Skip to main content

Application Component

The Application Policy Component lets you control which apps are allowed, blocked, or managed on devices.
You can also control app updates, permissions, and how apps behave on both work and personal profiles.

Use this component to manage app availability, security, and user access.

application-component

Default policy for Google Play Store

API reference: playStoreMode

Type: enum

This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.

Possible values for Play Store mode policy.

Options

OptionEnumDescription
DefaultPLAY_STORE_MODE_UNSPECIFIEDUnspecified. Defaults to WHITELIST.
Only whitelisted apps WHITELISTOnly apps that are in the policy are available and any app not in the policy will be automatically uninstalled from the device.
Block blacklisted appsBLACKLISTAll apps are available and any app that should not be on the device should be explicitly marked as 'BLOCKED' in the applications policy.

Default policy for app auto updates

API reference: appAutoUpdatePolicy

Type: enum

Recommended alternative: autoUpdateMode which is set per app, provides greater flexibility around update frequency.

When autoUpdateMode is set to AUTO_UPDATE_POSTPONED or AUTO_UPDATE_HIGH_PRIORITY, this field has no effect.

The app auto-update policy, which controls when automatic app updates can be applied.

Important: Changes to app update policies don't affect updates that are in progress. Any policy changes will apply to subsequent app updates.

Options

OptionEnumDescription
DefaultAPP_AUTO_UPDATE_POLICY_UNSPECIFIEDThe auto-update policy is not set. Equivalent to CHOICE_TO_THE_USER.
AlwaysALWAYSApps are auto-updated at any time. Data charges may apply.
Choice to the user CHOICE_TO_THE_USERThe user can control auto-updates.
NeverNEVERApps are never auto-updated.
WiFi OnlyWIFI_ONLYApps are auto-updated over Wi-Fi only.

Credential provider policy

API reference: credentialProviderPolicyDefault

Type: enum

Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, see this and this for details. See also credentialProviderPolicy.

Options

OptionEnumDescription
Default (disallowed)CREDENTIAL_PROVIDER_POLICY_DEFAULT_UNSPECIFIEDUnspecified. Defaults to CREDENTIAL_PROVIDER_DEFAULT_DISALLOWED.
Disallowed when Credential Provider Policy of the app is unspecified CREDENTIAL_PROVIDER_DEFAULT_DISALLOWEDApps with credentialProviderPolicy unspecified are not allowed to act as a credential provider.
Disallowed except OEM default credential providersCREDENTIAL_PROVIDER_DEFAULT_DISALLOWED_EXCEPT_SYSTEMApps with credentialProviderPolicy unspecified are not allowed to act as a credential provider except for the OEM default credential providers. OEM default credential providers are always allowed to act as credential providers.

How to handle app permission requests

API reference: defaultPermissionPolicy

Type: enum

The default permission policy for runtime permission requests.

Options

OptionEnumDescription
DefaultPERMISSION_POLICY_UNSPECIFIEDPolicy not specified. If no policy is specified for a permission at any level, then the PROMPT behavior is used by default.
Prompt device user PROMPTPrompt the user to grant a permission.
Always grant permissionsGRANTPrompt the user to grant a permission. Automatically grant a permission.

On Android 12 and above, READ_SMS and following sensor-related permissions can only be granted on fully managed devices:

ACCESS_FINE_LOCATION

ACCESS_BACKGROUND_LOCATION

ACCESS_COARSE_LOCATION

CAMERA

RECORD_AUDIO

ACTIVITY_RECOGNITION

BODY_SENSORS
Always deny permissionsDENYAutomatically deny a permission.

Override individual permission requests

API reference: permissionGrants[]

Type: Array<Object>

Explicit permission or group grants or denials for all apps. These values override the defaultPermissionPolicy and permissionGrants which apply to all apps.

Override individual permission requests fields

FieldAPI ReferenceTypeDescription
PermissionpermissionstringThe Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
Policypolicyenum(Permission Policy)The policy for granting the permission.

