DevicePolicyManager.java revision f6e2fcc2eaf5e650237d3c6d79a2de49d2d4111e
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17package android.app.admin; 18 19import android.annotation.SdkConstant; 20import android.annotation.SdkConstant.SdkConstantType; 21import android.app.Activity; 22import android.content.AbstractRestrictionsProvider; 23import android.content.ComponentName; 24import android.content.Context; 25import android.content.Intent; 26import android.content.IntentFilter; 27import android.content.pm.ActivityInfo; 28import android.content.pm.PackageManager; 29import android.content.pm.ResolveInfo; 30import android.content.RestrictionsManager; 31import android.media.AudioService; 32import android.net.ProxyInfo; 33import android.os.Bundle; 34import android.os.Handler; 35import android.os.Process; 36import android.os.RemoteCallback; 37import android.os.RemoteException; 38import android.os.ServiceManager; 39import android.os.UserHandle; 40import android.os.UserManager; 41import android.provider.Settings; 42import android.service.trust.TrustAgentService; 43import android.util.Log; 44 45import com.android.org.conscrypt.TrustedCertificateStore; 46 47import org.xmlpull.v1.XmlPullParserException; 48 49import java.io.ByteArrayInputStream; 50import java.io.IOException; 51import java.net.InetSocketAddress; 52import java.net.Proxy; 53import java.security.cert.CertificateException; 54import java.security.cert.CertificateFactory; 55import java.security.cert.X509Certificate; 56import java.util.List; 57import java.util.Set; 58 59/** 60 * Public interface for managing policies enforced on a device. Most clients 61 * of this class must have published a {@link DeviceAdminReceiver} that the user 62 * has currently enabled. 63 * 64 * <div class="special reference"> 65 * <h3>Developer Guides</h3> 66 * <p>For more information about managing policies for device adminstration, read the 67 * <a href="{@docRoot}guide/topics/admin/device-admin.html">Device Administration</a> 68 * developer guide.</p> 69 * </div> 70 */ 71public class DevicePolicyManager { 72 private static String TAG = "DevicePolicyManager"; 73 74 private final Context mContext; 75 private final IDevicePolicyManager mService; 76 77 private DevicePolicyManager(Context context, Handler handler) { 78 mContext = context; 79 mService = IDevicePolicyManager.Stub.asInterface( 80 ServiceManager.getService(Context.DEVICE_POLICY_SERVICE)); 81 } 82 83 /** @hide */ 84 public static DevicePolicyManager create(Context context, Handler handler) { 85 DevicePolicyManager me = new DevicePolicyManager(context, handler); 86 return me.mService != null ? me : null; 87 } 88 89 /** 90 * Activity action: Starts the provisioning flow which sets up a managed profile. 91 * 92 * <p>A managed profile allows data separation for example for the usage of a 93 * device as a personal and corporate device. The user which provisioning is started from and 94 * the managed profile share a launcher. 95 * 96 * <p>This intent will typically be sent by a mobile device management application (mdm). 97 * Provisioning adds a managed profile and sets the mdm as the profile owner who has full 98 * control over the profile 99 * 100 * <p>This intent must contain the extras {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME} 101 * {@link #EXTRA_PROVISIONING_DEFAULT_MANAGED_PROFILE_NAME} and {@link #EXTRA_DEVICE_ADMIN}. 102 * 103 * <p> When managed provisioning has completed, an intent of the type 104 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE} is broadcasted to the 105 * managed profile. 106 * 107 * <p> If provisioning fails, the managedProfile is removed so the device returns to its 108 * previous state. 109 * 110 * <p>Input: Nothing.</p> 111 * <p>Output: Nothing</p> 112 */ 113 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 114 public static final String ACTION_PROVISION_MANAGED_PROFILE 115 = "android.app.action.ACTION_PROVISION_MANAGED_PROFILE"; 116 117 /** 118 * A String extra holding the package name of the mobile device management application that 119 * will be set as the profile owner or device owner. 120 * 121 * <p>If an application starts provisioning directly via an intent with action 122 * {@link #ACTION_PROVISION_MANAGED_PROFILE} this package has to match the package name of the 123 * application that started provisioning. The package will be set as profile owner in that case. 124 * 125 * <p>This package is set as device owner when device owner provisioning is started by an Nfc 126 * message containing an Nfc record with MIME type {@link #PROVISIONING_NFC_MIME_TYPE}. 127 */ 128 public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME 129 = "android.app.extra.deviceAdminPackageName"; 130 131 /** 132 * A String extra holding the default name of the profile that is created during managed profile 133 * provisioning. 134 * 135 * <p>Use with {@link #ACTION_PROVISION_MANAGED_PROFILE} 136 */ 137 public static final String EXTRA_PROVISIONING_DEFAULT_MANAGED_PROFILE_NAME 138 = "android.app.extra.defaultManagedProfileName"; 139 140 /** 141 * A String extra that, holds the email address of the account which a managed profile is 142 * created for. Used with {@link #ACTION_PROVISION_MANAGED_PROFILE} and 143 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE}. 144 * 145 * <p> If the {@link #ACTION_PROVISION_MANAGED_PROFILE} intent that starts managed provisioning 146 * contains this extra, it is forwarded in the 147 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE} intent to the mobile 148 * device management application that was set as the profile owner during provisioning. 149 * It is usually used to avoid that the user has to enter their email address twice. 150 */ 151 public static final String EXTRA_PROVISIONING_EMAIL_ADDRESS 152 = "android.app.extra.ManagedProfileEmailAddress"; 153 154 /** 155 * A String extra holding the time zone {@link android.app.AlarmManager} that the device 156 * will be set to. 157 * 158 * <p>Use in an Nfc record with {@link #PROVISIONING_NFC_MIME_TYPE} that starts device owner 159 * provisioning via an Nfc bump. 160 */ 161 public static final String EXTRA_PROVISIONING_TIME_ZONE 162 = "android.app.extra.timeZone"; 163 164 /** 165 * A Long extra holding the local time {@link android.app.AlarmManager} that the device 166 * will be set to. 167 * 168 * <p>Use in an Nfc record with {@link #PROVISIONING_NFC_MIME_TYPE} that starts device owner 169 * provisioning via an Nfc bump. 170 */ 171 public static final String EXTRA_PROVISIONING_LOCAL_TIME 172 = "android.app.extra.localTime"; 173 174 /** 175 * A String extra holding the {@link java.util.Locale} that the device will be set to. 176 * Format: xx_yy, where xx is the language code, and yy the country code. 177 * 178 * <p>Use in an Nfc record with {@link #PROVISIONING_NFC_MIME_TYPE} that starts device owner 179 * provisioning via an Nfc bump. 180 */ 181 public static final String EXTRA_PROVISIONING_LOCALE 182 = "android.app.extra.locale"; 183 184 /** 185 * A String extra holding the ssid of the wifi network that should be used during nfc device 186 * owner provisioning for downloading the mobile device management application. 187 * 188 * <p>Use in an Nfc record with {@link #PROVISIONING_NFC_MIME_TYPE} that starts device owner 189 * provisioning via an Nfc bump. 190 */ 191 public static final String EXTRA_PROVISIONING_WIFI_SSID 192 = "android.app.extra.wifiSsid"; 193 194 /** 195 * A boolean extra indicating whether the wifi network in {@link #EXTRA_PROVISIONING_WIFI_SSID} 196 * is hidden or not. 197 * 198 * <p>Use in an Nfc record with {@link #PROVISIONING_NFC_MIME_TYPE} that starts device owner 199 * provisioning via an Nfc bump. 200 */ 201 public static final String EXTRA_PROVISIONING_WIFI_HIDDEN 202 = "android.app.extra.wifiHidden"; 203 204 /** 205 * A String extra indicating the security type of the wifi network in 206 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 207 * 208 * <p>Use in an Nfc record with {@link #PROVISIONING_NFC_MIME_TYPE} that starts device owner 209 * provisioning via an Nfc bump. 210 */ 211 public static final String EXTRA_PROVISIONING_WIFI_SECURITY_TYPE 212 = "android.app.extra.wifiSecurityType"; 213 214 /** 215 * A String extra holding the password of the wifi network in 216 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 217 * 218 * <p>Use in an Nfc record with {@link #PROVISIONING_NFC_MIME_TYPE} that starts device owner 219 * provisioning via an Nfc bump. 220 */ 221 public static final String EXTRA_PROVISIONING_WIFI_PASSWORD 222 = "android.app.extra.wifiPassword"; 223 224 /** 225 * A String extra holding the proxy host for the wifi network in 226 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 227 * 228 * <p>Use in an Nfc record with {@link #PROVISIONING_NFC_MIME_TYPE} that starts device owner 229 * provisioning via an Nfc bump. 230 */ 231 public static final String EXTRA_PROVISIONING_WIFI_PROXY_HOST 232 = "android.app.extra.wifiProxyHost"; 233 234 /** 235 * An int extra holding the proxy port for the wifi network in 236 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 237 * 238 * <p>Use in an Nfc record with {@link #PROVISIONING_NFC_MIME_TYPE} that starts device owner 239 * provisioning via an Nfc bump. 240 */ 241 public static final String EXTRA_PROVISIONING_WIFI_PROXY_PORT 242 = "android.app.extra.wifiProxyPort"; 243 244 /** 245 * A String extra holding the proxy bypass for the wifi network in 246 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 247 * 248 * <p>Use in an Nfc record with {@link #PROVISIONING_NFC_MIME_TYPE} that starts device owner 249 * provisioning via an Nfc bump. 250 */ 251 public static final String EXTRA_PROVISIONING_WIFI_PROXY_BYPASS 252 = "android.app.extra.wifiProxyBypassHosts"; 253 254 /** 255 * A String extra holding the proxy auto-config (PAC) URL for the wifi network in 256 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 257 * 258 * <p>Use in an Nfc record with {@link #PROVISIONING_NFC_MIME_TYPE} that starts device owner 259 * provisioning via an Nfc bump. 260 */ 261 public static final String EXTRA_PROVISIONING_WIFI_PAC_URL 262 = "android.app.extra.wifiPacUrl"; 263 264 /** 265 * A String extra holding a url that specifies the download location of the device admin 266 * package. When not provided it is assumed that the device admin package is already installed. 