installation using InstallConstraint, IT admins can restrict app installation based on specific criteria.
By setting installPriority, IT admins can ensure that critical apps are installed first.
On Android 10+, AMAPI supports configuring enterprise 192 bit networks in openNetworkConfiguration by passing Security value WPA3-Enterprise_192.
On Android 13+, in the MinimumWifiSecurityLevel policy, we now support ENTERPRISE_BIT192_NETWORK_SECURITY, which can be used to ensure that devices do not connect to Wi-Fi networks below this security level.
We have updated the UsbDataAccess setting so that the USB_DATA_ACCESS_UNSPECIFIED value defaults to DISALLOW_USB_FILE_TRANSFER.

February 2024

Android Management API

On Android 9+, IT admins can now control whether printing is allowed using the printingPolicy field.
For Android 14+, a new policy is added to control CredentialProvider apps. IT admins can use the credentialProviderPolicy field to control whether the app is allowed to act as a credential provider.
A new policy is added to control Arm Memory Tagging Extension (MTE) on the device. The MtePolicy field is supported on fully managed devices and work profiles on company-owned devices with Android 14 and above.
We have updated how AM API receives errors related to installs that are triggered by IT admins. As a result of this migration, the InstallationFailureReason field now also includes client errors (in addition to the server errors).
For Android 12+, IT admins can use a key pair installed on the device for enterprise Wi-Fi authentication. See the new ClientCertKeyPairAlias field in Open Network Configuration (ONC) and our network configuration guide for more information.

January 2024

Android Management API

Devices managed by your custom DPC can now be seamlessly migrated to use Android Management API.

December 2023

Android Management API

Added MinimumWifiSecurityLevel to define the different minimum security levels required to connect to Wi-Fi networks. Supported on fully managed devices and work profiles on company-owned devices with Android 13 and above.

November 2023

Android Management API

Android 12+ now supports passwordless enterprise Wi-Fi network configuration using Identity and Password fields in Open Network Configuration. This was already supported prior to Android 12.
Note: On Android 12+, for Wi-Fi networks with EAP username/password authentication, if the user password is not provided and AutoConnect is set to true, the device might try to connect to the network with a randomly generated placeholder password. To avoid this when the user’s password is not provided, set AutoConnect to false.

Local device events that occur in quick succession are batched and reported in a single Pub/Sub message to EMMs.

Event type	Expected latency between on-device event and corresponding EMM notification¹
Event type	Previous behavior	New behavior
High priority keyed app states	Immediate, at most one report per minute	Immediate, at most one report per minute
Standard priority keyed app states	Schedule-based	Within one minute
Application-related events during provisioning, for apps with install states defined by the IT admin²	Integrated into other provisioning-related events	Within one minute on top of other related provisioning events
Application-related events after provisioning, for apps with install states defined by the IT admin²	Schedule-based	Within 5 minutes
Application-related events both during and after provisioning, for apps with install states defined by the employee³	Schedule-based	Within 60 minutes
Other on-device app events	Schedule-based	Within 60 minutes

¹ Best effort targets based on controlled circumstances. Actual latency may vary according to a variety of device and environmental factors.
² InstallType of apps enforced in the policy: FORCE_INSTALLED, BLOCKED, REQUIRED_FOR_SETUP, PREINSTALLED and KIOSK.
³ InstallType of available apps: AVAILABLE, INSTALL_TYPE_UNSPECIFIED.

October 2023

Android Management API

Apps launched as SetupAction can now cancel enrollment. This will reset a company-owned device or deletes the work profile on a personally-owned device.

Android 14 release

Android Management API

With the release of Android 14, the Android Management API now supports the following Android 14 features:

Restricting work profile contacts access to system applications and personal apps specified in exemptionsToShowWorkContactsInPersonalProfile. Now access to work profile contacts can be enabled for all personal apps, select personal apps, or no personal apps.
For convenience, the new SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED_EXCEPT_SYSTEM option in showWorkContactsInPersonalProfile ensures that the only personal apps to access work contacts are the device default Dialer, Messages, and Contacts apps. In this case, neither user-configured Dialer, Messages, and Contacts apps, nor any other system or user-installed personal apps, will be able to query work contacts.
Disable use of the ultra wideband radio on the device. This can be achieved using the new deviceRadioState.ultraWidebandState policy.
Block the use of cellular 2G, improving network security. This is offered through the new deviceRadioState.cellularTwoGState policy.
Android 14 introduces customizable lock screen shortcuts.
The lock screen features admin control, which includes camera, fingerprint unlock, face unlock, etc, has been extended to also disable lockscreen shortcuts using the new SHORTCUTS option.

