DevicePolicyManager.java revision ea2ec97f37c649881f2be8a5cc40bf44080cc632
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17package android.app.admin; 18 19import android.annotation.SdkConstant; 20import android.annotation.SdkConstant.SdkConstantType; 21import android.annotation.SystemApi; 22import android.app.Activity; 23import android.content.ComponentName; 24import android.content.Context; 25import android.content.Intent; 26import android.content.IntentFilter; 27import android.content.pm.ActivityInfo; 28import android.content.pm.PackageManager; 29import android.content.pm.ResolveInfo; 30import android.graphics.Bitmap; 31import android.net.ProxyInfo; 32import android.os.Bundle; 33import android.os.Handler; 34import android.os.PersistableBundle; 35import android.os.Process; 36import android.os.RemoteCallback; 37import android.os.RemoteException; 38import android.os.ServiceManager; 39import android.os.UserHandle; 40import android.os.UserManager; 41import android.provider.Settings; 42import android.security.Credentials; 43import android.service.restrictions.RestrictionsReceiver; 44import android.util.Log; 45 46import com.android.org.conscrypt.TrustedCertificateStore; 47 48import org.xmlpull.v1.XmlPullParserException; 49 50import java.io.ByteArrayInputStream; 51import java.io.IOException; 52import java.net.InetSocketAddress; 53import java.net.Proxy; 54import java.security.KeyFactory; 55import java.security.PrivateKey; 56import java.security.cert.Certificate; 57import java.security.cert.CertificateException; 58import java.security.cert.CertificateFactory; 59import java.security.cert.X509Certificate; 60import java.security.spec.PKCS8EncodedKeySpec; 61import java.security.spec.InvalidKeySpecException; 62import java.security.NoSuchAlgorithmException; 63import java.util.ArrayList; 64import java.util.Collections; 65import java.util.List; 66 67/** 68 * Public interface for managing policies enforced on a device. Most clients of this class must be 69 * registered with the system as a 70 * <a href="{@docRoot}guide/topics/admin/device-admin.html">device administrator</a>. Additionally, 71 * a device administrator may be registered as either a profile or device owner. A given method is 72 * accessible to all device administrators unless the documentation for that method specifies that 73 * it is restricted to either device or profile owners. 74 * 75 * <div class="special reference"> 76 * <h3>Developer Guides</h3> 77 * <p>For more information about managing policies for device administration, read the 78 * <a href="{@docRoot}guide/topics/admin/device-admin.html">Device Administration</a> 79 * developer guide.</p> 80 * </div> 81 */ 82public class DevicePolicyManager { 83 private static String TAG = "DevicePolicyManager"; 84 85 private final Context mContext; 86 private final IDevicePolicyManager mService; 87 88 private DevicePolicyManager(Context context, Handler handler) { 89 mContext = context; 90 mService = IDevicePolicyManager.Stub.asInterface( 91 ServiceManager.getService(Context.DEVICE_POLICY_SERVICE)); 92 } 93 94 /** @hide */ 95 public static DevicePolicyManager create(Context context, Handler handler) { 96 DevicePolicyManager me = new DevicePolicyManager(context, handler); 97 return me.mService != null ? me : null; 98 } 99 100 /** 101 * Activity action: Starts the provisioning flow which sets up a managed profile. 102 * 103 * <p>A managed profile allows data separation for example for the usage of a 104 * device as a personal and corporate device. The user which provisioning is started from and 105 * the managed profile share a launcher. 106 * 107 * <p>This intent will typically be sent by a mobile device management application (MDM). 108 * Provisioning adds a managed profile and sets the MDM as the profile owner who has full 109 * control over the profile. 110 * 111 * In version {@link android.os.Build.VERSION_CODES#LOLLIPOP}, this intent must contain the 112 * extra {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME}. 113 * As of {@link android.os.Build.VERSION_CODES#MNC}, it should contain the extra 114 * {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME} instead, although specifying only 115 * {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME} is still supported. 116 * 117 * <p> When managed provisioning has completed, broadcasts are sent to the application specified 118 * in the provisioning intent. The 119 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE} broadcast is sent in the 120 * managed profile and the {@link #ACTION_MANAGED_PROFILE_PROVISIONED} broadcast is sent in 121 * the primary profile. 122 * 123 * <p> If provisioning fails, the managedProfile is removed so the device returns to its 124 * previous state. 125 * 126 * <p>Input: Nothing.</p> 127 * <p>Output: Nothing</p> 128 */ 129 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 130 public static final String ACTION_PROVISION_MANAGED_PROFILE 131 = "android.app.action.PROVISION_MANAGED_PROFILE"; 132 133 /** 134 * A {@link android.os.Parcelable} extra of type {@link android.os.PersistableBundle} that allows 135 * a mobile device management application that starts managed profile provisioning to pass data 136 * to itself on the managed profile when provisioning completes. The mobile device management 137 * application sends this extra in an intent with the action 138 * {@link #ACTION_PROVISION_MANAGED_PROFILE} and receives it in 139 * {@link DeviceAdminReceiver#onProfileProvisioningComplete} via an intent with the action 140 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE}. The bundle is not changed 141 * during the managed profile provisioning. 142 */ 143 public static final String EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE = 144 "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"; 145 146 /** 147 * A String extra holding the package name of the mobile device management application that 148 * will be set as the profile owner or device owner. 149 * 150 * <p>If an application starts provisioning directly via an intent with action 151 * {@link #ACTION_PROVISION_MANAGED_PROFILE} this package has to match the package name of the 152 * application that started provisioning. The package will be set as profile owner in that case. 153 * 154 * <p>This package is set as device owner when device owner provisioning is started by an NFC 155 * message containing an NFC record with MIME type {@link #MIME_TYPE_PROVISIONING_NFC}. 156 * 157 * <p> When this extra is set, the application must have exactly one device admin receiver. 158 * This receiver will be set as the profile or device owner and active admin.</p> 159 160 * @see DeviceAdminReceiver 161 * @deprecated Use {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME}. This extra is still 162 * supported. 163 */ 164 @Deprecated 165 public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME 166 = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME"; 167 168 /** 169 * A ComponentName extra indicating the device admin receiver of the mobile device management 170 * application that will be set as the profile owner or device owner and active admin. 171 * 172 * <p>If an application starts provisioning directly via an intent with action 173 * {@link #ACTION_PROVISION_MANAGED_PROFILE} the package name of this component has to match the 174 * package name of the application that started provisioning. 175 * 176 * <p>This component is set as device owner and active admin when device owner provisioning is 177 * started by an NFC message containing an NFC record with MIME type 178 * {@link #MIME_TYPE_PROVISIONING_NFC_V2}. For the NFC record, the component name should be 179 * flattened to a string, via {@link ComponentName#flattenToShortString()}. 180 * 181 * @see DeviceAdminReceiver 182 */ 183 public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME 184 = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"; 185 186 /** 187 * An {@link android.accounts.Account} extra holding the account to migrate during managed 188 * profile provisioning. If the account supplied is present in the primary user, it will be 189 * copied, along with its credentials to the managed profile and removed from the primary user. 190 * 191 * Use with {@link #ACTION_PROVISION_MANAGED_PROFILE}. 192 */ 193 194 public static final String EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE 195 = "android.app.extra.PROVISIONING_ACCOUNT_TO_MIGRATE"; 196 197 /** 198 * A String extra that, holds the email address of the account which a managed profile is 199 * created for. Used with {@link #ACTION_PROVISION_MANAGED_PROFILE} and 200 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE}. 201 * 202 * <p> This extra is part of the {@link #EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE}. 203 * 204 * <p> If the {@link #ACTION_PROVISION_MANAGED_PROFILE} intent that starts managed provisioning 205 * contains this extra, it is forwarded in the 206 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE} intent to the mobile 207 * device management application that was set as the profile owner during provisioning. 208 * It is usually used to avoid that the user has to enter their email address twice. 209 */ 210 public static final String EXTRA_PROVISIONING_EMAIL_ADDRESS 211 = "android.app.extra.PROVISIONING_EMAIL_ADDRESS"; 212 213 /** 214 * A Boolean extra that can be used by the mobile device management application to skip the 215 * disabling of system apps during provisioning when set to <code>true</code>. 216 * 217 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 218 * provisioning via an NFC bump. 219 */ 220 public static final String EXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED = 221 "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"; 222 223 /** 224 * A String extra holding the time zone {@link android.app.AlarmManager} that the device 225 * will be set to. 226 * 227 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 228 * provisioning via an NFC bump. 229 */ 230 public static final String EXTRA_PROVISIONING_TIME_ZONE 231 = "android.app.extra.PROVISIONING_TIME_ZONE"; 232 233 /** 234 * A Long extra holding the wall clock time (in milliseconds) to be set on the device's 235 * {@link android.app.AlarmManager}. 236 * 237 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 238 * provisioning via an NFC bump. 239 */ 240 public static final String EXTRA_PROVISIONING_LOCAL_TIME 241 = "android.app.extra.PROVISIONING_LOCAL_TIME"; 242 243 /** 244 * A String extra holding the {@link java.util.Locale} that the device will be set to. 245 * Format: xx_yy, where xx is the language code, and yy the country code. 246 * 247 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 248 * provisioning via an NFC bump. 249 */ 250 public static final String EXTRA_PROVISIONING_LOCALE 251 = "android.app.extra.PROVISIONING_LOCALE"; 252 253 /** 254 * A String extra holding the ssid of the wifi network that should be used during nfc device 255 * owner provisioning for downloading the mobile device management application. 256 * 257 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 258 * provisioning via an NFC bump. 259 */ 260 public static final String EXTRA_PROVISIONING_WIFI_SSID 261 = "android.app.extra.PROVISIONING_WIFI_SSID"; 262 263 /** 264 * A boolean extra indicating whether the wifi network in {@link #EXTRA_PROVISIONING_WIFI_SSID} 265 * is hidden or not. 266 * 267 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 268 * provisioning via an NFC bump. 269 */ 270 public static final String EXTRA_PROVISIONING_WIFI_HIDDEN 271 = "android.app.extra.PROVISIONING_WIFI_HIDDEN"; 272 273 /** 274 * A String extra indicating the security type of the wifi network in 275 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 276 * 277 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 278 * provisioning via an NFC bump. 279 */ 280 public static final String EXTRA_PROVISIONING_WIFI_SECURITY_TYPE 281 = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"; 282 283 /** 284 * A String extra holding the password of the wifi network in 285 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 286 * 287 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 288 * provisioning via an NFC bump. 289 */ 290 public static final String EXTRA_PROVISIONING_WIFI_PASSWORD 291 = "android.app.extra.PROVISIONING_WIFI_PASSWORD"; 292 293 /** 294 * A String extra holding the proxy host for the wifi network in 295 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 296 * 297 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 298 * provisioning via an NFC bump. 299 */ 300 public static final String EXTRA_PROVISIONING_WIFI_PROXY_HOST 301 = "android.app.extra.PROVISIONING_WIFI_PROXY_HOST"; 302 303 /** 304 * An int extra holding the proxy port for the wifi network in 305 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 306 * 307 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 308 * provisioning via an NFC bump. 309 */ 310 public static final String EXTRA_PROVISIONING_WIFI_PROXY_PORT 311 = "android.app.extra.PROVISIONING_WIFI_PROXY_PORT"; 312 313 /** 314 * A String extra holding the proxy bypass for the wifi network in 315 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 316 * 317 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 318 * provisioning via an NFC bump. 319 */ 320 public static final String EXTRA_PROVISIONING_WIFI_PROXY_BYPASS 321 = "android.app.extra.PROVISIONING_WIFI_PROXY_BYPASS"; 322 323 /** 324 * A String extra holding the proxy auto-config (PAC) URL for the wifi network in 325 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 326 * 327 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 328 * provisioning via an NFC bump. 329 */ 330 public static final String EXTRA_PROVISIONING_WIFI_PAC_URL 331 = "android.app.extra.PROVISIONING_WIFI_PAC_URL"; 332 333 /** 334 * A String extra holding a url that specifies the download location of the device admin 335 * package. When not provided it is assumed that the device admin package is already installed. 336 * 337 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 338 * provisioning via an NFC bump. 339 */ 340 public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION 341 = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"; 342 343 /** 344 * An int extra holding a minimum required version code for the device admin package. If the 345 * device admin is already installed on the device, it will only be re-downloaded from 346 * {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION} if the version of the 347 * installed package is less than this version code. 348 * 349 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC_V2} that starts device owner 350 * provisioning via an NFC bump. 351 */ 352 public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_MINIMUM_VERSION_CODE 353 = "android.app.extra.PROVISIONING_DEVICE_ADMIN_MINIMUM_VERSION_CODE"; 354 355 /** 356 * A String extra holding a http cookie header which should be used in the http request to the 357 * url specified in {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION}. 358 * 359 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 360 * provisioning via an NFC bump. 361 */ 362 public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER 363 = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER"; 364 365 /** 366 * A String extra holding the URL-safe base64 encoded SHA-1 checksum of the file at download 367 * location specified in {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION}. If 368 * this doesn't match the file at the download location an error will be shown to the user and 369 * the user will be asked to factory reset the device. 370 * 371 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 372 * provisioning via an NFC bump. 373 */ 374 public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM 375 = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"; 376 377 /** 378 * Broadcast Action: This broadcast is sent to indicate that provisioning of a managed profile 379 * has completed successfully. 380 * 381 * <p>The broadcast is limited to the primary profile, to the app specified in the provisioning 382 * intent (@see #ACTION_PROVISION_MANAGED_PROFILE). 383 * 384 * <p>This intent will contain the extra {@link #EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE} which 385 * corresponds to the account requested to be migrated at provisioning time, if any. 386 */ 387 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 388 public static final String ACTION_MANAGED_PROFILE_PROVISIONED 389 = "android.app.action.MANAGED_PROFILE_PROVISIONED"; 390 391 /** 392 * A boolean extra indicating whether device encryption is required as part of Device Owner 393 * provisioning. 394 * 395 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC_V2} that starts device owner 396 * provisioning via an NFC bump. 397 */ 398 public static final String EXTRA_PROVISIONING_SKIP_ENCRYPTION = 399 "android.app.extra.PROVISIONING_SKIP_ENCRYPTION"; 400 401 /** 402 * On devices managed by a device owner app, a {@link ComponentName} extra indicating the 403 * component of the application that is temporarily granted device owner privileges during 404 * device initialization and profile owner privileges during secondary user initialization. 405 * 406 * <p> 407 * It can also be used in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC_V2} that starts 408 * device owner provisioning via an NFC bump. For the NFC record, it should be flattened to a 409 * string first. 410 * 411 * @see ComponentName#flattenToShortString() 412 */ 413 public static final String EXTRA_PROVISIONING_DEVICE_INITIALIZER_COMPONENT_NAME 414 = "android.app.extra.PROVISIONING_DEVICE_INITIALIZER_COMPONENT_NAME"; 415 416 /** 417 * A String extra holding an http url that specifies the download location of the device 418 * initializer package. When not provided it is assumed that the device initializer package is 419 * already installed. 420 * 421 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC_V2} that starts device owner 422 * provisioning via an NFC bump. 423 */ 424 public static final String EXTRA_PROVISIONING_DEVICE_INITIALIZER_PACKAGE_DOWNLOAD_LOCATION 425 = "android.app.extra.PROVISIONING_DEVICE_INITIALIZER_PACKAGE_DOWNLOAD_LOCATION"; 426 427 /** 428 * An int extra holding a minimum required version code for the device initializer package. 429 * If the initializer is already installed on the device, it will only be re-downloaded from 430 * {@link #EXTRA_PROVISIONING_DEVICE_INITIALIZER_PACKAGE_DOWNLOAD_LOCATION} if the version of 431 * the installed package is less than this version code. 432 * 433 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC_V2} that starts device owner 434 * provisioning via an NFC bump. 435 */ 436 public static final String EXTRA_PROVISIONING_DEVICE_INITIALIZER_MINIMUM_VERSION_CODE 437 = "android.app.extra.PROVISIONING_DEVICE_INITIALIZER_MINIMUM_VERSION_CODE"; 438 439 /** 440 * A String extra holding a http cookie header which should be used in the http request to the 441 * url specified in {@link #EXTRA_PROVISIONING_DEVICE_INITIALIZER_PACKAGE_DOWNLOAD_LOCATION}. 442 * 443 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC_V2} that starts device owner 444 * provisioning via an NFC bump. 445 */ 446 public static final String EXTRA_PROVISIONING_DEVICE_INITIALIZER_PACKAGE_DOWNLOAD_COOKIE_HEADER 447 = "android.app.extra.PROVISIONING_DEVICE_INITIALIZER_PACKAGE_DOWNLOAD_COOKIE_HEADER"; 448 449 /** 450 * A String extra holding the URL-safe base64 encoded SHA-1 checksum of the file at download 451 * location specified in 452 * {@link #EXTRA_PROVISIONING_DEVICE_INITIALIZER_PACKAGE_DOWNLOAD_LOCATION}. If this doesn't 453 * match the file at the download location an error will be shown to the user and the user will 454 * be asked to factory reset the device. 455 * 456 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC_V2} that starts device owner 457 * provisioning via an NFC bump. 458 */ 459 public static final String EXTRA_PROVISIONING_DEVICE_INITIALIZER_PACKAGE_CHECKSUM 460 = "android.app.extra.PROVISIONING_DEVICE_INITIALIZER_PACKAGE_CHECKSUM"; 461 462 /** 463 * A String extra holding the MAC address of the Bluetooth device to connect to with status 464 * updates during provisioning. 465 * 466 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC_V2} that starts device owner 467 * provisioning via an NFC bump. 468 */ 469 public static final String EXTRA_PROVISIONING_BT_MAC_ADDRESS 470 = "android.app.extra.PROVISIONING_BT_MAC_ADDRESS"; 471 472 /** 473 * A String extra holding the Bluetooth service UUID on the device to connect to with status 474 * updates during provisioning. 475 * 476 * <p>This value must be specified when {@code #EXTRA_PROVISIONING_BT_MAC_ADDRESS} is present. 477 * 478 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC_V2} that starts device owner 479 * provisioning via an NFC bump. 480 */ 481 public static final String EXTRA_PROVISIONING_BT_UUID 482 = "android.app.extra.PROVISIONING_BT_UUID"; 483 484 /** 485 * A String extra holding a unique identifier used to identify the device connecting over 486 * Bluetooth. This identifier will be part of every status message sent to the remote device. 487 * 488 * <p>This value must be specified when {@code #EXTRA_PROVISIONING_BT_MAC_ADDRESS} is present. 