Default compliance rules
If a device or work profile fails to comply with any of the policy settings listed below, Android Device Policy immediately blocks usage of the device or work profile by default.
- passwordPolicies
- encryptionPolicy
- keyguardDisabled
- permittedInputMethods
- permittedAccessibilityServices
- minApiLevel
If the device or work profile remains non-compliant after 10 days, Android Device Policy factory-resets the device or deletes the work profile.
| | Immediately | After 10 days |
|---|---|---|
| Device | Blocks device usage. Where possible, displays a message with guidance on how to comply with the policy setting(s). | Factory-resets the device. Factory-reset protection data is not preserved. |
| Work profile | Blocks work profile usage. Where possible, displays a message with guidance on how to comply with the policy setting(s). | Deletes the work profile. |
These compliance enforcement rules are applied by default, but they can be modified. To learn how to modify them and set additional compliance enforcement rules, see the next section.
Set custom compliance rules
Use policyEnforcementRules
to set custom actions for any top-level policy violation. Settings defined in
policyEnforcementRules override Android Device Policy's
default compliance rules.
Each rule contains the name of the policy setting (settingName), and must
specify the number of days a device or work profile can remain out of
compliance with the setting before it's blocked (blockAfterDays) and then
wiped (wipeAfterDays).
```json
{
  "policyEnforcementRules": [
    {
      "settingName": "alwaysOnVpnPackage",
      "blockAction": {
        "blockAfterDays": 3
      },
      "wipeAction": {
        "wipeAfterDays": 10,
        "preserveFrp": true
      }
    }
  ]
}
```
In the policyEnforcementRules example above:
- If a device fails to comply with any setting in alwaysOnVpnPackage, then device usage is blocked after three days.
- If a device remains non-compliant with any setting in alwaysOnVpnPackage for 10 days, then the device is wiped. In this case, factory-reset protection data is preserved (preserveFrp is true).
Best practices for custom compliance rules
- blockAfterDays and wipeAfterDays should be set to no greater than 30.
- wipeAfterDays must be greater than blockAfterDays.
- To block device or work profile usage immediately, set blockAfterDays to 0.
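The following is an added example (not Google's code) that encodes the rules stated on this page in a small Python helper: it builds policyEnforcementRules entries in the API's JSON shape, validates them against the best practices above, and computes the effective block/wipe schedule for a policy by merging the custom rules over the six settings that Android Device Policy enforces by default (block immediately, wipe after 10 days, FRP data not preserved). The function names, the constants, and the sample policy are this example's own; the check that every rule carries both blockAfterDays and wipeAfterDays follows the wording of this page.

```python
"""Build, validate and explain policyEnforcementRules for an Android Management API policy.

Added example, not the Android Management API client library. Defaults and
best-practice limits are taken from the page text; helper names are this
example's own.
"""
import json
from typing import Any, Dict, List

# Settings enforced by default: block immediately, wipe after 10 days, FRP not preserved.
DEFAULT_ENFORCED_SETTINGS = (
    "passwordPolicies",
    "encryptionPolicy",
    "keyguardDisabled",
    "permittedInputMethods",
    "permittedAccessibilityServices",
    "minApiLevel",
)
DEFAULT_ENFORCEMENT = {"blockAfterDays": 0, "wipeAfterDays": 10, "preserveFrp": False}
MAX_DAYS = 30  # best practice: neither value should exceed 30


def make_rule(setting_name: str, block_after_days: int, wipe_after_days: int,
              preserve_frp: bool = False) -> Dict[str, Any]:
    """Return one policyEnforcementRules entry in the API's JSON shape."""
    rule = {
        "settingName": setting_name,
        "blockAction": {"blockAfterDays": block_after_days},
        "wipeAction": {"wipeAfterDays": wipe_after_days},
    }
    if preserve_frp:
        rule["wipeAction"]["preserveFrp"] = True
    return rule


def validate_rules(rules: List[Dict[str, Any]]) -> List[str]:
    """Return a list of problems; an empty list means the rules follow the best practices."""
    problems: List[str] = []
    seen = set()
    for i, rule in enumerate(rules):
        name = rule.get("settingName")
        if not name:
            problems.append(f"rule {i}: settingName is required")
            continue
        if name in seen:
            problems.append(f"{name}: more than one rule for the same setting")
        seen.add(name)
        block = rule.get("blockAction", {}).get("blockAfterDays")
        wipe = rule.get("wipeAction", {}).get("wipeAfterDays")
        if block is None or wipe is None:
            problems.append(f"{name}: blockAfterDays and wipeAfterDays must both be set")
            continue
        if block < 0 or wipe < 0:
            problems.append(f"{name}: day counts cannot be negative")
        if block > MAX_DAYS or wipe > MAX_DAYS:
            problems.append(f"{name}: blockAfterDays/wipeAfterDays should be no greater than {MAX_DAYS}")
        if wipe <= block:
            problems.append(f"{name}: wipeAfterDays ({wipe}) must be greater than blockAfterDays ({block})")
    return problems


def effective_enforcement(policy: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Map settingName -> effective {blockAfterDays, wipeAfterDays, preserveFrp}.

    Custom rules override the defaults. A top-level setting that appears in
    neither the defaults nor the custom rules is absent from the result: a
    violation there only produces a non-compliance notification.
    """
    effective = {name: dict(DEFAULT_ENFORCEMENT) for name in DEFAULT_ENFORCED_SETTINGS}
    for rule in policy.get("policyEnforcementRules", []):
        effective[rule["settingName"]] = {
            "blockAfterDays": rule["blockAction"]["blockAfterDays"],
            "wipeAfterDays": rule["wipeAction"]["wipeAfterDays"],
            "preserveFrp": rule["wipeAction"].get("preserveFrp", False),
        }
    return effective


# Constructed sample policy fragment: the page's VPN rule plus a tightened default.
EXAMPLE_POLICY = {
    "policyEnforcementRules": [
        make_rule("alwaysOnVpnPackage", 3, 10, preserve_frp=True),
        make_rule("passwordPolicies", 0, 7),
    ]
}

if __name__ == "__main__":
    issues = validate_rules(EXAMPLE_POLICY["policyEnforcementRules"])
    print("problems:", issues or "none")
    # The fragment would be merged into the policy body sent to enterprises.policies.patch.
    print(json.dumps(EXAMPLE_POLICY, indent=2))
    for setting, schedule in sorted(effective_enforcement(EXAMPLE_POLICY).items()):
        print(f"{setting}: {schedule}")
```

Run validate_rules before patching a policy; the API does not apply the best-practice limits for you, and a rule whose wipeAfterDays is not greater than blockAfterDays is the kind of mistake that is easy to miss in a large policy document.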
Receive policy violation notifications
If a device fails to comply with any policy setting (regardless of enforcement rules), it generates a non-compliance detail notification indicating:
- The policy setting that the device or work profile is not in compliance with.
- The reason that the device or work profile is not in compliance with the setting.
To configure an enterprise to receive non-compliance detail notifications:
- Include STATUS_REPORT in enabledNotificationTypes[] when creating or updating the enterprise.
- Enable Pub/Sub notifications.
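As an added example (not Google's code), the Python below shows the receiving side of that configuration: a handler for a Pub/Sub push message that extracts the non-compliance details from a STATUS_REPORT notification. It assumes the Pub/Sub push envelope shape ({"message": {"attributes": ..., "data": <base64>}}), that the notificationType attribute carries the notification type, and that the message data is the JSON Device resource with policyCompliant and nonComplianceDetails[] (settingName, nonComplianceReason, packageName, fieldPath). The sample device resource and field values are constructed for the example.

```python
"""Extract non-compliance details from an Android Management API STATUS_REPORT
notification delivered through a Pub/Sub push subscription.

Added example, not Google's code. Assumed message layout: Pub/Sub push envelope
with attributes.notificationType and base64-encoded data holding the Device
resource. SAMPLE_DEVICE is constructed.
"""
import base64
import json
from typing import Any, Dict, List, Optional, Set


def parse_status_report(envelope: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Summarise a device's compliance state, or return None for other notification types."""
    message = envelope.get("message", {})
    if message.get("attributes", {}).get("notificationType") != "STATUS_REPORT":
        return None  # ENROLLMENT, COMMAND, ... are not handled here
    raw = message.get("data", "")
    if not raw:
        raise ValueError("STATUS_REPORT message carries no data")
    device = json.loads(base64.b64decode(raw).decode("utf-8"))
    details: List[Dict[str, Any]] = []
    for d in device.get("nonComplianceDetails", []):
        details.append({
            "settingName": d.get("settingName"),       # the violated policy setting
            "reason": d.get("nonComplianceReason"),     # why the device is non-compliant
            "packageName": d.get("packageName"),        # set for app-related violations
            "fieldPath": d.get("fieldPath"),            # path within the setting, if reported
        })
    return {
        "device": device.get("name"),
        "policyCompliant": device.get("policyCompliant", not details),
        "details": details,
    }


def violated_settings(summary: Dict[str, Any]) -> Set[str]:
    """Names of the settings a device is out of compliance with (for alerting/grouping)."""
    return {d["settingName"] for d in summary["details"] if d["settingName"]}


def make_envelope(notification_type: str, resource: Dict[str, Any]) -> Dict[str, Any]:
    """Build a push envelope the way Pub/Sub would deliver it (for offline testing)."""
    data = base64.b64encode(json.dumps(resource).encode("utf-8")).decode("ascii")
    return {
        "message": {
            "attributes": {"notificationType": notification_type},
            "data": data,
            "messageId": "1",
        },
        "subscription": "projects/example-project/subscriptions/amapi-notifications",
    }


# Constructed sample Device resource with two non-compliance details.
SAMPLE_DEVICE = {
    "name": "enterprises/LC0example/devices/3f2a1d0c",
    "policyCompliant": False,
    "nonComplianceDetails": [
        {"settingName": "passwordPolicies", "nonComplianceReason": "USER_ACTION"},
        {
            "settingName": "applications",
            "nonComplianceReason": "APP_NOT_INSTALLED",
            "packageName": "com.example.vpn",
            "fieldPath": "applications[0].installType",
        },
    ],
}

if __name__ == "__main__":
    summary = parse_status_report(make_envelope("STATUS_REPORT", SAMPLE_DEVICE))
    print(json.dumps(summary, indent=2))
    print("violated settings:", sorted(violated_settings(summary)))
```

Every violation is reported this way whether or not a block or wipe action applies to the setting, so a consumer that wants to distinguish "user will be locked out" from "informational" has to compare settingName against the default-enforced settings and the policy's own policyEnforcementRules.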
Migrate to policyEnforcementRules
If you enabled the Android Management API before May 7, 2019, Android Device Policy won't enforce any default compliance rules.
To update your policies, define your compliance logic using policyEnforcementRules.
policyEnforcementRules overrides complianceRules (now deprecated). However, do not remove complianceRules from policies.