Updates or creates a policy.

Scopes

You will need authorization for the https://www.googleapis.com/auth/androidmanagement scope to make a valid call.

If unset, the scope for this method defaults to https://www.googleapis.com/auth/androidmanagement. You can set the scope for this method like this: androidmanagement1 --scope <scope> enterprises policies-patch ...

Required Scalar Argument

  • <name> (string)
    • The name of the policy in the form enterprises/{enterpriseId}/policies/{policyId}.

Required Request Value

The request value is a data-structure with various fields. Each field may be a simple scalar or another data-structure. In the latter case it is advised to set the field-cursor to the data-structure's field to specify values more concisely.

For example, a structure like this:

Policy:
  account-types-with-management-disabled: [string]
  add-user-disabled: boolean
  adjust-volume-disabled: boolean
  advanced-security-overrides:
    common-criteria-mode: string
    developer-settings: string
    google-play-protect-verify-apps: string
    mte-policy: string
    personal-apps-that-can-read-work-notifications: [string]
    untrusted-apps-policy: string
  always-on-vpn-package:
    lockdown-enabled: boolean
    package-name: string
  android-device-policy-tracks: [string]
  app-auto-update-policy: string
  auto-date-and-time-zone: string
  auto-time-required: boolean
  block-applications-enabled: boolean
  bluetooth-config-disabled: boolean
  bluetooth-contact-sharing-disabled: boolean
  bluetooth-disabled: boolean
  camera-access: string
  camera-disabled: boolean
  cell-broadcasts-config-disabled: boolean
  create-windows-disabled: boolean
  credential-provider-policy-default: string
  credentials-config-disabled: boolean
  cross-profile-policies:
    cross-profile-copy-paste: string
    cross-profile-data-sharing: string
    exemptions-to-show-work-contacts-in-personal-profile:
      package-names: [string]
    show-work-contacts-in-personal-profile: string
    work-profile-widgets-default: string
  data-roaming-disabled: boolean
  debugging-features-allowed: boolean
  default-permission-policy: string
  device-connectivity-management:
    configure-wifi: string
    tethering-settings: string
    usb-data-access: string
    wifi-direct-settings: string
  device-owner-lock-screen-info:
    default-message: string
    localized-messages: { string: string }
  device-radio-state:
    airplane-mode-state: string
    cellular-two-g-state: string
    minimum-wifi-security-level: string
    ultra-wideband-state: string
    wifi-state: string
  encryption-policy: string
  ensure-verify-apps-enabled: boolean
  factory-reset-disabled: boolean
  frp-admin-emails: [string]
  fun-disabled: boolean
  install-apps-disabled: boolean
  install-unknown-sources-allowed: boolean
  keyguard-disabled: boolean
  keyguard-disabled-features: [string]
  kiosk-custom-launcher-enabled: boolean
  kiosk-customization:
    device-settings: string
    power-button-actions: string
    status-bar: string
    system-error-warnings: string
    system-navigation: string
  location-mode: string
  long-support-message:
    default-message: string
    localized-messages: { string: string }
  maximum-time-to-lock: string
  microphone-access: string
  minimum-api-level: integer
  mobile-networks-config-disabled: boolean
  modify-accounts-disabled: boolean
  mount-physical-media-disabled: boolean
  name: string
  network-escape-hatch-enabled: boolean
  network-reset-disabled: boolean
  outgoing-beam-disabled: boolean
  outgoing-calls-disabled: boolean
  password-requirements:
    maximum-failed-passwords-for-wipe: integer
    password-expiration-timeout: string
    password-history-length: integer
    password-minimum-length: integer
    password-minimum-letters: integer
    password-minimum-lower-case: integer
    password-minimum-non-letter: integer
    password-minimum-numeric: integer
    password-minimum-symbols: integer
    password-minimum-upper-case: integer
    password-quality: string
    password-scope: string
    require-password-unlock: string
    unified-lock-settings: string
  permitted-accessibility-services:
    package-names: [string]
  permitted-input-methods:
    package-names: [string]
  personal-usage-policies:
    account-types-with-management-disabled: [string]
    camera-disabled: boolean
    max-days-with-work-off: integer
    personal-play-store-mode: string
    screen-capture-disabled: boolean
  play-store-mode: string
  preferential-network-service: string
  printing-policy: string
  private-key-selection-enabled: boolean
  recommended-global-proxy:
    excluded-hosts: [string]
    host: string
    pac-uri: string
    port: integer
  remove-user-disabled: boolean
  safe-boot-disabled: boolean
  screen-capture-disabled: boolean
  set-user-icon-disabled: boolean
  set-wallpaper-disabled: boolean
  share-location-disabled: boolean
  short-support-message:
    default-message: string
    localized-messages: { string: string }
  skip-first-use-hints-enabled: boolean
  sms-disabled: boolean
  status-bar-disabled: boolean
  status-reporting-settings:
    application-reporting-settings:
      include-removed-apps: boolean
    application-reports-enabled: boolean
    common-criteria-mode-enabled: boolean
    device-settings-enabled: boolean
    display-info-enabled: boolean
    hardware-status-enabled: boolean
    memory-info-enabled: boolean
    network-info-enabled: boolean
    power-management-events-enabled: boolean
    software-info-enabled: boolean
    system-properties-enabled: boolean
  stay-on-plugged-modes: [string]
  system-update:
    end-minutes: integer
    start-minutes: integer
    type: string
  tethering-config-disabled: boolean
  uninstall-apps-disabled: boolean
  unmute-microphone-disabled: boolean
  usage-log:
    enabled-log-types: [string]
    upload-on-cellular-allowed: [string]
  usb-file-transfer-disabled: boolean
  usb-mass-storage-enabled: boolean
  version: string
  vpn-config-disabled: boolean
  wifi-config-disabled: boolean
  wifi-configs-lockdown-enabled: boolean

