# Android EMM Default Policy and Compliance Scope

## What

The Android Default Policy defines global baseline settings for managed Android EMM applications and devices. Use scoped Android Policy Filesets for settings that depend on enrollment type, device role, or a specific application.

The practical split is:

- **Android Default Policy:** Fleet-wide application and device baselines.
- **Android Policy Filesets:** Controls assigned to the applicable BYOD, fully managed, or Dedicated Device scope.
- **Android app Fileset Properties:** App-specific overrides when one application needs different behavior from the global default.

## When/Why

Use the Default Policy for settings that should apply consistently across the Android fleet. Keep enrollment-specific compliance and operational behavior in separately scoped Policy Filesets so an incompatible setting is not pushed to the wrong device mode.

<div class="callout warning" id="bkmrk-do-not-use-the-defau">**Do not use the Default Policy as a dumping ground.** A global baseline should be safe for every Android EMM device in scope. Use a targeted Policy Fileset when BYOD, Dedicated Device, or app-specific behavior differs.

</div>## Open the Android Default Policy in FileWave 16.4

1. Open **FileWave Central &gt; Preferences**.
2. Select **Google**.
3. Under **EMM Configuration**, select **Default Policy Settings**.
4. Enable **Customize default policy** when you need to define FileWave-managed defaults.
5. Review the values, save the Default Policy, and update the model.

<figure id="bkmrk-filewave-central-16.">![FileWave Central 16.4 Preferences Google tab showing EMM Configuration and Default Policy Settings](https://kb.filewave.com/uploads/images/gallery/2026-07/E1gDH5Ofq9tEU22F-filewave-central-16-4-google-emm-default-policy-settings.png)<figcaption>FileWave Central 16.4: **Preferences &gt; Google &gt; EMM Configuration &gt; Default Policy Settings**.</figcaption></figure>## Global application baselines

<table id="bkmrk-controlcurrent-behav"><thead><tr><th>Control</th><th>Current behavior</th><th>Override</th></tr></thead><tbody><tr><td>**Permission Policy**</td><td>Defines the default response when an app requests a managed permission.</td><td>Permission Policy Filesets and app-specific permissions can provide narrower behavior.</td></tr><tr><td>**Credential Provider Policy**</td><td>Controls whether apps can act as credential providers on Android 14 and later. The default does not allow this.</td><td>Allow only an approved credential-management app through its app Fileset Properties.</td></tr><tr><td>**Android Factory Reset Protection**</td><td>Registers the managed Google account used to recover a device after a protected wipe and provides access to the FRP email template.</td><td>Use a controlled organizational recovery account rather than a personal administrator account.</td></tr><tr><td>**USB Data Access**</td><td>Defines the global Device Connectivity behavior for files or data transferred through USB.</td><td>Use a scoped Policy Fileset when a particular device role requires different USB behavior.</td></tr></tbody></table>

<div class="callout info" id="bkmrk-auto-update-mode-is-">**Auto Update Mode is configured on the Android app Fileset, not in this Default Policy Editor.** See [Android Apps](https://kb.filewave.com/books/filesets-payloads/page/android-apps) for the four per-app modes.

</div><figure id="bkmrk-the-android-default--1">![Android Default Policy Editor showing application policies, Factory Reset Protection, and USB Data Access](https://kb.filewave.com/uploads/images/gallery/2026-07/O4worIeSyV2sBVNO-filewave-central-16-4-android-default-policy-editor-full-sanitized.png)<figcaption>Android Default Policy Editor in FileWave 16.4. The displayed values are examples; configure them for your organization’s policy and enrollment model.</figcaption></figure><div class="callout warning" id="bkmrk-factory-reset-protec">**Factory Reset Protection account:** Use a managed recovery identity that remains accessible to the organization. Do not tie fleet recovery to an individual employee’s personal Google account.

</div>## Scope Password and Keyguard compliance

FileWave 16.4 makes the Password and Keyguard sections optional in an Android Compliance Policy. Build the Policy for the enrollment mode rather than including every available section.

<table id="bkmrk-device-scoperecommen"><thead><tr><th>Device scope</th><th>Recommended Compliance Policy design</th></tr></thead><tbody><tr><td>**BYOD/work profile**</td><td>Use Password compliance without Keyguard. Android BYOD is not compatible with the Keyguard component used for Dedicated Device or single-app operation.</td></tr><tr><td>**Fully managed device**</td><td>Include the Password controls required by organizational policy; add other applicable sections only when needed.</td></tr><tr><td>**Dedicated Device/single app**</td><td>Include Keyguard only when that device-mode behavior is required.</td></tr></tbody></table>

## Recommended policy pattern

- Keep global application defaults conservative and broadly applicable.
- Use a dedicated BYOD Password Compliance Policy without Keyguard.
- Use a separate Dedicated Device Compliance Policy when Keyguard is required.
- Keep System Update behavior in its own Policy so maintenance windows and Freeze Periods can change without disturbing compliance.
- Configure Auto Update Mode on each Android app Fileset. Use app-specific Credential Provider overrides only for documented exceptions.
- Avoid assigning multiple Policies that manage the same setting differently.

## Related Content

- [Android EMM Policies and Permissions](https://kb.filewave.com/books/android/page/android-emm-policies-and-permissions)
- [Android Policy Planning](https://kb.filewave.com/books/top-tips/page/android-policy-planning)
- [Android Apps](https://kb.filewave.com/books/filesets-payloads/page/android-apps)
- [Android devices with multiple policies](https://kb.filewave.com/books/android/page/android-devices-with-multiple-policies)