Skip to main content
← back to extensions

@swamp/gcp/androidmanagement

v2026.04.23.1

Google Cloud androidmanagement infrastructure models

Repository

https://github.com/systeminit/swamp-extensions

Platforms

linux-x86_64linux-aarch64darwin-x86_64darwin-aarch64

Labels

gcpgoogle-cloudandroidmanagementcloudinfrastructure

Contents

models

Quality score

Verified by Swamp

How well-documented and verifiable this extension is.

100%

Grade A

  • Has README or module doc2/2earned
  • README has a code example1/1earned
  • README is substantive1/1earned
  • Most symbols documented1/1earned
  • No slow types1/1earned
  • Has description1/1earned
  • At least one platform tag (or universal)1/1earned
  • Two or more platform tags (or universal)1/1earned
  • License declared1/1earned
  • Verified public repository2/2earned

Install

$ swamp extension pull @swamp/gcp/androidmanagement

enterprises_enrollmenttokens.tsv2026.04.23.1

Global Arguments

ArgumentTypeDescription
additionalData?stringOptional, arbitrary data associated with the enrollment token. This could contain, for example, the ID of an org unit the device is assigned to after enrollment. After a device enrolls with the token, this data will be exposed in the enrollment_token_data field of the Device resource. The data must be 1024 characters or less; otherwise, the creation request will fail.
allowPersonalUsage?enumControls whether personal usage is allowed on a device provisioned with this enrollment token.For company-owned devices: Enabling personal usage allows the user to set up a work profile on the device. Disabling personal usage requires the user provision the device as a fully managed device.For personally-owned devices: Enabling personal usage allows the user to set up a work profile on the device. Disabling personal usage will prevent the device from provisioning. Personal usage cannot be disabled on personally-owned device.
duration?stringThe length of time the enrollment token is valid, ranging from 1 minute to Durations.MAX_VALUE (https://developers.google.com/protocol-buffers/docs/reference/java/com/google/protobuf/util/Durations.html#MAX_VALUE), approximately 10,000 years. If not specified, the default duration is 1 hour. Please note that if requested duration causes the resulting expiration_timestamp to exceed Timestamps.MAX_VALUE (https://developers.google.com/protocol-buffers/docs/reference/java/com/google/protobuf/util/Timestamps.html#MAX_VALUE), then expiration_timestamp is coerced to Timestamps.MAX_VALUE.
expirationTimestamp?stringThe expiration time of the token. This is a read-only field generated by the server.
name?stringThe name of the enrollment token, which is generated by the server during creation, in the form enterprises/{enterpriseId}/enrollmentTokens/{enrollmentTokenId}.
oneTimeOnly?booleanWhether the enrollment token is for one time use only. If the flag is set to true, only one device can use it for registration.
policyName?stringThe name of the policy initially applied to the enrolled device, in the form enterprises/{enterpriseId}/policies/{policyId}. If not specified, the policy_name for the device’s user is applied. If user_name is also not specified, enterprises/{enterpriseId}/policies/default is applied by default. When updating this field, you can specify only the policyId as long as the policyId doesn’t contain any slashes. The rest of the policy name will be inferred.
qrCode?stringA JSON string whose UTF-8 representation can be used to generate a QR code to enroll a device with this enrollment token. To enroll a device using NFC, the NFC record must contain a serialized java.util.Properties representation of the properties in the JSON.
user?objectA unique identifier you create for this user, such as user342 or asset#44418. This field must be set when the user is created and can't be updated. This field must not contain personally identifiable information (PII). This identifier must be 1024 characters or less; otherwise, the update policy request will fail.
value?stringThe token value that's passed to the device and authorizes the device to enroll. This is a read-only field generated by the server.
parent?stringThe parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456)
createCreate a enrollmentTokens
getGet a enrollmentTokens
ArgumentTypeDescription
identifierstringThe name of the enrollmentTokens
deleteDelete the enrollmentTokens
ArgumentTypeDescription
identifierstringThe name of the enrollmentTokens
syncSync enrollmentTokens state from GCP
enterprises.tsv2026.04.23.1

