.png)
Supported attributes: Android app protection policy
Attribute | Description | Backed up | Restorable |
| allowedAndroidDeviceManufacturers | Semicolon-separated list of device manufacturers allowed, as a string, for the managed app to work. | Yes | Yes |
| allowedAndroidDeviceModels | List of device models allowed, as a string, for the managed app to work. | Yes | Yes |
| allowedDataIngestionLocations | Data storage locations where a user may store managed data. Inherited from managedAppProtection | Yes | Yes |
| allowedDataStorageLocations | Data storage locations where a user may store managed data. Inherited from managedAppProtection | Yes | Yes |
| allowedInboundDataTransferSources | Sources from which data is allowed to be transferred. Inherited from managedAppProtection | Yes | Yes |
| allowedOutboundClipboardSharingExceptionLength | Number of characters that may be cut or copied from company data and accounts to any application. | Yes | Yes |
| allowedOutboundClipboardSharingLevel | The level to which the clipboard may be shared between apps on the managed device. Inherited from managedAppProtection. | Yes | Yes |
| allowedOutboundDataTransferDestinations | Destinations to which data is allowed to be transferred. Inherited from managedAppProtection. | Yes | Yes |
| appActionIfAccountIsClockedOut | Defines a managed app behavior, either block or warn, if the user is clocked out (non-working time). | Yes | Yes |
| appActionIfAndroidDeviceManufacturerNotAllowed | Defines a managed app behavior, either block or wipe, if the specified device manufacturer is not allowed. | Yes | Yes |
| appActionIfAndroidDeviceModelNotAllowed | Defines a managed app behavior, either block or wipe, if the specified device model is not allowed. | Yes | Yes |
| appActionIfAndroidSafetyNetAppsVerificationFailed | Defines a managed app behavior, either warn or block, if the specified Android app verification requirement fails. | Yes | Yes |
| appActionIfAndroidSafetyNetDeviceAttestationFailed | Defines a managed app behavior, either warn or block, if the specified Android SafetyNet Attestation requirement fails. | Yes | Yes |
| appActionIfDeviceComplianceRequired | Defines a managed app behavior, either block or wipe, when the device is either rooted or jailbroken (if deviceComplianceRequired is set to true). | Yes | Yes |
| appActionIfDeviceLockNotSet | Defines a managed app behavior, either warn, block or wipe, if the screen lock is required on Android device but is not set. | Yes | Yes |
| appActionIfDevicePasscodeComplexityLessThanHigh | Defines the action to be triggered if the device does not have a passcode of high complexity or higher. | Yes | Yes |
| appActionIfDevicePasscodeComplexityLessThanLow | Defines the action to be triggered if the device does not have a passcode of low complexity or higher. | Yes | Yes |
| appActionIfDevicePasscodeComplexityLessThanMedium | Defines the action to be triggered if the device does not have a passcode of medium complexity or higher. | Yes | Yes |
| appActionIfMaximumPinRetriesExceeded | Defines a managed app behavior, either block or wipe, based on maximum number of incorrect pin retry attempts. Inherited from managedAppProtection. | Yes | Yes |
| appActionIfSamsungKnoxAttestationRequired | Defines the behavior of a managed app when Samsung Knox Attestation is required. | Yes | Yes |
| appActionIfUnableToAuthenticateUser | Specifies what action to take in the case where the user is unable to check in because their authentication token is invalid because the user has been deleted or disabled. | Yes | Yes |
| appGroupType | Public apps selection: group or individual. Inherited from targetedManagedAppProtection. | Yes | Yes |
| approvedKeyboards | Specified which keyboards are allowed if keyboardsRestricted is enabled. | Yes | Yes |
| biometricAuthenticationBlocked | Indicates whether use of the biometric authentication is allowed in place of a pin if pinRequired is set to True. | Yes | Yes |
| blockAfterCompanyPortalUpdateDeferralInDays | Maximum number of days the Company Portal update can be deferred on the device before app access will be blocked. | Yes | Yes |
| blockDataIngestionIntoOrganizationDocuments | Indicates whether a user can bring data into org documents. Inherited from managedAppProtection | Yes | Yes |
| connectToVpnOnLaunch | Indicates whether the app should connect to the configured VPN on launch. | Yes | Yes |
| contactSyncBlocked | Indicates whether contacts can be synced to the user's device. Inherited from managedAppProtection | Yes | Yes |
| createdDateTime | The date and time the policy was created. Inherited from managedAppPolicy | Yes | Yes |
| customBrowserDisplayName | Friendly name of the preferred custom browser to open weblink on Android. | Yes | Yes |
| customBrowserPackageId | Unique identifier of the preferred custom browser to open internet links on Android. | Yes | Yes |