Permission Policy

API reference: permissionGrants[].policy

Type: enum

The policy for granting the permission.

Options

OptionEnumDescription
DefaultPERMISSION_POLICY_UNSPECIFIEDPolicy not specified. If no policy is specified for a permission at any level, then the PROMPT behavior is used by default.
Prompt device userPROMPTPrompt the user to grant a permission.
Always grant permissionsGRANTPrompt the user to grant a permission. Automatically grant a permission.

On Android 12 and above, READ_SMS and following sensor-related permissions can only be granted on fully managed devices:

ACCESS_FINE_LOCATION

ACCESS_BACKGROUND_LOCATION

ACCESS_COARSE_LOCATION

CAMERA

RECORD_AUDIO

ACTIVITY_RECOGNITION

BODY_SENSORS
Always deny permissionsDENYAutomatically deny a permission.

Note: Duplicate permissions are automatically prevented.

Application-specific policies

Application Policy

API reference: applications[]

Type: object

Policy configuration for individual applications applied to the device.

The maximum number of applications allowed per policy is 3000.

Each entry represents configuration for a single application.

Applications can be added using:

  • Play Store search
  • Package name entry
  • Private APK upload
  • Device Insights quick add

Package Name

API reference: applications[].packageName

Type: string

The package name of the application.

Example: com.google.android.youtube

Capture App Insights

API reference: enableDeviceInsights

Type: boolean

It captures Memory Usage Stats, Battery Usage Stats, Storage Usage Stats and Network Data Usage Stats

Application enabled

API reference: applications[].disabled

Type: boolean

Whether the app is disabled. When disabled, the app data is still preserved.

Install Type

API reference: applications[].installType

Type: enum

The type of installation to perform.

The type of installation to perform for an app. If setupAction references an app, they must have installType set as REQUIRED_FOR_SETUP or the setup will fail.

Install Type Options

OptionEnumDescription
DefaultINSTALL_TYPE_UNSPECIFIEDUnspecified. Defaults to AVAILABLE.
Preinstalled PREINSTALLEDThe app is automatically installed and can be removed by the user.
Force Installed FORCE_INSTALLEDThe app is automatically installed regardless of a set maintenance window and can't be removed by the user.
BlockedBLOCKEDThe app is blocked and can't be installed. If the app was installed under a previous policy, it will be uninstalled. This also blocks its instant app functionality.
Available AVAILABLEThe app is available to install.
Required For Setup REQUIRED_FOR_SETUPThe app is automatically installed and can't be removed by the user and will prevent setup from completion until installation is complete.

Install Type Notes

  • Maximum 5 REQUIRED_FOR_SETUP apps allowed.
  • CUSTOM apps:
    • Must include signing certificates.
    • Cannot use Play Store specific fields.
    • Installed only through AMAPI SDK commands.

Roles

API reference: applications[].roles[]

Type: enum (RoleType)

Roles the app has.

Apps having certain roles can be exempted from power and background execution restrictions, suspension and hibernation on Android 14 and above. The user control can also be disallowed for apps with certain roles on Android 11 and above. Refer to the documentation of each RoleType for more details.

The app is notified about the roles that are set for it if the app has a notification receiver service with <meta-data android:name="com.google.android.managementapi.notification.NotificationReceiverService.SERVICE_APP_ROLES" android:value="" />. The app is notified whenever its roles are updated or after the app is installed when it has nonempty list of roles. The app can use this notification to bootstrap itself after the installation. See Integrate with the AMAPI SDK and Manage app roles guides for more details on the requirements for the service.

For the exemptions to be applied and the app to be notified about the roles, the signing key certificate fingerprint of the app on the device must match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts. Otherwise, a NonComplianceDetail with APP_SIGNING_CERT_MISMATCH is reported.