Global Arguments

ArgumentTypeDescription
contactInfo?objectEmail address for a point of contact, which will be used to send important announcements related to managed Google Play.
enabledNotificationTypes?arrayThe types of Google Pub/Sub notifications enabled for the enterprise.
enterpriseDisplayName?stringThe name of the enterprise displayed to users. This field has a maximum length of 100 characters.
googleAuthenticationSettings?objectOutput only. Whether users need to be authenticated by Google during the enrollment process. IT admin can specify if Google authentication is enabled for the enterprise for knowledge worker devices. This value can be set only via the Google Admin Console. Google authentication can be used with signin_url In the case where Google authentication is required and a signin_url is specified, Google authentication will be launched before signin_url. This value is overridden by EnrollmentToken.googleAuthenticationOptions and SigninDetail.googleAuthenticationOptions, if they are set.
logo?objectThe base-64 encoded SHA-256 hash of the content hosted at url. If the content doesn't match this hash, Android Device Policy won't use the data.
name?stringThe name of the enterprise which is generated by the server during creation, in the form enterprises/{enterpriseId}.
primaryColor?numberA color in RGB format that indicates the predominant color to display in the device management app UI. The color components are stored as follows: (red << 16) | (green << 8) | blue, where the value of each component is between 0 and 255, inclusive.
pubsubTopic?stringThe topic which Pub/Sub notifications are published to, in the form projects/{project}/topics/{topic}. This field is only required if Pub/Sub notifications are enabled.
signinDetails?arrayControls whether personal usage is allowed on a device provisioned with this enrollment token.For company-owned devices: Enabling personal usage allows the user to set up a work profile on the device. Disabling personal usage requires the user provision the device as a fully managed device.For personally-owned devices: Enabling personal usage allows the user to set up a work profile on the device. Disabling personal usage will prevent the device from provisioning. Personal usage cannot be disabled on personally-owned device.
termsAndConditions?arrayThe default message displayed if no localized message is specified or the user's locale doesn't match with any of the localized messages. A default message must be provided if any localized messages are provided.
enterpriseToken?stringThe enterprise token appended to the callback URL. Set this when creating a customer-managed enterprise (https://developers.google.com/android/management/create-enterprise#customer-managed_enterprises) and not when creating a deprecated EMM-managed enterprise (https://developers.google.com/android/management/create-enterprise#emm-managed_enterprises).
projectId?stringThe ID of the Google Cloud Platform project which will own the enterprise.
signupUrlName?stringThe name of the SignupUrl used to sign up for the enterprise. Set this when creating a customer-managed enterprise (https://developers.google.com/android/management/create-enterprise#customer-managed_enterprises) and not when creating a deprecated EMM-managed enterprise (https://developers.google.com/android/management/create-enterprise#emm-managed_enterprises).
createCreate a enterprises
getGet a enterprises
ArgumentTypeDescription
identifierstringThe name of the enterprises
updateUpdate enterprises attributes
deleteDelete the enterprises
ArgumentTypeDescription
identifierstringThe name of the enterprises
syncSync enterprises state from GCP
generate_enterprise_upgrade_urlgenerate enterprise upgrade url
ArgumentTypeDescription
adminEmail?any
allowedDomains?any
provisioninginfo.tsv2026.04.23.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a provisioningInfo
ArgumentTypeDescription
identifierstringThe name of the provisioningInfo
syncSync provisioningInfo state from GCP
enterprises_applications.tsv2026.04.23.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
getGet a applications
ArgumentTypeDescription
identifierstringThe name of the applications
syncSync applications state from GCP
enterprises_migrationtokens.tsv2026.04.23.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
additionalData?stringImmutable. Optional EMM-specified additional data. Once the device is migrated this will be populated in the migrationAdditionalData field of the Device resource. This must be at most 1024 characters.
deviceId?stringRequired. Immutable. The id of the device, as in the Play EMM API. This corresponds to the deviceId parameter in Play EMM API's Devices.get (https://developers.google.com/android/work/play/emm-api/v1/devices/get#parameters) call.
expireTime?stringImmutable. The time when this migration token expires. This can be at most seven days from the time of creation. The migration token is deleted seven days after it expires.
managementMode?enumRequired. Immutable. The management mode of the device or profile being migrated.
policy?stringRequired. Immutable. The name of the policy initially applied to the enrolled device, in the form enterprises/{enterprise}/policies/{policy}.
ttl?stringInput only. The time that this migration token is valid for. This is input-only, and for returning a migration token the server will populate the expireTime field. This can be at most seven days. The default is seven days.
userId?stringRequired. Immutable. The user id of the Managed Google Play account on the device, as in the Play EMM API. This corresponds to the userId parameter in Play EMM API's Devices.get (https://developers.google.com/android/work/play/emm-api/v1/devices/get#parameters) call.
parent?stringThe parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456)
createCreate a migrationTokens
getGet a migrationTokens
ArgumentTypeDescription
identifierstringThe name of the migrationTokens
syncSync migrationTokens state from GCP
enterprises_devices.tsv2026.04.23.1