| customDialerAppDisplayName | Friendly name of a custom dialer app to click-to-open a phone number on Android. | Yes | Yes |
| customDialerAppPackageId | PackageId of a custom dialer app to click-to-open a phone number on Android. | Yes | Yes |
| dataBackupBlocked | Indicates whether the backup of a managed app's data is blocked. Inherited from managedAppProtection | Yes | Yes |
| deployedAppCount | Number of apps to which the current policy is deployed. | Yes | Yes |
| description | Description of the policy. Inherited from managedAppPolicy | Yes | Yes |
| deviceComplianceRequired | Indicates whether device compliance is required. Inherited from managedAppProtection | Yes | Yes |
| deviceLockRequired | Defines if any kind of lock must be required on Android devices. | Yes | Yes |
| dialerRestrictionLevel | Lists the classes of dialer apps that are allowed to click-to-open a phone number. Inherited from managedAppProtection. | Yes | Yes |
| disableAppEncryptionIfDeviceEncryptionIsEnabled | When this setting is enabled, app level encryption is disabled if device level encryption is enabled. | Yes | Yes |
| disableAppPinIfDevicePinIsSet | Indicates whether use of the app pin is required if the device pin is set. Inherited from managedAppProtection | Yes | Yes |
| displayName | Policy display name. Inherited from managedAppPolicy | Yes | Yes |
| encryptAppData | Indicates whether application data for managed apps should be encrypted. | Yes | Yes |
| exemptedAppPackages | Lists the app packages that are exempt from the policy and will be able to receive data from managed apps. | Yes | Yes |
| fingerprintAndBiometricEnabled | If null, this setting will be ignored. If false, both fingerprint and biometrics will be disabled. If true, both fingerprint and biometrics will be enabled. | Yes | Yes |
| fingerprintBlocked | Indicates whether use of the fingerprint reader is allowed in place of a pin if pinRequired is set to True. Inherited from managedAppProtection | Yes | Yes |
| gracePeriodToBlockAppsDuringOffClockHours | Specifies the grace period before app access is blocked during off clock hours. Inherited from managedAppProtection | Yes | Yes |
| id | Key of the entity. Inherited from managedAppPolicy | Yes | No |
| isAssigned | Indicates whether the policy is deployed to any inclusion groups. Inherited from targetedManagedAppProtection | Yes | Yes |
| keyboardsRestricted | Indicates if keyboard restriction is enabled. | Yes | Yes |
| lastModifiedDateTime | Last time the policy was modified. Inherited from managedAppPolicy | Yes | Yes |
| managedBrowser | Indicates in which managed browser(s) internet links should be opened. | Yes | Yes |
| managedBrowserToOpenLinksRequired | Indicates whether internet links should be opened in the managed browser app or any custom browser specified by CustomBrowserProtocol (for iOS) or CustomBrowserPackageId / CustomBrowserDisplayName (for Android) Inherited from managedAppProtection | Yes | Yes |
| maximumAllowedDeviceThreatLevel | Maximum allowed device threat level, as reported by the mobile threat defense app Inherited from managedAppProtection. | Yes | Yes |
| maximumPinRetries | Maximum number of incorrect pin retry attempts before the managed app is either blocked or wiped. Inherited from managedAppProtection | Yes | Yes |
| maximumRequiredOsVersion | Versions higher than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
| maximumWarningOsVersion | Versions higher than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
| maximumWipeOsVersion | Versions higher than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
| messagingRedirectAppDisplayName | Defines the app that is allowed when a redirection is enforced by protectedMessagingRedirectAppType. | Yes | Yes |
| messagingRedirectAppPackageId | Defines the app package id that is allowed when a redirection is enforced by protectedMessagingRedirectAppType. | Yes | Yes |
| minimumPinLength | Minimum pin length required for an app-level pin if pinRequired is set to True. Inherited from managedAppProtection | Yes | Yes |
| minimumRequiredAppVersion | Versions lower than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
| minimumRequiredCompanyPortalVersion | Minimum version of the Company Portal that must be installed on the device or app. | Yes | Yes |
| minimumRequiredOsVersion | Versions lower than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
| minimumRequiredPatchVersion | Oldest required Android security patch level a user can have to gain secure access to the app. | Yes | Yes |
| minimumWarningAppVersion | Versions lower than the specified version will result in a warning message on the managed app. Inherited from managedAppProtection | Yes | Yes |
| minimumWarningCompanyPortalVersion | Minimum version of the Company Portal that must be installed on the device. | Yes | Yes |
| minimumWarningOsVersion | Versions lower than the specified version will result in a warning message on the managed app. Inherited from managedAppProtection | Yes | Yes |