267 * 268 * <p>Use in an Nfc record with {@link #PROVISIONING_NFC_MIME_TYPE} that starts device owner 269 * provisioning via an Nfc bump. 270 */ 271 public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION 272 = "android.app.extra.deviceAdminPackageDownloadLocation"; 273 274 /** 275 * A String extra holding the SHA-1 checksum of the file at download location specified in 276 * {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION}. If this doesn't match 277 * the file at the download location an error will be shown to the user and the user will be 278 * asked to factory reset the device. 279 * 280 * <p>Use in an Nfc record with {@link #PROVISIONING_NFC_MIME_TYPE} that starts device owner 281 * provisioning via an Nfc bump. 282 */ 283 public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM 284 = "android.app.extra.deviceAdminPackageChecksum"; 285 286 /** 287 * This MIME type is used for starting the Device Owner provisioning. 288 * 289 * <p>During device owner provisioning a device admin app is set as the owner of the device. 290 * A device owner has full control over the device. The device owner can not be modified by the 291 * user and the only way of resetting the device is if the device owner app calls a factory 292 * reset. 293 * 294 * <p> A typical use case would be a device that is owned by a company, but used by either an 295 * employee or client. 296 * 297 * <p> The Nfc message should be send to an unprovisioned device. 298 * 299 * <p>The Nfc record must contain a serialized {@link java.util.Properties} object which 300 * contains the following properties: 301 * <ul> 302 * <li>{@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME}</li> 303 * <li>{@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION}</li> 304 * <li>{@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM}</li> 305 * <li>{@link #EXTRA_PROVISIONING_LOCAL_TIME} (convert to String), optional</li> 306 * <li>{@link #EXTRA_PROVISIONING_TIME_ZONE}, optional</li> 307 * <li>{@link #EXTRA_PROVISIONING_LOCALE}, optional</li> 308 * <li>{@link #EXTRA_PROVISIONING_WIFI_SSID}, optional</li> 309 * <li>{@link #EXTRA_PROVISIONING_WIFI_HIDDEN} (convert to String), optional</li> 310 * <li>{@link #EXTRA_PROVISIONING_WIFI_SECURITY_TYPE}, optional</li> 311 * <li>{@link #EXTRA_PROVISIONING_WIFI_PASSWORD}, optional</li> 312 * <li>{@link #EXTRA_PROVISIONING_WIFI_PROXY_HOST}, optional</li> 313 * <li>{@link #EXTRA_PROVISIONING_WIFI_PROXY_PORT} (convert to String), optional</li> 314 * <li>{@link #EXTRA_PROVISIONING_WIFI_PROXY_BYPASS}, optional</li> 315 * <li>{@link #EXTRA_PROVISIONING_WIFI_PAC_URL}, optional</li></ul> 316 * 317 * <p> When device owner provisioning has completed, an intent of the type 318 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE} is broadcasted to the 319 * device owner. 320 * 321 * <p> 322 * If provisioning fails, the device is factory reset. 323 * 324 * <p>Input: Nothing.</p> 325 * <p>Output: Nothing</p> 326 */ 327 public static final String PROVISIONING_NFC_MIME_TYPE 328 = "application/com.android.managedprovisioning"; 329 330 /** 331 * Activity action: ask the user to add a new device administrator to the system. 332 * The desired policy is the ComponentName of the policy in the 333 * {@link #EXTRA_DEVICE_ADMIN} extra field. This will invoke a UI to 334 * bring the user through adding the device administrator to the system (or 335 * allowing them to reject it). 336 * 337 * <p>You can optionally include the {@link #EXTRA_ADD_EXPLANATION} 338 * field to provide the user with additional explanation (in addition 339 * to your component's description) about what is being added. 340 * 341 * <p>If your administrator is already active, this will ordinarily return immediately (without 342 * user intervention). However, if your administrator has been updated and is requesting 343 * additional uses-policy flags, the user will be presented with the new list. New policies 344 * will not be available to the updated administrator until the user has accepted the new list. 345 */ 346 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 347 public static final String ACTION_ADD_DEVICE_ADMIN 348 = "android.app.action.ADD_DEVICE_ADMIN"; 349 350 /** 351 * Activity action: send when any policy admin changes a policy. 352 * This is generally used to find out when a new policy is in effect. 353 * 354 * @hide 355 */ 356 public static final String ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED 357 = "android.app.action.DEVICE_POLICY_MANAGER_STATE_CHANGED"; 358 359 /** 360 * The ComponentName of the administrator component. 361 * 362 * @see #ACTION_ADD_DEVICE_ADMIN 363 */ 364 public static final String EXTRA_DEVICE_ADMIN = "android.app.extra.DEVICE_ADMIN"; 365 366 /** 367 * An optional CharSequence providing additional explanation for why the 368 * admin is being added. 369 * 370 * @see #ACTION_ADD_DEVICE_ADMIN 371 */ 372 public static final String EXTRA_ADD_EXPLANATION = "android.app.extra.ADD_EXPLANATION"; 373 374 /** 375 * Activity action: have the user enter a new password. This activity should 376 * be launched after using {@link #setPasswordQuality(ComponentName, int)}, 377 * or {@link #setPasswordMinimumLength(ComponentName, int)} to have the user 378 * enter a new password that meets the current requirements. You can use 379 * {@link #isActivePasswordSufficient()} to determine whether you need to 380 * have the user select a new password in order to meet the current 381 * constraints. Upon being resumed from this activity, you can check the new 382 * password characteristics to see if they are sufficient. 383 */ 384 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 385 public static final String ACTION_SET_NEW_PASSWORD 386 = "android.app.action.SET_NEW_PASSWORD"; 387 /** 388 * Flag used by {@link #addCrossProfileIntentFilter} to allow access of certain intents from a 389 * managed profile to its parent. 390 */ 391 public static int FLAG_PARENT_CAN_ACCESS_MANAGED = 0x0001; 392 393 /** 394 * Flag used by {@link #addCrossProfileIntentFilter} to allow access of certain intents from the 395 * parent to its managed profile. 396 */ 397 public static int FLAG_MANAGED_CAN_ACCESS_PARENT = 0x0002; 398 399 /** 400 * Return true if the given administrator component is currently 401 * active (enabled) in the system. 402 */ 403 public boolean isAdminActive(ComponentName who) { 404 if (mService != null) { 405 try { 406 return mService.isAdminActive(who, UserHandle.myUserId()); 407 } catch (RemoteException e) { 408 Log.w(TAG, "Failed talking with device policy service", e); 409 } 410 } 411 return false; 412 } 413 414 /** 415 * Return a list of all currently active device administrator's component 416 * names. Note that if there are no administrators than null may be 417 * returned. 418 */ 419 public List<ComponentName> getActiveAdmins() { 420 if (mService != null) { 421 try { 422 return mService.getActiveAdmins(UserHandle.myUserId()); 423 } catch (RemoteException e) { 424 Log.w(TAG, "Failed talking with device policy service", e); 425 } 426 } 427 return null; 428 } 429 430 /** 431 * Used by package administration code to determine if a package can be stopped 432 * or uninstalled. 433 * @hide 434 */ 435 public boolean packageHasActiveAdmins(String packageName) { 436 if (mService != null) { 437 try { 438 return mService.packageHasActiveAdmins(packageName, UserHandle.myUserId()); 439 } catch (RemoteException e) { 440 Log.w(TAG, "Failed talking with device policy service", e); 441 } 442 } 443 return false; 444 } 445 446 /** 447 * Remove a current administration component. This can only be called 448 * by the application that owns the administration component; if you 449 * try to remove someone else's component, a security exception will be 450 * thrown. 451 */ 452 public void removeActiveAdmin(ComponentName who) { 453 if (mService != null) { 454 try { 455 mService.removeActiveAdmin(who, UserHandle.myUserId()); 456 } catch (RemoteException e) { 457 Log.w(TAG, "Failed talking with device policy service", e); 458 } 459 } 460 } 461 462 /** 463 * Returns true if an administrator has been granted a particular device policy. This can 464 * be used to check if the administrator was activated under an earlier set of policies, 465 * but requires additional policies after an upgrade. 466 * 467 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. Must be 468 * an active administrator, or an exception will be thrown. 469 * @param usesPolicy Which uses-policy to check, as defined in {@link DeviceAdminInfo}. 470 */ 471 public boolean hasGrantedPolicy(ComponentName admin, int usesPolicy) { 472 if (mService != null) { 473 try { 474 return mService.hasGrantedPolicy(admin, usesPolicy, UserHandle.myUserId()); 475 } catch (RemoteException e) { 476 Log.w(TAG, "Failed talking with device policy service", e); 477 } 478 } 479 return false; 480 } 481 482 /** 483 * Constant for {@link #setPasswordQuality}: the policy has no requirements 484 * for the password. Note that quality constants are ordered so that higher 485 * values are more restrictive. 