Global Arguments

ArgumentTypeDescription
apiLevel?numberThe API level of the Android platform version running on the device.
applicationReports?arrayThe source of the package.
appliedPasswordPolicies?arrayNumber of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
appliedPolicyName?stringThe name of the policy currently applied to the device.
appliedPolicyVersion?stringThe version of the policy currently applied to the device.
appliedState?enumThe state currently applied to the device.
commonCriteriaModeInfo?objectWhether Common Criteria Mode is enabled.
defaultApplicationInfo?arrayOutput only. The outcome of setting the app as the default.
deviceSettings?objectWhether ADB (https://developer.android.com/studio/command-line/adb.html) is enabled on the device.
disabledReason?objectThe default message displayed if no localized message is specified or the user's locale doesn't match with any of the localized messages. A default message must be provided if any localized messages are provided.
displays?arrayDisplay density expressed as dots-per-inch.
dpcMigrationInfo?objectOutput only. If this device was migrated from another DPC, the additionalData field of the migration token is populated here.
enrollmentTime?stringThe time of device enrollment.
enrollmentTokenData?stringIf the device was enrolled with an enrollment token with additional data provided, this field contains that data.
enrollmentTokenName?stringIf the device was enrolled with an enrollment token, this field contains the name of the token.
hardwareInfo?objectBattery shutdown temperature thresholds in Celsius for each battery on the device.
hardwareStatusSamples?arrayCurrent battery temperatures in Celsius for each battery on the device.
lastPolicySyncTime?stringThe last time the device fetched its policy.
lastStatusReportTime?stringThe last time the device sent a status report.
managementMode?enumThe type of management mode Android Device Policy takes on the device. This influences which policy settings are supported.
memoryEvents?arrayThe number of free bytes in the medium, or for EXTERNAL_STORAGE_DETECTED, the total capacity in bytes of the storage medium.
memoryInfo?objectTotal internal storage on device in bytes.
name?stringThe name of the device in the form enterprises/{enterpriseId}/devices/{deviceId}.
networkInfo?objectIMEI number of the GSM device. For example, A1000031212.
nonComplianceDetails?arrayIf the policy setting could not be applied, the current value of the setting on the device.
ownership?enumOwnership of the managed device.
policyCompliant?booleanWhether the device is compliant with its policy.
policyName?stringThe name of the policy applied to the device, in the form enterprises/{enterpriseId}/policies/{policyId}. If not specified, the policy_name for the device's user is applied. This field can be modified by a patch request. You can specify only the policyId when calling enterprises.devices.patch, as long as the policyId doesn’t contain any slashes. The rest of the policy name is inferred.
powerManagementEvents?arrayFor BATTERY_LEVEL_COLLECTED events, the battery level as a percentage.
previousDeviceNames?arrayIf the same physical device has been enrolled multiple times, this field contains its previous device names. The serial number is used as the unique identifier to determine if the same physical device has enrolled previously. The names are in chronological order.
securityPosture?objectDevice's security posture value.
softwareInfo?objectAndroid build ID string meant for displaying to the user. For example, shamu-userdebug 6.0.1 MOB30I 2756745 dev-keys.
state?enumThe state to be applied to the device. This field can be modified by a patch request. Note that when calling enterprises.devices.patch, ACTIVE and DISABLED are the only allowable values. To enter the device into a DELETED state, call enterprises.devices.delete.
systemProperties?recordMap of selected system properties name and value related to the device. This information is only available if systemPropertiesEnabled is true in the device's policy.
user?objectA unique identifier you create for this user, such as user342 or asset#44418. This field must be set when the user is created and can't be updated. This field must not contain personally identifiable information (PII). This identifier must be 1024 characters or less; otherwise, the update policy request will fail.
userName?stringThe resource name of the user that owns this device in the form enterprises/{enterpriseId}/users/{userId}.
parent?stringThe parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456)
getGet a devices
ArgumentTypeDescription
identifierstringThe name of the devices
updateUpdate devices attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
deleteDelete the devices
ArgumentTypeDescription
identifierstringThe name of the devices
syncSync devices state from GCP
issue_commandissue command
ArgumentTypeDescription
addEsimParams?any
clearAppsDataParams?any
clearAppsDataStatus?any
createTime?any
duration?any
errorCode?any
esimStatus?any
newPassword?any
removeEsimParams?any
requestDeviceInfoParams?any
requestDeviceInfoStatus?any
resetPasswordFlags?any
startLostModeParams?any
startLostModeStatus?any
stopLostModeParams?any
stopLostModeStatus?any
type?any
userName?any
wipeParams?any
enterprises_webapps.tsv2026.04.23.1