September 2023

Android Management API

Device and provisioning information can now be optionally retrieved during setup, allowing developers to create more targeted policies during setup or filter devices according to the supplied attributes. The sign-in url will now include a provisioningInfo parameter which can be exchanged for the corresponding device details using the new provisioningInfo get method.
SigninDetails can now be distinguished from one another with a customizable tokenTag value.

August 2023

Android Management API

Introduced Lost Mode for company-owned devices. Lost mode enables employers to remotely lock and secure a lost device and optionally to display a message on the device screen with contact information to facilitate asset recovery.
Added support for certificate selection delegation which grants an app access to selection of KeyChain certificates on behalf of requesting apps. See DelegatedScope.CERT_SELECTION for more details.
Added additional WiFi management policies:
- configureWifi - Admins can now disable adding or configuring WiFi networks. wifiConfigDisabled is now deprecated.
- wifiDirectSettings - This policy can be used to disable configuring WiFi direct.
- tetheringSettings - This policy can be used to disable WiFi tethering or all forms of tethering. tetheringConfigDisabled is now deprecated.
- wifiState - This policy can be used to force enable/disable WiFi in a user's device.
Sharing of admin configured WiFi networks will be disabled from Android 13 and above

July 2023

Android Management API

Added userFacingType field to ApplicationReport to signal whether an app is user facing.
Added ONC_WIFI_INVALID_ENTERPRISE_CONFIG specific non-compliance reason.
Non-compliance with reason INVALID_VALUE and specific reason ONC_WIFI_INVALID_ENTERPRISE_CONFIG is reported if enterprise Wi-Fi network does not have DomainSuffixMatch set.
New Pub/Sub notification EnrollmentCompleteEvent added, as a type of UsageLogEvent that is published when the device finishes the enrollment.
Added airplaneModeState in deviceRadioState to control the current state of airplane mode and whether the user can toggle it on or off. By default, the user is allowed to toggle airplane mode on or off. Supported on fully managed devices and work profiles on company-owned devices, on Android 9 and above.

June 2023

Android Management API

Added support for the DomainSuffixMatch field in Open Network Configuration to configure enterprise WiFi networks for Android 6+. Enterprise WiFi configurations without DomainSuffixMatch are considered insecure and will be rejected by the platform.
Added UsbDataAccess policy setting that allows admins to fully disable USB data transferring. usbFileTransferDisabled is now deprecated, please use UsbDataAccess.

December 2022

Android Management API

Management capabilities over Work Profile Widgets have been improved with the addition of two new API fields: workProfileWidgets on the application level and workProfileWidgetsDefault on the device level. These allow greater control over whether an application running in the work profile can create widgets on the parent profile e.g. the home screen. This functionality is disallowed by default, but can be set to allowed using workProfileWidgets and workProfileWidgetsDefault, and is only supported for work profiles.
We have added support to set MAC address randomization settings while configuring WiFi networks. Admins can now specify whether MACAddressRandomizationMode is set to Hardware or Automatic while configuring WiFi networks which takes effect on devices with OS version Android 13 and above and is applicable on all management modes. If set to Hardware the factory MAC address will be configured to the WiFi network, whereas Automatic the MAC address will be random.
Various items of our documentation have been updated:

Understanding Security Posture has been created to provide clarity on the potential responses from devicePosture and securityRisk evaluations.
autoUpdateMode has been provided for autoUpdatePolicy as a recommended alternative due to greater flexibility with update frequency.
We have provided clarification that BlockAction and WipeAction are restricted to company-owned devices.
The Pub/Sub notifications page has been updated to accurately reflect the resource types for different notification types.
For Android 13+, extension apps are exempt from battery restrictions so will not be placed into the restricted App Standby Bucket.

October 2022

Android Management API

Various items of our documentation have been updated:

We recommend having one policy per device, to enable granular device-level management capabilities.
In order for FreezePeriods to work as expected, system update policy cannot be set as SYSTEM_UPDATE_TYPE_UNSPECIFIED.
Additional suggestions have been provided for policy updates regarding visibility of password steps during company-owned device provisioning.
shareLocationDisabled is supported for fully managed devices and personally owned work profiles.
We have provided an updated description on the usage of enterprises.devices.delete and its effects on device visibility.
Maximum enrollment token duration is now 10,000 years, where it was previously 90 days.

