Release notes

Android Management API

• We added the guide on how to detect work profiles managed by the Android Device policy app.
• We've updated the Android Management API SDK (AMAPI SDK) to include the first release candidate for the device trust signal APIs. See AMAPI SDK release notes to know what is the latest version available.

Android Management API

• EMMs can now limit the IT admin to sign up using an email from an allowlist of domain names.
• Documentation items have also been updated:
  • The web apps guide has been updated to clarify how the user's chosen default browser interacts with display settings like fullscreen or minimal UI. The browser may or may not support these attributes. IT administrators are responsible for testing the browser's compatibility with web app settings before deploying it to users.

Android Management API

• For Android 15 and later, IT admins can now use the privateSpacePolicy to allow or disallow the creation of a Private Space.
• For Android 15 and later, we introduced WifiRoamingMode in WifiRoamingPolicy, allowing IT admins to disable Wi-Fi roaming for specific SSIDs on fully managed devices and on work profiles on company-owned devices.
• Various items of our documentation have been updated:
  • The description of the keyguardDisable field now includes information about management mode.
  • The securityPosture documentation now includes a table that shows the equivalent Play Integrity API verdict for each AM API verdict.

Android Management API

• We now prevent users from changing their email address during customers signup. We also introduced validation for admin_email when creating a signup URL.
• Various items of our documentation have been updated:
  • We updated the description for the addUserDisabled policy. For devices where managementMode is DEVICE_OWNER this field is ignored and the user is never allowed to add or remove users.
  • We updated the ExtensionConfig to clarify that exempt from battery restrictions applies to Android 11 and above.
  • We updated the description of the PermissionPolicy .
  • We clarified to how many applications a scope can be delegated in the DelegatedScope enum.

Android Management API

• We updated the behavior of the CommonCriteriaMode policy.
  COMMON_CRITERIA_MODE_ENABLED will now enable cryptographic policy integrity check and additional network certificate validation. The result of the policy integrity check is set to PolicySignatureVerificationStatus if statusReportingSettings.commonCriteriaModeEnabled is set to true.
  There are no changes to the behaviour of the default value (COMMON_CRITERIA_MODE_UNSPECIFIED) or when explicitly disabling it with COMMON_CRITERIA_MODE_DISABLED.
• We updated the documentation for PERSONAL_USAGE_DISALLOWED_USERLESS to remind developers that this change is necessary before January 2025. If this change is omitted, users may encounter an "Authenticate with Google" prompt during enrollment, when their IT admin has this feature enabled.
  The complete timeline for this feature is published on the Android Enterprise partner portal: Feature Timeline: Improved sign-up flow, device enrollment, and on-device experiences.
• We updated the documentation for CrossProfileDataSharing to include details of simple data sharing via intents.

Android Management API

The Android Management API now supports the following Android 15 features:

• For Android 15 and above a new policy has been added to control Wi-Fi roaming settings. IT Admins can use WifiRoamingPolicy to select the desired WifiRoamingMode. Supported on fully managed devices and work profiles on company-owned devices.

Android Management API

The Android Management API now supports the following Android 15 features:

• Android 15 introduces a new policy to control Circle to Search. IT admins can use AssistContentPolicy to control this feature.
• Android 15 introduces a new policy to control Phishing Detection of apps. IT admins can use ContentProtectionPolicy to control whether the app is scanned by On Device Abuse Detection (ODAD) for phishing malware.
• Android 15 expands the support of screen brightness and screen timeout settings using the DisplaySettings policy to company-owned devices with a work profile. This setting was previously available only on fully managed devices.

Android Management API

• On Android 13+, IT ​​Admins can now query the ICCID associated with the SIM card of the TelephonyInfo included in a NetworkInfo. This is supported on fully managed devices when the networkInfoEnabled field in statusReportingSettings is set to true.
• Various items of our documentation have been updated:
  • We updated the documentation for the Common Criteria Mode to clarify that it is only supported on company-owned devices running Android 11 or above.
  • We documented the optional field DefaultStatus in SigninDetail.

Android Management API

• Various items of our documentation have been updated:
  • We removed the note in the documentation for enrollmentToket.create about not being able to retrieve the token content anymore as it is possible getting the enrollment token value using enrollmentTokens.get.
  • We clarified NonComplianceReason documentation.

