Skip to main content

Android Security Policy

Overview

The Android Security Policy lets administrators manage security, privacy, encryption, permission, lock screen, developer, and application trust settings on managed Android devices.

Use this policy to:

  • Disable debugging and developer features

  • Enforce Google Play Protect

  • Restrict untrusted application installation

  • Control runtime app permissions

  • Require device encryption

  • Disable screenshots and screen recording

  • Restrict location sharing

  • Control lock screen features

  • Configure advanced Android security protections

  • Protect work profile notifications from personal apps

This policy supports both company-owned and BYOD Android devices running Android 9 or later.


Supported Platforms

Platform

Minimum Supported Version

Android

Android 9+

The MTE Policy setting requires Android 12 or later and compatible hardware.


Before You Begin

Before deploying this policy:

  1. Confirm the Android device is enrolled in Swif.

  2. Identify whether the device is company-owned, BYOD, or dedicated.

  3. Review which controls affect the entire device and which affect only managed data.

  4. Test restrictive settings on a small device group.

  5. Notify users before disabling screenshots, biometrics, location sharing, or other commonly used features.

  6. Confirm that required business apps will continue to function with the selected permission settings.


Steps

  1. In Swif, go to Device Management.

  2. Open Policies.

  3. Create or edit a policy.

  4. Select Android Security Policy.

  5. Configure the required security and privacy controls.

  6. Assign the policy to the appropriate Android device group.

  7. Save and deploy the policy.

  8. Monitor device compliance and user impact after deployment.


Recommended Baseline Configuration

For most managed Android environments, consider the following baseline:

Setting

Recommended Value

Allow Debugging Features

Disabled

Default Permission Policy

PROMPT

Encryption Policy

ENABLED_WITH_PASSWORD

Private Key Selection Enabled

Disabled

Disable Screen Capture

Based on data sensitivity

Disable Location Sharing

Based on business requirements

Disable Keyguard

Disabled

Developer Settings

DEVELOPER_SETTINGS_DISABLED

Google Play Protect Verify Apps

VERIFY_APPS_ENFORCED

Untrusted Apps Policy

DISALLOW_INSTALL

Common Criteria Mode

Disabled unless specifically required

Content Protection Policy

CONTENT_PROTECTION_ENFORCED where supported

Personal Apps That Can Read Work Notifications

Leave empty unless explicitly required

For BYOD devices, apply restrictions carefully to avoid unnecessarily affecting the user's personal profile.


Debugging and Developer Controls

Allow Debugging Features

When enabled, users can access Android debugging tools, including:

  • USB debugging

  • Developer options

  • Other device debugging capabilities

The default is disabled.

For production devices, keep this setting disabled unless developers need temporary debugging access.

Allowing debugging features may increase the risk of:

  • Unauthorized device access through ADB

  • Security control bypass

  • Local data extraction

  • Unapproved configuration changes


Developer Settings

The Developer Settings control is available under Advanced Security Overrides.

Value

Behavior

DEVELOPER_SETTINGS_UNSPECIFIED

Uses the platform default

DEVELOPER_SETTINGS_DISABLED

Prevents access to developer settings

DEVELOPER_SETTINGS_ALLOWED

Allows access to developer settings

Recommended value:

DEVELOPER_SETTINGS_DISABLED

Use DEVELOPER_SETTINGS_ALLOWED only for approved development or testing devices.


Application Permission Controls

Default Permission Policy

The Default Permission Policy defines how Android handles runtime permission requests.

Value

Behavior

PROMPT

Prompts the user to allow or deny the permission

GRANT

Automatically grants requested permissions

DENY

Automatically denies requested permissions

The default is:

PROMPT

Recommended Use

  • Use PROMPT for most environments.

  • Use GRANT only when required for trusted business applications.

  • Use DENY in highly restricted environments where app permissions must be explicitly approved.


Permission Grants

Use Permission Grants to override the default policy for specific Android permissions.

Each entry includes:

  • Permission

  • Policy

Supported policy values are:

  • PROMPT

  • GRANT

  • DENY

Common permission examples include:

android.permission.CAMERA
android.permission.ACCESS_FINE_LOCATION
android.permission.READ_CONTACTS
android.permission.RECORD_AUDIO
android.permission.CALL_PHONE

Example

Permission

Policy

android.permission.CAMERA

GRANT

android.permission.ACCESS_FINE_LOCATION

DENY

android.permission.RECORD_AUDIO

PROMPT

Explicit permission grants override the Default Permission Policy.

