To optimize IT operations and strengthen your digital defences, we are rolling out two powerful enhancements to the Android Management API (AMAPI). These features are designed to give IT admins scalable control, ensure consistency, and keep critical work apps running without interruption across your fleet.
Feature 1: Restrict default apps for consistency and policy enforcement
Addressing device consistency and reducing user risk, the new restrict default apps feature allows IT admins to set a specific, approved application for essential device functions and prevent users from making unauthorized changes.
Why is this useful?
By enforcing the use of approved applications, companies can ensure that common tasks such as browsing, calling, or messaging remain compliant and consistent across all enrolled devices. Once configured, this policy prevents users from changing default application settings, ensuring adherence to corporate policies across all managed devices.
How can it be applied?
This feature is broadly supported across Android Enterprise management modes:
- Fully Managed Devices: Policies apply across the entire device.
- Company-Owned with Android Work Profile (COPE): Policies apply to the Work Profile and extend to the Personal Profile for certain pre-installed system apps. For COPE devices, setting defaults for dialer and SMS helps apply your security policy uniformly across both profiles, mitigating potential security exposures.
- Personally-Owned with Android Work Profile (BYOD): Enforcement is strictly limited to the managed Work Profile. Defaults cannot be enforced on the Personal Profile.
Supported default app types
Depending on your management mode and Android version, you can now set and protect the default apps for the following core functions:
- Browser
- Dialler
- SMS
- Home launcher
- Assistant
- Call redirection
- Call screening
- Wallet
Find the full compatibility matrix for supported default app types across Android versions and management modes here.
Feature 2: Role-based app privileges for critical app persistence
This high-priority feature tackles the core challenge of ensuring mission-critical applications remain operational. The role-based app privileges feature gives a special status to vital apps- such as Mobile Threat Defence (MTD) or system health tools - so they cannot be restricted by either the user or other defined behaviors such as the device’s battery management features.
Why is this useful?
By assigning a predefined role to an app, it is shielded from system limits or user interference. This ensures the app’s continuous operation, maintaining your security posture and ensuring data integrity.
Predefined roles and app protection
The following table shows the available roles and the protections:
|
Predefined role |
Focus |
Key protection granted |
|
Security and monitoring |
Protected from power-saving shutdowns. Users cannot stop or tamper with the app. | |
|
Device performance and diagnostics |
Protected from power-saving shutdowns. Users cannot stop or tamper with the app. | |
|
Dedicated, single-purpose use |
Users cannot stop or tamper with the app. | |
|
Continuous background operation |
Protected from power-saving shutdowns. Users cannot stop or tamper with the app. |
Ready to learn more?
To find out exactly how to configure and deploy these new capabilities, including detailed platform-specific requirements and policy structures, please refer to the updated documentation in the Android Enterprise Help Centre.
- View the Full Device Management and Work Profile Help Center articles for details on which default app types are supported in each mode ↗️
- Visit our Help Center for more details on the role-based app privileges feature ↗️
In the meantime, share your thoughts in the comments below. Do any of these new features solve existing pain points for your fleet management?