There must not be duplicate roles with the same roleType. Multiple apps cannot hold a role with the same roleType. A role with type ROLE_TYPE_UNSPECIFIED is not allowed.

Role Type

FieldAPI ReferenceDescription
Kiosk KISOKThe role type for kiosk apps. An app can have this role only if it has installType set to REQUIRED_FOR_SETUP or CUSTOM. Before adding this role to an app with CUSTOM install type, the app must already be installed on the device.

The app having this role type is set as the preferred home intent and allowlisted for lock task mode. When there is an app with this role type, status bar will be automatically disabled.

This is preferable to setting installType to KIOSK.

On Android 11 and above, the user control is disallowed but userControlSettings can be set to USER_CONTROL_ALLOWED to allow user control for the app with this role.
Mobile Threat Defense Endpoint Detection ResponseMOBILE_THREAT_DEFENSE_ENDPOINT_DETECTION_RESPONSEThe role type for Mobile Threat Defense (MTD) / Endpoint Detection & Response (EDR) apps.

On Android 14 and above, the app with this role is exempted from power and background execution restrictions, suspension and hibernation. On Android 11 and above, the user control is disallowed and userControlSettings cannot be set to USER_CONTROL_ALLOWED for the app with this role.
System Health MonitoringSYSTEM_HEALTH_MONITORINGThe role type for system health monitoring apps.

On Android 14 and above, the app with this role is exempted from power and background execution restrictions, suspension and hibernation. On Android 11 and above, the user control is disallowed and userControlSettings cannot be set to USER_CONTROL_ALLOWED for the app with this role.

Role Rules

  • No duplicate roles allowed.
  • Only one app per role type allowed.
  • ROLE_TYPE_UNSPECIFIED is not allowed.

Role Enforcement Notes

If signing certificate mismatch:

User Control

API reference: applications[].userControlSettings

Type: enum

Specifies whether user control is permitted for the app. User control includes user actions like force-stopping and clearing app data. Certain types of apps have special treatment, see USER_CONTROL_SETTINGS_UNSPECIFIED and USER_CONTROL_ALLOWED for more details.

Options

OptionEnumDescription
Default USER_CONTROL_SETTINGS_UNSPECIFIEDUses the default behaviour of the app to determine if user control is allowed or disallowed. User control is allowed by default for most apps but disallowed for following types of apps:

extensionConfig(deprecated)

• kiosk apps (see KIOSK install type for more details)

• apps with roles set to a nonempty list

• other critical system apps
Allowed USER_CONTROL_ALLOWEDUser control is allowed for the app. Kiosk apps can use this to allow user control. For extension apps, user control is disallowed even if this value is set.

For apps with roles set to a nonempty list (except roles containing only KIOSK role), this value cannot be set.

For kiosk apps (see KIOSK install type and KIOSK role type for more details), this value can be used to allow user control.
DisallowedUSER_CONTROL_DISALLOWEDUser control is disallowed for the app. This is supported on Android 11 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 11.

Preferential Network ID

API reference: applications[].preferentialNetworkId

Type: enum

ID of the preferential network the application uses. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the application will use the default network ID specified in defaultPreferentialNetworkId. See the documentation of defaultPreferentialNetworkId for the list of apps excluded from this defaulting. This applies on both work profiles and fully managed devices on Android 13 and above.

Options

OptionEnumDescription
Default PREFERENTIAL_NETWORK_ID_UNSPECIFIEDWhether this value is valid and what it means depends on where it is used, and this is documented on the relevant fields.
Application does not use any preferential networkNO_PREFERENTIAL_NETWORKApplication does not use any preferential network.
Network identifier 1PREFERENTIAL_NETWORK_ID_ONEPreferential network identifier 1.
Network identifier 2PREFERENTIAL_NETWORK_ID_TWOPreferential network identifier 2.
Network identifier 3PREFERENTIAL_NETWORK_ID_THREEPreferential network identifier 3.
Network identifier 4PREFERENTIAL_NETWORK_ID_FOURPreferential network identifier 4.
Network identifier 5PREFERENTIAL_NETWORK_ID_FIVEPreferential network identifier 5.

