Advanced security settings. In most cases, setting these is not needed.
Configuration for an always-on VPN connection.
Central instance to access all AndroidManagement related resource activities
A compliance rule condition which is satisfied if the Android Framework API level on the device doesn’t meet a minimum requirement. There can only be one rule with this type of condition per policy.
Id to name association of a app track.
This represents a single version of the app.
Information about an app.
An app-related event.
A permission required by the app.
Policy for an individual app. Note: Application availability on a given device cannot be changed using this policy if installAppsDisabled is enabled. The maximum number of applications that you can specify per policy is 3,000.
Information reported about an installed app.
Settings controlling the behavior of application reports.
An action to block access to apps and data on a fully managed device or in a work profile. This action also triggers a device or work profile to displays a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified.
Controls apps’ access to private keys. The rule determines which private key, if any, Android Device Policy grants to the specified app. Access is granted either when the app calls KeyChain.choosePrivateKeyAlias (https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias%28android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String%29) (or any overloads) to request a private key alias for a given URL, or for rules that are not URL-specific (that is, if urlPattern is not set, or set to the empty string or .*) on Android 11 and above, directly so that the app can call KeyChain.getPrivateKey (https://developer.android.com/reference/android/security/KeyChain#getPrivateKey%28android.content.Context,%20java.lang.String%29), without first having to call KeyChain.choosePrivateKeyAlias.When an app calls KeyChain.choosePrivateKeyAlias if more than one choosePrivateKeyRules matches, the last matching rule defines which key alias to return.
Parameters associated with the CLEAR_APP_DATA command to clear the data of specified apps from the device.
Status of the CLEAR_APP_DATA command to clear the data of specified apps from the device.
A command.
Information about Common Criteria Mode—security standards defined in the Common Criteria for Information Technology Security Evaluation (https://www.commoncriteriaportal.org/) (CC).This information is only available if statusReportingSettings.commonCriteriaModeEnabled is true in the device’s policy.
A rule declaring which mitigating actions to take when a device is not compliant with its policy. For every rule, there is always an implicit mitigating action to set policy_compliant to false for the Device resource, and display a message on the device indicating that the device is not compliant with its policy. Other mitigating actions may optionally be taken as well, depending on the field values in the rule.
Contact details for managed Google Play enterprises.
This feature is not generally available.
Controls the data from the work profile that can be accessed from the personal profile and vice versa. A nonComplianceDetail with MANAGEMENT_MODE is reported if the device does not have a work profile.
Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: A full date, with non-zero year, month, and day values. A month and day, with a zero year (for example, an anniversary). A year on its own, with a zero month and a zero day. A year and month, with a zero day (for example, a credit card expiration date).Related types: google.type.TimeOfDay google.type.DateTime google.protobuf.Timestamp
A device owned by an enterprise. Unless otherwise noted, all fields are read-only and can’t be modified by enterprises.devices.patch.
Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more.
Controls for device radio settings.
Information about security related device settings on device.
Device display information.
Information related to whether this device was migrated from being managed by another Device Policy Controller (DPC).
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }
An enrollment token.
The configuration applied to an enterprise.
Gets info about an application.
Creates an enterprise. This is the last step in the enterprise signup flow. See also: SigninDetail
Permanently deletes an enterprise and all accounts and data associated with it. Warning: this will result in a cascaded deletion of all AM API devices associated with the deleted enterprise. Only available for EMM-managed enterprises.
Deletes a device. This operation wipes the device. Deleted devices do not show up in enterprises.devices.list calls and a 404 is returned from enterprises.devices.get.
Gets a device. Deleted devices will respond with a 404 error.
Issues a command to a device. The Operation resource returned contains a Command in its metadata field. Use the get operation method to get the status of the command.
Lists devices for a given enterprise. Deleted devices are not returned in the response.
Starts asynchronous cancellation on a long-running operation. The server makes a best effort to cancel the operation, but success is not guaranteed. If the server doesn’t support this method, it returns google.rpc.Code.UNIMPLEMENTED. Clients can use Operations.GetOperation or other methods to check whether the cancellation succeeded or whether the operation completed despite cancellation. On successful cancellation, the operation is not deleted; instead, it becomes an operation with an Operation.error value with a google.rpc.Status.code of 1, corresponding to Code.CANCELLED.
Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.
