Create an Android Application-based Restrictions Policy

The Android Application-based Restriction Policy lets you configure restrictions for third-party software apps that are installed on managed Android devices. These restrictions can also control how other apps interact with your app’s components. This policy works for devices running Android 5.1 and later.


To create an Android Application-based Restrictions policy:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Policy Management.
  3. In the All tab, click (+).
  4. On the New Policy panel, select the Android tab.
  5. Select the Application-based Restrictions policy from the list, then click configure.
  6. On the New Policy panel, optionally enter a new name for the policy, or keep the default. Policy names must be unique.
  7. For Policy Notes, enter details like when you created the policy, where you tested it, and where you deployed it.
  8. Under Settings, set the app restrictions:
    1. Select Disable User Installation of Apps to prevent users from installing software apps on their devices. If you decide to allow users to install apps and you deselect this field, be cautious when allowing unknown apps.
    2. Select Disable User Uninstallation of Apps to prevent users from uninstalling software apps. This also prevents apps from being uninstalled through the app itself.
    3. Under Camera Access, select how users can use the camera device-wide on fully managed devices and within the device’s work profile:
      • User Choice – Allow all cameras on the device to be available. On Android 12 and later, the user can use the camera access toggle. This is the default.
      • Disable – Prevent all cameras on the device from being used.
      • Enforce – Allow all cameras on the device to be available. On fully managed devices running Android 12 and later, the user is unable to use the camera access toggle. On devices that are not fully managed or that run Android 11 or earlier, this setting is the same as User Choice.
    4. Under Play Store Mode, determine which apps are available to the user in the Google Play Store and the behavior on the device when apps are removed from the policy:
      • Allowlist – Permit only apps that are available to appear here. If apps do not appear, they are automatically uninstalled from the device. This is the default.
      • Blocklist – Allow all available apps, and block any app that should not be on the device.
    5. Under Google Play Protect Verification, check app content for any harmful behavior before you install it:
      • Enforce – Enable app verification. This is the default.
      • User Choice – Let the user choose to enable app verification.
    6. Under Unknown Source App Installation, control installation of untrusted apps (apps from unknown sources) on user devices:
      • Disallow – Prevent untrusted apps from being installed anywhere on the device. This is the default.
      • Allow in Personal Profile Only – For devices with work profiles, allow untrusted apps to be installed only in the device’s personal profile.
      • Allow Device Wide – Allow untrusted app installations anywhere on the device.
    7. Under Developer Options, control access to developer settings like developer options and safe boot:
      • Disable – Prevent users from accessing all developer settings. This is the default.
      • Allow – Allow users to access and configure the developer settings.
    8. Under Runtime Permissions, choose how to grant permission requests to apps:
      • Allow – Automatically grant a permission request.
      • Prompt – Prompt the user to grant a permission request. This is the default.
      • Deny – Automatically deny a permission request.

  9. (Optional) Select the Device Groups tab. Select one or more device groups where you will apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
  10. (Optional) Select the Devices tab. Select one or more devices where you will apply this policy.


For this policy to take effect, you must specify a device or a device group in Step 9 or Step 10.

  11. Click Save.
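
The following is an added example, not JumpCloud code. It reviews a planned configuration against the defaults stated in Step 8 and works out where Camera Access set to Enforce does not lock the camera toggle. The setting keys, the sample policy and the sample devices are hypothetical and constructed for illustration.

```python
# Added example. Keys are hypothetical labels for the settings on this page,
# not JumpCloud API field names; the sample policy and devices are constructed.
DOCUMENTED_DEFAULTS = {
    "camera_access": "User Choice",
    "play_store_mode": "Allowlist",
    "play_protect_verification": "Enforce",
    "unknown_source_app_installation": "Disallow",
    "developer_options": "Disable",
    "runtime_permissions": "Prompt",
}


def effective_camera(setting, android_version, fully_managed):
    """Return (cameras_available, user_can_toggle) for one device."""
    if setting not in ("User Choice", "Disable", "Enforce"):
        raise ValueError(f"unknown Camera Access value: {setting!r}")
    if setting == "Disable":
        return (False, False)
    has_toggle = android_version >= 12  # camera access toggle: Android 12 and later
    if setting == "Enforce" and fully_managed and has_toggle:
        return (True, False)  # cameras stay available, toggle is locked
    # User Choice, or Enforce on a device where it behaves like User Choice
    return (True, has_toggle)


def deviations(policy):
    """Settings whose value differs from the default documented on the page."""
    return [(key, policy[key], default)
            for key, default in DOCUMENTED_DEFAULTS.items()
            if policy.get(key, default) != default]


def enforce_not_locked(devices):
    """Devices where Camera Access = Enforce still leaves the toggle to the user."""
    return [d["name"] for d in devices
            if effective_camera("Enforce", d["android"], d["fully_managed"])[1]]


SAMPLE_POLICY = {"camera_access": "User Choice",
                 "play_protect_verification": "User Choice",
                 "unknown_source_app_installation": "Allow Device Wide"}
SAMPLE_DEVICES = [{"name": "kiosk-01", "android": 13, "fully_managed": True},
                  {"name": "byod-07", "android": 13, "fully_managed": False},
                  {"name": "scanner-03", "android": 11, "fully_managed": True}]

if __name__ == "__main__":
    for key, value, default in deviations(SAMPLE_POLICY):
        print(f"{key}: {value!r} (documented default: {default!r})")
    print("Enforce does not lock the toggle on:", enforce_not_locked(SAMPLE_DEVICES))
```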