Android Management API

• IT admins can now control the screen brightness and screen timeout settings using the DisplaySettings policy. Supported on fully managed devices, on Android 9 and above.
• We've updated our documentation to explain that, even when using AUTO_UPDATE_HIGH_PRIORITY, updates to apps with larger deployments across Android's ecosystem can take up to 24h.
• We've updated the Android Management API SDK (AMAPI SDK) to explain the different use cases that this library (originally known as Extensibility SDK) now supports. The updated documentation covers:
  • How to integrate the library
  • Extension apps and local commands
  • DPC migration

  See AMAPI SDK release notes to know what is the latest version available.

Android Management API

• The get and list methods for enrollmentTokens now return populated value, qrCode, and allowPersonalUsage fields.
• For fully managed devices, the AllowPersonalUsage setting now supports the PERSONAL_USAGE_DISALLOWED_USERLESS.
• On Android 11+ the new UserControlSettings policy allows to specify whether user control is permitted for a given app. UserControlSettings includes user actions like force-stopping and clearing app data.
• Version 1.1.5 of the AMAPI SDK is now available. Additional information is available on the release notes page.

  Note: We strongly recommend to always use the latest available version of the library to benefit from the available bug fixes and improvements.

Android Management API

• On Android 13+, for company-owned devices, we added controls over which WiFi SSIDs devices can connect to. Using WifiSsidPolicy IT Admins can specify a list of SSIDs to be added to an allowlist ( WIFI_SSID_ALLOWLIST) or to a denylist ( WIFI_SSID_DENYLIST).
• For corporate-owned devices, we added hardware identifiers (IMEI, MEID, and serial number) to ProvisioningInfo that EMMs can now access during device setup using the sign-in URL.

Android Management API

• We added additional controls over app installation using InstallConstraint, IT admins can restrict app installation based on specific criteria.
  By setting installPriority, IT admins can ensure that critical apps are installed first.
• On Android 10+, AMAPI supports configuring enterprise 192 bit networks in openNetworkConfiguration by passing Security value WPA3-Enterprise_192.
  On Android 13+, in the MinimumWifiSecurityLevel policy, we now support ENTERPRISE_BIT192_NETWORK_SECURITY, which can be used to ensure that devices do not connect to Wi-Fi networks below this security level.
• We have updated the UsbDataAccess setting so that the USB_DATA_ACCESS_UNSPECIFIED value defaults to DISALLOW_USB_FILE_TRANSFER.

Android Management API

• On Android 9+, IT admins can now control whether printing is allowed using the printingPolicy field.
• For Android 14+, a new policy is added to control CredentialProvider apps. IT admins can use the credentialProviderPolicy field to control whether the app is allowed to act as a credential provider.
• A new policy is added to control Arm Memory Tagging Extension (MTE) on the device. The MtePolicy field is supported on fully managed devices and work profiles on company-owned devices with Android 14 and above.
• We have updated how AM API receives errors related to installs that are triggered by IT admins. As a result of this migration, the InstallationFailureReason field now also includes client errors (in addition to the server errors).
• For Android 12+, IT admins can use a key pair installed on the device for enterprise Wi-Fi authentication. See the new ClientCertKeyPairAlias field in Open Network Configuration (ONC) and our network configuration guide for more information.

Android Management API

• Devices managed by your custom DPC can now be seamlessly migrated to use Android Management API.

Android Management API

• Added MinimumWifiSecurityLevel to define the different minimum security levels required to connect to Wi-Fi networks. Supported on fully managed devices and work profiles on company-owned devices with Android 13 and above.

Android Management API

• Android 12+ now supports passwordless enterprise Wi-Fi network configuration using Identity and Password fields in Open Network Configuration. This was already supported prior to Android 12.

  Note: On Android 12+, for Wi-Fi networks with EAP username/password authentication, if the user password is not provided and AutoConnect is set to true, the device might try to connect to the network with a randomly generated placeholder password. To avoid this when the user’s password is not provided, set AutoConnect to false.

• Local device events that occur in quick succession are batched and reported in a single Pub/Sub message to EMMs.

  Event type	Expected latency between on-device event and corresponding EMM notification1
  	Previous behavior	New behavior
  High priority keyed app states	Immediate, at most one report per minute	Immediate, at most one report per minute
  Standard priority keyed app states	Schedule-based	Within one minute
  Application-related events during provisioning, for apps with install states defined by the IT admin2	Integrated into other provisioning-related events	Within one minute on top of other related provisioning events
  Application-related events after provisioning, for apps with install states defined by the IT admin2	Schedule-based	Within 5 minutes
  Application-related events both during and after provisioning, for apps with install states defined by the employee3	Schedule-based	Within 60 minutes
  Other on-device app events	Schedule-based	Within 60 minutes

  ¹ Best effort targets based on controlled circumstances. Actual latency may vary according to a variety of device and environmental factors.
  ² InstallType of apps enforced in the policy: FORCE_INSTALLED, BLOCKED, REQUIRED_FOR_SETUP, PREINSTALLED and KIOSK.
  ³ InstallType of available apps: AVAILABLE, INSTALL_TYPE_UNSPECIFIED.

Android Management API

• Apps launched as SetupAction can now cancel enrollment. This will reset a company-owned device or deletes the work profile on a personally-owned device.

Android Management API

With the release of Android 14, the Android Management API now supports the following Android 14 features:

• Restricting work profile contacts access to system applications and personal apps specified in exemptionsToShowWorkContactsInPersonalProfile. Now access to work profile contacts can be enabled for all personal apps, select personal apps, or no personal apps.

  For convenience, the new SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED_EXCEPT_SYSTEM option in showWorkContactsInPersonalProfile ensures that the only personal apps to access work contacts are the device default Dialer, Messages, and Contacts apps. In this case, neither user-configured Dialer, Messages, and Contacts apps, nor any other system or user-installed personal apps, will be able to query work contacts.

• Disable use of the ultra wideband radio on the device. This can be achieved using the new deviceRadioState.ultraWidebandState policy.
• Block the use of cellular 2G, improving network security. This is offered through the new deviceRadioState.cellularTwoGState policy.
• Android 14 introduces customizable lock screen shortcuts.

  The lock screen features admin control, which includes camera, fingerprint unlock, face unlock, etc, has been extended to also disable lockscreen shortcuts using the new SHORTCUTS option.

Android Management API

• Device and provisioning information can now be optionally retrieved during setup, allowing developers to create more targeted policies during setup or filter devices according to the supplied attributes. The sign-in url will now include a provisioningInfo parameter which can be exchanged for the corresponding device details using the new provisioningInfo get method.
• SigninDetails can now be distinguished from one another with a customizable tokenTag value.

Android Management API

• Introduced Lost Mode for company-owned devices. Lost mode enables employers to remotely lock and secure a lost device and optionally to display a message on the device screen with contact information to facilitate asset recovery.
• Added support for certificate selection delegation which grants an app access to selection of KeyChain certificates on behalf of requesting apps. See DelegatedScope.CERT_SELECTION for more details.
• Added additional WiFi management policies:
  • configureWifi - Admins can now disable adding or configuring WiFi networks. wifiConfigDisabled is now deprecated.
  • wifiDirectSettings - This policy can be used to disable configuring WiFi direct.
  • tetheringSettings - This policy can be used to disable WiFi tethering or all forms of tethering. tetheringConfigDisabled is now deprecated.
  • wifiState - This policy can be used to force enable/disable WiFi in a user's device.
• Sharing of admin configured WiFi networks will be disabled from Android 13 and above

Android Management API

• Added userFacingType field to ApplicationReport to signal whether an app is user facing.
• Added ONC_WIFI_INVALID_ENTERPRISE_CONFIG specific non-compliance reason.
  Non-compliance with reason INVALID_VALUE and specific reason ONC_WIFI_INVALID_ENTERPRISE_CONFIG is reported if enterprise Wi-Fi network does not have DomainSuffixMatch set.
• New Pub/Sub notification EnrollmentCompleteEvent added, as a type of UsageLogEvent that is published when the device finishes the enrollment.
• Added airplaneModeState in deviceRadioState to control the current state of airplane mode and whether the user can toggle it on or off. By default, the user is allowed to toggle airplane mode on or off. Supported on fully managed devices and work profiles on company-owned devices, on Android 9 and above.

Android Management API

• Added support for the DomainSuffixMatch field in Open Network Configuration to configure enterprise WiFi networks for Android 6+. Enterprise WiFi configurations without DomainSuffixMatch are considered insecure and will be rejected by the platform.
• Added UsbDataAccess policy setting that allows admins to fully disable USB data transferring. usbFileTransferDisabled is now deprecated, please use UsbDataAccess.

