Define a policy document JSON with a policyEnforcementRules array; each rule specifies settingName, blockAfterDays, and wipeAfterDays thresholds
PATCH the policy to https://androidmanagement.googleapis.com/v1/{name=enterprises/*/policies/*} to push the updated enforcement configuration
Retrieve device records via GET https://androidmanagement.googleapis.com/v1/{parent=enterprises/*}/devices and inspect the nonComplianceDetails array on each device
Each nonComplianceDetail contains settingName, nonComplianceReason (API_LEVEL, MANAGEMENT_MODE, USER_ACTION, INVALID_VALUE, APP_NOT_INSTALLED, APP_NOT_UPDATED, UNSUPPORTED), and packageName if app-related
Automate remediation by issuing a device command (e.g., RESET_PASSWORD or REBOOT) via POST to https://androidmanagement.googleapis.com/v1/{name=enterprises/*/devices/*}:issueCommand
Monitor policyCompliant boolean on device records to track overall fleet compliance posture
Known gotchas
blockAfterDays counts from when non-compliance is first detected, not from policy creation; devices that were already non-compliant before the rule was added may be blocked sooner than expected
APP_NOT_INSTALLED non-compliance reason requires the app to be listed in the policy's applications array with installType set to FORCE_INSTALLED; simply requiring the app without forcing installation will not trigger auto-install
The WIPE action is irreversible and immediate once the wipeAfterDays threshold passes; test enforcement rules in a staging enterprise before applying to production
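An added example, not part of the original page: a triage pass over already-fetched policy and device JSON that computes the days left before block and wipe from the first-detection date, and flags APP_NOT_INSTALLED findings whose package is not FORCE_INSTALLED. The function name triage, the first_seen store and all sample data are constructed for illustration; each rule uses the API's nested blockAction and wipeAction objects.

```python
from datetime import date

def triage(policy, devices, first_seen, today):
    """List non-compliant settings per device with days left before block and wipe."""
    # first_seen: (device name, settingName) -> date our own polling first saw the
    # non-compliance (assumption: the caller persists this between polls).
    rules = {r["settingName"]: r for r in policy.get("policyEnforcementRules", [])}
    forced = {a["packageName"] for a in policy.get("applications", [])
              if a.get("installType") == "FORCE_INSTALLED"}
    findings = []
    for dev in (d for d in devices if not d.get("policyCompliant")):
        for detail in dev.get("nonComplianceDetails", []):
            setting, reason = detail["settingName"], detail.get("nonComplianceReason")
            item = {"device": dev["name"], "setting": setting, "reason": reason,
                    "days_to_block": None, "days_to_wipe": None, "notes": []}
            seen, rule = first_seen.get((dev["name"], setting)), rules.get(setting)
            if rule and seen:
                # The countdown starts at first detection, not at rule creation,
                # so a value <= 0 means the action is already due.
                age = (today - seen).days
                item["days_to_block"] = rule["blockAction"]["blockAfterDays"] - age
                item["days_to_wipe"] = rule["wipeAction"]["wipeAfterDays"] - age
            elif rule:
                item["notes"].append("first detection unknown; deadline may be near")
            if reason == "APP_NOT_INSTALLED" and detail.get("packageName") not in forced:
                item["notes"].append("package not FORCE_INSTALLED; no auto-install")
            findings.append(item)
    # Nearest wipe deadline first; entries without a known deadline go last.
    return sorted(findings, key=lambda f: (f["days_to_wipe"] is None, f["days_to_wipe"] or 0))

# Constructed sample data shaped like the API's Policy and Device resources.
POLICY = {
    "applications": [{"packageName": "com.example.vpn", "installType": "AVAILABLE"}],
    "policyEnforcementRules": [
        {"settingName": "passwordPolicies", "blockAction": {"blockAfterDays": 3},
         "wipeAction": {"wipeAfterDays": 10}},
        {"settingName": "applications", "blockAction": {"blockAfterDays": 1},
         "wipeAction": {"wipeAfterDays": 30}}]}
DEVICES = [
    {"name": "enterprises/LC0example/devices/aaa", "policyCompliant": True},
    {"name": "enterprises/LC0example/devices/bbb", "policyCompliant": False,
     "nonComplianceDetails": [
        {"settingName": "passwordPolicies", "nonComplianceReason": "USER_ACTION"},
        {"settingName": "applications", "nonComplianceReason": "APP_NOT_INSTALLED",
         "packageName": "com.example.vpn"}]}]
FIRST_SEEN = {("enterprises/LC0example/devices/bbb", "passwordPolicies"): date(2024, 5, 1)}

if __name__ == "__main__":
    print(*triage(POLICY, DEVICES, FIRST_SEEN, today=date(2024, 5, 6)), sep="\n")
```

Running it against a staging enterprise's data before adding a rule shows which devices would be blocked or wiped on day one.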