AMAPI has recently added a new state for enrolled devices that indicates to EMMs/EMM admins a device has been locked by a finance solution.


Per Google:

"This is a financed device that has been "locked" by the financing agent. This means certain policy settings have been applied which limit device functionality until the device has been "unlocked" by the financing agent. The device will continue to apply policy settings excluding those overridden by the financing agent. When the device is "locked", the state is reported in appliedState as DEACTIVATED_BY_DEVICE_FINANCE."

I've talked about Device Lock infrequently here, which is Google's financing platform built upon AMAPI and zero-touch with a custom DPC (or DLC, L for Lock, as they call it) and partner-supplied Kiosk app supporting a limited subset of restrictions:

  • Disable date and time
  • Disable developer options
  • Disable unknown sources
  • Disable safe boot
  • Disable adding new users
  • Disable outgoing calls

With Google's Device Policy Resolution Framework introduced with 14, (notes here), you can see how this ties in behind-the-scenes, where DLC (finance) has precedence over DPC (EMM).

The name of the state AMAPI returns here is not ideal necessarily, as I think it could be easily confused with disabled, wherein the device is actually blocked from all work apps and data until the cause of disablement is addressed. Based on the description of the state nothing is actually being deactivated; rather a limited set of APIs are being overridden by a higher precedence Device Controller. I'd likely have gone with something more akin to LOCKED_BY_DEVICE_FINANCE or RESTRICTIONS_OVERRIDDEN_FINANCE_LOCKED.

But hey, I'm not the PM.

Anyway, Device Lock appears to be picking up steam. I was generously offered a sneak peek at a partner's implementation a couple of weeks ago to see the type of experience coming to market (as I understand it, there are already solutions in-life too). Gauging just how mature an offering it is is difficult because it's a rather hush-hush solution locked away in Google's partner-only documentation that only certain OEMs and partners can access. Equally, OEMs are rolling out their own solutions, with Motorola, Samsung, HMD to name but a few implementing this outside of Google's desired approach.. further fragmenting the financing experience until Google makes their mandates in GMS/CDD requirements at some point.

Those latter solutions obviously won't show up in EMM as "Deactivated", but as Device Lock picks up, admins benefit from a little additional insight into device state going forward.