can be set completely with the following arguments which are assumed to be executed in the given order. Note how the cursor position is adjusted to the respective structures, allowing simple field names to be used most of the time.

  • -r . account-types-with-management-disabled=et
    • Account types that can't be managed by the user.
    • Each invocation of this argument appends the given value to the array.
  • add-user-disabled=false
    • Whether adding new users and profiles is disabled.
  • adjust-volume-disabled=false
    • Whether adjusting the master volume is disabled. Also mutes the device.
  • advanced-security-overrides common-criteria-mode=dolore
    • Controls Common Criteria Mode—security standards defined in the Common Criteria for Information Technology Security Evaluation (https://www.commoncriteriaportal.org/) (CC). Enabling Common Criteria Mode increases certain security components on a device, including AES-GCM encryption of Bluetooth Long Term Keys, and Wi-Fi configuration stores.Warning: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enabled if required.
  • developer-settings=eirmod
    • Controls access to developer settings: developer options and safe boot. Replaces safeBootDisabled (deprecated) and debuggingFeaturesAllowed (deprecated).
  • google-play-protect-verify-apps=lorem
    • Whether Google Play Protect verification (https://support.google.com/accounts/answer/2812853) is enforced. Replaces ensureVerifyAppsEnabled (deprecated).
  • mte-policy=accusam
    • Optional. Controls Memory Tagging Extension (MTE) (https://source.android.com/docs/security/test/memory-safety/arm-mte) on the device. The device needs to be rebooted to apply changes to the MTE policy.
  • personal-apps-that-can-read-work-notifications=amet
    • Personal apps that can read work profile notifications using a NotificationListenerService (https://developer.android.com/reference/android/service/notification/NotificationListenerService). By default, no personal apps (aside from system apps) can read work notifications. Each value in the list must be a package name.
    • Each invocation of this argument appends the given value to the array.

