The Accounts settings restrict users from configuring specific types of accounts on devices.

The following table describes the accounts that you can configure on a device:
Policy setting Description Supported devices
Configure restricted account types Account types in Android are specific to an app and are created when the app makes the appropriate calls to the operating system. When an app requires authentication, it can create its own unique account type. The format of an account type is similar to the app's bundle identifier or package name. Account types, along with their associated authenticators, ensure that only trusted apps can create accounts and interact with the Android account management system. By restricting the account types, you can prevent malicious apps from creating unauthorized accounts or accessing sensitive user information. For example:
  • This account type is used for Google accounts, including Gmail, Google Drive, and other Google services.
  • com.facebook.auth.login: This account type is associated with Facebook accounts, allowing apps to integrate with Facebook for authentication and access to user data.
  • This account type is associated with Microsoft Exchange accounts used for email, calendar, and contacts synchronization.
Android 5.0+ PO and DO
Configure Allowed Accounts (Allowlist) The accounts are considered acceptable to be configured on the device. However, this setting does not prevent users from adding accounts. The device is unaware of any blocklisting until the account is actually configured and the device reports the data to the MaaS360 compliance engine.

The MaaS360 variables such as %email% and %username% are used to allowlist directory data, or broader formats may be used to add a variety of accounts. For example, if you want to allow all Gmail accounts, you can add.* In this format, it is very important that the . [dot] comes before the * [star] so that the string recognizes all potential entries that come before

The devices with restricted accounts will appear as out of compliance, and custom actions may be enforced if necessary. If the desired result is to restrict users from adding any accounts at all, please refer to the Allow modification of accounts setting under Android Enterprise Settings > Security to prevent such actions.

The accounts that can be configured in the Work container. All other accounts are automatically restricted.
Supported placeholders
  • %deviceid%
  • %username%
  • %domain%
  • %email%
  • %upn%
Supported wildcards:
  • .*domain*
Android 5.0+ PO and DO
Restrict Personal Accounts in Google Play If this setting is enabled, MaaS360 blocks the use of personal Google accounts to install apps, but allows users to add personal Google accounts (to read their email in Gmail for example).
  • Applies to both G Suite and non-G Suite accounts.
  • The default setting is off (disabled).
Android 5.0+ (PO, WPCO & DO)
Configure Allowed Google Account By Domain

Allow only specific google accounts for mail access, play store access and other Google services on the device. All other accounts such as personal accounts would be blocked. If your organization uses G-Suite and enabled G-Suite binding with MaaS360, this policy can be used to restrict play store access only to corporate Google accounts.

If your organization uses G Suite and enabled G Suite binding with MaaS360, use this policy to restrict Play Store access to corporate Google accounts. For example, you can allow corporate domains such as so that personal accounts such as are automatically blocked. If you do not specify domains, users can add and sign in to Google services from any Google account.

  • If you allow, you must enter the complete email address (along with the suffix) to sign in.
  • When a domain is allowed, an error message is displayed on the sign-in screen if the email address does not match the allowed domain.
Android 5.0+ PO and DO