486 */ 487 public static final int PASSWORD_QUALITY_UNSPECIFIED = 0; 488 489 /** 490 * Constant for {@link #setPasswordQuality}: the policy allows for low-security biometric 491 * recognition technology. This implies technologies that can recognize the identity of 492 * an individual to about a 3 digit PIN (false detection is less than 1 in 1,000). 493 * Note that quality constants are ordered so that higher values are more restrictive. 494 */ 495 public static final int PASSWORD_QUALITY_BIOMETRIC_WEAK = 0x8000; 496 497 /** 498 * Constant for {@link #setPasswordQuality}: the policy requires some kind 499 * of password, but doesn't care what it is. Note that quality constants 500 * are ordered so that higher values are more restrictive. 501 */ 502 public static final int PASSWORD_QUALITY_SOMETHING = 0x10000; 503 504 /** 505 * Constant for {@link #setPasswordQuality}: the user must have entered a 506 * password containing at least numeric characters. Note that quality 507 * constants are ordered so that higher values are more restrictive. 508 */ 509 public static final int PASSWORD_QUALITY_NUMERIC = 0x20000; 510 511 /** 512 * Constant for {@link #setPasswordQuality}: the user must have entered a 513 * password containing at least numeric characters with no repeating (4444) 514 * or ordered (1234, 4321, 2468) sequences. Note that quality 515 * constants are ordered so that higher values are more restrictive. 516 */ 517 public static final int PASSWORD_QUALITY_NUMERIC_COMPLEX = 0x30000; 518 519 /** 520 * Constant for {@link #setPasswordQuality}: the user must have entered a 521 * password containing at least alphabetic (or other symbol) characters. 522 * Note that quality constants are ordered so that higher values are more 523 * restrictive. 524 */ 525 public static final int PASSWORD_QUALITY_ALPHABETIC = 0x40000; 526 527 /** 528 * Constant for {@link #setPasswordQuality}: the user must have entered a 529 * password containing at least <em>both></em> numeric <em>and</em> 530 * alphabetic (or other symbol) characters. Note that quality constants are 531 * ordered so that higher values are more restrictive. 532 */ 533 public static final int PASSWORD_QUALITY_ALPHANUMERIC = 0x50000; 534 535 /** 536 * Constant for {@link #setPasswordQuality}: the user must have entered a 537 * password containing at least a letter, a numerical digit and a special 538 * symbol, by default. With this password quality, passwords can be 539 * restricted to contain various sets of characters, like at least an 540 * uppercase letter, etc. These are specified using various methods, 541 * like {@link #setPasswordMinimumLowerCase(ComponentName, int)}. Note 542 * that quality constants are ordered so that higher values are more 543 * restrictive. 544 */ 545 public static final int PASSWORD_QUALITY_COMPLEX = 0x60000; 546 547 /** 548 * Called by an application that is administering the device to set the 549 * password restrictions it is imposing. After setting this, the user 550 * will not be able to enter a new password that is not at least as 551 * restrictive as what has been set. Note that the current password 552 * will remain until the user has set a new one, so the change does not 553 * take place immediately. To prompt the user for a new password, use 554 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. 555 * 556 * <p>Quality constants are ordered so that higher values are more restrictive; 557 * thus the highest requested quality constant (between the policy set here, 558 * the user's preference, and any other considerations) is the one that 559 * is in effect. 560 * 561 * <p>The calling device admin must have requested 562 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 563 * this method; if it has not, a security exception will be thrown. 564 * 565 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 566 * @param quality The new desired quality. One of 567 * {@link #PASSWORD_QUALITY_UNSPECIFIED}, {@link #PASSWORD_QUALITY_SOMETHING}, 568 * {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_NUMERIC_COMPLEX}, 569 * {@link #PASSWORD_QUALITY_ALPHABETIC}, {@link #PASSWORD_QUALITY_ALPHANUMERIC} 570 * or {@link #PASSWORD_QUALITY_COMPLEX}. 571 */ 572 public void setPasswordQuality(ComponentName admin, int quality) { 573 if (mService != null) { 574 try { 575 mService.setPasswordQuality(admin, quality, UserHandle.myUserId()); 576 } catch (RemoteException e) { 577 Log.w(TAG, "Failed talking with device policy service", e); 578 } 579 } 580 } 581 582 /** 583 * Retrieve the current minimum password quality for all admins of this user 584 * and its profiles or a particular one. 585 * @param admin The name of the admin component to check, or null to aggregate 586 * all admins. 587 */ 588 public int getPasswordQuality(ComponentName admin) { 589 return getPasswordQuality(admin, UserHandle.myUserId()); 590 } 591 592 /** @hide per-user version */ 593 public int getPasswordQuality(ComponentName admin, int userHandle) { 594 if (mService != null) { 595 try { 596 return mService.getPasswordQuality(admin, userHandle); 597 } catch (RemoteException e) { 598 Log.w(TAG, "Failed talking with device policy service", e); 599 } 600 } 601 return PASSWORD_QUALITY_UNSPECIFIED; 602 } 603 604 /** 605 * Called by an application that is administering the device to set the 606 * minimum allowed password length. After setting this, the user 607 * will not be able to enter a new password that is not at least as 608 * restrictive as what has been set. Note that the current password 609 * will remain until the user has set a new one, so the change does not 610 * take place immediately. To prompt the user for a new password, use 611 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 612 * constraint is only imposed if the administrator has also requested either 613 * {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_NUMERIC_COMPLEX}, 614 * {@link #PASSWORD_QUALITY_ALPHABETIC}, {@link #PASSWORD_QUALITY_ALPHANUMERIC}, 615 * or {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. 616 * 617 * <p>The calling device admin must have requested 618 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 619 * this method; if it has not, a security exception will be thrown. 620 * 621 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 622 * @param length The new desired minimum password length. A value of 0 623 * means there is no restriction. 624 */ 625 public void setPasswordMinimumLength(ComponentName admin, int length) { 626 if (mService != null) { 627 try { 628 mService.setPasswordMinimumLength(admin, length, UserHandle.myUserId()); 629 } catch (RemoteException e) { 630 Log.w(TAG, "Failed talking with device policy service", e); 631 } 632 } 633 } 634 635 /** 636 * Retrieve the current minimum password length for all admins of this 637 * user and its profiles or a particular one. 638 * @param admin The name of the admin component to check, or null to aggregate 639 * all admins. 640 */ 641 public int getPasswordMinimumLength(ComponentName admin) { 642 return getPasswordMinimumLength(admin, UserHandle.myUserId()); 643 } 644 645 /** @hide per-user version */ 646 public int getPasswordMinimumLength(ComponentName admin, int userHandle) { 647 if (mService != null) { 648 try { 649 return mService.getPasswordMinimumLength(admin, userHandle); 650 } catch (RemoteException e) { 651 Log.w(TAG, "Failed talking with device policy service", e); 652 } 653 } 654 return 0; 655 } 656 657 /** 658 * Called by an application that is administering the device to set the 659 * minimum number of upper case letters required in the password. After 660 * setting this, the user will not be able to enter a new password that is 661 * not at least as restrictive as what has been set. Note that the current 662 * password will remain until the user has set a new one, so the change does 663 * not take place immediately. To prompt the user for a new password, use 664 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 665 * constraint is only imposed if the administrator has also requested 666 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 667 * default value is 0. 668 * <p> 669 * The calling device admin must have requested 670 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 671 * this method; if it has not, a security exception will be thrown. 672 * 673 * @param admin Which {@link DeviceAdminReceiver} this request is associated 674 * with. 675 * @param length The new desired minimum number of upper case letters 676 * required in the password. A value of 0 means there is no 677 * restriction. 678 */ 679 public void setPasswordMinimumUpperCase(ComponentName admin, int length) { 680 if (mService != null) { 681 try { 682 mService.setPasswordMinimumUpperCase(admin, length, UserHandle.myUserId()); 683 } catch (RemoteException e) { 684 Log.w(TAG, "Failed talking with device policy service", e); 685 } 686 } 687 } 688 689 /** 690 * Retrieve the current number of upper case letters required in the 691 * password for all admins of this user and its profiles or a particular one. 692 * This is the same value as set by 693 * {#link {@link #setPasswordMinimumUpperCase(ComponentName, int)} 694 * and only applies when the password quality is 695 * {@link #PASSWORD_QUALITY_COMPLEX}. 696 * 697 * @param admin The name of the admin component to check, or null to 698 * aggregate all admins. 699 * @return The minimum number of upper case letters required in the 700 * password. 