Skip to main content

Android EMM Default Policy and Compliance Scope

What

The Android Default Policy defines global baseline settings for managed Android EMM applications and devices. Use scoped Android Policy Filesets for settings that depend on enrollment type, device role, or a specific application.

The practical split is:

  • Android Default Policy: Fleet-wide application and device baselines.
  • Android Policy Filesets: Controls assigned to the applicable BYOD, fully managed, or Dedicated Device scope.
  • Android app Fileset Properties: App-specific overrides when one application needs different behavior from the global default.

When/Why

Use the Default Policy for settings that should apply consistently across the Android fleet. Keep enrollment-specific compliance and operational behavior in separately scoped Policy Filesets so an incompatible setting is not pushed to the wrong device mode.

Do not use the Default Policy as a dumping ground. A global baseline should be safe for every Android EMM device in scope. Use a targeted Policy Fileset when BYOD, Dedicated Device, or app-specific behavior differs.

Open the Android Default Policy in FileWave 16.4

  1. Open FileWave Central > Preferences.
  2. Select Google.
  3. Under EMM Configuration, select Default Policy Settings.
  4. Enable Customize default policy when you need to define FileWave-managed defaults.
  5. Review the values, save the Default Policy, and update the model.
FileWave Central 16.4 Preferences Google tab showing EMM Configuration and Default Policy Settings
FileWave Central 16.4: Preferences > Google > EMM Configuration > Default Policy Settings.

Global application baselines

ControlCurrent behaviorOverride
Permission PolicyDefines the default response when an app requests a managed permission.Permission Policy Filesets and app-specific permissions can provide narrower behavior.
App Update ModeDefines the baseline update behavior for Android app Filesets.An explicit App Update Mode in an app Fileset overrides the Default Policy; Unspecified inherits the default.
Credential Provider PolicyControls whether apps can act as credential providers on Android 14 and later. The default does not allow this.Allow only an approved credential-management app through its app Fileset Properties. Android Factory Reset ProtectionRegisters the managed Google account used to recover a device after a protected wipe and provides access to the FRP email template.Use a controlled organizational recovery account rather than a personal administrator account. USB Data AccessDefines the global Device Connectivity behavior for files or data transferred through USB.Use a scoped Policy Fileset when a particular device role requires different USB behavior.

Auto Update Mode is configured on the Android app Fileset, not in this Default Policy Editor. See Android Apps for the four per-app modes.

Android Default Policy Editor showing application policies, Factory Reset Protection, and USB Data Access
Android Default Policy Editor in FileWave 16.4. The displayed values are examples; configure them for your organization’s policy and enrollment model.

Factory Reset Protection account: Use a managed recovery identity that remains accessible to the organization. Do not tie fleet recovery to an individual employee’s personal Google account.

Scope Password and Keyguard compliance

FileWave 16.4 makes the Password and Keyguard sections optional in an Android Compliance Policy. Build the Policy for the enrollment mode rather than including every available section.

Device scopeRecommended Compliance Policy design
BYOD/work profileUse Password compliance without Keyguard. Android BYOD is not compatible with the Keyguard component used for Dedicated Device or single-app operation.
Fully managed deviceInclude the Password controls required by organizational policy; add other applicable sections only when needed.
Dedicated Device/single appInclude Keyguard only when that device-mode behavior is required.
  • Keep global application defaults conservative and broadly applicable.
  • Use a dedicated BYOD Password Compliance Policy without Keyguard.
  • Use a separate Dedicated Device Compliance Policy when Keyguard is required.
  • Keep System Update behavior in its own Policy so maintenance windows and Freeze Periods can change without disturbing compliance.
  • UseConfigure app-specific AppAuto Update Mode andon each Android app Fileset. Use app-specific Credential Provider overrides only for documented exceptions.
  • Avoid assigning multiple Policies that manage the same setting differently.