Skip to main content

Application Component

The Application Policy Component lets you control which apps are allowed, blocked, or managed on devices.
You can also control app updates, permissions, and how apps behave on both work and personal profiles.

Use this component to manage app availability, security, and user access.

application-component


Default policy for Google Play Store

API reference: playStoreMode

Type: enum

This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.

Options

OptionEnumDescription
DefaultPLAY_STORE_MODE_UNSPECIFIEDUnspecified. Defaults to WHITELIST.
Only whitelisted apps WHITELISTOnly apps that are in the policy are available and any app not in the policy will be automatically uninstalled from the device.
Block blacklisted appsBLACKLISTAll apps are available and any app that should not be on the device should be explicitly marked as 'BLOCKED' in the applications policy.

Default policy for app auto updates

API reference: appAutoUpdatePolicy

Type: enum

Recommended alternative: autoUpdateMode which is set per app, provides greater flexibility around update frequency.

When autoUpdateMode is set to AUTO_UPDATE_POSTPONED or AUTO_UPDATE_HIGH_PRIORITY, this field has no effect.

The app auto-update policy, which controls when automatic app updates can be applied.

Important: Changes to app update policies don't affect updates that are in progress. Any policy changes will apply to subsequent app updates.

Options

OptionEnumDescription
DefaultAPP_AUTO_UPDATE_POLICY_UNSPECIFIEDThe auto-update policy is not set. Equivalent to CHOICE_TO_THE_USER.
AlwaysALWAYSApps are auto-updated at any time. Data charges may apply.
Choice to the user CHOICE_TO_THE_USERThe user can control auto-updates.
NeverNEVERApps are never auto-updated.
WiFi OnlyWIFI_ONLYApps are auto-updated over Wi-Fi only.

Credential provider policy

API reference: credentialProviderPolicyDefault

Type: enum

Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, see this and this for details. See also credentialProviderPolicy.

Options

OptionEnumDescription
Default (disallowed)CREDENTIAL_PROVIDER_POLICY_DEFAULT_UNSPECIFIEDUnspecified. Defaults to CREDENTIAL_PROVIDER_DEFAULT_DISALLOWED.
Disallowed when Credential Provider Policy of the app is unspecified CREDENTIAL_PROVIDER_DEFAULT_DISALLOWEDApps with credentialProviderPolicy unspecified are not allowed to act as a credential provider.
Disallowed except OEM default credential providersCREDENTIAL_PROVIDER_DEFAULT_DISALLOWED_EXCEPT_SYSTEMApps with credentialProviderPolicy unspecified are not allowed to act as a credential provider except for the OEM default credential providers. OEM default credential providers are always allowed to act as credential providers.

How to handle app permission requests

API reference: defaultPermissionPolicy

Type: enum

The default permission policy for runtime permission requests.

Options

OptionEnumDescription
DefaultPERMISSION_POLICY_UNSPECIFIEDPolicy not specified. If no policy is specified for a permission at any level, then the PROMPT behavior is used by default.
Prompt device user PROMPTPrompt the user to grant a permission.
Always grant permissionsGRANTPrompt the user to grant a permission. Automatically grant a permission.

On Android 12 and above, READ_SMS and following sensor-related permissions can only be granted on fully managed devices:

ACCESS_FINE_LOCATION

ACCESS_BACKGROUND_LOCATION

ACCESS_COARSE_LOCATION

CAMERA

RECORD_AUDIO

ACTIVITY_RECOGNITION

BODY_SENSORS
Always deny permissionsDENYAutomatically deny a permission.
Override individual permission requests

Override individual permission requests

API reference: permissionGrants

Type: Array<Object>

Explicit permission or group grants or denials for all apps. These values override the defaultPermissionPolicy and permissionGrants which apply to all apps.


Permission policy

API reference: permission

Type: string

The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.

Grant type

API reference: policy

Type: enum

The policy for granting the permission.

