Accounts

The Accounts settings restrict users from configuring specific types of accounts on devices.

The following table describes the accounts that you can configure on a device:

Policy setting	Description	Supported devices
Configure restricted account types	Account types in Android are specific to an app and are created when the app makes the appropriate calls to the operating system. When an app requires authentication, it can create its own unique account type. The format of an account type is similar to the application's bundle identifier or package name. Account types, along with their associated authenticators, help ensure that only trusted apps can create accounts and interact with the Android account management system. By restricting the account types, you can prevent malicious apps from creating unauthorized accounts or accessing sensitive user information. For example, `com.google` - This account type is used for Google accounts, including Gmail, Google Drive, and other Google services. `com.facebook.auth.login` - This account type is associated with Facebook accounts, allowing apps to integrate with Facebook for authentication and access to user data. `com.microsoft.exchange` - This account type is associated with Microsoft Exchange accounts used for email, calendar, and contacts synchronization.	Android 5.0+ PO and DO
Configure Allowed Accounts (Allowlist)	The accounts are considered acceptable for configuration on the device. However, this setting does not prevent users from adding accounts. The device does not detect any block-listing until the account is configured, and the device reports the data to the MaaS360 compliance engine. The MaaS360 variables such as `%email%` and `%username%` are used to allowlist directory data. You can also use broader formats to add multiple accounts. The wildcards such as `.\Qstring\E.` are supported in Java™ regex syntax. This means that everything between "`\Q`" and "`\E`" is treated as a literal string so that all the characters such as '`@`' or '`.`' are interpreted as regular characters. The '`.`' pattern matches any sequence of characters. For example, if you require to support all the Gmail accounts, add `.\Q@gmail.com\E.`. In this format, it is important that the `.` (period) comes before the `` (asterisk) so that the string recognizes all potential entries that come before and after `gmail.com`. The devices with restricted accounts appear as out of compliance, and custom actions can be enforced if necessary. If the wanted result is to restrict users from adding any accounts at all, refer to the Allow modification of accounts setting under Android Enterprise Settings > Security to prevent such actions. The accounts can be configured in the Work container. All other accounts are automatically restricted. The following account placeholders are supported. `%deviceid%` `%username%` `%domain%` `%email%` `%upn%` The supported wildcard is `* .\Qdomain\E.{}`. If the admin sees the following as Out of Compliance, then those accounts are not in the client policy, For example, "`Account(s) not in allowlist: X, need to be removed.`" where `X` can be one of the following. `Office` `Email` `Work account` `Nora` `Drivers` `Meet` `Microsoft 365`	Android 5.0+ PO and DO
Restrict Personal Accounts in Google Play	If this setting is enabled, MaaS360 blocks the use of personal Google accounts to install apps, but allows users to add personal Google accounts (to read their email in Gmail for example). Note: Applies to both G Suite and non-G Suite accounts. The default setting is off.	Android 5.0+ (PO, WPCO and DO)
Configure Allowed Google Account By Domain	Allow only specific Google accounts for mail access, play store access and other Google services on the device. All other accounts such as personal accounts are blocked. If your organization uses G-Suite and enabled G-Suite binding with MaaS360, this policy can be used to restrict play store access only to corporate Google accounts. If your organization uses G Suite and enabled G Suite binding with MaaS360, use this policy to restrict Play Store access to corporate Google accounts. For example, you can allow corporate domains such as mycompany.org so that personal accounts such as gmail.com are automatically blocked. If you do not specify domains, users can add and sign in to Google services from any Google account. Note: If you allow gmail.com, you must enter the complete email address (along with the gmail.com suffix) to sign in. When a domain is allowed, an error message is displayed on the sign-in screen if the email address does not match the allowed domain.	Android 5.0+ PO and DO