Create an Android Application-based Restrictions Policy

The Android Application-based Restriction Policy lets you configure restrictions for third-party software apps that are installed on managed Android devices. These restrictions can also control how other apps interact with your app’s components. This policy works for devices running Android 5.1 and later.

Prerequisites:

• JumpCloud’s Android EMM is configured for your organization.
  • See Set up Android EMM.
• Your Android devices are enrolled in EMM.
  • See Add and Manage Android Devices and Users: Enroll Your Personal Android Device.

To create an Android Application-based Restrictions policy:

1. Log in to the JumpCloud Admin Portal.
2. Go to DEVICE MANAGEMENT > Policy Management.
3. In the All tab, click (+).
4. On the New Policy panel, select the Android tab.
5. Select the Application-based Restrictions policy from the list, then click configure.
6. On the New Policy panel, optionally enter a new name for the policy, or keep the default. Policy names must be unique.
7. For Policy Notes, enter details like when you created the policy, where you tested it, and where you deployed it.
8. Under Settings, set the app restrictions:
   1. Select Disable Installation of Apps to prevent users and admins from installing software apps on their devices. If you decide to allow users and admins to install apps and you deselect this field, be cautious when allowing unknown apps.
   2. Select Disable Uninstallation of Apps to prevent users and admins from uninstalling software apps. This also prevents apps from being uninstalled through the app itself.
   3. Select Skip System App Tutorials to allow the system recommendation for apps to skip their user tutorial and other introductory hints on first startup. This setting applies to Dedicated Devices on Android 6.0 or later only.
   4. Select Disable Creating Windows Besides App Windows to prevent creating windows outside of application windows.
   5. Under Play Store Mode, determine which apps are available to the user in the Google Play Store and the behavior on the device when apps are removed from the policy:
      • Allowlist - Permit only apps that are available to appear here. If apps do not appear, they are automatically uninstalled from the device. This is the default.
      • Blocklist - Allow all available apps, and block any app that should not be on the device.
   6. Under Google Play Protect Verification, set whether to check app content for any harmful behavior before you install it:
      • Enforce - Enable app verification. This is the default.
      • User Choice - Let the user choose to enable app verification.
   7. Under Untrusted Apps, set the control over installation of untrusted apps (apps from unknown sources) on user devices:
      • Disallow - Prevent untrusted apps from being installed anywhere on the device. This is the default.
      • Allow in Personal Profile Only - For devices with work profiles, allow untrusted apps to be installed only in the device's personal profile.
      • Allow Device Wide - Allow untrusted app installations anywhere on the device.
   8. Under Developer Options, set access to developer settings like developer options and safe boot:
      • Disable - Prevent users from accessing all developer settings. This is the default.
      • Allow - Allow users to access and configure the developer settings.
   9. Under Personal Apps That Can Read Work Notifications, add any personal apps that can read work profile notifications. By default, no personal apps (aside from system apps) can read work notifications.
   10. Under Memory Tagging Extension (MTE), control the Memory Tagging Extension (MTE) on the device. Important: The device needs to be rebooted to apply changes to the MTE policy.
       • User Choice (default)
       • Enforce
       • Disable
   11. Under Content Protection, control whether content protection, which scans for deceptive apps, is enabled. This setting is supported on Android 15 and later.
       • User Choice
       • Enforce
       • Disable (default)
   12. Under Credential Provider, control which apps are allowed to act as credential providers on Android 14 and later.
       • Disallow (default)
       • Disallow Except System Apps
   13. Under Assist Content, control whether AssistContent is allowed to be sent to a privileged app, such as an assistant app. AssistContent includes screenshots and information about an app, such as package name. This setting is supported on Android 15 and later.
       • Disallow
       • Allow (default)
   14. Under Runtime Permissions, choose how to grant permission requests to apps:
       • Allow (default) - Automatically grant a permission request. 
       • Prompt - Prompt the user to grant a permission request. This is the default.
       • Deny - Automatically deny a permission request.​​​​​
   15. Under Minimum Android API Level, enter the minimum allowable API level for apps. Learn more about Android API Levels. The default setting is 22.
9. (Optional) Select the Device Groups tab. Select one or more device groups where you will apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
10. (Optional) Select the Devices tab. Select one or more devices where you will apply this policy.

11. Click save.