Only grant sensitive permissions to trusted applications with a documented business requirement.


Encryption Policy

The Encryption Policy controls whether device encryption is required.

Value

Behavior

ENCRYPTION_POLICY_UNSPECIFIED

No explicit encryption requirement is defined

ENABLED_WITHOUT_PASSWORD

Encryption is enabled without requiring a password

ENABLED_WITH_PASSWORD

Encryption is enabled and protected by a password

Recommended value for most managed devices:

ENABLED_WITH_PASSWORD

This provides stronger protection for data at rest.

Encryption behavior may depend on:

  • Android version

  • Device hardware

  • Enrollment mode

  • Existing device encryption state

  • Password policy configuration

For stronger security, pair this setting with an Android Password Policy.


Screen and Privacy Controls

Disable Screen Capture

When enabled, users cannot take screenshots or screen recordings of managed content.

Use this setting for:

  • Financial applications

  • Healthcare data

  • Sensitive internal tools

  • Regulated workflows

  • Devices displaying confidential information

Enabling this control may affect:

  • User support workflows

  • Screen-sharing tools

  • Documentation processes

  • Apps that rely on screen capture

Test before applying it broadly.


Disable Location Sharing

When enabled, users cannot share device location with apps or other users.

Use this when location sharing is not required and privacy is a priority.

Before enabling it, confirm that it will not interfere with:

  • Navigation apps

  • Field service workflows

  • Device tracking

  • Geofencing

  • Emergency or safety applications

  • Location-based authentication


Private Key Selection Enabled

When enabled, Android may show a user interface allowing the user to select a private key alias if no configured private key rule matches.

The default is disabled.

Enable this only when users need to manually choose certificates for:

  • Wi-Fi authentication

  • VPN authentication

  • Browser-based certificate authentication

  • Enterprise applications

Leaving this disabled provides more centralized certificate control.


Lock Screen Security

Disable Keyguard

When enabled, Android disables the lock screen on primary or secondary displays.

This setting is supported only in dedicated device management mode.

Do not enable it on general-purpose employee devices.

Typical use cases include:

  • Kiosk devices

  • Digital signage

  • Shared task devices

  • Devices operating in physically controlled locations

Disabling the lock screen reduces local access protection and should only be used in controlled environments.


Keyguard Disabled Features

This setting allows administrators to disable individual features on the secure lock screen.

Available options include:

Feature

Effect

CAMERA

Disables lock screen camera access

NOTIFICATIONS

Hides lock screen notifications

UNREDACTED_NOTIFICATIONS

Prevents full notification content from appearing

TRUST_AGENTS

Disables Smart Lock and trust agents

DISABLE_FINGERPRINT

Disables fingerprint authentication

DISABLE_REMOTE_INPUT

Prevents replies from lock screen notifications

FACE

Disables face authentication

IRIS

Disables iris authentication

BIOMETRICS

Disables biometric authentication

SHORTCUTS

Disables lock screen shortcuts

ALL_FEATURES

Disables all supported lock screen features

Recommended Use

For devices handling sensitive data, consider disabling:

  • UNREDACTED_NOTIFICATIONS

  • TRUST_AGENTS

  • DISABLE_REMOTE_INPUT

Use biometric restrictions only when required by your organization’s security policy.


Advanced Security Overrides

Common Criteria Mode

Common Criteria Mode enables additional device security controls intended for environments with specialized certification requirements.

Value

Behavior

COMMON_CRITERIA_MODE_UNSPECIFIED

Uses platform default behavior

COMMON_CRITERIA_MODE_DISABLED

Disables Common Criteria Mode

COMMON_CRITERIA_MODE_ENABLED

Enables Common Criteria Mode

Enable this only when required by a security standard, government environment, or device certification requirement.

Device and manufacturer support may vary.


Google Play Protect Verify Apps

This setting controls whether Google Play Protect verifies installed applications.

Value

Behavior

GOOGLE_PLAY_PROTECT_VERIFY_APPS_UNSPECIFIED

Uses platform default behavior

VERIFY_APPS_ENFORCED

Enforces app verification

VERIFY_APPS_USER_CHOICE

Allows the user to decide

Recommended value:

VERIFY_APPS_ENFORCED

Google Play Protect helps detect potentially harmful applications and unsafe installation behavior.


Untrusted Apps Policy

This setting controls whether apps from outside approved application sources may be installed.