Install Priority

API reference: applications[].installPriority

Type: integer

Defines installation priority relative to other apps.

Amongst apps with installType set to:

FORCE_INSTALLED

PREINSTALLED

this defines a set of restrictions for the app installation. At least one of the fields must be set. When multiple fields are set, then all the constraints need to be satisfied for the app to be installed.

Install Constraint

API reference: applications[].installConstraint[]

Type: object

The constraints for installing the app. You can specify a maximum of one InstallConstraint. Multiple constraints are rejected.

Constraint Limit: Maximum one constraint allowed.

Install Constraint Fields

FieldDescription
networkTypeConstraintNetwork type constraint.

enum (NetworkTypeConstraint)
chargingConstraintCharging constraint.

enum (ChargingConstraint)
deviceIdleConstraintDevice idle constraint.

enum (DeviceIdleConstraint)

NetworkTypeConstraint

API reference: applications[].installConstraint[].networkTypeConstraint

Type: enum

Options

OptionEnumDescription
Default (Any active networks)NETWORK_TYPE_CONSTRAINT_UNSPECIFIEDUnspecified. Default to INSTALL_ON_ANY_NETWORK.
Any active networks (Wi-Fi, cellular, etc.) INSTALL_ON_ANY_NETWORKAny active networks (Wi-Fi, cellular, etc.).
Any unmetered network (e.g. Wi-FI)INSTALL_ONLY_ON_UNMETERED_NETWORKAny unmetered network (e.g. Wi-FI).

ChargingConstraint

API reference: applications[].installConstraint[].chargingconstraint

Type: enum

Options

OptionEnumDescription
Default (Device doesn't have to be charging)CHARGING_CONSTRAINT_UNSPECIFIEDDefault to CHARGING_NOT_REQUIRED.
Device doesn't have to be charging CHARGING_NOT_REQUIREDDevice doesn't have to be charging.
Device has to be chargingINSTALL_ONLY_WHEN_CHARGINGDevice has to be charging.

DeviceIdleConstraint

API reference: applications[].installConstraint[].deviceIdleConstraint

Type: enum

Options

OptionEnumDescription
Default (doesn't have to be idle)DEVICE_IDLE_CONSTRAINT_UNSPECIFIEDDefault to DEVICE_IDLE_NOT_REQUIRED.
Device doesn't have to be idle, app can be installed while the user is interacting with the device DEVICE_IDLE_NOT_REQUIREDDevice doesn't have to be idle, app can be installed while the user is interacting with the device.
Device has to be idleINSTALL_ONLY_WHEN_CHARGINGDevice has to be idle.

Scopes

API reference: applications[].delegatedScopes[]

Type: enum

The scopes delegated to the app from Android Device Policy. These provide additional privileges for the applications they are applied to.

Delegation Scopes that another package can acquire from Android Device Policy.