Options

OptionEnumDescription
DefaultPERMISSION_POLICY_UNSPECIFIEDPolicy not specified. If no policy is specified for a permission at any level, then the PROMPT behavior is used by default.
Prompt device userPROMPTPrompt the user to grant a permission.
Always grant permissionsGRANTPrompt the user to grant a permission. Automatically grant a permission.

On Android 12 and above, READ_SMS and following sensor-related permissions can only be granted on fully managed devices:

ACCESS_FINE_LOCATION

ACCESS_BACKGROUND_LOCATION

ACCESS_COARSE_LOCATION

CAMERA

RECORD_AUDIO

ACTIVITY_RECOGNITION

BODY_SENSORS
Always deny permissionsDENYAutomatically deny a permission.

Note: Duplicate permissions are automatically prevented.

Application-specific policies

Application Policy

API reference: applications

Type: Array<object>

Policy configuration for individual applications applied to the device.

Note:

  • The maximum number of applications allowed per policy is 2998
  • Each entry represents configuration for a single application.

Applications can be added using:

  • Play store
  • Package name
  • Private applications
  • Rhino Device Insights

Package Name

API reference: packageName

Type: string

The package name of the application.

Example: com.google.android.youtube


Application enabled

API reference: disabled

Type: boolean

Whether the app is disabled. When disabled, the app data is still preserved.


Install Type

API reference: installType

Type: enum

The type of installation to perform for an app. If setupAction references an app, they must have installType set as REQUIRED_FOR_SETUP or the setup will fail.

Options

OptionEnumDescription
DefaultINSTALL_TYPE_UNSPECIFIEDUnspecified. Defaults to AVAILABLE.
Preinstalled PREINSTALLEDThe app is automatically installed and can be removed by the user.
Force Installed FORCE_INSTALLEDThe app is automatically installed regardless of a set maintenance window and can't be removed by the user.
BlockedBLOCKEDThe app is blocked and can't be installed. If the app was installed under a previous policy, it will be uninstalled. This also blocks its instant app functionality.
Available AVAILABLEThe app is available to install.
Required For Setup REQUIRED_FOR_SETUPThe app is automatically installed and can't be removed by the user and will prevent setup from completion until installation is complete.
Custom'CUSTOM'The apps uploaded in Private apps repository can by used to install custom apps on the device. When this option is set, you need to set privateAppId refering to the app you want to install.

Notes
  • This only affects fully managed devices.
  • Play related fields minimumVersionCode, accessibleTrackIds, autoUpdateMode, installConstraint and installPriority cannot be set for the app.
  • The app isn't available in the Play Store.
  • The app installed on the device has applicationSource set to CUSTOM.
  • When the current installType is CUSTOM, the signing key certificate fingerprint of the existing custom app on the device must match one of the entries in ApplicationPolicy.signingKeyCerts. Otherwise, a NonComplianceDetail with APP_SIGNING_CERT_MISMATCH is reported. This thing will automatically taken care by Mambo.
  • Changing the installType from CUSTOM to another value must match the playstore version of the application signing key certificate fingerprint. Otherwise a NonComplianceDetail with APP_SIGNING_CERT_MISMATCH is reported.
  • Changing the installType to CUSTOM uninstalls the existing app if its signing key certificate fingerprint of the installed app doesn't match the one from the ApplicationPolicy.signingKeyCerts.
  • Removing the app from applications doesn't uninstall the existing app if it conforms to playStoreMode.
  • See also customAppConfig.
  • This is different from the Google Play Custom App Publishing feature.

Notes

  • Maximum 5 REQUIRED_FOR_SETUP apps allowed.
  • CUSTOM apps:
    • Must include signing certificates.
    • Cannot use Play Store specific fields.
    • Installed only through AMAPI SDK commands.

Roles

API reference: roles[]

Type: Array<object>

Apps having certain roles can be exempted from power and background execution restrictions, suspension and hibernation on Android 14 and above. The user control can also be disallowed for apps with certain roles on Android 11 and above. Refer to the documentation of each RoleType for more details.