701 */ 702 public int getPasswordMinimumUpperCase(ComponentName admin) { 703 return getPasswordMinimumUpperCase(admin, UserHandle.myUserId()); 704 } 705 706 /** @hide per-user version */ 707 public int getPasswordMinimumUpperCase(ComponentName admin, int userHandle) { 708 if (mService != null) { 709 try { 710 return mService.getPasswordMinimumUpperCase(admin, userHandle); 711 } catch (RemoteException e) { 712 Log.w(TAG, "Failed talking with device policy service", e); 713 } 714 } 715 return 0; 716 } 717 718 /** 719 * Called by an application that is administering the device to set the 720 * minimum number of lower case letters required in the password. After 721 * setting this, the user will not be able to enter a new password that is 722 * not at least as restrictive as what has been set. Note that the current 723 * password will remain until the user has set a new one, so the change does 724 * not take place immediately. To prompt the user for a new password, use 725 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 726 * constraint is only imposed if the administrator has also requested 727 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 728 * default value is 0. 729 * <p> 730 * The calling device admin must have requested 731 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 732 * this method; if it has not, a security exception will be thrown. 733 * 734 * @param admin Which {@link DeviceAdminReceiver} this request is associated 735 * with. 736 * @param length The new desired minimum number of lower case letters 737 * required in the password. A value of 0 means there is no 738 * restriction. 739 */ 740 public void setPasswordMinimumLowerCase(ComponentName admin, int length) { 741 if (mService != null) { 742 try { 743 mService.setPasswordMinimumLowerCase(admin, length, UserHandle.myUserId()); 744 } catch (RemoteException e) { 745 Log.w(TAG, "Failed talking with device policy service", e); 746 } 747 } 748 } 749 750 /** 751 * Retrieve the current number of lower case letters required in the 752 * password for all admins of this user and its profiles or a particular one. 753 * This is the same value as set by 754 * {#link {@link #setPasswordMinimumLowerCase(ComponentName, int)} 755 * and only applies when the password quality is 756 * {@link #PASSWORD_QUALITY_COMPLEX}. 757 * 758 * @param admin The name of the admin component to check, or null to 759 * aggregate all admins. 760 * @return The minimum number of lower case letters required in the 761 * password. 762 */ 763 public int getPasswordMinimumLowerCase(ComponentName admin) { 764 return getPasswordMinimumLowerCase(admin, UserHandle.myUserId()); 765 } 766 767 /** @hide per-user version */ 768 public int getPasswordMinimumLowerCase(ComponentName admin, int userHandle) { 769 if (mService != null) { 770 try { 771 return mService.getPasswordMinimumLowerCase(admin, userHandle); 772 } catch (RemoteException e) { 773 Log.w(TAG, "Failed talking with device policy service", e); 774 } 775 } 776 return 0; 777 } 778 779 /** 780 * Called by an application that is administering the device to set the 781 * minimum number of letters required in the password. After setting this, 782 * the user will not be able to enter a new password that is not at least as 783 * restrictive as what has been set. Note that the current password will 784 * remain until the user has set a new one, so the change does not take 785 * place immediately. To prompt the user for a new password, use 786 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 787 * constraint is only imposed if the administrator has also requested 788 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 789 * default value is 1. 790 * <p> 791 * The calling device admin must have requested 792 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 793 * this method; if it has not, a security exception will be thrown. 794 * 795 * @param admin Which {@link DeviceAdminReceiver} this request is associated 796 * with. 797 * @param length The new desired minimum number of letters required in the 798 * password. A value of 0 means there is no restriction. 799 */ 800 public void setPasswordMinimumLetters(ComponentName admin, int length) { 801 if (mService != null) { 802 try { 803 mService.setPasswordMinimumLetters(admin, length, UserHandle.myUserId()); 804 } catch (RemoteException e) { 805 Log.w(TAG, "Failed talking with device policy service", e); 806 } 807 } 808 } 809 810 /** 811 * Retrieve the current number of letters required in the password for all 812 * admins or a particular one. This is the same value as 813 * set by {#link {@link #setPasswordMinimumLetters(ComponentName, int)} 814 * and only applies when the password quality is 815 * {@link #PASSWORD_QUALITY_COMPLEX}. 816 * 817 * @param admin The name of the admin component to check, or null to 818 * aggregate all admins. 819 * @return The minimum number of letters required in the password. 820 */ 821 public int getPasswordMinimumLetters(ComponentName admin) { 822 return getPasswordMinimumLetters(admin, UserHandle.myUserId()); 823 } 824 825 /** @hide per-user version */ 826 public int getPasswordMinimumLetters(ComponentName admin, int userHandle) { 827 if (mService != null) { 828 try { 829 return mService.getPasswordMinimumLetters(admin, userHandle); 830 } catch (RemoteException e) { 831 Log.w(TAG, "Failed talking with device policy service", e); 832 } 833 } 834 return 0; 835 } 836 837 /** 838 * Called by an application that is administering the device to set the 839 * minimum number of numerical digits required in the password. After 840 * setting this, the user will not be able to enter a new password that is 841 * not at least as restrictive as what has been set. Note that the current 842 * password will remain until the user has set a new one, so the change does 843 * not take place immediately. To prompt the user for a new password, use 844 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 845 * constraint is only imposed if the administrator has also requested 846 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 847 * default value is 1. 848 * <p> 849 * The calling device admin must have requested 850 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 851 * this method; if it has not, a security exception will be thrown. 852 * 853 * @param admin Which {@link DeviceAdminReceiver} this request is associated 854 * with. 855 * @param length The new desired minimum number of numerical digits required 856 * in the password. A value of 0 means there is no restriction. 857 */ 858 public void setPasswordMinimumNumeric(ComponentName admin, int length) { 859 if (mService != null) { 860 try { 861 mService.setPasswordMinimumNumeric(admin, length, UserHandle.myUserId()); 862 } catch (RemoteException e) { 863 Log.w(TAG, "Failed talking with device policy service", e); 864 } 865 } 866 } 867 868 /** 869 * Retrieve the current number of numerical digits required in the password 870 * for all admins of this user and its profiles or a particular one. 871 * This is the same value as set by 872 * {#link {@link #setPasswordMinimumNumeric(ComponentName, int)} 873 * and only applies when the password quality is 874 * {@link #PASSWORD_QUALITY_COMPLEX}. 875 * 876 * @param admin The name of the admin component to check, or null to 877 * aggregate all admins. 878 * @return The minimum number of numerical digits required in the password. 879 */ 880 public int getPasswordMinimumNumeric(ComponentName admin) { 881 return getPasswordMinimumNumeric(admin, UserHandle.myUserId()); 882 } 883 884 /** @hide per-user version */ 885 public int getPasswordMinimumNumeric(ComponentName admin, int userHandle) { 886 if (mService != null) { 887 try { 888 return mService.getPasswordMinimumNumeric(admin, userHandle); 889 } catch (RemoteException e) { 890 Log.w(TAG, "Failed talking with device policy service", e); 891 } 892 } 893 return 0; 894 } 895 896 /** 897 * Called by an application that is administering the device to set the 898 * minimum number of symbols required in the password. After setting this, 899 * the user will not be able to enter a new password that is not at least as 900 * restrictive as what has been set. Note that the current password will 901 * remain until the user has set a new one, so the change does not take 902 * place immediately. To prompt the user for a new password, use 903 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 904 * constraint is only imposed if the administrator has also requested 905 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 906 * default value is 1. 907 * <p> 908 * The calling device admin must have requested 909 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 910 * this method; if it has not, a security exception will be thrown. 911 * 912 * @param admin Which {@link DeviceAdminReceiver} this request is associated 913 * with. 914 * @param length The new desired minimum number of symbols required in the 915 * password. A value of 0 means there is no restriction. 916 */ 917 public void setPasswordMinimumSymbols(ComponentName admin, int length) { 918 if (mService != null) { 919 try { 920 mService.setPasswordMinimumSymbols(admin, length, UserHandle.myUserId()); 921 } catch (RemoteException e) { 922 Log.w(TAG, "Failed talking with device policy service", e); 923 } 924 } 925 } 926 927 /** 928 * Retrieve the current number of symbols required in the password for all 929 * admins or a particular one. This is the same value as 930 * set by {#link {@link #setPasswordMinimumSymbols(ComponentName, int)} 931 * and only applies when the password quality is 932 * {@link #PASSWORD_QUALITY_COMPLEX}. 