Options

OptionEnumDescription
DefaultDELEGATED_SCOPE_UNSPECIFIEDNo delegation scope specified.
Cert InstallCERT_INSTALLGrants access to certificate installation and management. This scope can be delegated to multiple applications.
Managed ConfigurationsMANAGED_CONFIGURATIONSGrants access to managed configurations management. This scope can be delegated to multiple applications.
Block UninstallBLOCK_UNINSTALLGrants access to blocking uninstallation. This scope can be delegated to multiple applications.
Permission GrantPERMISSION_GRANTGrants access to permission policy and permission grant state. This scope can be delegated to multiple applications.
Package AccessPACKAGE_ACCESSGrants access to package access state. This scope can be delegated to multiple applications.
Enable System AppENABLE_SYSTEM_APPGrants access for enabling system apps. This scope can be delegated to multiple applications.
Network Activity LogsNETWORK_ACTIVITY_LOGSGrants access to network activity logs. Allows the delegated application to call setNetworkLoggingEnabled, isNetworkLoggingEnabled and retrieveNetworkLogs methods. This scope can be delegated to at most one application. Supported for fully managed devices on Android 10 and above. Supported for a work profile on Android 12 and above. When delegation is supported and set, NETWORK_ACTIVITY_LOGS is ignored.
Security LogsSECURITY_LOGSGrants access to security logs. Allows the delegated application to call setSecurityLoggingEnabled, isSecurityLoggingEnabled, retrieveSecurityLogs and retrievePreRebootSecurityLogs methods. This scope can be delegated to at most one application. Supported for fully managed devices and company-owned devices with a work profile on Android 12 and above. When delegation is supported and set, SECURITY_LOGS is ignored.

App Track IDs

API reference: applications[].accessibleTrackIds[]

Type: string

List of the app’s track IDs that a device belonging to the enterprise can access. If the list contains multiple track IDs, devices receive the latest version among all accessible tracks. If the list contains no track IDs, devices only have access to the app’s production track. More details about each track are available in AppTrackInfo.

AppTrackInfo

FieldsTypeDescription
trackIdstringThe unmodifiable unique track identifier, taken from the releaseTrackId in the URL of the Play Console page that displays the app’s track information.
trackAliasstringThe track name associated with the trackId, set in the Play Console. The name is modifiable from Play Console.

Connected Work And Personal App

API reference: applications[].connectedWorkAndPersonalApp

Type: enum

Controls whether the app can communicate with itself across a device’s work and personal profiles, subject to user consent.

Options

OptionEnumDescription
DefaultCONNECTED_WORK_AND_PERSONAL_APP_UNSPECIFIEDDefaults to CONNECTED_WORK_AND_PERSONAL_APP_DISALLOWED.
AllowedCONNECTED_WORK_AND_PERSONAL_APP_ALLOWEDAllows the app to communicate across profiles after receiving user consent.
Disallowed CONNECTED_WORK_AND_PERSONAL_APP_DISALLOWEDDefault. Prevents the app from communicating cross-profile.

Default Permission Policy

API reference: applications[].defaultPermissionPolicy

Type: enum

The default permission policy for runtime permission requests.

Options

OptionEnumDescription
DefaultPERMISSION_POLICY_UNSPECIFIEDPolicy not specified. If no policy is specified for a permission at any level, then the PROMPT behavior is used by default.
Prompt device user PROMPTPrompt the user to grant a permission.
Always grant permissionsGRANTPrompt the user to grant a permission. Automatically grant a permission.

On Android 12 and above, READ_SMS and following sensor-related permissions can only be granted on fully managed devices:

ACCESS_FINE_LOCATION

ACCESS_BACKGROUND_LOCATION

ACCESS_COARSE_LOCATION

CAMERA

RECORD_AUDIO

ACTIVITY_RECOGNITION

BODY_SENSORS
Always deny permissionsDENYAutomatically deny a permission.

Auto Update Mode

API reference: applications[].autoUpdateMode

Type: enum

Controls the auto-update mode for the app.

If a device user makes changes to the device settings manually, these choices are ignored by AutoUpdateMode as it takes precedence.

OptionEnumDescription
UnspecifiedAUTO_UPDATE_MODE_UNSPECIFIEDUnspecified. Defaults to AUTO_UPDATE_DEFAULT.
Default AUTO_UPDATE_DEFAULTThe default update mode.

The app is automatically updated with low priority to minimize the impact on the user.

The app is updated when all of the following constraints are met:

• The device is not actively used.

• The device is connected to an unmetered network.

• The device is charging.

• The app to be updated is not running in the foreground.