July 12 2022

Android Management API

Added NETWORK_ACTIVITY_LOGS and SECURITY_LOGS values to the DelegatedScope to grant device policy applications access to the corresponding logs.

June 14 2022

Android Management API

Added specificNonComplianceReason and specificNonComplianceContext to NonComplianceDetail to provide detailed context for policy application errors.

June 6 2022

Android Management API

Added a command to allow the admin to remotely clear the application data of an app.
Enrollment tokens can now be created with a longer duration than the previous maximum of 90 days, up to approximately 10,000 years. Enrollment tokens that last longer than 90 days will have a length of 24 characters, while tokens that last 90 days or less will continue to have 20 characters.

May 24 2022

Android Management API

Hardware-backed security features such as key attestation will now be used in device integrity evaluations, when supported by the device. This provides a strong guarantee of system integrity. Devices that fail these evaluations or do not support such hardware-backed security features will report the new HARDWARE_BACKED_EVALUATION_FAILED SecurityRisk.

May 16 2022

Android Management API

Added unifiedLockSettings in PasswordPolicies to allow the admin to configure if the work profile needs a separate lock.

March 25 2022

Android Management API

Added alwaysOnVpnLockdownExemption to specify which apps should be exempt from the AlwaysOnVpnPackage setting.
Added all available fields from the Play EMM API Products resource to the Application resource.

February 22 2022

Android Management API

Added cameraAccess to control the use of camera and camera toggle, and microphoneAccess, to control the use of microphone and microphone toggle. These fields replace newly deprecated cameraDisabled and unmuteMicrophoneDisabled, respectively.

February 15 2022

AMAPI SDK

Minor bug fixes. See Google's Maven Repository for more details.

November 15 2021

Android Device Policy

Apps that are marked as unavailable in personalApplications will now be uninstalled from the personal profile of company-owned devices if already installed, as they are in the ApplicationPolicy for work profile and fully managed devices.

September 17 2021

Android Management API

You can now designate an app as an extension app using ExtensionConfig. Extension apps can communicate directly with Android Device Policy and in future will be able to interact with the complete set of management features offered in the Android Management API, enabling a local interface for managing the device that does not require server connectivity.
- This initial release includes support for local execution of Commands, and currently only the ClearAppData command. See the extensibility integration guide for more details.
- The remaining commands will be added over time, as well as additional extension app features designed to expose the breadth of device management features to the extension app.

June 30 2021

Android Device Policy

Minor bug fixes

June 2 2021

Android Device Policy

Minor bug fixes

May 5 2021

Android Device Policy

Minor bug fixes

April 6 2021

Android Device Policy

Minor bug fixes

March 2021

Android Management API

Added two new AdvancedSecurityOverrides. These policies enable Android Enterprise security best practices by default, while allowing organizations to override the default values for advanced use cases.

googlePlayProtectVerifyApps enables Google Play's app verification by default.
developerSettings prevents users from accessing developer options and safe mode by default, capabilities that would otherwise introduce risk of corporate data exfiltration.

ChoosePrivateKeyRule now supports the direct grant of specific KeyChain keys to managed apps.

This allows the target app(s) to access specified keys by calling getCertificateChain() and getPrivateKey() without having to first call choosePrivateKeyAlias().
Android Management API defaults to granting direct access to the keys specified in policy, but otherwise falls back to granting access after the specified app has called choosePrivateKeyAlias(). See ChoosePrivateKeyRule for more details.

Deprecations

ensureVerifyAppsEnabled is now deprecated. Use the googlePlayProtectVerifyApps AdvancedSecurityOverrides instead.

Existing API users (Google Cloud projects with Android Management API enabled as of April 15, 2021) can continue to use ensureVerifyAppsEnabled until October 2021, but are encouraged to migrate to AdvancedSecurityOverrides as soon as possible. In October ensureVerifyAppsEnabled will no longer function.

debuggingFeaturesAllowed and safeBootDisabled are now deprecated. Use the developerSettings AdvancedSecurityOverrides instead.

Existing API users (Google Cloud projects with Android Management API enabled as of April 15, 2021) can continue to use debuggingFeaturesAllowed and safeBootDisabled until October 2021, but are encouraged to use AdvancedSecurityOverrides as soon as possible. In October debuggingFeaturesAllowed and safeBootDisabled will no longer function.