Android Management API

• Management capabilities over Work Profile Widgets have been improved with the addition of two new API fields: workProfileWidgets on the application level and workProfileWidgetsDefault on the device level. These allow greater control over whether an application running in the work profile can create widgets on the parent profile e.g. the home screen. This functionality is disallowed by default, but can be set to allowed using workProfileWidgets and workProfileWidgetsDefault, and is only supported for work profiles.
• We have added support to set MAC address randomization settings while configuring WiFi networks. Admins can now specify whether MACAddressRandomizationMode is set to Hardware or Automatic while configuring WiFi networks which takes effect on devices with OS version Android 13 and above and is applicable on all management modes. If set to Hardware the factory MAC address will be configured to the WiFi network, whereas Automatic the MAC address will be random.
• Various items of our documentation have been updated:
• Understanding Security Posture has been created to provide clarity on the potential responses from devicePosture and securityRisk evaluations.
• autoUpdateMode has been provided for autoUpdatePolicy as a recommended alternative due to greater flexibility with update frequency.
• We have provided clarification that BlockAction and WipeAction are restricted to company-owned devices.
• The Pub/Sub notifications page has been updated to accurately reflect the resource types for different notification types.
• For Android 13+, extension apps are exempt from battery restrictions so will not be placed into the restricted App Standby Bucket.

Android Management API

• Various items of our documentation have been updated:
• We recommend having one policy per device, to enable granular device-level management capabilities.
• In order for FreezePeriods to work as expected, system update policy cannot be set as SYSTEM_UPDATE_TYPE_UNSPECIFIED.
• Additional suggestions have been provided for policy updates regarding visibility of password steps during company-owned device provisioning.
• shareLocationDisabled is supported for fully managed devices and personally owned work profiles.
• We have provided an updated description on the usage of enterprises.devices.delete and its effects on device visibility.
• Maximum enrollment token duration is now 10,000 years, where it was previously 90 days.

Android Management API

• Added NETWORK_ACTIVITY_LOGS and SECURITY_LOGS values to the DelegatedScope to grant device policy applications access to the corresponding logs.

Android Management API

• Added specificNonComplianceReason and specificNonComplianceContext to NonComplianceDetail to provide detailed context for policy application errors.

Android Management API

• Added a command to allow the admin to remotely clear the application data of an app.
• Enrollment tokens can now be created with a longer duration than the previous maximum of 90 days, up to approximately 10,000 years. Enrollment tokens that last longer than 90 days will have a length of 24 characters, while tokens that last 90 days or less will continue to have 20 characters.

Android Management API

• Hardware-backed security features such as key attestation will now be used in device integrity evaluations, when supported by the device. This provides a strong guarantee of system integrity. Devices that fail these evaluations or do not support such hardware-backed security features will report the new HARDWARE_BACKED_EVALUATION_FAILED SecurityRisk.

Android Management API

• Added unifiedLockSettings in PasswordPolicies to allow the admin to configure if the work profile needs a separate lock.

Android Management API

• Added alwaysOnVpnLockdownExemption to specify which apps should be exempt from the AlwaysOnVpnPackage setting.
• Added all available fields from the Play EMM API Products resource to the Application resource.

Android Management API

• Added cameraAccess to control the use of camera and camera toggle, and microphoneAccess, to control the use of microphone and microphone toggle. These fields replace newly deprecated cameraDisabled and unmuteMicrophoneDisabled, respectively.

AMAPI SDK

• Minor bug fixes. See Google's Maven Repository for more details.

Android Device Policy

• Apps that are marked as unavailable in personalApplications will now be uninstalled from the personal profile of company-owned devices if already installed, as they are in the ApplicationPolicy for work profile and fully managed devices.

Android Management API

• You can now designate an app as an extension app using ExtensionConfig. Extension apps can communicate directly with Android Device Policy and in future will be able to interact with the complete set of management features offered in the Android Management API, enabling a local interface for managing the device that does not require server connectivity.
  • This initial release includes support for local execution of Commands, and currently only the ClearAppData command. See the extensibility integration guide for more details.
  • The remaining commands will be added over time, as well as additional extension app features designed to expose the breadth of device management features to the extension app.