Value

Behavior

UNTRUSTED_APPS_POLICY_UNSPECIFIED

Uses platform default behavior

DISALLOW_INSTALL

Blocks installation of untrusted applications

ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY

Allows untrusted apps only in the personal profile

ALLOW_INSTALL_DEVICE_WIDE

Allows untrusted apps across the device

Recommended value for company-owned devices:

DISALLOW_INSTALL

For BYOD deployments, ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY may preserve personal flexibility while protecting the managed work profile.

Allowing untrusted applications device-wide increases exposure to:

  • Malware

  • Unverified APK files

  • Repackaged applications

  • Applications that bypass managed Google Play

  • Data exfiltration tools


MTE Policy

The Memory Tagging Extension, or MTE, setting controls a hardware-assisted memory safety protection available on supported Android 12+ devices.

Value

Behavior

MTE_POLICY_UNSPECIFIED

Uses platform default behavior

MTE_ENFORCED

Enforces Memory Tagging Extension

MTE_DISABLED

Disables Memory Tagging Extension

MTE can help detect certain memory corruption issues.

Before enforcing it:

  • Confirm device hardware support

  • Test application compatibility

  • Confirm the device runs Android 12 or later

Unsupported devices may ignore the setting or report a policy issue.


Content Protection Policy

This setting controls Android content protection behavior.

Value

Behavior

CONTENT_PROTECTION_UNSPECIFIED

Uses platform default behavior

CONTENT_PROTECTION_DISABLED

Disables content protection

CONTENT_PROTECTION_ENFORCED

Enforces content protection

Use:

CONTENT_PROTECTION_ENFORCED

when supported and appropriate for devices handling sensitive company data.


Personal Apps That Can Read Work Notifications

This setting identifies personal-profile applications that are allowed to read notifications from the managed work profile.

Enter package names such as:

com.example.app

Leave this list empty unless there is a documented business requirement.

Allowing personal applications to read work notifications can expose:

  • Email subjects

  • Chat messages

  • Calendar reminders

  • Authentication prompts

  • Other sensitive work information

Only approve trusted applications after a security review.


Example Configurations

Standard Company-Owned Device

Allow Debugging Features: false 
Default Permission Policy: PROMPT
Encryption Policy: ENABLED_WITH_PASSWORD
Private Key Selection Enabled: false
Disable Keyguard: false
Developer Settings: DEVELOPER_SETTINGS_DISABLED
Google Play Protect Verify Apps: VERIFY_APPS_ENFORCED
Untrusted Apps Policy: DISALLOW_INSTALL

This provides a balanced security baseline for general company-owned devices.


High-Security Company-Owned Device

Allow Debugging Features: false 
Default Permission Policy: DENY
Encryption Policy: ENABLED_WITH_PASSWORD
Disable Screen Capture: true
Disable Location Sharing: true
Developer Settings: DEVELOPER_SETTINGS_DISABLED
Google Play Protect Verify Apps: VERIFY_APPS_ENFORCED
Untrusted Apps Policy: DISALLOW_INSTALL
Content Protection Policy: CONTENT_PROTECTION_ENFORCED
Keyguard Disabled Features:
- UNREDACTED_NOTIFICATIONS
- TRUST_AGENTS
- DISABLE_REMOTE_INPUT

Add explicit permission grants for required business applications.


BYOD Work Profile

Allow Debugging Features: false 
Default Permission Policy: PROMPT
Encryption Policy: ENABLED_WITH_PASSWORD
Developer Settings: DEVELOPER_SETTINGS_DISABLED
Google Play Protect Verify Apps: VERIFY_APPS_ENFORCED
Untrusted Apps Policy: ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY
Personal Apps That Can Read Work Notifications: none

This protects the work profile while limiting impact on the personal profile.


Dedicated Kiosk Device

Allow Debugging Features: false 
Encryption Policy: ENABLED_WITH_PASSWORD
Disable Keyguard: true
Developer Settings: DEVELOPER_SETTINGS_DISABLED
Google Play Protect Verify Apps: VERIFY_APPS_ENFORCED
Untrusted Apps Policy: DISALLOW_INSTALL

Use Disable Keyguard only when the device is enrolled in dedicated-device mode and is physically secured.


Security Considerations

Permission Conflicts

Explicit permission grants override the default permission policy.

For example:

Default Permission Policy: DENY 
Camera Permission: GRANT

In this case, camera access is granted while other runtime permissions are denied by default.