The app is notified about the roles that are set for it if the app has a notification receiver service with <meta-data android:name="com.google.android.managementapi.notification.NotificationReceiverService.SERVICE_APP_ROLES" android:value="" />. The app is notified whenever its roles are updated or after the app is installed when it has nonempty list of roles. The app can use this notification to bootstrap itself after the installation. See Integrate with the AMAPI SDK and Manage app roles guides for more details on the requirements for the service.

For the exemptions to be applied and the app to be notified about the roles, the signing key certificate fingerprint of the app on the device must match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts. Otherwise, a NonComplianceDetail with APP_SIGNING_CERT_MISMATCH is reported.

There must not be duplicate roles with the same roleType. Multiple apps cannot hold a role with the same roleType. A role with type ROLE_TYPE_UNSPECIFIED is not allowed.


Roles Type

API reference: roleType

Type: enum

Options

OptionAPI ReferenceDescription
Kiosk KISOKThe role type for kiosk apps. An app can have this role only if it has installType set to REQUIRED_FOR_SETUP or CUSTOM. Before adding this role to an app with CUSTOM install type, the app must already be installed on the device.

The app having this role type is set as the preferred home intent and allowlisted for lock task mode. When there is an app with this role type, status bar will be automatically disabled.

This is preferable to setting installType to KIOSK.

On Android 11 and above, the user control is disallowed but userControlSettings can be set to USER_CONTROL_ALLOWED to allow user control for the app with this role.
Mobile Threat Defense Endpoint Detection ResponseMOBILE_THREAT_DEFENSE_ENDPOINT_DETECTION_RESPONSEThe role type for Mobile Threat Defense (MTD) / Endpoint Detection & Response (EDR) apps.

On Android 14 and above, the app with this role is exempted from power and background execution restrictions, suspension and hibernation. On Android 11 and above, the user control is disallowed and userControlSettings cannot be set to USER_CONTROL_ALLOWED for the app with this role.
System Health MonitoringSYSTEM_HEALTH_MONITORINGThe role type for system health monitoring apps.

On Android 14 and above, the app with this role is exempted from power and background execution restrictions, suspension and hibernation. On Android 11 and above, the user control is disallowed and userControlSettings cannot be set to USER_CONTROL_ALLOWED for the app with this role.

User Control

API reference: userControlSettings

Type: enum

Specifies whether user control is permitted for the app. User control includes user actions like force-stopping and clearing app data. Certain types of apps have special treatment, see USER_CONTROL_SETTINGS_UNSPECIFIED and USER_CONTROL_ALLOWED for more details.

Options

OptionEnumDescription
Default USER_CONTROL_SETTINGS_UNSPECIFIEDUses the default behaviour of the app to determine if user control is allowed or disallowed. User control is allowed by default for most apps but disallowed for following types of apps:

extensionConfig(deprecated)

• kiosk apps (see KIOSK install type for more details)

• apps with roles set to a nonempty list

• other critical system apps
Allowed USER_CONTROL_ALLOWEDUser control is allowed for the app. Kiosk apps can use this to allow user control. For extension apps, user control is disallowed even if this value is set.

For apps with roles set to a nonempty list (except roles containing only KIOSK role), this value cannot be set.

For kiosk apps (see KIOSK install type and KIOSK role type for more details), this value can be used to allow user control.
DisallowedUSER_CONTROL_DISALLOWEDUser control is disallowed for the app. This is supported on Android 11 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 11.

Preferential Network ID

API reference: preferentialNetworkId

Type: enum

ID of the preferential network the application uses. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the application will use the default network ID specified in defaultPreferentialNetworkId. See the documentation of defaultPreferentialNetworkId for the list of apps excluded from this defaulting. This applies on both work profiles and fully managed devices on Android 13 and above.

Options

OptionEnumDescription
Default PREFERENTIAL_NETWORK_ID_UNSPECIFIEDWhether this value is valid and what it means depends on where it is used, and this is documented on the relevant fields.
Application does not use any preferential networkNO_PREFERENTIAL_NETWORKApplication does not use any preferential network.
Network identifier 1PREFERENTIAL_NETWORK_ID_ONEPreferential network identifier 1.
Network identifier 2PREFERENTIAL_NETWORK_ID_TWOPreferential network identifier 2.
Network identifier 3PREFERENTIAL_NETWORK_ID_THREEPreferential network identifier 3.
Network identifier 4PREFERENTIAL_NETWORK_ID_FOURPreferential network identifier 4.
Network identifier 5PREFERENTIAL_NETWORK_ID_FIVEPreferential network identifier 5.

Install Priority

API reference: installPriority

Type: integer

Defines installation priority relative to other apps.

Amongst apps with installType set to FORCE_INSTALLED and PREINSTALLED

this controls the relative priority of installation. A value of 0 (default) means this app has no priority over other apps. For values between 1 and 10,000, a lower value means a higher priority. Values outside of the range 0 to 10,000 inclusive are rejected.


Install Constraint

API reference: installConstraint

Type: Array<object>

The constraints for installing the app. You can specify a maximum of one InstallConstraint. Multiple constraints are rejected.

Amongst apps with installType set to FORCE_INSTALLED andPREINSTALLED

This defines a set of restrictions for the app installation. At least one of the fields must be set. When multiple fields are set, then all the constraints need to be satisfied for the app to be installed.

Network Type Constraint

API reference: networkTypeConstraint

Tyoe: enum

Network type constraint

Options

OptionEnumDescription
Default (Any active networks)NETWORK_TYPE_CONSTRAINT_UNSPECIFIEDUnspecified. Default to INSTALL_ON_ANY_NETWORK.
Any active networks (Wi-Fi, cellular, etc.) INSTALL_ON_ANY_NETWORKAny active networks (Wi-Fi, cellular, etc.).
Any unmetered network (e.g. Wi-FI)INSTALL_ONLY_ON_UNMETERED_NETWORKAny unmetered network (e.g. Wi-FI).

Charging status constraint

API reference: chargingconstraint

Type: enum

Charging constraint

Options

OptionEnumDescription
Default (Device doesn't have to be charging)CHARGING_CONSTRAINT_UNSPECIFIEDDefault to CHARGING_NOT_REQUIRED.
Device doesn't have to be charging CHARGING_NOT_REQUIREDDevice doesn't have to be charging.
Device has to be chargingINSTALL_ONLY_WHEN_CHARGINGDevice has to be charging.

Device idle state constraint

API reference: deviceIdleConstraint

Type: enum

Device idle constraint

Options

OptionEnumDescription
Default (doesn't have to be idle)DEVICE_IDLE_CONSTRAINT_UNSPECIFIEDDefault to DEVICE_IDLE_NOT_REQUIRED.
Device doesn't have to be idle, app can be installed while the user is interacting with the device DEVICE_IDLE_NOT_REQUIREDDevice doesn't have to be idle, app can be installed while the user is interacting with the device.
Device has to be idleINSTALL_ONLY_WHEN_CHARGINGDevice has to be idle.

Scopes

API reference: delegatedScopes

Type: Array<enum>

The scopes delegated to the app from Android Device Policy. These provide additional privileges for the applications they are applied to.