Android Device Policy

• Minor bug fixes

Android Device Policy

• Minor bug fixes

Android Device Policy

• Minor bug fixes

Android Device Policy

• Minor bug fixes

Android Management API

• Added two new AdvancedSecurityOverrides. These policies enable Android Enterprise security best practices by default, while allowing organizations to override the default values for advanced use cases.
• googlePlayProtectVerifyApps enables Google Play's app verification by default.
• developerSettings prevents users from accessing developer options and safe mode by default, capabilities that would otherwise introduce risk of corporate data exfiltration.
• ChoosePrivateKeyRule now supports the direct grant of specific KeyChain keys to managed apps.
• This allows the target app(s) to access specified keys by calling getCertificateChain() and getPrivateKey() without having to first call choosePrivateKeyAlias().
• Android Management API defaults to granting direct access to the keys specified in policy, but otherwise falls back to granting access after the specified app has called choosePrivateKeyAlias(). See ChoosePrivateKeyRule for more details.

Deprecations

• ensureVerifyAppsEnabled is now deprecated. Use the googlePlayProtectVerifyApps AdvancedSecurityOverrides instead.
• Existing API users (Google Cloud projects with Android Management API enabled as of April 15, 2021) can continue to use ensureVerifyAppsEnabled until October 2021, but are encouraged to migrate to AdvancedSecurityOverrides as soon as possible. In October ensureVerifyAppsEnabled will no longer function.
• debuggingFeaturesAllowed and safeBootDisabled are now deprecated. Use the developerSettings AdvancedSecurityOverrides instead.
• Existing API users (Google Cloud projects with Android Management API enabled as of April 15, 2021) can continue to use debuggingFeaturesAllowed and safeBootDisabled until October 2021, but are encouraged to use AdvancedSecurityOverrides as soon as possible. In October debuggingFeaturesAllowed and safeBootDisabled will no longer function.

Android Management API

• Added personalApplications support for company-owned devices starting from Android 8. The feature is now supported on all company-owned devices with a work profile.
• Device phone number is now reported on Fully Managed Devices as part of the Device resource.

Android Device Policy

• Minor bug fixes

Android Management API

• Added personalApplications to PersonalUsagePolicies. On company-owned devices, IT can specify an allow or blocklist of applications in the personal profile. This feature is currently available only on Android 11 devices, but will be backported to Android 8 in a future release.

Android Device Policy

• Minor updates to the provisioning UI

  

Android Management API

• Added AutoDateAndTimeZone, replacing the deprecated autoTimeRequired, to control auto date, time, and time zone configuration on a company-owned device.
• Starting in Android 11, users can no longer clear app data or force stop applications when the device is configured as a kiosk (that is, when the InstallType of one application in ApplicationPolicy is set to KIOSK).
• Added new LocationMode controls to replace deprecated location detection method controls. On company-owned devices, IT can now choose between enforcing location, disabling location, or allowing users to toggle location on and off.
• Added support for CommonCriteriaMode, a new feature in Android 11. Can be enabled to address specific Common Criteria Mobile Device Fundamentals Protection Profile (MDFPP) requirements.

Deprecations

• autoTimeRequired is now deprecated, following the deprecation of specific auto time controls in Android 11. Use AutoDateAndTimeZone instead.
• The following LocationMode options are now deprecated, following their deprecation in Android 9: HIGH_ACCURACY, SENSORS_ONLY, BATTERY_SAVING, and OFF. Use LOCATION_ENFORCED, LOCATION_DISABLED, and LOCATION_USER_CHOICE instead.

Android Device Policy

• Added RELINQUISH_OWNERSHIP as a new type of device command. When deploying work profile, admins can relinquish ownership of company-owned devices to employees, wiping the work profile and resetting any device policies to factory state, while leaving personal data intact. In doing so, IT loses claim to the ownership of the device now and in the future and should not expect the device to re-enroll. To factory reset a device while maintaining ownership, use the devices.delete method instead.

Android Management API

• Improvements to the work profile experience on company-owned devices were announced in the Android 11 developer preview. Android Management API adds support for these improvements for devices running Android 8.0+ or higher. Enterprises can now designate work profile devices as company-owned, allowing management of a device's work profile, personal usage policies, and certain device-wide settings while still maintaining privacy in the personal profile.

  • For a high-level overview of enhancement to the work profile experience, see Work profile: the new standard for employee privacy.
  • See Company-owned devices for work and personal use to learn how to set up a work profile on a company-owned device.
  • An example policy for a company-owned device with a work profile is available in Devices with work profiles.
  • Added blockScope to blockAction. Use blockScope to specify whether a block action applies to an entire company-owned device or to its work profile only.

• Added connectedWorkAndPersonalApp to applicationPolicy. Starting in Android 11, some core apps can connect across a device's work and personal profiles. Connecting an app across profiles can provide a more unified experience for users. For example, by connecting a calendar app, users could view their work and personal events displayed together.

