Default compliance rules
If a device or work profile fails to comply with any of the policy settings listed below, Android Device Policy immediately blocks usage of the device or work profile by default.
- `passwordPolicies`
- `encryptionPolicy`
- `keyguardDisabled`
- `permittedInputMethods`
- `permittedAccessibilityServices`
- `minApiLevel`
If the device or work profile remains non-compliant after 10 days, Android Device Policy will factory-reset the device or delete the work profile.
| | Immediately | After 10 days |
|---|---|---|
| Device | Blocks device usage. Where possible, displays a message with guidance on how to comply with the policy setting(s). | Factory-resets the device. Factory-reset protection data is not preserved. |
| Work profile | Blocks work profile usage. Where possible, displays a message with guidance on how to comply with the policy setting(s). | Deletes the work profile. |
These compliance rules are enforced by default, but can be modified. To learn how to modify them and set additional compliance enforcement rules, see the next section.
Set custom compliance rules
Use `policyEnforcementRules` to set custom actions for any top-level policy violation. Settings defined in `policyEnforcementRules` override Android Device Policy's default compliance rules.
Each rule contains the name of the policy setting (`settingName`), and must specify the number of days a device or work profile can remain out of compliance with the setting before it's blocked (`blockAfterDays`) and then wiped (`wipeAfterDays`).
```json
{
  "policyEnforcementRules": [
    {
      "settingName": "alwaysOnVpnPackage",
      "blockAction": {
        "blockAfterDays": 3
      },
      "wipeAction": {
        "wipeAfterDays": 10,
        "preserveFrp": true
      }
    }
  ]
}
```
In the `policyEnforcementRules` example above:
- If a device fails to comply with any setting in `alwaysOnVpnPackage`, then device usage is blocked after three days.
- If a device remains non-compliant with any setting in `alwaysOnVpnPackage` for 10 days, then the device is wiped. However, in this case, factory-reset protection data is preserved (`preserveFrp` is `true`).
Best practices for custom compliance rules
- `blockAfterDays` and `wipeAfterDays` should be set to no greater than `30`.
- `wipeAfterDays` must be greater than `blockAfterDays`.
- To block device or work profile usage immediately, set `blockAfterDays` to `0`.
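The checks above can be run against a policy before it is pushed. The following linter is an added example, not code from the Android Management API or its documentation; the function name `lint_enforcement_rules`, the finding messages and the second sample policy are constructed for illustration, and rejecting negative day counts is an assumption.

```python
import json

MAX_DAYS = 30  # ceiling from the best practices above

def _valid_days(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    # Rejecting negative values is an assumption; the page only sets the upper bound.
    return isinstance(value, int) and not isinstance(value, bool) and value >= 0

def lint_enforcement_rules(policy):
    """Return a list of findings for policy['policyEnforcementRules']."""
    findings = []
    for i, rule in enumerate(policy.get("policyEnforcementRules", [])):
        label = f"rule[{i}] {rule.get('settingName', '<no settingName>')}"
        if not rule.get("settingName"):
            findings.append(f"{label}: settingName is required")
        # Each rule must state both the block delay and the wipe delay.
        days = {
            "blockAfterDays": rule.get("blockAction", {}).get("blockAfterDays"),
            "wipeAfterDays": rule.get("wipeAction", {}).get("wipeAfterDays"),
        }
        for field, value in days.items():
            if not _valid_days(value):
                findings.append(f"{label}: {field} missing or not a non-negative integer")
            elif value > MAX_DAYS:
                findings.append(f"{label}: {field}={value} exceeds {MAX_DAYS}")
        block, wipe = days["blockAfterDays"], days["wipeAfterDays"]
        if _valid_days(block) and _valid_days(wipe) and wipe <= block:
            findings.append(
                f"{label}: wipeAfterDays ({wipe}) must be greater than blockAfterDays ({block})")
    return findings

# The rule shown earlier on this page; it passes every check.
PAGE_EXAMPLE = json.loads("""{"policyEnforcementRules": [{"settingName": "alwaysOnVpnPackage",
  "blockAction": {"blockAfterDays": 3},
  "wipeAction": {"wipeAfterDays": 10, "preserveFrp": true}}]}""")

# Constructed policy with one violation per rule.
CONSTRUCTED_BAD = {"policyEnforcementRules": [
    {"settingName": "passwordPolicies", "blockAction": {"blockAfterDays": 0},
     "wipeAction": {"wipeAfterDays": 45}},
    {"settingName": "encryptionPolicy", "blockAction": {"blockAfterDays": 7},
     "wipeAction": {"wipeAfterDays": 7}},
    {"settingName": "minApiLevel", "blockAction": {"blockAfterDays": 3}},
]}

if __name__ == "__main__":
    for finding in lint_enforcement_rules(CONSTRUCTED_BAD):
        print(finding)
```

A rule that omits `wipeAction` is reported rather than silently accepted, since each rule must specify both delays.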
Receive policy violation notifications
If a device fails to comply with any policy setting (regardless of enforcement rules), it generates a non-compliance detail notification indicating:
- The policy setting that the device or work profile is not in compliance with.
- The reason that the device or work profile is not in compliance with the setting.
To configure an enterprise to receive non-compliance detail notifications:
- Include `STATUS_REPORT` in `enabledNotificationTypes[]` when creating or updating the enterprise.
- Enable pub/sub notifications.
Migrate to policyEnforcementRules
If you enabled the Android Management API before May 7, 2019, Android Device Policy won't enforce any default compliance rules.
To update your policies, define your compliance logic using `policyEnforcementRules`.
`policyEnforcementRules` overrides `complianceRules` (now deprecated). However, do not remove `complianceRules` from policies.