Default application settings

The Android Management API allows IT admins to remotely set and enforce default applications on managed devices or profiles. This enhances device security by preventing users from switching to less secure apps for critical functions like dialing, SMS, and browsing, thereby reducing risks like phishing and data exfiltration.

Once an admin sets a default application policy, end-users are prevented from changing any default app settings on the specified profile.

Policy configuration

Default applications can be configured by adding one or more DefaultApplicationSetting objects to the defaultApplicationSettings field in the policy. Each setting object targets a specific application type and can be applied to different scopes.

Set the default apps

For each DefaultApplicationType, a prioritized list of apps can be provided in the defaultApplications field. The API will set the first app from the list that is installed on the device and qualified for the app type as the default.

For a non-system app to be set as the default, its signing key certificate fingerprint on the device must match the fingerprint obtained from the Google Play Store or one of the entries in ApplicationPolicy.signingKeyCerts.

Define scopes

The defaultApplicationScopes field determines where the policy is applied. The available scopes are:

• SCOPE_FULLY_MANAGED: Applies to fully managed devices.
• SCOPE_WORK_PROFILE: Applies to the work profile on company-owned or personally-owned devices.
• SCOPE_PERSONAL_PROFILE: Applies to the personal profile on company-owned devices.

When setting a default app for the SCOPE_FULLY_MANAGED or SCOPE_WORK_PROFILE, the application must have a corresponding entry in the applications policy. The installType for that app must not be BLOCKED.

When targeting the SCOPE_PERSONAL_PROFILE, the policy is restricted to setting only pre-installed system apps as the default.

Cross-profile roles

Some roles, like DEFAULT_WALLET, apply across profiles on a device. For these roles on a company-owned device with a work profile, an admin can choose to set a default app in either the work profile or the personal profile, but not both simultaneously.

Management mode and Android version

Support for this feature varies by the device's management mode and Android version.

Non-compliance reporting

If the policy cannot be applied, the device reports a non-compliance (see NonComplianceDetail). Common reasons for non-compliance include:

• Unsupported device or configuration: A non-compliance with reason API_LEVEL or MANAGEMENT_MODE is reported if the feature is not supported on the device's Android version or for its management mode.
• Unsupported scopes: If none of the scopes specified in the policy are applicable to the device's management mode (e.g., a policy with only SCOPE_PERSONAL_PROFILE is sent to a fully managed device), a non-compliance is reported with reason MANAGEMENT_MODE and the specific reason DEFAULT_APPLICATION_SETTING_UNSUPPORTED_SCOPES.
• App not installed: For fully managed devices and work profiles, if none of the applications in the prioritized list are installed on the device, a non-compliance with reason APP_NOT_INSTALLED is reported.
• Invalid value: If at least one app is installed but the default application settings fail to apply due to other reasons (e.g. the app is not of the right type), a non-compliance with reason INVALID_VALUE is reported.
• Personal profile failure: For the personal profile, a generic INVALID_VALUE non-compliance is reported if it fails to apply for any reason, without disclosing the installation status of the personal apps.

Default application status reporting

Starting with Android 16, device status reports include defaultApplicationInfo. This field provides details about the current default applications and the results of policy application attempts. To enable this reporting, set the defaultApplicationInfoReportingEnabled flag to true in StatusReportingSettings.

• Fully managed devices: Reports cover all application types.
• Devices with work profiles: Reports only include application types supported for the work profile.

Each application type in the report includes the following details:

• packageName: Indicates the current default application for this type. It could be an application set by the policy, the system default, or the one chosen by the user. If this field is not reported, no default application is set for this type.
• defaultApplicationSettingAttempts: Lists the outcomes of default application setting attempts for each app specified in the policy. This helps admins understand why applications with higher priority in the list might not have been set as the default.

Example policy

Here is an example policy that sets the default browser and dialer. Applications are added to the applications policy as the scope contains SCOPE_FULLY_MANAGED or SCOPE_WORK_PROFILE. defaultApplicationInfoReportingEnabled is set to true to enable the reporting.

{
  "applications": [
    {
      "packageName": "com.android.chrome",
      "installType": "AVAILABLE"
    },
    {
      "packageName": "com.google.android.dialer",
      "installType": "AVAILABLE"
    },
    {
      "packageName": "com.samsung.android.dialer",
      "installType": "AVAILABLE"
    }
  ],
  "statusReportingSettings": {
    "defaultApplicationInfoReportingEnabled": true
  },
  "defaultApplicationSettings": [
    {
      "defaultApplicationType": "DEFAULT_BROWSER",
      "defaultApplications": [
        {
          "packageName": "com.android.chrome"
        }
      ],
      "defaultApplicationScopes": [
        "SCOPE_FULLY_MANAGED",
        "SCOPE_WORK_PROFILE"
      ]
    },
    {
      "defaultApplicationType": "DEFAULT_DIALER",
      "defaultApplications": [
        {
          "packageName": "com.google.android.dialer"
        },
        {
          "packageName": "com.samsung.android.dialer"
        }
      ],
      "defaultApplicationScopes": [
        "SCOPE_FULLY_MANAGED",
        "SCOPE_WORK_PROFILE",
        "SCOPE_PERSONAL_PROFILE"
      ]
    }
  ]
}