  Some apps (for example, Google Search) may be connected on devices by default. A list of connected apps on a device is available in Settings > Privacy > Connected work & personal apps.

  Use connectedWorkAndPersonalApp to allow or disallow connected apps. Allowing an app to connect cross-profile only gives the user the option to connect the app. Users can disconnect apps at any time.

• Added systemUpdateInfo to devices to report information on pending system updates.

Android Device Policy

• [July 23] Minor bug fixes

Android Device Policy

• [June 17] Minor bug fixes.

Android Device Policy

• [May 12] Minor bug fixes.

Android Device Policy

• [April 14] Minor bug fixes.

Android Device Policy

• [March 16] Minor bug fixes.

Android Device Policy

• [Feb 24] Minor bug fixes.

Android Device Policy

• [Jan 15] Minor bug fixes.

Android Management API

• A new policy for blocking untrusted apps (apps from unknown sources) is available. Use advancedSecurityOverrides.untrustedAppsPolicy to:
  • Block untrusted app installs device-wide (including work profiles).
  • Block untrusted app installs in a work profile only.
  • Allow untrusted app installed device-wide.
• A timeout period for allowing non-strong screen lock methods (e.g. fingerprint and face unlock) can now be enforced on a device or work profile using requirePasswordUnlock. After the timeout period expires, a user must use a strong form of authentication (password, PIN, pattern) to unlock a device or work profile.
• Added kioskCustomization to support the ability to enable or disable the following system UI features in kiosk mode devices:
  • Global actions launched from the power button (see powerButtonActions).
  • System info and notifications (see statusBar).
  • Home and overview buttons (see systemNavigation).
  • Status bar (see statusBar).
  • Error dialogs for crashed or unresponsive apps (see systemErrorWarnings).
• Added freezePeriod policy to support blocking system updates annually over a specified freeze period.
• A new parameter is available in devices.delete: wipeReasonMessage lets you specify a short message to display to a user before wiping the work profile from their personal device.

Deprecations

installUnknownSourcesAllowed is now marked as deprecated. Support for the policy will continue until Q2 2020 for users who enabled Android Management API before 2:00pm GMT on December 19, 2019. The policy is not supported for users who enabled the API after this date.

advancedSecurityOverrides.untrustedAppsPolicy replaces installUnknownSourcesAllowed. The table below provides a mapping between the two policies. Developers should update their solutions with the new policy as soon as possible*.

Android Device Policy

• [Nov 27] Minor bug fixes.

Android Management API

• New IframeFeature options allow you to specify which Managed Google Play iframe features to enable/disable in your console.

Android Device Policy

• [Oct 16] Minor bug fixes and performance optimization.

Features

• The policies resource is now capable of distributing closed app releases (closed app tracks), allowing organizations to test pre-release versions of apps. For details, see Distribute apps for closed testing.
• Added permittedAccessibilityServices to policies, which can be used to:
  • disallow all non-system accessibility services on a device, or
  • only allow specified apps access to these services.

Features

• The Android Management API now evaluates the security of a device and reports findings in device reports (under securityPosture). securityPosture returns the security posture status of a device (POSTURE_UNSPECIFIED, SECURE, AT_RISK, or POTENTIALLY_COMPROMISED), as evaluated by SafetyNet and other checks, along with details of any identified security risks for you to share with customers through your management console.

  To enable this feature for a device, ensure its policy has least one field from statusReportingSettings enabled.

Features

• To distinguish that an app is launched from launchApp in setupActions, the activity that's first launched as part of the app now contains the boolean intent extra com.google.android.apps.work.clouddpc.EXTRA_LAUNCHED_AS_SETUP_ACTION (set to true). This extra allows you to customize your app based on whether it's launched from launchApp or by a user.

Maintenance release

• Minor bug fixes and performance optimization.

Features

• Added policyEnforcementRules to replace complianceRules, which has been deprecated. See the deprecation notice above for more information.
• Added new APIs to create and edit web apps. For more details, see Support web apps.

User experience

Android Device Policy: The app’s icon is no longer visible on devices. Users can still view the policy page previously launched by the icon:

• Fully managed devices: Settings > Google > Device Policy
• Devices with work profiles: Settings > Google > Work > Device Policy
• All devices: Google Play Store app > Android Device Policy

• Android Device Policy is now available in South Korea.

