The Android Security Policy is used to manage core security, privacy, and permission behaviors on managed Android devices.
These controls allow organizations to enforce secure runtime permissions, limit sensitive capabilities, and configure advanced system-level security restrictions.
Minimum Requirements: Android 9+
Policy Overview
This policy allows administrators to:
Control debugging features
Set the default permission handling behavior
Enforce device encryption modes
Disable screen capture
Prevent location sharing
Apply advanced security overrides
Configure explicit permission grants for specific apps
Settings
1. Allow Debugging Features
Description:
When enabled, users can access debugging features such as USB debugging, developer tools, and other diagnostic features.
Use case:
Useful for engineering or test devices; should remain disabled for production environments.
Minimum Requirements: Android 9+
Values:
Enabled — Debugging tools available
Disabled (default) — Debugging tools blocked
2. Default Permission Policy
Defines how the device handles runtime permission requests when apps request sensitive permissions (camera, location, contacts, etc.).
Available Options:
| Option | Behavior |
| --- | --- |
| PROMPT | User is prompted to grant the permission |
| GRANT | Permission is automatically granted |
| DENY | Permission is automatically denied |
Recommendation:
Use PROMPT for general deployments, DENY for high-security environments, and GRANT only for controlled devices.
3. Encryption Policy
Controls whether device encryption is required.
Options:
ENCRYPTION_POLICY_UNSPECIFIED
ENABLED — Forces encryption
ENABLED_WITHOUT_PASSWORD
ENABLED_WITH_PASSWORD
Details:
When encryption is enabled, the selected option determines whether the device passcode is also required: ENABLED_WITH_PASSWORD requires it, ENABLED_WITHOUT_PASSWORD does not.
Minimum Requirements: Android 9+
4. Private Key Selection Enabled
Allows a user to manually choose a private key alias when multiple matching keys exist in ChoosePrivateKeyAliasCallback.
Values:
Enabled
Disabled (default)
Minimum Requirements: Android 9+
5. Disable Screen Capture
Prevents users from taking screenshots or recording the screen.
This also prevents screen-sharing and hides sensitive information during remote support.
Values:
Enabled — Screenshot and screen recording blocked
Disabled (default) — No restriction
Minimum Requirements: Android 9+
6. Disable Location Sharing
Blocks users from sharing device location with other users or apps.
Description:
When enabled, applications cannot send location via messaging or other sharing features, helping protect user privacy and preventing unintended location leakage.
Minimum Requirements: Android 9+
Values:
Enabled — Prevent location sharing
Disabled (default)
Permission Grants
Administrators can configure explicit permission grants that override the Default Permission Policy.
These controls allow more granular app-level management for security-critical environments.
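An added example, not taken from this product or its documentation: a short Python check that resolves the state a runtime permission ends up in when an explicit grant overrides the Default Permission Policy, and flags settings that go against the recommendations above. The JSON key names (debuggingFeaturesAllowed, defaultPermissionPolicy, applications, permissionGrants) are assumptions modeled on the Android Management API Policy resource, and the sample policy is constructed.

```python
import json

# Constructed sample policy. Key names are assumptions modeled on the
# Android Management API Policy resource, not this product's export format.
SAMPLE = json.loads("""
{
  "debuggingFeaturesAllowed": true,
  "defaultPermissionPolicy": "DENY",
  "applications": [
    {"packageName": "com.example.scanner",
     "permissionGrants": [
       {"permission": "android.permission.CAMERA", "policy": "GRANT"}]},
    {"packageName": "com.example.notes", "permissionGrants": []}
  ]
}
""")
STATES = {"PROMPT", "GRANT", "DENY"}

def effective_state(policy, package, permission):
    """State a runtime permission resolves to: an explicit grant beats the default."""
    for app in policy.get("applications", []):
        if app.get("packageName") == package:
            for grant in app.get("permissionGrants", []):
                if grant.get("permission") == permission:
                    return grant.get("policy")
    # Assumption: an unset default behaves like PROMPT.
    return policy.get("defaultPermissionPolicy", "PROMPT")

def audit(policy, high_security=False):
    """Return findings based on the recommendations stated on this page."""
    findings = []
    default = policy.get("defaultPermissionPolicy", "PROMPT")
    if policy.get("debuggingFeaturesAllowed", False):
        findings.append("debugging features enabled: test devices only")
    if default not in STATES:
        findings.append(f"unknown default permission policy: {default}")
    elif default == "GRANT":
        findings.append("default GRANT: controlled devices only")
    elif high_security and default != "DENY":
        findings.append(f"default {default}: high-security profile expects DENY")
    for app in policy.get("applications", []):
        for grant in app.get("permissionGrants", []):
            if grant.get("policy") == "GRANT" and default != "GRANT":
                findings.append(f"{app.get('packageName')}: {grant.get('permission')} "
                                f"granted despite default {default}")
    return findings

if __name__ == "__main__": print("\n".join(audit(SAMPLE, high_security=True)))
```

Each explicit GRANT that the audit reports is an exception to the default worth reviewing before the policy is pushed to production devices.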
Advanced Security Overrides
The following controls configure specialized and high-security enforcement modes.
1. Common Criteria Mode
Enforces additional Common Criteria security controls.
Options:
COMMON_CRITERIA_MODE_UNSPECIFIED
COMMON_CRITERIA_MODE_ENABLED
COMMON_CRITERIA_MODE_DISABLED
2. Developer Settings
Controls access to developer settings.
Options:
DEVELOPER_SETTINGS_UNSPECIFIED
DEVELOPER_SETTINGS_ENABLED
DEVELOPER_SETTINGS_DISABLED
3. Google Play Protect Verify Apps
Determines whether Google Play Protect “Verify Apps” is active.
Options:
VERIFY_APPS_UNSPECIFIED
GOOGLE_PLAY_PROTECT_VERIFICATION_ENABLED
GOOGLE_PLAY_PROTECT_VERIFICATION_DISABLED
4. Untrusted Apps Policy
Controls whether untrusted apps can install or run.
Values include:
UNTRUSTED_APPS_POLICY_UNSPECIFIED
DISALLOW_INSTALL_UNTRUSTED_APPS
ALLOW_INSTALL_UNTRUSTED_APPS_ON_PERSONAL_PROFILE_ONLY
ALLOW_INSTALL_UNTRUSTED_APPS
5. MTE Policy (Memory Tagging Extension)
Controls whether MTE functionality is enforced.
Options:
MTE_POLICY_UNSPECIFIED
MTE_ENFORCED
MTE_DISABLED
6. Content Protection Policy
Controls application content protection behavior.
Options:
CONTENT_PROTECTION_UNSPECIFIED
CONTENT_PROTECTION_DISABLED
CONTENT_PROTECTION_ENABLED
7. Personal Apps That Can Read Work Notifications
Allows administrators to specify the package names of personal apps that may read work-profile notifications.
Input:
Enter package names manually.
Summary
The Android Security Policy provides foundational controls that strengthen device integrity, protect data privacy, and enforce enterprise security posture.
With configuration options ranging from debugging restrictions to encryption enforcement and permission governance, this policy is essential for secure Android fleet management.
