Advanced Policy Component
The Advanced Policy Component provides fine-grained control over system behavior, logging, authentication routing, key management, and application-level integrations.
Use this component when you need to configure advanced enterprise security, logging, and system integration behaviors.

Default activity to manage specified intents
Default activity to manage specified intents
API reference: persistentPreferredActivities
Type: Array<object>
A default activity for handling intents that match a particular intent filter.
Note: To set up a kiosk, use InstallType to KIOSK rather than use persistent preferred activities.
Receiver App
API reference: receiverActivity
Type: string
The activity that should be the default intent handler. This should be an Android component name, e.g. com.android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent.
Intent actions
API reference: actions
Type: Array<string>
The intent actions to match in the filter. If any actions are included in the filter, then an intent's action must be one of those values for it to match. If no actions are included, the intent action is ignored.
Intent categories
API reference: categories
Type: Array<string>
The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent.
Only permit input methods provided by these apps
API reference: permittedInputMethods.packageNames
Type: Array<string>
If present, only the input methods provided by packages in this list are permitted. If this field is present, but the list is empty, then only system input methods are permitted.
Whitelisted accessibility services by application
API reference: permittedAccessibilityServices.packageNames
Type: Array<string>
Specifies permitted accessibility services. If the field is not set, any accessibility service can be used. If the field is set, only the accessibility services in this list and the system's built-in accessibility service can be used. In particular, if the field is set to empty, only the system's built-in accessibility servicess can be used. This can be set on fully managed devices and on work profiles. When applied to a work profile, this affects both the personal profile and the work profile.
Whitelisted emails that can use their Google account to factory reset devices
API reference: frpAdminEmails
Type: Array<string>
Email addresses of device administrators for factory reset protection. When the device is factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won't provide factory reset protection.
Rule set for automatically selecting a private key and certificate to authenticate device to servers
Rule set for automatically selecting a private key and certificate to authenticate device to servers
API reference: choosePrivateKeyRules
Type: Array<object>
Rules for determining apps' access to private keys. This must be empty if any application has CERT_SELECTION delegation scope.
Controls apps' access to private keys. The rule determines which private key, if any, Android Device Policy grants to the specified app. Access is granted either when the app calls KeyChain.choosePrivateKeyAlias (or any overloads) to request a private key alias for a given URL, or for rules that are not URL-specific (that is, if urlPattern is not set, or set to the empty string or .\*) on Android 11 and above, directly so that the app can call KeyChain.getPrivateKey, without first having to call KeyChain.choosePrivateKeyAlias.
When an app calls KeyChain.choosePrivateKeyAlias if more than one choosePrivateKeyRules matches, the last matching rule defines which key alias to return.
Outgoing URL request to match
API reference: urlPattern
Type: string
The URL pattern to match against the URL of the request. If not set or empty, it matches all URLs. This uses the regular expression syntax of java.util.regex.Pattern.
Key alias
API reference: privateKeyAlias
Type: string
The package names to which this rule applies. The signing key certificate fingerprint of the app is verified against the signing key certificate fingerprints provided by Play Store and ApplicationPolicy.signingKeyCerts . If no package names are specified, then the alias is provided to all apps that call KeyChain.choosePrivateKeyAlias or any overloads (but not without calling KeyChain.choosePrivateKeyAlias, even on Android 11 and above). Any app with the same Android UID as a package specified here will have access when they call KeyChain.choosePrivateKeyAlias.
Apps subject to this rule
API reference: packageNames
Type: string
The alias of the private key to be used.
Usage Log
Usage Log
API reference: usageLog
Type: object
Controls types of device activity logs collected from the device and reported via Pub/Sub notification.
Enabled Log Types
API reference: enabledLogTypes
Type: enum
Specifies which log types are enabled. Note that users will receive on-device messaging when usage logging is enabled.
| Option | Enum | Description |
|---|---|---|
| Network Activity Logs | NETWORK_ACTIVITY_LOGS | Enable logging of on-device security events, like when the device password is incorrectly entered or removable storage is mounted. See UsageLogEvent for a complete description of the logged security events. Supported for fully managed devices on Android 7 and above. Supported for company-owned devices with a work profile on Android 12 and above, on which only security events from the work profile are logged. Can be overridden by the application delegated scope SECURITY_LOGS |
| Security Logs | SECURITY_LOGS | Enable logging of on-device network events, like DNS lookups and TCP connections. See UsageLogEvent for a complete description of the logged network events. Supported for fully managed devices on Android 8 and above. Supported for company-owned devices with a work profile on Android 12 and above, on which only network events from the work profile are logged. Can be overridden by the application delegated scope NETWORK_ACTIVITY_LOGS |
Upload Logs Over Cellular
API reference: uploadOnCellularAllowed
Type: enum
Specifies which of the enabled log types can be uploaded over mobile data. By default logs are queued for upload when the device connects to WiFi.
| Option | Enum | Description |
|---|---|---|
| Network Activity Logs | NETWORK_ACTIVITY_LOGS | Enable logging of on-device security events, like when the device password is incorrectly entered or removable storage is mounted. See UsageLogEvent for a complete description of the logged security events. Supported for fully managed devices on Android 7 and above. Supported for company-owned devices with a work profile on Android 12 and above, on which only security events from the work profile are logged. Can be overridden by the application delegated scope SECURITY_LOGS |
| Security Logs | SECURITY_LOGS | Enable logging of on-device network events, like DNS lookups and TCP connections. See UsageLogEvent for a complete description of the logged network events. Supported for fully managed devices on Android 8 and above. Supported for company-owned devices with a work profile on Android 12 and above, on which only network events from the work profile are logged. Can be overridden by the application delegated scope NETWORK_ACTIVITY_LOGS |
Allow device users to select a private key if none match from rules above
API reference: privateKeySelectionEnabled
Type: boolean
Allows showing UI on a device for a user to choose a private key alias if there are no matching rules in ChoosePrivateKeyRules. For devices below Android P, setting this may leave enterprise keys vulnerable. This value will have no effect if any application has CERT_SELECTION delegation scope.
Allow the companion app to be exempt from VPN lockdown if the VPN cannot make a connection
API reference: allowEmmCompanionVpnExemption
Type: boolean
Allows EMM companion apps to bypass VPN restrictions.
Summary
Use the Advanced Policy Component to:
✔ Control advanced intent routing
✔ Restrict keyboards and accessibility services
✔ Configure private key routing rules
✔ Enable enterprise logging and upload policies
✔ Configure FRP admin recovery access
✔ Enable advanced authentication and VPN exemptions
This component is typically used in high-security enterprise deployments, regulated environments, and advanced device management scenarios.