Set up policy compliance rules
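Default compliance rules
If a device or work profile fails to comply with any of the policy settings listed below, Android Device Policy immediately blocks usage of the device or work profile by default.
- passwordPolicies
- encryptionPolicy
- keyguardDisabled
- permittedInputMethods
- permittedAccessibilityServices
- minApiLevel
If the device or work profile remains non-compliant after 10 days, Android Device Policy factory-resets the device or deletes the work profile.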
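| | Immediately | After 10 days |
|---|---|---|
| Device | Blocks device usage. Where possible, displays a message with guidance on how to comply with the policy settings. | Factory-resets the device. Factory-reset protection data is not preserved. |
| Work profile | Blocks work profile usage. Where possible, displays a message with guidance on how to comply with the policy settings. | Deletes the work profile. |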
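These compliance enforcement rules are enforced by default, but can be modified. To learn how to modify them and set additional compliance enforcement rules, see the next section.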
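Set custom compliance rules
Use policyEnforcementRules to set custom actions for any top-level policy violation. Settings defined in policyEnforcementRules override Android Device Policy's default compliance rules.
Each rule contains the name of the policy setting (settingName), and must specify the number of days a device or work profile can remain out of compliance with the setting before it is blocked (blockAfterDays) and then wiped (wipeAfterDays).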
    {
      "policyEnforcementRules": [
        {
          "settingName": "alwaysOnVpnPackage",
          "blockAction": {
            "blockAfterDays": 3
          },
          "wipeAction": {
            "wipeAfterDays": 10,
            "preserveFrp": true
          }
        }
      ]
    }
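In the policyEnforcementRules example above:
- If a device fails to comply with any setting in alwaysOnVpnPackage, device usage is blocked after 3 days.
- If a device remains non-compliant with any setting in alwaysOnVpnPackage for 10 days, the device is wiped. However, in this example, factory-reset protection data is preserved (preserveFrp is true).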
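Best practices for custom compliance rules
- blockAfterDays and wipeAfterDays should be set to no greater than 30.
- wipeAfterDays must be greater than blockAfterDays.
- To block device or work profile usage immediately, set blockAfterDays to 0.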
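
The checks above can be run against a policy body before it is submitted. The following is an added example, not code from the Android Management API documentation; the helper names and the sample policy are constructed for illustration, and the linter assumes it sees the JSON you are about to send, with both day counts written out explicitly.

```python
import json

MAX_DAYS = 30  # upper bound the page gives for both fields


def _days(rule, action, field):
    """Return the integer day count at rule[action][field], or None if absent/invalid."""
    value = rule.get(action, {}).get(field)
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        return None
    return value


def lint_enforcement_rules(policy):
    """Check each policyEnforcementRules entry; return a list of findings."""
    findings = []
    for i, rule in enumerate(policy.get("policyEnforcementRules", [])):
        label = f"rule[{i}] {rule.get('settingName', '<no settingName>')}"
        if not rule.get("settingName"):
            findings.append(f"{label}: settingName is missing")
        block = _days(rule, "blockAction", "blockAfterDays")
        wipe = _days(rule, "wipeAction", "wipeAfterDays")
        for field, value in (("blockAfterDays", block), ("wipeAfterDays", wipe)):
            if value is None:
                findings.append(f"{label}: {field} missing or not a non-negative integer")
            elif value > MAX_DAYS:
                findings.append(f"{label}: {field} {value} exceeds {MAX_DAYS}")
        if block is not None and wipe is not None and wipe <= block:
            findings.append(f"{label}: wipeAfterDays {wipe} must be greater than blockAfterDays {block}")
    return findings


# Constructed sample: the page's rule plus two deliberately broken ones.
SAMPLE_POLICY = json.loads("""
{"policyEnforcementRules": [
  {"settingName": "alwaysOnVpnPackage",
   "blockAction": {"blockAfterDays": 3},
   "wipeAction": {"wipeAfterDays": 10, "preserveFrp": true}},
  {"settingName": "passwordPolicies",
   "blockAction": {"blockAfterDays": 0},
   "wipeAction": {"wipeAfterDays": 0}},
  {"settingName": "minApiLevel",
   "blockAction": {"blockAfterDays": 14},
   "wipeAction": {"wipeAfterDays": 45}}
]}
""")
```

Calling lint_enforcement_rules(SAMPLE_POLICY) reports the second rule (wipe not later than block) and the third (wipe beyond 30 days), and nothing for the page's own rule.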
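Receive policy violation notifications
If a device fails to comply with any policy setting (regardless of enforcement rules), it generates a non-compliance detail notification indicating:
- The policy setting that the device or work profile is not in compliance with.
- The reason that the device or work profile is not in compliance with the setting.
To configure an enterprise to receive non-compliance detail notifications:
- Include STATUS_REPORT in enabledNotificationTypes[] when creating or updating the enterprise.
- Enable Pub/Sub notifications.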
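Migrate to policyEnforcementRules
If you enabled the Android Management API before May 7, 2019, Android Device Policy won't enforce any default compliance rules.
To update your policies, define your compliance logic using policyEnforcementRules. policyEnforcementRules overrides complianceRules (now deprecated). However, do not remove complianceRules from policies.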
Last updated (UTC): 2025-08-31.