android android-management-api android-enterprise

Is it secure to pass secrets to kiosk devices using `managedConfiguration` in an Android Management policy?


Using the managedConfiguration under ApplicationPolicy inside an enterprises.policies, we can apply certain configurations to a managed app.

Is it secure / correct to use this managedConfiguration to pass some secrets to the device, or should I use something else?

If not, what would be the better / more secure way to achieve this?

(FYI, I was planning to pass an API key to some dedicated devices so that they could call some API at my server)


Solution

  • It is not recommended to use the managed configuration to pass an API key to dedicated devices. You can try using a security key manager like the Secret Manager API from Google. Additionally, we do have an excellent guide for best practices around API Keys management from our developer documentation, although it is not Android specific.
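
One way to enforce the recommendation above before a policy is pushed, as an added example (not part of the original answer and not Google's code): a lint that walks each `applications[].managedConfiguration` in a policy body and flags entries that look like credentials. The key-name pattern and the entropy threshold are assumptions of this example, and the sample policy is constructed.

```python
import math
import re
from collections import Counter

# Heuristics below are assumptions of this example, not Android Management API rules.
SECRET_NAME = re.compile(r"api[_-]?key|secret|token|passw(or)?d|private[_-]?key", re.I)

def shannon_entropy(value):
    """Bits per character; random keys score higher than words or URLs."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def walk(node, path=""):
    """Yield (path, leaf value) for every leaf of a nested managedConfiguration."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    else:
        yield path, node

def find_secrets(policy):
    """Return (packageName, config path, reason) for each suspicious entry."""
    findings = []
    for app in policy.get("applications", []):
        for path, value in walk(app.get("managedConfiguration", {})):
            if SECRET_NAME.search(path):
                findings.append((app.get("packageName"), path, "name"))
            elif isinstance(value, str) and len(value) >= 20 and shannon_entropy(value) >= 4.0:
                findings.append((app.get("packageName"), path, "entropy"))
    return findings

# Constructed sample policy; package names and values are made up.
SAMPLE_POLICY = {"applications": [
    {"packageName": "com.example.kiosk", "installType": "KIOSK",
     "managedConfiguration": {
         "server_url": "https://api.example.com",
         "backend": {"api_key": "EXAMPLE-NOT-A-REAL-KEY"},
         "device_blob": "q7Zp2LxV9mKd4RtY8sWb3NcF6hJ"}},
    {"packageName": "com.example.viewer", "installType": "FORCE_INSTALLED"},
]}

if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_POLICY):
        print(finding)
```

Run it in CI against the policy JSON before calling `enterprises.policies.patch`; a finding means the value belongs in a secret store rather than in the policy.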