| minimumWarningPatchVersion | Oldest recommended Android security patch level a user can have for secure access to the app. | Yes | Yes |
| minimumWipeAppVersion | Versions lower than or equal to the specified version will wipe the managed app and the associated company data. Inherited from managedAppProtection | Yes | Yes |
| minimumWipeCompanyPortalVersion | Minimum version of the Company Portal that must be installed on the device otherwise the company data on the app will be wiped. | Yes | Yes |
| minimumWipeOsVersion | Versions lower than or equal to the specified version will wipe the managed app and the associated company data. Inherited from managedAppProtection | Yes | Yes |
| minimumWipePatchVersion | Android security patch level lower than or equal to the specified value will wipe the managed app and the associated company data. | Yes | Yes |
| mobileThreatDefensePartnerPriority | Indicates how to prioritise which mobile threat defense partner is enabled for a given platform, when more than one is enabled. | Yes | Yes |
| mobileThreatDefenseRemediationAction | Determines what action to take if the mobile threat defense threat threshold isn't met. | Yes | Yes |
| notificationRestriction | Specifies the level of restriction for app notifications. Inherited from managedAppProtection. | Yes | Yes |
| organizationalCredentialsRequired | Indicates whether organisational credentials are required for app use. Inherited from managedAppProtection | Yes | Yes |
| periodBeforePinReset | Specifies the time period before the all-level pin must be reset if pinRequired is set to True. Inherited from managedAppProtection | Yes | Yes |
| periodOfflineBeforeAccessCheck | Specifies the time period after which access is checked when the device is not connected to the internet. Inherited from managedAppProtection | Yes | Yes |
| periodOfflineBeforeWipeIsEnforced | Specifies the time period an app is allowed to remain disconnected from the internet before all managed data is wiped. Inherited from managedAppProtection | Yes | Yes |
| periodOnlineBeforeAccessCheck | Specifies the time period after which access is checked when the device is connected to the internet. Inherited from managedAppProtection | Yes | Yes |
| pinCharacterSet | Character set which may be used for an app-level pin if pinRequired is set to True. Inherited from managedAppProtection. | Yes | Yes |
| pinRequired | Indicates whether an app-level pin is required. Inherited from managedAppProtection | Yes | Yes |
| pinRequiredInsteadOfBiometricTimeout | Timeout in minutes for an app pin when required instead of a non-biometric passcode. Inherited from managedAppProtection | Yes | Yes |
| previousPinBlockCount | Requires a pin to be unique from the number specified in this property. Inherited from managedAppProtection | Yes | Yes |
| printBlocked | Indicates whether printing is allowed from managed apps. Inherited from managedAppProtection | Yes | Yes |
| protectedMessagingRedirectAppType | Defines how app messaging redirection is protected by an app protection policy. Inherited from managedAppProtection. | Yes | Yes |
| requireClass3Biometrics | Requires the user to apply Class 3 biometrics on their Android device. | Yes | Yes |
| requiredAndroidSafetyNetAppsVerificationType | Defines the Android SafetyNet app verification requirement for a managed app to work. | Yes | Yes |
| requiredAndroidSafetyNetDeviceAttestationType | Defines the Android SafetyNet Device Attestation requirement for a managed app to work | Yes | Yes |
| requiredAndroidSafetyNetEvaluationType | Defines the Android SafetyNet evaluation type requirement for a managed app to work. | Yes | Yes |
| requirePinAfterBiometricChange | Specifies that a PIN prompt will override biometric prompts if Class 3 biometrics are updated on the device. | Yes | Yes |
| roleScopeTagIds | List of scope tags for this entity instance. Inherited from managedAppPolicy | Yes | Yes |
| saveAsBlocked | Indicates whether users may use the "Save As" menu item to save a copy of protected files. Inherited from managedAppProtection | Yes | Yes |
| screenCaptureBlocked | Indicates whether a managed user can take screen captures of managed apps. | Yes | Yes |
| simplePinBlocked | Indicates whether simplePin is blocked. Inherited from managedAppProtection | Yes | Yes |
| targetedAppManagementLevels | The intended app management levels for this policy. Inherited from targetedManagedAppProtection. | Yes | Yes |
| version | Version of the entity. Inherited from managedAppPolicy | Yes | Yes |
| warnAfterCompanyPortalUpdateDeferralInDays | Maximum number of days a Company Portal update can be deferred on the device before the user receives a warning. | Yes | Yes |
| wipeAfterCompanyPortalUpdateDeferralInDays | Maximum number of days a Company Portal update can be deferred on the device before company data on the app is wiped. | Yes | Yes |
 1.png)