Keyguard Management device policy

Android keyguard manages the device and work challenge lock screens. This policy lets you manage features for Android Enterprise work profile keyguard and advanced device keyguard. You can control:

  • Keyguard management on work profile devices. You can specify the features available to users before they unlock the device keyguard and the work challenge keyguard. For example, by default users can use fingerprint unlock and view unredacted notifications on the lock screen.

  • Keyguard management on fully managed and dedicated devices. You can specify the features available, such as trust agents and secure camera, before they unlock the keyguard screen. Or, you can choose to disable all keyguard features.

  • Keyguard management on fully managed devices with work profiles. These devices were formerly known as COPE (corporate owned personally enabled) devices. You can use one Keyguard Management policy to apply separate settings to the device and the work profile.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Android Enterprise settings

Device Policies configuration screen

  • Apply to COPE. Allows you to configure Keyguard Management device policy settings for fully managed devices with work profiles.

    When this setting is On, you can apply separate settings to the device and the work profile on fully managed devices with work profiles (COPE devices).

    When this setting is Off, you can apply settings to work profile devices or fully managed devices. Settings you configure for work profiles only apply to work profile devices. Settings you configure for fully managed devices apply only to fully managed devices.

    Default is Off.

  • Work profile keyguard features: Controls whether the following features are available before a user unlocks the work profile keyguard (lock screen).
    • Disable trust agents: If Off, trust agents can operate on secure keyguard screens when a challenge is set on the work profile. Set to On to disable all trust agents on the work profile. Default is Off.
    • Disable fingerprint unlock: If Off, fingerprint unlock is available on secure keyguard screens when a challenge is set on the work profile. Set to On to disable fingerprint unlock on the work profile. Default is Off.
    • Disable unredacted notifications: If Off, unredacted notifications appear on secure keyguard screens. Set to On to show unredacted notifications. Default is Off, which means only redacted notifications on secure keyguard screens are allowed.
  • Fully managed device keyguard features: Controls whether the following features are available before a user unlocks the device keyguard (lock screen). These features apply to fully managed or dedicated devices.

    • Disable all keyguard features: If Off, all current and future keyguard customizations are available on the secure keyguard screens. Set to On to disable all keyguard customizations. Default is Off.
    • Disable trust agents: If Off, trust agents can operate on secure keyguard screens. Set to On to disable trust agents. Default is Off.
    • Disable fingerprint lock: If Off, the fingerprint lock feature is available on secure keyguard screens. Set to On to disable the fingerprint lock feature. Default is Off.
    • Disable all notifications: If Off, all notifications appear on secure keyguard screens. Set to On to show all notifications. Default is Off.
    • Disable unredacted notifications: If Off, unredacted notifications appear on secure keyguard screens. If you disable unredacted notifications, only redacted notifications are allowed on secure keyguard screens. Set to On to include unredacted notifications. Default is Off.
    • Disable secure camera: If Off, secure camera is available on secure keyguard screens. Set to On to disable the secure camera. Default is Off.

Keyguard Management device policy