  • untrusted-apps-policy=erat

    • The policy for untrusted apps (apps from unknown sources) enforced on the device. Replaces install_unknown_sources_allowed (deprecated).

  • ..always-on-vpn-package lockdown-enabled=true

    • Disallows networking when the VPN is not connected.

  • package-name=erat

    • The package name of the VPN app.

  • .. android-device-policy-tracks=accusam

    • This setting is not supported. Any value is ignored.
    • Each invocation of this argument appends the given value to the array.
  • app-auto-update-policy=sea
    • Recommended alternative: autoUpdateMode which is set per app, provides greater flexibility around update frequency.When autoUpdateMode is set to AUTO_UPDATE_POSTPONED or AUTO_UPDATE_HIGH_PRIORITY, this field has no effect.The app auto update policy, which controls when automatic app updates can be applied.
  • auto-date-and-time-zone=takimata
    • Whether auto date, time, and time zone are enabled on a company-owned device. If this is set, then autoTimeRequired is ignored.
  • auto-time-required=true
    • Whether auto time is required, which prevents the user from manually setting the date and time. If autoDateAndTimeZone is set, this field is ignored.
  • block-applications-enabled=false
    • Whether applications other than the ones configured in applications are blocked from being installed. When set, applications that were installed under a previous policy but no longer appear in the policy are automatically uninstalled.
  • bluetooth-config-disabled=true
    • Whether configuring bluetooth is disabled.
  • bluetooth-contact-sharing-disabled=false
    • Whether bluetooth contact sharing is disabled.
  • bluetooth-disabled=true
    • Whether bluetooth is disabled. Prefer this setting over bluetooth_config_disabled because bluetooth_config_disabled can be bypassed by the user.
  • camera-access=et
    • Controls the use of the camera and whether the user has access to the camera access toggle.
  • camera-disabled=true
    • If camera_access is set to any value other than CAMERA_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether cameras are disabled: If true, all cameras are disabled, otherwise they are available. For fully managed devices this field applies for all apps on the device. For work profiles, this field applies only to apps in the work profile, and the camera access of apps outside the work profile is unaffected.
  • cell-broadcasts-config-disabled=false
    • Whether configuring cell broadcast is disabled.
  • create-windows-disabled=false
    • Whether creating windows besides app windows is disabled.
  • credential-provider-policy-default=aliquyam
    • Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, see this (https://developer.android.com/training/sign-in/passkeys) and this (https://developer.android.com/reference/androidx/credentials/CredentialManager) for details. See also credentialProviderPolicy.
  • credentials-config-disabled=false
    • Whether configuring user credentials is disabled.
  • cross-profile-policies cross-profile-copy-paste=dolores
    • Whether text copied from one profile (personal or work) can be pasted in the other profile.
  • cross-profile-data-sharing=consetetur
    • Whether data from one profile (personal or work) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste, or connected work & personal apps, are configured separately.

  • exemptions-to-show-work-contacts-in-personal-profile package-names=gubergren

    • A list of package names.
    • Each invocation of this argument appends the given value to the array.

  • .. show-work-contacts-in-personal-profile=dolor

    • Whether personal apps can access contacts stored in the work profile.See also exemptions_to_show_work_contacts_in_personal_profile.

  • work-profile-widgets-default=aliquyam

    • Specifies the default behaviour for work profile widgets. If the policy does not specify work_profile_widgets for a specific application, it will behave according to the value specified here.

  • .. data-roaming-disabled=true

    • Whether roaming data services are disabled.
  • debugging-features-allowed=true
    • Whether the user is allowed to enable debugging features.
  • default-permission-policy=lorem
    • The default permission policy for runtime permission requests.
  • device-connectivity-management configure-wifi=accusam
    • Controls Wi-Fi configuring privileges. Based on the option set, user will have either full or limited or no control in configuring Wi-Fi networks.
  • tethering-settings=gubergren
    • Controls tethering settings. Based on the value set, the user is partially or fully disallowed from using different forms of tethering.
  • usb-data-access=sadipscing
    • Controls what files and/or data can be transferred via USB. Supported only on company-owned devices.