The device is notified about a new update within 24 hours after it is published by the developer, after which the app is updated the next time the constraints above are met.
Postponed AUTO_UPDATE_POSTPONEDThe app is not automatically updated for a maximum of 90 days after the app becomes out of date.

90 days after the app becomes out of date, the latest available version is installed automatically with low priority (see AUTO_UPDATE_DEFAULT). After the app is updated it is not automatically updated again until 90 days after it becomes out of date again.

The user can still manually update the app from the Play Store at any time.
High Priority AUTO_UPDATE_HIGH_PRIORITYThe app is updated as soon as possible. No constraints are applied.

The device is notified as soon as possible about a new update after it becomes available.

NOTE: Updates to apps with larger deployments across Android's ecosystem can take up to 24h.

Minimum Version Code

API reference: applications[].minimumVersionCode

Type: string

The minimum version of the app that runs on the device. If set, the device attempts to update the app to at least this version code. If the app is not up-to-date, the device will contain a NonComplianceDetail with nonComplianceReason set to APP_NOT_UPDATED. The app must already be published to Google Play with a version code greater than or equal to this value. At most 20 apps may specify a minimum version code per policy.

Exempt from always-on VPN connection

API reference: applications[].alwaysOnVpnLockdownExemption

Type: enum

Specifies whether the app is allowed networking when the VPN is not connected and alwaysOnVpnPackage.lockdownEnabled is enabled. If set to VPN_LOCKDOWN_ENFORCED, the app is not allowed networking, and if set to VPN_LOCKDOWN_EXEMPTION, the app is allowed networking. Only supported on devices running Android 10 and above. If this is not supported by the device, the device will contain a NonComplianceDetail with nonComplianceReason set to API_LEVEL and a fieldPath. If this is not applicable to the app, the device will contain a NonComplianceDetail with nonComplianceReason set to UNSUPPORTED and a fieldPath. The fieldPath is set to applications[i].alwaysOnVpnLockdownExemption, where i is the index of the package in the applications policy.

Options

OptionEnumDescription
DefaultALWAYS_ON_VPN_LOCKDOWN_EXEMPTION_UNSPECIFIEDUnspecified. Defaults to VPN_LOCKDOWN_ENFORCED.
Enforced VPN_LOCKDOWN_ENFORCEDThe app respects the always-on VPN lockdown setting.
Exemption VPN_LOCKDOWN_EXEMPTIONThe app is exempt from the always-on VPN lockdown setting.

Home screen widgets permissions

API reference: applications[].workProfileWidgets

Type: enum

Specifies whether the app installed in the work profile is allowed to add widgets to the home screen.

Controls if a work profile application is allowed to add widgets to the home screen.

OptionEnumDescription
DefaultWORK_PROFILE_WIDGETS_UNSPECIFIEDUnspecified. Defaults to workProfileWidgetsDefault
AllowedWORK_PROFILE_WIDGETS_ALLOWEDWork profile widgets are allowed. This means the application will be able to add widgets to the home screen.
DisallowedWORK_PROFILE_WIDGETS_DISALLOWEDWork profile widgets are disallowed. This means the application will not be able to add widgets to the home screen.

Credential Provider Policy

API reference: applications[].credentialProviderPolicy

Type: enum

Whether the app is allowed to act as a credential provider on Android 14 and above.

OptionEnumDescription
DefaultCREDENTIAL_PROVIDER_POLICY_UNSPECIFIEDUnspecified. The behaviour is governed by credentialProviderPolicyDefault.
AllowedCREDENTIAL_PROVIDER_ALLOWEDApp is allowed to act as a credential provider.

Permission Grants

API reference: applications[].permissionGrants[]

Type: Array<Object>

Explicit permission or group grants or denials for all apps. These values override the defaultPermissionPolicy and permissionGrants which apply to all apps.

Permission Grants fields

FieldAPI ReferenceTypeDescription
PermissionpermissionstringThe Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
Policypolicyenum(Permission Policy)The policy for granting the permission..

