Overview
The Android Security Policy lets administrators manage security, privacy, encryption, permission, lock screen, developer, and application trust settings on managed Android devices.
Use this policy to:
Disable debugging and developer features
Enforce Google Play Protect
Restrict untrusted application installation
Control runtime app permissions
Require device encryption
Disable screenshots and screen recording
Restrict location sharing
Control lock screen features
Configure advanced Android security protections
Protect work profile notifications from personal apps
This policy supports both company-owned and BYOD Android devices running Android 9 or later.
Supported Platforms
Platform | Minimum Supported Version |
Android | Android 9+ |
The MTE Policy setting requires Android 12 or later and compatible hardware.
Before You Begin
Before deploying this policy:
Confirm the Android device is enrolled in Swif.
Identify whether the device is company-owned, BYOD, or dedicated.
Review which controls affect the entire device and which affect only managed data.
Test restrictive settings on a small device group.
Notify users before disabling screenshots, biometrics, location sharing, or other commonly used features.
Confirm that required business apps will continue to function with the selected permission settings.
Steps
In Swif, go to Device Management.
Open Policies.
Create or edit a policy.
Select Android Security Policy.
Configure the required security and privacy controls.
Assign the policy to the appropriate Android device group.
Save and deploy the policy.
Monitor device compliance and user impact after deployment.
Recommended Baseline Configuration
For most managed Android environments, consider the following baseline:
Setting | Recommended Value |
Allow Debugging Features | Disabled |
Default Permission Policy |
|
Encryption Policy |
|
Private Key Selection Enabled | Disabled |
Disable Screen Capture | Based on data sensitivity |
Disable Location Sharing | Based on business requirements |
Disable Keyguard | Disabled |
Developer Settings |
|
Google Play Protect Verify Apps |
|
Untrusted Apps Policy |
|
Common Criteria Mode | Disabled unless specifically required |
Content Protection Policy |
|
Personal Apps That Can Read Work Notifications | Leave empty unless explicitly required |
For BYOD devices, apply restrictions carefully to avoid unnecessarily affecting the user's personal profile.
Debugging and Developer Controls
Allow Debugging Features
When enabled, users can access Android debugging tools, including:
USB debugging
Developer options
Other device debugging capabilities
The default is disabled.
For production devices, keep this setting disabled unless developers need temporary debugging access.
Allowing debugging features may increase the risk of:
Unauthorized device access through ADB
Security control bypass
Local data extraction
Unapproved configuration changes
Developer Settings
The Developer Settings control is available under Advanced Security Overrides.
Value | Behavior |
| Uses the platform default |
| Prevents access to developer settings |
| Allows access to developer settings |
Recommended value:
DEVELOPER_SETTINGS_DISABLED
Use DEVELOPER_SETTINGS_ALLOWED only for approved development or testing devices.
Application Permission Controls
Default Permission Policy
The Default Permission Policy defines how Android handles runtime permission requests.
Value | Behavior |
| Prompts the user to allow or deny the permission |
| Automatically grants requested permissions |
| Automatically denies requested permissions |
The default is:
PROMPT
Recommended Use
Use
PROMPTfor most environments.Use
GRANTonly when required for trusted business applications.Use
DENYin highly restricted environments where app permissions must be explicitly approved.
Permission Grants
Use Permission Grants to override the default policy for specific Android permissions.
Each entry includes:
Permission
Policy
Supported policy values are:
PROMPTGRANTDENY
Common permission examples include:
android.permission.CAMERA
android.permission.ACCESS_FINE_LOCATION
android.permission.READ_CONTACTS
android.permission.RECORD_AUDIO
android.permission.CALL_PHONE
Example
Permission | Policy |
|
|
|
|
|
|
Explicit permission grants override the Default Permission Policy.
Only grant sensitive permissions to trusted applications with a documented business requirement.
Encryption Policy
The Encryption Policy controls whether device encryption is required.
Value | Behavior |
| No explicit encryption requirement is defined |
| Encryption is enabled without requiring a password |
| Encryption is enabled and protected by a password |
Recommended value for most managed devices:
ENABLED_WITH_PASSWORD
This provides stronger protection for data at rest.
Encryption behavior may depend on:
Android version
Device hardware
Enrollment mode
Existing device encryption state
Password policy configuration
For stronger security, pair this setting with an Android Password Policy.
Screen and Privacy Controls
Disable Screen Capture
When enabled, users cannot take screenshots or screen recordings of managed content.
Use this setting for:
Financial applications
Healthcare data
Sensitive internal tools
Regulated workflows
Devices displaying confidential information
Enabling this control may affect:
User support workflows
Screen-sharing tools
Documentation processes
Apps that rely on screen capture
Test before applying it broadly.
Disable Location Sharing
When enabled, users cannot share device location with apps or other users.
Use this when location sharing is not required and privacy is a priority.
Before enabling it, confirm that it will not interfere with:
Navigation apps
Field service workflows
Device tracking
Geofencing
Emergency or safety applications
Location-based authentication
Private Key Selection Enabled
When enabled, Android may show a user interface allowing the user to select a private key alias if no configured private key rule matches.
