Set up policy compliance rules
Default compliance rules
If a device or work profile fails to comply with any of the policy settings listed below, Android Device Policy immediately blocks usage of the device or work profile by default.
- passwordPolicies
- encryptionPolicy
- keyguardDisabled
- permittedInputMethods
- permittedAccessibilityServices
- minApiLevel
If the device or work profile remains non-compliant after 10 days, Android Device Policy will factory-reset the device or delete the work profile.
| | Immediately | After 10 days |
|---|---|---|
| Device | Blocks device usage. Where possible, displays a message with guidance on how to comply with the policy setting(s). | Factory-resets the device. Factory-reset protection data is not preserved. |
| Work profile | Blocks work profile usage. Where possible, displays a message with guidance on how to comply with the policy setting(s). | Deletes the work profile. |
These compliance enforcement rules are enforced by default, but can be modified. To learn how to modify them and set additional compliance enforcement rules, see the next section.
Set custom compliance rules
Use policyEnforcementRules to set custom actions for any top-level policy violation. Settings defined in policyEnforcementRules override Android Device Policy's default compliance rules.
Each rule contains the name of the policy setting (settingName), and must specify the number of days a device or work profile can remain out of compliance with the setting before it's blocked (blockAfterDays) and then wiped (wipeAfterDays).
{
  "policyEnforcementRules": [
    {
      "settingName": "alwaysOnVpnPackage",
      "blockAction": {
        "blockAfterDays": 3
      },
      "wipeAction": {
        "wipeAfterDays": 10,
        "preserveFrp": true
      }
    }
  ]
}
In the policyEnforcementRules example above:
- If a device fails to comply with any setting in alwaysOnVpnPackage, then device usage is blocked after three days.
- If a device remains non-compliant with any setting in alwaysOnVpnPackage for 10 days, then the device is wiped. However, in this case, factory-reset protection data is preserved (preserveFrp is true).
Best practices for custom compliance rules
- blockAfterDays and wipeAfterDays should be set to no greater than 30.
- wipeAfterDays must be greater than blockAfterDays.
- To block device or work profile usage immediately, set blockAfterDays to 0.
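The following is an added example, not code from the original page or from the Android Management API project: a pre-deployment lint that checks policyEnforcementRules entries against the best practices above and reports which action applies after a given number of days. The function names, the constructed BAD_RULE, and the reading of the day thresholds as inclusive are assumptions made for illustration.

```python
# Added example: lint policyEnforcementRules against the best practices above.
MAX_DAYS = 30  # the page recommends both values be no greater than 30


def valid_days(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and value >= 0


def lint_rule(rule):
    """Return a list of findings for one policyEnforcementRules entry."""
    name = rule.get("settingName") or "<missing settingName>"
    findings = []
    if "settingName" not in rule:
        findings.append(f"{name}: settingName is required")
    block = rule.get("blockAction", {}).get("blockAfterDays")
    wipe = rule.get("wipeAction", {}).get("wipeAfterDays")
    for field, value in (("blockAfterDays", block), ("wipeAfterDays", wipe)):
        if not valid_days(value):
            findings.append(f"{name}: {field} must be a non-negative integer")
        elif value > MAX_DAYS:
            findings.append(f"{name}: {field}={value} exceeds {MAX_DAYS}")
    if valid_days(block) and valid_days(wipe) and wipe <= block:
        findings.append(f"{name}: wipeAfterDays must be greater than blockAfterDays")
    return findings


def lint_policy(policy):
    return [f for r in policy.get("policyEnforcementRules", []) for f in lint_rule(r)]


def action_on_day(rule, days_noncompliant):
    """Action in force after N days out of compliance (assumed inclusive thresholds)."""
    if days_noncompliant >= rule["wipeAction"]["wipeAfterDays"]:
        return "wipe"
    if days_noncompliant >= rule["blockAction"]["blockAfterDays"]:
        return "block"
    return "none"


# The page's own example rule, then a constructed rule that breaks the guidance.
PAGE_RULE = {"settingName": "alwaysOnVpnPackage",
             "blockAction": {"blockAfterDays": 3},
             "wipeAction": {"wipeAfterDays": 10, "preserveFrp": True}}
BAD_RULE = {"settingName": "minApiLevel",
            "blockAction": {"blockAfterDays": 14},
            "wipeAction": {"wipeAfterDays": 45}}

if __name__ == "__main__":
    print(lint_policy({"policyEnforcementRules": [PAGE_RULE, BAD_RULE]}))
    print([action_on_day(PAGE_RULE, d) for d in (0, 3, 10)])
```

Running the lint in CI before a policy is patched catches a wipe threshold that would fire at the same time as, or before, the block threshold.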
Receive policy violation notifications
If a device fails to comply with any policy setting (regardless of enforcement rules), it generates a non-compliance detail notification indicating:
- The policy setting that the device or work profile is not in compliance with.
- The reason that the device or work profile is not in compliance with the setting.
To configure an enterprise to receive non-compliance detail notifications:
- Include STATUS_REPORT in enabledNotificationTypes[] when creating or updating the enterprise.
- Enable pub/sub notifications.
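The following is an added example, not code from the original page: a handler that triages a non-compliance detail notification by listing each reported violation and whether a custom enforcement rule covers it, since notifications arrive regardless of enforcement rules. It assumes a Pub/Sub push envelope whose message carries a notificationType attribute and a base64-encoded Device resource with a nonComplianceDetails list. The function names and all sample values are constructed.

```python
import base64
import json

# Constructed policy fragment: the single custom rule from the page's example.
RULES = [{"settingName": "alwaysOnVpnPackage",
          "blockAction": {"blockAfterDays": 3},
          "wipeAction": {"wipeAfterDays": 10, "preserveFrp": True}}]


def triage_status_report(envelope, rules):
    """List each reported violation with the custom rule that covers it, if any."""
    message = envelope["message"]
    # Assumption: the notification type travels as a Pub/Sub message attribute.
    if message.get("attributes", {}).get("notificationType") != "STATUS_REPORT":
        return []
    # Assumption: the payload is the Device resource as base64-encoded JSON.
    device = json.loads(base64.b64decode(message["data"]))
    by_setting = {r["settingName"]: r for r in rules}
    report = []
    for detail in device.get("nonComplianceDetails", []):
        rule = by_setting.get(detail.get("settingName"))
        report.append({
            "device": device.get("name"),
            "setting": detail.get("settingName"),
            "reason": detail.get("nonComplianceReason"),
            "block_after_days": rule["blockAction"]["blockAfterDays"] if rule else None,
            "wipe_after_days": rule["wipeAction"]["wipeAfterDays"] if rule else None,
            "has_custom_rule": rule is not None,
        })
    return report


def make_envelope(device, notification_type="STATUS_REPORT"):
    """Build a constructed push envelope so the handler can be tested offline."""
    data = base64.b64encode(json.dumps(device).encode()).decode()
    return {"message": {"attributes": {"notificationType": notification_type},
                        "data": data}}


# Constructed sample device report; names and values are illustrative only.
SAMPLE_DEVICE = {
    "name": "enterprises/EXAMPLE/devices/constructed-1",
    "nonComplianceDetails": [
        {"settingName": "alwaysOnVpnPackage", "nonComplianceReason": "APP_NOT_INSTALLED"},
        {"settingName": "maximumTimeToLock", "nonComplianceReason": "USER_ACTION"},
    ],
}

if __name__ == "__main__":
    for row in triage_status_report(make_envelope(SAMPLE_DEVICE), RULES):
        print(row)
```

Rows with has_custom_rule set to False are the ones to review: the violation is being reported, but no policyEnforcementRules entry names that setting.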
Migrate to policyEnforcementRules
If you enabled the Android Management API before May 7, 2019, Android Device Policy won't enforce any default compliance rules.
To update your policies, define your compliance logic using policyEnforcementRules. policyEnforcementRules overrides complianceRules (now deprecated). However, do not remove complianceRules from policies.
Last updated 2025-08-28 UTC.