> For the complete documentation index, see [llms.txt](https://docs.cubilock.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.cubilock.com/profile-management/privacy-settings/policy-enforcement-settings.md).

# Policy Enforcement Settings

**Policy Enforcement Rules** let administrators define *custom compliance actions* when a managed device or work profile falls out of compliance with specific policy settings. Instead of relying on Android’s default compliance handling, you can create rules that determine how many days a device can remain non‑compliant before it is **blocked** and then **wiped**.

#### Navigation:

Device Management → Device Profiles → Edit Profile → Privacy Settings → Policy Enforcement Rules

#### **What Policy Enforcement Rules Do**

Android automatically enforces compliance for core policies (such as password requirements, encryption, keyguard settings, permitted accessibility services, etc.). If a device is non‑compliant, Android Device Policy *will block usage immediately by default*, and if non‑compliance persists for 10 days, it will *factory‑reset the device or delete the work profile*.

Policy Enforcement Rules allow you to override this behavior and define your own timelines and actions.

#### **Rule Components**

Each enforcement rule consists of:

* **Setting Name**\
  Select the policy setting to enforce (e.g., Password Policies, Encryption Policy, Keyguard Disabled, etc.). This corresponds to the top‑level policy key that determines compliance.
* **Block After (Days)**\
  The number of days a device can remain non‑compliant before it is **blocked** (restricted from normal use). Setting this to **0** blocks the device immediately when non‑compliance is detected.
* **Wipe After (Days)**\
  The number of days the device can remain non‑compliant *after* the block before it is **wiped** (factory reset or work profile removed). This value must always be **greater** than the Block After days.
* **Block Scope**\
  Choose whether the block applies to the **entire device** or just the **work profile** (for corporate‑owned profiles).
* **Factory Reset Protection (FRP)** toggle\
  Enable this to **preserve FRP** when the device is wiped due to non‑compliance. With FRP preserved, the device may require the original account credentials to be activated after reset.

#### When to Use Policy Enforcement Rules

| **Scenario**                    | **Use Case**                                                                  |
| ------------------------------- | ----------------------------------------------------------------------------- |
| Sensitive security environments | Block and wipe quickly when password or encryption policies are violated.     |
| Staged escalation               | Allow users time to remediate non‑compliance before restricting or wiping.    |
| Custom compliance behavior      | Deviate from default 10‑day enforcement to match organizational requirements. |

#### **How to Add a Policy Enforcement Rule**

1. Click **Add Rule** in the Policy Enforcement Rules section.
2. In the **New Compliance Rule** modal:
   * Select the **Setting Name** from the dropdown.
   * Enter the **Block After (Days)** value.
   * Enter the **Wipe After (Days)** value (must be greater than block days).
   * Choose the **Block Scope** (Device or Work Profile).
   * Optionally enable **Factory Reset Protection** to preserve FRP upon wipe.
3. Click **Add** to save the rule.

<figure><img src="/files/FF5ygSi1YBzna926nQu8" alt=""><figcaption></figcaption></figure>

#### **Sample Rule Logic**

A typical enforcement rule for password policy violation might be:

| **Setting Name**  | **Block After** | **Wipe After** | **Block Scope** | **FRP** |
| ----------------- | --------------- | -------------- | --------------- | ------- |
| Password Policies | 6 Days          | 7 Days         | Device          | Enabled |

This means if a device fails to meet password requirements, it will be blocked after **6 days** of non‑compliance, and if still non‑compliant after **7 days**, it will be wiped.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.cubilock.com/profile-management/privacy-settings/policy-enforcement-settings.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.