Options

OptionEnumDescription
DefaultDELEGATED_SCOPE_UNSPECIFIEDNo delegation scope specified.
Cert InstallCERT_INSTALLGrants access to certificate installation and management. This scope can be delegated to multiple applications.
Managed ConfigurationsMANAGED_CONFIGURATIONSGrants access to managed configurations management. This scope can be delegated to multiple applications.
Block UninstallBLOCK_UNINSTALLGrants access to blocking uninstallation. This scope can be delegated to multiple applications.
Permission GrantPERMISSION_GRANTGrants access to permission policy and permission grant state. This scope can be delegated to multiple applications.
Package AccessPACKAGE_ACCESSGrants access to package access state. This scope can be delegated to multiple applications.
Enable System AppENABLE_SYSTEM_APPGrants access for enabling system apps. This scope can be delegated to multiple applications.
Network Activity LogsNETWORK_ACTIVITY_LOGSGrants access to network activity logs. Allows the delegated application to call setNetworkLoggingEnabled, isNetworkLoggingEnabled and retrieveNetworkLogs methods. This scope can be delegated to at most one application. Supported for fully managed devices on Android 10 and above. Supported for a work profile on Android 12 and above. When delegation is supported and set, NETWORK_ACTIVITY_LOGS is ignored.
Security LogsSECURITY_LOGSGrants access to security logs. Allows the delegated application to call setSecurityLoggingEnabled, isSecurityLoggingEnabled, retrieveSecurityLogs and retrievePreRebootSecurityLogs methods. This scope can be delegated to at most one application. Supported for fully managed devices and company-owned devices with a work profile on Android 12 and above. When delegation is supported and set, SECURITY_LOGS is ignored.

App Track IDs

API reference: accessibleTrackIds

Type: Array<object>

List of the app’s track IDs that a device belonging to the enterprise can access. If the list contains multiple track IDs, devices receive the latest version among all accessible tracks. If the list contains no track IDs, devices only have access to the app’s production track. More details about each track are available in AppTrackInfo.

PropsTypeDescription
trackIdstringThe unmodifiable unique track identifier, taken from the releaseTrackId in the URL of the Play Console page that displays the app’s track information.
trackAliasstringThe track name associated with the trackId, set in the Play Console. The name is modifiable from Play Console.

Connected Work & Personal App

API reference: connectedWorkAndPersonalApp

Type: enum

Options

OptionEnumDescription
DefaultCONNECTED_WORK_AND_PERSONAL_APP_UNSPECIFIEDDefaults to CONNECTED_WORK_AND_PERSONAL_APP_DISALLOWED.
AllowedCONNECTED_WORK_AND_PERSONAL_APP_ALLOWEDAllows the app to communicate across profiles after receiving user consent.
Disallowed CONNECTED_WORK_AND_PERSONAL_APP_DISALLOWEDDefault. Prevents the app from communicating cross-profile.

Default Permission Policy

API reference: defaultPermissionPolicy

Type: enum

The default policy for all permissions requested by the app. If specified, this overrides the policy-level defaultPermissionPolicy which applies to all apps. It does not override the permissionGrants which applies to all apps.

Options

OptionEnumDescription
DefaultPERMISSION_POLICY_UNSPECIFIEDPolicy not specified. If no policy is specified for a permission at any level, then the PROMPT behavior is used by default.
Prompt device user PROMPTPrompt the user to grant a permission.
Always grant permissionsGRANTPrompt the user to grant a permission. Automatically grant a permission.

On Android 12 and above, READ_SMS and following sensor-related permissions can only be granted on fully managed devices:

ACCESS_FINE_LOCATION

ACCESS_BACKGROUND_LOCATION

ACCESS_COARSE_LOCATION

CAMERA

RECORD_AUDIO

ACTIVITY_RECOGNITION

BODY_SENSORS
Always deny permissionsDENYAutomatically deny a permission.

Auto Update Mode

API reference: autoUpdateMode

Type: enum

Controls the auto-update mode for the app.

If a device user makes changes to the device settings manually, these choices are ignored by AutoUpdateMode as it takes precedence.

OptionEnumDescription
UnspecifiedAUTO_UPDATE_MODE_UNSPECIFIEDUnspecified. Defaults to AUTO_UPDATE_DEFAULT.
Default AUTO_UPDATE_DEFAULTThe default update mode.

The app is automatically updated with low priority to minimize the impact on the user.

The app is updated when all of the following constraints are met:

• The device is not actively used.