Lists operations that match the specified filter in the request. If the server doesn’t support this method, it returns UNIMPLEMENTED.
Updates a device.
Creates an enrollment token for a given enterprise. It’s up to the caller’s responsibility to manage the lifecycle of newly created tokens and deleting them when they’re not intended to be used anymore. Once an enrollment token has been created, it’s not possible to retrieve the token’s content anymore using AM API. It is recommended for EMMs to securely store the token if it’s intended to be reused.
Deletes an enrollment token. This operation invalidates the token, preventing its future use.
Gets an active, unexpired enrollment token. Only a partial view of EnrollmentToken is returned: all the fields but name and expiration_timestamp are empty. This method is meant to help manage active enrollment tokens lifecycle. For security reasons, it’s recommended to delete active enrollment tokens as soon as they’re not intended to be used anymore.
Lists active, unexpired enrollment tokens for a given enterprise. The list items contain only a partial view of EnrollmentToken: all the fields but name and expiration_timestamp are empty. This method is meant to help manage active enrollment tokens lifecycle. For security reasons, it’s recommended to delete active enrollment tokens as soon as they’re not intended to be used anymore.
Gets an enterprise.
Lists EMM-managed enterprises. Only BASIC fields are returned.
A builder providing access to all methods supported on
enterprise resources.
It is not used directly, but through the
AndroidManagement hub.
Creates a migration token, to migrate an existing device from being managed by the EMM’s Device Policy Controller (DPC) to being managed by the Android Management API.
Gets a migration token.
Lists migration tokens.
Updates an enterprise. See also: SigninDetail
Deletes a policy. This operation is only permitted if no devices are currently referencing the policy.
Gets a policy.
Lists policies for a given enterprise.
Updates or creates a policy.
Creates a web app.
Deletes a web app.
Gets a web app.
Lists web apps for a given enterprise.
Updates a web app.
Creates a web token to access an embeddable managed Google Play web UI for a given enterprise.
Configuration to enable an app as an extension app, with the capability of interacting with Android Device Policy offline. For Android versions 13 and above, extension apps are exempt from battery restrictions so will not be placed into the restricted App Standby Bucket (https://developer.android.com/topic/performance/appstandby#restricted-bucket). Extensions apps are also protected against users clearing their data or force-closing the application, although admins can continue to use the clear app data command (https://developer.android.com/management/reference/rest/v1/enterprises.devices/issueCommand#CommandType) on extension apps if needed for Android 13 and above.
Data hosted at an external location. The data is to be downloaded by Android Device Policy and verified against the hash.
A system freeze period. When a device’s clock is within the freeze period, all incoming system updates (including security patches) are blocked and won’t be installed.When the device is outside any set freeze periods, the normal policy behavior (automatic, windowed, or postponed) applies.Leap years are ignored in freeze period calculations, in particular: If Feb. 29th is set as the start or end date of a freeze period, the freeze period will start or end on Feb. 28th instead. When a device’s system clock reads Feb. 29th, it’s treated as Feb. 28th. When calculating the number of days in a freeze period or the time between two freeze periods, Feb. 29th is ignored and not counted as a day.Note: For Freeze Periods to take effect, SystemUpdateType cannot be specified as SYSTEM_UPDATE_TYPE_UNSPECIFIED, because freeze periods require a defined policy to be specified.
Information about device hardware. The fields related to temperature thresholds are only available if hardwareStatusEnabled is true in the device’s policy.
Hardware status. Temperatures may be compared to the temperature thresholds available in hardwareInfo to determine hardware health.
Amongst apps with InstallType set to: FORCE_INSTALLED PREINSTALLEDthis defines a set of restrictions for the app installation. At least one of the fields must be set. When multiple fields are set, then all the constraints need to be satisfied for the app to be installed.
Keyed app state reported by the app.
Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK.
An action to launch an app.
Response to a request to list devices for a given enterprise.
Response to a request to list enrollment tokens for a given enterprise.
Response to a request to list enterprises.
Response to a request to list migration tokens for a given enterprise.
The response message for Operations.ListOperations.
Response to a request to list policies for a given enterprise.
Response to a request to list web apps for a given enterprise.
The managed configurations template for the app, saved from the managed configurations iframe.
Managed property.
An entry of a managed property.
An event related to memory and storage measurements.To distinguish between new and old events, we recommend using the createTime field.
Information about device memory and storage.