Global Arguments

ArgumentTypeDescription
displayMode?enumThe display mode of the web app.
icons?arrayThe actual bytes of the image in a base64url encoded string (c.f. RFC4648, section 5 "Base 64 Encoding with URL and Filename Safe Alphabet"). - The image type can be png or jpg. - The image should ideally be square. - The image should ideally have a size of 512x512.
name?stringThe name of the web app, which is generated by the server during creation in the form enterprises/{enterpriseId}/webApps/{packageName}.
startUrl?stringThe start URL, i.e. the URL that should load when the user opens the application.
title?stringThe title of the web app as displayed to the user (e.g., amongst a list of other applications, or as a label for an icon).
versionCode?stringThe current version of the app.Note that the version can automatically increase during the lifetime of the web app, while Google does internal housekeeping to keep the web app up-to-date.
parent?stringThe parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456)
createCreate a webApps
getGet a webApps
ArgumentTypeDescription
identifierstringThe name of the webApps
updateUpdate webApps attributes
deleteDelete the webApps
ArgumentTypeDescription
identifierstringThe name of the webApps
syncSync webApps state from GCP
enterprises_policies.tsv2026.04.23.1

Global Arguments

ArgumentTypeDescription
accountTypesWithManagementDisabled?arrayAccount types that can't be managed by the user.
addUserDisabled?booleanWhether adding new users and profiles is disabled. For devices where managementMode is DEVICE_OWNER this field is ignored and the user is never allowed to add or remove users.
adjustVolumeDisabled?booleanWhether adjusting the master volume is disabled. Also mutes the device. The setting has effect only on fully managed devices.
advancedSecurityOverrides?objectControls Common Criteria Mode—security standards defined in the Common Criteria for Information Technology Security Evaluation (https://www.commoncriteriaportal.org/) (CC). Enabling Common Criteria Mode increases certain security components on a device, see CommonCriteriaMode for details.Warning: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enabled if required. If Common Criteria Mode is turned off after being enabled previously, all user-configured Wi-Fi networks may be lost and any enterprise-configured Wi-Fi networks that require user input may need to be reconfigured.
alwaysOnVpnPackage?objectDisallows networking when the VPN is not connected.
appAutoUpdatePolicy?enumRecommended alternative: autoUpdateMode which is set per app, provides greater flexibility around update frequency.When autoUpdateMode is set to AUTO_UPDATE_POSTPONED or AUTO_UPDATE_HIGH_PRIORITY, this field has no effect.The app auto update policy, which controls when automatic app updates can be applied.
appFunctions?enumOptional. Controls whether apps on the device for fully managed devices or in the work profile for devices with work profiles are allowed to expose app functions.
applications?arrayList of the app’s track IDs that a device belonging to the enterprise can access. If the list contains multiple track IDs, devices receive the latest version among all accessible tracks. If the list contains no track IDs, devices only have access to the app’s production track. More details about each track are available in AppTrackInfo.
assistContentPolicy?enumOptional. Controls whether AssistContent (https://developer.android.com/reference/android/app/assist/AssistContent) is allowed to be sent to a privileged app such as an assistant app. AssistContent includes screenshots and information about an app, such as package name. This is supported on Android 15 and above.
autoDateAndTimeZone?enumWhether auto date, time, and time zone are enabled on a company-owned device. If this is set, then autoTimeRequired is ignored.
bluetoothConfigDisabled?booleanWhether configuring bluetooth is disabled.