Permission Policy

API reference: applications[].permissionGrants[].policy

Type: enum

The policy for granting the permission.

Options

OptionEnumDescription
Default PERMISSION_POLICY_UNSPECIFIEDPERMISSION_POLICY_UNSPECIFIEDPolicy not specified. If no policy is specified for a permission at any level, then the PROMPT behavior is used by default.
Prompt device user PROMPTPROMPTPrompt the user to grant a permission.
Always grant permissions GRANTGRANTPrompt the user to grant a permission. Automatically grant a permission.

On Android 12 and above, READ_SMS and following sensor-related permissions can only be granted on fully managed devices:

ACCESS_FINE_LOCATION

ACCESS_BACKGROUND_LOCATION

ACCESS_COARSE_LOCATION

CAMERA

RECORD_AUDIO

ACTIVITY_RECOGNITION

BODY_SENSORS
Always deny permissions DENYDENYAutomatically deny a permission.

Note: Duplicate permissions are automatically prevented.

Managed Configuration

Managed Configuration

API reference: managedConfiguration

Type: object (Struct format)

Managed configuration applied to the app. The format for the configuration is dictated by the ManagedProperty values supported by the app. Each field name in the managed configuration must match the key field of the ManagedProperty. The field value must be compatible with the type of the ManagedProperty:

typeJSON value
BOOLtrue or false
STRINGstring
INTEGERnumber
CHOICEstring
MULTISELECTarray of strings
HIDDENstring
BUNDLE_ARRAYarray of objects

Note: string values cannot be longer than 65535 characters.

Api specific note

Struct

Struct represents a structured data value, consisting of fields which map to dynamically typed values. In some languages, Struct might be supported by a native representation. For example, in scripting languages like JS a struct is represented as an object. The details of that representation are described together with the proto support for the language.

The JSON representation for Struct is JSON object.

Field nameTypeDescription
fieldsmap<string, Value>Map of dynamically typed values.

ManagedProperty

Type: object

Managed property.

Fields

FieldTypeDescription
keystringThe unique key that the app uses to identify the property, e.g. "com.google.android.gm.fieldname".
typeenum (ManagedPropertyType)The type of the property.
titlestringThe name of the property. Localized.
descriptionstringA longer description of the property, providing more detail of what it affects. Localized.
entries[]object (ManagedPropertyEntry)For CHOICE or MULTISELECT properties, the list of possible entries.
defaultValuevalue (Value format)The default value of the property. BUNDLE_ARRAY properties don't have a default value.
nestedProperties[]object (ManagedProperty)For BUNDLE_ARRAY properties, the list of nested properties. A BUNDLE_ARRAY property is at most two levels deep.

ManagedPropertyType

The type of the managed property.

OptionEnumDescription
UnspecifiedMANAGED_PROPERTY_TYPE_UNSPECIFIEDNot used.
booleanBOOLA property of boolean type.
StringSTRINGA property of string type.
IntegerINTEGERA property of integer type.
ChoiceCHOICEA choice of one item from a set.
MultiselectMULTISELECTA choice of multiple items from a set.
HiddenHIDDENA hidden restriction of string type (the default value can be used to pass along information that can't be modified, such as a version code).
BundleBUNDLEA bundle of properties.
Bundle ArrayBUNDLE_ARRAYAn array of property bundles.

ManagedPropertyEntry

An entry of a managed property.

Fields

FieldTypeDescription
valuestringThe machine-readable value of the entry, which should be used in the configuration. Not localized.
namestringThe human-readable name of the value. Localized.
Managed Configuration Template

Managed Configuration Template

API reference: managedConfigurationTemplate

Type: object (ManagedConfigurationTemplate)

The managed configurations template for the app, saved from the managed configurations iframe. This field is ignored if managedConfiguration is set.

ManagedConfigurationTemplate

The managed configurations template for the app, saved from the managed configurations iframe.

Fields

FieldTypeDescription
templateIdstringThe ID of the managed configurations template.
configurationVariablesmap (key: string, value: string)A map containing <key, value> configuration variables defined for the configuration.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Custom App Config

API reference: applications[].customAppConfig

Type: enum (UserUninstallSettings)

Configuration for this custom app.

installType must be set to CUSTOM for this to be set.

UserUninstallSettings

Specifies if a user is allowed to uninstall the custom app.

OptionEnumDescription
DefaultUSER_UNINSTALL_SETTINGS_UNSPECIFIEDUnspecified. Defaults to DISALLOW_UNINSTALL_BY_USER.
Disallow uninstall by user DISALLOW_UNINSTALL_BY_USERUser is not allowed to uninstall the custom app.
Allow uninstall by userALLOW_UNINSTALL_BY_USERUser is allowed to uninstall the custom app.

Signing Key Certificates

API reference: applications[].signingKeyCerts[]

Type: object (ApplicationSigningKeyCert)

Optional. Signing key certificates of the app.

This field is required in the following cases:

• The app has installType set to CUSTOM (i.e. a custom app). • The app has roles set to a nonempty list and the app does not exist on the Play Store. • The app has extensionConfig set (i.e. an extension app) but ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) is not set and the app does not exist on the Play Store.

If this field is not set for a custom app, the policy is rejected. If it is not set when required for a non-custom app, a NonComplianceDetail with INVALID_VALUE is reported.

For other cases, this field is optional and the signing key certificates obtained from Play Store are used.

See following policy settings to see how this field is used:

choosePrivateKeyRules

ApplicationPolicy.InstallType.CUSTOM

ApplicationPolicy.extensionConfig(Deprecated)

ApplicationPolicy.roles

ApplicationSigningKeyCert

API reference: signingKeyCertFingerprintSha256

Type: string (bytes format)

Required. The SHA-256 hash value of the signing key certificate of the app. This must be a valid SHA-256 hash value, i.e. 32 bytes.

A base64-encoded string.

Control how apps in the personal profile are

Api Reference: personalPlayStoreMode

Type: enum

Used together with personalApplications to control how apps in the personal profile are allowed or blocked.

Personal Play Store Mode

Api Reference: personalPlayStoreMode

Type: enum

Options

OptionEnumDescription
DefaultPLAY_STORE_MODE_UNSPECIFIEDUnspecified. Defaults to BLOCKLIST.
Only whitelisted appsALLOWLISTOnly apps explicitly specified in personalApplications with installType set to AVAILABLE are allowed to be installed in the personal profile.
Block blacklisted apps BLOCKLISTAll Play Store apps are available for installation in the personal profile, except those whose installType is BLOCKED in personalApplications.

Applied to applications on the personal profile

API reference: personalApplications

Type: object

Policies for apps in the personal profile of a company-owned device with a work profile.

Applications can be added using:

  • Play Store search
  • Package name entry

personalApplications fields

FieldField PathTypeDescription
packageNamepersonalApplications.packageNamestringThe package name of the application.
installTypepersonalApplications.installTypeenum(installType)Types of installation behaviors a personal profile application can have.

Install Type

API reference: personalApplications.installType

Type: enum

OptionEnumDescription
DefaultINSTALL_TYPE_UNSPECIFIEDUnspecified. Defaults to AVAILABLE.
BlockedBLOCKEDThe app is blocked and can't be installed in the personal profile. If the app was previously installed in the device, it will be uninstalled.
Available AVAILABLEThe app is available to install in the personal profile.

Summary

Use the Applications Policy Component to:

✔ Control enterprise application distribution
✔ Configure managed application settings
✔ Deploy private enterprise applications
✔ Enforce permission and security policies
✔ Control personal profile applications
✔ Enable enterprise telemetry and analytics
✔ Enforce installation conditions and constraints

This component is the primary control point for enterprise application management across managed devices.