Features

• Added new metadata, including alternate serial numbers, to devices.
• The number of apps with installType REQUIRED_FOR_SETUP is now limited to five per policy. This is to ensure the best possible user experience during device and work profile provisioning.

User experience

• Android Device Policy: Added improved non-compliance messaging to help users return their devices to a compliant state or inform them when it isn’t possible.
• Android Device Policy: After an enrollment token is registered, a new setup experience guides users through the steps required by their policy to complete their device or work profile configuration.

  

Features

• Added new field to installType
  • REQUIRED_FOR_SETUP: If true, the app must be installed before the device or work profile setup completes. Note: If the app isn't installed for any reason (e.g. incompatibility, geo-availability, poor network connection), setup won't complete.
• Added SetupAction to policies. With SetupAction, you can specify an app to launch during setup, allowing a user to further configure their device. See Launch an app during setup for more details.
• For enterprises with status reports enabled, new device reports are now issued immediately following any failed attempt to unlock a device or work profile.

Deprecations

• In policies, wifiConfigsLockdownEnabled has been deprecated. WiFi networks specified is policy are now non-modifiable by default. To make them modifiable, set wifiConfigDisabled to false.

Features

• Added support for work profile devices to the sign-in URL provisioning method. Work profile device owners can now sign in with their corporate credentials to complete provisioning.

User experience

• Added support for dark mode in Android Device Policy. Dark mode is a display theme available in Android 9 Pie, which can be enabled in Settings > Display > Advanced > Device theme > Dark.

  

Features

• A new enrollment method is available for fully managed devices. The method uses a sign-in URL to prompt users to enter their credentials, allowing you to assign a policy and provision users' devices based on their identity.
• Added support for the managed configurations iframe, a UI you can add to your console for IT admins to set and save managed configurations. The iframe returns a unique mcmId for each saved configuration, which you can add to policies.
• Added passwordPolicies and PasswordPolicyScope to policies:
  • passwordPolicies sets the password requirements for the specified scope (device or work profile).
  • If PasswordPolicyScope isn't specified, the default scope is SCOPE_PROFILE for work profile devices, and SCOPE_DEVICE for fully managed or dedicated devices.
  • passwordPolicies overrides passwordRequirements if PasswordPolicyScope is unspecified (default), or PasswordPolicyScope is set to the same scope as passwordRequirements

Bug fixes

• Fixed issue that made kiosk devices incorrectly appear out of compliance following provisioning, for a subset of policy configurations

Features

Updates to support work profile and fully managed device provisioning and management:

• New provisioning methods are available for work profiles:
  • Provide users with an enrollment token link.
  • Go to Settings > Google > Set up work profile.
• Added new fields to enrollmentTokens.
  • oneTimeOnly: If true, the enrollment token will expire after it's first used.
  • userAccountIdentifier: Identifies a specific managed Google Play Account.
    • If not specified: The API silently creates a new account each time a device is enrolled with the token.
    • If specified: The API uses the specified account each time a device is enrolled with the token. You can specify the same account across multiple tokens. See Specify a user for more information.
• Added managementMode (read-only) to devices.
  • Devices with work profiles: managementMode is set to PROFILE_OWNER.
  • Dedicated devices and fully managed devices: managementMode is set to DEVICE_OWNER.

Updates to the policies resource to improve app management capabilities:

• Added new field playStoreMode.
  • WHITELIST (default): Only apps added to policy are available in the work profile or on the managed device. Any app not in policy is unavailable, and uninstalled if previously installed.
  • BLACKLIST: Apps added to policy are unavailable. All other apps listed in Google Play are available.
• Added BLOCKED as an InstallType option, which makes an app unavailable to install. If the app is already installed, it will be uninstalled.
  • You can use installType BLOCKED together with playStoreMode BLACKLIST to prevent a managed device or work profile from installing specific apps.

User experience

• Updated Android Device Policy settings to match device settings.

User experience

• Merged the status and device details pages in Android Device Policy into a single page.
• Improved setup UI consistency with Android setup wizard.