bluetoothContactSharingDisabled?booleanWhether bluetooth contact sharing is disabled.
bluetoothDisabled?booleanWhether bluetooth is disabled. Prefer this setting over bluetooth_config_disabled because bluetooth_config_disabled can be bypassed by the user.
cameraAccess?enumControls the use of the camera and whether the user has access to the camera access toggle.
cellBroadcastsConfigDisabled?booleanWhether configuring cell broadcast is disabled.
choosePrivateKeyRules?arrayThe package names to which this rule applies. The signing key certificate fingerprint of the app is verified against the signing key certificate fingerprints provided by Play Store and ApplicationPolicy.signingKeyCerts. If no package names are specified, then the alias is provided to all apps that call KeyChain.choosePrivateKeyAlias (https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias%28android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String%29) or any overloads (but not without calling KeyChain.choosePrivateKeyAlias, even on Android 11 and above). Any app with the same Android UID as a package specified here will have access when they call KeyChain.choosePrivateKeyAlias.
createWindowsDisabled?booleanWhether creating windows besides app windows is disabled.
credentialProviderPolicyDefault?enumOptional. Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, see this (https://developer.android.com/training/sign-in/passkeys) and this (https://developer.android.com/reference/androidx/credentials/CredentialManager) for details. See also credentialProviderPolicy.
credentialsConfigDisabled?booleanWhether configuring user credentials is disabled.
crossProfilePolicies?objectOptional. Controls whether personal profile apps can invoke app functions exposed by apps in the work profile.
dataRoamingDisabled?booleanWhether roaming data services are disabled.
defaultApplicationSettings?arrayRequired. The scopes to which the policy should be applied. This list must not be empty or contain duplicates.A NonComplianceDetail with MANAGEMENT_MODE reason and DEFAULT_APPLICATION_SETTING_UNSUPPORTED_SCOPES specific reason is reported if none of the specified scopes can be applied to the management mode (e.g. a fully managed device receives a policy with only SCOPE_PERSONAL_PROFILE in the list).
defaultPermissionPolicy?enumThe default permission policy for runtime permission requests.
deviceConnectivityManagement?objectOptional. Whether User Plane resources have to be activated during every transition from CM-IDLE mode to CM-CONNECTED state for this APN. See 3GPP TS 23.501 section 5.6.13.
deviceOwnerLockScreenInfo?objectThe default message displayed if no localized message is specified or the user's locale doesn't match with any of the localized messages. A default message must be provided if any localized messages are provided.
deviceRadioState?objectControls whether airplane mode can be toggled by the user or not.
displaySettings?objectOptional. The screen brightness between 1 and 255 where 1 is the lowest and 255 is the highest brightness. A value of 0 (default) means no screen brightness set. Any other value is rejected. screenBrightnessMode must be either BRIGHTNESS_AUTOMATIC or BRIGHTNESS_FIXED to set this. Supported on Android 9 and above on fully managed devices. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above.
encryptionPolicy?enumWhether encryption is enabled
enterpriseDisplayNameVisibility?enumOptional. Controls whether the enterpriseDisplayName is visible on the device (e.g. lock screen message on company-owned devices).
factoryResetDisabled?booleanWhether factory resetting from settings is disabled.
frpAdminEmails?arrayEmail addresses of device administrators for factory reset protection. When the device is factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won't provide factory reset protection.
funDisabled?booleanWhether the user is allowed to have fun. Controls whether the Easter egg game in Settings is disabled.
installAppsDisabled?booleanWhether user installation of apps is disabled.
