Android device management

Learn how to configure runtime permissions for managed Google Play applications and how to push permission rules to managed Android devices.

Runtime permission policy

With runtime permission policy, IT admins can remotely set permissions to prevent applications from gaining access to data or control over a device.

Runtime permission policy governs the requests an app makes for data or resources that involve the user's private information, or that could potentially affect the user's stored data or the operation of other applications. For example, the abilities to read the user's contacts, external storage, or location are runtime permissions. The device user has to grant these permissions to the application. For managed Google Play applications, IT admins can configure and enforce these permissions from the WebUI.

IT admins can configure runtime permissions through Appstore App Policy or through a custom policy to set the default permissions for the apps within the work profile of an Android device. By modifying the default permissions, the IT admin can set the default response to the requests made by work apps.

Note: Runtime permission policy is available for Android 10.0 devices or newer. On older Android versions, the permissions are always granted at installation time.

Features

  • IT admins can silently set a default response to runtime permission requests made by work apps. The options to configure permissions are as follows:
    • Prompt - prompt the user to grant a permission
    • Grant - automatically grant permission
    • Deny - automatically deny permission

      Example: The Microsoft Teams app policy can be configured with defaultPermissionPolicy set to ‘Prompt’ so that, for video meetings, the Teams app always requests permission from the device user to use the camera.

  • Runtime permission grant: After setting a default runtime permission policy, IT admins can silently set responses for specific permissions for the managed work apps.

Android defines some permissions as dangerous and some as normal. Dangerous permissions may affect the user's private information, or can potentially affect the data or the operation of other applications. For example, Android classifies the ability to read the user’s contacts as a dangerous permission. Other examples of dangerous permissions are access to the camera, calendar, location, phone, and storage.

Configuring global runtime permission

To quickly configure permissions globally for all the managed apps included in an application policy, refer to Appstore App Policy.

  1. List the app in the App Catalog and include it in an app policy.
  2. Create an Appstore App Policy.
  3. Add the created app policy to a policy group.
  4. Deploy the policy group to the MDM server or directly onto the selected devices.

Configuring per-app runtime permission

If you want to configure runtime permissions for individual applications rather than defining them globally for all the managed applications, you can do so through a custom policy. Based on these settings, IT admins can define whether a runtime permission is granted, prompted, or denied.

To configure per-app runtime permissions, complete the following steps:

  1. Define the custom application policy to set runtime permissions at app level.

    The permission grant is managed by the configuration:

    {
      "permission": string,
      "policy": enum (PermissionPolicy)
    }

    For more details on the permissions listed, see the official Android documentation at https://developer.android.com/reference/android/Manifest.permission. Configure Prompt, Grant, or Deny for individual permissions.
  2. Upload the custom policy JSON file.
  3. Add the uploaded custom app policy to a policy group.
  4. Deploy the policy group to the MDM server or directly onto the selected devices.
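
A check to run on a custom policy file before uploading it in step 2, as an added example that is not part of the product's own tooling: it reports invalid policy values, permissions listed more than once, and dangerous permissions set to Grant. The layout (packageName, defaultPermissionPolicy, permissionGrants) and the upper-case values PROMPT, GRANT and DENY follow the Android Management API application policy schema; that the custom policy file uses this layout is an assumption, and the sample policy is constructed.

```python
import json

VALID_POLICIES = {"PROMPT", "GRANT", "DENY"}
# Subset of Android "dangerous" permissions covering the groups named above.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.READ_CALENDAR",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample policy; the file layout is an assumption (see lead-in).
SAMPLE_POLICY = """
{
  "packageName": "com.example.workapp",
  "defaultPermissionPolicy": "PROMPT",
  "permissionGrants": [
    {"permission": "android.permission.CAMERA", "policy": "PROMPT"},
    {"permission": "android.permission.READ_CONTACTS", "policy": "GRANT"},
    {"permission": "android.permission.ACCESS_FINE_LOCATION", "policy": "Allow"},
    {"permission": "android.permission.CAMERA", "policy": "DENY"}
  ]
}
"""

def lint_policy(text):
    """Return a list of (severity, message) findings for one app policy."""
    policy = json.loads(text)
    findings = []
    default = policy.get("defaultPermissionPolicy")
    if default not in VALID_POLICIES:
        findings.append(("error", f"defaultPermissionPolicy {default!r} is not PROMPT/GRANT/DENY"))
    elif default == "GRANT":
        findings.append(("warn", "default GRANT silently grants every runtime permission"))
    seen = set()
    for grant in policy.get("permissionGrants", []):
        perm, value = grant.get("permission"), grant.get("policy")
        if value not in VALID_POLICIES:
            findings.append(("error", f"{perm}: policy {value!r} is not PROMPT/GRANT/DENY"))
        elif value == "GRANT" and perm in DANGEROUS:
            findings.append(("warn", f"{perm}: dangerous permission granted without user consent"))
        if perm in seen:  # conflicting or repeated entries for one permission
            findings.append(("error", f"{perm}: listed more than once"))
        seen.add(perm)
    return findings

if __name__ == "__main__":
    for severity, message in lint_policy(SAMPLE_POLICY):
        print(f"{severity}: {message}")
```

Treat any "error" finding as a reason not to upload the file, and review each "warn" against the data the app actually needs.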