Is it secure to pass secrets to kiosk devices using `managedConfiguration` in a Android Management policy?

Question

Using the managedConfiguration under ApplicationPolicy inside a enterprises.policies, we can apply certain configurations to a managed app

Is it secure / correct to use this managedConfiguration to pass some secrets to the device or if I should use something else?

If not, what would be the better / more secure way to achieve this?

(FYI, I was planning to pass an API key to some dedicated devices so that they could call some API at my server)

score 1 · Accepted Answer · answered May 13 '21 at 09:41

It is not recommended to use the managed configuration to pass an api key to dedicated devices. You can try using a security key manager like the Secret Manager API from Google. Additionally, we do have an excellent guide for best practices around API Keys management from our developer documentation although it is not Android specific.

Is it secure to pass secrets to kiosk devices using `managedConfiguration` in a Android Management policy?

1 Answers1