keyguardDisabled?booleanIf true, this disables the Lock Screen (https://source.android.com/docs/core/display/multi_display/lock-screen) for primary and/or secondary displays. This policy is supported only in dedicated device management mode.
keyguardDisabledFeatures?arrayDisabled keyguard customizations, such as widgets.
kioskCustomLauncherEnabled?booleanWhether the kiosk custom launcher is enabled. This replaces the home screen with a launcher that locks down the device to the apps installed via the applications setting. Apps appear on a single page in alphabetical order. Use kioskCustomization to further configure the kiosk device behavior.
kioskCustomization?objectSpecifies whether the Settings app is allowed in kiosk mode.
locationMode?enumThe degree of location detection enabled.
longSupportMessage?objectThe default message displayed if no localized message is specified or the user's locale doesn't match with any of the localized messages. A default message must be provided if any localized messages are provided.
maximumTimeToLock?stringMaximum time in milliseconds for user activity until the device locks. A value of 0 means there is no restriction.
microphoneAccess?enumControls the use of the microphone and whether the user has access to the microphone access toggle. This applies only on fully managed devices.
minimumApiLevel?numberThe minimum allowed Android API level.
mobileNetworksConfigDisabled?booleanWhether configuring mobile networks is disabled.
modifyAccountsDisabled?booleanWhether adding or removing accounts is disabled.
mountPhysicalMediaDisabled?booleanWhether the user mounting physical external media is disabled.
name?stringThe name of the policy in the form enterprises/{enterpriseId}/policies/{policyId}.
networkEscapeHatchEnabled?booleanWhether the network escape hatch is enabled. If a network connection can't be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.Note: Setting wifiConfigDisabled to true will override this setting under specific circumstances. Please see wifiConfigDisabled for further details. Setting configureWifi to DISALLOW_CONFIGURING_WIFI will override this setting under specific circumstances. Please see DISALLOW_CONFIGURING_WIFI for further details.
networkResetDisabled?booleanWhether resetting network settings is disabled. This applies only on fully managed devices. A NonComplianceDetail with MANAGEMENT_MODE is reported for other management modes.
oncCertificateProviders?arrayThis feature is not generally available.
openNetworkConfiguration?recordNetwork configuration for the device. See configure networks for more information.
outgoingBeamDisabled?booleanWhether using NFC to beam data from apps is disabled.
outgoingCallsDisabled?booleanWhether outgoing calls are disabled.
passwordPolicies?arrayNumber of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
passwordRequirements?objectNumber of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
permissionGrants?arrayThe Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
permittedAccessibilityServices?objectA list of package names.
permittedInputMethods?objectA list of package names.
persistentPreferredActivities?arrayThe intent actions to match in the filter. If any actions are included in the filter, then an intent's action must be one of those values for it to match. If no actions are included, the intent action is ignored.
personalUsagePolicies?objectAccount types that can't be managed by the user.
playStoreMode?enumThis mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.
policyEnforcementRules?arrayNumber of days the policy is non-compliant before the device or work profile is blocked. To block access immediately, set to 0. blockAfterDays must be less than wipeAfterDays.