February 2021

Android Management API

Added personalApplications support for company-owned devices starting from Android 8. The feature is now supported on all company-owned devices with a work profile.
Device phone number is now reported on Fully Managed Devices as part of the Device resource.

January 2021

Android Device Policy

Minor bug fixes

December 2020

Android Management API

Added personalApplications to PersonalUsagePolicies. On company-owned devices, IT can specify an allow or blocklist of applications in the personal profile. This feature is currently available only on Android 11 devices, but will be backported to Android 8 in a future release.

Android Device Policy

Minor updates to the provisioning UI

November 2020

Android Management API

Added AutoDateAndTimeZone, replacing the deprecated autoTimeRequired, to control auto date, time, and time zone configuration on a company-owned device.
Starting in Android 11, users can no longer clear app data or force stop applications when the device is configured as a kiosk (that is, when the InstallType of one application in ApplicationPolicy is set to KIOSK).
Added new LocationMode controls to replace deprecated location detection method controls. On company-owned devices, IT can now choose between enforcing location, disabling location, or allowing users to toggle location on and off.
Added support for CommonCriteriaMode, a new feature in Android 11. Can be enabled to address specific Common Criteria Mobile Device Fundamentals Protection Profile (MDFPP) requirements.

Deprecations

autoTimeRequired is now deprecated, following the deprecation of specific auto time controls in Android 11. Use AutoDateAndTimeZone instead.
The following LocationMode options are now deprecated, following their deprecation in Android 9: HIGH_ACCURACY, SENSORS_ONLY, BATTERY_SAVING, and OFF. Use LOCATION_ENFORCED, LOCATION_DISABLED, and LOCATION_USER_CHOICE instead.

October 2020

Android Device Policy

Added RELINQUISH_OWNERSHIP as a new type of device command. When deploying work profile, admins can relinquish ownership of company-owned devices to employees, wiping the work profile and resetting any device policies to factory state, while leaving personal data intact. In doing so, IT loses claim to the ownership of the device now and in the future and should not expect the device to re-enroll. To factory reset a device while maintaining ownership, use the devices.delete method instead.

August 2020

Android Management API

Improvements to the work profile experience on company-owned devices were announced in the Android 11 developer preview. Android Management API adds support for these improvements for devices running Android 8.0+ or higher. Enterprises can now designate work profile devices as company-owned, allowing management of a device's work profile, personal usage policies, and certain device-wide settings while still maintaining privacy in the personal profile.
- For a high-level overview of enhancement to the work profile experience, see Work profile: the new standard for employee privacy.
- See Company-owned devices for work and personal use to learn how to set up a work profile on a company-owned device.
- An example policy for a company-owned device with a work profile is available in Devices with work profiles.
- Added blockScope to blockAction. Use blockScope to specify whether a block action applies to an entire company-owned device or to its work profile only.
Added connectedWorkAndPersonalApp to applicationPolicy. Starting in Android 11, some core apps can connect across a device's work and personal profiles. Connecting an app across profiles can provide a more unified experience for users. For example, by connecting a calendar app, users could view their work and personal events displayed together.

Some apps (for example, Google Search) may be connected on devices by default. A list of connected apps on a device is available in Settings > Privacy > Connected work & personal apps.

Use connectedWorkAndPersonalApp to allow or disallow connected apps. Allowing an app to connect cross-profile only gives the user the option to connect the app. Users can disconnect apps at any time.
Added systemUpdateInfo to devices to report information on pending system updates.

July 2020

Android Device Policy

[July 23] Minor bug fixes

June 2020

Android Device Policy

[June 17] Minor bug fixes.

May 2020

Android Device Policy

[May 12] Minor bug fixes.

April 2020

Android Device Policy

[April 14] Minor bug fixes.

March 2020

Android Device Policy

[March 16] Minor bug fixes.

February 2020

Android Device Policy

[Feb 24] Minor bug fixes.

January 2020

Android Device Policy

[Jan 15] Minor bug fixes.