Features

• Added PermissionGrants at the policy level. You can now control runtime permissions at four levels:
  • Global, across all apps: set defaultPermissionPolicy at the policy level.
  • Per permission, across all apps: set permissionGrant at the policy level.
  • Per app, across all permissions: set defaultPermissionPolicy within ApplicationPolicy.
  • Per app, per permission: set permissionGrant within ApplicationPolicy.
• When factory resetting a device, the new WipeDataFlag allows you to:
  • WIPE_EXTERNAL_STORAGE: wipe the device's external storage (e.g. SD cards).
  • PRESERVE_RESET_PROTECTION_DATA: preserve the factory reset protection data on the device. This flag ensures that only an authorized user can recover a device if, for instance, the device is lost. Note: Only enable this feature if you've set frpAdminEmails[] in policy.

Bug fixes

• Fixed issue with Android Device Policy exiting lock task mode when updating in the foreground.

User experience

• Instead of hiding disabled apps from the launcher, Android 7.0+ devices now display icons for disabled apps in gray:
  

  

Features

• Updated policies to support the following certificate management capabilities:
  • Automatic granting of certificate access to apps.
  • Delegating all certificate management features supported by Android Device Policy to another app (see CERT_INSTALL).
• Individual apps can now be disabled in ApplicationPolicy (set disabled to true), independent of compliance rules.
• It's now possible to disable system apps.
• Added application reports to devices. For each managed app installed on a device, the report returns the app's package name, version, install source, and other detailed information. To enable, set applicationReportsEnabled to true in the device's policy.
• Updated enterprises to include terms and conditions. An enterprise's terms and conditions are displayed on devices during provisioning.

Bug fixes

• Updated provisioning flow to disable access to settings, except when access is required to complete setup (e.g. creating a passcode).

User experience

• Updated the design of Android Device Policy and the device provisioning flow to improve overall user experience.

Features

• Added support for Direct Boot, allowing you to remotely wipe Android 7.0+ devices that haven't been unlocked since they were last rebooted.
• Added a location mode setting to the policies resource, allowing you to configure the location accuracy mode on a managed device.
• Added an error response field to the Command resource.

Bug fixes

• Provisioning performance has been improved.
• Compliance reports are now generated immediately after a device is provisioned. To configure an enterprise to receive compliance reports, see Receive non-compliance detail notifications.

Known issues

• Lock Screen Settings crashes on Android 8.0+ LG devices (e.g. LG V30) managed by Android Device Policy.

User experience

• Updated the validation text for the "code" field, which is displayed if a user chooses to manually enter a QR code to enroll a device.

Features

• You can now set a policy to trigger force-installed apps to auto-update if they don't meet a specified minimum app version. In ApplicationPolicy:
  • Set installType to FORCE_INSTALLED
  • Specify a minimumVersionCode.
• Updated the Devices resource with new fields containing information that may be useful to IT admins, such as the device's carrier name (see NetworkInfo for more details), whether the device is encrypted, and whether Verify Apps is enabled (see DeviceSettings for more details).

Bug fixes

• The RESET_PASSWORD and LOCK commands now work with Android 8.0 Oreo devices.
• Fixed issue with DeviceSettings not being populated.
• Fixed issue with stayOnPluggedModes policy handling.

Features

• Android Device Policy now supports a basic kiosk launcher , which can be enabled via policy. The launcher locks down a device to a set of predefined apps and blocks user access to device settings. The specified apps appear on a single page in alphabetical order. To report a bug or request a feature, tap the feedback icon on the launcher.
• Updated device setup with new retry logic. If a device is rebooted during setup, the provisioning process now continues where it left off.
• The following new policies are now available. See the API reference for full details:

  keyguardDisabledFeatures	accountTypesWithManagementDisabled
  installAppsDisabled	mountPhysicalMediaDisabled
  uninstallAppsDisabled	bluetoothContactSharingDisabled
  shortSupportMessage	longSupportMessage
  bluetoothConfigDisabled	cellBroadcastsConfigDisabled
  credentialsConfigDisabled	mobileNetworksConfigDisabled
  tetheringConfigDisabled	vpnConfigDisabled
  createWindowsDisabled	networkResetDisabled
  outgoingBeamDisabled	outgoingCallsDisabled
  smsDisabled	usbFileTransferDisabled
  ensureVerifyAppsEnabled	permittedInputMethods
  recommendedGlobalProxy	setUserIconDisabled
  setWallpaperDisabled	alwaysOnVpnPackage
  dataRoamingDisabled	bluetoothDisabled

• Updated Android Device Policy's target SDK to Android 8.0 Oreo.

Bug Fixes

• It's now possible to skip the network picker display if a connection can't be made at boot. To enable the network picker on boot, use the networkEscapeHatchEnabled policy.