Manage app runtime permissions on Android devices with Google Mobile Management
What’s new: To best protect your organization and better serve your employees, you need increased control over the applications running on their mobile devices. This launch provides that control. Going forward, G Suite admins can manage the permissions that Android apps request at runtime (also known as “runtime permissions”), as opposed to at installation time. Note that this feature is only available for apps running in work profiles or on company-owned devices.
Generally, an app requests permission at runtime when it’s attempting to access sensitive data, like a user’s location, contacts, calendar, microphone, or storage. These permissions have to be explicitly granted by the user at that moment, and not just when the app is installed. See below for an example.
To help you better manage runtime permissions for Android apps*, we introduced two new settings in the Admin console for customers using Google Mobile Management.
The first gives G Suite admins three options for managing all runtime permissions on all Android apps: (1) allow runtime permissions automatically, (2) deny runtime permissions automatically, or (3) prompt the end user to choose whether to grant runtime permissions. The last option is the default; it can be changed in the Admin console under Device Management > Android Settings > Apps and Data Sharing.
The second setting can be found under the App Distribution and Configuration options provided when an Android app is whitelisted. This setting allows admins to manage runtime permissions for that specific app. For example, an admin can forbid the app from accessing the device’s location or contacts. Where there are conflicts, this per-app setting takes priority over the setting for all apps described above.
*IMPORTANT: Android apps will only request permissions at runtime if the device is running Android 6.0 (Marshmallow) or higher and the app itself targets API level 23 or higher. The second setting mentioned above will be greyed out in the Admin console if the app doesn’t target API level 23 or higher. If you’re unsure whether an app will request runtime permissions, we recommend contacting the app developer.
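The precedence between the two settings and the API-level condition in the note above can be modelled as a short audit check. This is an added example, not Google's code: the function names, policy strings, the "install-time" label and the sample app inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

RUNTIME_API = 23  # Android 6.0 (Marshmallow), the threshold stated in the note

LOCATION = "android.permission.ACCESS_FINE_LOCATION"
CONTACTS = "android.permission.READ_CONTACTS"


@dataclass
class App:
    package: str
    target_sdk: int
    # Per-app setting: permission -> "allow" | "deny" | "prompt"
    overrides: dict = field(default_factory=dict)


def effective(global_policy, app, device_sdk, permission):
    """Return (decision, source) for one permission on one device."""
    if device_sdk < RUNTIME_API or app.target_sdk < RUNTIME_API:
        # The app never asks at runtime, so neither admin setting applies.
        return ("install-time", "not-applicable")
    if permission in app.overrides:
        # The per-app setting wins over the setting for all apps.
        return (app.overrides[permission], "per-app")
    return (global_policy, "global")


def unenforced_overrides(apps, device_sdk):
    """List per-app settings that cannot take effect on this device."""
    return [
        (app.package, perm, decision)
        for app in apps
        for perm, decision in sorted(app.overrides.items())
        if effective("prompt", app, device_sdk, perm)[1] == "not-applicable"
    ]


# Constructed sample inventory (hypothetical package names).
SAMPLE_APPS = [
    App("com.example.maps", 26, {LOCATION: "deny"}),
    App("com.example.legacy", 22, {CONTACTS: "deny"}),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        for perm in (LOCATION, CONTACTS):
            print(app.package, perm, effective("prompt", app, 26, perm))
    print("unenforced:", unenforced_overrides(SAMPLE_APPS, 26))
```

Running the audit over a real app inventory shows where an admin's "deny" is not actually in force because the app or device falls below the runtime-permission threshold.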