  • wifi-direct-settings=at

    • Controls configuring and using Wi-Fi direct settings. Supported on company-owned devices running Android 13 and above.

  • ..device-owner-lock-screen-info default-message=sit

    • The default message displayed if no localized message is specified or the user's locale doesn't match with any of the localized messages. A default message must be provided if any localized messages are provided.

  • localized-messages=key=duo

    • A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
    • the value will be associated with the given key

  • ..device-radio-state airplane-mode-state=sit

    • Controls whether airplane mode can be toggled by the user or not.
  • cellular-two-g-state=magna
    • Controls whether cellular 2G setting can be toggled by the user or not.
  • minimum-wifi-security-level=et
    • The minimum required security level of Wi-Fi networks that the device can connect to.
  • ultra-wideband-state=rebum.
    • Controls the state of the ultra wideband setting and whether the user can toggle it on or off.

  • wifi-state=dolor

    • Controls current state of Wi-Fi and if user can change its state.

  • .. encryption-policy=lorem

    • Whether encryption is enabled
  • ensure-verify-apps-enabled=false
    • Whether app verification is force-enabled.
  • factory-reset-disabled=true
    • Whether factory resetting from settings is disabled.
  • frp-admin-emails=no
    • Email addresses of device administrators for factory reset protection. When the device is factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won't provide factory reset protection.
    • Each invocation of this argument appends the given value to the array.
  • fun-disabled=false
    • Whether the user is allowed to have fun. Controls whether the Easter egg game in Settings is disabled.
  • install-apps-disabled=true
    • Whether user installation of apps is disabled.
  • install-unknown-sources-allowed=false
    • This field has no effect.
  • keyguard-disabled=true
    • If true, this disables the Lock Screen (https://source.android.com/docs/core/display/multi_display/lock-screen) for primary and/or secondary displays.
  • keyguard-disabled-features=nonumy
    • Disabled keyguard customizations, such as widgets.
    • Each invocation of this argument appends the given value to the array.
  • kiosk-custom-launcher-enabled=true
    • Whether the kiosk custom launcher is enabled. This replaces the home screen with a launcher that locks down the device to the apps installed via the applications setting. Apps appear on a single page in alphabetical order. Use kioskCustomization to further configure the kiosk device behavior.
  • kiosk-customization device-settings=tempor
    • Specifies whether the Settings app is allowed in kiosk mode.
  • power-button-actions=dolore
    • Sets the behavior of a device in kiosk mode when a user presses and holds (long-presses) the Power button.
  • status-bar=eos
    • Specifies whether system info and notifications are disabled in kiosk mode.
  • system-error-warnings=amet.
    • Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode. When blocked, the system will force-stop the app as if the user chooses the "close app" option on the UI.

  • system-navigation=dolore

    • Specifies which navigation features are enabled (e.g. Home, Overview buttons) in kiosk mode.

  • .. location-mode=amet

    • The degree of location detection enabled.
  • long-support-message default-message=ut
    • The default message displayed if no localized message is specified or the user's locale doesn't match with any of the localized messages. A default message must be provided if any localized messages are provided.

  • localized-messages=key=at

    • A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
    • the value will be associated with the given key

