API_LEVEL non compliance details ... anything to worry about?

Question

We recently adopted the Android Management API and we've got around 250 kiosk devices which are in various locations throughout the UK.

I can see a bunch of warnings related to the API level of the device. i.e policyCompliant: true, however there are some nonComplianceDetails.

I'm wondering if this is something to worry about? Will the devices factory reset themselves after a certain amount of time?

An affected device

{
  "name": "enterprises/XXXXXXXX/devices/XXXXXXXX",
  "managementMode": "DEVICE_OWNER",
  "state": "ACTIVE",
  "appliedState": "ACTIVE",
  "policyCompliant": true,
  "nonComplianceDetails": [
    {
      "settingName": "systemErrorDialogsDisabled",
      "nonComplianceReason": "API_LEVEL"
    },
    {
      "settingName": "lockTaskFeatures",
      "nonComplianceReason": "API_LEVEL"
    }
  ],
  "enrollmentTime": "2019-01-25T17:09:08.693Z",
  "lastStatusReportTime": "2019-12-02T11:15:14.869Z",
  "lastPolicySyncTime": "2019-12-02T11:15:10.501Z",
  "appliedPolicyVersion": "4",
  "apiLevel": 24,
  "enrollmentTokenData": "20",
  "disabledReason": {},
  "hardwareInfo": {
    "brand": "XXXX",
    "hardware": "XXXXXX",
    "deviceBasebandVersion": "XXXXXXXX",
    "manufacturer": "XXXX",
    "serialNumber": "XXXXXXXX",
    "model": "XXXXXX"
  },
  "policyName": "enterprises/XXXXXXXX/policies/policy_v41",
  "appliedPolicyName": "enterprises/XXXXXXXX/policies/policy_v41",
  "networkInfo": {
    "imei": "XXXXXXXX",
    "wifiMacAddress": "38:1c:4a:XX:c2:XX",
    "networkOperatorName": "vodafone UK"
  },
  "memoryInfo": {
    "totalRam": "1008689152",
    "totalInternalStorage": "1560133632"
  },
  "userName": "enterprises/XXXXXXXX/users/XXXXXXXX",
  "enrollmentTokenName": "enterprises/XXXXXXXX/enrollmentTokens/XXXXXXXX",
  "securityPosture": {
    "devicePosture": "POTENTIALLY_COMPROMISED",
    "postureDetails": [
      {
        "securityRisk": "COMPROMISED_OS",
        "advice": [
          {
            "defaultMessage": "The user should restore their device to a clean factory ROM."
          }
        ]
      }
    ]
  }
}

