Can't block android.permission.INTERNET on specific Application using Android Management API

Question

I need to block network access to specific applications using Android management API.

I tried creating a policy something like that:

{
"applications": [
{
  "packageName": "com.google.android.googlequicksearchbox",
  "installType": "FORCE_INSTALLED",
  "permissionGrants": [
    {
      "permission": "android.permission.CHANGE_NETWORK_STATE",
      "policy": "DENY"
    },
    {
      "permission": "android.permission.INTERNET",
      "policy": "DENY"
    }
  ]
}
]}

However it doesn't work, when checking the device's non-compliance details I'm getting this:

{
"nonComplianceDetails": [
        {
          "settingName": "applications",
          "nonComplianceReason": "API_LEVEL",
          "packageName": "com.google.android.googlequicksearchbox",
          "fieldPath": "applications[1].permissionGrants"
        },
      ],
}

Which basically means that my version of android doesn't support this restriction, I tried it on API 30 & 31.

I can't find any documentation on blocking network access to applications, and on which API level it's supported, anyone with experience on that?

Answer 1

android.permission.INTERNET is a special permission which cannot be granted or denied

Answer 2

With Android Management API Resource:Policy PermissionGrant is used for runtime (dangerous) permissions. Both Internet and CHANGE_NETWORK_STATE permissions are normal permissions, meaning they're granted at install time and don't need to be requested at runtime. More than likely, this is the reason your policy is triggering non-compliance.

One potential solution to block this application from the internet is to require a VPN connection (that does not route to the internet) for this application.