489 * 490 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC_V2} that starts device owner 491 * provisioning via an NFC bump. 492 */ 493 public static final String EXTRA_PROVISIONING_BT_DEVICE_ID 494 = "android.app.extra.PROVISIONING_BT_DEVICE_ID"; 495 496 /** 497 * A Boolean extra that that will cause a provisioned device to temporarily proxy network 498 * traffic over Bluetooth. When a Wi-Fi network is available, the network proxy will stop. 499 * 500 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC_V2} that starts device owner 501 * provisioning via an NFC bump. 502 */ 503 public static final String EXTRA_PROVISIONING_BT_USE_PROXY 504 = "android.app.extra.PROVISIONING_BT_USE_PROXY"; 505 506 /** 507 * A {@link android.os.Parcelable} extra of type {@link android.os.PersistableBundle} that 508 * holds data needed by the system to wipe factory reset protection. The data needed to wipe 509 * the device depend on the installed factory reset protection implementation. For example, 510 * if an account is needed to unlock a device, this extra may contain data used to 511 * authenticate that account. 512 * 513 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC_V2} that starts device owner 514 * provisioning via an NFC bump. 515 */ 516 public static final String EXTRA_PROVISIONING_RESET_PROTECTION_PARAMETERS 517 = "android.app.extra.PROVISIONING_RESET_PROTECTION_PARAMETERS"; 518 519 /** 520 * This MIME type is used for starting the Device Owner provisioning that does not require 521 * provisioning features introduced in Android API level 522 * {@link android.os.Build.VERSION_CODES#MNC} or later levels. 523 * 524 * <p>For more information about the provisioning process see 525 * {@link #MIME_TYPE_PROVISIONING_NFC_V2}. 526 * 527 * <p>The NFC record must contain a serialized {@link java.util.Properties} object which 528 * contains the following properties: 529 * <ul> 530 * <li>{@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME}</li> 531 * <li>{@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION}, optional</li> 532 * <li>{@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER}, optional</li> 533 * <li>{@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM}, optional</li> 534 * <li>{@link #EXTRA_PROVISIONING_LOCAL_TIME} (convert to String), optional</li> 535 * <li>{@link #EXTRA_PROVISIONING_TIME_ZONE}, optional</li> 536 * <li>{@link #EXTRA_PROVISIONING_LOCALE}, optional</li> 537 * <li>{@link #EXTRA_PROVISIONING_WIFI_SSID}, optional</li> 538 * <li>{@link #EXTRA_PROVISIONING_WIFI_HIDDEN} (convert to String), optional</li> 539 * <li>{@link #EXTRA_PROVISIONING_WIFI_SECURITY_TYPE}, optional</li> 540 * <li>{@link #EXTRA_PROVISIONING_WIFI_PASSWORD}, optional</li> 541 * <li>{@link #EXTRA_PROVISIONING_WIFI_PROXY_HOST}, optional</li> 542 * <li>{@link #EXTRA_PROVISIONING_WIFI_PROXY_PORT} (convert to String), optional</li> 543 * <li>{@link #EXTRA_PROVISIONING_WIFI_PROXY_BYPASS}, optional</li> 544 * <li>{@link #EXTRA_PROVISIONING_WIFI_PAC_URL}, optional</li></ul> 545 * 546 * <p> 547 * As of {@link android.os.Build.VERSION_CODES#MNC}, the properties should contain 548 * {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME} instead of 549 * {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME}, (although specifying only 550 * {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME} is still supported). 551 * 552 * @see #MIME_TYPE_PROVISIONING_NFC_V2 553 * 554 */ 555 public static final String MIME_TYPE_PROVISIONING_NFC 556 = "application/com.android.managedprovisioning"; 557 558 559 /** 560 * This MIME type is used for starting the Device Owner provisioning that requires 561 * new provisioning features introduced in API version 562 * {@link android.os.Build.VERSION_CODES#MNC} in addition to those supported in earlier 563 * versions. 564 * 565 * <p>During device owner provisioning a device admin app is set as the owner of the device. 566 * A device owner has full control over the device. The device owner can not be modified by the 567 * user and the only way of resetting the device is if the device owner app calls a factory 568 * reset. 569 * 570 * <p> A typical use case would be a device that is owned by a company, but used by either an 571 * employee or client. 572 * 573 * <p> The NFC message should be sent to an unprovisioned device. 574 * 575 * <p>The NFC record must contain a serialized {@link java.util.Properties} object which 576 * contains the following properties in addition to properties listed at 577 * {@link #MIME_TYPE_PROVISIONING_NFC}: 578 * <ul> 579 * <li>{@link #EXTRA_PROVISIONING_SKIP_ENCRYPTION}, optional</li> 580 * <li>{@link #EXTRA_PROVISIONING_DEVICE_INITIALIZER_COMPONENT_NAME}, optional</li> 581 * <li>{@link #EXTRA_PROVISIONING_DEVICE_INITIALIZER_PACKAGE_DOWNLOAD_LOCATION}, optional</li> 582 * <li>{@link #EXTRA_PROVISIONING_DEVICE_INITIALIZER_PACKAGE_DOWNLOAD_COOKIE_HEADER}, optional</li> 583 * <li>{@link #EXTRA_PROVISIONING_DEVICE_INITIALIZER_PACKAGE_CHECKSUM}, optional</li> 584 * <li>{@link #EXTRA_PROVISIONING_DEVICE_INITIALIZER_MINIMUM_VERSION_CODE}, optional</li> 585 * <li>{@link #EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME}. 586 * Replaces {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME}. The value of the property 587 * should be converted to a String via 588 * {@link android.content.ComponentName#flattenToString()}</li> 589 * <li>{@link #EXTRA_PROVISIONING_DEVICE_ADMIN_MINIMUM_VERSION_CODE}, optional</li> 590 * <li>{@link #EXTRA_PROVISIONING_BT_MAC_ADDRESS}, optional</li> 591 * <li>{@link #EXTRA_PROVISIONING_BT_UUID}, optional</li> 592 * <li>{@link #EXTRA_PROVISIONING_BT_DEVICE_ID}, optional</li> 593 * <li>{@link #EXTRA_PROVISIONING_BT_USE_PROXY}, optional</li></ul> 594 * 595 * <p> When device owner provisioning has completed, an intent of the type 596 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE} is broadcasted to the 597 * device owner. 598 * 599 * <p> 600 * If provisioning fails, the device is factory reset. 601 * 602 * <p>Input: Nothing.</p> 603 * <p>Output: Nothing</p> 604 */ 605 public static final String MIME_TYPE_PROVISIONING_NFC_V2 606 = "application/com.android.managedprovisioning.v2"; 607 608 /** 609 * Activity action: ask the user to add a new device administrator to the system. 610 * The desired policy is the ComponentName of the policy in the 611 * {@link #EXTRA_DEVICE_ADMIN} extra field. This will invoke a UI to 612 * bring the user through adding the device administrator to the system (or 613 * allowing them to reject it). 614 * 615 * <p>You can optionally include the {@link #EXTRA_ADD_EXPLANATION} 616 * field to provide the user with additional explanation (in addition 617 * to your component's description) about what is being added. 618 * 619 * <p>If your administrator is already active, this will ordinarily return immediately (without 620 * user intervention). However, if your administrator has been updated and is requesting 621 * additional uses-policy flags, the user will be presented with the new list. New policies 622 * will not be available to the updated administrator until the user has accepted the new list. 623 */ 624 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 625 public static final String ACTION_ADD_DEVICE_ADMIN 626 = "android.app.action.ADD_DEVICE_ADMIN"; 627 628 /** 629 * @hide 630 * Activity action: ask the user to add a new device administrator as the profile owner 631 * for this user. Only system apps can launch this intent. 632 * 633 * <p>The ComponentName of the profile owner admin is passed in the {@link #EXTRA_DEVICE_ADMIN} 634 * extra field. This will invoke a UI to bring the user through adding the profile owner admin 635 * to remotely control restrictions on the user. 636 * 637 * <p>The intent must be invoked via {@link Activity#startActivityForResult()} to receive the 638 * result of whether or not the user approved the action. If approved, the result will 639 * be {@link Activity#RESULT_OK} and the component will be set as an active admin as well 640 * as a profile owner. 641 * 642 * <p>You can optionally include the {@link #EXTRA_ADD_EXPLANATION} 643 * field to provide the user with additional explanation (in addition 644 * to your component's description) about what is being added. 645 * 646 * <p>If there is already a profile owner active or the caller is not a system app, the 647 * operation will return a failure result. 648 */ 649 @SystemApi 650 public static final String ACTION_SET_PROFILE_OWNER 651 = "android.app.action.SET_PROFILE_OWNER"; 652 653 /** 654 * Protected broadcast action that will be sent to managed provisioning to notify it that a 655 * status update has been reported by the device initializer. The status update will be 656 * reported to the remote setup device over Bluetooth. 657 * 658 * <p>Broadcasts with this action must supply a 659 * {@linkplain DeviceInitializerStatus#isCustomStatus(int) custom} status code in the 660 * {@link EXTRA_DEVICE_INITIALIZER_STATUS_CODE} extra. 661 * 662 * <p>Broadcasts may optionally contain a description in the 663 * {@link EXTRA_DEVICE_INITIALIZER_STATUS_DESCRIPTION} extra. 664 * @hide 665 */ 666 @SystemApi 667 public static final String ACTION_SEND_DEVICE_INITIALIZER_STATUS 668 = "android.app.action.SEND_DEVICE_INITIALIZER_STATUS"; 669 670 /** 671 * An integer extra that contains the status code that defines a status update. This extra must 672 * sent as part of a broadcast with an action of {@code ACTION_SEND_DEVICE_INITIALIZER_STATUS}. 673 * 674 * <p>The status code sent with this extra must be a custom status code as defined by 675 * {@link DeviceInitializerStatus#isCustomStatus(int)}. 676 * @hide 677 */ 678 @SystemApi 679 public static final String EXTRA_DEVICE_INITIALIZER_STATUS_CODE 680 = "android.app.extra.DEVICE_INITIALIZER_STATUS_CODE"; 681 682 /** 683 * A {@code String} extra that contains an optional description accompanying a status update. 684 * This extra my be sent as part of a broadcast with an action of 685 * {@code ACTION_SEND_DEVICE_INITIALIZER_STATUS}. 686 * @hide 687 */ 688 @SystemApi 689 public static final String EXTRA_DEVICE_INITIALIZER_STATUS_DESCRIPTION 690 = "android.app.extra.DEVICE_INITIALIZER_STATUS_DESCRIPTION"; 691 692 /** 693 * @hide 694 * Name of the profile owner admin that controls the user. 695 */ 696 @SystemApi 697 public static final String EXTRA_PROFILE_OWNER_NAME 698 = "android.app.extra.PROFILE_OWNER_NAME"; 699 700 /** 701 * Activity action: send when any policy admin changes a policy. 702 * This is generally used to find out when a new policy is in effect. 703 * 704 * @hide 705 */ 706 public static final String ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED 707 = "android.app.action.DEVICE_POLICY_MANAGER_STATE_CHANGED"; 708 709 /** 710 * The ComponentName of the administrator component. 711 * 712 * @see #ACTION_ADD_DEVICE_ADMIN 713 */ 714 public static final String EXTRA_DEVICE_ADMIN = "android.app.extra.DEVICE_ADMIN"; 715 716 /** 717 * An optional CharSequence providing additional explanation for why the 718 * admin is being added. 719 * 720 * @see #ACTION_ADD_DEVICE_ADMIN 721 */ 722 public static final String EXTRA_ADD_EXPLANATION = "android.app.extra.ADD_EXPLANATION"; 723 724 /** 725 * Activity action: have the user enter a new password. This activity should 726 * be launched after using {@link #setPasswordQuality(ComponentName, int)}, 727 * or {@link #setPasswordMinimumLength(ComponentName, int)} to have the user 728 * enter a new password that meets the current requirements. You can use 729 * {@link #isActivePasswordSufficient()} to determine whether you need to 730 * have the user select a new password in order to meet the current 731 * constraints. Upon being resumed from this activity, you can check the new 732 * password characteristics to see if they are sufficient. 733 */ 734 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 735 public static final String ACTION_SET_NEW_PASSWORD 736 = "android.app.action.SET_NEW_PASSWORD"; 737 738 /** 739 * Flag used by {@link #addCrossProfileIntentFilter} to allow activities in 740 * the parent profile to access intents sent from the managed profile. 741 * That is, when an app in the managed profile calls 742 * {@link Activity#startActivity(Intent)}, the intent can be resolved by a 743 * matching activity in the parent profile. 744 */ 745 public static final int FLAG_PARENT_CAN_ACCESS_MANAGED = 0x0001; 746 747 /** 748 * Flag used by {@link #addCrossProfileIntentFilter} to allow activities in 749 * the managed profile to access intents sent from the parent profile. 750 * That is, when an app in the parent profile calls 751 * {@link Activity#startActivity(Intent)}, the intent can be resolved by a 752 * matching activity in the managed profile. 753 */ 754 public static final int FLAG_MANAGED_CAN_ACCESS_PARENT = 0x0002; 755 756 /** 757 * Broadcast action: notify that a new local OTA policy has been set by the device owner. 758 * The new policy can be retrieved by {@link #getOtaPolicy()}. 759 */ 760 @SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION) 761 public static final String ACTION_OTA_POLICY_CHANGED = "android.app.action.OTA_POLICY_CHANGED"; 762 763 764 /** 765 * Return true if the given administrator component is currently 766 * active (enabled) in the system. 767 */ 768 public boolean isAdminActive(ComponentName who) { 769 return isAdminActiveAsUser(who, UserHandle.myUserId()); 770 } 771 772 /** 773 * @see #isAdminActive(ComponentName) 774 * @hide 775 */ 776 public boolean isAdminActiveAsUser(ComponentName who, int userId) { 777 if (mService != null) { 778 try { 779 return mService.isAdminActive(who, userId); 780 } catch (RemoteException e) { 781 Log.w(TAG, "Failed talking with device policy service", e); 782 } 783 } 784 return false; 785 } 786 /** 787 * Return true if the given administrator component is currently being removed 788 * for the user. 789 * @hide 790 */ 791 public boolean isRemovingAdmin(ComponentName who, int userId) { 792 if (mService != null) { 793 try { 794 return mService.isRemovingAdmin(who, userId); 795 } catch (RemoteException e) { 796 Log.w(TAG, "Failed talking with device policy service", e); 797 } 798 } 799 return false; 800 } 801 802 803 /** 804 * Return a list of all currently active device administrator's component 805 * names. Note that if there are no administrators than null may be 806 * returned. 807 */ 808 public List<ComponentName> getActiveAdmins() { 809 return getActiveAdminsAsUser(UserHandle.myUserId()); 810 } 811 812 /** 813 * @see #getActiveAdmins() 814 * @hide 815 */ 816 public List<ComponentName> getActiveAdminsAsUser(int userId) { 817 if (mService != null) { 818 try { 819 return mService.getActiveAdmins(userId); 820 } catch (RemoteException e) { 821 Log.w(TAG, "Failed talking with device policy service", e); 822 } 823 } 824 return null; 825 } 826 827 /** 828 * Used by package administration code to determine if a package can be stopped 829 * or uninstalled. 830 * @hide 831 */ 832 public boolean packageHasActiveAdmins(String packageName) { 833 if (mService != null) { 834 try { 835 return mService.packageHasActiveAdmins(packageName, UserHandle.myUserId()); 836 } catch (RemoteException e) { 837 Log.w(TAG, "Failed talking with device policy service", e); 838 } 839 } 840 return false; 841 } 842 843 /** 844 * Remove a current administration component. This can only be called 845 * by the application that owns the administration component; if you 846 * try to remove someone else's component, a security exception will be 847 * thrown. 848 */ 849 public void removeActiveAdmin(ComponentName who) { 850 if (mService != null) { 851 try { 852 mService.removeActiveAdmin(who, UserHandle.myUserId()); 853 } catch (RemoteException e) { 854 Log.w(TAG, "Failed talking with device policy service", e); 855 } 856 } 857 } 858 859 /** 860 * Returns true if an administrator has been granted a particular device policy. This can 861 * be used to check if the administrator was activated under an earlier set of policies, 862 * but requires additional policies after an upgrade. 863 * 864 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. Must be 865 * an active administrator, or an exception will be thrown. 866 * @param usesPolicy Which uses-policy to check, as defined in {@link DeviceAdminInfo}. 867 */ 868 public boolean hasGrantedPolicy(ComponentName admin, int usesPolicy) { 869 if (mService != null) { 870 try { 871 return mService.hasGrantedPolicy(admin, usesPolicy, UserHandle.myUserId()); 872 } catch (RemoteException e) { 873 Log.w(TAG, "Failed talking with device policy service", e); 874 } 875 } 876 return false; 877 } 878 879 /** 880 * Constant for {@link #setPasswordQuality}: the policy has no requirements 881 * for the password. Note that quality constants are ordered so that higher 882 * values are more restrictive. 883 */ 884 public static final int PASSWORD_QUALITY_UNSPECIFIED = 0; 885 886 /** 887 * Constant for {@link #setPasswordQuality}: the policy allows for low-security biometric 888 * recognition technology. This implies technologies that can recognize the identity of 889 * an individual to about a 3 digit PIN (false detection is less than 1 in 1,000). 890 * Note that quality constants are ordered so that higher values are more restrictive. 891 */ 892 public static final int PASSWORD_QUALITY_BIOMETRIC_WEAK = 0x8000; 893 894 /** 895 * Constant for {@link #setPasswordQuality}: the policy requires some kind 896 * of password, but doesn't care what it is. Note that quality constants 897 * are ordered so that higher values are more restrictive. 898 */ 899 public static final int PASSWORD_QUALITY_SOMETHING = 0x10000; 900 901 /** 902 * Constant for {@link #setPasswordQuality}: the user must have entered a 903 * password containing at least numeric characters. Note that quality 904 * constants are ordered so that higher values are more restrictive. 905 */ 906 public static final int PASSWORD_QUALITY_NUMERIC = 0x20000; 907 908 /** 909 * Constant for {@link #setPasswordQuality}: the user must have entered a 910 * password containing at least numeric characters with no repeating (4444) 911 * or ordered (1234, 4321, 2468) sequences. Note that quality 912 * constants are ordered so that higher values are more restrictive. 913 */ 914 public static final int PASSWORD_QUALITY_NUMERIC_COMPLEX = 0x30000; 915 916 /** 917 * Constant for {@link #setPasswordQuality}: the user must have entered a 918 * password containing at least alphabetic (or other symbol) characters. 919 * Note that quality constants are ordered so that higher values are more 920 * restrictive. 921 */ 922 public static final int PASSWORD_QUALITY_ALPHABETIC = 0x40000; 923 924 /** 925 * Constant for {@link #setPasswordQuality}: the user must have entered a 926 * password containing at least <em>both></em> numeric <em>and</em> 927 * alphabetic (or other symbol) characters. Note that quality constants are 928 * ordered so that higher values are more restrictive. 929 */ 930 public static final int PASSWORD_QUALITY_ALPHANUMERIC = 0x50000; 931 932 /** 933 * Constant for {@link #setPasswordQuality}: the user must have entered a 934 * password containing at least a letter, a numerical digit and a special 935 * symbol, by default. With this password quality, passwords can be 936 * restricted to contain various sets of characters, like at least an 937 * uppercase letter, etc. These are specified using various methods, 938 * like {@link #setPasswordMinimumLowerCase(ComponentName, int)}. Note 939 * that quality constants are ordered so that higher values are more 940 * restrictive. 941 */ 942 public static final int PASSWORD_QUALITY_COMPLEX = 0x60000; 943 944 /** 945 * Called by an application that is administering the device to set the 946 * password restrictions it is imposing. After setting this, the user 947 * will not be able to enter a new password that is not at least as 948 * restrictive as what has been set. Note that the current password 949 * will remain until the user has set a new one, so the change does not 950 * take place immediately. To prompt the user for a new password, use 951 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. 952 * 953 * <p>Quality constants are ordered so that higher values are more restrictive; 954 * thus the highest requested quality constant (between the policy set here, 955 * the user's preference, and any other considerations) is the one that 956 * is in effect. 957 * 958 * <p>The calling device admin must have requested 959 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 960 * this method; if it has not, a security exception will be thrown. 961 * 962 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 963 * @param quality The new desired quality. One of 964 * {@link #PASSWORD_QUALITY_UNSPECIFIED}, {@link #PASSWORD_QUALITY_SOMETHING}, 965 * {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_NUMERIC_COMPLEX}, 966 * {@link #PASSWORD_QUALITY_ALPHABETIC}, {@link #PASSWORD_QUALITY_ALPHANUMERIC} 967 * or {@link #PASSWORD_QUALITY_COMPLEX}. 968 */ 969 public void setPasswordQuality(ComponentName admin, int quality) { 970 if (mService != null) { 971 try { 972 mService.setPasswordQuality(admin, quality); 973 } catch (RemoteException e) { 974 Log.w(TAG, "Failed talking with device policy service", e); 975 } 976 } 977 } 978 979 /** 980 * Retrieve the current minimum password quality for all admins of this user 981 * and its profiles or a particular one. 982 * @param admin The name of the admin component to check, or null to aggregate 983 * all admins. 984 */ 985 public int getPasswordQuality(ComponentName admin) { 986 return getPasswordQuality(admin, UserHandle.myUserId()); 987 } 988 989 /** @hide per-user version */ 990 public int getPasswordQuality(ComponentName admin, int userHandle) { 991 if (mService != null) { 992 try { 993 return mService.getPasswordQuality(admin, userHandle); 994 } catch (RemoteException e) { 995 Log.w(TAG, "Failed talking with device policy service", e); 996 } 997 } 998 return PASSWORD_QUALITY_UNSPECIFIED; 999 } 1000 1001 /** 1002 * Called by an application that is administering the device to set the 1003 * minimum allowed password length. After setting this, the user 1004 * will not be able to enter a new password that is not at least as 1005 * restrictive as what has been set. Note that the current password 1006 * will remain until the user has set a new one, so the change does not 1007 * take place immediately. To prompt the user for a new password, use 1008 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 1009 * constraint is only imposed if the administrator has also requested either 1010 * {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_NUMERIC_COMPLEX}, 1011 * {@link #PASSWORD_QUALITY_ALPHABETIC}, {@link #PASSWORD_QUALITY_ALPHANUMERIC}, 1012 * or {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. 1013 * 1014 * <p>The calling device admin must have requested 1015 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 1016 * this method; if it has not, a security exception will be thrown. 1017 * 1018 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1019 * @param length The new desired minimum password length. A value of 0 1020 * means there is no restriction. 1021 */ 1022 public void setPasswordMinimumLength(ComponentName admin, int length) { 1023 if (mService != null) { 1024 try { 1025 mService.setPasswordMinimumLength(admin, length); 1026 } catch (RemoteException e) { 1027 Log.w(TAG, "Failed talking with device policy service", e); 1028 } 1029 } 1030 } 1031 1032 /** 1033 * Retrieve the current minimum password length for all admins of this 1034 * user and its profiles or a particular one. 1035 * @param admin The name of the admin component to check, or null to aggregate 1036 * all admins. 1037 */ 1038 public int getPasswordMinimumLength(ComponentName admin) { 1039 return getPasswordMinimumLength(admin, UserHandle.myUserId()); 1040 } 1041 1042 /** @hide per-user version */ 1043 public int getPasswordMinimumLength(ComponentName admin, int userHandle) { 1044 if (mService != null) { 1045 try { 1046 return mService.getPasswordMinimumLength(admin, userHandle); 1047 } catch (RemoteException e) { 1048 Log.w(TAG, "Failed talking with device policy service", e); 1049 } 1050 } 1051 return 0; 1052 } 1053 1054 /** 1055 * Called by an application that is administering the device to set the 1056 * minimum number of upper case letters required in the password. After 1057 * setting this, the user will not be able to enter a new password that is 1058 * not at least as restrictive as what has been set. Note that the current 1059 * password will remain until the user has set a new one, so the change does 1060 * not take place immediately. To prompt the user for a new password, use 1061 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 1062 * constraint is only imposed if the administrator has also requested 1063 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 1064 * default value is 0. 1065 * <p> 1066 * The calling device admin must have requested 1067 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 1068 * this method; if it has not, a security exception will be thrown. 1069 * 1070 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1071 * with. 1072 * @param length The new desired minimum number of upper case letters 1073 * required in the password. A value of 0 means there is no 1074 * restriction. 1075 */ 1076 public void setPasswordMinimumUpperCase(ComponentName admin, int length) { 1077 if (mService != null) { 1078 try { 1079 mService.setPasswordMinimumUpperCase(admin, length); 1080 } catch (RemoteException e) { 1081 Log.w(TAG, "Failed talking with device policy service", e); 1082 } 1083 } 1084 } 1085 1086 /** 1087 * Retrieve the current number of upper case letters required in the 1088 * password for all admins of this user and its profiles or a particular one. 1089 * This is the same value as set by 1090 * {#link {@link #setPasswordMinimumUpperCase(ComponentName, int)} 1091 * and only applies when the password quality is 1092 * {@link #PASSWORD_QUALITY_COMPLEX}. 1093 * 1094 * @param admin The name of the admin component to check, or null to 1095 * aggregate all admins. 1096 * @return The minimum number of upper case letters required in the 1097 * password. 1098 */ 1099 public int getPasswordMinimumUpperCase(ComponentName admin) { 1100 return getPasswordMinimumUpperCase(admin, UserHandle.myUserId()); 1101 } 1102 1103 /** @hide per-user version */ 1104 public int getPasswordMinimumUpperCase(ComponentName admin, int userHandle) { 1105 if (mService != null) { 1106 try { 1107 return mService.getPasswordMinimumUpperCase(admin, userHandle); 1108 } catch (RemoteException e) { 1109 Log.w(TAG, "Failed talking with device policy service", e); 1110 } 1111 } 1112 return 0; 1113 } 1114 1115 /** 1116 * Called by an application that is administering the device to set the 1117 * minimum number of lower case letters required in the password. After 1118 * setting this, the user will not be able to enter a new password that is 1119 * not at least as restrictive as what has been set. Note that the current 1120 * password will remain until the user has set a new one, so the change does 1121 * not take place immediately. To prompt the user for a new password, use 1122 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 1123 * constraint is only imposed if the administrator has also requested 1124 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 1125 * default value is 0. 1126 * <p> 1127 * The calling device admin must have requested 1128 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 1129 * this method; if it has not, a security exception will be thrown. 1130 * 1131 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1132 * with. 1133 * @param length The new desired minimum number of lower case letters 1134 * required in the password. A value of 0 means there is no 1135 * restriction. 1136 */ 1137 public void setPasswordMinimumLowerCase(ComponentName admin, int length) { 1138 if (mService != null) { 1139 try { 1140 mService.setPasswordMinimumLowerCase(admin, length); 1141 } catch (RemoteException e) { 1142 Log.w(TAG, "Failed talking with device policy service", e); 1143 } 1144 } 1145 } 1146 1147 /** 1148 * Retrieve the current number of lower case letters required in the 1149 * password for all admins of this user and its profiles or a particular one. 1150 * This is the same value as set by 1151 * {#link {@link #setPasswordMinimumLowerCase(ComponentName, int)} 1152 * and only applies when the password quality is 1153 * {@link #PASSWORD_QUALITY_COMPLEX}. 1154 * 1155 * @param admin The name of the admin component to check, or null to 1156 * aggregate all admins. 1157 * @return The minimum number of lower case letters required in the 1158 * password. 1159 */ 1160 public int getPasswordMinimumLowerCase(ComponentName admin) { 1161 return getPasswordMinimumLowerCase(admin, UserHandle.myUserId()); 1162 } 1163 1164 /** @hide per-user version */ 1165 public int getPasswordMinimumLowerCase(ComponentName admin, int userHandle) { 1166 if (mService != null) { 1167 try { 1168 return mService.getPasswordMinimumLowerCase(admin, userHandle); 1169 } catch (RemoteException e) { 1170 Log.w(TAG, "Failed talking with device policy service", e); 1171 } 1172 } 1173 return 0; 1174 } 1175 1176 /** 1177 * Called by an application that is administering the device to set the 1178 * minimum number of letters required in the password. After setting this, 1179 * the user will not be able to enter a new password that is not at least as 1180 * restrictive as what has been set. Note that the current password will 1181 * remain until the user has set a new one, so the change does not take 1182 * place immediately. To prompt the user for a new password, use 1183 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 1184 * constraint is only imposed if the administrator has also requested 1185 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 1186 * default value is 1. 1187 * <p> 1188 * The calling device admin must have requested 1189 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 1190 * this method; if it has not, a security exception will be thrown. 1191 * 1192 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1193 * with. 1194 * @param length The new desired minimum number of letters required in the 1195 * password. A value of 0 means there is no restriction. 1196 */ 1197 public void setPasswordMinimumLetters(ComponentName admin, int length) { 1198 if (mService != null) { 1199 try { 1200 mService.setPasswordMinimumLetters(admin, length); 1201 } catch (RemoteException e) { 1202 Log.w(TAG, "Failed talking with device policy service", e); 1203 } 1204 } 1205 } 1206 1207 /** 1208 * Retrieve the current number of letters required in the password for all 1209 * admins or a particular one. This is the same value as 1210 * set by {#link {@link #setPasswordMinimumLetters(ComponentName, int)} 1211 * and only applies when the password quality is 1212 * {@link #PASSWORD_QUALITY_COMPLEX}. 1213 * 1214 * @param admin The name of the admin component to check, or null to 1215 * aggregate all admins. 1216 * @return The minimum number of letters required in the password. 1217 */ 1218 public int getPasswordMinimumLetters(ComponentName admin) { 1219 return getPasswordMinimumLetters(admin, UserHandle.myUserId()); 1220 } 1221 1222 /** @hide per-user version */ 1223 public int getPasswordMinimumLetters(ComponentName admin, int userHandle) { 1224 if (mService != null) { 1225 try { 1226 return mService.getPasswordMinimumLetters(admin, userHandle); 1227 } catch (RemoteException e) { 1228 Log.w(TAG, "Failed talking with device policy service", e); 1229 } 1230 } 1231 return 0; 1232 } 1233 1234 /** 1235 * Called by an application that is administering the device to set the 1236 * minimum number of numerical digits required in the password. After 1237 * setting this, the user will not be able to enter a new password that is 1238 * not at least as restrictive as what has been set. Note that the current 1239 * password will remain until the user has set a new one, so the change does 1240 * not take place immediately. To prompt the user for a new password, use 1241 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 1242 * constraint is only imposed if the administrator has also requested 1243 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 1244 * default value is 1. 1245 * <p> 1246 * The calling device admin must have requested 1247 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 1248 * this method; if it has not, a security exception will be thrown. 1249 * 1250 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1251 * with. 1252 * @param length The new desired minimum number of numerical digits required 1253 * in the password. A value of 0 means there is no restriction. 1254 */ 1255 public void setPasswordMinimumNumeric(ComponentName admin, int length) { 1256 if (mService != null) { 1257 try { 1258 mService.setPasswordMinimumNumeric(admin, length); 1259 } catch (RemoteException e) { 1260 Log.w(TAG, "Failed talking with device policy service", e); 1261 } 1262 } 1263 } 1264 1265 /** 1266 * Retrieve the current number of numerical digits required in the password 1267 * for all admins of this user and its profiles or a particular one. 1268 * This is the same value as set by 1269 * {#link {@link #setPasswordMinimumNumeric(ComponentName, int)} 1270 * and only applies when the password quality is 1271 * {@link #PASSWORD_QUALITY_COMPLEX}. 1272 * 1273 * @param admin The name of the admin component to check, or null to 1274 * aggregate all admins. 1275 * @return The minimum number of numerical digits required in the password. 1276 */ 1277 public int getPasswordMinimumNumeric(ComponentName admin) { 1278 return getPasswordMinimumNumeric(admin, UserHandle.myUserId()); 1279 } 1280 1281 /** @hide per-user version */ 1282 public int getPasswordMinimumNumeric(ComponentName admin, int userHandle) { 1283 if (mService != null) { 1284 try { 1285 return mService.getPasswordMinimumNumeric(admin, userHandle); 1286 } catch (RemoteException e) { 1287 Log.w(TAG, "Failed talking with device policy service", e); 1288 } 1289 } 1290 return 0; 1291 } 1292 1293 /** 1294 * Called by an application that is administering the device to set the 1295 * minimum number of symbols required in the password. After setting this, 1296 * the user will not be able to enter a new password that is not at least as 1297 * restrictive as what has been set. Note that the current password will 1298 * remain until the user has set a new one, so the change does not take 1299 * place immediately. To prompt the user for a new password, use 1300 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 1301 * constraint is only imposed if the administrator has also requested 1302 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 1303 * default value is 1. 1304 * <p> 1305 * The calling device admin must have requested 1306 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 1307 * this method; if it has not, a security exception will be thrown. 1308 * 1309 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1310 * with. 1311 * @param length The new desired minimum number of symbols required in the 1312 * password. A value of 0 means there is no restriction. 1313 */ 1314 public void setPasswordMinimumSymbols(ComponentName admin, int length) { 1315 if (mService != null) { 1316 try { 1317 mService.setPasswordMinimumSymbols(admin, length); 1318 } catch (RemoteException e) { 1319 Log.w(TAG, "Failed talking with device policy service", e); 1320 } 1321 } 1322 } 1323 1324 /** 1325 * Retrieve the current number of symbols required in the password for all 1326 * admins or a particular one. This is the same value as 1327 * set by {#link {@link #setPasswordMinimumSymbols(ComponentName, int)} 1328 * and only applies when the password quality is 1329 * {@link #PASSWORD_QUALITY_COMPLEX}. 1330 * 1331 * @param admin The name of the admin component to check, or null to 1332 * aggregate all admins. 1333 * @return The minimum number of symbols required in the password. 1334 */ 1335 public int getPasswordMinimumSymbols(ComponentName admin) { 1336 return getPasswordMinimumSymbols(admin, UserHandle.myUserId()); 1337 } 1338 1339 /** @hide per-user version */ 1340 public int getPasswordMinimumSymbols(ComponentName admin, int userHandle) { 1341 if (mService != null) { 1342 try { 1343 return mService.getPasswordMinimumSymbols(admin, userHandle); 1344 } catch (RemoteException e) { 1345 Log.w(TAG, "Failed talking with device policy service", e); 1346 } 1347 } 1348 return 0; 1349 } 1350 1351 /** 1352 * Called by an application that is administering the device to set the 1353 * minimum number of non-letter characters (numerical digits or symbols) 1354 * required in the password. After setting this, the user will not be able 1355 * to enter a new password that is not at least as restrictive as what has 1356 * been set. Note that the current password will remain until the user has 1357 * set a new one, so the change does not take place immediately. To prompt 1358 * the user for a new password, use {@link #ACTION_SET_NEW_PASSWORD} after 1359 * setting this value. This constraint is only imposed if the administrator 1360 * has also requested {@link #PASSWORD_QUALITY_COMPLEX} with 1361 * {@link #setPasswordQuality}. The default value is 0. 1362 * <p> 1363 * The calling device admin must have requested 1364 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 1365 * this method; if it has not, a security exception will be thrown. 1366 * 1367 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1368 * with. 1369 * @param length The new desired minimum number of letters required in the 1370 * password. A value of 0 means there is no restriction. 1371 */ 1372 public void setPasswordMinimumNonLetter(ComponentName admin, int length) { 1373 if (mService != null) { 1374 try { 1375 mService.setPasswordMinimumNonLetter(admin, length); 1376 } catch (RemoteException e) { 1377 Log.w(TAG, "Failed talking with device policy service", e); 1378 } 1379 } 1380 } 1381 1382 /** 1383 * Retrieve the current number of non-letter characters required in the 1384 * password for all admins of this user and its profiles or a particular one. 1385 * This is the same value as set by 1386 * {#link {@link #setPasswordMinimumNonLetter(ComponentName, int)} 1387 * and only applies when the password quality is 1388 * {@link #PASSWORD_QUALITY_COMPLEX}. 1389 * 1390 * @param admin The name of the admin component to check, or null to 1391 * aggregate all admins. 1392 * @return The minimum number of letters required in the password. 1393 */ 1394 public int getPasswordMinimumNonLetter(ComponentName admin) { 1395 return getPasswordMinimumNonLetter(admin, UserHandle.myUserId()); 1396 } 1397 1398 /** @hide per-user version */ 1399 public int getPasswordMinimumNonLetter(ComponentName admin, int userHandle) { 1400 if (mService != null) { 1401 try { 1402 return mService.getPasswordMinimumNonLetter(admin, userHandle); 1403 } catch (RemoteException e) { 1404 Log.w(TAG, "Failed talking with device policy service", e); 1405 } 1406 } 1407 return 0; 1408 } 1409 1410 /** 1411 * Called by an application that is administering the device to set the length 1412 * of the password history. After setting this, the user will not be able to 1413 * enter a new password that is the same as any password in the history. Note 1414 * that the current password will remain until the user has set a new one, so 1415 * the change does not take place immediately. To prompt the user for a new 1416 * password, use {@link #ACTION_SET_NEW_PASSWORD} after setting this value. 1417 * This constraint is only imposed if the administrator has also requested 1418 * either {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_NUMERIC_COMPLEX} 1419 * {@link #PASSWORD_QUALITY_ALPHABETIC}, or {@link #PASSWORD_QUALITY_ALPHANUMERIC} 1420 * with {@link #setPasswordQuality}. 1421 * 1422 * <p> 1423 * The calling device admin must have requested 1424 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call this 1425 * method; if it has not, a security exception will be thrown. 1426 * 1427 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1428 * with. 1429 * @param length The new desired length of password history. A value of 0 1430 * means there is no restriction. 1431 */ 1432 public void setPasswordHistoryLength(ComponentName admin, int length) { 1433 if (mService != null) { 1434 try { 1435 mService.setPasswordHistoryLength(admin, length); 1436 } catch (RemoteException e) { 1437 Log.w(TAG, "Failed talking with device policy service", e); 1438 } 1439 } 1440 } 1441 1442 /** 1443 * Called by a device admin to set the password expiration timeout. Calling this method 1444 * will restart the countdown for password expiration for the given admin, as will changing 1445 * the device password (for all admins). 1446 * 1447 * <p>The provided timeout is the time delta in ms and will be added to the current time. 1448 * For example, to have the password expire 5 days from now, timeout would be 1449 * 5 * 86400 * 1000 = 432000000 ms for timeout. 1450 * 1451 * <p>To disable password expiration, a value of 0 may be used for timeout. 1452 * 1453 * <p>The calling device admin must have requested 1454 * {@link DeviceAdminInfo#USES_POLICY_EXPIRE_PASSWORD} to be able to call this 1455 * method; if it has not, a security exception will be thrown. 1456 * 1457 * <p> Note that setting the password will automatically reset the expiration time for all 1458 * active admins. Active admins do not need to explicitly call this method in that case. 1459 * 1460 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1461 * @param timeout The limit (in ms) that a password can remain in effect. A value of 0 1462 * means there is no restriction (unlimited). 1463 */ 1464 public void setPasswordExpirationTimeout(ComponentName admin, long timeout) { 1465 if (mService != null) { 1466 try { 1467 mService.setPasswordExpirationTimeout(admin, timeout); 1468 } catch (RemoteException e) { 1469 Log.w(TAG, "Failed talking with device policy service", e); 1470 } 1471 } 1472 } 1473 1474 /** 1475 * Get the password expiration timeout for the given admin. The expiration timeout is the 1476 * recurring expiration timeout provided in the call to 1477 * {@link #setPasswordExpirationTimeout(ComponentName, long)} for the given admin or the 1478 * aggregate of all policy administrators if admin is null. 1479 * 1480 * @param admin The name of the admin component to check, or null to aggregate all admins. 1481 * @return The timeout for the given admin or the minimum of all timeouts 1482 */ 1483 public long getPasswordExpirationTimeout(ComponentName admin) { 1484 if (mService != null) { 1485 try { 1486 return mService.getPasswordExpirationTimeout(admin, UserHandle.myUserId()); 1487 } catch (RemoteException e) { 1488 Log.w(TAG, "Failed talking with device policy service", e); 1489 } 1490 } 1491 return 0; 1492 } 1493 1494 /** 1495 * Get the current password expiration time for the given admin or an aggregate of 1496 * all admins of this user and its profiles if admin is null. If the password is 1497 * expired, this will return the time since the password expired as a negative number. 1498 * If admin is null, then a composite of all expiration timeouts is returned 1499 * - which will be the minimum of all timeouts. 1500 * 1501 * @param admin The name of the admin component to check, or null to aggregate all admins. 1502 * @return The password expiration time, in ms. 1503 */ 1504 public long getPasswordExpiration(ComponentName admin) { 1505 if (mService != null) { 1506 try { 1507 return mService.getPasswordExpiration(admin, UserHandle.myUserId()); 1508 } catch (RemoteException e) { 1509 Log.w(TAG, "Failed talking with device policy service", e); 1510 } 1511 } 1512 return 0; 1513 } 1514 1515 /** 1516 * Retrieve the current password history length for all admins of this 1517 * user and its profiles or a particular one. 1518 * @param admin The name of the admin component to check, or null to aggregate 1519 * all admins. 1520 * @return The length of the password history 1521 */ 1522 public int getPasswordHistoryLength(ComponentName admin) { 1523 return getPasswordHistoryLength(admin, UserHandle.myUserId()); 1524 } 1525 1526 /** @hide per-user version */ 1527 public int getPasswordHistoryLength(ComponentName admin, int userHandle) { 1528 if (mService != null) { 1529 try { 1530 return mService.getPasswordHistoryLength(admin, userHandle); 1531 } catch (RemoteException e) { 1532 Log.w(TAG, "Failed talking with device policy service", e); 1533 } 1534 } 1535 return 0; 1536 } 1537 1538 /** 1539 * Return the maximum password length that the device supports for a 1540 * particular password quality. 1541 * @param quality The quality being interrogated. 1542 * @return Returns the maximum length that the user can enter. 1543 */ 1544 public int getPasswordMaximumLength(int quality) { 1545 // Kind-of arbitrary. 1546 return 16; 1547 } 1548 1549 /** 1550 * Determine whether the current password the user has set is sufficient 1551 * to meet the policy requirements (quality, minimum length) that have been 1552 * requested by the admins of this user and its profiles. 1553 * 1554 * <p>The calling device admin must have requested 1555 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 1556 * this method; if it has not, a security exception will be thrown. 1557 * 1558 * @return Returns true if the password meets the current requirements, else false. 1559 */ 1560 public boolean isActivePasswordSufficient() { 1561 if (mService != null) { 1562 try { 1563 return mService.isActivePasswordSufficient(UserHandle.myUserId()); 1564 } catch (RemoteException e) { 1565 Log.w(TAG, "Failed talking with device policy service", e); 1566 } 1567 } 1568 return false; 1569 } 1570 1571 /** 1572 * Retrieve the number of times the user has failed at entering a 1573 * password since that last successful password entry. 1574 * 1575 * <p>The calling device admin must have requested 1576 * {@link DeviceAdminInfo#USES_POLICY_WATCH_LOGIN} to be able to call 1577 * this method; if it has not, a security exception will be thrown. 1578 */ 1579 public int getCurrentFailedPasswordAttempts() { 1580 if (mService != null) { 1581 try { 1582 return mService.getCurrentFailedPasswordAttempts(UserHandle.myUserId()); 1583 } catch (RemoteException e) { 1584 Log.w(TAG, "Failed talking with device policy service", e); 1585 } 1586 } 1587 return -1; 1588 } 1589 1590 /** 1591 * Setting this to a value greater than zero enables a built-in policy 1592 * that will perform a device wipe after too many incorrect 1593 * device-unlock passwords have been entered. This built-in policy combines 1594 * watching for failed passwords and wiping the device, and requires 1595 * that you request both {@link DeviceAdminInfo#USES_POLICY_WATCH_LOGIN} and 1596 * {@link DeviceAdminInfo#USES_POLICY_WIPE_DATA}}. 1597 * 1598 * <p>To implement any other policy (e.g. wiping data for a particular 1599 * application only, erasing or revoking credentials, or reporting the 1600 * failure to a server), you should implement 1601 * {@link DeviceAdminReceiver#onPasswordFailed(Context, android.content.Intent)} 1602 * instead. Do not use this API, because if the maximum count is reached, 1603 * the device will be wiped immediately, and your callback will not be invoked. 1604 * 1605 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1606 * @param num The number of failed password attempts at which point the 1607 * device will wipe its data. 1608 */ 1609 public void setMaximumFailedPasswordsForWipe(ComponentName admin, int num) { 1610 if (mService != null) { 1611 try { 1612 mService.setMaximumFailedPasswordsForWipe(admin, num); 1613 } catch (RemoteException e) { 1614 Log.w(TAG, "Failed talking with device policy service", e); 1615 } 1616 } 1617 } 1618 1619 /** 1620 * Retrieve the current maximum number of login attempts that are allowed 1621 * before the device wipes itself, for all admins of this user and its profiles 1622 * or a particular one. 1623 * @param admin The name of the admin component to check, or null to aggregate 1624 * all admins. 1625 */ 1626 public int getMaximumFailedPasswordsForWipe(ComponentName admin) { 1627 return getMaximumFailedPasswordsForWipe(admin, UserHandle.myUserId()); 1628 } 1629 1630 /** @hide per-user version */ 1631 public int getMaximumFailedPasswordsForWipe(ComponentName admin, int userHandle) { 1632 if (mService != null) { 1633 try { 1634 return mService.getMaximumFailedPasswordsForWipe(admin, userHandle); 1635 } catch (RemoteException e) { 1636 Log.w(TAG, "Failed talking with device policy service", e); 1637 } 1638 } 1639 return 0; 1640 } 1641 1642 /** 1643 * Returns the profile with the smallest maximum failed passwords for wipe, 1644 * for the given user. So for primary user, it might return the primary or 1645 * a managed profile. For a secondary user, it would be the same as the 1646 * user passed in. 1647 * @hide Used only by Keyguard 1648 */ 1649 public int getProfileWithMinimumFailedPasswordsForWipe(int userHandle) { 1650 if (mService != null) { 1651 try { 1652 return mService.getProfileWithMinimumFailedPasswordsForWipe(userHandle); 1653 } catch (RemoteException e) { 1654 Log.w(TAG, "Failed talking with device policy service", e); 1655 } 1656 } 1657 return UserHandle.USER_NULL; 1658 } 1659 1660 /** 1661 * Flag for {@link #resetPassword}: don't allow other admins to change 1662 * the password again until the user has entered it. 1663 */ 1664 public static final int RESET_PASSWORD_REQUIRE_ENTRY = 0x0001; 1665 1666 /** 1667 * Force a new device unlock password (the password needed to access the 1668 * entire device, not for individual accounts) on the user. This takes 1669 * effect immediately. 1670 * The given password must be sufficient for the 1671 * current password quality and length constraints as returned by 1672 * {@link #getPasswordQuality(ComponentName)} and 1673 * {@link #getPasswordMinimumLength(ComponentName)}; if it does not meet 1674 * these constraints, then it will be rejected and false returned. Note 1675 * that the password may be a stronger quality (containing alphanumeric 1676 * characters when the requested quality is only numeric), in which case 1677 * the currently active quality will be increased to match. 1678 * 1679 * <p>Calling with a null or empty password will clear any existing PIN, 1680 * pattern or password if the current password constraints allow it. 1681 * 1682 * <p>The calling device admin must have requested 1683 * {@link DeviceAdminInfo#USES_POLICY_RESET_PASSWORD} to be able to call 1684 * this method; if it has not, a security exception will be thrown. 1685 * 1686 * <p>Calling this from a managed profile will throw a security exception. 1687 * 1688 * @param password The new password for the user. Null or empty clears the password. 1689 * @param flags May be 0 or {@link #RESET_PASSWORD_REQUIRE_ENTRY}. 1690 * @return Returns true if the password was applied, or false if it is 1691 * not acceptable for the current constraints. 1692 */ 1693 public boolean resetPassword(String password, int flags) { 1694 if (mService != null) { 1695 try { 1696 return mService.resetPassword(password, flags); 1697 } catch (RemoteException e) { 1698 Log.w(TAG, "Failed talking with device policy service", e); 1699 } 1700 } 1701 return false; 1702 } 1703 1704 /** 1705 * Called by an application that is administering the device to set the 1706 * maximum time for user activity until the device will lock. This limits 1707 * the length that the user can set. It takes effect immediately. 1708 * 1709 * <p>The calling device admin must have requested 1710 * {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK} to be able to call 1711 * this method; if it has not, a security exception will be thrown. 1712 * 1713 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1714 * @param timeMs The new desired maximum time to lock in milliseconds. 1715 * A value of 0 means there is no restriction. 1716 */ 1717 public void setMaximumTimeToLock(ComponentName admin, long timeMs) { 1718 if (mService != null) { 1719 try { 1720 mService.setMaximumTimeToLock(admin, timeMs); 1721 } catch (RemoteException e) { 1722 Log.w(TAG, "Failed talking with device policy service", e); 1723 } 1724 } 1725 } 1726 1727 /** 1728 * Retrieve the current maximum time to unlock for all admins of this user 1729 * and its profiles or a particular one. 1730 * @param admin The name of the admin component to check, or null to aggregate 1731 * all admins. 1732 * @return time in milliseconds for the given admin or the minimum value (strictest) of 1733 * all admins if admin is null. Returns 0 if there are no restrictions. 1734 */ 1735 public long getMaximumTimeToLock(ComponentName admin) { 1736 return getMaximumTimeToLock(admin, UserHandle.myUserId()); 1737 } 1738 1739 /** @hide per-user version */ 1740 public long getMaximumTimeToLock(ComponentName admin, int userHandle) { 1741 if (mService != null) { 1742 try { 1743 return mService.getMaximumTimeToLock(admin, userHandle); 1744 } catch (RemoteException e) { 1745 Log.w(TAG, "Failed talking with device policy service", e); 1746 } 1747 } 1748 return 0; 1749 } 1750 1751 /** 1752 * Make the device lock immediately, as if the lock screen timeout has 1753 * expired at the point of this call. 1754 * 1755 * <p>The calling device admin must have requested 1756 * {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK} to be able to call 1757 * this method; if it has not, a security exception will be thrown. 1758 */ 1759 public void lockNow() { 1760 if (mService != null) { 1761 try { 1762 mService.lockNow(); 1763 } catch (RemoteException e) { 1764 Log.w(TAG, "Failed talking with device policy service", e); 1765 } 1766 } 1767 } 1768 1769 /** 1770 * Flag for {@link #wipeData(int)}: also erase the device's external 1771 * storage (such as SD cards). 1772 */ 1773 public static final int WIPE_EXTERNAL_STORAGE = 0x0001; 1774 1775 /** 1776 * Flag for {@link #wipeData(int)}: also erase the factory reset protection 1777 * data. 1778 * 1779 * <p>This flag may only be set by device owner admins; if it is set by 1780 * other admins a {@link SecurityException} will be thrown. 1781 */ 1782 public static final int WIPE_RESET_PROTECTION_DATA = 0x0002; 1783 1784 /** 1785 * Ask the user data be wiped. Wiping the primary user will cause the 1786 * device to reboot, erasing all user data while next booting up. 1787 * 1788 * <p>The calling device admin must have requested 1789 * {@link DeviceAdminInfo#USES_POLICY_WIPE_DATA} to be able to call 1790 * this method; if it has not, a security exception will be thrown. 1791 * 1792 * @param flags Bit mask of additional options: currently supported flags 1793 * are {@link #WIPE_EXTERNAL_STORAGE} and 1794 * {@link #WIPE_RESET_PROTECTION_DATA}. 1795 */ 1796 public void wipeData(int flags) { 1797 if (mService != null) { 1798 try { 1799 mService.wipeData(flags, UserHandle.myUserId()); 1800 } catch (RemoteException e) { 1801 Log.w(TAG, "Failed talking with device policy service", e); 1802 } 1803 } 1804 } 1805 1806 /** 1807 * Called by an application that is administering the device to set the 1808 * global proxy and exclusion list. 1809 * <p> 1810 * The calling device admin must have requested 1811 * {@link DeviceAdminInfo#USES_POLICY_SETS_GLOBAL_PROXY} to be able to call 1812 * this method; if it has not, a security exception will be thrown. 1813 * Only the first device admin can set the proxy. If a second admin attempts 1814 * to set the proxy, the {@link ComponentName} of the admin originally setting the 1815 * proxy will be returned. If successful in setting the proxy, null will 1816 * be returned. 1817 * The method can be called repeatedly by the device admin alrady setting the 1818 * proxy to update the proxy and exclusion list. 1819 * 1820 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1821 * with. 1822 * @param proxySpec the global proxy desired. Must be an HTTP Proxy. 1823 * Pass Proxy.NO_PROXY to reset the proxy. 1824 * @param exclusionList a list of domains to be excluded from the global proxy. 1825 * @return returns null if the proxy was successfully set, or a {@link ComponentName} 1826 * of the device admin that sets thew proxy otherwise. 1827 * @hide 1828 */ 1829 public ComponentName setGlobalProxy(ComponentName admin, Proxy proxySpec, 1830 List<String> exclusionList ) { 1831 if (proxySpec == null) { 1832 throw new NullPointerException(); 1833 } 1834 if (mService != null) { 1835 try { 1836 String hostSpec; 1837 String exclSpec; 1838 if (proxySpec.equals(Proxy.NO_PROXY)) { 1839 hostSpec = null; 1840 exclSpec = null; 1841 } else { 1842 if (!proxySpec.type().equals(Proxy.Type.HTTP)) { 1843 throw new IllegalArgumentException(); 1844 } 1845 InetSocketAddress sa = (InetSocketAddress)proxySpec.address(); 1846 String hostName = sa.getHostName(); 1847 int port = sa.getPort(); 1848 StringBuilder hostBuilder = new StringBuilder(); 1849 hostSpec = hostBuilder.append(hostName) 1850 .append(":").append(Integer.toString(port)).toString(); 1851 if (exclusionList == null) { 1852 exclSpec = ""; 1853 } else { 1854 StringBuilder listBuilder = new StringBuilder(); 1855 boolean firstDomain = true; 1856 for (String exclDomain : exclusionList) { 1857 if (!firstDomain) { 1858 listBuilder = listBuilder.append(","); 1859 } else { 1860 firstDomain = false; 1861 } 1862 listBuilder = listBuilder.append(exclDomain.trim()); 1863 } 1864 exclSpec = listBuilder.toString(); 1865 } 1866 if (android.net.Proxy.validate(hostName, Integer.toString(port), exclSpec) 1867 != android.net.Proxy.PROXY_VALID) 1868 throw new IllegalArgumentException(); 1869 } 1870 return mService.setGlobalProxy(admin, hostSpec, exclSpec); 1871 } catch (RemoteException e) { 1872 Log.w(TAG, "Failed talking with device policy service", e); 1873 } 1874 } 1875 return null; 1876 } 1877 1878 /** 1879 * Set a network-independent global HTTP proxy. This is not normally what you want 1880 * for typical HTTP proxies - they are generally network dependent. However if you're 1881 * doing something unusual like general internal filtering this may be useful. On 1882 * a private network where the proxy is not accessible, you may break HTTP using this. 1883 * 1884 * <p>This method requires the caller to be the device owner. 1885 * 1886 * <p>This proxy is only a recommendation and it is possible that some apps will ignore it. 1887 * @see ProxyInfo 1888 * 1889 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1890 * with. 1891 * @param proxyInfo The a {@link ProxyInfo} object defining the new global 1892 * HTTP proxy. A {@code null} value will clear the global HTTP proxy. 1893 */ 1894 public void setRecommendedGlobalProxy(ComponentName admin, ProxyInfo proxyInfo) { 1895 if (mService != null) { 1896 try { 1897 mService.setRecommendedGlobalProxy(admin, proxyInfo); 1898 } catch (RemoteException e) { 1899 Log.w(TAG, "Failed talking with device policy service", e); 1900 } 1901 } 1902 } 1903 1904 /** 1905 * Returns the component name setting the global proxy. 1906 * @return ComponentName object of the device admin that set the global proxy, or 1907 * null if no admin has set the proxy. 1908 * @hide 1909 */ 1910 public ComponentName getGlobalProxyAdmin() { 1911 if (mService != null) { 1912 try { 1913 return mService.getGlobalProxyAdmin(UserHandle.myUserId()); 1914 } catch (RemoteException e) { 1915 Log.w(TAG, "Failed talking with device policy service", e); 1916 } 1917 } 1918 return null; 1919 } 1920 1921 /** 1922 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1923 * indicating that encryption is not supported. 1924 */ 1925 public static final int ENCRYPTION_STATUS_UNSUPPORTED = 0; 1926 1927 /** 1928 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1929 * indicating that encryption is supported, but is not currently active. 1930 */ 1931 public static final int ENCRYPTION_STATUS_INACTIVE = 1; 1932 1933 /** 1934 * Result code for {@link #getStorageEncryptionStatus}: 1935 * indicating that encryption is not currently active, but is currently 1936 * being activated. This is only reported by devices that support 1937 * encryption of data and only when the storage is currently 1938 * undergoing a process of becoming encrypted. A device that must reboot and/or wipe data 1939 * to become encrypted will never return this value. 1940 */ 1941 public static final int ENCRYPTION_STATUS_ACTIVATING = 2; 1942 1943 /** 1944 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1945 * indicating that encryption is active. 1946 */ 1947 public static final int ENCRYPTION_STATUS_ACTIVE = 3; 1948 1949 /** 1950 * Result code for {@link #getStorageEncryptionStatus}: 1951 * indicating that encryption is active, but an encryption key has not 1952 * been set by the user. 1953 */ 1954 public static final int ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY = 4; 1955 1956 /** 1957 * Activity action: begin the process of encrypting data on the device. This activity should 1958 * be launched after using {@link #setStorageEncryption} to request encryption be activated. 1959 * After resuming from this activity, use {@link #getStorageEncryption} 1960 * to check encryption status. However, on some devices this activity may never return, as 1961 * it may trigger a reboot and in some cases a complete data wipe of the device. 1962 */ 1963 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 1964 public static final String ACTION_START_ENCRYPTION 1965 = "android.app.action.START_ENCRYPTION"; 1966 1967 /** 1968 * Widgets are enabled in keyguard 1969 */ 1970 public static final int KEYGUARD_DISABLE_FEATURES_NONE = 0; 1971 1972 /** 1973 * Disable all keyguard widgets. Has no effect. 1974 */ 1975 public static final int KEYGUARD_DISABLE_WIDGETS_ALL = 1 << 0; 1976 1977 /** 1978 * Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password) 1979 */ 1980 public static final int KEYGUARD_DISABLE_SECURE_CAMERA = 1 << 1; 1981 1982 /** 1983 * Disable showing all notifications on secure keyguard screens (e.g. PIN/Pattern/Password) 1984 */ 1985 public static final int KEYGUARD_DISABLE_SECURE_NOTIFICATIONS = 1 << 2; 1986 1987 /** 1988 * Only allow redacted notifications on secure keyguard screens (e.g. PIN/Pattern/Password) 1989 */ 1990 public static final int KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS = 1 << 3; 1991 1992 /** 1993 * Ignore trust agent state on secure keyguard screens 1994 * (e.g. PIN/Pattern/Password). 1995 */ 1996 public static final int KEYGUARD_DISABLE_TRUST_AGENTS = 1 << 4; 1997 1998 /** 1999 * Disable fingerprint sensor on keyguard secure screens (e.g. PIN/Pattern/Password). 2000 */ 2001 public static final int KEYGUARD_DISABLE_FINGERPRINT = 1 << 5; 2002 2003 /** 2004 * Disable all current and future keyguard customizations. 2005 */ 2006 public static final int KEYGUARD_DISABLE_FEATURES_ALL = 0x7fffffff; 2007 2008 /** 2009 * Called by an application that is administering the device to 2010 * request that the storage system be encrypted. 2011 * 2012 * <p>When multiple device administrators attempt to control device 2013 * encryption, the most secure, supported setting will always be 2014 * used. If any device administrator requests device encryption, 2015 * it will be enabled; Conversely, if a device administrator 2016 * attempts to disable device encryption while another 2017 * device administrator has enabled it, the call to disable will 2018 * fail (most commonly returning {@link #ENCRYPTION_STATUS_ACTIVE}). 2019 * 2020 * <p>This policy controls encryption of the secure (application data) storage area. Data 2021 * written to other storage areas may or may not be encrypted, and this policy does not require 2022 * or control the encryption of any other storage areas. 2023 * There is one exception: If {@link android.os.Environment#isExternalStorageEmulated()} is 2024 * {@code true}, then the directory returned by 2025 * {@link android.os.Environment#getExternalStorageDirectory()} must be written to disk 2026 * within the encrypted storage area. 2027 * 2028 * <p>Important Note: On some devices, it is possible to encrypt storage without requiring 2029 * the user to create a device PIN or Password. In this case, the storage is encrypted, but 2030 * the encryption key may not be fully secured. For maximum security, the administrator should 2031 * also require (and check for) a pattern, PIN, or password. 2032 * 2033 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2034 * @param encrypt true to request encryption, false to release any previous request 2035 * @return the new request status (for all active admins) - will be one of 2036 * {@link #ENCRYPTION_STATUS_UNSUPPORTED}, {@link #ENCRYPTION_STATUS_INACTIVE}, or 2037 * {@link #ENCRYPTION_STATUS_ACTIVE}. This is the value of the requests; Use 2038 * {@link #getStorageEncryptionStatus()} to query the actual device state. 2039 */ 2040 public int setStorageEncryption(ComponentName admin, boolean encrypt) { 2041 if (mService != null) { 2042 try { 2043 return mService.setStorageEncryption(admin, encrypt); 2044 } catch (RemoteException e) { 2045 Log.w(TAG, "Failed talking with device policy service", e); 2046 } 2047 } 2048 return ENCRYPTION_STATUS_UNSUPPORTED; 2049 } 2050 2051 /** 2052 * Called by an application that is administering the device to 2053 * determine the requested setting for secure storage. 2054 * 2055 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. If null, 2056 * this will return the requested encryption setting as an aggregate of all active 2057 * administrators. 2058 * @return true if the admin(s) are requesting encryption, false if not. 2059 */ 2060 public boolean getStorageEncryption(ComponentName admin) { 2061 if (mService != null) { 2062 try { 2063 return mService.getStorageEncryption(admin, UserHandle.myUserId()); 2064 } catch (RemoteException e) { 2065 Log.w(TAG, "Failed talking with device policy service", e); 2066 } 2067 } 2068 return false; 2069 } 2070 2071 /** 2072 * Called by an application that is administering the device to 2073 * determine the current encryption status of the device. 2074 * 2075 * Depending on the returned status code, the caller may proceed in different 2076 * ways. If the result is {@link #ENCRYPTION_STATUS_UNSUPPORTED}, the 2077 * storage system does not support encryption. If the 2078 * result is {@link #ENCRYPTION_STATUS_INACTIVE}, use {@link 2079 * #ACTION_START_ENCRYPTION} to begin the process of encrypting or decrypting the 2080 * storage. If the result is {@link #ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY}, the 2081 * storage system has enabled encryption but no password is set so further action 2082 * may be required. If the result is {@link #ENCRYPTION_STATUS_ACTIVATING} or 2083 * {@link #ENCRYPTION_STATUS_ACTIVE}, no further action is required. 2084 * 2085 * @return current status of encryption. The value will be one of 2086 * {@link #ENCRYPTION_STATUS_UNSUPPORTED}, {@link #ENCRYPTION_STATUS_INACTIVE}, 2087 * {@link #ENCRYPTION_STATUS_ACTIVATING}, {@link #ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY}, 2088 * or {@link #ENCRYPTION_STATUS_ACTIVE}. 2089 */ 2090 public int getStorageEncryptionStatus() { 2091 return getStorageEncryptionStatus(UserHandle.myUserId()); 2092 } 2093 2094 /** @hide per-user version */ 2095 public int getStorageEncryptionStatus(int userHandle) { 2096 if (mService != null) { 2097 try { 2098 return mService.getStorageEncryptionStatus(userHandle); 2099 } catch (RemoteException e) { 2100 Log.w(TAG, "Failed talking with device policy service", e); 2101 } 2102 } 2103 return ENCRYPTION_STATUS_UNSUPPORTED; 2104 } 2105 2106 /** 2107 * Installs the given certificate as a user CA. 2108 * 2109 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. Use 2110 * <code>null</code> if calling from a delegated certificate installer. 2111 * @param certBuffer encoded form of the certificate to install. 2112 * 2113 * @return false if the certBuffer cannot be parsed or installation is 2114 * interrupted, true otherwise. 2115 */ 2116 public boolean installCaCert(ComponentName admin, byte[] certBuffer) { 2117 if (mService != null) { 2118 try { 2119 return mService.installCaCert(admin, certBuffer); 2120 } catch (RemoteException e) { 2121 Log.w(TAG, "Failed talking with device policy service", e); 2122 } 2123 } 2124 return false; 2125 } 2126 2127 /** 2128 * Uninstalls the given certificate from trusted user CAs, if present. 2129 * 2130 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. Use 2131 * <code>null</code> if calling from a delegated certificate installer. 2132 * @param certBuffer encoded form of the certificate to remove. 2133 */ 2134 public void uninstallCaCert(ComponentName admin, byte[] certBuffer) { 2135 if (mService != null) { 2136 try { 2137 final String alias = getCaCertAlias(certBuffer); 2138 mService.uninstallCaCert(admin, alias); 2139 } catch (CertificateException e) { 2140 Log.w(TAG, "Unable to parse certificate", e); 2141 } catch (RemoteException e) { 2142 Log.w(TAG, "Failed talking with device policy service", e); 2143 } 2144 } 2145 } 2146 2147 /** 2148 * Returns all CA certificates that are currently trusted, excluding system CA certificates. 2149 * If a user has installed any certificates by other means than device policy these will be 2150 * included too. 2151 * 2152 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. Use 2153 * <code>null</code> if calling from a delegated certificate installer. 2154 * @return a List of byte[] arrays, each encoding one user CA certificate. 2155 */ 2156 public List<byte[]> getInstalledCaCerts(ComponentName admin) { 2157 List<byte[]> certs = new ArrayList<byte[]>(); 2158 if (mService != null) { 2159 try { 2160 mService.enforceCanManageCaCerts(admin); 2161 final TrustedCertificateStore certStore = new TrustedCertificateStore(); 2162 for (String alias : certStore.userAliases()) { 2163 try { 2164 certs.add(certStore.getCertificate(alias).getEncoded()); 2165 } catch (CertificateException ce) { 2166 Log.w(TAG, "Could not encode certificate: " + alias, ce); 2167 } 2168 } 2169 } catch (RemoteException re) { 2170 Log.w(TAG, "Failed talking with device policy service", re); 2171 } 2172 } 2173 return certs; 2174 } 2175 2176 /** 2177 * Uninstalls all custom trusted CA certificates from the profile. Certificates installed by 2178 * means other than device policy will also be removed, except for system CA certificates. 2179 * 2180 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. Use 2181 * <code>null</code> if calling from a delegated certificate installer. 2182 */ 2183 public void uninstallAllUserCaCerts(ComponentName admin) { 2184 if (mService != null) { 2185 for (String alias : new TrustedCertificateStore().userAliases()) { 2186 try { 2187 mService.uninstallCaCert(admin, alias); 2188 } catch (RemoteException re) { 2189 Log.w(TAG, "Failed talking with device policy service", re); 2190 } 2191 } 2192 } 2193 } 2194 2195 /** 2196 * Returns whether this certificate is installed as a trusted CA. 2197 * 2198 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. Use 2199 * <code>null</code> if calling from a delegated certificate installer. 2200 * @param certBuffer encoded form of the certificate to look up. 2201 */ 2202 public boolean hasCaCertInstalled(ComponentName admin, byte[] certBuffer) { 2203 if (mService != null) { 2204 try { 2205 mService.enforceCanManageCaCerts(admin); 2206 return getCaCertAlias(certBuffer) != null; 2207 } catch (RemoteException re) { 2208 Log.w(TAG, "Failed talking with device policy service", re); 2209 } catch (CertificateException ce) { 2210 Log.w(TAG, "Could not parse certificate", ce); 2211 } 2212 } 2213 return false; 2214 } 2215 2216 /** 2217 * Called by a device or profile owner to install a certificate and private key pair. The 2218 * keypair will be visible to all apps within the profile. 2219 * 2220 * @param who Which {@link DeviceAdminReceiver} this request is associated with. Use 2221 * <code>null</code> if calling from a delegated certificate installer. 2222 * @param privKey The private key to install. 2223 * @param cert The certificate to install. 2224 * @param alias The private key alias under which to install the certificate. If a certificate 2225 * with that alias already exists, it will be overwritten. 2226 * @return {@code true} if the keys were installed, {@code false} otherwise. 2227 */ 2228 public boolean installKeyPair(ComponentName who, PrivateKey privKey, Certificate cert, 2229 String alias) { 2230 try { 2231 final byte[] pemCert = Credentials.convertToPem(cert); 2232 final byte[] pkcs8Key = KeyFactory.getInstance(privKey.getAlgorithm()) 2233 .getKeySpec(privKey, PKCS8EncodedKeySpec.class).getEncoded(); 2234 return mService.installKeyPair(who, pkcs8Key, pemCert, alias); 2235 } catch (RemoteException e) { 2236 Log.w(TAG, "Failed talking with device policy service", e); 2237 } catch (NoSuchAlgorithmException | InvalidKeySpecException e) { 2238 Log.w(TAG, "Failed to obtain private key material", e); 2239 } catch (CertificateException | IOException e) { 2240 Log.w(TAG, "Could not pem-encode certificate", e); 2241 } 2242 return false; 2243 } 2244 2245 /** 2246 * Returns the alias of a given CA certificate in the certificate store, or null if it 2247 * doesn't exist. 2248 */ 2249 private static String getCaCertAlias(byte[] certBuffer) throws CertificateException { 2250 final CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); 2251 final X509Certificate cert = (X509Certificate) certFactory.generateCertificate( 2252 new ByteArrayInputStream(certBuffer)); 2253 return new TrustedCertificateStore().getCertificateAlias(cert); 2254 } 2255 2256 /** 2257 * Called by a profile owner or device owner to grant access to privileged certificate 2258 * manipulation APIs to a third-party certificate installer app. Granted APIs include 2259 * {@link #getInstalledCaCerts}, {@link #hasCaCertInstalled}, {@link #installCaCert}, 2260 * {@link #uninstallCaCert}, {@link #uninstallAllUserCaCerts} and {@link #installKeyPair}. 2261 * <p> 2262 * Delegated certificate installer is a per-user state. The delegated access is persistent until 2263 * it is later cleared by calling this method with a null value or uninstallling the certificate 2264 * installer. 2265 * 2266 * @param who Which {@link DeviceAdminReceiver} this request is associated with. 2267 * @param installerPackage The package name of the certificate installer which will be given 2268 * access. If <code>null</code> is given the current package will be cleared. 2269 */ 2270 public void setCertInstallerPackage(ComponentName who, String installerPackage) 2271 throws SecurityException { 2272 if (mService != null) { 2273 try { 2274 mService.setCertInstallerPackage(who, installerPackage); 2275 } catch (RemoteException e) { 2276 Log.w(TAG, "Failed talking with device policy service", e); 2277 } 2278 } 2279 } 2280 2281 /** 2282 * Called by a profile owner or device owner to retrieve the certificate installer for the 2283 * current user. null if none is set. 2284 * 2285 * @param who Which {@link DeviceAdminReceiver} this request is associated with. 2286 * @return The package name of the current delegated certificate installer. <code>null</code> 2287 * if none is set. 2288 */ 2289 public String getCertInstallerPackage(ComponentName who) throws SecurityException { 2290 if (mService != null) { 2291 try { 2292 return mService.getCertInstallerPackage(who); 2293 } catch (RemoteException e) { 2294 Log.w(TAG, "Failed talking with device policy service", e); 2295 } 2296 } 2297 return null; 2298 } 2299 2300 /** 2301 * Called by an application that is administering the device to disable all cameras 2302 * on the device, for this user. After setting this, no applications running as this user 2303 * will be able to access any cameras on the device. 2304 * 2305 * <p>The calling device admin must have requested 2306 * {@link DeviceAdminInfo#USES_POLICY_DISABLE_CAMERA} to be able to call 2307 * this method; if it has not, a security exception will be thrown. 2308 * 2309 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2310 * @param disabled Whether or not the camera should be disabled. 2311 */ 2312 public void setCameraDisabled(ComponentName admin, boolean disabled) { 2313 if (mService != null) { 2314 try { 2315 mService.setCameraDisabled(admin, disabled); 2316 } catch (RemoteException e) { 2317 Log.w(TAG, "Failed talking with device policy service", e); 2318 } 2319 } 2320 } 2321 2322 /** 2323 * Determine whether or not the device's cameras have been disabled for this user, 2324 * either by the current admin, if specified, or all admins. 2325 * @param admin The name of the admin component to check, or null to check if any admins 2326 * have disabled the camera 2327 */ 2328 public boolean getCameraDisabled(ComponentName admin) { 2329 return getCameraDisabled(admin, UserHandle.myUserId()); 2330 } 2331 2332 /** @hide per-user version */ 2333 public boolean getCameraDisabled(ComponentName admin, int userHandle) { 2334 if (mService != null) { 2335 try { 2336 return mService.getCameraDisabled(admin, userHandle); 2337 } catch (RemoteException e) { 2338 Log.w(TAG, "Failed talking with device policy service", e); 2339 } 2340 } 2341 return false; 2342 } 2343 2344 /** 2345 * Called by a device/profile owner to set whether the screen capture is disabled. Disabling 2346 * screen capture also prevents the content from being shown on display devices that do not have 2347 * a secure video output. See {@link android.view.Display#FLAG_SECURE} for more details about 2348 * secure surfaces and secure displays. 2349 * 2350 * <p>The calling device admin must be a device or profile owner. If it is not, a 2351 * security exception will be thrown. 2352 * 2353 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2354 * @param disabled Whether screen capture is disabled or not. 2355 */ 2356 public void setScreenCaptureDisabled(ComponentName admin, boolean disabled) { 2357 if (mService != null) { 2358 try { 2359 mService.setScreenCaptureDisabled(admin, disabled); 2360 } catch (RemoteException e) { 2361 Log.w(TAG, "Failed talking with device policy service", e); 2362 } 2363 } 2364 } 2365 2366 /** 2367 * Determine whether or not screen capture has been disabled by the current 2368 * admin, if specified, or all admins. 2369 * @param admin The name of the admin component to check, or null to check if any admins 2370 * have disabled screen capture. 2371 */ 2372 public boolean getScreenCaptureDisabled(ComponentName admin) { 2373 return getScreenCaptureDisabled(admin, UserHandle.myUserId()); 2374 } 2375 2376 /** @hide per-user version */ 2377 public boolean getScreenCaptureDisabled(ComponentName admin, int userHandle) { 2378 if (mService != null) { 2379 try { 2380 return mService.getScreenCaptureDisabled(admin, userHandle); 2381 } catch (RemoteException e) { 2382 Log.w(TAG, "Failed talking with device policy service", e); 2383 } 2384 } 2385 return false; 2386 } 2387 2388 /** 2389 * Called by a device owner to set whether auto time is required. If auto time is 2390 * required the user cannot set the date and time, but has to use network date and time. 2391 * 2392 * <p>Note: if auto time is required the user can still manually set the time zone. 2393 * 2394 * <p>The calling device admin must be a device owner. If it is not, a security exception will 2395 * be thrown. 2396 * 2397 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2398 * @param required Whether auto time is set required or not. 2399 */ 2400 public void setAutoTimeRequired(ComponentName admin, boolean required) { 2401 if (mService != null) { 2402 try { 2403 mService.setAutoTimeRequired(admin, required); 2404 } catch (RemoteException e) { 2405 Log.w(TAG, "Failed talking with device policy service", e); 2406 } 2407 } 2408 } 2409 2410 /** 2411 * @return true if auto time is required. 2412 */ 2413 public boolean getAutoTimeRequired() { 2414 if (mService != null) { 2415 try { 2416 return mService.getAutoTimeRequired(); 2417 } catch (RemoteException e) { 2418 Log.w(TAG, "Failed talking with device policy service", e); 2419 } 2420 } 2421 return false; 2422 } 2423 2424 /** 2425 * Called by an application that is administering the device to disable keyguard customizations, 2426 * such as widgets. After setting this, keyguard features will be disabled according to the 2427 * provided feature list. 2428 * 2429 * <p>The calling device admin must have requested 2430 * {@link DeviceAdminInfo#USES_POLICY_DISABLE_KEYGUARD_FEATURES} to be able to call 2431 * this method; if it has not, a security exception will be thrown. 2432 * 2433 * <p>Calling this from a managed profile will throw a security exception. 2434 * 2435 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2436 * @param which {@link #KEYGUARD_DISABLE_FEATURES_NONE} (default), 2437 * {@link #KEYGUARD_DISABLE_WIDGETS_ALL}, {@link #KEYGUARD_DISABLE_SECURE_CAMERA}, 2438 * {@link #KEYGUARD_DISABLE_SECURE_NOTIFICATIONS}, {@link #KEYGUARD_DISABLE_TRUST_AGENTS}, 2439 * {@link #KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS}, {@link #KEYGUARD_DISABLE_FEATURES_ALL} 2440 */ 2441 public void setKeyguardDisabledFeatures(ComponentName admin, int which) { 2442 if (mService != null) { 2443 try { 2444 mService.setKeyguardDisabledFeatures(admin, which); 2445 } catch (RemoteException e) { 2446 Log.w(TAG, "Failed talking with device policy service", e); 2447 } 2448 } 2449 } 2450 2451 /** 2452 * Determine whether or not features have been disabled in keyguard either by the current 2453 * admin, if specified, or all admins. 2454 * @param admin The name of the admin component to check, or null to check if any admins 2455 * have disabled features in keyguard. 2456 * @return bitfield of flags. See {@link #setKeyguardDisabledFeatures(ComponentName, int)} 2457 * for a list. 2458 */ 2459 public int getKeyguardDisabledFeatures(ComponentName admin) { 2460 return getKeyguardDisabledFeatures(admin, UserHandle.myUserId()); 2461 } 2462 2463 /** @hide per-user version */ 2464 public int getKeyguardDisabledFeatures(ComponentName admin, int userHandle) { 2465 if (mService != null) { 2466 try { 2467 return mService.getKeyguardDisabledFeatures(admin, userHandle); 2468 } catch (RemoteException e) { 2469 Log.w(TAG, "Failed talking with device policy service", e); 2470 } 2471 } 2472 return KEYGUARD_DISABLE_FEATURES_NONE; 2473 } 2474 2475 /** 2476 * @hide 2477 */ 2478 public void setActiveAdmin(ComponentName policyReceiver, boolean refreshing, int userHandle) { 2479 if (mService != null) { 2480 try { 2481 mService.setActiveAdmin(policyReceiver, refreshing, userHandle); 2482 } catch (RemoteException e) { 2483 Log.w(TAG, "Failed talking with device policy service", e); 2484 } 2485 } 2486 } 2487 2488 /** 2489 * @hide 2490 */ 2491 public void setActiveAdmin(ComponentName policyReceiver, boolean refreshing) { 2492 setActiveAdmin(policyReceiver, refreshing, UserHandle.myUserId()); 2493 } 2494 2495 /** 2496 * Returns the DeviceAdminInfo as defined by the administrator's package info & meta-data 2497 * @hide 2498 */ 2499 public DeviceAdminInfo getAdminInfo(ComponentName cn) { 2500 ActivityInfo ai; 2501 try { 2502 ai = mContext.getPackageManager().getReceiverInfo(cn, 2503 PackageManager.GET_META_DATA); 2504 } catch (PackageManager.NameNotFoundException e) { 2505 Log.w(TAG, "Unable to retrieve device policy " + cn, e); 2506 return null; 2507 } 2508 2509 ResolveInfo ri = new ResolveInfo(); 2510 ri.activityInfo = ai; 2511 2512 try { 2513 return new DeviceAdminInfo(mContext, ri); 2514 } catch (XmlPullParserException e) { 2515 Log.w(TAG, "Unable to parse device policy " + cn, e); 2516 return null; 2517 } catch (IOException e) { 2518 Log.w(TAG, "Unable to parse device policy " + cn, e); 2519 return null; 2520 } 2521 } 2522 2523 /** 2524 * @hide 2525 */ 2526 public void getRemoveWarning(ComponentName admin, RemoteCallback result) { 2527 if (mService != null) { 2528 try { 2529 mService.getRemoveWarning(admin, result, UserHandle.myUserId()); 2530 } catch (RemoteException e) { 2531 Log.w(TAG, "Failed talking with device policy service", e); 2532 } 2533 } 2534 } 2535 2536 /** 2537 * @hide 2538 */ 2539 public void setActivePasswordState(int quality, int length, int letters, int uppercase, 2540 int lowercase, int numbers, int symbols, int nonletter, int userHandle) { 2541 if (mService != null) { 2542 try { 2543 mService.setActivePasswordState(quality, length, letters, uppercase, lowercase, 2544 numbers, symbols, nonletter, userHandle); 2545 } catch (RemoteException e) { 2546 Log.w(TAG, "Failed talking with device policy service", e); 2547 } 2548 } 2549 } 2550 2551 /** 2552 * @hide 2553 */ 2554 public void reportFailedPasswordAttempt(int userHandle) { 2555 if (mService != null) { 2556 try { 2557 mService.reportFailedPasswordAttempt(userHandle); 2558 } catch (RemoteException e) { 2559 Log.w(TAG, "Failed talking with device policy service", e); 2560 } 2561 } 2562 } 2563 2564 /** 2565 * @hide 2566 */ 2567 public void reportSuccessfulPasswordAttempt(int userHandle) { 2568 if (mService != null) { 2569 try { 2570 mService.reportSuccessfulPasswordAttempt(userHandle); 2571 } catch (RemoteException e) { 2572 Log.w(TAG, "Failed talking with device policy service", e); 2573 } 2574 } 2575 } 2576 2577 /** 2578 * @hide 2579 * Sets the given package as the device owner. The package must already be installed and there 2580 * shouldn't be an existing device owner registered, for this call to succeed. Also, this 2581 * method must be called before the device is provisioned. 2582 * @param packageName the package name of the application to be registered as the device owner. 2583 * @return whether the package was successfully registered as the device owner. 2584 * @throws IllegalArgumentException if the package name is null or invalid 2585 * @throws IllegalStateException if a device owner is already registered or the device has 2586 * already been provisioned. 2587 */ 2588 public boolean setDeviceOwner(String packageName) throws IllegalArgumentException, 2589 IllegalStateException { 2590 return setDeviceOwner(packageName, null); 2591 } 2592 2593 /** 2594 * @hide 2595 * Sets the given package as the device owner. The package must already be installed and there 2596 * shouldn't be an existing device owner registered, for this call to succeed. Also, this 2597 * method must be called before the device is provisioned. 2598 * @param packageName the package name of the application to be registered as the device owner. 2599 * @param ownerName the human readable name of the institution that owns this device. 2600 * @return whether the package was successfully registered as the device owner. 2601 * @throws IllegalArgumentException if the package name is null or invalid 2602 * @throws IllegalStateException if a device owner is already registered or the device has 2603 * already been provisioned. 2604 */ 2605 public boolean setDeviceOwner(String packageName, String ownerName) 2606 throws IllegalArgumentException, IllegalStateException { 2607 if (mService != null) { 2608 try { 2609 return mService.setDeviceOwner(packageName, ownerName); 2610 } catch (RemoteException re) { 2611 Log.w(TAG, "Failed to set device owner"); 2612 } 2613 } 2614 return false; 2615 } 2616 2617 /** 2618 * Used to determine if a particular package has been registered as a Device Owner app. 2619 * A device owner app is a special device admin that cannot be deactivated by the user, once 2620 * activated as a device admin. It also cannot be uninstalled. To check if a particular 2621 * package is currently registered as the device owner app, pass in the package name from 2622 * {@link Context#getPackageName()} to this method.<p/>This is useful for device 2623 * admin apps that want to check if they are also registered as the device owner app. The 2624 * exact mechanism by which a device admin app is registered as a device owner app is defined by 2625 * the setup process. 2626 * @param packageName the package name of the app, to compare with the registered device owner 2627 * app, if any. 2628 * @return whether or not the package is registered as the device owner app. 2629 */ 2630 public boolean isDeviceOwnerApp(String packageName) { 2631 if (mService != null) { 2632 try { 2633 return mService.isDeviceOwner(packageName); 2634 } catch (RemoteException re) { 2635 Log.w(TAG, "Failed to check device owner"); 2636 } 2637 } 2638 return false; 2639 } 2640 2641 /** 2642 * @hide 2643 * Redirect to isDeviceOwnerApp. 2644 */ 2645 public boolean isDeviceOwner(String packageName) { 2646 return isDeviceOwnerApp(packageName); 2647 } 2648 2649 /** 2650 * Clears the current device owner. The caller must be the device owner. 2651 * 2652 * This function should be used cautiously as once it is called it cannot 2653 * be undone. The device owner can only be set as a part of device setup 2654 * before setup completes. 2655 * 2656 * @param packageName The package name of the device owner. 2657 */ 2658 public void clearDeviceOwnerApp(String packageName) { 2659 if (mService != null) { 2660 try { 2661 mService.clearDeviceOwner(packageName); 2662 } catch (RemoteException re) { 2663 Log.w(TAG, "Failed to clear device owner"); 2664 } 2665 } 2666 } 2667 2668 /** @hide */ 2669 @SystemApi 2670 public String getDeviceOwner() { 2671 if (mService != null) { 2672 try { 2673 return mService.getDeviceOwner(); 2674 } catch (RemoteException re) { 2675 Log.w(TAG, "Failed to get device owner"); 2676 } 2677 } 2678 return null; 2679 } 2680 2681 /** @hide */ 2682 public String getDeviceOwnerName() { 2683 if (mService != null) { 2684 try { 2685 return mService.getDeviceOwnerName(); 2686 } catch (RemoteException re) { 2687 Log.w(TAG, "Failed to get device owner"); 2688 } 2689 } 2690 return null; 2691 } 2692 2693 /** 2694 * Sets the given component as the device initializer. The package must already be installed and 2695 * set as an active device administrator, and there must not be an existing device initializer, 2696 * for this call to succeed. This method can only be called by an app holding the 2697 * MANAGE_DEVICE_ADMINS permission before the device is provisioned or by a device owner app. A 2698 * device initializer app is granted device owner privileges during device initialization and 2699 * profile owner privileges during secondary user initialization. 2700 * @param who Which {@link DeviceAdminReceiver} this request is associated with, or null if not 2701 * called by the device owner. 2702 * @param initializer Which {@link DeviceAdminReceiver} to make device initializer. 2703 * @param initializerName The user-visible name of the device initializer. 2704 * @return whether the component was successfully registered as the device initializer. 2705 * @throws IllegalArgumentException if the componentname is null or invalid 2706 * @throws IllegalStateException if the caller is not device owner or the device has 2707 * already been provisioned or a device initializer already exists. 2708 */ 2709 public boolean setDeviceInitializer(ComponentName who, ComponentName initializer, 2710 String initializerName) throws IllegalArgumentException, IllegalStateException { 2711 if (mService != null) { 2712 try { 2713 return mService.setDeviceInitializer(who, initializer, initializerName); 2714 } catch (RemoteException re) { 2715 Log.w(TAG, "Failed to set device initializer"); 2716 } 2717 } 2718 return false; 2719 } 2720 2721 /** 2722 * Used to determine if a particular package has been registered as the device initializer. 2723 * 2724 * @param packageName the package name of the app, to compare with the registered device 2725 * initializer app, if any. 2726 * @return whether or not the caller is registered as the device initializer app. 2727 */ 2728 public boolean isDeviceInitializerApp(String packageName) { 2729 if (mService != null) { 2730 try { 2731 return mService.isDeviceInitializer(packageName); 2732 } catch (RemoteException re) { 2733 Log.w(TAG, "Failed to check device initializer"); 2734 } 2735 } 2736 return false; 2737 } 2738 2739 /** 2740 * Removes the device initializer, so that it will not be invoked on user initialization for any 2741 * subsequently created users. This method can be called by either the device owner or device 2742 * initializer itself. The caller must be an active administrator. 2743 * 2744 * @param who Which {@link DeviceAdminReceiver} this request is associated with. 2745 */ 2746 public void clearDeviceInitializerApp(ComponentName who) { 2747 if (mService != null) { 2748 try { 2749 mService.clearDeviceInitializer(who); 2750 } catch (RemoteException re) { 2751 Log.w(TAG, "Failed to clear device initializer"); 2752 } 2753 } 2754 } 2755 2756 /** 2757 * @hide 2758 * Gets the device initializer of the system. 2759 * 2760 * @return the package name of the device initializer. 2761 */ 2762 @SystemApi 2763 public String getDeviceInitializerApp() { 2764 if (mService != null) { 2765 try { 2766 return mService.getDeviceInitializer(); 2767 } catch (RemoteException re) { 2768 Log.w(TAG, "Failed to get device initializer"); 2769 } 2770 } 2771 return null; 2772 } 2773 2774 /** 2775 * @hide 2776 * Gets the device initializer component of the system. 2777 * 2778 * @return the component name of the device initializer. 2779 */ 2780 @SystemApi 2781 public ComponentName getDeviceInitializerComponent() { 2782 if (mService != null) { 2783 try { 2784 return mService.getDeviceInitializerComponent(); 2785 } catch (RemoteException re) { 2786 Log.w(TAG, "Failed to get device initializer"); 2787 } 2788 } 2789 return null; 2790 } 2791 2792 2793 /** 2794 * Sets the enabled state of the user. A user should be enabled only once it is ready to 2795 * be used. 2796 * 2797 * <p>Device initializer must call this method to mark the user as functional. 2798 * Only the device initializer agent can call this. 2799 * 2800 * <p>When the user is enabled, if the device initializer is not also the device owner, the 2801 * device initializer will no longer have elevated permissions to call methods in this class. 2802 * Additionally, it will be removed as an active administrator and its 2803 * {@link DeviceAdminReceiver} will be disabled. 2804 * 2805 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2806 * @return whether the user is now enabled. 2807 */ 2808 public boolean setUserEnabled(ComponentName admin) { 2809 if (mService != null) { 2810 try { 2811 return mService.setUserEnabled(admin); 2812 } catch (RemoteException e) { 2813 Log.w(TAG, "Failed talking with device policy service", e); 2814 } 2815 } 2816 return false; 2817 } 2818 2819 /** 2820 * @hide 2821 * @deprecated Use #ACTION_SET_PROFILE_OWNER 2822 * Sets the given component as an active admin and registers the package as the profile 2823 * owner for this user. The package must already be installed and there shouldn't be 2824 * an existing profile owner registered for this user. Also, this method must be called 2825 * before the user setup has been completed. 2826 * <p> 2827 * This method can only be called by system apps that hold MANAGE_USERS permission and 2828 * MANAGE_DEVICE_ADMINS permission. 2829 * @param admin The component to register as an active admin and profile owner. 2830 * @param ownerName The user-visible name of the entity that is managing this user. 2831 * @return whether the admin was successfully registered as the profile owner. 2832 * @throws IllegalArgumentException if packageName is null, the package isn't installed, or 2833 * the user has already been set up. 2834 */ 2835 @SystemApi 2836 public boolean setActiveProfileOwner(ComponentName admin, String ownerName) 2837 throws IllegalArgumentException { 2838 if (mService != null) { 2839 try { 2840 final int myUserId = UserHandle.myUserId(); 2841 mService.setActiveAdmin(admin, false, myUserId); 2842 return mService.setProfileOwner(admin, ownerName, myUserId); 2843 } catch (RemoteException re) { 2844 Log.w(TAG, "Failed to set profile owner " + re); 2845 throw new IllegalArgumentException("Couldn't set profile owner.", re); 2846 } 2847 } 2848 return false; 2849 } 2850 2851 /** 2852 * @hide 2853 * Clears the active profile owner and removes all user restrictions. The caller must 2854 * be from the same package as the active profile owner for this user, otherwise a 2855 * SecurityException will be thrown. 2856 * 2857 * @param admin The component to remove as the profile owner. 2858 * @return 2859 */ 2860 @SystemApi 2861 public void clearProfileOwner(ComponentName admin) { 2862 if (mService != null) { 2863 try { 2864 mService.clearProfileOwner(admin); 2865 } catch (RemoteException re) { 2866 Log.w(TAG, "Failed to clear profile owner " + admin + re); 2867 } 2868 } 2869 } 2870 2871 /** 2872 * @hide 2873 * Checks if the user was already setup. 2874 */ 2875 public boolean hasUserSetupCompleted() { 2876 if (mService != null) { 2877 try { 2878 return mService.hasUserSetupCompleted(); 2879 } catch (RemoteException re) { 2880 Log.w(TAG, "Failed to check if user setup has completed"); 2881 } 2882 } 2883 return true; 2884 } 2885 2886 /** 2887 * @hide 2888 * Sets the given component as the profile owner of the given user profile. The package must 2889 * already be installed and there shouldn't be an existing profile owner registered for this 2890 * user. Only the system can call this API if the user has already completed setup. 2891 * @param admin the component name to be registered as profile owner. 2892 * @param ownerName the human readable name of the organisation associated with this DPM. 2893 * @param userHandle the userId to set the profile owner for. 2894 * @return whether the component was successfully registered as the profile owner. 2895 * @throws IllegalArgumentException if admin is null, the package isn't installed, or 2896 * the user has already been set up. 2897 */ 2898 public boolean setProfileOwner(ComponentName admin, String ownerName, int userHandle) 2899 throws IllegalArgumentException { 2900 if (admin == null) { 2901 throw new NullPointerException("admin cannot be null"); 2902 } 2903 if (mService != null) { 2904 try { 2905 if (ownerName == null) { 2906 ownerName = ""; 2907 } 2908 return mService.setProfileOwner(admin, ownerName, userHandle); 2909 } catch (RemoteException re) { 2910 Log.w(TAG, "Failed to set profile owner", re); 2911 throw new IllegalArgumentException("Couldn't set profile owner.", re); 2912 } 2913 } 2914 return false; 2915 } 2916 2917 /** 2918 * Sets the enabled state of the profile. A profile should be enabled only once it is ready to 2919 * be used. Only the profile owner can call this. 2920 * 2921 * @see #isProfileOwnerApp 2922 * 2923 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2924 */ 2925 public void setProfileEnabled(ComponentName admin) { 2926 if (mService != null) { 2927 try { 2928 mService.setProfileEnabled(admin); 2929 } catch (RemoteException e) { 2930 Log.w(TAG, "Failed talking with device policy service", e); 2931 } 2932 } 2933 } 2934 2935 /** 2936 * Sets the name of the profile. In the device owner case it sets the name of the user 2937 * which it is called from. Only a profile owner or device owner can call this. If this is 2938 * never called by the profile or device owner, the name will be set to default values. 2939 * 2940 * @see #isProfileOwnerApp 2941 * @see #isDeviceOwnerApp 2942 * 2943 * @param profileName The name of the profile. 2944 */ 2945 public void setProfileName(ComponentName who, String profileName) { 2946 if (mService != null) { 2947 try { 2948 mService.setProfileName(who, profileName); 2949 } catch (RemoteException e) { 2950 Log.w(TAG, "Failed talking with device policy service", e); 2951 } 2952 } 2953} 2954 2955 /** 2956 * Used to determine if a particular package is registered as the profile owner for the 2957 * current user. A profile owner is a special device admin that has additional privileges 2958 * within the profile. 2959 * 2960 * @param packageName The package name of the app to compare with the registered profile owner. 2961 * @return Whether or not the package is registered as the profile owner. 2962 */ 2963 public boolean isProfileOwnerApp(String packageName) { 2964 if (mService != null) { 2965 try { 2966 ComponentName profileOwner = mService.getProfileOwner( 2967 Process.myUserHandle().getIdentifier()); 2968 return profileOwner != null 2969 && profileOwner.getPackageName().equals(packageName); 2970 } catch (RemoteException re) { 2971 Log.w(TAG, "Failed to check profile owner"); 2972 } 2973 } 2974 return false; 2975 } 2976 2977 /** 2978 * @hide 2979 * @return the packageName of the owner of the given user profile or null if no profile 2980 * owner has been set for that user. 2981 * @throws IllegalArgumentException if the userId is invalid. 2982 */ 2983 @SystemApi 2984 public ComponentName getProfileOwner() throws IllegalArgumentException { 2985 return getProfileOwnerAsUser(Process.myUserHandle().getIdentifier()); 2986 } 2987 2988 /** 2989 * @see #getProfileOwner() 2990 * @hide 2991 */ 2992 public ComponentName getProfileOwnerAsUser(final int userId) throws IllegalArgumentException { 2993 if (mService != null) { 2994 try { 2995 return mService.getProfileOwner(userId); 2996 } catch (RemoteException re) { 2997 Log.w(TAG, "Failed to get profile owner"); 2998 throw new IllegalArgumentException( 2999 "Requested profile owner for invalid userId", re); 3000 } 3001 } 3002 return null; 3003 } 3004 3005 /** 3006 * @hide 3007 * @return the human readable name of the organisation associated with this DPM or null if 3008 * one is not set. 3009 * @throws IllegalArgumentException if the userId is invalid. 3010 */ 3011 public String getProfileOwnerName() throws IllegalArgumentException { 3012 if (mService != null) { 3013 try { 3014 return mService.getProfileOwnerName(Process.myUserHandle().getIdentifier()); 3015 } catch (RemoteException re) { 3016 Log.w(TAG, "Failed to get profile owner"); 3017 throw new IllegalArgumentException( 3018 "Requested profile owner for invalid userId", re); 3019 } 3020 } 3021 return null; 3022 } 3023 3024 /** 3025 * @hide 3026 * @param user The user for whom to fetch the profile owner name, if any. 3027 * @return the human readable name of the organisation associated with this profile owner or 3028 * null if one is not set. 3029 * @throws IllegalArgumentException if the userId is invalid. 3030 */ 3031 @SystemApi 3032 public String getProfileOwnerNameAsUser(int userId) throws IllegalArgumentException { 3033 if (mService != null) { 3034 try { 3035 return mService.getProfileOwnerName(userId); 3036 } catch (RemoteException re) { 3037 Log.w(TAG, "Failed to get profile owner"); 3038 throw new IllegalArgumentException( 3039 "Requested profile owner for invalid userId", re); 3040 } 3041 } 3042 return null; 3043 } 3044 3045 /** 3046 * Called by a profile owner or device owner to add a default intent handler activity for 3047 * intents that match a certain intent filter. This activity will remain the default intent 3048 * handler even if the set of potential event handlers for the intent filter changes and if 3049 * the intent preferences are reset. 3050 * 3051 * <p>The default disambiguation mechanism takes over if the activity is not installed 3052 * (anymore). When the activity is (re)installed, it is automatically reset as default 3053 * intent handler for the filter. 3054 * 3055 * <p>The calling device admin must be a profile owner or device owner. If it is not, a 3056 * security exception will be thrown. 3057 * 3058 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3059 * @param filter The IntentFilter for which a default handler is added. 3060 * @param activity The Activity that is added as default intent handler. 3061 */ 3062 public void addPersistentPreferredActivity(ComponentName admin, IntentFilter filter, 3063 ComponentName activity) { 3064 if (mService != null) { 3065 try { 3066 mService.addPersistentPreferredActivity(admin, filter, activity); 3067 } catch (RemoteException e) { 3068 Log.w(TAG, "Failed talking with device policy service", e); 3069 } 3070 } 3071 } 3072 3073 /** 3074 * Called by a profile owner or device owner to remove all persistent intent handler preferences 3075 * associated with the given package that were set by {@link #addPersistentPreferredActivity}. 3076 * 3077 * <p>The calling device admin must be a profile owner. If it is not, a security 3078 * exception will be thrown. 3079 * 3080 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3081 * @param packageName The name of the package for which preferences are removed. 3082 */ 3083 public void clearPackagePersistentPreferredActivities(ComponentName admin, 3084 String packageName) { 3085 if (mService != null) { 3086 try { 3087 mService.clearPackagePersistentPreferredActivities(admin, packageName); 3088 } catch (RemoteException e) { 3089 Log.w(TAG, "Failed talking with device policy service", e); 3090 } 3091 } 3092 } 3093 3094 /** 3095 * Called by a profile or device owner to set the application restrictions for a given target 3096 * application running in the profile. 3097 * 3098 * <p>The provided {@link Bundle} consists of key-value pairs, where the types of values may be 3099 * boolean, int, String, or String[]. 3100 * 3101 * <p>The application restrictions are only made visible to the target application and the 3102 * profile or device owner. 3103 * 3104 * <p>If the restrictions are not available yet, but may be applied in the near future, 3105 * the admin can notify the target application of that by adding 3106 * {@link UserManager#KEY_RESTRICTIONS_PENDING} to the settings parameter. 3107 * 3108 * <p>The calling device admin must be a profile or device owner; if it is not, a security 3109 * exception will be thrown. 3110 * 3111 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3112 * @param packageName The name of the package to update restricted settings for. 3113 * @param settings A {@link Bundle} to be parsed by the receiving application, conveying a new 3114 * set of active restrictions. 3115 * 3116 * @see UserManager#KEY_RESTRICTIONS_PENDING 3117 */ 3118 public void setApplicationRestrictions(ComponentName admin, String packageName, 3119 Bundle settings) { 3120 if (mService != null) { 3121 try { 3122 mService.setApplicationRestrictions(admin, packageName, settings); 3123 } catch (RemoteException e) { 3124 Log.w(TAG, "Failed talking with device policy service", e); 3125 } 3126 } 3127 } 3128 3129 /** 3130 * Sets a list of configuration features to enable for a TrustAgent component. This is meant 3131 * to be used in conjunction with {@link #KEYGUARD_DISABLE_TRUST_AGENTS}, which disables all 3132 * trust agents but those enabled by this function call. If flag 3133 * {@link #KEYGUARD_DISABLE_TRUST_AGENTS} is not set, then this call has no effect. 3134 * 3135 * <p>The calling device admin must have requested 3136 * {@link DeviceAdminInfo#USES_POLICY_DISABLE_KEYGUARD_FEATURES} to be able to call 3137 * this method; if not, a security exception will be thrown. 3138 * 3139 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3140 * @param target Component name of the agent to be enabled. 3141 * @param configuration TrustAgent-specific feature bundle. If null for any admin, agent 3142 * will be strictly disabled according to the state of the 3143 * {@link #KEYGUARD_DISABLE_TRUST_AGENTS} flag. 3144 * <p>If {@link #KEYGUARD_DISABLE_TRUST_AGENTS} is set and options is not null for all admins, 3145 * then it's up to the TrustAgent itself to aggregate the values from all device admins. 3146 * <p>Consult documentation for the specific TrustAgent to determine legal options parameters. 3147 */ 3148 public void setTrustAgentConfiguration(ComponentName admin, ComponentName target, 3149 PersistableBundle configuration) { 3150 if (mService != null) { 3151 try { 3152 mService.setTrustAgentConfiguration(admin, target, configuration); 3153 } catch (RemoteException e) { 3154 Log.w(TAG, "Failed talking with device policy service", e); 3155 } 3156 } 3157 } 3158 3159 /** 3160 * Gets configuration for the given trust agent based on aggregating all calls to 3161 * {@link #setTrustAgentConfiguration(ComponentName, ComponentName, PersistableBundle)} for 3162 * all device admins. 3163 * 3164 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. If null, 3165 * this function returns a list of configurations for all admins that declare 3166 * {@link #KEYGUARD_DISABLE_TRUST_AGENTS}. If any admin declares 3167 * {@link #KEYGUARD_DISABLE_TRUST_AGENTS} but doesn't call 3168 * {@link #setTrustAgentConfiguration(ComponentName, ComponentName, PersistableBundle)} 3169 * for this {@param agent} or calls it with a null configuration, null is returned. 3170 * @param agent Which component to get enabled features for. 3171 * @return configuration for the given trust agent. 3172 */ 3173 public List<PersistableBundle> getTrustAgentConfiguration(ComponentName admin, 3174 ComponentName agent) { 3175 return getTrustAgentConfiguration(admin, agent, UserHandle.myUserId()); 3176 } 3177 3178 /** @hide per-user version */ 3179 public List<PersistableBundle> getTrustAgentConfiguration(ComponentName admin, 3180 ComponentName agent, int userHandle) { 3181 if (mService != null) { 3182 try { 3183 return mService.getTrustAgentConfiguration(admin, agent, userHandle); 3184 } catch (RemoteException e) { 3185 Log.w(TAG, "Failed talking with device policy service", e); 3186 } 3187 } 3188 return new ArrayList<PersistableBundle>(); // empty list 3189 } 3190 3191 /** 3192 * Called by a profile owner of a managed profile to set whether caller-Id information from 3193 * the managed profile will be shown in the parent profile, for incoming calls. 3194 * 3195 * <p>The calling device admin must be a profile owner. If it is not, a 3196 * security exception will be thrown. 3197 * 3198 * @param who Which {@link DeviceAdminReceiver} this request is associated with. 3199 * @param disabled If true caller-Id information in the managed profile is not displayed. 3200 */ 3201 public void setCrossProfileCallerIdDisabled(ComponentName who, boolean disabled) { 3202 if (mService != null) { 3203 try { 3204 mService.setCrossProfileCallerIdDisabled(who, disabled); 3205 } catch (RemoteException e) { 3206 Log.w(TAG, "Failed talking with device policy service", e); 3207 } 3208 } 3209 } 3210 3211 /** 3212 * Called by a profile owner of a managed profile to determine whether or not caller-Id 3213 * information has been disabled. 3214 * 3215 * <p>The calling device admin must be a profile owner. If it is not, a 3216 * security exception will be thrown. 3217 * 3218 * @param who Which {@link DeviceAdminReceiver} this request is associated with. 3219 */ 3220 public boolean getCrossProfileCallerIdDisabled(ComponentName who) { 3221 if (mService != null) { 3222 try { 3223 return mService.getCrossProfileCallerIdDisabled(who); 3224 } catch (RemoteException e) { 3225 Log.w(TAG, "Failed talking with device policy service", e); 3226 } 3227 } 3228 return false; 3229 } 3230 3231 /** 3232 * Determine whether or not caller-Id information has been disabled. 3233 * 3234 * @param userHandle The user for whom to check the caller-id permission 3235 * @hide 3236 */ 3237 public boolean getCrossProfileCallerIdDisabled(UserHandle userHandle) { 3238 if (mService != null) { 3239 try { 3240 return mService.getCrossProfileCallerIdDisabledForUser(userHandle.getIdentifier()); 3241 } catch (RemoteException e) { 3242 Log.w(TAG, "Failed talking with device policy service", e); 3243 } 3244 } 3245 return false; 3246 } 3247 3248 /** 3249 * Start Quick Contact on the managed profile for the current user, if the policy allows. 3250 * @hide 3251 */ 3252 public void startManagedQuickContact(String actualLookupKey, long actualContactId, 3253 Intent originalIntent) { 3254 if (mService != null) { 3255 try { 3256 mService.startManagedQuickContact( 3257 actualLookupKey, actualContactId, originalIntent); 3258 } catch (RemoteException e) { 3259 Log.w(TAG, "Failed talking with device policy service", e); 3260 } 3261 } 3262 } 3263 3264 /** 3265 * Called by a profile owner of a managed profile to set whether bluetooth 3266 * devices can access enterprise contacts. 3267 * <p> 3268 * The calling device admin must be a profile owner. If it is not, a 3269 * security exception will be thrown. 3270 * <p> 3271 * This API works on managed profile only. 3272 * 3273 * @param who Which {@link DeviceAdminReceiver} this request is associated 3274 * with. 3275 * @param disabled If true, bluetooth devices cannot access enterprise 3276 * contacts. 3277 */ 3278 public void setBluetoothContactSharingDisabled(ComponentName who, boolean disabled) { 3279 if (mService != null) { 3280 try { 3281 mService.setBluetoothContactSharingDisabled(who, disabled); 3282 } catch (RemoteException e) { 3283 Log.w(TAG, "Failed talking with device policy service", e); 3284 } 3285 } 3286 } 3287 3288 /** 3289 * Called by a profile owner of a managed profile to determine whether or 3290 * not Bluetooth devices cannot access enterprise contacts. 3291 * <p> 3292 * The calling device admin must be a profile owner. If it is not, a 3293 * security exception will be thrown. 3294 * <p> 3295 * This API works on managed profile only. 3296 * 3297 * @param who Which {@link DeviceAdminReceiver} this request is associated 3298 * with. 3299 */ 3300 public boolean getBluetoothContactSharingDisabled(ComponentName who) { 3301 if (mService != null) { 3302 try { 3303 return mService.getBluetoothContactSharingDisabled(who); 3304 } catch (RemoteException e) { 3305 Log.w(TAG, "Failed talking with device policy service", e); 3306 } 3307 } 3308 return true; 3309 } 3310 3311 /** 3312 * Determine whether or not Bluetooth devices cannot access contacts. 3313 * <p> 3314 * This API works on managed profile UserHandle only. 3315 * 3316 * @param userHandle The user for whom to check the caller-id permission 3317 * @hide 3318 */ 3319 public boolean getBluetoothContactSharingDisabled(UserHandle userHandle) { 3320 if (mService != null) { 3321 try { 3322 return mService.getBluetoothContactSharingDisabledForUser(userHandle 3323 .getIdentifier()); 3324 } catch (RemoteException e) { 3325 Log.w(TAG, "Failed talking with device policy service", e); 3326 } 3327 } 3328 return true; 3329 } 3330 3331 /** 3332 * Called by the profile owner of a managed profile so that some intents sent in the managed 3333 * profile can also be resolved in the parent, or vice versa. 3334 * Only activity intents are supported. 3335 * 3336 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3337 * @param filter The {@link IntentFilter} the intent has to match to be also resolved in the 3338 * other profile 3339 * @param flags {@link DevicePolicyManager#FLAG_MANAGED_CAN_ACCESS_PARENT} and 3340 * {@link DevicePolicyManager#FLAG_PARENT_CAN_ACCESS_MANAGED} are supported. 3341 */ 3342 public void addCrossProfileIntentFilter(ComponentName admin, IntentFilter filter, int flags) { 3343 if (mService != null) { 3344 try { 3345 mService.addCrossProfileIntentFilter(admin, filter, flags); 3346 } catch (RemoteException e) { 3347 Log.w(TAG, "Failed talking with device policy service", e); 3348 } 3349 } 3350 } 3351 3352 /** 3353 * Called by a profile owner of a managed profile to remove the cross-profile intent filters 3354 * that go from the managed profile to the parent, or from the parent to the managed profile. 3355 * Only removes those that have been set by the profile owner. 3356 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3357 */ 3358 public void clearCrossProfileIntentFilters(ComponentName admin) { 3359 if (mService != null) { 3360 try { 3361 mService.clearCrossProfileIntentFilters(admin); 3362 } catch (RemoteException e) { 3363 Log.w(TAG, "Failed talking with device policy service", e); 3364 } 3365 } 3366 } 3367 3368 /** 3369 * Called by a profile or device owner to set the permitted accessibility services. When 3370 * set by a device owner or profile owner the restriction applies to all profiles of the 3371 * user the device owner or profile owner is an admin for. 3372 * 3373 * By default the user can use any accessiblity service. When zero or more packages have 3374 * been added, accessiblity services that are not in the list and not part of the system 3375 * can not be enabled by the user. 3376 * 3377 * <p> Calling with a null value for the list disables the restriction so that all services 3378 * can be used, calling with an empty list only allows the builtin system's services. 3379 * 3380 * <p> System accesibility services are always available to the user the list can't modify 3381 * this. 3382 * 3383 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3384 * @param packageNames List of accessibility service package names. 3385 * 3386 * @return true if setting the restriction succeeded. It fail if there is 3387 * one or more non-system accessibility services enabled, that are not in the list. 3388 */ 3389 public boolean setPermittedAccessibilityServices(ComponentName admin, 3390 List<String> packageNames) { 3391 if (mService != null) { 3392 try { 3393 return mService.setPermittedAccessibilityServices(admin, packageNames); 3394 } catch (RemoteException e) { 3395 Log.w(TAG, "Failed talking with device policy service", e); 3396 } 3397 } 3398 return false; 3399 } 3400 3401 /** 3402 * Returns the list of permitted accessibility services set by this device or profile owner. 3403 * 3404 * <p>An empty list means no accessibility services except system services are allowed. 3405 * Null means all accessibility services are allowed. 3406 * 3407 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3408 * @return List of accessiblity service package names. 3409 */ 3410 public List<String> getPermittedAccessibilityServices(ComponentName admin) { 3411 if (mService != null) { 3412 try { 3413 return mService.getPermittedAccessibilityServices(admin); 3414 } catch (RemoteException e) { 3415 Log.w(TAG, "Failed talking with device policy service", e); 3416 } 3417 } 3418 return null; 3419 } 3420 3421 /** 3422 * Returns the list of accessibility services permitted by the device or profiles 3423 * owners of this user. 3424 * 3425 * <p>Null means all accessibility services are allowed, if a non-null list is returned 3426 * it will contain the intersection of the permitted lists for any device or profile 3427 * owners that apply to this user. It will also include any system accessibility services. 3428 * 3429 * @param userId which user to check for. 3430 * @return List of accessiblity service package names. 3431 * @hide 3432 */ 3433 @SystemApi 3434 public List<String> getPermittedAccessibilityServices(int userId) { 3435 if (mService != null) { 3436 try { 3437 return mService.getPermittedAccessibilityServicesForUser(userId); 3438 } catch (RemoteException e) { 3439 Log.w(TAG, "Failed talking with device policy service", e); 3440 } 3441 } 3442 return null; 3443 } 3444 3445 /** 3446 * Called by a profile or device owner to set the permitted input methods services. When 3447 * set by a device owner or profile owner the restriction applies to all profiles of the 3448 * user the device owner or profile owner is an admin for. 3449 * 3450 * By default the user can use any input method. When zero or more packages have 3451 * been added, input method that are not in the list and not part of the system 3452 * can not be enabled by the user. 3453 * 3454 * This method will fail if it is called for a admin that is not for the foreground user 3455 * or a profile of the foreground user. 3456 * 3457 * <p> Calling with a null value for the list disables the restriction so that all input methods 3458 * can be used, calling with an empty list disables all but the system's own input methods. 3459 * 3460 * <p> System input methods are always available to the user this method can't modify this. 3461 * 3462 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3463 * @param packageNames List of input method package names. 3464 * @return true if setting the restriction succeeded. It will fail if there are 3465 * one or more non-system input methods currently enabled that are not in 3466 * the packageNames list. 3467 */ 3468 public boolean setPermittedInputMethods(ComponentName admin, List<String> packageNames) { 3469 if (mService != null) { 3470 try { 3471 return mService.setPermittedInputMethods(admin, packageNames); 3472 } catch (RemoteException e) { 3473 Log.w(TAG, "Failed talking with device policy service", e); 3474 } 3475 } 3476 return false; 3477 } 3478 3479 3480 /** 3481 * Returns the list of permitted input methods set by this device or profile owner. 3482 * 3483 * <p>An empty list means no input methods except system input methods are allowed. 3484 * Null means all input methods are allowed. 3485 * 3486 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3487 * @return List of input method package names. 3488 */ 3489 public List<String> getPermittedInputMethods(ComponentName admin) { 3490 if (mService != null) { 3491 try { 3492 return mService.getPermittedInputMethods(admin); 3493 } catch (RemoteException e) { 3494 Log.w(TAG, "Failed talking with device policy service", e); 3495 } 3496 } 3497 return null; 3498 } 3499 3500 /** 3501 * Returns the list of input methods permitted by the device or profiles 3502 * owners of the current user. 3503 * 3504 * <p>Null means all input methods are allowed, if a non-null list is returned 3505 * it will contain the intersection of the permitted lists for any device or profile 3506 * owners that apply to this user. It will also include any system input methods. 3507 * 3508 * @return List of input method package names. 3509 * @hide 3510 */ 3511 @SystemApi 3512 public List<String> getPermittedInputMethodsForCurrentUser() { 3513 if (mService != null) { 3514 try { 3515 return mService.getPermittedInputMethodsForCurrentUser(); 3516 } catch (RemoteException e) { 3517 Log.w(TAG, "Failed talking with device policy service", e); 3518 } 3519 } 3520 return null; 3521 } 3522 3523 /** 3524 * Called by a device owner to create a user with the specified name. The UserHandle returned 3525 * by this method should not be persisted as user handles are recycled as users are removed and 3526 * created. If you need to persist an identifier for this user, use 3527 * {@link UserManager#getSerialNumberForUser}. 3528 * 3529 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3530 * @param name the user's name 3531 * @see UserHandle 3532 * @return the UserHandle object for the created user, or null if the user could not be created. 3533 */ 3534 public UserHandle createUser(ComponentName admin, String name) { 3535 try { 3536 return mService.createUser(admin, name); 3537 } catch (RemoteException re) { 3538 Log.w(TAG, "Could not create a user", re); 3539 } 3540 return null; 3541 } 3542 3543 /** 3544 * Called by a device owner to create a user with the specified name. The UserHandle returned 3545 * by this method should not be persisted as user handles are recycled as users are removed and 3546 * created. If you need to persist an identifier for this user, use 3547 * {@link UserManager#getSerialNumberForUser}. The new user will be started in the background 3548 * immediately. 3549 * 3550 * <p> profileOwnerComponent is the {@link DeviceAdminReceiver} to be the profile owner as well 3551 * as registered as an active admin on the new user. The profile owner package will be 3552 * installed on the new user if it already is installed on the device. 3553 * 3554 * <p>If the optionalInitializeData is not null, then the extras will be passed to the 3555 * profileOwnerComponent when onEnable is called. 3556 * 3557 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3558 * @param name the user's name 3559 * @param ownerName the human readable name of the organisation associated with this DPM. 3560 * @param profileOwnerComponent The {@link DeviceAdminReceiver} that will be an active admin on 3561 * the user. 3562 * @param adminExtras Extras that will be passed to onEnable of the admin receiver 3563 * on the new user. 3564 * @see UserHandle 3565 * @return the UserHandle object for the created user, or null if the user could not be created. 3566 */ 3567 public UserHandle createAndInitializeUser(ComponentName admin, String name, String ownerName, 3568 ComponentName profileOwnerComponent, Bundle adminExtras) { 3569 try { 3570 return mService.createAndInitializeUser(admin, name, ownerName, profileOwnerComponent, 3571 adminExtras); 3572 } catch (RemoteException re) { 3573 Log.w(TAG, "Could not create a user", re); 3574 } 3575 return null; 3576 } 3577 3578 /** 3579 * Called by a device owner to remove a user and all associated data. The primary user can 3580 * not be removed. 3581 * 3582 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3583 * @param userHandle the user to remove. 3584 * @return {@code true} if the user was removed, {@code false} otherwise. 3585 */ 3586 public boolean removeUser(ComponentName admin, UserHandle userHandle) { 3587 try { 3588 return mService.removeUser(admin, userHandle); 3589 } catch (RemoteException re) { 3590 Log.w(TAG, "Could not remove user ", re); 3591 return false; 3592 } 3593 } 3594 3595 /** 3596 * Called by a device owner to switch the specified user to the foreground. 3597 * 3598 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3599 * @param userHandle the user to switch to; null will switch to primary. 3600 * @return {@code true} if the switch was successful, {@code false} otherwise. 3601 * 3602 * @see Intent#ACTION_USER_FOREGROUND 3603 */ 3604 public boolean switchUser(ComponentName admin, UserHandle userHandle) { 3605 try { 3606 return mService.switchUser(admin, userHandle); 3607 } catch (RemoteException re) { 3608 Log.w(TAG, "Could not switch user ", re); 3609 return false; 3610 } 3611 } 3612 3613 /** 3614 * Called by a profile or device owner to get the application restrictions for a given target 3615 * application running in the profile. 3616 * 3617 * <p>The calling device admin must be a profile or device owner; if it is not, a security 3618 * exception will be thrown. 3619 * 3620 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3621 * @param packageName The name of the package to fetch restricted settings of. 3622 * @return {@link Bundle} of settings corresponding to what was set last time 3623 * {@link DevicePolicyManager#setApplicationRestrictions} was called, or an empty {@link Bundle} 3624 * if no restrictions have been set. 3625 */ 3626 public Bundle getApplicationRestrictions(ComponentName admin, String packageName) { 3627 if (mService != null) { 3628 try { 3629 return mService.getApplicationRestrictions(admin, packageName); 3630 } catch (RemoteException e) { 3631 Log.w(TAG, "Failed talking with device policy service", e); 3632 } 3633 } 3634 return null; 3635 } 3636 3637 /** 3638 * Called by a profile or device owner to set a user restriction specified by the key. 3639 * <p> 3640 * The calling device admin must be a profile or device owner; if it is not, 3641 * a security exception will be thrown. 3642 * 3643 * @param admin Which {@link DeviceAdminReceiver} this request is associated 3644 * with. 3645 * @param key The key of the restriction. See the constants in 3646 * {@link android.os.UserManager} for the list of keys. 3647 */ 3648 public void addUserRestriction(ComponentName admin, String key) { 3649 if (mService != null) { 3650 try { 3651 mService.setUserRestriction(admin, key, true); 3652 } catch (RemoteException e) { 3653 Log.w(TAG, "Failed talking with device policy service", e); 3654 } 3655 } 3656 } 3657 3658 /** 3659 * Called by a profile or device owner to clear a user restriction specified by the key. 3660 * <p> 3661 * The calling device admin must be a profile or device owner; if it is not, 3662 * a security exception will be thrown. 3663 * 3664 * @param admin Which {@link DeviceAdminReceiver} this request is associated 3665 * with. 3666 * @param key The key of the restriction. See the constants in 3667 * {@link android.os.UserManager} for the list of keys. 3668 */ 3669 public void clearUserRestriction(ComponentName admin, String key) { 3670 if (mService != null) { 3671 try { 3672 mService.setUserRestriction(admin, key, false); 3673 } catch (RemoteException e) { 3674 Log.w(TAG, "Failed talking with device policy service", e); 3675 } 3676 } 3677 } 3678 3679 /** 3680 * Called by profile or device owners to hide or unhide packages. When a package is hidden it 3681 * is unavailable for use, but the data and actual package file remain. 3682 * 3683 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3684 * @param packageName The name of the package to hide or unhide. 3685 * @param hidden {@code true} if the package should be hidden, {@code false} if it should be 3686 * unhidden. 3687 * @return boolean Whether the hidden setting of the package was successfully updated. 3688 */ 3689 public boolean setApplicationHidden(ComponentName admin, String packageName, 3690 boolean hidden) { 3691 if (mService != null) { 3692 try { 3693 return mService.setApplicationHidden(admin, packageName, hidden); 3694 } catch (RemoteException e) { 3695 Log.w(TAG, "Failed talking with device policy service", e); 3696 } 3697 } 3698 return false; 3699 } 3700 3701 /** 3702 * Called by profile or device owners to determine if a package is hidden. 3703 * 3704 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3705 * @param packageName The name of the package to retrieve the hidden status of. 3706 * @return boolean {@code true} if the package is hidden, {@code false} otherwise. 3707 */ 3708 public boolean isApplicationHidden(ComponentName admin, String packageName) { 3709 if (mService != null) { 3710 try { 3711 return mService.isApplicationHidden(admin, packageName); 3712 } catch (RemoteException e) { 3713 Log.w(TAG, "Failed talking with device policy service", e); 3714 } 3715 } 3716 return false; 3717 } 3718 3719 /** 3720 * Called by profile or device owners to re-enable a system app that was disabled by default 3721 * when the user was initialized. 3722 * 3723 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3724 * @param packageName The package to be re-enabled in the current profile. 3725 */ 3726 public void enableSystemApp(ComponentName admin, String packageName) { 3727 if (mService != null) { 3728 try { 3729 mService.enableSystemApp(admin, packageName); 3730 } catch (RemoteException e) { 3731 Log.w(TAG, "Failed to install package: " + packageName); 3732 } 3733 } 3734 } 3735 3736 /** 3737 * Called by profile or device owners to re-enable system apps by intent that were disabled 3738 * by default when the user was initialized. 3739 * 3740 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3741 * @param intent An intent matching the app(s) to be installed. All apps that resolve for this 3742 * intent will be re-enabled in the current profile. 3743 * @return int The number of activities that matched the intent and were installed. 3744 */ 3745 public int enableSystemApp(ComponentName admin, Intent intent) { 3746 if (mService != null) { 3747 try { 3748 return mService.enableSystemAppWithIntent(admin, intent); 3749 } catch (RemoteException e) { 3750 Log.w(TAG, "Failed to install packages matching filter: " + intent); 3751 } 3752 } 3753 return 0; 3754 } 3755 3756 /** 3757 * Called by a device owner or profile owner to disable account management for a specific type 3758 * of account. 3759 * 3760 * <p>The calling device admin must be a device owner or profile owner. If it is not, a 3761 * security exception will be thrown. 3762 * 3763 * <p>When account management is disabled for an account type, adding or removing an account 3764 * of that type will not be possible. 3765 * 3766 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3767 * @param accountType For which account management is disabled or enabled. 3768 * @param disabled The boolean indicating that account management will be disabled (true) or 3769 * enabled (false). 3770 */ 3771 public void setAccountManagementDisabled(ComponentName admin, String accountType, 3772 boolean disabled) { 3773 if (mService != null) { 3774 try { 3775 mService.setAccountManagementDisabled(admin, accountType, disabled); 3776 } catch (RemoteException e) { 3777 Log.w(TAG, "Failed talking with device policy service", e); 3778 } 3779 } 3780 } 3781 3782 /** 3783 * Gets the array of accounts for which account management is disabled by the profile owner. 3784 * 3785 * <p> Account management can be disabled/enabled by calling 3786 * {@link #setAccountManagementDisabled}. 3787 * 3788 * @return a list of account types for which account management has been disabled. 3789 * 3790 * @see #setAccountManagementDisabled 3791 */ 3792 public String[] getAccountTypesWithManagementDisabled() { 3793 return getAccountTypesWithManagementDisabledAsUser(UserHandle.myUserId()); 3794 } 3795 3796 /** 3797 * @see #getAccountTypesWithManagementDisabled() 3798 * @hide 3799 */ 3800 public String[] getAccountTypesWithManagementDisabledAsUser(int userId) { 3801 if (mService != null) { 3802 try { 3803 return mService.getAccountTypesWithManagementDisabledAsUser(userId); 3804 } catch (RemoteException e) { 3805 Log.w(TAG, "Failed talking with device policy service", e); 3806 } 3807 } 3808 3809 return null; 3810 } 3811 3812 /** 3813 * Sets which packages may enter lock task mode. 3814 * 3815 * <p>Any packages that shares uid with an allowed package will also be allowed 3816 * to activate lock task. 3817 * 3818 * This function can only be called by the device owner. 3819 * @param packages The list of packages allowed to enter lock task mode 3820 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3821 * 3822 * @see Activity#startLockTask() 3823 * @see DeviceAdminReceiver#onLockTaskModeEntering(Context, Intent, String) 3824 * @see DeviceAdminReceiver#onLockTaskModeExiting(Context, Intent) 3825 * @see UserManager#DISALLOW_CREATE_WINDOWS 3826 */ 3827 public void setLockTaskPackages(ComponentName admin, String[] packages) 3828 throws SecurityException { 3829 if (mService != null) { 3830 try { 3831 mService.setLockTaskPackages(admin, packages); 3832 } catch (RemoteException e) { 3833 Log.w(TAG, "Failed talking with device policy service", e); 3834 } 3835 } 3836 } 3837 3838 /** 3839 * This function returns the list of packages allowed to start the lock task mode. 3840 * 3841 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3842 * @hide 3843 */ 3844 public String[] getLockTaskPackages(ComponentName admin) { 3845 if (mService != null) { 3846 try { 3847 return mService.getLockTaskPackages(admin); 3848 } catch (RemoteException e) { 3849 Log.w(TAG, "Failed talking with device policy service", e); 3850 } 3851 } 3852 return null; 3853 } 3854 3855 /** 3856 * This function lets the caller know whether the given component is allowed to start the 3857 * lock task mode. 3858 * @param pkg The package to check 3859 */ 3860 public boolean isLockTaskPermitted(String pkg) { 3861 if (mService != null) { 3862 try { 3863 return mService.isLockTaskPermitted(pkg); 3864 } catch (RemoteException e) { 3865 Log.w(TAG, "Failed talking with device policy service", e); 3866 } 3867 } 3868 return false; 3869 } 3870 3871 /** 3872 * Called by device owners to update {@link Settings.Global} settings. Validation that the value 3873 * of the setting is in the correct form for the setting type should be performed by the caller. 3874 * <p>The settings that can be updated with this method are: 3875 * <ul> 3876 * <li>{@link Settings.Global#ADB_ENABLED}</li> 3877 * <li>{@link Settings.Global#AUTO_TIME}</li> 3878 * <li>{@link Settings.Global#AUTO_TIME_ZONE}</li> 3879 * <li>{@link Settings.Global#BLUETOOTH_ON} 3880 * Changing this setting has not effect as of {@link android.os.Build.VERSION_CODES#MNC}. Use 3881 * {@link android.bluetooth.BluetoothAdapter#enable()} and 3882 * {@link android.bluetooth.BluetoothAdapter#disable()} instead.</li> 3883 * <li>{@link Settings.Global#DATA_ROAMING}</li> 3884 * <li>{@link Settings.Global#DEVELOPMENT_SETTINGS_ENABLED}</li> 3885 * <li>{@link Settings.Global#MODE_RINGER}</li> 3886 * <li>{@link Settings.Global#NETWORK_PREFERENCE}</li> 3887 * <li>{@link Settings.Global#USB_MASS_STORAGE_ENABLED}</li> 3888 * <li>{@link Settings.Global#WIFI_ON} 3889 * Changing this setting has not effect as of {@link android.os.Build.VERSION_CODES#MNC}. Use 3890 * {@link android.net.wifi.WifiManager#setWifiEnabled(boolean)} instead.</li> 3891 * <li>{@link Settings.Global#WIFI_SLEEP_POLICY}</li> 3892 * <li>{@link Settings.Global#STAY_ON_WHILE_PLUGGED_IN} 3893 * This setting is only available from {@link android.os.Build.VERSION_CODES#MNC} onwards 3894 * and can only be set if {@link #setMaximumTimeToLock} is not used to set a timeout.</li> 3895 * </ul> 3896 * 3897 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3898 * @param setting The name of the setting to update. 3899 * @param value The value to update the setting to. 3900 */ 3901 public void setGlobalSetting(ComponentName admin, String setting, String value) { 3902 if (mService != null) { 3903 try { 3904 mService.setGlobalSetting(admin, setting, value); 3905 } catch (RemoteException e) { 3906 Log.w(TAG, "Failed talking with device policy service", e); 3907 } 3908 } 3909 } 3910 3911 /** 3912 * Called by profile or device owners to update {@link Settings.Secure} settings. Validation 3913 * that the value of the setting is in the correct form for the setting type should be performed 3914 * by the caller. 3915 * <p>The settings that can be updated by a profile or device owner with this method are: 3916 * <ul> 3917 * <li>{@link Settings.Secure#DEFAULT_INPUT_METHOD}</li> 3918 * <li>{@link Settings.Secure#INSTALL_NON_MARKET_APPS}</li> 3919 * <li>{@link Settings.Secure#SKIP_FIRST_USE_HINTS}</li> 3920 * </ul> 3921 * <p>A device owner can additionally update the following settings: 3922 * <ul> 3923 * <li>{@link Settings.Secure#LOCATION_MODE}</li> 3924 * </ul> 3925 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3926 * @param setting The name of the setting to update. 3927 * @param value The value to update the setting to. 3928 */ 3929 public void setSecureSetting(ComponentName admin, String setting, String value) { 3930 if (mService != null) { 3931 try { 3932 mService.setSecureSetting(admin, setting, value); 3933 } catch (RemoteException e) { 3934 Log.w(TAG, "Failed talking with device policy service", e); 3935 } 3936 } 3937 } 3938 3939 /** 3940 * Designates a specific service component as the provider for 3941 * making permission requests of a local or remote administrator of the user. 3942 * <p/> 3943 * Only a profile owner can designate the restrictions provider. 3944 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3945 * @param provider The component name of the service that implements 3946 * {@link RestrictionsReceiver}. If this param is null, 3947 * it removes the restrictions provider previously assigned. 3948 */ 3949 public void setRestrictionsProvider(ComponentName admin, ComponentName provider) { 3950 if (mService != null) { 3951 try { 3952 mService.setRestrictionsProvider(admin, provider); 3953 } catch (RemoteException re) { 3954 Log.w(TAG, "Failed to set permission provider on device policy service"); 3955 } 3956 } 3957 } 3958 3959 /** 3960 * Called by profile or device owners to set the master volume mute on or off. 3961 * 3962 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3963 * @param on {@code true} to mute master volume, {@code false} to turn mute off. 3964 */ 3965 public void setMasterVolumeMuted(ComponentName admin, boolean on) { 3966 if (mService != null) { 3967 try { 3968 mService.setMasterVolumeMuted(admin, on); 3969 } catch (RemoteException re) { 3970 Log.w(TAG, "Failed to setMasterMute on device policy service"); 3971 } 3972 } 3973 } 3974 3975 /** 3976 * Called by profile or device owners to check whether the master volume mute is on or off. 3977 * 3978 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3979 * @return {@code true} if master volume is muted, {@code false} if it's not. 3980 */ 3981 public boolean isMasterVolumeMuted(ComponentName admin) { 3982 if (mService != null) { 3983 try { 3984 return mService.isMasterVolumeMuted(admin); 3985 } catch (RemoteException re) { 3986 Log.w(TAG, "Failed to get isMasterMute on device policy service"); 3987 } 3988 } 3989 return false; 3990 } 3991 3992 /** 3993 * Called by profile or device owners to change whether a user can uninstall 3994 * a package. 3995 * 3996 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3997 * @param packageName package to change. 3998 * @param uninstallBlocked true if the user shouldn't be able to uninstall the package. 3999 */ 4000 public void setUninstallBlocked(ComponentName admin, String packageName, 4001 boolean uninstallBlocked) { 4002 if (mService != null) { 4003 try { 4004 mService.setUninstallBlocked(admin, packageName, uninstallBlocked); 4005 } catch (RemoteException re) { 4006 Log.w(TAG, "Failed to call block uninstall on device policy service"); 4007 } 4008 } 4009 } 4010 4011 /** 4012 * Check whether the current user has been blocked by device policy from uninstalling a package. 4013 * Requires the caller to be the profile owner if checking a specific admin's policy. 4014 * <p> 4015 * <strong>Note:</strong> Starting from {@link android.os.Build.VERSION_CODES#LOLLIPOP_MR1}, the 4016 * behavior of this API is changed such that passing <code>null</code> as the <code>admin</code> 4017 * parameter will return if any admin has blocked the uninstallation. Before L MR1, passing 4018 * <code>null</code> will cause a NullPointerException to be raised. 4019 * 4020 * @param admin The name of the admin component whose blocking policy will be checked, or null 4021 * to check if any admin has blocked the uninstallation. 4022 * @param packageName package to check. 4023 * @return true if uninstallation is blocked. 4024 */ 4025 public boolean isUninstallBlocked(ComponentName admin, String packageName) { 4026 if (mService != null) { 4027 try { 4028 return mService.isUninstallBlocked(admin, packageName); 4029 } catch (RemoteException re) { 4030 Log.w(TAG, "Failed to call block uninstall on device policy service"); 4031 } 4032 } 4033 return false; 4034 } 4035 4036 /** 4037 * Called by the profile owner of a managed profile to enable widget providers from a 4038 * given package to be available in the parent profile. As a result the user will be able to 4039 * add widgets from the white-listed package running under the profile to a widget 4040 * host which runs under the parent profile, for example the home screen. Note that 4041 * a package may have zero or more provider components, where each component 4042 * provides a different widget type. 4043 * <p> 4044 * <strong>Note:</strong> By default no widget provider package is white-listed. 4045 * </p> 4046 * 4047 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 4048 * @param packageName The package from which widget providers are white-listed. 4049 * @return Whether the package was added. 4050 * 4051 * @see #removeCrossProfileWidgetProvider(android.content.ComponentName, String) 4052 * @see #getCrossProfileWidgetProviders(android.content.ComponentName) 4053 */ 4054 public boolean addCrossProfileWidgetProvider(ComponentName admin, String packageName) { 4055 if (mService != null) { 4056 try { 4057 return mService.addCrossProfileWidgetProvider(admin, packageName); 4058 } catch (RemoteException re) { 4059 Log.w(TAG, "Error calling addCrossProfileWidgetProvider", re); 4060 } 4061 } 4062 return false; 4063 } 4064 4065 /** 4066 * Called by the profile owner of a managed profile to disable widget providers from a given 4067 * package to be available in the parent profile. For this method to take effect the 4068 * package should have been added via {@link #addCrossProfileWidgetProvider( 4069 * android.content.ComponentName, String)}. 4070 * <p> 4071 * <strong>Note:</strong> By default no widget provider package is white-listed. 4072 * </p> 4073 * 4074 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 4075 * @param packageName The package from which widget providers are no longer 4076 * white-listed. 4077 * @return Whether the package was removed. 4078 * 4079 * @see #addCrossProfileWidgetProvider(android.content.ComponentName, String) 4080 * @see #getCrossProfileWidgetProviders(android.content.ComponentName) 4081 */ 4082 public boolean removeCrossProfileWidgetProvider(ComponentName admin, String packageName) { 4083 if (mService != null) { 4084 try { 4085 return mService.removeCrossProfileWidgetProvider(admin, packageName); 4086 } catch (RemoteException re) { 4087 Log.w(TAG, "Error calling removeCrossProfileWidgetProvider", re); 4088 } 4089 } 4090 return false; 4091 } 4092 4093 /** 4094 * Called by the profile owner of a managed profile to query providers from which packages are 4095 * available in the parent profile. 4096 * 4097 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 4098 * @return The white-listed package list. 4099 * 4100 * @see #addCrossProfileWidgetProvider(android.content.ComponentName, String) 4101 * @see #removeCrossProfileWidgetProvider(android.content.ComponentName, String) 4102 */ 4103 public List<String> getCrossProfileWidgetProviders(ComponentName admin) { 4104 if (mService != null) { 4105 try { 4106 List<String> providers = mService.getCrossProfileWidgetProviders(admin); 4107 if (providers != null) { 4108 return providers; 4109 } 4110 } catch (RemoteException re) { 4111 Log.w(TAG, "Error calling getCrossProfileWidgetProviders", re); 4112 } 4113 } 4114 return Collections.emptyList(); 4115 } 4116 4117 /** 4118 * Called by profile or device owners to set the current user's photo. 4119 * 4120 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 4121 * @param icon the bitmap to set as the photo. 4122 */ 4123 public void setUserIcon(ComponentName admin, Bitmap icon) { 4124 try { 4125 mService.setUserIcon(admin, icon); 4126 } catch (RemoteException re) { 4127 Log.w(TAG, "Could not set the user icon ", re); 4128 } 4129 } 4130 4131 /** 4132 * Called by device initializer to send a provisioning status update to the remote setup device. 4133 * 4134 * @param statusCode a custom status code value as defined by 4135 * {@link DeviceInitializerStatus#isCustomStatus(int)}. 4136 * @param description custom description of the status code sent 4137 */ 4138 public void sendDeviceInitializerStatus(int statusCode, String description) { 4139 try { 4140 mService.sendDeviceInitializerStatus(statusCode, description); 4141 } catch (RemoteException re) { 4142 Log.w(TAG, "Could not send device initializer status", re); 4143 } 4144 } 4145 4146 /* 4147 * Called by device owners to set a local OTA update policy. When a new OTA policy is set, 4148 * {@link #ACTION_OTA_POLICY_CHANGED} is broadcasted. 4149 * 4150 * @param who Which {@link DeviceAdminReceiver} this request is associated with. All components 4151 * in the device owner package can set OTA policies and the most recent policy takes effect. 4152 * @param policy the new OTA policy, or null to clear the current policy. 4153 * @see OtaPolicy 4154 */ 4155 public void setOtaPolicy(ComponentName who, OtaPolicy policy) { 4156 if (mService != null) { 4157 try { 4158 if (policy != null) { 4159 mService.setOtaPolicy(who, policy.getPolicyBundle()); 4160 } else { 4161 mService.setOtaPolicy(who, null); 4162 } 4163 } catch (RemoteException re) { 4164 Log.w(TAG, "Error calling setOtaPolicy", re); 4165 } 4166 } 4167 } 4168 4169 /** 4170 * Retrieve a local OTA update policy set previously by {@link #setOtaPolicy}. 4171 * 4172 * @return The current OTA policy object, or null if no policy is set or the system does not 4173 * support managed OTA. 4174 */ 4175 public OtaPolicy getOtaPolicy() { 4176 if (mService != null) { 4177 try { 4178 PersistableBundle bundle = mService.getOtaPolicy(); 4179 if (bundle != null) { 4180 return new OtaPolicy(bundle); 4181 } else { 4182 return null; 4183 } 4184 } catch (RemoteException re) { 4185 Log.w(TAG, "Error calling getOtaPolicy", re); 4186 } 4187 } 4188 return null; 4189 } 4190 4191 /** 4192 * Called by a device owner to disable the keyguard altogether. 4193 * 4194 * <p>Setting the keyguard to disabled has the same effect as choosing "None" as the screen 4195 * lock type. However, this call has no effect if a password, pin or pattern is currently set. 4196 * If a password, pin or pattern is set after the keyguard was disabled, the keyguard stops 4197 * being disabled. 4198 * 4199 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 4200 * @param enabled New state of the keyguard. 4201 * 4202 * @return {@code false} if attempting to disable the keyguard while a lock password was in 4203 * place. {@code true} otherwise." 4204 */ 4205 public boolean setKeyguardEnabledState(ComponentName admin, boolean enabled) { 4206 try { 4207 return mService.setKeyguardEnabledState(admin, enabled); 4208 } catch (RemoteException re) { 4209 Log.w(TAG, "Failed talking with device policy service", re); 4210 return false; 4211 } 4212 } 4213 4214 /** 4215 * Called by device owner to set the enabled state of the status bar. Disabling the status 4216 * bar blocks notifications, quick settings and other screen overlays that allow escaping from 4217 * a single use device. 4218 * 4219 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 4220 * @param enabled New state of the status bar. 4221 */ 4222 public void setStatusBarEnabledState(ComponentName admin, boolean enabled) { 4223 try { 4224 mService.setStatusBarEnabledState(admin, enabled); 4225 } catch (RemoteException re) { 4226 Log.w(TAG, "Failed talking with device policy service", re); 4227 } 4228 } 4229} 4230