  • .. maximum-time-to-lock=sit

    • Maximum time in milliseconds for user activity until the device locks. A value of 0 means there is no restriction.
  • microphone-access=vero
    • Controls the use of the microphone and whether the user has access to the microphone access toggle. This applies only on fully managed devices.
  • minimum-api-level=81
    • The minimum allowed Android API level.
  • mobile-networks-config-disabled=true
    • Whether configuring mobile networks is disabled.
  • modify-accounts-disabled=false
    • Whether adding or removing accounts is disabled.
  • mount-physical-media-disabled=false
    • Whether the user mounting physical external media is disabled.
  • name=kasd
    • The name of the policy in the form enterprises/{enterpriseId}/policies/{policyId}.
  • network-escape-hatch-enabled=false
    • Whether the network escape hatch is enabled. If a network connection can't be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.Note: Setting wifiConfigDisabled to true will override this setting under specific circumstances. Please see wifiConfigDisabled for further details. Setting configureWifi to DISALLOW_CONFIGURING_WIFI will override this setting under specific circumstances. Please see DISALLOW_CONFIGURING_WIFI for further details.
  • network-reset-disabled=true
    • Whether resetting network settings is disabled.
  • outgoing-beam-disabled=false
    • Whether using NFC to beam data from apps is disabled.
  • outgoing-calls-disabled=true
    • Whether outgoing calls are disabled.
  • password-requirements maximum-failed-passwords-for-wipe=68
    • Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
  • password-expiration-timeout=takimata
    • Password expiration timeout.
  • password-history-length=35
    • The length of the password history. After setting this field, the user won't be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
  • password-minimum-length=74
    • The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password_quality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
  • password-minimum-letters=13
    • Minimum number of letters required in the password. Only enforced when password_quality is COMPLEX.
  • password-minimum-lower-case=87
    • Minimum number of lower case letters required in the password. Only enforced when password_quality is COMPLEX.
  • password-minimum-non-letter=86
    • Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced when password_quality is COMPLEX.
  • password-minimum-numeric=19
    • Minimum number of numerical digits required in the password. Only enforced when password_quality is COMPLEX.
  • password-minimum-symbols=64
    • Minimum number of symbols required in the password. Only enforced when password_quality is COMPLEX.
  • password-minimum-upper-case=98
    • Minimum number of upper case letters required in the password. Only enforced when password_quality is COMPLEX.
  • password-quality=vero
    • The required password quality.
  • password-scope=rebum.
    • The scope that the password requirement applies to.
  • require-password-unlock=dolores
    • The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.

  • unified-lock-settings=consetetur

    • Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This can be set only if password_scope is set to SCOPE_PROFILE, the policy will be rejected otherwise. If user has not set a separate work lock and this field is set to REQUIRE_SEPARATE_WORK_LOCK, a NonComplianceDetail is reported with nonComplianceReason set to USER_ACTION.

  • ..permitted-accessibility-services package-names=dolores

    • A list of package names.
    • Each invocation of this argument appends the given value to the array.

  • ..permitted-input-methods package-names=sed

    • A list of package names.
    • Each invocation of this argument appends the given value to the array.

  • ..personal-usage-policies account-types-with-management-disabled=invidunt

    • Account types that can't be managed by the user.
    • Each invocation of this argument appends the given value to the array.
  • camera-disabled=true
    • If true, the camera is disabled on the personal profile.
  • max-days-with-work-off=2
    • Controls how long the work profile can stay off. The minimum duration must be at least 3 days. Other details are as follows: - If the duration is set to 0, the feature is turned off. - If the duration is set to a value smaller than the minimum duration, the feature returns an error. Note: If you want to avoid personal profiles being suspended during long periods of off-time, you can temporarily set a large value for this parameter.
  • personal-play-store-mode=aliquyam
    • Used together with personalApplications to control how apps in the personal profile are allowed or blocked.

  • screen-capture-disabled=false

    • If true, screen capture is disabled for all users.