December 2019

Android Management API

A new policy for blocking untrusted apps (apps from unknown sources) is available. Use advancedSecurityOverrides.untrustedAppsPolicy to:
- Block untrusted app installs device-wide (including work profiles).
- Block untrusted app installs in a work profile only.
- Allow untrusted app installed device-wide.
advancedSecurityOverrides.untrustedAppsPolicy replaces installUnknownSourcesAllowed, which is now deprecated. For more details, see the Deprecations section below.
A timeout period for allowing non-strong screen lock methods (e.g. fingerprint and face unlock) can now be enforced on a device or work profile using requirePasswordUnlock. After the timeout period expires, a user must use a strong form of authentication (password, PIN, pattern) to unlock a device or work profile.
Added kioskCustomization to support the ability to enable or disable the following system UI features in kiosk mode devices:
- Global actions launched from the power button (see powerButtonActions).
- System info and notifications (see statusBar).
- Home and overview buttons (see systemNavigation).
- Status bar (see statusBar).
- Error dialogs for crashed or unresponsive apps (see systemErrorWarnings).
Added freezePeriod policy to support blocking system updates annually over a specified freeze period.
A new parameter is available in devices.delete: wipeReasonMessage lets you specify a short message to display to a user before wiping the work profile from their personal device.

Deprecations

installUnknownSourcesAllowed is now marked as deprecated. Support for the policy will continue until Q2 2020 for users who enabled Android Management API before 2:00pm GMT on December 19, 2019. The policy is not supported for users who enabled the API after this date.

advancedSecurityOverrides.untrustedAppsPolicy replaces installUnknownSourcesAllowed. The table below provides a mapping between the two policies. Developers should update their solutions with the new policy as soon as possible*.

installUnknownSourcesAllowed	advancedSecurityOverrides.untrustedAppsPolicy
`TRUE`	`ALLOW_INSTALL_DEVICE_WIDE`
`FALSE`	`ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY` Note: Applied to all device types (work profiles and fully managed). Because fully managed devices don't have a personal profile, untrusted apps are blocked across the entire device. To block untrusted apps across an entire device with a work profile, use `DISALLOW_INSTALL` instead.

*For users who enabled Android Management API before 2:00pm GMT on December 19, 2019: The default value of untrustedAppsPolicy (DISALLOW_INSTALL) is not applied if untrustedAppsPolicy is set to UNTRUSTED_APPS_POLICY_UNSPECIFIED or if the policy is left unspecified. To block untrusted apps across an entire device, you must explicitly set the policy to DISALLOW_INSTALL.

November 2019

Android Device Policy

[Nov 27] Minor bug fixes.

October 2019

Android Management API

New IframeFeature options allow you to specify which Managed Google Play iframe features to enable/disable in your console.

Android Device Policy

[Oct 16] Minor bug fixes and performance optimization.

September 04, 2019

Features

The policies resource is now capable of distributing closed app releases (closed app tracks), allowing organizations to test pre-release versions of apps. For details, see Distribute apps for closed testing.
Added permittedAccessibilityServices to policies, which can be used to:
- disallow all non-system accessibility services on a device, or
- only allow specified apps access to these services.

August 6, 2019

Features

The Android Management API now evaluates the security of a device and reports findings in device reports (under securityPosture). securityPosture returns the security posture status of a device (POSTURE_UNSPECIFIED, SECURE, AT_RISK, or POTENTIALLY_COMPROMISED), as evaluated by SafetyNet and other checks, along with details of any identified security risks for you to share with customers through your management console.
To enable this feature for a device, ensure its policy has least one field from statusReportingSettings enabled.

July 02, 2019

Features

To distinguish that an app is launched from launchApp in setupActions, the activity that's first launched as part of the app now contains the boolean intent extra com.google.android.apps.work.clouddpc.EXTRA_LAUNCHED_AS_SETUP_ACTION (set to true). This extra allows you to customize your app based on whether it's launched from launchApp or by a user.

May 31, 2019

Maintenance release

Minor bug fixes and performance optimization.

May 7, 2019

Features

Added policyEnforcementRules to replace complianceRules, which has been deprecated. See the deprecation notice above for more information.
Added new APIs to create and edit web apps. For more details, see Support web apps.

User experience

Android Device Policy: The app’s icon is no longer visible on devices. Users can still view the policy page previously launched by the icon:

Fully managed devices: Settings > Google > Device Policy
Devices with work profiles: Settings > Google > Work > Device Policy
All devices: Google Play Store app > Android Device Policy

April 16, 2019

Android Device Policy is now available in South Korea.

March 21, 2019

Features

Added new metadata, including alternate serial numbers, to devices.
The number of apps with installType REQUIRED_FOR_SETUP is now limited to five per policy. This is to ensure the best possible user experience during device and work profile provisioning.