933 * 934 * @param admin The name of the admin component to check, or null to 935 * aggregate all admins. 936 * @return The minimum number of symbols required in the password. 937 */ 938 public int getPasswordMinimumSymbols(ComponentName admin) { 939 return getPasswordMinimumSymbols(admin, UserHandle.myUserId()); 940 } 941 942 /** @hide per-user version */ 943 public int getPasswordMinimumSymbols(ComponentName admin, int userHandle) { 944 if (mService != null) { 945 try { 946 return mService.getPasswordMinimumSymbols(admin, userHandle); 947 } catch (RemoteException e) { 948 Log.w(TAG, "Failed talking with device policy service", e); 949 } 950 } 951 return 0; 952 } 953 954 /** 955 * Called by an application that is administering the device to set the 956 * minimum number of non-letter characters (numerical digits or symbols) 957 * required in the password. After setting this, the user will not be able 958 * to enter a new password that is not at least as restrictive as what has 959 * been set. Note that the current password will remain until the user has 960 * set a new one, so the change does not take place immediately. To prompt 961 * the user for a new password, use {@link #ACTION_SET_NEW_PASSWORD} after 962 * setting this value. This constraint is only imposed if the administrator 963 * has also requested {@link #PASSWORD_QUALITY_COMPLEX} with 964 * {@link #setPasswordQuality}. The default value is 0. 965 * <p> 966 * The calling device admin must have requested 967 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 968 * this method; if it has not, a security exception will be thrown. 969 * 970 * @param admin Which {@link DeviceAdminReceiver} this request is associated 971 * with. 972 * @param length The new desired minimum number of letters required in the 973 * password. A value of 0 means there is no restriction. 974 */ 975 public void setPasswordMinimumNonLetter(ComponentName admin, int length) { 976 if (mService != null) { 977 try { 978 mService.setPasswordMinimumNonLetter(admin, length, UserHandle.myUserId()); 979 } catch (RemoteException e) { 980 Log.w(TAG, "Failed talking with device policy service", e); 981 } 982 } 983 } 984 985 /** 986 * Retrieve the current number of non-letter characters required in the 987 * password for all admins of this user and its profiles or a particular one. 988 * This is the same value as set by 989 * {#link {@link #setPasswordMinimumNonLetter(ComponentName, int)} 990 * and only applies when the password quality is 991 * {@link #PASSWORD_QUALITY_COMPLEX}. 992 * 993 * @param admin The name of the admin component to check, or null to 994 * aggregate all admins. 995 * @return The minimum number of letters required in the password. 996 */ 997 public int getPasswordMinimumNonLetter(ComponentName admin) { 998 return getPasswordMinimumNonLetter(admin, UserHandle.myUserId()); 999 } 1000 1001 /** @hide per-user version */ 1002 public int getPasswordMinimumNonLetter(ComponentName admin, int userHandle) { 1003 if (mService != null) { 1004 try { 1005 return mService.getPasswordMinimumNonLetter(admin, userHandle); 1006 } catch (RemoteException e) { 1007 Log.w(TAG, "Failed talking with device policy service", e); 1008 } 1009 } 1010 return 0; 1011 } 1012 1013 /** 1014 * Called by an application that is administering the device to set the length 1015 * of the password history. After setting this, the user will not be able to 1016 * enter a new password that is the same as any password in the history. Note 1017 * that the current password will remain until the user has set a new one, so 1018 * the change does not take place immediately. To prompt the user for a new 1019 * password, use {@link #ACTION_SET_NEW_PASSWORD} after setting this value. 1020 * This constraint is only imposed if the administrator has also requested 1021 * either {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_NUMERIC_COMPLEX} 1022 * {@link #PASSWORD_QUALITY_ALPHABETIC}, or {@link #PASSWORD_QUALITY_ALPHANUMERIC} 1023 * with {@link #setPasswordQuality}. 1024 * 1025 * <p> 1026 * The calling device admin must have requested 1027 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call this 1028 * method; if it has not, a security exception will be thrown. 1029 * 1030 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1031 * with. 1032 * @param length The new desired length of password history. A value of 0 1033 * means there is no restriction. 1034 */ 1035 public void setPasswordHistoryLength(ComponentName admin, int length) { 1036 if (mService != null) { 1037 try { 1038 mService.setPasswordHistoryLength(admin, length, UserHandle.myUserId()); 1039 } catch (RemoteException e) { 1040 Log.w(TAG, "Failed talking with device policy service", e); 1041 } 1042 } 1043 } 1044 1045 /** 1046 * Called by a device admin to set the password expiration timeout. Calling this method 1047 * will restart the countdown for password expiration for the given admin, as will changing 1048 * the device password (for all admins). 1049 * 1050 * <p>The provided timeout is the time delta in ms and will be added to the current time. 1051 * For example, to have the password expire 5 days from now, timeout would be 1052 * 5 * 86400 * 1000 = 432000000 ms for timeout. 1053 * 1054 * <p>To disable password expiration, a value of 0 may be used for timeout. 1055 * 1056 * <p>The calling device admin must have requested 1057 * {@link DeviceAdminInfo#USES_POLICY_EXPIRE_PASSWORD} to be able to call this 1058 * method; if it has not, a security exception will be thrown. 1059 * 1060 * <p> Note that setting the password will automatically reset the expiration time for all 1061 * active admins. Active admins do not need to explicitly call this method in that case. 1062 * 1063 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1064 * @param timeout The limit (in ms) that a password can remain in effect. A value of 0 1065 * means there is no restriction (unlimited). 1066 */ 1067 public void setPasswordExpirationTimeout(ComponentName admin, long timeout) { 1068 if (mService != null) { 1069 try { 1070 mService.setPasswordExpirationTimeout(admin, timeout, UserHandle.myUserId()); 1071 } catch (RemoteException e) { 1072 Log.w(TAG, "Failed talking with device policy service", e); 1073 } 1074 } 1075 } 1076 1077 /** 1078 * Get the password expiration timeout for the given admin. The expiration timeout is the 1079 * recurring expiration timeout provided in the call to 1080 * {@link #setPasswordExpirationTimeout(ComponentName, long)} for the given admin or the 1081 * aggregate of all policy administrators if admin is null. 1082 * 1083 * @param admin The name of the admin component to check, or null to aggregate all admins. 1084 * @return The timeout for the given admin or the minimum of all timeouts 1085 */ 1086 public long getPasswordExpirationTimeout(ComponentName admin) { 1087 if (mService != null) { 1088 try { 1089 return mService.getPasswordExpirationTimeout(admin, UserHandle.myUserId()); 1090 } catch (RemoteException e) { 1091 Log.w(TAG, "Failed talking with device policy service", e); 1092 } 1093 } 1094 return 0; 1095 } 1096 1097 /** 1098 * Get the current password expiration time for the given admin or an aggregate of 1099 * all admins of this user and its profiles if admin is null. If the password is 1100 * expired, this will return the time since the password expired as a negative number. 1101 * If admin is null, then a composite of all expiration timeouts is returned 1102 * - which will be the minimum of all timeouts. 1103 * 1104 * @param admin The name of the admin component to check, or null to aggregate all admins. 1105 * @return The password expiration time, in ms. 1106 */ 1107 public long getPasswordExpiration(ComponentName admin) { 1108 if (mService != null) { 1109 try { 1110 return mService.getPasswordExpiration(admin, UserHandle.myUserId()); 1111 } catch (RemoteException e) { 1112 Log.w(TAG, "Failed talking with device policy service", e); 1113 } 1114 } 1115 return 0; 1116 } 1117 1118 /** 1119 * Retrieve the current password history length for all admins of this 1120 * user and its profiles or a particular one. 1121 * @param admin The name of the admin component to check, or null to aggregate 1122 * all admins. 1123 * @return The length of the password history 1124 */ 1125 public int getPasswordHistoryLength(ComponentName admin) { 1126 return getPasswordHistoryLength(admin, UserHandle.myUserId()); 1127 } 1128 1129 /** @hide per-user version */ 1130 public int getPasswordHistoryLength(ComponentName admin, int userHandle) { 1131 if (mService != null) { 1132 try { 1133 return mService.getPasswordHistoryLength(admin, userHandle); 1134 } catch (RemoteException e) { 1135 Log.w(TAG, "Failed talking with device policy service", e); 1136 } 1137 } 1138 return 0; 1139 } 1140 1141 /** 1142 * Return the maximum password length that the device supports for a 1143 * particular password quality. 1144 * @param quality The quality being interrogated. 1145 * @return Returns the maximum length that the user can enter. 1146 */ 1147 public int getPasswordMaximumLength(int quality) { 1148 // Kind-of arbitrary. 1149 return 16; 1150 } 1151 1152 /** 1153 * Determine whether the current password the user has set is sufficient 1154 * to meet the policy requirements (quality, minimum length) that have been 1155 * requested by the admins of this user and its profiles. 1156 * 1157 * <p>The calling device admin must have requested 1158 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 1159 * this method; if it has not, a security exception will be thrown. 