Review explicit grants carefully to avoid unintentionally weakening the baseline.


BYOD Impact

Some settings may behave differently based on enrollment mode.

For BYOD devices:

  • Prefer controls scoped to the work profile

  • Avoid disabling personal features without a business requirement

  • Review notification-sharing rules carefully

  • Test location and screen-capture restrictions

  • Communicate visible changes to users


Dedicated Device Impact

Dedicated devices may support stronger controls such as disabling the keyguard.

Because these devices often operate without regular user interaction, also consider:

  • Physical security

  • Network restrictions

  • Kiosk application controls

  • Remote recovery procedures

  • Device replacement workflows


Troubleshooting

The Policy Is Not Applying

Check:

  • The device runs Android 9 or later

  • The device is online and checking in

  • The policy is assigned to the correct device group

  • The enrollment type supports the selected setting

  • The device manufacturer supports the setting

  • No conflicting Android policies are assigned

Some advanced settings may be ignored on unsupported hardware.


Debugging Features Are Still Available

Check:

  • Allow Debugging Features is disabled

  • Developer Settings is set to DEVELOPER_SETTINGS_DISABLED

  • The device has received the latest policy

  • The device is not enrolled in an unsupported management mode

Restarting the device may be required before some developer settings fully change.


An Application Cannot Access a Required Feature

Check:

  • The Default Permission Policy

  • Any explicit Permission Grants

  • Whether the permission name is correct

  • Whether the application requests that permission

  • Whether Android has already denied the permission

  • Whether another application policy overrides the permission

Add an explicit GRANT only after confirming that the application requires the permission.


Screen Capture Is Still Available

Check:

  • Disable Screen Capture is enabled

  • The policy is assigned to the correct device

  • The app is running inside the managed scope

  • The device supports screen-capture restrictions

  • The device has checked in since the policy was updated

Behavior may differ between the personal and work profiles.


The Device Cannot Install an App

Check:

  • Untrusted Apps Policy

  • Google Play Protect settings

  • Whether the app is distributed through managed Google Play

  • Whether installation from unknown sources is blocked elsewhere

  • Whether another Android Application Policy blocks the app

For company-owned devices, use managed Google Play whenever possible.


Biometrics No Longer Work

Check Keyguard Disabled Features for:

  • DISABLE_FINGERPRINT

  • FACE

  • IRIS

  • BIOMETRICS

  • ALL_FEATURES

Remove the applicable restriction and redeploy the policy if biometric authentication should be allowed.


Lock Screen Notifications Are Hidden

Check Keyguard Disabled Features for:

  • NOTIFICATIONS

  • UNREDACTED_NOTIFICATIONS

  • ALL_FEATURES

UNREDACTED_NOTIFICATIONS may allow notification indicators while hiding sensitive content.


MTE Is Not Enforced

Check:

  • The device runs Android 12 or later

  • The device processor supports Memory Tagging Extension

  • The manufacturer supports Android MTE policy enforcement

  • The device has received the latest policy

Not all Android 12+ devices support MTE.


The Device Reports a Policy Error

Review:

  • Unsupported settings for the device model

  • Conflicting policy values

  • Invalid Android permission names

  • Invalid package names

  • Settings that require dedicated-device mode

  • MTE settings on unsupported devices

Remove unsupported settings, redeploy the policy, and check the device again.


Security and Compliance Impact

The Android Security Policy helps organizations:

  • Reduce unauthorized device debugging

  • Enforce app verification

  • Prevent untrusted application installation

  • Protect data at rest with encryption

  • Limit exposure of sensitive screen and notification content

  • Control access to cameras, location, contacts, microphones, and other permissions

  • Strengthen lock screen behavior

  • Protect managed work data on BYOD devices

  • Apply consistent Android security settings across managed devices

These controls can help support endpoint security requirements associated with frameworks such as SOC 2, ISO 27001, HIPAA, NIST, NIS2, CIS, and CMMC.


Summary

Use the Android Security Policy to centrally manage security and privacy controls on Android 9+ devices.

For most environments:

  1. Disable debugging and developer settings.

  2. Enforce Google Play Protect.

  3. Block untrusted application installation.

  4. Require encryption with a password.

  5. Use PROMPT as the default permission policy.

  6. Grant sensitive permissions only when required.

  7. Protect lock screen notifications.

  8. Test restrictive settings before broad deployment.

Did this answer your question?