preferentialNetworkService?enumControls whether preferential network service is enabled on the work profile or on fully managed devices. For example, an organization may have an agreement with a carrier that all of the work data from its employees' devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This policy has no effect if preferentialNetworkServiceSettings or ApplicationPolicy.preferentialNetworkId is set on devices running Android 13 or above.
printingPolicy?enumOptional. Controls whether printing is allowed. This is supported on devices running Android 9 and above..
privateKeySelectionEnabled?booleanAllows showing UI on a device for a user to choose a private key alias if there are no matching rules in ChoosePrivateKeyRules. For devices below Android P, setting this may leave enterprise keys vulnerable. This value will have no effect if any application has CERT_SELECTION delegation scope.
recommendedGlobalProxy?objectFor a direct proxy, the hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com.
removeUserDisabled?booleanWhether removing other users is disabled.
screenCaptureDisabled?booleanWhether screen capture is disabled. This also blocks Circle to Search (https://support.google.com/android/answer/14508957).
setUserIconDisabled?booleanWhether changing the user icon is disabled. This applies only on devices running Android 7 and above.
setWallpaperDisabled?booleanWhether changing the wallpaper is disabled.
setupActions?arrayThe default message displayed if no localized message is specified or the user's locale doesn't match with any of the localized messages. A default message must be provided if any localized messages are provided.
shareLocationDisabled?booleanWhether location sharing is disabled.
shortSupportMessage?objectThe default message displayed if no localized message is specified or the user's locale doesn't match with any of the localized messages. A default message must be provided if any localized messages are provided.
skipFirstUseHintsEnabled?booleanFlag to skip hints on the first use. Enterprise admin can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up.
smsDisabled?booleanWhether sending and receiving SMS messages is disabled.
statusReportingSettings?objectWhether removed apps are included in application reports.
stayOnPluggedModes?arrayThe battery plugged in modes for which the device stays on. When using this setting, it is recommended to clear maximum_time_to_lock so that the device doesn't lock itself while it stays on.
systemUpdate?objectIf the type is WINDOWED, the end of the maintenance window, measured as the number of minutes after midnight in device's local time. This value must be between 0 and 1439, inclusive. If this value is less than start_minutes, then the maintenance window spans midnight. If the maintenance window specified is smaller than 30 minutes, the actual window is extended to 30 minutes beyond the start time.
uninstallAppsDisabled?booleanWhether user uninstallation of applications is disabled. This prevents apps from being uninstalled, even those removed using applications
usageLog?objectSpecifies which log types are enabled. Note that users will receive on-device messaging when usage logging is enabled.
version?stringThe version of the policy. This is a read-only field. The version is incremented each time the policy is updated.
vpnConfigDisabled?booleanWhether configuring VPN is disabled.
wipeDataFlags?arrayOptional. Wipe flags to indicate what data is wiped when a device or profile wipe is triggered due to any reason (for example, non-compliance). This does not apply to the enterprises.devices.delete method.. This list must not have duplicates.
workAccountSetupConfig?objectOptional. The authentication type of the user on the device.
parent?stringThe parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456)
getGet a policies
ArgumentTypeDescription
identifierstringThe name of the policies
updateUpdate policies attributes
deleteDelete the policies
ArgumentTypeDescription
identifierstringThe name of the policies
syncSync policies state from GCP
modify_policy_applicationsmodify policy applications
ArgumentTypeDescription
changes?any