1160 * 1161 * @return Returns true if the password meets the current requirements, else false. 1162 */ 1163 public boolean isActivePasswordSufficient() { 1164 if (mService != null) { 1165 try { 1166 return mService.isActivePasswordSufficient(UserHandle.myUserId()); 1167 } catch (RemoteException e) { 1168 Log.w(TAG, "Failed talking with device policy service", e); 1169 } 1170 } 1171 return false; 1172 } 1173 1174 /** 1175 * Retrieve the number of times the user has failed at entering a 1176 * password since that last successful password entry. 1177 * 1178 * <p>The calling device admin must have requested 1179 * {@link DeviceAdminInfo#USES_POLICY_WATCH_LOGIN} to be able to call 1180 * this method; if it has not, a security exception will be thrown. 1181 */ 1182 public int getCurrentFailedPasswordAttempts() { 1183 if (mService != null) { 1184 try { 1185 return mService.getCurrentFailedPasswordAttempts(UserHandle.myUserId()); 1186 } catch (RemoteException e) { 1187 Log.w(TAG, "Failed talking with device policy service", e); 1188 } 1189 } 1190 return -1; 1191 } 1192 1193 /** 1194 * Setting this to a value greater than zero enables a built-in policy 1195 * that will perform a device wipe after too many incorrect 1196 * device-unlock passwords have been entered. This built-in policy combines 1197 * watching for failed passwords and wiping the device, and requires 1198 * that you request both {@link DeviceAdminInfo#USES_POLICY_WATCH_LOGIN} and 1199 * {@link DeviceAdminInfo#USES_POLICY_WIPE_DATA}}. 1200 * 1201 * <p>To implement any other policy (e.g. wiping data for a particular 1202 * application only, erasing or revoking credentials, or reporting the 1203 * failure to a server), you should implement 1204 * {@link DeviceAdminReceiver#onPasswordFailed(Context, android.content.Intent)} 1205 * instead. Do not use this API, because if the maximum count is reached, 1206 * the device will be wiped immediately, and your callback will not be invoked. 1207 * 1208 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1209 * @param num The number of failed password attempts at which point the 1210 * device will wipe its data. 1211 */ 1212 public void setMaximumFailedPasswordsForWipe(ComponentName admin, int num) { 1213 if (mService != null) { 1214 try { 1215 mService.setMaximumFailedPasswordsForWipe(admin, num, UserHandle.myUserId()); 1216 } catch (RemoteException e) { 1217 Log.w(TAG, "Failed talking with device policy service", e); 1218 } 1219 } 1220 } 1221 1222 /** 1223 * Retrieve the current maximum number of login attempts that are allowed 1224 * before the device wipes itself, for all admins of this user and its profiles 1225 * or a particular one. 1226 * @param admin The name of the admin component to check, or null to aggregate 1227 * all admins. 1228 */ 1229 public int getMaximumFailedPasswordsForWipe(ComponentName admin) { 1230 return getMaximumFailedPasswordsForWipe(admin, UserHandle.myUserId()); 1231 } 1232 1233 /** @hide per-user version */ 1234 public int getMaximumFailedPasswordsForWipe(ComponentName admin, int userHandle) { 1235 if (mService != null) { 1236 try { 1237 return mService.getMaximumFailedPasswordsForWipe(admin, userHandle); 1238 } catch (RemoteException e) { 1239 Log.w(TAG, "Failed talking with device policy service", e); 1240 } 1241 } 1242 return 0; 1243 } 1244 1245 /** 1246 * Flag for {@link #resetPassword}: don't allow other admins to change 1247 * the password again until the user has entered it. 1248 */ 1249 public static final int RESET_PASSWORD_REQUIRE_ENTRY = 0x0001; 1250 1251 /** 1252 * Force a new device unlock password (the password needed to access the 1253 * entire device, not for individual accounts) on the user. This takes 1254 * effect immediately. 1255 * The given password must be sufficient for the 1256 * current password quality and length constraints as returned by 1257 * {@link #getPasswordQuality(ComponentName)} and 1258 * {@link #getPasswordMinimumLength(ComponentName)}; if it does not meet 1259 * these constraints, then it will be rejected and false returned. Note 1260 * that the password may be a stronger quality (containing alphanumeric 1261 * characters when the requested quality is only numeric), in which case 1262 * the currently active quality will be increased to match. 1263 * 1264 * <p>The calling device admin must have requested 1265 * {@link DeviceAdminInfo#USES_POLICY_RESET_PASSWORD} to be able to call 1266 * this method; if it has not, a security exception will be thrown. 1267 * 1268 * Can not be called from a managed profile. 1269 * 1270 * @param password The new password for the user. 1271 * @param flags May be 0 or {@link #RESET_PASSWORD_REQUIRE_ENTRY}. 1272 * @return Returns true if the password was applied, or false if it is 1273 * not acceptable for the current constraints. 1274 */ 1275 public boolean resetPassword(String password, int flags) { 1276 if (mService != null) { 1277 try { 1278 return mService.resetPassword(password, flags, UserHandle.myUserId()); 1279 } catch (RemoteException e) { 1280 Log.w(TAG, "Failed talking with device policy service", e); 1281 } 1282 } 1283 return false; 1284 } 1285 1286 /** 1287 * Called by an application that is administering the device to set the 1288 * maximum time for user activity until the device will lock. This limits 1289 * the length that the user can set. It takes effect immediately. 1290 * 1291 * <p>The calling device admin must have requested 1292 * {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK} to be able to call 1293 * this method; if it has not, a security exception will be thrown. 1294 * 1295 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1296 * @param timeMs The new desired maximum time to lock in milliseconds. 1297 * A value of 0 means there is no restriction. 1298 */ 1299 public void setMaximumTimeToLock(ComponentName admin, long timeMs) { 1300 if (mService != null) { 1301 try { 1302 mService.setMaximumTimeToLock(admin, timeMs, UserHandle.myUserId()); 1303 } catch (RemoteException e) { 1304 Log.w(TAG, "Failed talking with device policy service", e); 1305 } 1306 } 1307 } 1308 1309 /** 1310 * Retrieve the current maximum time to unlock for all admins of this user 1311 * and its profiles or a particular one. 1312 * @param admin The name of the admin component to check, or null to aggregate 1313 * all admins. 1314 */ 1315 public long getMaximumTimeToLock(ComponentName admin) { 1316 return getMaximumTimeToLock(admin, UserHandle.myUserId()); 1317 } 1318 1319 /** @hide per-user version */ 1320 public long getMaximumTimeToLock(ComponentName admin, int userHandle) { 1321 if (mService != null) { 1322 try { 1323 return mService.getMaximumTimeToLock(admin, userHandle); 1324 } catch (RemoteException e) { 1325 Log.w(TAG, "Failed talking with device policy service", e); 1326 } 1327 } 1328 return 0; 1329 } 1330 1331 /** 1332 * Make the device lock immediately, as if the lock screen timeout has 1333 * expired at the point of this call. 1334 * 1335 * <p>The calling device admin must have requested 1336 * {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK} to be able to call 1337 * this method; if it has not, a security exception will be thrown. 1338 */ 1339 public void lockNow() { 1340 if (mService != null) { 1341 try { 1342 mService.lockNow(); 1343 } catch (RemoteException e) { 1344 Log.w(TAG, "Failed talking with device policy service", e); 1345 } 1346 } 1347 } 1348 1349 /** 1350 * Flag for {@link #wipeData(int)}: also erase the device's external 1351 * storage. 1352 */ 1353 public static final int WIPE_EXTERNAL_STORAGE = 0x0001; 1354 1355 /** 1356 * Ask the user data be wiped. This will cause the device to reboot, 1357 * erasing all user data while next booting up. External storage such 1358 * as SD cards will be also erased if the flag {@link #WIPE_EXTERNAL_STORAGE} 1359 * is set. 1360 * 1361 * <p>The calling device admin must have requested 1362 * {@link DeviceAdminInfo#USES_POLICY_WIPE_DATA} to be able to call 1363 * this method; if it has not, a security exception will be thrown. 1364 * 1365 * @param flags Bit mask of additional options: currently 0 and 1366 * {@link #WIPE_EXTERNAL_STORAGE} are supported. 1367 */ 1368 public void wipeData(int flags) { 1369 if (mService != null) { 1370 try { 1371 mService.wipeData(flags, UserHandle.myUserId()); 1372 } catch (RemoteException e) { 1373 Log.w(TAG, "Failed talking with device policy service", e); 1374 } 1375 } 1376 } 1377 1378 /** 1379 * Called by an application that is administering the device to set the 1380 * global proxy and exclusion list. 1381 * <p> 1382 * The calling device admin must have requested 1383 * {@link DeviceAdminInfo#USES_POLICY_SETS_GLOBAL_PROXY} to be able to call 1384 * this method; if it has not, a security exception will be thrown. 1385 * Only the first device admin can set the proxy. If a second admin attempts 1386 * to set the proxy, the {@link ComponentName} of the admin originally setting the 1387 * proxy will be returned. If successful in setting the proxy, null will 1388 * be returned. 1389 * The method can be called repeatedly by the device admin alrady setting the 1390 * proxy to update the proxy and exclusion list. 1391 * 1392 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1393 * with. 1394 * @param proxySpec the global proxy desired. Must be an HTTP Proxy. 1395 * Pass Proxy.NO_PROXY to reset the proxy. 1396 * @param exclusionList a list of domains to be excluded from the global proxy. 1397 * @return returns null if the proxy was successfully set, or a {@link ComponentName} 1398 * of the device admin that sets thew proxy otherwise. 