The default is disabled.
Enable this only when users need to manually choose certificates for:
Wi-Fi authentication
VPN authentication
Browser-based certificate authentication
Enterprise applications
Leaving this disabled provides more centralized certificate control.
Lock Screen Security
Disable Keyguard
When enabled, Android disables the lock screen on primary or secondary displays.
This setting is supported only in dedicated device management mode.
Do not enable it on general-purpose employee devices.
Typical use cases include:
Kiosk devices
Digital signage
Shared task devices
Devices operating in physically controlled locations
Disabling the lock screen reduces local access protection and should only be used in controlled environments.
Keyguard Disabled Features
This setting allows administrators to disable individual features on the secure lock screen.
Available options include:
Feature | Effect |
| Disables lock screen camera access |
| Hides lock screen notifications |
| Prevents full notification content from appearing |
| Disables Smart Lock and trust agents |
| Disables fingerprint authentication |
| Prevents replies from lock screen notifications |
| Disables face authentication |
| Disables iris authentication |
| Disables biometric authentication |
| Disables lock screen shortcuts |
| Disables all supported lock screen features |
Recommended Use
For devices handling sensitive data, consider disabling:
UNREDACTED_NOTIFICATIONSTRUST_AGENTSDISABLE_REMOTE_INPUT
Use biometric restrictions only when required by your organization’s security policy.
Advanced Security Overrides
Common Criteria Mode
Common Criteria Mode enables additional device security controls intended for environments with specialized certification requirements.
Value | Behavior |
| Uses platform default behavior |
| Disables Common Criteria Mode |
| Enables Common Criteria Mode |
Enable this only when required by a security standard, government environment, or device certification requirement.
Device and manufacturer support may vary.
Google Play Protect Verify Apps
This setting controls whether Google Play Protect verifies installed applications.
Value | Behavior |
| Uses platform default behavior |
| Enforces app verification |
| Allows the user to decide |
Recommended value:
VERIFY_APPS_ENFORCED
Google Play Protect helps detect potentially harmful applications and unsafe installation behavior.
Untrusted Apps Policy
This setting controls whether apps from outside approved application sources may be installed.
Value | Behavior |
| Uses platform default behavior |
| Blocks installation of untrusted applications |
| Allows untrusted apps only in the personal profile |
| Allows untrusted apps across the device |
Recommended value for company-owned devices:
DISALLOW_INSTALL
For BYOD deployments, ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY may preserve personal flexibility while protecting the managed work profile.
Allowing untrusted applications device-wide increases exposure to:
Malware
Unverified APK files
Repackaged applications
Applications that bypass managed Google Play
Data exfiltration tools
MTE Policy
The Memory Tagging Extension, or MTE, setting controls a hardware-assisted memory safety protection available on supported Android 12+ devices.
Value | Behavior |
| Uses platform default behavior |
| Enforces Memory Tagging Extension |
| Disables Memory Tagging Extension |
MTE can help detect certain memory corruption issues.
Before enforcing it:
Confirm device hardware support
Test application compatibility
Confirm the device runs Android 12 or later
Unsupported devices may ignore the setting or report a policy issue.
Content Protection Policy
This setting controls Android content protection behavior.
Value | Behavior |
| Uses platform default behavior |
| Disables content protection |
| Enforces content protection |
Use:
CONTENT_PROTECTION_ENFORCED
when supported and appropriate for devices handling sensitive company data.
Personal Apps That Can Read Work Notifications
This setting identifies personal-profile applications that are allowed to read notifications from the managed work profile.
Enter package names such as:
com.example.app
Leave this list empty unless there is a documented business requirement.
Allowing personal applications to read work notifications can expose:
Email subjects
Chat messages
Calendar reminders
Authentication prompts
Other sensitive work information
Only approve trusted applications after a security review.
Example Configurations
Standard Company-Owned Device
Allow Debugging Features: false
Default Permission Policy: PROMPT
Encryption Policy: ENABLED_WITH_PASSWORD
Private Key Selection Enabled: false
Disable Keyguard: false
Developer Settings: DEVELOPER_SETTINGS_DISABLED
Google Play Protect Verify Apps: VERIFY_APPS_ENFORCED
Untrusted Apps Policy: DISALLOW_INSTALL
This provides a balanced security baseline for general company-owned devices.
High-Security Company-Owned Device
Allow Debugging Features: false
Default Permission Policy: DENY
Encryption Policy: ENABLED_WITH_PASSWORD
Disable Screen Capture: true
Disable Location Sharing: true
Developer Settings: DEVELOPER_SETTINGS_DISABLED
Google Play Protect Verify Apps: VERIFY_APPS_ENFORCED
Untrusted Apps Policy: DISALLOW_INSTALL
Content Protection Policy: CONTENT_PROTECTION_ENFORCED
Keyguard Disabled Features:
- UNREDACTED_NOTIFICATIONS
- TRUST_AGENTS
- DISABLE_REMOTE_INPUT
Add explicit permission grants for required business applications.
