Sample Android Custom Policies

This topic provides sample Android custom policies in JSON format for use with BigFix WebUI, covering configurations such as kiosk mode, Wi-Fi restrictions, app verification, and VPN setup. Each policy can be modified to meet organizational requirements and includes guidance for uploading and assigning policies. Reference links to official documentation are provided for further customization and policy details.

Note: A complete reference for every policy setting, with sample JSON code, is available in the official Android Management API documentation at https://developers.google.com/android/management/reference/rest/v1/enterprises.policies.

Dedicated Device - Kiosk Mode

  • Single App Kiosk Mode: Lock down a dedicated device in kiosk mode with a single specialized app and minimal device functionality.
    {
      "kioskCustomLauncherEnabled": true,
      "keyguardDisabled": true,
      "applications": [
        {
          "packageName": "<com.example.app>",
          "installType": "KIOSK",
          "defaultPermissionPolicy": "GRANT"
        }
      ]
    }
  • Multiple App Kiosk Mode: Lock down a dedicated device in kiosk mode and limit device usage to one or more applications as per the organization's requirements.
    {
      "kioskCustomLauncherEnabled": true,
      "keyguardDisabled": true,
      "applications": [
        {
          "packageName": "com.example.app",
          "installType": "KIOSK",
          "defaultPermissionPolicy": "GRANT"
        },
        {
          "packageName": "com.example.app_to_be_linked",
          "installType": "FORCE_INSTALLED",
          "defaultPermissionPolicy": "GRANT"
        }
      ]
    }

Wi-Fi Configuration

  • Wi-Fi Configure Lockdown: For fully managed devices, IT admins can optionally prevent a device user from manually modifying corporate Wi-Fi settings on their device by setting wifiConfigsLockdownEnabled to true in the policy.
    {
      "applications": [
        {
          "packageName": "com.android.chrome",
          "installType": "AVAILABLE"
        }
      ],
      "wifiConfigsLockdownEnabled": true,
      "openNetworkConfiguration": {
        "NetworkConfigurations": [
          {
            "GUID": "a",
            "Name": "Hotspot",
            "Type": "WiFi",
            "WiFi": {
              "SSID": "WiFi network 1",
              "Security": "WPA-PSK",
              "Passphrase": "test1234",
              "AutoConnect": true
            }
          }
        ]
      }
    }
  • Wi-Fi Configure Disable: For fully managed devices, IT admins can optionally restrict device users from adding or modifying Wi-Fi networks (personal and corporate) on the device by setting wifiConfigDisabled to true in the policy. This limits Wi-Fi connectivity to just those networks provisioned through the policy.
    {
      "applications": [
        {
          "packageName": "com.android.chrome",
          "installType": "AVAILABLE"
        }
      ],
      "wifiConfigDisabled": true,
      "openNetworkConfiguration": {
        "NetworkConfigurations": [
          {
            "GUID": "a",
            "Name": "ACT broadband",
            "Type": "WiFi",
            "WiFi": {
              "SSID": "WiFi network 1",
              "Security": "WPA-PSK",
              "Passphrase": "test1234",
              "AutoConnect": true
            }
          }
        ]
      }
    }

Verify Apps Enforcement

  • Verify Apps enforcement: Scans all the apps installed on Android devices for harmful software, before and after installation, to ensure that malicious apps cannot compromise corporate data.
    {
      "advancedSecurityOverrides": {
        "developerSettings": "DEVELOPER_SETTINGS_ALLOWED",
        "untrustedAppsPolicy": "DISALLOW_INSTALL",
        "googlePlayProtectVerifyApps": "VERIFY_APPS_ENFORCED"
      },
      "applications": [
        {
          "packageName": "com.android.chrome",
          "installType": "AVAILABLE"
        }
      ]
    }
  • Verify Apps at user's choice: IT admins can provide device users an option to turn Verify Apps on or off.
    {
      "advancedSecurityOverrides": {
        "developerSettings": "DEVELOPER_SETTINGS_ALLOWED",
        "untrustedAppsPolicy": "DISALLOW_INSTALL",
        "googlePlayProtectVerifyApps": "VERIFY_APPS_USER_CHOICE"
      },
      "applications": [
        {
          "packageName": "com.android.chrome",
          "installType": "AVAILABLE"
        },
        {
          "packageName": "com.spotify.music",
          "installType": "AVAILABLE"
        }
      ]
    }

VPN Configuration

  • AlwaysOnVPNPackage.json: Android can start a VPN service when the device boots, and keep it running while the device or work profile is on.
    {
      "alwaysOnVpnPackage": {
        "packageName": "com.paloaltonetworks.globalprotect",
        "lockdownEnabled": false
      },
      "applications": [
        {
          "packageName": "com.paloaltonetworks.globalprotect",
          "installType": "FORCE_INSTALLED"
        },
        {
          "packageName": "com.android.chrome",
          "installType": "FORCE_INSTALLED"
        }
      ]
    }
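
Because these samples are meant to be modified before upload, a pre-upload check can catch settings that were copied unchanged. The following Python script is an added example, not part of BigFix or the Android Management API; the function name, finding codes, and rule set are assumptions chosen for illustration, and the sample policy is constructed from settings shown in the samples above.

```python
import json

PLACEHOLDER_PASSPHRASES = {"test1234"}  # the sample passphrase used on this page

# Constructed sample that combines settings from the page's examples.
SAMPLE_POLICY = json.loads("""{
  "alwaysOnVpnPackage": {"packageName": "com.paloaltonetworks.globalprotect",
                         "lockdownEnabled": false},
  "advancedSecurityOverrides": {
    "developerSettings": "DEVELOPER_SETTINGS_ALLOWED",
    "untrustedAppsPolicy": "DISALLOW_INSTALL",
    "googlePlayProtectVerifyApps": "VERIFY_APPS_USER_CHOICE"},
  "applications": [{"packageName": "com.android.chrome", "installType": "AVAILABLE"}],
  "openNetworkConfiguration": {"NetworkConfigurations": [
    {"GUID": "a", "Name": "Hotspot", "Type": "WiFi",
     "WiFi": {"SSID": "WiFi network 1", "Security": "WPA-PSK",
              "Passphrase": "test1234", "AutoConnect": true}}]}
}""")

def audit_policy(policy):
    """Return sorted finding codes (names are this example's own) for a policy dict."""
    findings = set()
    apps = policy.get("applications", [])
    if sum(a.get("installType") == "KIOSK" for a in apps) > 1:
        findings.add("MULTIPLE_KIOSK_APPS")  # only one KIOSK app is allowed per policy
    vpn = policy.get("alwaysOnVpnPackage")
    if vpn is not None:
        if not vpn.get("lockdownEnabled", False):
            findings.add("VPN_NO_LOCKDOWN")  # networking still works with the VPN down
        if vpn.get("packageName") not in {a.get("packageName") for a in apps}:
            findings.add("VPN_APP_NOT_IN_APPLICATIONS")
    sec = policy.get("advancedSecurityOverrides", {})
    if sec.get("googlePlayProtectVerifyApps") == "VERIFY_APPS_USER_CHOICE":
        findings.add("VERIFY_APPS_USER_CHOICE")  # users can switch scanning off
    if sec.get("developerSettings") == "DEVELOPER_SETTINGS_ALLOWED":
        findings.add("DEVELOPER_SETTINGS_ALLOWED")
    nets = policy.get("openNetworkConfiguration", {}).get("NetworkConfigurations", [])
    guids = [n.get("GUID") for n in nets]
    if len(guids) != len(set(guids)):
        findings.add("DUPLICATE_NETWORK_GUID")
    for wifi in (n.get("WiFi", {}) for n in nets):
        if wifi.get("Security") in ("None", "WEP-PSK"):
            findings.add("WEAK_WIFI_SECURITY")
        if wifi.get("Passphrase") in PLACEHOLDER_PASSPHRASES:
            findings.add("SAMPLE_PASSPHRASE")
    if nets and not (policy.get("wifiConfigsLockdownEnabled") or policy.get("wifiConfigDisabled")):
        findings.add("WIFI_NOT_LOCKED_DOWN")  # user can edit the provisioned network
    return sorted(findings)

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```

An empty list means none of these rules fired; it does not replace a review against the Android Management API policy reference.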