Device Trust from Android Enterprise - Available signals

    • Device Trust from Android Enterprise provides device posture signals to registered applications for computing a device trust score.

    • Access to device trust signals is restricted via an allowlist, requiring registration.

    • Available signals include OS version, pending updates, security patch levels, critical app details, device model/brand, screen lock complexity, management state, disk encryption, network state, Google Play Protect status, DNS over TLS status, and WebView package.

    • The management state signals vary depending on whether the application is running within the personal or work profile and the device ownership type.

    • Specific management state signals like Device.WorkProfileState are available starting from particular AMAPI SDK versions.

    Device Trust from Android Enterprise makes available a set of device posture signals that registered application can access to compute a trust score of the device.

    For information on how to integrate the Android Management API SDK in your application see Device Trust from Android Enterprise - Integration guide .

    Signals
    OS Version
    SoftwareInfo includes the OS version of the device. Older OS versions typically have more vulnerabilities.
    Does the device have pending OTA
    SoftwareInfo.SystemUpdateInfo returns if there is a pending OS update for the device. Proxy for if the device is vulnerable to exploits.
    Device Security Patch Level
    SoftwareInfo#getDeviceSecurityPatchInfos() returns the current security patch level of the device for different updatable components:
    Published Security Patch Level
    SoftwareInfo#getPublishedSecurityPatchInfos() returns the current published security patch level of the device for different updatable components:
    Critical App Details
    Device#getApplicationReports() returns details on all installed applications to extensibility apps and calling application with role COMPANION_APP on a managed device. For all other use cases Device#getApplicationReports() returns details on the following critical apps:
    • com.android.chrome
    • com.google.android.gms
    • com.google.android.apps.work.clouddpc
    • com.android.vending
    • com.google.android.webview
    The provided details are shared with a list of ApplicationReport .
    Device Model / Brand
    HardwareInfo#getModel() returns the device model and HardwareInfo#getBrand() returns the device brand.
    Screen lock complexity
    DeviceSettings#getScreenLockComplexity() returns how complex the current user's screen lock is.
    Management State (and managing app)
    Device#getManagementMode() returns the management state and Device#getManagementAppPackageName() returns the management app.
    The returned information depends on the profile the application is running in. For details see the Management state table .
    Disk encryption
    DeviceSettings#getEncryptionStatus() returns if the device's storage is encrypted.
    Access Network State (Network state and Wi-Fi state)
    You can use Device#getNetworkInfo() to get details about all active networks on the device:
    • Network transport (cellular / Wi-Fi)
    • Wi-Fi Security level ( OPEN , PERSONAL , ENTERPRISE_EAP , ENTERPRISE_192 )
    • Private DNS state
    Google Play Protect VerifyApps
    DeviceSettings#getGooglePlayProtectVerifyAppsState() returns the current GooglePlayProtectVerifyAppsState .
    Is DNS over TLS enabled
    NetworkParams#getPrivateDnsState() returns whether private DNS is used on the network.
    WebView package
    SoftwareInfo#getWebviewPackage() returns the name of the current WebView package.
    Human-readable business name of the management provider
    On AMAPI-managed device, ManagementProviderInfo can be used to retrieve the human-readable business name of the management provider.

    Management state

    The values returned for the management signals depends on the profile that your application is running in.

    Management state
    Signals when called from within the Personal Profile
    Signals when called from within the Work Profile
    Non-managed device
    ownership: PERSONALLY_OWNED
    managementMode: UNMANAGED
    managementAppPackageName: N/A
    workProfileState:
    N/A
    Work Profile on personally-owned device (BYOD)
    ownership: PERSONALLY_OWNED
    managementMode: UNMANAGED
    managementAppPackageName: N/A
    workProfileState:
    ownership: PERSONALLY_OWNED
    managementMode: PROFILE_OWNER
    managementAppPackageName: Package name of the Profile Owner application
    workProfileState:
    Work Profile on company-owned device
    ownership: COMPANY_OWNED
    managementMode: UNMANAGED
    managementAppPackageName: N/A
    workProfileState:
    ownership: COMPANY_OWNED
    managementMode: PROFILE_OWNER
    managementAppPackageName: Package name of the Profile Owner application
    workProfileState:
    Fully managed device
    N/A
    ownership: COMPANY_OWNED
    managementMode: DEVICE_OWNER
    managementAppPackageName: Package name of the Device Owner application
    workProfileState:
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: