DevicePolicyManager.java revision 6d36b60bebe77b88e0aff6cefb027f8c6f4716be
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17package android.app.admin; 18 19import org.xmlpull.v1.XmlPullParserException; 20 21import android.annotation.SdkConstant; 22import android.annotation.SdkConstant.SdkConstantType; 23import android.content.ComponentName; 24import android.content.Context; 25import android.content.IntentFilter; 26import android.content.pm.ActivityInfo; 27import android.content.pm.PackageManager; 28import android.content.pm.ResolveInfo; 29import android.os.Handler; 30import android.os.Process; 31import android.os.RemoteCallback; 32import android.os.RemoteException; 33import android.os.ServiceManager; 34import android.os.UserHandle; 35import android.util.Log; 36 37import com.android.org.conscrypt.TrustedCertificateStore; 38 39import java.io.ByteArrayInputStream; 40import java.io.IOException; 41import java.net.InetSocketAddress; 42import java.net.Proxy; 43import java.security.cert.CertificateException; 44import java.security.cert.CertificateFactory; 45import java.security.cert.X509Certificate; 46import java.util.List; 47import java.util.Set; 48 49/** 50 * Public interface for managing policies enforced on a device. Most clients 51 * of this class must have published a {@link DeviceAdminReceiver} that the user 52 * has currently enabled. 53 * 54 * <div class="special reference"> 55 * <h3>Developer Guides</h3> 56 * <p>For more information about managing policies for device adminstration, read the 57 * <a href="{@docRoot}guide/topics/admin/device-admin.html">Device Administration</a> 58 * developer guide.</p> 59 * </div> 60 */ 61public class DevicePolicyManager { 62 private static String TAG = "DevicePolicyManager"; 63 64 private final Context mContext; 65 private final IDevicePolicyManager mService; 66 67 private DevicePolicyManager(Context context, Handler handler) { 68 mContext = context; 69 mService = IDevicePolicyManager.Stub.asInterface( 70 ServiceManager.getService(Context.DEVICE_POLICY_SERVICE)); 71 } 72 73 /** @hide */ 74 public static DevicePolicyManager create(Context context, Handler handler) { 75 DevicePolicyManager me = new DevicePolicyManager(context, handler); 76 return me.mService != null ? me : null; 77 } 78 79 /** 80 * Activity action: Starts the provisioning flow which sets up a managed profile. 81 * This intent will typically be sent by a mobile device management application(mdm). 82 * Managed profile provisioning creates a profile, moves the mdm to the profile, 83 * sets the mdm as the profile owner and removes all non required applications from the profile. 84 * As a profile owner the mdm than has full control over the managed profile. 85 * 86 * <p>The intent must contain the extras {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME} and 87 * {@link #EXTRA_PROVISIONING_DEFAULT_MANAGED_PROFILE_NAME}. 88 * 89 * <p> When managed provisioning has completed, an intent of the type 90 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE} is broadcasted to the 91 * mdm app on the managed profile. 92 * 93 * <p>Input: Nothing.</p> 94 * <p>Output: Nothing</p> 95 */ 96 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 97 public static final String ACTION_PROVISION_MANAGED_PROFILE 98 = "android.app.action.ACTION_PROVISION_MANAGED_PROFILE"; 99 100 /** 101 * A String extra holding the name of the package of the mobile device management application 102 * that starts the managed provisioning flow. This package will be set as the profile owner. 103 * <p>Use with {@link #ACTION_PROVISION_MANAGED_PROFILE}. 104 */ 105 public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME 106 = "deviceAdminPackageName"; 107 108 /** 109 * A String extra holding the default name of the profile that is created during managed profile 110 * provisioning. 111 * <p>Use with {@link #ACTION_PROVISION_MANAGED_PROFILE} 112 */ 113 public static final String EXTRA_PROVISIONING_DEFAULT_MANAGED_PROFILE_NAME 114 = "defaultManagedProfileName"; 115 116 /** 117 * Activity action: ask the user to add a new device administrator to the system. 118 * The desired policy is the ComponentName of the policy in the 119 * {@link #EXTRA_DEVICE_ADMIN} extra field. This will invoke a UI to 120 * bring the user through adding the device administrator to the system (or 121 * allowing them to reject it). 122 * 123 * <p>You can optionally include the {@link #EXTRA_ADD_EXPLANATION} 124 * field to provide the user with additional explanation (in addition 125 * to your component's description) about what is being added. 126 * 127 * <p>If your administrator is already active, this will ordinarily return immediately (without 128 * user intervention). However, if your administrator has been updated and is requesting 129 * additional uses-policy flags, the user will be presented with the new list. New policies 130 * will not be available to the updated administrator until the user has accepted the new list. 131 */ 132 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 133 public static final String ACTION_ADD_DEVICE_ADMIN 134 = "android.app.action.ADD_DEVICE_ADMIN"; 135 136 /** 137 * Activity action: send when any policy admin changes a policy. 138 * This is generally used to find out when a new policy is in effect. 139 * 140 * @hide 141 */ 142 public static final String ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED 143 = "android.app.action.DEVICE_POLICY_MANAGER_STATE_CHANGED"; 144 145 /** 146 * The ComponentName of the administrator component. 147 * 148 * @see #ACTION_ADD_DEVICE_ADMIN 149 */ 150 public static final String EXTRA_DEVICE_ADMIN = "android.app.extra.DEVICE_ADMIN"; 151 152 /** 153 * An optional CharSequence providing additional explanation for why the 154 * admin is being added. 155 * 156 * @see #ACTION_ADD_DEVICE_ADMIN 157 */ 158 public static final String EXTRA_ADD_EXPLANATION = "android.app.extra.ADD_EXPLANATION"; 159 160 /** 161 * Activity action: have the user enter a new password. This activity should 162 * be launched after using {@link #setPasswordQuality(ComponentName, int)}, 163 * or {@link #setPasswordMinimumLength(ComponentName, int)} to have the user 164 * enter a new password that meets the current requirements. You can use 165 * {@link #isActivePasswordSufficient()} to determine whether you need to 166 * have the user select a new password in order to meet the current 167 * constraints. Upon being resumed from this activity, you can check the new 168 * password characteristics to see if they are sufficient. 169 */ 170 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 171 public static final String ACTION_SET_NEW_PASSWORD 172 = "android.app.action.SET_NEW_PASSWORD"; 173 174 /** 175 * Return true if the given administrator component is currently 176 * active (enabled) in the system. 177 */ 178 public boolean isAdminActive(ComponentName who) { 179 if (mService != null) { 180 try { 181 return mService.isAdminActive(who, UserHandle.myUserId()); 182 } catch (RemoteException e) { 183 Log.w(TAG, "Failed talking with device policy service", e); 184 } 185 } 186 return false; 187 } 188 189 /** 190 * Return a list of all currently active device administrator's component 191 * names. Note that if there are no administrators than null may be 192 * returned. 193 */ 194 public List<ComponentName> getActiveAdmins() { 195 if (mService != null) { 196 try { 197 return mService.getActiveAdmins(UserHandle.myUserId()); 198 } catch (RemoteException e) { 199 Log.w(TAG, "Failed talking with device policy service", e); 200 } 201 } 202 return null; 203 } 204 205 /** 206 * Used by package administration code to determine if a package can be stopped 207 * or uninstalled. 208 * @hide 209 */ 210 public boolean packageHasActiveAdmins(String packageName) { 211 if (mService != null) { 212 try { 213 return mService.packageHasActiveAdmins(packageName, UserHandle.myUserId()); 214 } catch (RemoteException e) { 215 Log.w(TAG, "Failed talking with device policy service", e); 216 } 217 } 218 return false; 219 } 220 221 /** 222 * Remove a current administration component. This can only be called 223 * by the application that owns the administration component; if you 224 * try to remove someone else's component, a security exception will be 225 * thrown. 226 */ 227 public void removeActiveAdmin(ComponentName who) { 228 if (mService != null) { 229 try { 230 mService.removeActiveAdmin(who, UserHandle.myUserId()); 231 } catch (RemoteException e) { 232 Log.w(TAG, "Failed talking with device policy service", e); 233 } 234 } 235 } 236 237 /** 238 * Returns true if an administrator has been granted a particular device policy. This can 239 * be used to check if the administrator was activated under an earlier set of policies, 240 * but requires additional policies after an upgrade. 241 * 242 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. Must be 243 * an active administrator, or an exception will be thrown. 244 * @param usesPolicy Which uses-policy to check, as defined in {@link DeviceAdminInfo}. 245 */ 246 public boolean hasGrantedPolicy(ComponentName admin, int usesPolicy) { 247 if (mService != null) { 248 try { 249 return mService.hasGrantedPolicy(admin, usesPolicy, UserHandle.myUserId()); 250 } catch (RemoteException e) { 251 Log.w(TAG, "Failed talking with device policy service", e); 252 } 253 } 254 return false; 255 } 256 257 /** 258 * Constant for {@link #setPasswordQuality}: the policy has no requirements 259 * for the password. Note that quality constants are ordered so that higher 260 * values are more restrictive. 261 */ 262 public static final int PASSWORD_QUALITY_UNSPECIFIED = 0; 263 264 /** 265 * Constant for {@link #setPasswordQuality}: the policy allows for low-security biometric 266 * recognition technology. This implies technologies that can recognize the identity of 267 * an individual to about a 3 digit PIN (false detection is less than 1 in 1,000). 268 * Note that quality constants are ordered so that higher values are more restrictive. 269 */ 270 public static final int PASSWORD_QUALITY_BIOMETRIC_WEAK = 0x8000; 271 272 /** 273 * Constant for {@link #setPasswordQuality}: the policy requires some kind 274 * of password, but doesn't care what it is. Note that quality constants 275 * are ordered so that higher values are more restrictive. 276 */ 277 public static final int PASSWORD_QUALITY_SOMETHING = 0x10000; 278 279 /** 280 * Constant for {@link #setPasswordQuality}: the user must have entered a 281 * password containing at least numeric characters. Note that quality 282 * constants are ordered so that higher values are more restrictive. 283 */ 284 public static final int PASSWORD_QUALITY_NUMERIC = 0x20000; 285 286 /** 287 * Constant for {@link #setPasswordQuality}: the user must have entered a 288 * password containing at least alphabetic (or other symbol) characters. 289 * Note that quality constants are ordered so that higher values are more 290 * restrictive. 291 */ 292 public static final int PASSWORD_QUALITY_ALPHABETIC = 0x40000; 293 294 /** 295 * Constant for {@link #setPasswordQuality}: the user must have entered a 296 * password containing at least <em>both></em> numeric <em>and</em> 297 * alphabetic (or other symbol) characters. Note that quality constants are 298 * ordered so that higher values are more restrictive. 299 */ 300 public static final int PASSWORD_QUALITY_ALPHANUMERIC = 0x50000; 301 302 /** 303 * Constant for {@link #setPasswordQuality}: the user must have entered a 304 * password containing at least a letter, a numerical digit and a special 305 * symbol, by default. With this password quality, passwords can be 306 * restricted to contain various sets of characters, like at least an 307 * uppercase letter, etc. These are specified using various methods, 308 * like {@link #setPasswordMinimumLowerCase(ComponentName, int)}. Note 309 * that quality constants are ordered so that higher values are more 310 * restrictive. 311 */ 312 public static final int PASSWORD_QUALITY_COMPLEX = 0x60000; 313 314 /** 315 * Called by an application that is administering the device to set the 316 * password restrictions it is imposing. After setting this, the user 317 * will not be able to enter a new password that is not at least as 318 * restrictive as what has been set. Note that the current password 319 * will remain until the user has set a new one, so the change does not 320 * take place immediately. To prompt the user for a new password, use 321 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. 322 * 323 * <p>Quality constants are ordered so that higher values are more restrictive; 324 * thus the highest requested quality constant (between the policy set here, 325 * the user's preference, and any other considerations) is the one that 326 * is in effect. 327 * 328 * <p>The calling device admin must have requested 329 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 330 * this method; if it has not, a security exception will be thrown. 331 * 332 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 333 * @param quality The new desired quality. One of 334 * {@link #PASSWORD_QUALITY_UNSPECIFIED}, {@link #PASSWORD_QUALITY_SOMETHING}, 335 * {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_ALPHABETIC}, 336 * {@link #PASSWORD_QUALITY_ALPHANUMERIC} or {@link #PASSWORD_QUALITY_COMPLEX}. 337 */ 338 public void setPasswordQuality(ComponentName admin, int quality) { 339 if (mService != null) { 340 try { 341 mService.setPasswordQuality(admin, quality, UserHandle.myUserId()); 342 } catch (RemoteException e) { 343 Log.w(TAG, "Failed talking with device policy service", e); 344 } 345 } 346 } 347 348 /** 349 * Retrieve the current minimum password quality for all admins 350 * or a particular one. 351 * @param admin The name of the admin component to check, or null to aggregate 352 * all admins. 353 */ 354 public int getPasswordQuality(ComponentName admin) { 355 return getPasswordQuality(admin, UserHandle.myUserId()); 356 } 357 358 /** @hide per-user version */ 359 public int getPasswordQuality(ComponentName admin, int userHandle) { 360 if (mService != null) { 361 try { 362 return mService.getPasswordQuality(admin, userHandle); 363 } catch (RemoteException e) { 364 Log.w(TAG, "Failed talking with device policy service", e); 365 } 366 } 367 return PASSWORD_QUALITY_UNSPECIFIED; 368 } 369 370 /** 371 * Called by an application that is administering the device to set the 372 * minimum allowed password length. After setting this, the user 373 * will not be able to enter a new password that is not at least as 374 * restrictive as what has been set. Note that the current password 375 * will remain until the user has set a new one, so the change does not 376 * take place immediately. To prompt the user for a new password, use 377 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 378 * constraint is only imposed if the administrator has also requested either 379 * {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_ALPHABETIC} 380 * {@link #PASSWORD_QUALITY_ALPHANUMERIC}, or {@link #PASSWORD_QUALITY_COMPLEX} 381 * with {@link #setPasswordQuality}. 382 * 383 * <p>The calling device admin must have requested 384 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 385 * this method; if it has not, a security exception will be thrown. 386 * 387 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 388 * @param length The new desired minimum password length. A value of 0 389 * means there is no restriction. 390 */ 391 public void setPasswordMinimumLength(ComponentName admin, int length) { 392 if (mService != null) { 393 try { 394 mService.setPasswordMinimumLength(admin, length, UserHandle.myUserId()); 395 } catch (RemoteException e) { 396 Log.w(TAG, "Failed talking with device policy service", e); 397 } 398 } 399 } 400 401 /** 402 * Retrieve the current minimum password length for all admins 403 * or a particular one. 404 * @param admin The name of the admin component to check, or null to aggregate 405 * all admins. 406 */ 407 public int getPasswordMinimumLength(ComponentName admin) { 408 return getPasswordMinimumLength(admin, UserHandle.myUserId()); 409 } 410 411 /** @hide per-user version */ 412 public int getPasswordMinimumLength(ComponentName admin, int userHandle) { 413 if (mService != null) { 414 try { 415 return mService.getPasswordMinimumLength(admin, userHandle); 416 } catch (RemoteException e) { 417 Log.w(TAG, "Failed talking with device policy service", e); 418 } 419 } 420 return 0; 421 } 422 423 /** 424 * Called by an application that is administering the device to set the 425 * minimum number of upper case letters required in the password. After 426 * setting this, the user will not be able to enter a new password that is 427 * not at least as restrictive as what has been set. Note that the current 428 * password will remain until the user has set a new one, so the change does 429 * not take place immediately. To prompt the user for a new password, use 430 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 431 * constraint is only imposed if the administrator has also requested 432 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 433 * default value is 0. 434 * <p> 435 * The calling device admin must have requested 436 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 437 * this method; if it has not, a security exception will be thrown. 438 * 439 * @param admin Which {@link DeviceAdminReceiver} this request is associated 440 * with. 441 * @param length The new desired minimum number of upper case letters 442 * required in the password. A value of 0 means there is no 443 * restriction. 444 */ 445 public void setPasswordMinimumUpperCase(ComponentName admin, int length) { 446 if (mService != null) { 447 try { 448 mService.setPasswordMinimumUpperCase(admin, length, UserHandle.myUserId()); 449 } catch (RemoteException e) { 450 Log.w(TAG, "Failed talking with device policy service", e); 451 } 452 } 453 } 454 455 /** 456 * Retrieve the current number of upper case letters required in the 457 * password for all admins or a particular one. This is the same value as 458 * set by {#link {@link #setPasswordMinimumUpperCase(ComponentName, int)} 459 * and only applies when the password quality is 460 * {@link #PASSWORD_QUALITY_COMPLEX}. 461 * 462 * @param admin The name of the admin component to check, or null to 463 * aggregate all admins. 464 * @return The minimum number of upper case letters required in the 465 * password. 466 */ 467 public int getPasswordMinimumUpperCase(ComponentName admin) { 468 return getPasswordMinimumUpperCase(admin, UserHandle.myUserId()); 469 } 470 471 /** @hide per-user version */ 472 public int getPasswordMinimumUpperCase(ComponentName admin, int userHandle) { 473 if (mService != null) { 474 try { 475 return mService.getPasswordMinimumUpperCase(admin, userHandle); 476 } catch (RemoteException e) { 477 Log.w(TAG, "Failed talking with device policy service", e); 478 } 479 } 480 return 0; 481 } 482 483 /** 484 * Called by an application that is administering the device to set the 485 * minimum number of lower case letters required in the password. After 486 * setting this, the user will not be able to enter a new password that is 487 * not at least as restrictive as what has been set. Note that the current 488 * password will remain until the user has set a new one, so the change does 489 * not take place immediately. To prompt the user for a new password, use 490 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 491 * constraint is only imposed if the administrator has also requested 492 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 493 * default value is 0. 494 * <p> 495 * The calling device admin must have requested 496 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 497 * this method; if it has not, a security exception will be thrown. 498 * 499 * @param admin Which {@link DeviceAdminReceiver} this request is associated 500 * with. 501 * @param length The new desired minimum number of lower case letters 502 * required in the password. A value of 0 means there is no 503 * restriction. 504 */ 505 public void setPasswordMinimumLowerCase(ComponentName admin, int length) { 506 if (mService != null) { 507 try { 508 mService.setPasswordMinimumLowerCase(admin, length, UserHandle.myUserId()); 509 } catch (RemoteException e) { 510 Log.w(TAG, "Failed talking with device policy service", e); 511 } 512 } 513 } 514 515 /** 516 * Retrieve the current number of lower case letters required in the 517 * password for all admins or a particular one. This is the same value as 518 * set by {#link {@link #setPasswordMinimumLowerCase(ComponentName, int)} 519 * and only applies when the password quality is 520 * {@link #PASSWORD_QUALITY_COMPLEX}. 521 * 522 * @param admin The name of the admin component to check, or null to 523 * aggregate all admins. 524 * @return The minimum number of lower case letters required in the 525 * password. 526 */ 527 public int getPasswordMinimumLowerCase(ComponentName admin) { 528 return getPasswordMinimumLowerCase(admin, UserHandle.myUserId()); 529 } 530 531 /** @hide per-user version */ 532 public int getPasswordMinimumLowerCase(ComponentName admin, int userHandle) { 533 if (mService != null) { 534 try { 535 return mService.getPasswordMinimumLowerCase(admin, userHandle); 536 } catch (RemoteException e) { 537 Log.w(TAG, "Failed talking with device policy service", e); 538 } 539 } 540 return 0; 541 } 542 543 /** 544 * Called by an application that is administering the device to set the 545 * minimum number of letters required in the password. After setting this, 546 * the user will not be able to enter a new password that is not at least as 547 * restrictive as what has been set. Note that the current password will 548 * remain until the user has set a new one, so the change does not take 549 * place immediately. To prompt the user for a new password, use 550 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 551 * constraint is only imposed if the administrator has also requested 552 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 553 * default value is 1. 554 * <p> 555 * The calling device admin must have requested 556 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 557 * this method; if it has not, a security exception will be thrown. 558 * 559 * @param admin Which {@link DeviceAdminReceiver} this request is associated 560 * with. 561 * @param length The new desired minimum number of letters required in the 562 * password. A value of 0 means there is no restriction. 563 */ 564 public void setPasswordMinimumLetters(ComponentName admin, int length) { 565 if (mService != null) { 566 try { 567 mService.setPasswordMinimumLetters(admin, length, UserHandle.myUserId()); 568 } catch (RemoteException e) { 569 Log.w(TAG, "Failed talking with device policy service", e); 570 } 571 } 572 } 573 574 /** 575 * Retrieve the current number of letters required in the password for all 576 * admins or a particular one. This is the same value as 577 * set by {#link {@link #setPasswordMinimumLetters(ComponentName, int)} 578 * and only applies when the password quality is 579 * {@link #PASSWORD_QUALITY_COMPLEX}. 580 * 581 * @param admin The name of the admin component to check, or null to 582 * aggregate all admins. 583 * @return The minimum number of letters required in the password. 584 */ 585 public int getPasswordMinimumLetters(ComponentName admin) { 586 return getPasswordMinimumLetters(admin, UserHandle.myUserId()); 587 } 588 589 /** @hide per-user version */ 590 public int getPasswordMinimumLetters(ComponentName admin, int userHandle) { 591 if (mService != null) { 592 try { 593 return mService.getPasswordMinimumLetters(admin, userHandle); 594 } catch (RemoteException e) { 595 Log.w(TAG, "Failed talking with device policy service", e); 596 } 597 } 598 return 0; 599 } 600 601 /** 602 * Called by an application that is administering the device to set the 603 * minimum number of numerical digits required in the password. After 604 * setting this, the user will not be able to enter a new password that is 605 * not at least as restrictive as what has been set. Note that the current 606 * password will remain until the user has set a new one, so the change does 607 * not take place immediately. To prompt the user for a new password, use 608 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 609 * constraint is only imposed if the administrator has also requested 610 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 611 * default value is 1. 612 * <p> 613 * The calling device admin must have requested 614 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 615 * this method; if it has not, a security exception will be thrown. 616 * 617 * @param admin Which {@link DeviceAdminReceiver} this request is associated 618 * with. 619 * @param length The new desired minimum number of numerical digits required 620 * in the password. A value of 0 means there is no restriction. 621 */ 622 public void setPasswordMinimumNumeric(ComponentName admin, int length) { 623 if (mService != null) { 624 try { 625 mService.setPasswordMinimumNumeric(admin, length, UserHandle.myUserId()); 626 } catch (RemoteException e) { 627 Log.w(TAG, "Failed talking with device policy service", e); 628 } 629 } 630 } 631 632 /** 633 * Retrieve the current number of numerical digits required in the password 634 * for all admins or a particular one. This is the same value as 635 * set by {#link {@link #setPasswordMinimumNumeric(ComponentName, int)} 636 * and only applies when the password quality is 637 * {@link #PASSWORD_QUALITY_COMPLEX}. 638 * 639 * @param admin The name of the admin component to check, or null to 640 * aggregate all admins. 641 * @return The minimum number of numerical digits required in the password. 642 */ 643 public int getPasswordMinimumNumeric(ComponentName admin) { 644 return getPasswordMinimumNumeric(admin, UserHandle.myUserId()); 645 } 646 647 /** @hide per-user version */ 648 public int getPasswordMinimumNumeric(ComponentName admin, int userHandle) { 649 if (mService != null) { 650 try { 651 return mService.getPasswordMinimumNumeric(admin, userHandle); 652 } catch (RemoteException e) { 653 Log.w(TAG, "Failed talking with device policy service", e); 654 } 655 } 656 return 0; 657 } 658 659 /** 660 * Called by an application that is administering the device to set the 661 * minimum number of symbols required in the password. After setting this, 662 * the user will not be able to enter a new password that is not at least as 663 * restrictive as what has been set. Note that the current password will 664 * remain until the user has set a new one, so the change does not take 665 * place immediately. To prompt the user for a new password, use 666 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 667 * constraint is only imposed if the administrator has also requested 668 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 669 * default value is 1. 670 * <p> 671 * The calling device admin must have requested 672 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 673 * this method; if it has not, a security exception will be thrown. 674 * 675 * @param admin Which {@link DeviceAdminReceiver} this request is associated 676 * with. 677 * @param length The new desired minimum number of symbols required in the 678 * password. A value of 0 means there is no restriction. 679 */ 680 public void setPasswordMinimumSymbols(ComponentName admin, int length) { 681 if (mService != null) { 682 try { 683 mService.setPasswordMinimumSymbols(admin, length, UserHandle.myUserId()); 684 } catch (RemoteException e) { 685 Log.w(TAG, "Failed talking with device policy service", e); 686 } 687 } 688 } 689 690 /** 691 * Retrieve the current number of symbols required in the password for all 692 * admins or a particular one. This is the same value as 693 * set by {#link {@link #setPasswordMinimumSymbols(ComponentName, int)} 694 * and only applies when the password quality is 695 * {@link #PASSWORD_QUALITY_COMPLEX}. 696 * 697 * @param admin The name of the admin component to check, or null to 698 * aggregate all admins. 699 * @return The minimum number of symbols required in the password. 700 */ 701 public int getPasswordMinimumSymbols(ComponentName admin) { 702 return getPasswordMinimumSymbols(admin, UserHandle.myUserId()); 703 } 704 705 /** @hide per-user version */ 706 public int getPasswordMinimumSymbols(ComponentName admin, int userHandle) { 707 if (mService != null) { 708 try { 709 return mService.getPasswordMinimumSymbols(admin, userHandle); 710 } catch (RemoteException e) { 711 Log.w(TAG, "Failed talking with device policy service", e); 712 } 713 } 714 return 0; 715 } 716 717 /** 718 * Called by an application that is administering the device to set the 719 * minimum number of non-letter characters (numerical digits or symbols) 720 * required in the password. After setting this, the user will not be able 721 * to enter a new password that is not at least as restrictive as what has 722 * been set. Note that the current password will remain until the user has 723 * set a new one, so the change does not take place immediately. To prompt 724 * the user for a new password, use {@link #ACTION_SET_NEW_PASSWORD} after 725 * setting this value. This constraint is only imposed if the administrator 726 * has also requested {@link #PASSWORD_QUALITY_COMPLEX} with 727 * {@link #setPasswordQuality}. The default value is 0. 728 * <p> 729 * The calling device admin must have requested 730 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 731 * this method; if it has not, a security exception will be thrown. 732 * 733 * @param admin Which {@link DeviceAdminReceiver} this request is associated 734 * with. 735 * @param length The new desired minimum number of letters required in the 736 * password. A value of 0 means there is no restriction. 737 */ 738 public void setPasswordMinimumNonLetter(ComponentName admin, int length) { 739 if (mService != null) { 740 try { 741 mService.setPasswordMinimumNonLetter(admin, length, UserHandle.myUserId()); 742 } catch (RemoteException e) { 743 Log.w(TAG, "Failed talking with device policy service", e); 744 } 745 } 746 } 747 748 /** 749 * Retrieve the current number of non-letter characters required in the 750 * password for all admins or a particular one. This is the same value as 751 * set by {#link {@link #setPasswordMinimumNonLetter(ComponentName, int)} 752 * and only applies when the password quality is 753 * {@link #PASSWORD_QUALITY_COMPLEX}. 754 * 755 * @param admin The name of the admin component to check, or null to 756 * aggregate all admins. 757 * @return The minimum number of letters required in the password. 758 */ 759 public int getPasswordMinimumNonLetter(ComponentName admin) { 760 return getPasswordMinimumNonLetter(admin, UserHandle.myUserId()); 761 } 762 763 /** @hide per-user version */ 764 public int getPasswordMinimumNonLetter(ComponentName admin, int userHandle) { 765 if (mService != null) { 766 try { 767 return mService.getPasswordMinimumNonLetter(admin, userHandle); 768 } catch (RemoteException e) { 769 Log.w(TAG, "Failed talking with device policy service", e); 770 } 771 } 772 return 0; 773 } 774 775 /** 776 * Called by an application that is administering the device to set the length 777 * of the password history. After setting this, the user will not be able to 778 * enter a new password that is the same as any password in the history. Note 779 * that the current password will remain until the user has set a new one, so 780 * the change does not take place immediately. To prompt the user for a new 781 * password, use {@link #ACTION_SET_NEW_PASSWORD} after setting this value. 782 * This constraint is only imposed if the administrator has also requested 783 * either {@link #PASSWORD_QUALITY_NUMERIC}, 784 * {@link #PASSWORD_QUALITY_ALPHABETIC}, or 785 * {@link #PASSWORD_QUALITY_ALPHANUMERIC} with {@link #setPasswordQuality}. 786 * 787 * <p> 788 * The calling device admin must have requested 789 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call this 790 * method; if it has not, a security exception will be thrown. 791 * 792 * @param admin Which {@link DeviceAdminReceiver} this request is associated 793 * with. 794 * @param length The new desired length of password history. A value of 0 795 * means there is no restriction. 796 */ 797 public void setPasswordHistoryLength(ComponentName admin, int length) { 798 if (mService != null) { 799 try { 800 mService.setPasswordHistoryLength(admin, length, UserHandle.myUserId()); 801 } catch (RemoteException e) { 802 Log.w(TAG, "Failed talking with device policy service", e); 803 } 804 } 805 } 806 807 /** 808 * Called by a device admin to set the password expiration timeout. Calling this method 809 * will restart the countdown for password expiration for the given admin, as will changing 810 * the device password (for all admins). 811 * 812 * <p>The provided timeout is the time delta in ms and will be added to the current time. 813 * For example, to have the password expire 5 days from now, timeout would be 814 * 5 * 86400 * 1000 = 432000000 ms for timeout. 815 * 816 * <p>To disable password expiration, a value of 0 may be used for timeout. 817 * 818 * <p>The calling device admin must have requested 819 * {@link DeviceAdminInfo#USES_POLICY_EXPIRE_PASSWORD} to be able to call this 820 * method; if it has not, a security exception will be thrown. 821 * 822 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 823 * @param timeout The limit (in ms) that a password can remain in effect. A value of 0 824 * means there is no restriction (unlimited). 825 */ 826 public void setPasswordExpirationTimeout(ComponentName admin, long timeout) { 827 if (mService != null) { 828 try { 829 mService.setPasswordExpirationTimeout(admin, timeout, UserHandle.myUserId()); 830 } catch (RemoteException e) { 831 Log.w(TAG, "Failed talking with device policy service", e); 832 } 833 } 834 } 835 836 /** 837 * Get the password expiration timeout for the given admin. The expiration timeout is the 838 * recurring expiration timeout provided in the call to 839 * {@link #setPasswordExpirationTimeout(ComponentName, long)} for the given admin or the 840 * aggregate of all policy administrators if admin is null. 841 * 842 * @param admin The name of the admin component to check, or null to aggregate all admins. 843 * @return The timeout for the given admin or the minimum of all timeouts 844 */ 845 public long getPasswordExpirationTimeout(ComponentName admin) { 846 if (mService != null) { 847 try { 848 return mService.getPasswordExpirationTimeout(admin, UserHandle.myUserId()); 849 } catch (RemoteException e) { 850 Log.w(TAG, "Failed talking with device policy service", e); 851 } 852 } 853 return 0; 854 } 855 856 /** 857 * Get the current password expiration time for the given admin or an aggregate of 858 * all admins if admin is null. If the password is expired, this will return the time since 859 * the password expired as a negative number. If admin is null, then a composite of all 860 * expiration timeouts is returned - which will be the minimum of all timeouts. 861 * 862 * @param admin The name of the admin component to check, or null to aggregate all admins. 863 * @return The password expiration time, in ms. 864 */ 865 public long getPasswordExpiration(ComponentName admin) { 866 if (mService != null) { 867 try { 868 return mService.getPasswordExpiration(admin, UserHandle.myUserId()); 869 } catch (RemoteException e) { 870 Log.w(TAG, "Failed talking with device policy service", e); 871 } 872 } 873 return 0; 874 } 875 876 /** 877 * Retrieve the current password history length for all admins 878 * or a particular one. 879 * @param admin The name of the admin component to check, or null to aggregate 880 * all admins. 881 * @return The length of the password history 882 */ 883 public int getPasswordHistoryLength(ComponentName admin) { 884 return getPasswordHistoryLength(admin, UserHandle.myUserId()); 885 } 886 887 /** @hide per-user version */ 888 public int getPasswordHistoryLength(ComponentName admin, int userHandle) { 889 if (mService != null) { 890 try { 891 return mService.getPasswordHistoryLength(admin, userHandle); 892 } catch (RemoteException e) { 893 Log.w(TAG, "Failed talking with device policy service", e); 894 } 895 } 896 return 0; 897 } 898 899 /** 900 * Return the maximum password length that the device supports for a 901 * particular password quality. 902 * @param quality The quality being interrogated. 903 * @return Returns the maximum length that the user can enter. 904 */ 905 public int getPasswordMaximumLength(int quality) { 906 // Kind-of arbitrary. 907 return 16; 908 } 909 910 /** 911 * Determine whether the current password the user has set is sufficient 912 * to meet the policy requirements (quality, minimum length) that have been 913 * requested. 914 * 915 * <p>The calling device admin must have requested 916 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 917 * this method; if it has not, a security exception will be thrown. 918 * 919 * @return Returns true if the password meets the current requirements, 920 * else false. 921 */ 922 public boolean isActivePasswordSufficient() { 923 if (mService != null) { 924 try { 925 return mService.isActivePasswordSufficient(UserHandle.myUserId()); 926 } catch (RemoteException e) { 927 Log.w(TAG, "Failed talking with device policy service", e); 928 } 929 } 930 return false; 931 } 932 933 /** 934 * Retrieve the number of times the user has failed at entering a 935 * password since that last successful password entry. 936 * 937 * <p>The calling device admin must have requested 938 * {@link DeviceAdminInfo#USES_POLICY_WATCH_LOGIN} to be able to call 939 * this method; if it has not, a security exception will be thrown. 940 */ 941 public int getCurrentFailedPasswordAttempts() { 942 if (mService != null) { 943 try { 944 return mService.getCurrentFailedPasswordAttempts(UserHandle.myUserId()); 945 } catch (RemoteException e) { 946 Log.w(TAG, "Failed talking with device policy service", e); 947 } 948 } 949 return -1; 950 } 951 952 /** 953 * Setting this to a value greater than zero enables a built-in policy 954 * that will perform a device wipe after too many incorrect 955 * device-unlock passwords have been entered. This built-in policy combines 956 * watching for failed passwords and wiping the device, and requires 957 * that you request both {@link DeviceAdminInfo#USES_POLICY_WATCH_LOGIN} and 958 * {@link DeviceAdminInfo#USES_POLICY_WIPE_DATA}}. 959 * 960 * <p>To implement any other policy (e.g. wiping data for a particular 961 * application only, erasing or revoking credentials, or reporting the 962 * failure to a server), you should implement 963 * {@link DeviceAdminReceiver#onPasswordFailed(Context, android.content.Intent)} 964 * instead. Do not use this API, because if the maximum count is reached, 965 * the device will be wiped immediately, and your callback will not be invoked. 966 * 967 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 968 * @param num The number of failed password attempts at which point the 969 * device will wipe its data. 970 */ 971 public void setMaximumFailedPasswordsForWipe(ComponentName admin, int num) { 972 if (mService != null) { 973 try { 974 mService.setMaximumFailedPasswordsForWipe(admin, num, UserHandle.myUserId()); 975 } catch (RemoteException e) { 976 Log.w(TAG, "Failed talking with device policy service", e); 977 } 978 } 979 } 980 981 /** 982 * Retrieve the current maximum number of login attempts that are allowed 983 * before the device wipes itself, for all admins 984 * or a particular one. 985 * @param admin The name of the admin component to check, or null to aggregate 986 * all admins. 987 */ 988 public int getMaximumFailedPasswordsForWipe(ComponentName admin) { 989 return getMaximumFailedPasswordsForWipe(admin, UserHandle.myUserId()); 990 } 991 992 /** @hide per-user version */ 993 public int getMaximumFailedPasswordsForWipe(ComponentName admin, int userHandle) { 994 if (mService != null) { 995 try { 996 return mService.getMaximumFailedPasswordsForWipe(admin, userHandle); 997 } catch (RemoteException e) { 998 Log.w(TAG, "Failed talking with device policy service", e); 999 } 1000 } 1001 return 0; 1002 } 1003 1004 /** 1005 * Flag for {@link #resetPassword}: don't allow other admins to change 1006 * the password again until the user has entered it. 1007 */ 1008 public static final int RESET_PASSWORD_REQUIRE_ENTRY = 0x0001; 1009 1010 /** 1011 * Force a new device unlock password (the password needed to access the 1012 * entire device, not for individual accounts) on the user. This takes 1013 * effect immediately. 1014 * The given password must be sufficient for the 1015 * current password quality and length constraints as returned by 1016 * {@link #getPasswordQuality(ComponentName)} and 1017 * {@link #getPasswordMinimumLength(ComponentName)}; if it does not meet 1018 * these constraints, then it will be rejected and false returned. Note 1019 * that the password may be a stronger quality (containing alphanumeric 1020 * characters when the requested quality is only numeric), in which case 1021 * the currently active quality will be increased to match. 1022 * 1023 * <p>The calling device admin must have requested 1024 * {@link DeviceAdminInfo#USES_POLICY_RESET_PASSWORD} to be able to call 1025 * this method; if it has not, a security exception will be thrown. 1026 * 1027 * @param password The new password for the user. 1028 * @param flags May be 0 or {@link #RESET_PASSWORD_REQUIRE_ENTRY}. 1029 * @return Returns true if the password was applied, or false if it is 1030 * not acceptable for the current constraints. 1031 */ 1032 public boolean resetPassword(String password, int flags) { 1033 if (mService != null) { 1034 try { 1035 return mService.resetPassword(password, flags, UserHandle.myUserId()); 1036 } catch (RemoteException e) { 1037 Log.w(TAG, "Failed talking with device policy service", e); 1038 } 1039 } 1040 return false; 1041 } 1042 1043 /** 1044 * Called by an application that is administering the device to set the 1045 * maximum time for user activity until the device will lock. This limits 1046 * the length that the user can set. It takes effect immediately. 1047 * 1048 * <p>The calling device admin must have requested 1049 * {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK} to be able to call 1050 * this method; if it has not, a security exception will be thrown. 1051 * 1052 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1053 * @param timeMs The new desired maximum time to lock in milliseconds. 1054 * A value of 0 means there is no restriction. 1055 */ 1056 public void setMaximumTimeToLock(ComponentName admin, long timeMs) { 1057 if (mService != null) { 1058 try { 1059 mService.setMaximumTimeToLock(admin, timeMs, UserHandle.myUserId()); 1060 } catch (RemoteException e) { 1061 Log.w(TAG, "Failed talking with device policy service", e); 1062 } 1063 } 1064 } 1065 1066 /** 1067 * Retrieve the current maximum time to unlock for all admins 1068 * or a particular one. 1069 * @param admin The name of the admin component to check, or null to aggregate 1070 * all admins. 1071 */ 1072 public long getMaximumTimeToLock(ComponentName admin) { 1073 return getMaximumTimeToLock(admin, UserHandle.myUserId()); 1074 } 1075 1076 /** @hide per-user version */ 1077 public long getMaximumTimeToLock(ComponentName admin, int userHandle) { 1078 if (mService != null) { 1079 try { 1080 return mService.getMaximumTimeToLock(admin, userHandle); 1081 } catch (RemoteException e) { 1082 Log.w(TAG, "Failed talking with device policy service", e); 1083 } 1084 } 1085 return 0; 1086 } 1087 1088 /** 1089 * Make the device lock immediately, as if the lock screen timeout has 1090 * expired at the point of this call. 1091 * 1092 * <p>The calling device admin must have requested 1093 * {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK} to be able to call 1094 * this method; if it has not, a security exception will be thrown. 1095 */ 1096 public void lockNow() { 1097 if (mService != null) { 1098 try { 1099 mService.lockNow(); 1100 } catch (RemoteException e) { 1101 Log.w(TAG, "Failed talking with device policy service", e); 1102 } 1103 } 1104 } 1105 1106 /** 1107 * Flag for {@link #wipeData(int)}: also erase the device's external 1108 * storage. 1109 */ 1110 public static final int WIPE_EXTERNAL_STORAGE = 0x0001; 1111 1112 /** 1113 * Ask the user date be wiped. This will cause the device to reboot, 1114 * erasing all user data while next booting up. External storage such 1115 * as SD cards will be also erased if the flag {@link #WIPE_EXTERNAL_STORAGE} 1116 * is set. 1117 * 1118 * <p>The calling device admin must have requested 1119 * {@link DeviceAdminInfo#USES_POLICY_WIPE_DATA} to be able to call 1120 * this method; if it has not, a security exception will be thrown. 1121 * 1122 * @param flags Bit mask of additional options: currently 0 and 1123 * {@link #WIPE_EXTERNAL_STORAGE} are supported. 1124 */ 1125 public void wipeData(int flags) { 1126 if (mService != null) { 1127 try { 1128 mService.wipeData(flags, UserHandle.myUserId()); 1129 } catch (RemoteException e) { 1130 Log.w(TAG, "Failed talking with device policy service", e); 1131 } 1132 } 1133 } 1134 1135 /** 1136 * Called by an application that is administering the device to set the 1137 * global proxy and exclusion list. 1138 * <p> 1139 * The calling device admin must have requested 1140 * {@link DeviceAdminInfo#USES_POLICY_SETS_GLOBAL_PROXY} to be able to call 1141 * this method; if it has not, a security exception will be thrown. 1142 * Only the first device admin can set the proxy. If a second admin attempts 1143 * to set the proxy, the {@link ComponentName} of the admin originally setting the 1144 * proxy will be returned. If successful in setting the proxy, null will 1145 * be returned. 1146 * The method can be called repeatedly by the device admin alrady setting the 1147 * proxy to update the proxy and exclusion list. 1148 * 1149 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1150 * with. 1151 * @param proxySpec the global proxy desired. Must be an HTTP Proxy. 1152 * Pass Proxy.NO_PROXY to reset the proxy. 1153 * @param exclusionList a list of domains to be excluded from the global proxy. 1154 * @return returns null if the proxy was successfully set, or a {@link ComponentName} 1155 * of the device admin that sets thew proxy otherwise. 1156 * @hide 1157 */ 1158 public ComponentName setGlobalProxy(ComponentName admin, Proxy proxySpec, 1159 List<String> exclusionList ) { 1160 if (proxySpec == null) { 1161 throw new NullPointerException(); 1162 } 1163 if (mService != null) { 1164 try { 1165 String hostSpec; 1166 String exclSpec; 1167 if (proxySpec.equals(Proxy.NO_PROXY)) { 1168 hostSpec = null; 1169 exclSpec = null; 1170 } else { 1171 if (!proxySpec.type().equals(Proxy.Type.HTTP)) { 1172 throw new IllegalArgumentException(); 1173 } 1174 InetSocketAddress sa = (InetSocketAddress)proxySpec.address(); 1175 String hostName = sa.getHostName(); 1176 int port = sa.getPort(); 1177 StringBuilder hostBuilder = new StringBuilder(); 1178 hostSpec = hostBuilder.append(hostName) 1179 .append(":").append(Integer.toString(port)).toString(); 1180 if (exclusionList == null) { 1181 exclSpec = ""; 1182 } else { 1183 StringBuilder listBuilder = new StringBuilder(); 1184 boolean firstDomain = true; 1185 for (String exclDomain : exclusionList) { 1186 if (!firstDomain) { 1187 listBuilder = listBuilder.append(","); 1188 } else { 1189 firstDomain = false; 1190 } 1191 listBuilder = listBuilder.append(exclDomain.trim()); 1192 } 1193 exclSpec = listBuilder.toString(); 1194 } 1195 if (android.net.Proxy.validate(hostName, Integer.toString(port), exclSpec) 1196 != android.net.Proxy.PROXY_VALID) 1197 throw new IllegalArgumentException(); 1198 } 1199 return mService.setGlobalProxy(admin, hostSpec, exclSpec, UserHandle.myUserId()); 1200 } catch (RemoteException e) { 1201 Log.w(TAG, "Failed talking with device policy service", e); 1202 } 1203 } 1204 return null; 1205 } 1206 1207 /** 1208 * Returns the component name setting the global proxy. 1209 * @return ComponentName object of the device admin that set the global proxy, or 1210 * null if no admin has set the proxy. 1211 * @hide 1212 */ 1213 public ComponentName getGlobalProxyAdmin() { 1214 if (mService != null) { 1215 try { 1216 return mService.getGlobalProxyAdmin(UserHandle.myUserId()); 1217 } catch (RemoteException e) { 1218 Log.w(TAG, "Failed talking with device policy service", e); 1219 } 1220 } 1221 return null; 1222 } 1223 1224 /** 1225 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1226 * indicating that encryption is not supported. 1227 */ 1228 public static final int ENCRYPTION_STATUS_UNSUPPORTED = 0; 1229 1230 /** 1231 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1232 * indicating that encryption is supported, but is not currently active. 1233 */ 1234 public static final int ENCRYPTION_STATUS_INACTIVE = 1; 1235 1236 /** 1237 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1238 * indicating that encryption is not currently active, but is currently 1239 * being activated. This is only reported by devices that support 1240 * encryption of data and only when the storage is currently 1241 * undergoing a process of becoming encrypted. A device that must reboot and/or wipe data 1242 * to become encrypted will never return this value. 1243 */ 1244 public static final int ENCRYPTION_STATUS_ACTIVATING = 2; 1245 1246 /** 1247 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1248 * indicating that encryption is active. 1249 */ 1250 public static final int ENCRYPTION_STATUS_ACTIVE = 3; 1251 1252 /** 1253 * Activity action: begin the process of encrypting data on the device. This activity should 1254 * be launched after using {@link #setStorageEncryption} to request encryption be activated. 1255 * After resuming from this activity, use {@link #getStorageEncryption} 1256 * to check encryption status. However, on some devices this activity may never return, as 1257 * it may trigger a reboot and in some cases a complete data wipe of the device. 1258 */ 1259 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 1260 public static final String ACTION_START_ENCRYPTION 1261 = "android.app.action.START_ENCRYPTION"; 1262 1263 /** 1264 * Widgets are enabled in keyguard 1265 */ 1266 public static final int KEYGUARD_DISABLE_FEATURES_NONE = 0; 1267 1268 /** 1269 * Disable all keyguard widgets 1270 */ 1271 public static final int KEYGUARD_DISABLE_WIDGETS_ALL = 1 << 0; 1272 1273 /** 1274 * Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password) 1275 */ 1276 public static final int KEYGUARD_DISABLE_SECURE_CAMERA = 1 << 1; 1277 1278 /** 1279 * Disable all current and future keyguard customizations. 1280 */ 1281 public static final int KEYGUARD_DISABLE_FEATURES_ALL = 0x7fffffff; 1282 1283 /** 1284 * Called by an application that is administering the device to 1285 * request that the storage system be encrypted. 1286 * 1287 * <p>When multiple device administrators attempt to control device 1288 * encryption, the most secure, supported setting will always be 1289 * used. If any device administrator requests device encryption, 1290 * it will be enabled; Conversely, if a device administrator 1291 * attempts to disable device encryption while another 1292 * device administrator has enabled it, the call to disable will 1293 * fail (most commonly returning {@link #ENCRYPTION_STATUS_ACTIVE}). 1294 * 1295 * <p>This policy controls encryption of the secure (application data) storage area. Data 1296 * written to other storage areas may or may not be encrypted, and this policy does not require 1297 * or control the encryption of any other storage areas. 1298 * There is one exception: If {@link android.os.Environment#isExternalStorageEmulated()} is 1299 * {@code true}, then the directory returned by 1300 * {@link android.os.Environment#getExternalStorageDirectory()} must be written to disk 1301 * within the encrypted storage area. 1302 * 1303 * <p>Important Note: On some devices, it is possible to encrypt storage without requiring 1304 * the user to create a device PIN or Password. In this case, the storage is encrypted, but 1305 * the encryption key may not be fully secured. For maximum security, the administrator should 1306 * also require (and check for) a pattern, PIN, or password. 1307 * 1308 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1309 * @param encrypt true to request encryption, false to release any previous request 1310 * @return the new request status (for all active admins) - will be one of 1311 * {@link #ENCRYPTION_STATUS_UNSUPPORTED}, {@link #ENCRYPTION_STATUS_INACTIVE}, or 1312 * {@link #ENCRYPTION_STATUS_ACTIVE}. This is the value of the requests; Use 1313 * {@link #getStorageEncryptionStatus()} to query the actual device state. 1314 */ 1315 public int setStorageEncryption(ComponentName admin, boolean encrypt) { 1316 if (mService != null) { 1317 try { 1318 return mService.setStorageEncryption(admin, encrypt, UserHandle.myUserId()); 1319 } catch (RemoteException e) { 1320 Log.w(TAG, "Failed talking with device policy service", e); 1321 } 1322 } 1323 return ENCRYPTION_STATUS_UNSUPPORTED; 1324 } 1325 1326 /** 1327 * Called by an application that is administering the device to 1328 * determine the requested setting for secure storage. 1329 * 1330 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. If null, 1331 * this will return the requested encryption setting as an aggregate of all active 1332 * administrators. 1333 * @return true if the admin(s) are requesting encryption, false if not. 1334 */ 1335 public boolean getStorageEncryption(ComponentName admin) { 1336 if (mService != null) { 1337 try { 1338 return mService.getStorageEncryption(admin, UserHandle.myUserId()); 1339 } catch (RemoteException e) { 1340 Log.w(TAG, "Failed talking with device policy service", e); 1341 } 1342 } 1343 return false; 1344 } 1345 1346 /** 1347 * Called by an application that is administering the device to 1348 * determine the current encryption status of the device. 1349 * 1350 * Depending on the returned status code, the caller may proceed in different 1351 * ways. If the result is {@link #ENCRYPTION_STATUS_UNSUPPORTED}, the 1352 * storage system does not support encryption. If the 1353 * result is {@link #ENCRYPTION_STATUS_INACTIVE}, use {@link 1354 * #ACTION_START_ENCRYPTION} to begin the process of encrypting or decrypting the 1355 * storage. If the result is {@link #ENCRYPTION_STATUS_ACTIVATING} or 1356 * {@link #ENCRYPTION_STATUS_ACTIVE}, no further action is required. 1357 * 1358 * @return current status of encryption. The value will be one of 1359 * {@link #ENCRYPTION_STATUS_UNSUPPORTED}, {@link #ENCRYPTION_STATUS_INACTIVE}, 1360 * {@link #ENCRYPTION_STATUS_ACTIVATING}, or{@link #ENCRYPTION_STATUS_ACTIVE}. 1361 */ 1362 public int getStorageEncryptionStatus() { 1363 return getStorageEncryptionStatus(UserHandle.myUserId()); 1364 } 1365 1366 /** @hide per-user version */ 1367 public int getStorageEncryptionStatus(int userHandle) { 1368 if (mService != null) { 1369 try { 1370 return mService.getStorageEncryptionStatus(userHandle); 1371 } catch (RemoteException e) { 1372 Log.w(TAG, "Failed talking with device policy service", e); 1373 } 1374 } 1375 return ENCRYPTION_STATUS_UNSUPPORTED; 1376 } 1377 1378 /** 1379 * Installs the given certificate as a User CA. 1380 * 1381 * @return false if the certBuffer cannot be parsed or installation is 1382 * interrupted, otherwise true 1383 * @hide 1384 */ 1385 public boolean installCaCert(byte[] certBuffer) { 1386 if (mService != null) { 1387 try { 1388 return mService.installCaCert(certBuffer); 1389 } catch (RemoteException e) { 1390 Log.w(TAG, "Failed talking with device policy service", e); 1391 } 1392 } 1393 return false; 1394 } 1395 1396 /** 1397 * Uninstalls the given certificate from the list of User CAs, if present. 1398 * 1399 * @hide 1400 */ 1401 public void uninstallCaCert(byte[] certBuffer) { 1402 if (mService != null) { 1403 try { 1404 mService.uninstallCaCert(certBuffer); 1405 } catch (RemoteException e) { 1406 Log.w(TAG, "Failed talking with device policy service", e); 1407 } 1408 } 1409 } 1410 1411 /** 1412 * Returns whether there are any user-installed CA certificates. 1413 * 1414 * @hide 1415 */ 1416 public static boolean hasAnyCaCertsInstalled() { 1417 TrustedCertificateStore certStore = new TrustedCertificateStore(); 1418 Set<String> aliases = certStore.userAliases(); 1419 return aliases != null && !aliases.isEmpty(); 1420 } 1421 1422 /** 1423 * Returns whether this certificate has been installed as a User CA. 1424 * 1425 * @hide 1426 */ 1427 public boolean hasCaCertInstalled(byte[] certBuffer) { 1428 TrustedCertificateStore certStore = new TrustedCertificateStore(); 1429 String alias; 1430 byte[] pemCert; 1431 try { 1432 CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); 1433 X509Certificate cert = (X509Certificate) certFactory.generateCertificate( 1434 new ByteArrayInputStream(certBuffer)); 1435 return certStore.getCertificateAlias(cert) != null; 1436 } catch (CertificateException ce) { 1437 Log.w(TAG, "Could not parse certificate", ce); 1438 } 1439 return false; 1440 } 1441 1442 /** 1443 * Called by an application that is administering the device to disable all cameras 1444 * on the device. After setting this, no applications will be able to access any cameras 1445 * on the device. 1446 * 1447 * <p>The calling device admin must have requested 1448 * {@link DeviceAdminInfo#USES_POLICY_DISABLE_CAMERA} to be able to call 1449 * this method; if it has not, a security exception will be thrown. 1450 * 1451 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1452 * @param disabled Whether or not the camera should be disabled. 1453 */ 1454 public void setCameraDisabled(ComponentName admin, boolean disabled) { 1455 if (mService != null) { 1456 try { 1457 mService.setCameraDisabled(admin, disabled, UserHandle.myUserId()); 1458 } catch (RemoteException e) { 1459 Log.w(TAG, "Failed talking with device policy service", e); 1460 } 1461 } 1462 } 1463 1464 /** 1465 * Determine whether or not the device's cameras have been disabled either by the current 1466 * admin, if specified, or all admins. 1467 * @param admin The name of the admin component to check, or null to check if any admins 1468 * have disabled the camera 1469 */ 1470 public boolean getCameraDisabled(ComponentName admin) { 1471 return getCameraDisabled(admin, UserHandle.myUserId()); 1472 } 1473 1474 /** @hide per-user version */ 1475 public boolean getCameraDisabled(ComponentName admin, int userHandle) { 1476 if (mService != null) { 1477 try { 1478 return mService.getCameraDisabled(admin, userHandle); 1479 } catch (RemoteException e) { 1480 Log.w(TAG, "Failed talking with device policy service", e); 1481 } 1482 } 1483 return false; 1484 } 1485 1486 /** 1487 * Called by an application that is administering the device to disable keyguard customizations, 1488 * such as widgets. After setting this, keyguard features will be disabled according to the 1489 * provided feature list. 1490 * 1491 * <p>The calling device admin must have requested 1492 * {@link DeviceAdminInfo#USES_POLICY_DISABLE_KEYGUARD_FEATURES} to be able to call 1493 * this method; if it has not, a security exception will be thrown. 1494 * 1495 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1496 * @param which {@link #KEYGUARD_DISABLE_FEATURES_NONE} (default), 1497 * {@link #KEYGUARD_DISABLE_WIDGETS_ALL}, {@link #KEYGUARD_DISABLE_SECURE_CAMERA}, 1498 * {@link #KEYGUARD_DISABLE_FEATURES_ALL} 1499 */ 1500 public void setKeyguardDisabledFeatures(ComponentName admin, int which) { 1501 if (mService != null) { 1502 try { 1503 mService.setKeyguardDisabledFeatures(admin, which, UserHandle.myUserId()); 1504 } catch (RemoteException e) { 1505 Log.w(TAG, "Failed talking with device policy service", e); 1506 } 1507 } 1508 } 1509 1510 /** 1511 * Determine whether or not features have been disabled in keyguard either by the current 1512 * admin, if specified, or all admins. 1513 * @param admin The name of the admin component to check, or null to check if any admins 1514 * have disabled features in keyguard. 1515 * @return bitfield of flags. See {@link #setKeyguardDisabledFeatures(ComponentName, int)} 1516 * for a list. 1517 */ 1518 public int getKeyguardDisabledFeatures(ComponentName admin) { 1519 return getKeyguardDisabledFeatures(admin, UserHandle.myUserId()); 1520 } 1521 1522 /** @hide per-user version */ 1523 public int getKeyguardDisabledFeatures(ComponentName admin, int userHandle) { 1524 if (mService != null) { 1525 try { 1526 return mService.getKeyguardDisabledFeatures(admin, userHandle); 1527 } catch (RemoteException e) { 1528 Log.w(TAG, "Failed talking with device policy service", e); 1529 } 1530 } 1531 return KEYGUARD_DISABLE_FEATURES_NONE; 1532 } 1533 1534 /** 1535 * @hide 1536 */ 1537 public void setActiveAdmin(ComponentName policyReceiver, boolean refreshing, int userHandle) { 1538 if (mService != null) { 1539 try { 1540 mService.setActiveAdmin(policyReceiver, refreshing, userHandle); 1541 } catch (RemoteException e) { 1542 Log.w(TAG, "Failed talking with device policy service", e); 1543 } 1544 } 1545 } 1546 1547 /** 1548 * @hide 1549 */ 1550 public void setActiveAdmin(ComponentName policyReceiver, boolean refreshing) { 1551 setActiveAdmin(policyReceiver, refreshing, UserHandle.myUserId()); 1552 } 1553 1554 /** 1555 * Returns the DeviceAdminInfo as defined by the administrator's package info & meta-data 1556 * @hide 1557 */ 1558 public DeviceAdminInfo getAdminInfo(ComponentName cn) { 1559 ActivityInfo ai; 1560 try { 1561 ai = mContext.getPackageManager().getReceiverInfo(cn, 1562 PackageManager.GET_META_DATA); 1563 } catch (PackageManager.NameNotFoundException e) { 1564 Log.w(TAG, "Unable to retrieve device policy " + cn, e); 1565 return null; 1566 } 1567 1568 ResolveInfo ri = new ResolveInfo(); 1569 ri.activityInfo = ai; 1570 1571 try { 1572 return new DeviceAdminInfo(mContext, ri); 1573 } catch (XmlPullParserException e) { 1574 Log.w(TAG, "Unable to parse device policy " + cn, e); 1575 return null; 1576 } catch (IOException e) { 1577 Log.w(TAG, "Unable to parse device policy " + cn, e); 1578 return null; 1579 } 1580 } 1581 1582 /** 1583 * @hide 1584 */ 1585 public void getRemoveWarning(ComponentName admin, RemoteCallback result) { 1586 if (mService != null) { 1587 try { 1588 mService.getRemoveWarning(admin, result, UserHandle.myUserId()); 1589 } catch (RemoteException e) { 1590 Log.w(TAG, "Failed talking with device policy service", e); 1591 } 1592 } 1593 } 1594 1595 /** 1596 * @hide 1597 */ 1598 public void setActivePasswordState(int quality, int length, int letters, int uppercase, 1599 int lowercase, int numbers, int symbols, int nonletter, int userHandle) { 1600 if (mService != null) { 1601 try { 1602 mService.setActivePasswordState(quality, length, letters, uppercase, lowercase, 1603 numbers, symbols, nonletter, userHandle); 1604 } catch (RemoteException e) { 1605 Log.w(TAG, "Failed talking with device policy service", e); 1606 } 1607 } 1608 } 1609 1610 /** 1611 * @hide 1612 */ 1613 public void reportFailedPasswordAttempt(int userHandle) { 1614 if (mService != null) { 1615 try { 1616 mService.reportFailedPasswordAttempt(userHandle); 1617 } catch (RemoteException e) { 1618 Log.w(TAG, "Failed talking with device policy service", e); 1619 } 1620 } 1621 } 1622 1623 /** 1624 * @hide 1625 */ 1626 public void reportSuccessfulPasswordAttempt(int userHandle) { 1627 if (mService != null) { 1628 try { 1629 mService.reportSuccessfulPasswordAttempt(userHandle); 1630 } catch (RemoteException e) { 1631 Log.w(TAG, "Failed talking with device policy service", e); 1632 } 1633 } 1634 } 1635 1636 /** 1637 * @hide 1638 * Sets the given package as the device owner. The package must already be installed and there 1639 * shouldn't be an existing device owner registered, for this call to succeed. Also, this 1640 * method must be called before the device is provisioned. 1641 * @param packageName the package name of the application to be registered as the device owner. 1642 * @return whether the package was successfully registered as the device owner. 1643 * @throws IllegalArgumentException if the package name is null or invalid 1644 * @throws IllegalStateException if a device owner is already registered or the device has 1645 * already been provisioned. 1646 */ 1647 public boolean setDeviceOwner(String packageName) throws IllegalArgumentException, 1648 IllegalStateException { 1649 return setDeviceOwner(packageName, null); 1650 } 1651 1652 /** 1653 * @hide 1654 * Sets the given package as the device owner. The package must already be installed and there 1655 * shouldn't be an existing device owner registered, for this call to succeed. Also, this 1656 * method must be called before the device is provisioned. 1657 * @param packageName the package name of the application to be registered as the device owner. 1658 * @param ownerName the human readable name of the institution that owns this device. 1659 * @return whether the package was successfully registered as the device owner. 1660 * @throws IllegalArgumentException if the package name is null or invalid 1661 * @throws IllegalStateException if a device owner is already registered or the device has 1662 * already been provisioned. 1663 */ 1664 public boolean setDeviceOwner(String packageName, String ownerName) 1665 throws IllegalArgumentException, IllegalStateException { 1666 if (mService != null) { 1667 try { 1668 return mService.setDeviceOwner(packageName, ownerName); 1669 } catch (RemoteException re) { 1670 Log.w(TAG, "Failed to set device owner"); 1671 } 1672 } 1673 return false; 1674 } 1675 1676 1677 /** 1678 * Used to determine if a particular package has been registered as a Device Owner app. 1679 * A device owner app is a special device admin that cannot be deactivated by the user, once 1680 * activated as a device admin. It also cannot be uninstalled. To check if a particular 1681 * package is currently registered as the device owner app, pass in the package name from 1682 * {@link Context#getPackageName()} to this method.<p/>This is useful for device 1683 * admin apps that want to check if they are also registered as the device owner app. The 1684 * exact mechanism by which a device admin app is registered as a device owner app is defined by 1685 * the setup process. 1686 * @param packageName the package name of the app, to compare with the registered device owner 1687 * app, if any. 1688 * @return whether or not the package is registered as the device owner app. 1689 */ 1690 public boolean isDeviceOwnerApp(String packageName) { 1691 if (mService != null) { 1692 try { 1693 return mService.isDeviceOwner(packageName); 1694 } catch (RemoteException re) { 1695 Log.w(TAG, "Failed to check device owner"); 1696 } 1697 } 1698 return false; 1699 } 1700 1701 /** 1702 * @hide 1703 * Redirect to isDeviceOwnerApp. 1704 */ 1705 public boolean isDeviceOwner(String packageName) { 1706 return isDeviceOwnerApp(packageName); 1707 } 1708 1709 /** @hide */ 1710 public String getDeviceOwner() { 1711 if (mService != null) { 1712 try { 1713 return mService.getDeviceOwner(); 1714 } catch (RemoteException re) { 1715 Log.w(TAG, "Failed to get device owner"); 1716 } 1717 } 1718 return null; 1719 } 1720 1721 /** @hide */ 1722 public String getDeviceOwnerName() { 1723 if (mService != null) { 1724 try { 1725 return mService.getDeviceOwnerName(); 1726 } catch (RemoteException re) { 1727 Log.w(TAG, "Failed to get device owner"); 1728 } 1729 } 1730 return null; 1731 } 1732 1733 /** 1734 * @hide 1735 * Sets the given package as the profile owner of the given user profile. The package must 1736 * already be installed and there shouldn't be an existing profile owner registered for this 1737 * user. Also, this method must be called before the user has been used for the first time. 1738 * @param packageName the package name of the application to be registered as profile owner. 1739 * @param ownerName the human readable name of the organisation associated with this DPM. 1740 * @param userHandle the userId to set the profile owner for. 1741 * @return whether the package was successfully registered as the profile owner. 1742 * @throws IllegalArgumentException if packageName is null, the package isn't installed, or 1743 * the user has already been set up. 1744 */ 1745 public boolean setProfileOwner(String packageName, String ownerName, int userHandle) 1746 throws IllegalArgumentException { 1747 if (mService != null) { 1748 try { 1749 return mService.setProfileOwner(packageName, ownerName, userHandle); 1750 } catch (RemoteException re) { 1751 Log.w(TAG, "Failed to set profile owner", re); 1752 throw new IllegalArgumentException("Couldn't set profile owner.", re); 1753 } 1754 } 1755 return false; 1756 } 1757 1758 /** 1759 * Used to determine if a particular package is registered as the Profile Owner for the 1760 * current user. A profile owner is a special device admin that has additional priviledges 1761 * within the managed profile. 1762 * 1763 * @param packageName The package name of the app to compare with the registered profile owner. 1764 * @return Whether or not the package is registered as the profile owner. 1765 */ 1766 public boolean isProfileOwnerApp(String packageName) { 1767 if (mService != null) { 1768 try { 1769 String profileOwnerPackage = mService.getProfileOwner( 1770 Process.myUserHandle().getIdentifier()); 1771 return profileOwnerPackage != null && profileOwnerPackage.equals(packageName); 1772 } catch (RemoteException re) { 1773 Log.w(TAG, "Failed to check profile owner"); 1774 } 1775 } 1776 return false; 1777 } 1778 1779 /** 1780 * @hide 1781 * @return the packageName of the owner of the given user profile or null if no profile 1782 * owner has been set for that user. 1783 * @throws IllegalArgumentException if the userId is invalid. 1784 */ 1785 public String getProfileOwner() throws IllegalArgumentException { 1786 if (mService != null) { 1787 try { 1788 return mService.getProfileOwner(Process.myUserHandle().getIdentifier()); 1789 } catch (RemoteException re) { 1790 Log.w(TAG, "Failed to get profile owner"); 1791 throw new IllegalArgumentException( 1792 "Requested profile owner for invalid userId", re); 1793 } 1794 } 1795 return null; 1796 } 1797 1798 /** 1799 * @hide 1800 * @return the human readable name of the organisation associated with this DPM or null if 1801 * one is not set. 1802 * @throws IllegalArgumentException if the userId is invalid. 1803 */ 1804 public String getProfileOwnerName() throws IllegalArgumentException { 1805 if (mService != null) { 1806 try { 1807 return mService.getProfileOwnerName(Process.myUserHandle().getIdentifier()); 1808 } catch (RemoteException re) { 1809 Log.w(TAG, "Failed to get profile owner"); 1810 throw new IllegalArgumentException( 1811 "Requested profile owner for invalid userId", re); 1812 } 1813 } 1814 return null; 1815 } 1816 1817 /** 1818 * Called by a profile owner or device owner to add a default intent handler activity for 1819 * intents that match a certain intent filter. This activity will remain the default intent 1820 * handler even if the set of potential event handlers for the intent filter changes and if 1821 * the intent preferences are reset. 1822 * 1823 * <p>The default disambiguation mechanism takes over if the activity is not installed 1824 * (anymore). When the activity is (re)installed, it is automatically reset as default 1825 * intent handler for the filter. 1826 * 1827 * <p>The calling device admin must be a profile owner or device owner. If it is not, a 1828 * security exception will be thrown. 1829 * 1830 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1831 * @param filter The IntentFilter for which a default handler is added. 1832 * @param activity The Activity that is added as default intent handler. 1833 */ 1834 public void addPersistentPreferredActivity(ComponentName admin, IntentFilter filter, 1835 ComponentName activity) { 1836 if (mService != null) { 1837 try { 1838 mService.addPersistentPreferredActivity(admin, filter, activity); 1839 } catch (RemoteException e) { 1840 Log.w(TAG, "Failed talking with device policy service", e); 1841 } 1842 } 1843 } 1844 1845 /** 1846 * Called by a profile owner or device owner to remove all persistent intent handler preferences 1847 * associated with the given package that were set by {@link #addPersistentPreferredActivity}. 1848 * 1849 * <p>The calling device admin must be a profile owner. If it is not, a security 1850 * exception will be thrown. 1851 * 1852 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1853 * @param packageName The name of the package for which preferences are removed. 1854 */ 1855 public void clearPackagePersistentPreferredActivities(ComponentName admin, 1856 String packageName) { 1857 if (mService != null) { 1858 try { 1859 mService.clearPackagePersistentPreferredActivities(admin, packageName); 1860 } catch (RemoteException e) { 1861 Log.w(TAG, "Failed talking with device policy service", e); 1862 } 1863 } 1864 } 1865} 1866