1399 * @hide 1400 */ 1401 public ComponentName setGlobalProxy(ComponentName admin, Proxy proxySpec, 1402 List<String> exclusionList ) { 1403 if (proxySpec == null) { 1404 throw new NullPointerException(); 1405 } 1406 if (mService != null) { 1407 try { 1408 String hostSpec; 1409 String exclSpec; 1410 if (proxySpec.equals(Proxy.NO_PROXY)) { 1411 hostSpec = null; 1412 exclSpec = null; 1413 } else { 1414 if (!proxySpec.type().equals(Proxy.Type.HTTP)) { 1415 throw new IllegalArgumentException(); 1416 } 1417 InetSocketAddress sa = (InetSocketAddress)proxySpec.address(); 1418 String hostName = sa.getHostName(); 1419 int port = sa.getPort(); 1420 StringBuilder hostBuilder = new StringBuilder(); 1421 hostSpec = hostBuilder.append(hostName) 1422 .append(":").append(Integer.toString(port)).toString(); 1423 if (exclusionList == null) { 1424 exclSpec = ""; 1425 } else { 1426 StringBuilder listBuilder = new StringBuilder(); 1427 boolean firstDomain = true; 1428 for (String exclDomain : exclusionList) { 1429 if (!firstDomain) { 1430 listBuilder = listBuilder.append(","); 1431 } else { 1432 firstDomain = false; 1433 } 1434 listBuilder = listBuilder.append(exclDomain.trim()); 1435 } 1436 exclSpec = listBuilder.toString(); 1437 } 1438 if (android.net.Proxy.validate(hostName, Integer.toString(port), exclSpec) 1439 != android.net.Proxy.PROXY_VALID) 1440 throw new IllegalArgumentException(); 1441 } 1442 return mService.setGlobalProxy(admin, hostSpec, exclSpec, UserHandle.myUserId()); 1443 } catch (RemoteException e) { 1444 Log.w(TAG, "Failed talking with device policy service", e); 1445 } 1446 } 1447 return null; 1448 } 1449 1450 /** 1451 * Set a network-independent global HTTP proxy. This is not normally what you want 1452 * for typical HTTP proxies - they are generally network dependent. However if you're 1453 * doing something unusual like general internal filtering this may be useful. On 1454 * a private network where the proxy is not accessible, you may break HTTP using this. 1455 * 1456 * <p>This method requires the caller to be the device owner. 1457 * 1458 * <p>This proxy is only a recommendation and it is possible that some apps will ignore it. 1459 * @see ProxyInfo 1460 * 1461 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1462 * with. 1463 * @param proxyInfo The a {@link ProxyInfo} object defining the new global 1464 * HTTP proxy. A {@code null} value will clear the global HTTP proxy. 1465 */ 1466 public void setRecommendedGlobalProxy(ComponentName admin, ProxyInfo proxyInfo) { 1467 if (mService != null) { 1468 try { 1469 mService.setRecommendedGlobalProxy(admin, proxyInfo); 1470 } catch (RemoteException e) { 1471 Log.w(TAG, "Failed talking with device policy service", e); 1472 } 1473 } 1474 } 1475 1476 /** 1477 * Returns the component name setting the global proxy. 1478 * @return ComponentName object of the device admin that set the global proxy, or 1479 * null if no admin has set the proxy. 1480 * @hide 1481 */ 1482 public ComponentName getGlobalProxyAdmin() { 1483 if (mService != null) { 1484 try { 1485 return mService.getGlobalProxyAdmin(UserHandle.myUserId()); 1486 } catch (RemoteException e) { 1487 Log.w(TAG, "Failed talking with device policy service", e); 1488 } 1489 } 1490 return null; 1491 } 1492 1493 /** 1494 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1495 * indicating that encryption is not supported. 1496 */ 1497 public static final int ENCRYPTION_STATUS_UNSUPPORTED = 0; 1498 1499 /** 1500 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1501 * indicating that encryption is supported, but is not currently active. 1502 */ 1503 public static final int ENCRYPTION_STATUS_INACTIVE = 1; 1504 1505 /** 1506 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1507 * indicating that encryption is not currently active, but is currently 1508 * being activated. This is only reported by devices that support 1509 * encryption of data and only when the storage is currently 1510 * undergoing a process of becoming encrypted. A device that must reboot and/or wipe data 1511 * to become encrypted will never return this value. 1512 */ 1513 public static final int ENCRYPTION_STATUS_ACTIVATING = 2; 1514 1515 /** 1516 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1517 * indicating that encryption is active. 1518 */ 1519 public static final int ENCRYPTION_STATUS_ACTIVE = 3; 1520 1521 /** 1522 * Activity action: begin the process of encrypting data on the device. This activity should 1523 * be launched after using {@link #setStorageEncryption} to request encryption be activated. 1524 * After resuming from this activity, use {@link #getStorageEncryption} 1525 * to check encryption status. However, on some devices this activity may never return, as 1526 * it may trigger a reboot and in some cases a complete data wipe of the device. 1527 */ 1528 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 1529 public static final String ACTION_START_ENCRYPTION 1530 = "android.app.action.START_ENCRYPTION"; 1531 1532 /** 1533 * Widgets are enabled in keyguard 1534 */ 1535 public static final int KEYGUARD_DISABLE_FEATURES_NONE = 0; 1536 1537 /** 1538 * Disable all keyguard widgets. Has no effect. 1539 */ 1540 public static final int KEYGUARD_DISABLE_WIDGETS_ALL = 1 << 0; 1541 1542 /** 1543 * Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password) 1544 */ 1545 public static final int KEYGUARD_DISABLE_SECURE_CAMERA = 1 << 1; 1546 1547 /** 1548 * Disable showing all notifications on secure keyguard screens (e.g. PIN/Pattern/Password) 1549 */ 1550 public static final int KEYGUARD_DISABLE_SECURE_NOTIFICATIONS = 1 << 2; 1551 1552 /** 1553 * Only allow redacted notifications on secure keyguard screens (e.g. PIN/Pattern/Password) 1554 */ 1555 public static final int KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS = 1 << 3; 1556 1557 /** 1558 * Ignore {@link TrustAgentService} state on secure keyguard screens 1559 * (e.g. PIN/Pattern/Password). 1560 */ 1561 public static final int KEYGUARD_DISABLE_TRUST_AGENTS = 1 << 4; 1562 1563 /** 1564 * Disable all current and future keyguard customizations. 1565 */ 1566 public static final int KEYGUARD_DISABLE_FEATURES_ALL = 0x7fffffff; 1567 1568 /** 1569 * Called by an application that is administering the device to 1570 * request that the storage system be encrypted. 1571 * 1572 * <p>When multiple device administrators attempt to control device 1573 * encryption, the most secure, supported setting will always be 1574 * used. If any device administrator requests device encryption, 1575 * it will be enabled; Conversely, if a device administrator 1576 * attempts to disable device encryption while another 1577 * device administrator has enabled it, the call to disable will 1578 * fail (most commonly returning {@link #ENCRYPTION_STATUS_ACTIVE}). 1579 * 1580 * <p>This policy controls encryption of the secure (application data) storage area. Data 1581 * written to other storage areas may or may not be encrypted, and this policy does not require 1582 * or control the encryption of any other storage areas. 1583 * There is one exception: If {@link android.os.Environment#isExternalStorageEmulated()} is 1584 * {@code true}, then the directory returned by 1585 * {@link android.os.Environment#getExternalStorageDirectory()} must be written to disk 1586 * within the encrypted storage area. 1587 * 1588 * <p>Important Note: On some devices, it is possible to encrypt storage without requiring 1589 * the user to create a device PIN or Password. In this case, the storage is encrypted, but 1590 * the encryption key may not be fully secured. For maximum security, the administrator should 1591 * also require (and check for) a pattern, PIN, or password. 1592 * 1593 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1594 * @param encrypt true to request encryption, false to release any previous request 1595 * @return the new request status (for all active admins) - will be one of 1596 * {@link #ENCRYPTION_STATUS_UNSUPPORTED}, {@link #ENCRYPTION_STATUS_INACTIVE}, or 1597 * {@link #ENCRYPTION_STATUS_ACTIVE}. This is the value of the requests; Use 1598 * {@link #getStorageEncryptionStatus()} to query the actual device state. 1599 */ 1600 public int setStorageEncryption(ComponentName admin, boolean encrypt) { 1601 if (mService != null) { 1602 try { 1603 return mService.setStorageEncryption(admin, encrypt, UserHandle.myUserId()); 1604 } catch (RemoteException e) { 1605 Log.w(TAG, "Failed talking with device policy service", e); 1606 } 1607 } 1608 return ENCRYPTION_STATUS_UNSUPPORTED; 1609 } 1610 1611 /** 1612 * Called by an application that is administering the device to 1613 * determine the requested setting for secure storage. 1614 * 1615 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. If null, 1616 * this will return the requested encryption setting as an aggregate of all active 1617 * administrators. 1618 * @return true if the admin(s) are requesting encryption, false if not. 1619 */ 1620 public boolean getStorageEncryption(ComponentName admin) { 1621 if (mService != null) { 1622 try { 1623 return mService.getStorageEncryption(admin, UserHandle.myUserId()); 1624 } catch (RemoteException e) { 1625 Log.w(TAG, "Failed talking with device policy service", e); 1626 } 1627 } 1628 return false; 1629 } 1630 1631 /** 1632 * Called by an application that is administering the device to 1633 * determine the current encryption status of the device. 