Skip to main content

Android Application Policy

Updated yesterday

The Android Application Policy allows organizations to centrally manage the installation, configuration, permissions, and behavior of applications on Android devices enrolled in Swif.ai. This policy is essential for maintaining control over corporate apps, enforcing compliance, and securing work profiles across Android 9+ devices.

What This Policy Covers

With this policy, administrators can:

  • Install, update, or uninstall managed apps

  • Enforce required app versions

  • Control app permissions and auto-grant rules

  • Block app usage or disable apps entirely

  • Configure network behavior, credential policies, and installation constraints

  • Allow or block installation from unknown sources

  • Restrict user app installation and app uninstallation

  • Configure advanced Android Enterprise (AE) features for work profiles

This policy is supported on Android 9+ devices and applies to both BYOD (work profile) and fully managed devices.

Policy Settings

Configuring Applications

Each application added to the policy includes its own configuration card. You may add multiple applications using the Add button.

1. Core App Configuration

Package Name

The unique package identifier for the app
Example: com.example.app

Install Type

Controls how the app is installed: FORCE_INSTALLED (automatic mandatory), BLOCKED (cannot install), AVAILABLE (optional), KIOSK (single-app mode), etc. if you are using FORCE_INSTALLED, and as shown below, the app cannot be uninstalled.

Default Permission Policy

Options may include:

  • Prompt

  • Grant

  • Deny

For example, set Default Permission Policy to "GRANT" for Google Chrome. Then go to Settings → Apps → Chrome → Permissions. When you open each permission, you’ll see that all of them are allowed and greyed out, meaning the user cannot modify them. Here is one example:

Disable Application

When enabled, the app is disabled on the device. The icon is removed, and the user cannot launch it.
Minimum requirement: Android 9+

Minimum Version Code

Specify the minimum version of the app required on the device.
If the installed version is lower, the device attempts to update it.
Possible values: Integer ≥ 0

Auto Update Mode

Determines how app updates are handled.

Options may include:

  • Use device default

  • Enabled

  • Disabled

Delegated Scopes

Defines which admin scopes the application receives.
Examples include:

  • CERT_INSTALL

  • APP_RESTRICTIONS

  • BLOCK_UNINSTALL

Connected Work And Personal App

Controls whether the app may communicate across work and personal profiles.
Useful for messaging apps requiring cross-profile behavior.

Options:

  • Allow

  • Disallow

Work Profile Widgets

Specifies whether the app can provide widgets to the home screen in the work profile.

Options:

  • Allow

  • Disallow

Always On VPN Lockdown Exemption

Determines whether the app may bypass Always-On VPN.

Options:

  • Allow

  • Disallow

Accessible Track IDs

A list of track IDs the app should have access to.

Extension Config: Notification Receiver

Fully qualified class name of the receiver service class for Android Device Policy to notify the extension app of any local command status updates.

Extension Config: Signing Key Fingerprints

Specify SHA-256 fingerprints for signing keys allowed for installation.
Required when installing custom apps not available in Play.

Credential Provider Policy

Determines whether the app can act as a credential provider for the device.

Options vary depending on Android security APIs.

User Control Settings

Controls user's ability to modify app settings.

Options include enabling/disabling user configuration controls.


For example, when set to DISALLOWED, it prevents users from force-stopping, clearing data, disabling, or uninstalling the app through Settings.

When userControlSettings is set to "USER_CONTROL_DISALLOWED", go to Settings → Apps → Chrome. The expected behavior is that the Force stop, Disable, and Clear data buttons should all be disabled. When these options are tapped, the following screen appears (as shown in the screenshot below):

Preferred Network ID

Specify the network ID the app should use for network traffic routing (if applicable).

2. Permission Grants

You can explicitly override default app permission rules.

Permission

Select the Android permission the rule applies to.
Example:

  • android.permission.READ_CALENDAR

  • android.permission.CAMERA

Policy

Determines how this permission is handled:

Options:

  • Grant

  • Deny

  • Prompt

(Overrides the global permission behavior.)

Add multiple permissions as needed.

For example, when you tap Microphone in Google Chrome’s permissions, a pop-up appears indicating that microphone access is restricted, as shown below.

3. Install Constraints

These constraints control under what conditions the app may be installed.

Charging Constraint

  • CHARGING_NOT_REQUIRED

  • CHARGING_REQUIRED

Device Idle Constraint

  • DEVICE_IDLE_NOT_REQUIRED

  • DEVICE_IDLE_REQUIRED

Network Type Constraint

  • INSTALL_ON_ANY_NETWORK

  • INSTALL_ONLY_ON_WIFI

4. Signing Key Certificates

Used when apps are distributed outside Google Play.

Permitted Input Methods – Package Names

List of input method packages that the app is permitted to use. Creates a whitelist of keyboards/input methods (like Gboard, SwiftKey), blocking all keyboards not in the list. If you install Microsoft Swiftkey AI Key, then apply the policy input below, a pop up occurs to disable the keyboard installed as it is not listed in the policy input. You can check the screenshot.

"permittedInputMethods": {
      "packageNames": [
        "com.google.android.inputmethod.latin"
      ]
    }

Allow Installation from Unknown Sources

When enabled, it allows apps to be installed from sources outside Google Play.
This is strongly discouraged for managed environments unless necessary.
Minimum requirement: Android 9+

Disable User App Installation

Prevents the user from installing personal apps on the device.
Minimum requirement: Android 9+

App Functions

Configure functions or capabilities that the app is allowed to execute.

Options vary depending on app configuration APIs.

Block Unlisted Applications

Prevents installation of any apps not explicitly listed in the Application Policy.
Useful for whitelisting-only deployments.

Minimum requirement: Android 9+

Permitted Accessibility Services – Package Names

Lists accessibility service packages the device may enable.

Disable App Uninstallation

When enabled, users cannot uninstall apps from the device.
Minimum requirement: Android 9+

Summary Table

Area

Controls

Examples

App Deployment

Install, remove, update, or block apps

Required apps, blocked apps

Permissions

Override default Android permission handling

Grant CAMERA, Deny LOCATION

Install Constraints

Conditions required before installing

Wi-Fi only, device charging

Security Restrictions

Unknown sources, block user installs

Disable app uninstallation

Enterprise Config

Widgets, VPN exemption, delegated scopes

Work profile controls

Signing Certificates

Acceptable signing fingerprints

SHA-256 hashes

When to Use the Android Application Policy

✔ Enforce strict corporate app usage

✔ Configure secure work profiles for BYOD

✔ Maintain compliance (SOC 2, ISO 27001, HIPAA)

✔ Prevent unauthorized app installation or removal

✔ Automate deployment of required business apps

Related Articles
Android Security Policy
Android-Specific MDM Policies Available in Swif.ai
Android Bluetooth Policy
Android Connection Policy
Android Camera Policy
Did this answer your question?