  • .. play-store-mode=diam

    • This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.
  • preferential-network-service=nonumy
    • Controls whether preferential network service is enabled on the work profile. For example, an organization may have an agreement with a carrier that all of the work data from its employees' devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This has no effect on fully managed devices.
  • printing-policy=et
    • Optional. Controls whether printing is allowed. This is supported on devices running Android 9 and above. .
  • private-key-selection-enabled=true
    • Allows showing UI on a device for a user to choose a private key alias if there are no matching rules in ChoosePrivateKeyRules. For devices below Android P, setting this may leave enterprise keys vulnerable. This value will have no effect if any application has CERT_SELECTION delegation scope.
  • recommended-global-proxy excluded-hosts=sed
    • For a direct proxy, the hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com.
    • Each invocation of this argument appends the given value to the array.
  • host=est
    • The host of the direct proxy.
  • pac-uri=takimata
    • The URI of the PAC script used to configure the proxy.

  • port=2

    • The port of the direct proxy.

  • .. remove-user-disabled=false

    • Whether removing other users is disabled.
  • safe-boot-disabled=false
    • Whether rebooting the device into safe boot is disabled.
  • screen-capture-disabled=false
    • Whether screen capture is disabled.
  • set-user-icon-disabled=false
    • Whether changing the user icon is disabled.
  • set-wallpaper-disabled=false
    • Whether changing the wallpaper is disabled.
  • share-location-disabled=false
    • Whether location sharing is disabled. share_location_disabled is supported for both fully managed devices and personally owned work profiles.
  • short-support-message default-message=no
    • The default message displayed if no localized message is specified or the user's locale doesn't match with any of the localized messages. A default message must be provided if any localized messages are provided.

  • localized-messages=key=justo

    • A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
    • the value will be associated with the given key

  • .. skip-first-use-hints-enabled=true

    • Flag to skip hints on the first use. Enterprise admin can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up.
  • sms-disabled=true
    • Whether sending and receiving SMS messages is disabled.
  • status-bar-disabled=true
    • Whether the status bar is disabled. This disables notifications, quick settings, and other screen overlays that allow escape from full-screen mode. DEPRECATED. To disable the status bar on a kiosk device, use InstallType KIOSK or kioskCustomLauncherEnabled.

  • status-reporting-settings.application-reporting-settings include-removed-apps=true

    • Whether removed apps are included in application reports.

  • .. application-reports-enabled=true

    • Whether app reports are enabled.
  • common-criteria-mode-enabled=false
    • Whether Common Criteria Mode reporting is enabled.
  • device-settings-enabled=true
    • Whether device settings reporting is enabled.
  • display-info-enabled=true
    • Whether displays reporting is enabled. Report data is not available for personally owned devices with work profiles.
  • hardware-status-enabled=false
    • Whether hardware status reporting is enabled. Report data is not available for personally owned devices with work profiles.
  • memory-info-enabled=false
    • Whether memory event reporting is enabled.
  • network-info-enabled=false
    • Whether network info reporting is enabled.
  • power-management-events-enabled=false
    • Whether power management event reporting is enabled. Report data is not available for personally owned devices with work profiles.
  • software-info-enabled=true
    • Whether software info reporting is enabled.

  • system-properties-enabled=false

    • Whether system properties reporting is enabled.

  • .. stay-on-plugged-modes=erat

    • The battery plugged in modes for which the device stays on. When using this setting, it is recommended to clear maximum_time_to_lock so that the device doesn't lock itself while it stays on.
    • Each invocation of this argument appends the given value to the array.
  • system-update end-minutes=87
    • If the type is WINDOWED, the end of the maintenance window, measured as the number of minutes after midnight in device's local time. This value must be between 0 and 1439, inclusive. If this value is less than start_minutes, then the maintenance window spans midnight. If the maintenance window specified is smaller than 30 minutes, the actual window is extended to 30 minutes beyond the start time.
  • start-minutes=25
    • If the type is WINDOWED, the start of the maintenance window, measured as the number of minutes after midnight in the device's local time. This value must be between 0 and 1439, inclusive.

  • type=invidunt

    • The type of system update to configure.