• The device is connected to an unmetered network.

• The device is charging.

• The app to be updated is not running in the foreground.

The device is notified about a new update within 24 hours after it is published by the developer, after which the app is updated the next time the constraints above are met.
Postponed AUTO_UPDATE_POSTPONEDThe app is not automatically updated for a maximum of 90 days after the app becomes out of date.

90 days after the app becomes out of date, the latest available version is installed automatically with low priority (see AUTO_UPDATE_DEFAULT). After the app is updated it is not automatically updated again until 90 days after it becomes out of date again.

The user can still manually update the app from the Play Store at any time.
High Priority AUTO_UPDATE_HIGH_PRIORITYThe app is updated as soon as possible. No constraints are applied.

The device is notified as soon as possible about a new update after it becomes available.

NOTE: Updates to apps with larger deployments across Android's ecosystem can take up to 24h.

Minimum app version code

API reference: minimumVersionCode

Type: string

The minimum version of the app that runs on the device. If set, the device attempts to update the app to at least this version code. If the app is not up-to-date, the device will contain a NonComplianceDetail with nonComplianceReason set to APP_NOT_UPDATED. The app must already be published to Google Play with a version code greater than or equal to this value. At most 20 apps may specify a minimum version code per policy.


Exempt from always-on VPN connection

API reference: alwaysOnVpnLockdownExemption

Type: enum

Specifies whether the app is allowed networking when the VPN is not connected and alwaysOnVpnPackage.lockdownEnabled is enabled. If set to VPN_LOCKDOWN_ENFORCED, the app is not allowed networking, and if set to VPN_LOCKDOWN_EXEMPTION, the app is allowed networking. Only supported on devices running Android 10 and above. If this is not supported by the device, the device will contain a NonComplianceDetail with nonComplianceReason set to API_LEVEL and a fieldPath. If this is not applicable to the app, the device will contain a NonComplianceDetail with nonComplianceReason set to UNSUPPORTED and a fieldPath. The fieldPath is set to applications[i].alwaysOnVpnLockdownExemption, where i is the index of the package in the applications policy.

Options

OptionEnumDescription
DefaultALWAYS_ON_VPN_LOCKDOWN_EXEMPTION_UNSPECIFIEDUnspecified. Defaults to VPN_LOCKDOWN_ENFORCED.
Enforced VPN_LOCKDOWN_ENFORCEDThe app respects the always-on VPN lockdown setting.
Exemption VPN_LOCKDOWN_EXEMPTIONThe app is exempt from the always-on VPN lockdown setting.

Home screen widgets permissions

API reference: workProfileWidgets

Type: enum

Specifies whether the app installed in the work profile is allowed to add widgets to the home screen.

Controls if a work profile application is allowed to add widgets to the home screen.

OptionEnumDescription
DefaultWORK_PROFILE_WIDGETS_UNSPECIFIEDUnspecified. Defaults to workProfileWidgetsDefault
AllowedWORK_PROFILE_WIDGETS_ALLOWEDWork profile widgets are allowed. This means the application will be able to add widgets to the home screen.
DisallowedWORK_PROFILE_WIDGETS_DISALLOWEDWork profile widgets are disallowed. This means the application will not be able to add widgets to the home screen.

Credential Provider Policy

API reference: credentialProviderPolicy

Type: enum

Whether the app is allowed to act as a credential provider on Android 14 and above.

Options

OptionEnumDescription
DefaultCREDENTIAL_PROVIDER_POLICY_UNSPECIFIEDUnspecified. The behaviour is governed by credentialProviderPolicyDefault.
AllowedCREDENTIAL_PROVIDER_ALLOWEDApp is allowed to act as a credential provider.

Grant permissions

API reference: permissionGrants

Type: Array<Object>

Explicit permission or group grants or denials for all apps. These values override the defaultPermissionPolicy and permissionGrants which apply to all apps.


Permission Policy

API reference: permission

Type: string

The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.

