> For the complete documentation index, see [llms.txt](https://docs.cubilock.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.cubilock.com/profile-management/privacy-settings/chose-private-key-rules.md).
# Chose Private Key Rules
**Choose Private Key Rules** let you define how managed apps on Android devices gain access to private keys stored in the system keystore. Private keys are used for things like secure TLS client authentication or signing operations. These rules determine **which private key alias** should be granted to an app when it requests access.
**Navigation:**
Device Management → Device Profiles → Edit Profile → Privacy Settings → Choose Private Key Rules
Many enterprise apps require a private key to authenticate securely to internal servers or APIs. Android’s Device Policy Controller (DPC) allows apps to request appropriate private key aliases via standard APIs (for example, `KeyChain.choosePrivateKeyAlias`). The **Choose Private Key Rules** section lets you pre‑configure policies that control:
* **Which apps are allowed to access private keys**
* **For which URL patterns this applies**
* **Which private key alias should be used for a given request**
This ensures that managed apps have predictable, secure access to cryptographic keys on managed devices without exposing them to unauthorized applications.
#### **UI Walkthrough**
1. **Rule List Interface**\
When no rules are present, the list will be empty.
2. **Create a New Rule**\
Click **New Rule** to begin defining an access rule for private keys. This opens a modal where you can specify patterns, apps, and key aliases.
3. **Rule Form Fields Explained**
* **URL Pattern** – A regular expression pattern that matches the URL of outgoing requests. This is used to restrict private key selection only for specific URLs. For example, `https://*.corp.internal/*`.\
If left unspecified, it matches all URLs.
* **Select Apps** – The package names of one or more managed apps that this rule applies to. If no packages are specified, the rule applies to *all managed apps*.
* **Private Key Alias** – The alias (identifier) of the private key to grant when the app makes a request.
Click **Add** to save the rule once fields are complete.
4. **Save Your Profile**\
After you’ve added rules, be sure to click **Save** in the main profile UI to apply these changes to all devices attached to this profile.
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:
```
GET https://docs.cubilock.com/profile-management/privacy-settings/chose-private-key-rules.md?ask=&goal=
```
`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.