  • .. tethering-config-disabled=false

    • Whether configuring tethering and portable hotspots is disabled. If tetheringSettings is set to anything other than TETHERING_SETTINGS_UNSPECIFIED, this setting is ignored.
  • uninstall-apps-disabled=false
    • Whether user uninstallation of applications is disabled. This prevents apps from being uninstalled, even those removed using applications
  • unmute-microphone-disabled=true
    • If microphone_access is set to any value other than MICROPHONE_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether microphones are disabled: If true, all microphones are disabled, otherwise they are available. This is available only on fully managed devices.
  • usage-log enabled-log-types=voluptua.
    • Specifies which log types are enabled. Note that users will receive on-device messaging when usage logging is enabled.
    • Each invocation of this argument appends the given value to the array.

  • upload-on-cellular-allowed=eos

    • Specifies which of the enabled log types can be uploaded over mobile data. By default logs are queued for upload when the device connects to WiFi.
    • Each invocation of this argument appends the given value to the array.

  • .. usb-file-transfer-disabled=false

    • Whether transferring files over USB is disabled. This is supported only on company-owned devices.
  • usb-mass-storage-enabled=false
    • Whether USB storage is enabled. Deprecated.
  • version=consetetur
    • The version of the policy. This is a read-only field. The version is incremented each time the policy is updated.
  • vpn-config-disabled=false
    • Whether configuring VPN is disabled.
  • wifi-config-disabled=true
    • Whether configuring Wi-Fi networks is disabled. Supported on fully managed devices and work profiles on company-owned devices. For fully managed devices, setting this to true removes all configured networks and retains only the networks configured using openNetworkConfiguration. For work profiles on company-owned devices, existing configured networks are not affected and the user is not allowed to add, remove, or modify Wi-Fi networks. If configureWifi is set to anything other than CONFIGURE_WIFI_UNSPECIFIED, this setting is ignored. Note: If a network connection can't be made at boot time and configuring Wi-Fi is disabled then network escape hatch will be shown in order to refresh the device policy (see networkEscapeHatchEnabled).
  • wifi-configs-lockdown-enabled=true
    • DEPRECATED - Use wifi_config_disabled.

About Cursors

The cursor position is key to comfortably set complex nested structures. The following rules apply:

  • The cursor position is always set relative to the current one, unless the field name starts with the . character. Fields can be nested such as in -r f.s.o .
  • The cursor position is set relative to the top-level structure if it starts with ., e.g. -r .s.s
  • You can also set nested fields without setting the cursor explicitly. For example, to set a value relative to the current cursor position, you would specify -r struct.sub_struct=bar.
  • You can move the cursor one level up by using ... Each additional . moves it up one additional level. E.g. ... would go three levels up.

Optional Output Flags

The method's return value a JSON encoded structure, which will be written to standard output by default.

  • -o out
    • out specifies the destination to which to write the server's result to. It will be a JSON-encoded structure. The destination may be - to indicate standard output, or a filepath that is to contain the received bytes. If unset, it defaults to standard output.

Optional Method Properties

You may set the following properties to further configure the call. Please note that -p is followed by one or more key-value-pairs, and is called like this -p k1=v1 k2=v2 even though the listing below repeats the -p for completeness.

  • -p update-mask=string
    • The field mask indicating the fields to update. If not set, all modifiable fields will be modified.

Optional General Properties

The following properties can configure any call, and are not specific to this method.

  • -p $-xgafv=string

    • V1 error format.

  • -p access-token=string

    • OAuth access token.

  • -p alt=string

    • Data format for response.

  • -p callback=string

    • JSONP

  • -p fields=string

    • Selector specifying which fields to include in a partial response.

  • -p key=string

    • API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.

  • -p oauth-token=string

    • OAuth 2.0 token for the current user.

  • -p pretty-print=boolean

    • Returns response with indentations and line breaks.

  • -p quota-user=string

    • Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.

  • -p upload-type=string

    • Legacy upload protocol for media (e.g. "media", "multipart").

  • -p upload-protocol=string

    • Upload protocol for media (e.g. "raw", "multipart").