Note: Duplicate permissions are automatically prevented.


Grant type

API reference: policy

Type: enum

The policy for granting the permission.

Options

OptionEnumDescription
Default PERMISSION_POLICY_UNSPECIFIEDPERMISSION_POLICY_UNSPECIFIEDPolicy not specified. If no policy is specified for a permission at any level, then the PROMPT behavior is used by default.
Prompt device user PROMPTPROMPTPrompt the user to grant a permission.
Always grant permissions GRANTGRANTPrompt the user to grant a permission. Automatically grant a permission.

On Android 12 and above, READ_SMS and following sensor-related permissions can only be granted on fully managed devices:

ACCESS_FINE_LOCATION

ACCESS_BACKGROUND_LOCATION

ACCESS_COARSE_LOCATION

CAMERA

RECORD_AUDIO

ACTIVITY_RECOGNITION

BODY_SENSORS
Always deny permissions DENYDENYAutomatically deny a permission.

Custom App Config

API reference: customAppConfig

Type: Array<object>

Configuration for this custom app. installType must be set to CUSTOM for this to be set.

User uninstall settings

API reference: userUninstallSettings

Type: enum

Specifies if a user is allowed to uninstall the custom app.

Options

OptionEnumDescription
DefaultUSER_UNINSTALL_SETTINGS_UNSPECIFIEDUnspecified. Defaults to DISALLOW_UNINSTALL_BY_USER.
Disallow uninstall by user DISALLOW_UNINSTALL_BY_USERUser is not allowed to uninstall the custom app.
Allow uninstall by userALLOW_UNINSTALL_BY_USERUser is allowed to uninstall the custom app.

Managed Configuration

API reference: managedConfiguration

Type: map<string, Value>

Managed configuration applied to the app. The format for the configuration is dictated by the ManagedProperty values supported by the app. Each field name in the managed configuration must match the key field of the ManagedProperty. The field value must be compatible with the type of the ManagedProperty:

typeJSON value
BOOLtrue or false
STRINGstring
INTEGERnumber
CHOICEstring
MULTISELECTarray of strings
HIDDENstring
BUNDLE_ARRAYarray of objects

Note: string values cannot be longer than 65535 characters.

Personal usage policies

Personal usage policies

Control how apps in the personal profile are

Api Reference: personalPlayStoreMode

Type: enum

Used together with personalApplications to control how apps in the personal profile are allowed or blocked.

Options

OptionEnumDescription
DefaultPLAY_STORE_MODE_UNSPECIFIEDUnspecified. Defaults to BLOCKLIST.
Only whitelisted appsALLOWLISTOnly apps explicitly specified in personalApplications with installType set to AVAILABLE are allowed to be installed in the personal profile.
Block blacklisted apps BLOCKLISTAll Play Store apps are available for installation in the personal profile, except those whose installType is BLOCKED in personalApplications.

Applied to applications on the personal profile

API reference: personalApplications

Type: Array<object>

Policies for apps in the personal profile of a company-owned device with a work profile.

Applications can be added using:

  • Play Store search
  • Package name entry

Package Name

API reference: packageName

Type: string

The package name of the application.

Install Type

API reference: installType

Type: enum

Types of installation behaviors a personal profile application can have.

OptionEnumDescription
DefaultINSTALL_TYPE_UNSPECIFIEDUnspecified. Defaults to AVAILABLE.
BlockedBLOCKEDThe app is blocked and can't be installed in the personal profile. If the app was previously installed in the device, it will be uninstalled.
Available AVAILABLEThe app is available to install in the personal profile.

Summary

Use the Applications Policy Component to:

✔ Control enterprise application distribution
✔ Configure managed application settings
✔ Deploy private enterprise applications
✔ Enforce permission and security policies
✔ Control personal profile applications
✔ Enable enterprise telemetry and analytics
✔ Enforce installation conditions and constraints

This component is the primary control point for enterprise application management across managed devices.