A token to initiate the migration of a device from being managed by a third-party DPC to being managed by Android Management API. A migration token is valid only for a single device.
Device network info.
Provides detail about non-compliance with a policy setting.
A compliance rule condition which is satisfied if there exists any matching NonComplianceDetail for the device. A NonComplianceDetail matches a NonComplianceDetailCondition if all the fields which are set within the NonComplianceDetailCondition match the corresponding NonComplianceDetail fields.
This feature is not generally available.
Additional context for non-compliance related to Wi-Fi configuration.
This resource represents a long-running operation that is the result of a network API call.
A list of package names.
Additional context for non-compliance related to password policies.
Requirements for the password used to unlock a device.
The result of an attempt to clear the data of a single app.
Configuration for an Android permission and its grant state.
A default activity for handling intents that match a particular intent filter. Note: To set up a kiosk, use InstallType to KIOSK rather than use persistent preferred activities.
Policies for apps in the personal profile of a company-owned device with a work profile.
Policies controlling personal usage on a company-owned device with a work profile.
A policy resource represents a group of settings that govern the behavior of a managed device and the apps installed on it.
A rule that defines the actions to take if a device or work profile is not compliant with the policy specified in settingName. In the case of multiple matching or multiple triggered enforcement rules, a merge will occur with the most severe action being taken. However, all triggered rules are still kept track of: this includes initial trigger time and all associated non-compliance details. In the situation where the most severe enforcement rule is satisfied, the next most appropriate action is applied.
Additional details regarding the security posture of the device.
A power management event.
Information about a device that is available during setup.
Get the device provisioning information by the identifier provided in the sign-in url.
A builder providing access to all methods supported on
provisioningInfo resources.
It is not used directly, but through the
AndroidManagement hub.
Configuration info for an HTTP proxy. For a direct proxy, set the host, port, and excluded_hosts fields. For a PAC script proxy, set the pac_uri field.
The security posture of the device, as determined by the current device state and the policies applied.
An action executed during setup.
A resource containing sign in details for an enterprise. Use enterprises to manage SigninDetails for a given enterprise.For an enterprise, we can have any number of SigninDetails that is uniquely identified by combination of the following three fields (signin_url, allow_personal_usage, token_tag). One cannot create two SigninDetails with the same (signin_url, allow_personal_usage, token_tag). (token_tag is an optional field).Patch: The operation updates the current list of SigninDetails with the new list of SigninDetails. If the stored SigninDetail configuration is passed, it returns the same signin_enrollment_token and qr_code. If we pass multiple identical SigninDetail configurations that are not stored, it will store the first one amongst those SigninDetail configurations. if the configuration already exists we cannot request it more than once in a particular patch API call, otherwise it will give a duplicate key error and the whole operation will fail. If we remove certain SigninDetail configuration from the request then it will get removed from the storage. We can then request another signin_enrollment_token and qr_code for the same SigninDetail configuration.
An enterprise signup URL.
Creates an enterprise signup URL.
A builder providing access to all methods supported on
signupUrl resources.
It is not used directly, but through the
AndroidManagement hub.
Information about device software.
Additional context for SpecificNonComplianceReason.
Parameters associated with the START_LOST_MODE command to put the device into lost mode. At least one of the parameters, not including the organization name, must be provided in order for the device to be put into lost mode.
Status of the START_LOST_MODE command to put the device into lost mode.
The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC (https://github.com/grpc). Each Status message contains three pieces of data: error code, error message, and error details.You can find out more about this error model and how to work with it in the API Design Guide (https://cloud.google.com/apis/design/errors).
Settings controlling the behavior of status reports.
Parameters associated with the STOP_LOST_MODE command to take the device out of lost mode.
Status of the STOP_LOST_MODE command to take the device out of lost mode.
Configuration for managing system updates
Information about a potential pending system update.
Telephony information associated with a given SIM card on the device. Only supported on fully managed devices starting from Android API level 23.
A terms and conditions page to be accepted during provisioning.
Controls types of device activity logs collected from the device and reported via Pub/Sub notification (https://developers.google.com/android/management/notifications).
A user belonging to an enterprise.
Provides a user-facing message with locale info. The maximum message length is 4096 characters.
A web app.
An icon for a web app. Supported formats are: png, jpg and webp.
A web token used to access the managed Google Play iframe.
An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified.