Skip to main content

Android EMM Default Policy and Compliance Scope

What

The Android Default Policy defines global baseline settings for managed Android EMM applications and devices. Use scoped Android Policy Filesets for settings that depend on enrollment type, device role, or a specific application.

The practical split is:

  • Android Default Policy: Fleet-wide application and device baselines.
  • Android Policy Filesets: Controls assigned to the applicable BYOD, fully managed, or Dedicated Device scope.
  • Android app Fileset Properties: App-specific overrides when one application needs different behavior from the global default.

When/Why

Use the Default Policy for settings that should apply consistently across the Android fleet. Keep enrollment-specific compliance and operational behavior in separately scoped Policy Filesets so an incompatible setting is not pushed to the wrong device mode.

Do not use the Default Policy as a dumping ground. A global baseline should be safe for every Android EMM device in scope. Use a targeted Policy Fileset when BYOD, Dedicated Device, or app-specific behavior differs.

Open the Android Default Policy in FileWave 16.4

  1. Open FileWave Central > Preferences.
  2. Select Google.
  3. Under EMM Configuration, select Default Policy Settings.
  4. Enable Customize default policy when you need to define FileWave-managed defaults.
  5. Review the values, save the Default Policy, and update the model.
FileWave Central 16.4 Preferences Google tab showing EMM Configuration and Default Policy Settings
FileWave Central 16.4: Preferences > Google > EMM Configuration > Default Policy Settings.

Global application baselines

ControlCurrent behaviorOverride
Permission PolicyDefines the default response when an app requests a managed permission.Permission Policy Filesets and app-specific permissions can provide narrower behavior.
App Update ModeDefines the baseline update behavior for Android app Filesets.An explicit App Update Mode in an app Fileset overrides the Default Policy; Unspecified inherits the default.
Credential Provider PolicyControls whether apps can act as credential providers on Android 14 and later. The default does not allow this.Allow only an approved credential-management app through its app Fileset Properties.
Android Default Policy Editor showing Permission Policy and Credential Provider Policy
The Android Default Policy Editor provides fleet-wide application baselines. App Fileset Properties can supply a narrower override where supported.

Scope Password and Keyguard compliance

FileWave 16.4 makes the Password and Keyguard sections optional in an Android Compliance Policy. Build the Policy for the enrollment mode rather than including every available section.

Device scopeRecommended Compliance Policy design
BYOD/work profileUse Password compliance without Keyguard. Android BYOD is not compatible with the Keyguard component used for Dedicated Device or single-app operation.
Fully managed deviceInclude the Password controls required by organizational policy; add other applicable sections only when needed.
Dedicated Device/single appInclude Keyguard only when that device-mode behavior is required.
  • Keep global application defaults conservative and broadly applicable.
  • Use a dedicated BYOD Password Compliance Policy without Keyguard.
  • Use a separate Dedicated Device Compliance Policy when Keyguard is required.
  • Keep System Update behavior in its own Policy so maintenance windows and Freeze Periods can change without disturbing compliance.
  • Use app-specific App Update Mode and Credential Provider overrides only for documented exceptions.
  • Avoid assigning multiple Policies that manage the same setting differently.