This page provides an overview of the enterprise APIs, features, and behavior changes introduced in Android 17 (API level 37). Some of the new enterprise features and updates in Android 17 are described in the following sections:
Agentic Automation on Android
A framework is established for AI agents to automate app workflows while
preventing automation inside work profiles. On fully managed devices and the
personal profile of COPE devices, administrators can disable AI automation
entirely by leveraging the existing setNearbyAppStreamingPolicy.
Localhost Restriction
Cross-profile loopback traffic (e.g., to 127.0.0.1) is restricted in Android
17 to safeguard corporate data. Read the behavior change guide on blocking
cross profile loopback traffic for details.
Local Network Protection
Android 17 introduces the ACCESS_LOCAL_NETWORK runtime permission for apps to
discover and communicate with local devices. IT administrators can pre-grant
this permission using setPermissionGrantState() to prevent workflow
disruptions. For more information, refer to this local network permission
guide.
Enable Certificate Transparency by default
Certificate Transparency (CT) verification will be enabled by default for network connections to protect against MitM attacks. Connections relying on private or internal certificates may fail unless those domains are explicitly opted out using a custom Network Security Configuration.
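The following Network Security Configuration is an added example, not taken from the Android documentation. It keeps CT verification on for all connections and opts out a single internal domain, so the exception stays as narrow as possible. The domain internal.example.com and the raw resource corp_root_ca are placeholder assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Added example. Referenced from the manifest with
     android:networkSecurityConfig="@xml/network_security_config"
     on the <application> element. -->
<network-security-config>

    <!-- State the default explicitly: CT verification stays on for every
         host that is not matched by a domain-config below. -->
    <base-config>
        <certificateTransparency enabled="true" />
    </base-config>

    <!-- Opt out only the hosts served with certificates from a private CA.
         Those certificates are not submitted to public CT logs, so CT
         verification cannot succeed for them. -->
    <domain-config>
        <!-- Placeholder domain (assumption); list each internal domain
             explicitly rather than disabling CT in base-config. -->
        <domain includeSubdomains="true">internal.example.com</domain>
        <certificateTransparency enabled="false" />

        <!-- Assumption: the private root CA ships with the app as
             res/raw/corp_root_ca. Restricting trust anchors here means
             the opted-out domain accepts only that CA. -->
        <trust-anchors>
            <certificates src="@raw/corp_root_ca" />
        </trust-anchors>
    </domain-config>

</network-security-config>
```

Putting the opt-out in a domain-config rather than base-config keeps CT verification in force for every public endpoint the app contacts.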
Android Contacts Picker
The system Contacts Picker is enhanced to allow apps to receive full-fidelity
contact records across profile boundaries, transitioning to a secure one-by-one
user selection model. Cross-profile contact visibility remains governed by the
DevicePolicyManager.setCrossProfileContactsSearchDisabled policy.
Android HID API
Direct application access to raw Human Interface Device (HID) datastreams is now
gated behind the dangerous-level ACCESS_HID permission. Administrators can
implicitly block this access on enterprise-managed devices by using
DevicePolicyManager.setUsbDataSignalingEnabled to disable USB data
signaling.
USB4 and Thunderbolt Support
Android 17 enables high-speed USB4 and Thunderbolt PCIe tunneling, which actively respects
physical data layer restrictions. If USB data access is restricted using
DevicePolicyManager.setUsbDataSignalingEnabled, high-speed tunnels are
blocked to secure the device attack surface.
Device State for LLMs
Authorized assistant applications can use the App Functions framework to
consume device-level data for on-device agents, enabling context-aware
responses. This pipeline does not return any data from work profiles, and admins can
globally disable this pipeline using
DevicePolicyManager.setAppFunctionsPolicy with the
DevicePolicyManager.APP_FUNCTIONS_DISABLED flag.