February 12, 2019

User experience

Android Device Policy: Added improved non-compliance messaging to help users return their devices to a compliant state or inform them when it isn’t possible.
Android Device Policy: After an enrollment token is registered, a new setup experience guides users through the steps required by their policy to complete their device or work profile configuration.

Figure 1. Guided setup experience.

Features

Added new field to installType
- REQUIRED_FOR_SETUP: If true, the app must be installed before the device or work profile setup completes. Note: If the app isn't installed for any reason (e.g. incompatibility, geo-availability, poor network connection), setup won't complete.
Added SetupAction to policies. With SetupAction, you can specify an app to launch during setup, allowing a user to further configure their device. See Launch an app during setup for more details.
For enterprises with status reports enabled, new device reports are now issued immediately following any failed attempt to unlock a device or work profile.

Deprecations

In policies, wifiConfigsLockdownEnabled has been deprecated. WiFi networks specified is policy are now non-modifiable by default. To make them modifiable, set wifiConfigDisabled to false.

December 10, 2018

Features

Added support for work profile devices to the sign-in URL provisioning method. Work profile device owners can now sign in with their corporate credentials to complete provisioning.

User experience

Added support for dark mode in Android Device Policy. Dark mode is a display theme available in Android 9 Pie, which can be enabled in Settings > Display > Advanced > Device theme > Dark.

Figure 1. (L) Normal display mode (R) Dark mode

November 2, 2018

Features

A new enrollment method is available for fully managed devices. The method uses a sign-in URL to prompt users to enter their credentials, allowing you to assign a policy and provision users' devices based on their identity.
Added support for the managed configurations iframe, a UI you can add to your console for IT admins to set and save managed configurations. The iframe returns a unique mcmId for each saved configuration, which you can add to policies.
Added passwordPolicies and PasswordPolicyScope to policies:
- passwordPolicies sets the password requirements for the specified scope (device or work profile).
- If PasswordPolicyScope isn't specified, the default scope is SCOPE_PROFILE for work profile devices, and SCOPE_DEVICE for fully managed or dedicated devices.
- passwordPolicies overrides passwordRequirements if PasswordPolicyScope is unspecified (default), or PasswordPolicyScope is set to the same scope as passwordRequirements

September 20, 2018

Bug fixes

Fixed issue that made kiosk devices incorrectly appear out of compliance following provisioning, for a subset of policy configurations

August 28, 2018

Features

Updates to support work profile and fully managed device provisioning and management:

New provisioning methods are available for work profiles:
- Provide users with an enrollment token link.
- Go to Settings > Google > Set up work profile.
Added new fields to enrollmentTokens.
- oneTimeOnly: If true, the enrollment token will expire after it's first used.
- userAccountIdentifier: Identifies a specific managed Google Play Account.
  - If not specified: The API silently creates a new account each time a device is enrolled with the token.
  - If specified: The API uses the specified account each time a device is enrolled with the token. You can specify the same account across multiple tokens. See Specify a user for more information.
Added managementMode (read-only) to devices.
- Devices with work profiles: managementMode is set to PROFILE_OWNER.
- Dedicated devices and fully managed devices: managementMode is set to DEVICE_OWNER.

Updates to the policies resource to improve app management capabilities:

Added new field playStoreMode.
- WHITELIST (default): Only apps added to policy are available in the work profile or on the managed device. Any app not in policy is unavailable, and uninstalled if previously installed.
- BLACKLIST: Apps added to policy are unavailable. All other apps listed in Google Play are available.
Added BLOCKED as an InstallType option, which makes an app unavailable to install. If the app is already installed, it will be uninstalled.
- You can use installType BLOCKED together with playStoreMode BLACKLIST to prevent a managed device or work profile from installing specific apps.

User experience

Updated Android Device Policy settings to match device settings.

July 12, 2018

User experience

Merged the status and device details pages in Android Device Policy into a single page.
Improved setup UI consistency with Android setup wizard.

Features

Added PermissionGrants at the policy level. You can now control runtime permissions at four levels:
- Global, across all apps: set defaultPermissionPolicy at the policy level.
- Per permission, across all apps: set permissionGrant at the policy level.
- Per app, across all permissions: set defaultPermissionPolicy within ApplicationPolicy.
- Per app, per permission: set permissionGrant within ApplicationPolicy.
When factory resetting a device, the new WipeDataFlag allows you to:
- WIPE_EXTERNAL_STORAGE: wipe the device's external storage (e.g. SD cards).
- PRESERVE_RESET_PROTECTION_DATA: preserve the factory reset protection data on the device. This flag ensures that only an authorized user can recover a device if, for instance, the device is lost. Note: Only enable this feature if you've set frpAdminEmails[] in policy.