Corresponding policy

{
  "name": "enterprises/XXXXXXXX/policies/policy_v41",
  "applications": [
    {
      "packageName": "com.example.examplekiosk",
      "installType": "FORCE_INSTALLED",
      "lockTaskAllowed": true,
      "defaultPermissionPolicy": "GRANT",
      "minimumVersionCode": 41
    }
  ],
  "screenCaptureDisabled": true,
  "cameraDisabled": true,
  "defaultPermissionPolicy": "GRANT",
  "persistentPreferredActivities": [
    {
      "receiverActivity": "com.example.examplekiosk/.activities.splash.SplashActivity",
      "actions": [
        "android.intent.action.MAIN"
      ],
      "categories": [
        "android.intent.category.HOME",
        "android.intent.category.DEFAULT"
      ]
    }
  ],
  "systemUpdate": {
    "type": "AUTOMATIC"
  },
  "addUserDisabled": true,
  "factoryResetDisabled": true,
  "mountPhysicalMediaDisabled": true,
  "modifyAccountsDisabled": true,
  "safeBootDisabled": true,
  "uninstallAppsDisabled": true,
  "statusBarDisabled": true,
  "keyguardDisabled": true,
  "statusReportingSettings": {
    "networkInfoEnabled": true
  },
  "wifiConfigsLockdownEnabled": true,
  "cellBroadcastsConfigDisabled": true,
  "credentialsConfigDisabled": true,
  "tetheringConfigDisabled": true,
  "vpnConfigDisabled": true,
  "createWindowsDisabled": true,
  "networkResetDisabled": true,
  "outgoingBeamDisabled": true,
  "outgoingCallsDisabled": true,
  "removeUserDisabled": true,
  "smsDisabled": true,
  "unmuteMicrophoneDisabled": true,
  "usbFileTransferDisabled": true,
  "ensureVerifyAppsEnabled": true,
  "stayOnPluggedModes": [
    "AC"
  ],
  "setUserIconDisabled": true,
  "setWallpaperDisabled": true,
  "dataRoamingDisabled": true,
  "locationMode": "HIGH_ACCURACY",
  "funDisabled": true,
  "autoTimeRequired": true,
  "appAutoUpdatePolicy": "ALWAYS",
  "encryptionPolicy": "ENABLED_WITHOUT_PASSWORD",
  "playStoreMode": "WHITELIST",
  "policyEnforcementRules": [
    {
      "settingName": "passwordPolicies",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "encryptionPolicy",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "keyguardDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "permittedInputMethods",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "permittedAccessibilityServices",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "applications",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "maximumTimeToLock",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "screenCaptureDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "cameraDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "keyguardDisabledFeatures",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "defaultPermissionPolicy",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "persistentPreferredActivities",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "openNetworkConfiguration",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "systemUpdate",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "accountTypesWithManagementDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "addUserDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "adjustVolumeDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "factoryResetDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "installAppsDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "mountPhysicalMediaDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "modifyAccountsDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "safeBootDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "uninstallAppsDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "statusBarDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "keyguardDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "minimumApiLevel",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "statusReportingSettings",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "bluetoothContactSharingDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "shortSupportMessage",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "longSupportMessage",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "passwordRequirements",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "wifiConfigsLockdownEnabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "bluetoothConfigDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "cellBroadcastsConfigDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "credentialsConfigDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "mobileNetworksConfigDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "tetheringConfigDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "vpnConfigDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "wifiConfigDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "createWindowsDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "networkResetDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "outgoingBeamDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "outgoingCallsDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "removeUserDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "shareLocationDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "smsDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "unmuteMicrophoneDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "usbFileTransferDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "ensureVerifyAppsEnabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "permittedInputMethods",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "stayOnPluggedModes",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "recommendedGlobalProxy",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "setUserIconDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "setWallpaperDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "choosePrivateKeyRules",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "alwaysOnVpnPackage",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "frpAdminEmails",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "deviceOwnerLockScreenInfo",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "dataRoamingDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "locationMode",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "networkEscapeHatchEnabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "bluetoothDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "blockApplicationsEnabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "installUnknownSourcesAllowed",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "debuggingFeaturesAllowed",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "funDisabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "autoTimeRequired",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "permittedAccessibilityServices",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "appAutoUpdatePolicy",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "kioskCustomLauncherEnabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "skipFirstUseHintsEnabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "privateKeySelectionEnabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "encryptionPolicy",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "usbMassStorageEnabled",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "permissionGrants",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "playStoreMode",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "setupActions",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "passwordPolicies",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    },
    {
      "settingName": "policyEnforcementRules",
      "blockAction": {
        "blockAfterDays": 299
      },
      "wipeAction": {
        "wipeAfterDays": 300
      }
    }
  ]
}

score 0 · Answer 1 · answered Dec 02 '19 at 13:27

0

API_LEVEL errors could be ignored in this case.

Few more suggestions: 1. Try enabling all status reporting policies for your device to have an extended view of the remote device.

For the "policyEnforcementRules" - you could try removing all values actually.
This one is probably for overriding overall default, this one is not supported. { "settingName": "policyEnforcementRules", "blockAction": { "blockAfterDays": 299 }, "wipeAction": { "wipeAfterDays": 300 } }

answered Dec 02 '19 at 13:27

Nikita Kostylev

16

1

Thanks for the reply. We don't want the device to be factory reset under any circumstances. Since there is no way to state that at a policy level, the next best thing was to take all top level settings and give the most lax `policyEnforcementRules` possible. But yeah, you are right that's pretty stupid recursive rule. It wasn't intentional, just a copy + paste cry for help. – S.Thomson Dec 02 '19 at 14:32
1

I've been contacted via email about this issue to provide more info. To reply to each of your suggestions: 1. The devices are all the same ... we ship these out from here, so most of the reporting available is not really interesting as the devices are kiosks and therefore should be in the same state. I have added softwareInfo which is interesting, as it reports the version of the DPC. 2. I'm a bit scared to remove this TBH as it relaxes the rules. I wish there was a setting that says "under no circumstances wipe this device". 3. This was a stupid addition to the policy. I've removed this – S.Thomson Jan 27 '20 at 13:25

score 0 · Answer 2 · answered Jan 28 '20 at 13:30

Updating my policy to the new Google recommended way of managing kiosk devices, i.e:

  "applications": [
    {
      "packageName": "com.example.examplekiosk",
      "installType": "KIOSK",
      "defaultPermissionPolicy": "GRANT",
      "minimumVersionCode": 41
    }
  ],

Seems to have resolved the issue on the first handful devices that have been given the updated policy. So fingers crossed this completely resolves this issue.

I wish there was a migration guide or something to help when the recommended way to do something changes.

API_LEVEL non compliance details ... anything to worry about?

2 Answers2