Security Component
The Security Policy Component is used to control how secure a device must be. It lets you manage screen lock requirements, encryption, system restrictions, and what actions users are allowed to take on the device.
Use this component when you need to protect data and prevent misuse of a managed device.
Device Radio State
API reference: deviceRadioState — Type: object
Covers radio state controls such as Wi-Fi, Bluetooth, and more.
Control Wi-Fi states
API reference: wifiState — Type: enum
Controls whether Wi-Fi is on or off and whether the user can change that state. Supported on company-owned devices running Android 13 and above.
| Option | Enum | Description |
|---|---|---|
| Default | WIFI_STATE_UNSPECIFIED | Defaults to WIFI_STATE_USER_CHOICE. |
| User choice | WIFI_STATE_USER_CHOICE | User is allowed to enable/disable Wi-Fi. |
| Wi-Fi enforced on | WIFI_ENABLED | Wi-Fi is on and the user is not allowed to turn it off. |
| Wi-Fi enforced off | WIFI_DISABLED | Wi-Fi is off and the user is not allowed to turn it on. |
Control airplane mode state
API reference: airplaneModeState — Type: enum
Supported on Android 9 and above on fully managed devices and work profiles on company-owned devices.
| Option | Enum | Description |
|---|---|---|
| Default | AIRPLANE_MODE_STATE_UNSPECIFIED | Defaults to AIRPLANE_MODE_USER_CHOICE. |
| User choice | AIRPLANE_MODE_USER_CHOICE | The user is allowed to toggle airplane mode on or off. |
| Disabled | AIRPLANE_MODE_DISABLED | Airplane mode is disabled. The user is not allowed to toggle it on. |
Control ultra wideband state
API reference: ultraWidebandState — Type: enum
Supported on Android 14 and above on fully managed devices and work profiles on company-owned devices.
| Option | Enum | Description |
|---|---|---|
| Default | ULTRA_WIDEBAND_STATE_UNSPECIFIED | Defaults to ULTRA_WIDEBAND_USER_CHOICE. |
| User choice | ULTRA_WIDEBAND_USER_CHOICE | The user is allowed to toggle ultra wideband on or off. |
| Disabled | ULTRA_WIDEBAND_DISABLED | Ultra wideband is disabled. The user is not allowed to toggle it on. |
Control cellular 2G setting usability
API reference: cellularTwoGState — Type: enum
Supported on Android 14 and above on fully managed devices and work profiles on company-owned devices.
| Option | Enum | Description |
|---|---|---|
| Default | CELLULAR_TWO_G_STATE_UNSPECIFIED | Defaults to CELLULAR_TWO_G_USER_CHOICE. |
| User choice | CELLULAR_TWO_G_USER_CHOICE | The user is allowed to toggle cellular 2G on or off. |
| Disabled | CELLULAR_TWO_G_DISABLED | Cellular 2G is disabled. The user is not allowed to toggle it on. |
Minimum required security level of Wi-Fi networks
API reference: minimumWifiSecurityLevel — Type: enum
Supported on Android 13 and above on fully managed devices and work profiles on company-owned devices.
| Option | Enum | Description |
|---|---|---|
| Default | MINIMUM_WIFI_SECURITY_LEVEL_UNSPECIFIED | Defaults to OPEN_NETWORK_SECURITY. |
| Open | OPEN_NETWORK_SECURITY | The device can connect to all types of Wi-Fi networks. |
| Personal only (WEP, WPA2-PSK) | PERSONAL_NETWORK_SECURITY | Open Wi-Fi networks are not allowed. |
| Enterprise EAP only | ENTERPRISE_NETWORK_SECURITY | Enterprise EAP network is the minimum required. |
| Enterprise 192-bit only | ENTERPRISE_BIT192_NETWORK_SECURITY | 192-bit enterprise network is the minimum required. |
Device Connectivity Management
API reference: deviceConnectivityManagement — Type: Object
Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more.
USB Data Access
API reference: usbDataAccess — Type: enum
Controls what files and/or data can be transferred via USB. Supported only on company-owned devices.
| Option | Enum | Description |
|---|---|---|
| Default | USB_DATA_ACCESS_UNSPECIFIED | Defaults to DISALLOW_USB_FILE_TRANSFER. |
| Allow all | ALLOW_USB_DATA_TRANSFER | All types of USB data transfers are allowed. |
| Disallow file transfer | DISALLOW_USB_FILE_TRANSFER | Transferring files over USB is disallowed. Mouse and keyboard connections are still allowed. |
| Disallow all | DISALLOW_USB_DATA_TRANSFER | All types of USB data transfers are prohibited. Requires Android 12+ with USB HAL 1.3+. |
Wi-Fi configuration
API reference: ConfigureWifi — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | CONFIGURE_WIFI_UNSPECIFIED | Defaults to ALLOW_CONFIGURING_WIFI unless wifiConfigDisabled is true. |
| Allow | ALLOW_CONFIGURING_WIFI | The user is allowed to configure Wi-Fi. |
| Disallow new configurations | DISALLOW_ADD_WIFI_CONFIG | Adding new Wi-Fi configurations is disallowed. User can only switch between already configured networks. Android 13+. |
| Disallow all | DISALLOW_CONFIGURING_WIFI | Disallows all Wi-Fi configuration. |
Wi-Fi direct configuration
API reference: wifiDirectSettings — Type: enum
Supported on company-owned devices running Android 13 and above.
| Option | Enum | Description |
|---|---|---|
| Default | WIFI_DIRECT_SETTINGS_UNSPECIFIED | Defaults to ALLOW_WIFI_DIRECT. |
| Allow | ALLOW_WIFI_DIRECT | The user is allowed to use Wi-Fi direct. |
| Disallow | DISALLOW_WIFI_DIRECT | The user is not allowed to use Wi-Fi direct. |
Tethering settings
API reference: tetheringSettings — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | TETHERING_SETTINGS_UNSPECIFIED | Defaults to ALLOW_ALL_TETHERING. |
| Allow all | ALLOW_ALL_TETHERING | Allows configuration and use of all forms of tethering. |
| Disallow Wi-Fi tethering | DISALLOW_WIFI_TETHERING | Disallows Wi-Fi tethering. Android 13+ on company-owned devices. |
| Disallow all | DISALLOW_ALL_TETHERING | Disallows all forms of tethering. |
Wi-Fi SSID Restriction Policy
API reference: wifiSsidPolicy — Type: Object
Restrictions on which Wi-Fi SSIDs the device can connect to. Supported on company-owned devices running Android 13 and above.
| Field | API Reference | Type | Description |
|---|---|---|---|
| Wi-Fi SSID policy type | wifiSsidPolicyType | enum | Type of the Wi-Fi SSID policy to be applied. |
| SSIDs to be allowed | wifiSsids[] | object | List of Wi-Fi SSIDs that should be applied in the policy. |
Wi-Fi SSID Policy Type options
| Option | Enum | Description |
|---|---|---|
| Default | WIFI_SSID_POLICY_TYPE_UNSPECIFIED | No restrictions on which SSID the device can connect to. |
| Deny | WIFI_SSID_DENYLIST | The device cannot connect to any Wi-Fi network in the denylist. |
| Allow | WIFI_SSID_ALLOWLIST | The device can only connect to SSIDs in the allowlist. |
Wi-Fi Roaming Settings
API reference: wifiRoamingPolicy.wifiRoamingSettings[] — Type: Object
| Option | Enum | Description |
|---|---|---|
| Unspecified | WIFI_ROAMING_MODE_UNSPECIFIED | Defaults to WIFI_ROAMING_DEFAULT. |
| Disabled | WIFI_ROAMING_DISABLED | Wi-Fi roaming is disabled. Android 15+ on fully managed devices. |
| Default | WIFI_ROAMING_DEFAULT | Default Wi-Fi roaming mode of the device. |
| Aggressive | WIFI_ROAMING_AGGRESSIVE | Allows quicker Wi-Fi roaming. Android 15+. |
Bluetooth Sharing
API reference: bluetoothSharing — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | BLUETOOTH_SHARING_UNSPECIFIED | Defaults to BLUETOOTH_SHARING_DISALLOWED on work profiles and BLUETOOTH_SHARING_ALLOWED on fully managed devices. |
| Allowed | BLUETOOTH_SHARING_ALLOWED | Bluetooth sharing is allowed. Supported on Android 8+. |
| Disallowed | BLUETOOTH_SHARING_DISALLOWED | Bluetooth sharing is disallowed. Supported on Android 8+. |
Preferential Network Service Settings
API reference: preferentialNetworkServiceSettings — Type: Object
Can be set on both work profiles and fully managed devices on Android 13 and above.
Default Preferential Network
API reference: preferentialNetworkServiceSettings.defaultPreferentialNetworkId — Type: enum
| Option | Enum | Description |
|---|---|---|
| Unspecified | PREFERENTIAL_NETWORK_ID_UNSPECIFIED | Defaults to NO_PREFERENTIAL_NETWORK. |
| No preferential network | NO_PREFERENTIAL_NETWORK | Application does not use any preferential network. |
| Network 1 | PREFERENTIAL_NETWORK_ID_ONE | Preferential network identifier 1. |
| Network 2 | PREFERENTIAL_NETWORK_ID_TWO | Preferential network identifier 2. |
| Network 3 | PREFERENTIAL_NETWORK_ID_THREE | Preferential network identifier 3. |
| Network 4 | PREFERENTIAL_NETWORK_ID_FOUR | Preferential network identifier 4. |
| Network 5 | PREFERENTIAL_NETWORK_ID_FIVE | Preferential network identifier 5. |
Fallback to Default Connection
API reference: preferentialNetworkServiceConfigs[].fallbackToDefaultConnection — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | FALLBACK_TO_DEFAULT_CONNECTION_UNSPECIFIED | Defaults to FALLBACK_TO_DEFAULT_CONNECTION_ALLOWED. |
| Allow | FALLBACK_TO_DEFAULT_CONNECTION_ALLOWED | Fallback to default connection is allowed. |
| Disallow | FALLBACK_TO_DEFAULT_CONNECTION_DISALLOWED | Fallback to default connection is not allowed. |
Non matching networks
API reference: preferentialNetworkServiceConfigs[].nonMatchingNetworks — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | NON_MATCHING_NETWORKS_UNSPECIFIED | Defaults to NON_MATCHING_NETWORKS_ALLOWED. |
| Allow | NON_MATCHING_NETWORKS_ALLOWED | Apps can use networks other than the preferential service. |
| Disallow | NON_MATCHING_NETWORKS_DISALLOWED | Apps are blocked from using other networks. Android 14+. |
Short message for functionalities disabled by admin
API reference: shortSupportMessage.UserFacingMessage
A message displayed to the user in the settings screen wherever functionality has been disabled by the admin. Maximum 200 characters.
Long message displayed on device administrator settings
API reference: longSupportMessage.UserFacingMessage
A message displayed to the user in the device administrators settings screen. Maximum 4096 characters.
Features & actions on lock screen
API reference: keyguardDisabledFeatures[] — Type: enum
| Option | Enum | Description |
|---|---|---|
| Camera | CAMERA | Disable the camera on secure keyguard screens. |
| Notifications | NOTIFICATIONS | Disable showing all notifications on secure keyguard screens. |
| Fingerprint | DISABLE_FINGERPRINT | Disable fingerprint sensor on secure keyguard screens. |
| Face unlock | FACE | Disable face authentication on secure keyguard screens. |
| Iris unlock | IRIS | Disable iris authentication on secure keyguard screens. |
| Trust agents | TRUST_AGENTS | Ignore trust agent state on secure keyguard screens. |
| Remote input | DISABLE_REMOTE_INPUT | Disable remote input on secure keyguard screens. |
| Shortcuts | SHORTCUTS | Disable all shortcuts on secure keyguard screen on Android 14+. |
Encryption Policy
API reference: encryptionPolicy — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | ENCRYPTION_POLICY_UNSPECIFIED | No encryption required. |
| Encryption without password on boot | ENABLED_WITHOUT_PASSWORD | Encryption required but no password required to boot. |
| Encryption with password on boot | ENABLED_WITH_PASSWORD | Encryption required with password required to boot. |
App Functions
API reference: appFunctions — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | APP_FUNCTIONS_UNSPECIFIED | Defaults to APP_FUNCTIONS_ALLOWED. |
| Allowed | APP_FUNCTIONS_ALLOWED | Apps are allowed to expose app functions. |
| Disallowed | APP_FUNCTIONS_DISALLOWED | Apps are not allowed to expose app functions. |
Password Policies
API reference: passwordPolicies[] — Type: Object
Password requirement policies. Different policies can be set for work profile or fully managed devices by setting the passwordScope field.
Policy scope
API reference: passwordScope — Type: enum
| Option | Enum | Description |
|---|---|---|
| Devices and profiles | SCOPE_UNSPECIFIED | Applied to the work profile for work profile devices and the whole device for fully managed/dedicated devices. |
| Devices | SCOPE_DEVICE | Requirements applied only to the device. |
| Profiles | SCOPE_PROFILE | Requirements applied only to the work profile. |
Unified work and personal lock
API reference: unifiedLockSettings — Type: enum
Applicable when: passwordScope = SCOPE_PROFILE. Controls whether a unified lock is allowed on Android 9+.
| Option | Enum | Description |
|---|---|---|
| Default | UNIFIED_LOCK_SETTINGS_UNSPECIFIED | Defaults to ALLOW_UNIFIED_WORK_AND_PERSONAL_LOCK. |
| Allow unified lock | ALLOW_UNIFIED_WORK_AND_PERSONAL_LOCK | A common lock for the device and the work profile is allowed. |
| Require separate work lock | REQUIRE_SEPARATE_WORK_LOCK | A separate lock for the work profile is required. |
Time before password re-entry is required
API reference: requirePasswordUnlock — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | REQUIRE_PASSWORD_UNLOCK_UNSPECIFIED | Defaults to USE_DEFAULT_DEVICE_TIMEOUT. |
| Use default | USE_DEFAULT_DEVICE_TIMEOUT | The timeout period is set to the device's default. |
| 24 hours | REQUIRE_EVERY_DAY | The timeout period is set to 24 hours. |
Password Expiration Timeout
API reference: passwordExpirationTimeout — Type: string
A duration in seconds with up to nine fractional digits, ending with 's'. Example: "86400s" (24 hours). Value 0 means no expiration.
Password Quality
API reference: passwordQuality — Type: enum
| Option | Enum | Description |
|---|---|---|
| No requirements | PASSWORD_QUALITY_UNSPECIFIED | There are no password requirements. |
| Something | SOMETHING | A password is required, but no restrictions on content. |
| Biometric | BIOMETRIC_WEAK | Low-security biometric recognition technology at minimum. |
| Numeric | NUMERIC | The password must contain numeric characters. |
| Numeric complex | NUMERIC_COMPLEX | Numeric characters with no repeating or ordered sequences. |
| Alphabetic | ALPHABETIC | The password must contain alphabetic or symbol characters. |
| Alphanumeric | ALPHANUMERIC | The password must contain both numeric and alphabetic characters. |
| Custom | COMPLEX | Must meet the minimum requirements specified in passwordMinimumLength, passwordMinimumLetters, etc. |
Minimum length
API reference: passwordMinimumLength — Type: Integer
The minimum allowed password length. A value of 0 means no restriction. Only enforced when passwordQuality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
Complex Password Character Rules
Applicable when: passwordQuality = COMPLEX
| Field | API reference | Type | Description |
|---|---|---|---|
| Minimum letters | passwordMinimumLetters | integer | Minimum number of letters required. |
| Minimum lowercase | passwordMinimumLowerCase | integer | Minimum number of lower case letters required. |
| Minimum uppercase | passwordMinimumUpperCase | integer | Minimum number of upper case letters required. |
| Minimum non-letter | passwordMinimumNonLetter | integer | Minimum number of non-letter characters required. |
| Minimum numeric | passwordMinimumNumeric | integer | Minimum number of numerical digits required. |
| Minimum symbols | passwordMinimumSymbols | integer | Minimum number of symbols required. |
Password changes before reuse is allowed
API reference: passwordHistoryLength — Type: Integer
The number of previous passwords that cannot be reused. Value 0 means no restriction.
Password failures before device is wiped
API reference: maximumFailedPasswordsForWipe — Type: Integer
Number of incorrect passwords that can be entered before a device is wiped. Value 0 means no restriction.
Enforcement Rules
API reference: policyEnforcementRules
Rules that define the behavior when a particular policy cannot be applied on a device. Each rule defines actions to take if a device is not compliant with the specified policy.
Each enforcement rule group contains:
- Target policies to monitor
- Optional block action timeline
- Optional wipe action timeline
- Optional Factory Reset Protection (FRP) preservation
Available Policy Targets
| Policy Name | Android Policies |
|---|---|
| Password Policies | passwordPolicies |
| Time before lock | maximumTimeToLock |
| Disable screenshot | screenCaptureDisabled |
| Disable camera | cameraDisabled |
| Camera access | cameraAccess |
| Disabled lock screen features | keyguardDisabledFeatures |
| Default permission policy | defaultPermissionPolicy |
| Disable factory reset | factoryResetDisabled |
| Disable installing apps | installAppsDisabled |
| Disable uninstalling apps | uninstallAppsDisabled |
| Encryption policy | encryptionPolicy |
| WiFi Configuration | openNetworkConfiguration |
| Always on VPN | alwaysOnVpnPackage |
| System update policy | systemUpdate |
| Applications policy | applications |
| Enable kiosk launcher | kioskCustomLauncherEnabled |
| Kiosk action settings | kioskCustomization |
Block Device Access
API reference: policyEnforcementRules.blockAction.blockAfterDays — Type: Integer
Number of days the device can remain non-compliant with the policy before it is blocked. A value of 0 blocks the device immediately. Must be less than wipeAfterDays.
Wipe Device Data
API reference: policyEnforcementRules.wipeAction.wipeAfterDays — Type: Integer
Number of days the device can remain non-compliant with the policy before it is wiped. Must be greater than blockAfterDays.
Preserve Factory Reset Protection (FRP)
API reference: policyEnforcementRules.wipeAction.preserveFrp — Type: boolean
Whether factory-reset protection data is preserved on the device after wipe. Does not apply to work profiles.
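The Password Policies and Enforcement Rules sections above state several conditions under which a value is rejected or silently not enforced. The following linter is an added example, not code from this product: it checks a policy document for those conditions before it is pushed. It assumes the policy is a JSON object keyed by the API reference names shown on this page; the sample policy is constructed, and the non-negative check on day counts is an assumption of the example.

```python
import re

# Constructed sample policy fragment (not from the page) with deliberate mistakes.
SAMPLE_POLICY = {
    "passwordPolicies": [
        {
            "passwordScope": "SCOPE_DEVICE",
            "passwordQuality": "NUMERIC",
            "passwordMinimumLength": 6,
            "passwordMinimumSymbols": 1,         # only applies to COMPLEX
            "passwordExpirationTimeout": "90d",  # must be seconds ending in 's'
            "unifiedLockSettings": "REQUIRE_SEPARATE_WORK_LOCK",  # SCOPE_PROFILE only
        },
        {
            "passwordScope": "SCOPE_PROFILE",
            "passwordQuality": "BIOMETRIC_WEAK",
            "passwordMinimumLength": 8,          # not enforced for this quality
        },
    ],
    "policyEnforcementRules": [
        {"blockAction": {"blockAfterDays": 7}, "wipeAction": {"wipeAfterDays": 7}},
        {"blockAction": {"blockAfterDays": 0}, "wipeAction": {"wipeAfterDays": 14}},
    ],
}

# Seconds with up to nine fractional digits, ending with 's' (e.g. "86400s").
DURATION_RE = re.compile(r"\d+(\.\d{1,9})?s")
# Qualities for which passwordMinimumLength is enforced, per the page.
LENGTH_QUALITIES = {"NUMERIC", "NUMERIC_COMPLEX", "ALPHABETIC", "ALPHANUMERIC", "COMPLEX"}
# Character-class minimums that apply only when passwordQuality is COMPLEX.
COMPLEX_ONLY = (
    "passwordMinimumLetters", "passwordMinimumLowerCase", "passwordMinimumUpperCase",
    "passwordMinimumNonLetter", "passwordMinimumNumeric", "passwordMinimumSymbols",
)


def lint_password_policies(policy):
    """Return (path, message) pairs for password settings that are malformed or not enforced."""
    findings = []
    for i, pp in enumerate(policy.get("passwordPolicies", [])):
        path = f"passwordPolicies[{i}]"
        quality = pp.get("passwordQuality", "PASSWORD_QUALITY_UNSPECIFIED")
        if pp.get("passwordMinimumLength", 0) and quality not in LENGTH_QUALITIES:
            findings.append((f"{path}.passwordMinimumLength",
                             f"not enforced when passwordQuality is {quality}"))
        for field in COMPLEX_ONLY:
            if pp.get(field, 0) and quality != "COMPLEX":
                findings.append((f"{path}.{field}",
                                 f"applies only to COMPLEX, passwordQuality is {quality}"))
        timeout = pp.get("passwordExpirationTimeout")
        if timeout is not None and not DURATION_RE.fullmatch(str(timeout)):
            findings.append((f"{path}.passwordExpirationTimeout",
                             f"{timeout!r} is not a seconds duration such as '86400s'"))
        unified = pp.get("unifiedLockSettings")
        if (unified not in (None, "UNIFIED_LOCK_SETTINGS_UNSPECIFIED")
                and pp.get("passwordScope") != "SCOPE_PROFILE"):
            findings.append((f"{path}.unifiedLockSettings",
                             "applicable only when passwordScope is SCOPE_PROFILE"))
    return findings


def lint_enforcement_rules(policy):
    """Return (path, message) pairs for block/wipe timelines that break the ordering rule."""
    findings = []
    for i, rule in enumerate(policy.get("policyEnforcementRules", [])):
        path = f"policyEnforcementRules[{i}]"
        block = rule.get("blockAction", {}).get("blockAfterDays")
        wipe = rule.get("wipeAction", {}).get("wipeAfterDays")
        for name, days in (("blockAction.blockAfterDays", block),
                           ("wipeAction.wipeAfterDays", wipe)):
            # Assumption of this example: day counts are non-negative integers.
            if days is not None and (type(days) is not int or days < 0):
                findings.append((f"{path}.{name}", "must be a non-negative integer"))
        if type(block) is int and type(wipe) is int and block >= wipe:
            findings.append((path, f"blockAfterDays ({block}) must be less than "
                                   f"wipeAfterDays ({wipe})"))
    return findings


if __name__ == "__main__":
    for path, message in lint_password_policies(SAMPLE_POLICY) + lint_enforcement_rules(SAMPLE_POLICY):
        print(f"{path}: {message}")
```

Running the linter before a policy is published surfaces the quiet failures: a minimum length or symbol count that looks strict in the document but is never applied on the device.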
Cross Profile Policies
API reference: crossProfilePolicies — Type: Object
Controls the data from the work profile that can be accessed from the personal profile and vice versa.
Share contacts from work to personal profile
API reference: crossProfilePolicies.showWorkContactsInPersonalProfile — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_UNSPECIFIED | Defaults to SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_ALLOWED. |
| Allowed | SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_ALLOWED | Allows apps in the personal profile to access work profile contacts. |
| Disallowed | SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED | Prevents personal apps from accessing work profile contacts. |
| Disallowed except system apps | SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED_EXCEPT_SYSTEM | Prevents most personal apps except OEM default Dialer, Messages, and Contacts. Android 14+. |
Share copied text across profiles
API reference: crossProfilePolicies.crossProfileCopyPaste — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | CROSS_PROFILE_COPY_PASTE_UNSPECIFIED | Defaults to COPY_FROM_WORK_TO_PERSONAL_DISALLOWED. |
| Allowed | CROSS_PROFILE_COPY_PASTE_ALLOWED | Text copied in either profile can be pasted in the other. |
| Disallowed from work to personal | COPY_FROM_WORK_TO_PERSONAL_DISALLOWED | Prevents pasting work profile text into the personal profile. |
Share app data across profiles
API reference: crossProfilePolicies.crossProfileDataSharing — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | CROSS_PROFILE_DATA_SHARING_UNSPECIFIED | Defaults to DATA_SHARING_FROM_WORK_TO_PERSONAL_DISALLOWED. |
| Allowed | CROSS_PROFILE_DATA_SHARING_ALLOWED | Data from either profile can be shared with the other. |
| Disallowed from work to personal | DATA_SHARING_FROM_WORK_TO_PERSONAL_DISALLOWED | Prevents sharing data from the work profile to the personal profile. |
| Disallowed always | CROSS_PROFILE_DATA_SHARING_DISALLOWED | Prevents data sharing in both directions. |
Work profile widgets default
API reference: crossProfilePolicies.workProfileWidgetsDefault — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | WORK_PROFILE_WIDGETS_DEFAULT_UNSPECIFIED | Defaults to WORK_PROFILE_WIDGETS_DEFAULT_DISALLOWED. |
| Allowed | WORK_PROFILE_WIDGETS_DEFAULT_ALLOWED | Work profile widgets are allowed by default. |
| Disallowed | WORK_PROFILE_WIDGETS_DEFAULT_DISALLOWED | Work profile widgets are disallowed by default. |
Personal Usage Policies
API reference: personalUsagePolicies — Type: Object
Policies managing personal usage on a company-owned device with a work profile.
Camera Disabled
API reference: personalUsagePolicies.cameraDisabled — Type: boolean
If true, the camera is disabled on the personal profile. Note: cameraDisabled is deprecated — use cameraAccess instead.
Screen Capture Disabled
API reference: personalUsagePolicies.screenCaptureDisabled — Type: boolean
If true, screen capture is disabled for all users.
Max Days With Work Profile Off
API reference: personalUsagePolicies.maxDaysWithWorkOff — Type: Integer
Controls how long the work profile can stay off. Minimum duration is 3 days. Value 0 turns the feature off.
Private Space Policy
API reference: personalUsagePolicies.privateSpacePolicy — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | PRIVATE_SPACE_POLICY_UNSPECIFIED | Defaults to PRIVATE_SPACE_ALLOWED. |
| Allowed | PRIVATE_SPACE_ALLOWED | Users can create a private space profile. |
| Disallowed | PRIVATE_SPACE_DISALLOWED | Users cannot create a private space profile. Any existing private space will be removed. |
Advanced Security
API reference: advancedSecurityOverrides — Type: Object
Advanced security settings. In most cases, setting these is not needed.
Untrusted Apps Policy
API reference: advancedSecurityOverrides.untrustedAppsPolicy — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | UNTRUSTED_APPS_POLICY_UNSPECIFIED | Defaults to DISALLOW_INSTALL. |
| Don't allow installation | DISALLOW_INSTALL | Disallow untrusted app installs on entire device. |
| Allow in personal profile only | ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY | Allow untrusted app installs in the personal profile only. |
| Always allow | ALLOW_INSTALL_DEVICE_WIDE | Allow untrusted app installs on entire device. |
Google Play Protect Verification
API reference: advancedSecurityOverrides.googlePlayProtectVerifyApps — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | GOOGLE_PLAY_PROTECT_VERIFY_APPS_UNSPECIFIED | Defaults to VERIFY_APPS_ENFORCED. |
| Enforced | VERIFY_APPS_ENFORCED | Force-enables app verification. |
| User choice | VERIFY_APPS_USER_CHOICE | Allows the user to choose whether to enable app verification. |
Control access to developer settings & safe boot
API reference: advancedSecurityOverrides.developerSettings — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | DEVELOPER_SETTINGS_UNSPECIFIED | Defaults to DEVELOPER_SETTINGS_DISABLED. |
| Disabled | DEVELOPER_SETTINGS_DISABLED | Disables all developer settings and prevents the user from accessing them. |
| Allowed | DEVELOPER_SETTINGS_ALLOWED | Allows all developer settings. |
Common Criteria Mode
API reference: advancedSecurityOverrides.commonCriteriaMode — Type: enum
Supported only on company-owned devices running Android 11+. Warning: enforces a strict security model — standard device use may be affected.
| Option | Enum | Description |
|---|---|---|
| Default | COMMON_CRITERIA_MODE_UNSPECIFIED | Defaults to COMMON_CRITERIA_MODE_DISABLED. |
| Enabled | COMMON_CRITERIA_MODE_ENABLED | Enables Common Criteria Mode. |
| Disabled | COMMON_CRITERIA_MODE_DISABLED | Disables Common Criteria Mode. |
Content protection policy (Android 15+)
API reference: advancedSecurityOverrides.contentProtectionPolicy — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | CONTENT_PROTECTION_POLICY_UNSPECIFIED | Defaults to CONTENT_PROTECTION_DISABLED. |
| Disabled | CONTENT_PROTECTION_DISABLED | Content protection is disabled and the user cannot change this. |
| Enforced | CONTENT_PROTECTION_ENFORCED | Content protection is enabled and the user cannot change this. |
| User choice | CONTENT_PROTECTION_USER_CHOICE | The user is allowed to choose the behavior of content protection. |
Enable creating windows besides app windows
API reference: createWindowsDisabled — Type: boolean
Whether creating windows besides app windows is disabled.
Enable changing the device user icon
API reference: setUserIconDisabled — Type: boolean
Whether changing the user icon is disabled. Applies on Android 7 and above.
Enable changing the device wallpaper
API reference: setWallpaperDisabled — Type: boolean
Whether changing the wallpaper is disabled.
Maximum time before device sleeps
API reference: maximumTimeToLock — Type: string
Maximum time in milliseconds for user activity until the device locks. A value of 0 means no restriction.
Minimum Android API level
API reference: minimumApiLevel — Type: Integer
The minimum allowed Android API level.
Camera Access
API reference: cameraAccess — Type: enum
| Option | Enum | Description |
|---|---|---|
| Default | CAMERA_ACCESS_UNSPECIFIED | Equivalent to CAMERA_ACCESS_DISABLED if cameraDisabled is true, otherwise CAMERA_ACCESS_USER_CHOICE. |
| User choice | CAMERA_ACCESS_USER_CHOICE | All cameras on the device are available. User can use the camera access toggle on Android 12+. |
| Disabled | CAMERA_ACCESS_DISABLED | All cameras on the device are disabled. |
| Enforced | CAMERA_ACCESS_ENFORCED | All cameras are available. On fully managed devices running Android 12+, the user cannot use the camera access toggle. |
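Several defaults on this page depend on context: bluetoothSharing resolves differently on work profiles and fully managed devices, and cameraAccess follows cameraDisabled. The following added example (not code from this product) resolves what a device effectively gets when a field is omitted or left unspecified, then compares the result with an organization baseline. The management-mode labels, the sample policy, the baseline and the top-level placement of cameraAccess, cameraDisabled and encryptionPolicy are assumptions of the example.

```python
# Management-mode labels are hypothetical names used only by this example.
WORK_PROFILE, FULLY_MANAGED = "work_profile", "fully_managed"

# path -> (UNSPECIFIED enum, function(policy, mode) giving the default documented on this page).
# Top-level placement of cameraAccess, cameraDisabled and encryptionPolicy is assumed.
DEFAULTS = {
    "deviceRadioState.minimumWifiSecurityLevel": (
        "MINIMUM_WIFI_SECURITY_LEVEL_UNSPECIFIED",
        lambda policy, mode: "OPEN_NETWORK_SECURITY"),
    "deviceConnectivityManagement.tetheringSettings": (
        "TETHERING_SETTINGS_UNSPECIFIED",
        lambda policy, mode: "ALLOW_ALL_TETHERING"),
    "deviceConnectivityManagement.bluetoothSharing": (
        "BLUETOOTH_SHARING_UNSPECIFIED",
        lambda policy, mode: ("BLUETOOTH_SHARING_DISALLOWED" if mode == WORK_PROFILE
                              else "BLUETOOTH_SHARING_ALLOWED")),
    "cameraAccess": (
        "CAMERA_ACCESS_UNSPECIFIED",
        lambda policy, mode: ("CAMERA_ACCESS_DISABLED" if policy.get("cameraDisabled") is True
                              else "CAMERA_ACCESS_USER_CHOICE")),
    # The page documents the unspecified value itself as "No encryption required".
    "encryptionPolicy": (
        "ENCRYPTION_POLICY_UNSPECIFIED",
        lambda policy, mode: "ENCRYPTION_POLICY_UNSPECIFIED"),
}

# Constructed sample policy: most security-relevant fields are simply left out.
SAMPLE_POLICY = {
    "cameraDisabled": True,
    "deviceRadioState": {"wifiState": "WIFI_ENABLED"},
    "deviceConnectivityManagement": {
        "tetheringSettings": "DISALLOW_ALL_TETHERING",
        "bluetoothSharing": "BLUETOOTH_SHARING_UNSPECIFIED",
    },
}

# Constructed baseline: the values this hypothetical organization accepts per field.
BASELINE = {
    "deviceRadioState.minimumWifiSecurityLevel": {
        "ENTERPRISE_NETWORK_SECURITY", "ENTERPRISE_BIT192_NETWORK_SECURITY"},
    "deviceConnectivityManagement.tetheringSettings": {"DISALLOW_ALL_TETHERING"},
    "deviceConnectivityManagement.bluetoothSharing": {"BLUETOOTH_SHARING_DISALLOWED"},
    "cameraAccess": {"CAMERA_ACCESS_DISABLED"},
    "encryptionPolicy": {"ENABLED_WITHOUT_PASSWORD", "ENABLED_WITH_PASSWORD"},
}


def _get(policy, path):
    """Follow a dotted path through nested dicts; None if any step is missing."""
    node = policy
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def effective_settings(policy, mode):
    """Map each known path to (effective enum, True if it came from a default)."""
    resolved = {}
    for path, (unspecified, default) in DEFAULTS.items():
        value = _get(policy, path)
        implicit = value is None or value == unspecified
        resolved[path] = (default(policy, mode) if implicit else value, implicit)
    return resolved


def audit(policy, mode, baseline):
    """Return the resolved entries whose effective value the baseline does not accept."""
    resolved = effective_settings(policy, mode)
    return {path: resolved[path] for path, accepted in baseline.items()
            if path in resolved and resolved[path][0] not in accepted}


if __name__ == "__main__":
    for mode in (FULLY_MANAGED, WORK_PROFILE):
        for path, (value, implicit) in audit(SAMPLE_POLICY, mode, BASELINE).items():
            source = "default" if implicit else "explicit"
            print(f"[{mode}] {path} = {value} ({source})")
```

The same policy document passes the Bluetooth check on a work profile and fails it on a fully managed device, which is why the audit takes the management mode as input.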
Printing Policy
API reference: printingPolicy — Type: enum
Supported on Android 9 and above.
| Option | Enum | Description |
|---|---|---|
| Default | PRINTING_POLICY_UNSPECIFIED | Defaults to PRINTING_ALLOWED. |
| Allowed | PRINTING_ALLOWED | Printing is allowed. |
| Disallowed | PRINTING_DISALLOWED | Printing is disallowed. |
Enable screenshots on device
API reference: screenCaptureDisabled — Type: boolean
Whether screen capture is disabled.
Enable adding new users and profiles on device
API reference: addUserDisabled — Type: boolean
Whether adding new users and profiles is disabled.
Enable factory reset from device settings
API reference: factoryResetDisabled — Type: boolean
Whether factory resetting from settings is disabled.
Enable installing apps on device
API reference: installAppsDisabled — Type: boolean
Whether user installation of apps is disabled.
Enable uninstalling apps on device
API reference: uninstallAppsDisabled — Type: boolean
Whether user uninstallation of applications is disabled.
Enable adding and removing accounts on device
API reference: modifyAccountsDisabled — Type: boolean
Whether adding or removing accounts is disabled.
Enable keyguard on device (Lock screen)
API reference: keyguardDisabled — Type: boolean
If true, this disables the Lock Screen for primary and/or secondary displays. Supported only in dedicated device management mode.
Enable user credentials configuration on device
API reference: credentialsConfigDisabled — Type: boolean
Whether configuring user credentials is disabled.
Enable removing other users on device
API reference: removeUserDisabled — Type: boolean
Whether removing other users is disabled.
Enable mount of physical external media on device
API reference: mountPhysicalMediaDisabled — Type: boolean
Whether the user mounting physical external media is disabled.
Summary
Use the Security Policy Component to:
- ✔ Enforce lock screen and password rules
- ✔ Prevent data leakage (USB, NFC, Bluetooth)
- ✔ Control network and roaming activity
- ✔ Restrict apps and system access
- ✔ Protect against device tampering
- ✔ Enforce company security standards
This is the most important component for enterprise compliance and data protection.