Configure Application Policy Profile (Android Enterprise)
The Application Policy profile in Android Enterprise enables administrators to configure policies for the App Store, Play For Work, and System Applications on enrolled devices. By creating and deploying this profile, administrators gain granular control over app installations, updates, permissions, and restrictions, ensuring a secure and efficient device management process.
To create an Application Policy profile and deploy it to the device(s), follow these steps:
1. Navigate to SureMDM Web Console > Profiles > Android > Add > Application Policy > Configure.
2. Enter a Profile Name and click Add.
3. In the Select Application Source prompt, select an option from the following and click Add > Save.
SureMDM App Store
In the Enterprise App Store prompt, enter or select the following:
| Settings | Description |
|---|---|
| App Name | Select the application name from the drop-down menu. |
| App Version | The version of the application. |
| Install Silently | Select this option to install the application without human intervention. |
| Disallow Uninstallation | Prevents users from uninstalling the application. Supported only on Work Profile and Fully Managed Device enrollment modes with SureMDM Agent version 27.32.07 or later. |
| Launch App Upon Installation | Select this option to automatically launch the application once installation is complete. |
| Add Shortcut To Home Screen | Creates shortcut for the application on the device home screen. Note : If there is insufficient space, the shortcut will not be created. This feature is supported only on Samsung KNOX devices with SureMDM Agent version 27.37.00 or later. |
| Auto-Grant Permissions | Enable this option to grant all necessary permissions for the selected application by default. Supported on SureMDM Agent versions 27.48.56 and above. |
| Pre and Post Deployment Scripts | Enable this option to execute custom Pre and Post scripts during job deployment. These scripts can be used to perform specific actions before and after the application is installed. Supported on SureMDM Agent version 27.53.00 and above. |
| Pre and Post Revoke Scripts | Enable this option to execute custom Pre and Post scripts during job revocation. Supported on SureMDM Agent version 27.53.00 and above. |
or
Play For Work
Admins should select the Enable Play Store option to use the Play For Work applications.
To add applications from Play For Work, follow these steps:
1. Select the approved apps from the Play Store.
or
Upload an apk file under the Private Apps section.
2. On the Managed Configuration prompt, enter the configuration name and select the required configuration.
3. Configure the following settings and click Next.
| Settings | Description |
|---|---|
| App ID | The Application ID will be auto-populated when the application name is selected. |
| Application Track ID | Installs the application corresponding to the selected Track ID on the device. If multiple versions are available, the latest version for the selected Track ID will be installed. Click the Refresh button to update the Track ID list; older Track IDs may be removed. |
| Pinning App | Select this option to lock down the device with a single or specified application. |
| Install Silently | Select this option to install the application without human intervention. |
| Disallow Uninstallation | Prevents the user from uninstalling the application. |
| Network Type Constraint | Select a Network Type for the installation: Any Network – Installation can proceed on any available network. Unmetered Network – Installation is allowed only on unmetered networks, such as Wi-Fi. |
| Charging State Constraint | Define whether the device must be charging during installation: Charging Not Required – Installation can occur regardless of charging status. Charging Required – Device must be plugged in to proceed with installation. |
| Device Idle State Constraint | Specify the idle condition for installation: Device Idle Not Required – Installation can occur while the device is in use. Device Idle Required – Device must be idle for the installation to proceed. |
| Install Priority | Set the installation priority. A lower number indicates higher priority for the installation. |
| Minimum Version Code | Specify the minimum required app version. If a lower version is installed, the app will auto-update based on the defined auto-install constraints, bypassing the standard auto-update schedule. |
| Allow in Kiosk Mode | Select this option to allow only specific apps. |
| Launch App Upon Installation | Launches the application once it is installed on the device. Supported on Android Enterprise-enrolled devices with SureMDM Agent versions 27.31.08 and above. |
| App Update Mode | Select one of the options from the following to set the update mode: Default Mode High Priority Mode Postpone Mode |
| Add Delegated Scope | Enables granting permissions or access rights to specific functions or features within an application to another application. Supported on Work Profile, Fully Managed, and Fully Managed with Work Profile enrollment modes. The following capabilities are subsets of Delegated Scope: Certificate Management : Install, retrieve a list of, and delete device certificates in the Android Keychain. Supported on Android 8 and above. Certificate Selection: Choose which certificates are available for authentication by other applications. An application with this capability can silently authorize other apps to access specific certificates. It can also intercept prompts and silently select a certificate for authentication.Supported on Android 10 and above. Managed Configuration : Manage application-specific configurations (also known as Managed App Configurations) for supported applications.Supported on Android 8 and above. Blocking Application Uninstallation : Prevent specific applications from being uninstalled from the device. Supported on Android 8 and above. Application Permission Management : Set a global permission policy and manage individual permissions for specific applications. Supported on Android 8 and above. Package Access : Hide, unhide, suspend, or unsuspend applications silently. Supported on Android 8 and above. Enable System Apps : Allows enabling of pre-installed system applications that may be disabled by default. Supported from Android 8 and above. Network Activity Logs : Initiate and collect network activity logs to monitor and troubleshoot device connectivity. Supported on Fully Managed devices from Android 10 and above, and on Work Profile and Work Profile on Company-Owned (WPCO) devices from Android 12 and above. Security Logs : Enable the collection of device security-related logs for auditing and compliance purposes. Supported from Android 12 and above. Install Existing Package : Reinstalls apps that are already present on the device under a different user or apps preserved via the 'Keep Uninstalled Packages' setting. Supported on Device Owner (DO) and Work Profile on Company-Owned (WPCO) modes. Keep Uninstalled Packages : Specifies APKs that should remain stored on the device even after uninstallation, allowing them to be reinstalled later without re-downloading. Supported on Device Owner (DO) mode. |
4. Grant/Deny the app's permissions, and click Finish.
Admins will have the option to upload their organizations' apps in this section. This package should not be available in the Play Store.
or
Configure System Apps
In the System Application Policy prompt, enter or select the following:
| Settings | Description |
|---|---|
| App Name | Choose an application name from the drop-down menu. |
| App ID | The application ID will be auto-populated when the application name is selected. |
| Permission | Select All to allow all the permissions. |
| Status | Specify the status (Default/ Grant / Deny) |
| Pinning App | Select this option to lockdown the device with a single or specified application. |
| Allow in Kiosk Mode | Select this option to allow only specific apps. |
The newly created profile will be listed in the Profiles section .
4. Go back to the Home tab and select the Android device(s) or group(s).
5. Click Apply to launch the Apply Job/Profile To Device prompt.
6. In the Apply Job/Profile To Device prompt, select the created profile and click Apply.
or
Jobs Shortcut
- In the Job Shortcut prompt, select the Job and click Add.
This feature is supported on SureMDM agent versions 27.10.00 and above.
The newly created profile will be listed in the Profiles section .
- Go back to the Home tab and select the Android device(s) or group(s).
- Click Apply to launch the Apply Job/Profile To Device prompt.
- In the Apply Job/Profile To Device prompt, select the created profile and click Apply.