List all devices for the enterprise via GET https://androidmanagement.googleapis.com/v1/{parent=enterprises/*}/devices using a service account with the androidmanagement.devices.list permission
For each device, inspect the applicationReports array; each entry contains packageName, versionName, installedFrom, and applicationSource fields
Cross-reference applicationReports with the policy's applications array to identify apps installed from sources other than MANAGED_GOOGLE_PLAY (installedFrom field value)
Identify devices with nonComplianceDetails where the reason is APP_NOT_INSTALLED or APP_NOT_UPDATED and the packageName matches a required app
Issue a reboot or start lost mode command via POST to https://androidmanagement.googleapis.com/v1/{name=enterprises/*/devices/*}:issueCommand for devices requiring intervention
Update the policy to add problematic packages to the blockedApplications list and PATCH the policy to force removal on next sync
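The cross-referencing in the steps above, as an added offline example (not code from the original page or from Google). It runs over constructed device and policy data; the installedFrom field and MANAGED_GOOGLE_PLAY value are used as the steps give them, while the nonComplianceReason key, the installType values used to decide what counts as a required app, and all enterprise, device and package names are assumptions of this example.

```python
# Field name and expected value are taken from the steps above.
SOURCE_FIELD, MANAGED_SOURCE = "installedFrom", "MANAGED_GOOGLE_PLAY"
REQUIRED_TYPES = {"FORCE_INSTALLED", "REQUIRED_FOR_SETUP"}  # assumed meaning of "required app"
APP_REASONS = {"APP_NOT_INSTALLED", "APP_NOT_UPDATED"}

# Constructed sample data (hypothetical enterprise, devices and packages).
POLICY = {"applications": [
    {"packageName": "com.example.crm", "installType": "FORCE_INSTALLED"},
    {"packageName": "com.example.vpn", "installType": "FORCE_INSTALLED"},
    {"packageName": "com.example.notes", "installType": "AVAILABLE"},
]}
DEVICES = [
    {"name": "enterprises/EXAMPLE/devices/dev1",
     "applicationReports": [
         {"packageName": "com.example.crm", SOURCE_FIELD: MANAGED_SOURCE},
         {"packageName": "com.example.sideloaded", SOURCE_FIELD: "CONSTRUCTED_OTHER_SOURCE"}]},
    {"name": "enterprises/EXAMPLE/devices/dev2",
     "applicationReports": [{"packageName": "com.example.crm", SOURCE_FIELD: MANAGED_SOURCE}],
     "nonComplianceDetails": [
         {"nonComplianceReason": "APP_NOT_UPDATED", "packageName": "com.example.vpn"},
         {"nonComplianceReason": "APP_NOT_INSTALLED", "packageName": "com.example.notes"}]},
    {"name": "enterprises/EXAMPLE/devices/dev3"},  # reported no apps at all
]

def triage(devices, policy):
    """Return (device, finding, package) tuples for follow-up."""
    apps = {a["packageName"]: a.get("installType") for a in policy.get("applications", [])}
    required = {p for p, t in apps.items() if t in REQUIRED_TYPES}
    findings = []
    for dev in devices:
        reports = dev.get("applicationReports")
        if not reports:
            # A missing report means unknown inventory, not a clean device.
            findings.append((dev["name"], "NO_APP_REPORT", None))
        for r in reports or []:
            if r.get(SOURCE_FIELD) != MANAGED_SOURCE:
                kind = "UNMANAGED_SOURCE" if r["packageName"] in apps else "UNMANAGED_NOT_IN_POLICY"
                findings.append((dev["name"], kind, r["packageName"]))
        for d in dev.get("nonComplianceDetails", []):
            if d.get("nonComplianceReason") in APP_REASONS and d.get("packageName") in required:
                findings.append((dev["name"], d["nonComplianceReason"], d["packageName"]))
    return findings

def block_candidates(findings):
    """Packages from an unmanaged source that the policy does not list."""
    return sorted({p for _, kind, p in findings if kind == "UNMANAGED_NOT_IN_POLICY"})

if __name__ == "__main__":
    for finding in triage(DEVICES, POLICY):
        print(finding)
```

Devices flagged NO_APP_REPORT need a follow-up check before being treated as compliant, since an empty report says nothing about what is installed.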
Known gotchas
applicationReports are populated only for apps that the device reports; apps that have never been opened may not appear in the report, leading to incomplete inventory
Adding an app to blockedApplications forces its removal from enrolled work profile or fully managed devices, but the user-facing message is generic; communicate proactively with affected users to avoid confusion
Policy changes are delivered to devices asynchronously via FCM (Firebase Cloud Messaging); if FCM connectivity is disrupted, the device will not receive the updated policy until it polls Jamf or reconnects