The Android Security Policy is a comprehensive set of controls designed to help organizations protect their Android devices, data, and users. This policy is part of Swif’s Android Enterprise Policy Systems and enables IT teams to enforce advanced security standards across all managed Android devices—whether company-owned or BYOD (Bring Your Own Device).
What Is the Android Security Policy?
The Android Security Policy lets administrators centrally manage and enforce security settings on Android devices enrolled via Swif’s MDM platform. It covers a wide range of security features, from encryption and app verification to screen capture prevention and permission management.
By applying this policy, organizations can:
Ensure devices meet compliance requirements
Protect sensitive data from unauthorized access
Reduce the risk of malware and untrusted apps
Standardize security across all Android endpoints
Key Features and Controls
The policy includes the following controls (each can be enabled or customized as needed):
Advanced Security Overrides: Allows overriding advanced security restrictions for specific administrative or testing purposes.
Common Criteria Mode: Enables enhanced security mode that meets Common Criteria certification standards.
Content Protection Policy: Defines how sensitive content (like screenshots or clipboard data) is protected on the device.
Developer Settings restrictions: Controls whether users can access developer options on the device.
Google Play Protect (Verify Apps): Enforces Google Play Protect app verification to check for harmful apps.
MTE (Memory Tagging Extension) Policy: Configures Memory Tagging Extension (MTE) for detecting memory safety issues on supported devices.
Personal Apps That Can Read Work Notifications: Lists personal apps allowed to read notifications from work profile apps.
Untrusted Apps Policy: Specifies how the device handles apps from untrusted or unknown sources.
When it is set to DISALLOW_INSTALL, installation of apps from untrusted sources is blocked, and the “Install unknown apps” option appears grayed out on the device. (Note: this may vary depending on the specific policy settings applied.)
Go to: Settings → Security and Privacy → Install unknown apps
Debugging Features Allowed: Determines if debugging tools like ADB or USB debugging are permitted.
Default Permission Policy: Sets the default behavior for runtime app permissions (auto-grant, deny, or prompt).
This follows the same procedure as the Permission Grants field, but applies the setting automatically by default.
Encryption Policy: Defines encryption requirements for device storage and data protection.
Ensure Verify Apps Enabled: Ensures the “Verify apps” feature is always turned on to block harmful apps.
Go to Play Store → Account icon → Play Protect → Settings. “Scan apps with Play Protect” should be ON and greyed out. (Note: this may vary depending on the specific policy settings applied.)
Keyguard Disabled: Disables the device’s lock screen (keyguard) when allowed by policy.
Keyguard Disabled Features: Specifies which lock screen features (like camera or notifications) are disabled.
Permission Grants: Defines explicit permissions granted or denied to specific apps.
Permission – Represents a specific runtime permission setting for an app or component.
Policy – The overall configuration object that contains all management and restriction settings for the device.
Private Key Selection Enabled: Controls whether users can select a private key from the keystore for authentication.
Screen Capture Disabled: Prevents screenshots, screen recording, or display sharing of device content.
Share Location Disabled: Disables the ability to share location data from the device with apps or services. When this feature is set to true, location sharing is disabled.
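The controls above can also be reviewed offline before a policy is deployed. The following is an added example, not Swif's code or API: it audits a policy document against a hardening baseline. It assumes the policy is expressed with the field names and enum values of Google's Android Management API Policy resource (for example, untrustedAppsPolicy with DISALLOW_INSTALL); the baseline values and both sample policies are constructed for illustration.

```python
# Example baseline (an illustrative choice, not a Swif recommendation).
# Keys are dotted paths into an Android Management API style policy document.
BASELINE = {
    "advancedSecurityOverrides.untrustedAppsPolicy": "DISALLOW_INSTALL",
    "advancedSecurityOverrides.googlePlayProtectVerifyApps": "VERIFY_APPS_ENFORCED",
    "advancedSecurityOverrides.developerSettings": "DEVELOPER_SETTINGS_DISABLED",
    "encryptionPolicy": "ENABLED_WITH_PASSWORD",
    "defaultPermissionPolicy": "PROMPT",
    "screenCaptureDisabled": True,
    "keyguardDisabled": False,
    "debuggingFeaturesAllowed": False,
}

def lookup(policy, dotted):
    """Walk a dotted path; return None when any segment is missing."""
    node = policy
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit(policy):
    """Return (field, actual, expected) for every deviation, sorted by field.
    An unset field is reported too (actual is None), so the baseline is
    stated explicitly in the policy rather than inherited from defaults."""
    findings = [(field, lookup(policy, field), expected)
                for field, expected in BASELINE.items()
                if lookup(policy, field) != expected]
    return sorted(findings, key=lambda f: f[0])

# Constructed sample: sideloading, auto-granted permissions and debugging
# allowed; developer settings and screen capture left unset.
WEAK = {
    "advancedSecurityOverrides": {
        "untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE",
        "googlePlayProtectVerifyApps": "VERIFY_APPS_USER_CHOICE",
    },
    "encryptionPolicy": "ENABLED_WITH_PASSWORD",
    "defaultPermissionPolicy": "GRANT",
    "debuggingFeaturesAllowed": True,
    "keyguardDisabled": False,
}

if __name__ == "__main__":
    for field, actual, expected in audit(WEAK):
        print(f"{field}: found {actual!r}, baseline expects {expected!r}")
```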
How to Apply the Android Security Policy
Prerequisites
Your organization must be registered with Android Enterprise via Swif.
Devices must be enrolled using Swif’s Android MDM (see here).
Step-by-Step Guide
Register Your Team with Android Enterprise
Use the Swif MDM console or API to register your organization.
Follow the guided flow to connect your Google account (corporate email recommended).
Enroll Devices
Generate a QR code for enrollment via the Swif console or API.
For full control: Wipe the device, then scan the QR code on the setup screen.
For BYOD: Use the QR code from the device’s menu (capabilities may be limited).
Apply the Security Policy
In the Swif dashboard, navigate to Policies > Android Security Policy.
Select the devices or groups to apply the policy.
Customize settings as needed for your organization’s requirements.
Save and deploy the policy.
Verify Policy Enforcement
Confirm that enrolled devices appear in the Swif dashboard.
Check that security controls (e.g., encryption, screen capture prevention) are active.
Use compliance reports to monitor device status.
Troubleshooting & Tips
If QR code enrollment fails, ensure the code is generated in TEXT mode and all formatting is correct.
For Zero Touch (DEP) enrollment, integration with the device manufacturer may be required.
BYOD enrollments have limited management capabilities compared to fully managed devices.
For detailed troubleshooting, see the Swif Android Enrollment Methods.
Why Use the Android Security Policy?
Unified Security: Apply consistent controls across Android, Mac, Windows, and Linux.
Compliance: Meet regulatory and audit requirements with automated reporting.
Reduced Risk: Block untrusted apps, enforce encryption, and prevent data leaks.
Easy Management: Centralized dashboard for policy deployment and monitoring.