BYOD Work Profile
Allow Debugging Features: false
Default Permission Policy: PROMPT
Encryption Policy: ENABLED_WITH_PASSWORD
Developer Settings: DEVELOPER_SETTINGS_DISABLED
Google Play Protect Verify Apps: VERIFY_APPS_ENFORCED
Untrusted Apps Policy: ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY
Personal Apps That Can Read Work Notifications: none
This protects the work profile while limiting impact on the personal profile.
Dedicated Kiosk Device
Allow Debugging Features: false
Encryption Policy: ENABLED_WITH_PASSWORD
Disable Keyguard: true
Developer Settings: DEVELOPER_SETTINGS_DISABLED
Google Play Protect Verify Apps: VERIFY_APPS_ENFORCED
Untrusted Apps Policy: DISALLOW_INSTALL
Use Disable Keyguard only when the device is enrolled in dedicated-device mode and is physically secured.
Security Considerations
Permission Conflicts
Explicit permission grants override the default permission policy.
For example:
Default Permission Policy: DENY
Camera Permission: GRANT
In this case, camera access is granted while other runtime permissions are denied by default.
Review explicit grants carefully to avoid unintentionally weakening the baseline.
BYOD Impact
Some settings may behave differently based on enrollment mode.
For BYOD devices:
Prefer controls scoped to the work profile
Avoid disabling personal features without a business requirement
Review notification-sharing rules carefully
Test location and screen-capture restrictions
Communicate visible changes to users
Dedicated Device Impact
Dedicated devices may support stronger controls such as disabling the keyguard.
Because these devices often operate without regular user interaction, also consider:
Physical security
Network restrictions
Kiosk application controls
Remote recovery procedures
Device replacement workflows
Troubleshooting
The Policy Is Not Applying
Check:
The device runs Android 9 or later
The device is online and checking in
The policy is assigned to the correct device group
The enrollment type supports the selected setting
The device manufacturer supports the setting
No conflicting Android policies are assigned
Some advanced settings may be ignored on unsupported hardware.
Debugging Features Are Still Available
Check:
Allow Debugging Features is disabled
Developer Settings is set to
DEVELOPER_SETTINGS_DISABLEDThe device has received the latest policy
The device is not enrolled in an unsupported management mode
Restarting the device may be required before some developer settings fully change.
An Application Cannot Access a Required Feature
Check:
The Default Permission Policy
Any explicit Permission Grants
Whether the permission name is correct
Whether the application requests that permission
Whether Android has already denied the permission
Whether another application policy overrides the permission
Add an explicit GRANT only after confirming that the application requires the permission.
Screen Capture Is Still Available
Check:
Disable Screen Capture is enabled
The policy is assigned to the correct device
The app is running inside the managed scope
The device supports screen-capture restrictions
The device has checked in since the policy was updated
Behavior may differ between the personal and work profiles.
The Device Cannot Install an App
Check:
Untrusted Apps Policy
Google Play Protect settings
Whether the app is distributed through managed Google Play
Whether installation from unknown sources is blocked elsewhere
Whether another Android Application Policy blocks the app
For company-owned devices, use managed Google Play whenever possible.
Biometrics No Longer Work
Check Keyguard Disabled Features for:
DISABLE_FINGERPRINTFACEIRISBIOMETRICSALL_FEATURES
Remove the applicable restriction and redeploy the policy if biometric authentication should be allowed.
Lock Screen Notifications Are Hidden
Check Keyguard Disabled Features for:
NOTIFICATIONSUNREDACTED_NOTIFICATIONSALL_FEATURES
UNREDACTED_NOTIFICATIONS may allow notification indicators while hiding sensitive content.
MTE Is Not Enforced
Check:
The device runs Android 12 or later
The device processor supports Memory Tagging Extension
The manufacturer supports Android MTE policy enforcement
The device has received the latest policy
Not all Android 12+ devices support MTE.
The Device Reports a Policy Error
Review:
Unsupported settings for the device model
Conflicting policy values
Invalid Android permission names
Invalid package names
Settings that require dedicated-device mode
MTE settings on unsupported devices
Remove unsupported settings, redeploy the policy, and check the device again.
Security and Compliance Impact
The Android Security Policy helps organizations:
Reduce unauthorized device debugging
Enforce app verification
Prevent untrusted application installation
Protect data at rest with encryption
Limit exposure of sensitive screen and notification content
Control access to cameras, location, contacts, microphones, and other permissions
Strengthen lock screen behavior
Protect managed work data on BYOD devices
Apply consistent Android security settings across managed devices
These controls can help support endpoint security requirements associated with frameworks such as SOC 2, ISO 27001, HIPAA, NIST, NIS2, CIS, and CMMC.
Summary
Use the Android Security Policy to centrally manage security and privacy controls on Android 9+ devices.
For most environments:
Disable debugging and developer settings.
Enforce Google Play Protect.
Block untrusted application installation.
Require encryption with a password.
Use
PROMPTas the default permission policy.Grant sensitive permissions only when required.
Protect lock screen notifications.
Test restrictive settings before broad deployment.