Bug fixes

Fixed issue with Android Device Policy exiting lock task mode when updating in the foreground.

May 25, 2018

User experience

Instead of hiding disabled apps from the launcher, Android 7.0+ devices now display icons for disabled apps in gray:

Features

Updated policies to support the following certificate management capabilities:
- Automatic granting of certificate access to apps.
- Delegating all certificate management features supported by Android Device Policy to another app (see CERT_INSTALL).
Individual apps can now be disabled in ApplicationPolicy (set disabled to true), independent of compliance rules.
It's now possible to disable system apps.
Added application reports to devices. For each managed app installed on a device, the report returns the app's package name, version, install source, and other detailed information. To enable, set applicationReportsEnabled to true in the device's policy.
Updated enterprises to include terms and conditions. An enterprise's terms and conditions are displayed on devices during provisioning.

Bug fixes

Updated provisioning flow to disable access to settings, except when access is required to complete setup (e.g. creating a passcode).

April 3, 2018

User experience

Updated the design of Android Device Policy and the device provisioning flow to improve overall user experience.

Features

Added support for Direct Boot, allowing you to remotely wipe Android 7.0+ devices that haven't been unlocked since they were last rebooted.
Added a location mode setting to the policies resource, allowing you to configure the location accuracy mode on a managed device.
Added an error response field to the Command resource.

Bug fixes

Provisioning performance has been improved.
Compliance reports are now generated immediately after a device is provisioned. To configure an enterprise to receive compliance reports, see Receive non-compliance detail notifications.

Known issues

Lock Screen Settings crashes on Android 8.0+ LG devices (e.g. LG V30) managed by Android Device Policy.

February 14, 2018

User experience

Updated the validation text for the "code" field, which is displayed if a user chooses to manually enter a QR code to enroll a device.

Features

You can now set a policy to trigger force-installed apps to auto-update if they don't meet a specified minimum app version. In ApplicationPolicy:
- Set installType to FORCE_INSTALLED
- Specify a minimumVersionCode.
Updated the Devices resource with new fields containing information that may be useful to IT admins, such as the device's carrier name (see NetworkInfo for more details), whether the device is encrypted, and whether Verify Apps is enabled (see DeviceSettings for more details).

Bug fixes

The RESET_PASSWORD and LOCK commands now work with Android 8.0 Oreo devices.
Fixed issue with DeviceSettings not being populated.
Fixed issue with stayOnPluggedModes policy handling.

December 12, 2017

Features

Android Device Policy now supports a basic kiosk launcher , which can be enabled via policy. The launcher locks down a device to a set of predefined apps and blocks user access to device settings. The specified apps appear on a single page in alphabetical order. To report a bug or request a feature, tap the feedback icon on the launcher.
Updated device setup with new retry logic. If a device is rebooted during setup, the provisioning process now continues where it left off.

The following new policies are now available. See the API reference for full details:

`keyguardDisabledFeatures`	`accountTypesWithManagementDisabled`
`installAppsDisabled`	`mountPhysicalMediaDisabled`
`uninstallAppsDisabled`	`bluetoothContactSharingDisabled`
`shortSupportMessage`	`longSupportMessage`
`bluetoothConfigDisabled`	`cellBroadcastsConfigDisabled`
`credentialsConfigDisabled`	`mobileNetworksConfigDisabled`
`tetheringConfigDisabled`	`vpnConfigDisabled`
`createWindowsDisabled`	`networkResetDisabled`
`outgoingBeamDisabled`	`outgoingCallsDisabled`
`smsDisabled`	`usbFileTransferDisabled`
`ensureVerifyAppsEnabled`	`permittedInputMethods`
`recommendedGlobalProxy`	`setUserIconDisabled`
`setWallpaperDisabled`	`alwaysOnVpnPackage`
`dataRoamingDisabled`	`bluetoothDisabled`

Updated Android Device Policy's target SDK to Android 8.0 Oreo.

Bug Fixes

It's now possible to skip the network picker display if a connection can't be made at boot. To enable the network picker on boot, use the networkEscapeHatchEnabled policy.