1634 * 1635 * Depending on the returned status code, the caller may proceed in different 1636 * ways. If the result is {@link #ENCRYPTION_STATUS_UNSUPPORTED}, the 1637 * storage system does not support encryption. If the 1638 * result is {@link #ENCRYPTION_STATUS_INACTIVE}, use {@link 1639 * #ACTION_START_ENCRYPTION} to begin the process of encrypting or decrypting the 1640 * storage. If the result is {@link #ENCRYPTION_STATUS_ACTIVATING} or 1641 * {@link #ENCRYPTION_STATUS_ACTIVE}, no further action is required. 1642 * 1643 * @return current status of encryption. The value will be one of 1644 * {@link #ENCRYPTION_STATUS_UNSUPPORTED}, {@link #ENCRYPTION_STATUS_INACTIVE}, 1645 * {@link #ENCRYPTION_STATUS_ACTIVATING}, or{@link #ENCRYPTION_STATUS_ACTIVE}. 1646 */ 1647 public int getStorageEncryptionStatus() { 1648 return getStorageEncryptionStatus(UserHandle.myUserId()); 1649 } 1650 1651 /** @hide per-user version */ 1652 public int getStorageEncryptionStatus(int userHandle) { 1653 if (mService != null) { 1654 try { 1655 return mService.getStorageEncryptionStatus(userHandle); 1656 } catch (RemoteException e) { 1657 Log.w(TAG, "Failed talking with device policy service", e); 1658 } 1659 } 1660 return ENCRYPTION_STATUS_UNSUPPORTED; 1661 } 1662 1663 /** 1664 * Installs the given certificate as a User CA. 1665 * 1666 * @return false if the certBuffer cannot be parsed or installation is 1667 * interrupted, otherwise true 1668 */ 1669 public boolean installCaCert(ComponentName who, byte[] certBuffer) { 1670 if (mService != null) { 1671 try { 1672 return mService.installCaCert(who, certBuffer); 1673 } catch (RemoteException e) { 1674 Log.w(TAG, "Failed talking with device policy service", e); 1675 } 1676 } 1677 return false; 1678 } 1679 1680 /** 1681 * Uninstalls the given certificate from the list of User CAs, if present. 1682 */ 1683 public void uninstallCaCert(ComponentName who, byte[] certBuffer) { 1684 if (mService != null) { 1685 try { 1686 final String alias = getCaCertAlias(certBuffer); 1687 mService.uninstallCaCert(who, alias); 1688 } catch (CertificateException e) { 1689 Log.w(TAG, "Unable to parse certificate", e); 1690 } catch (RemoteException e) { 1691 Log.w(TAG, "Failed talking with device policy service", e); 1692 } 1693 } 1694 } 1695 1696 /** 1697 * Returns whether there are any user-installed CA certificates. 1698 */ 1699 public boolean hasAnyCaCertsInstalled() { 1700 TrustedCertificateStore certStore = new TrustedCertificateStore(); 1701 Set<String> aliases = certStore.userAliases(); 1702 return aliases != null && !aliases.isEmpty(); 1703 } 1704 1705 /** 1706 * Returns whether this certificate has been installed as a User CA. 1707 */ 1708 public boolean hasCaCertInstalled(byte[] certBuffer) { 1709 try { 1710 return getCaCertAlias(certBuffer) != null; 1711 } catch (CertificateException ce) { 1712 Log.w(TAG, "Could not parse certificate", ce); 1713 } 1714 return false; 1715 } 1716 1717 /** 1718 * Returns the alias of a given CA certificate in the certificate store, or null if it 1719 * doesn't exist. 1720 */ 1721 private static String getCaCertAlias(byte[] certBuffer) throws CertificateException { 1722 final CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); 1723 final X509Certificate cert = (X509Certificate) certFactory.generateCertificate( 1724 new ByteArrayInputStream(certBuffer)); 1725 return new TrustedCertificateStore().getCertificateAlias(cert); 1726 } 1727 1728 /** 1729 * Called by an application that is administering the device to disable all cameras 1730 * on the device. After setting this, no applications will be able to access any cameras 1731 * on the device. 1732 * 1733 * <p>The calling device admin must have requested 1734 * {@link DeviceAdminInfo#USES_POLICY_DISABLE_CAMERA} to be able to call 1735 * this method; if it has not, a security exception will be thrown. 1736 * 1737 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1738 * @param disabled Whether or not the camera should be disabled. 1739 */ 1740 public void setCameraDisabled(ComponentName admin, boolean disabled) { 1741 if (mService != null) { 1742 try { 1743 mService.setCameraDisabled(admin, disabled, UserHandle.myUserId()); 1744 } catch (RemoteException e) { 1745 Log.w(TAG, "Failed talking with device policy service", e); 1746 } 1747 } 1748 } 1749 1750 /** 1751 * Determine whether or not the device's cameras have been disabled either by the current 1752 * admin, if specified, or all admins. 1753 * @param admin The name of the admin component to check, or null to check if any admins 1754 * have disabled the camera 1755 */ 1756 public boolean getCameraDisabled(ComponentName admin) { 1757 return getCameraDisabled(admin, UserHandle.myUserId()); 1758 } 1759 1760 /** @hide per-user version */ 1761 public boolean getCameraDisabled(ComponentName admin, int userHandle) { 1762 if (mService != null) { 1763 try { 1764 return mService.getCameraDisabled(admin, userHandle); 1765 } catch (RemoteException e) { 1766 Log.w(TAG, "Failed talking with device policy service", e); 1767 } 1768 } 1769 return false; 1770 } 1771 1772 /** 1773 * Called by an application that is administering the device to disable keyguard customizations, 1774 * such as widgets. After setting this, keyguard features will be disabled according to the 1775 * provided feature list. 1776 * 1777 * <p>The calling device admin must have requested 1778 * {@link DeviceAdminInfo#USES_POLICY_DISABLE_KEYGUARD_FEATURES} to be able to call 1779 * this method; if it has not, a security exception will be thrown. 1780 * 1781 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1782 * @param which {@link #KEYGUARD_DISABLE_FEATURES_NONE} (default), 1783 * {@link #KEYGUARD_DISABLE_WIDGETS_ALL}, {@link #KEYGUARD_DISABLE_SECURE_CAMERA}, 1784 * {@link #KEYGUARD_DISABLE_SECURE_NOTIFICATIONS}, {@link #KEYGUARD_DISABLE_TRUST_AGENTS}, 1785 * {@link #KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS}, {@link #KEYGUARD_DISABLE_FEATURES_ALL} 1786 */ 1787 public void setKeyguardDisabledFeatures(ComponentName admin, int which) { 1788 if (mService != null) { 1789 try { 1790 mService.setKeyguardDisabledFeatures(admin, which, UserHandle.myUserId()); 1791 } catch (RemoteException e) { 1792 Log.w(TAG, "Failed talking with device policy service", e); 1793 } 1794 } 1795 } 1796 1797 /** 1798 * Determine whether or not features have been disabled in keyguard either by the current 1799 * admin, if specified, or all admins. 1800 * @param admin The name of the admin component to check, or null to check if any admins 1801 * have disabled features in keyguard. 1802 * @return bitfield of flags. See {@link #setKeyguardDisabledFeatures(ComponentName, int)} 1803 * for a list. 1804 */ 1805 public int getKeyguardDisabledFeatures(ComponentName admin) { 1806 return getKeyguardDisabledFeatures(admin, UserHandle.myUserId()); 1807 } 1808 1809 /** @hide per-user version */ 1810 public int getKeyguardDisabledFeatures(ComponentName admin, int userHandle) { 1811 if (mService != null) { 1812 try { 1813 return mService.getKeyguardDisabledFeatures(admin, userHandle); 1814 } catch (RemoteException e) { 1815 Log.w(TAG, "Failed talking with device policy service", e); 1816 } 1817 } 1818 return KEYGUARD_DISABLE_FEATURES_NONE; 1819 } 1820 1821 /** 1822 * @hide 1823 */ 1824 public void setActiveAdmin(ComponentName policyReceiver, boolean refreshing, int userHandle) { 1825 if (mService != null) { 1826 try { 1827 mService.setActiveAdmin(policyReceiver, refreshing, userHandle); 1828 } catch (RemoteException e) { 1829 Log.w(TAG, "Failed talking with device policy service", e); 1830 } 1831 } 1832 } 1833 1834 /** 1835 * @hide 1836 */ 1837 public void setActiveAdmin(ComponentName policyReceiver, boolean refreshing) { 1838 setActiveAdmin(policyReceiver, refreshing, UserHandle.myUserId()); 1839 } 1840 1841 /** 1842 * Returns the DeviceAdminInfo as defined by the administrator's package info & meta-data 1843 * @hide 1844 */ 1845 public DeviceAdminInfo getAdminInfo(ComponentName cn) { 1846 ActivityInfo ai; 1847 try { 1848 ai = mContext.getPackageManager().getReceiverInfo(cn, 1849 PackageManager.GET_META_DATA); 1850 } catch (PackageManager.NameNotFoundException e) { 1851 Log.w(TAG, "Unable to retrieve device policy " + cn, e); 1852 return null; 1853 } 1854 1855 ResolveInfo ri = new ResolveInfo(); 1856 ri.activityInfo = ai; 1857 1858 try { 1859 return new DeviceAdminInfo(mContext, ri); 1860 } catch (XmlPullParserException e) { 1861 Log.w(TAG, "Unable to parse device policy " + cn, e); 1862 return null; 1863 } catch (IOException e) { 1864 Log.w(TAG, "Unable to parse device policy " + cn, e); 1865 return null; 1866 } 1867 } 1868 1869 /** 1870 * @hide 1871 */ 1872 public void getRemoveWarning(ComponentName admin, RemoteCallback result) { 1873 if (mService != null) { 1874 try { 1875 mService.getRemoveWarning(admin, result, UserHandle.myUserId()); 1876 } catch (RemoteException e) { 1877 Log.w(TAG, "Failed talking with device policy service", e); 1878 } 1879 } 1880 } 1881 1882 /** 1883 * @hide 1884 */ 1885 public void setActivePasswordState(int quality, int length, int letters, int uppercase, 1886 int lowercase, int numbers, int symbols, int nonletter, int userHandle) { 1887 if (mService != null) { 1888 try { 1889 mService.setActivePasswordState(quality, length, letters, uppercase, lowercase, 1890 numbers, symbols, nonletter, userHandle); 1891 } catch (RemoteException e) { 1892 Log.w(TAG, "Failed talking with device policy service", e); 1893 } 1894 } 1895 } 1896 1897 /** 1898 * @hide 1899 */ 1900 public void reportFailedPasswordAttempt(int userHandle) { 1901 if (mService != null) { 1902 try { 1903 mService.reportFailedPasswordAttempt(userHandle); 1904 } catch (RemoteException e) { 1905 Log.w(TAG, "Failed talking with device policy service", e); 1906 } 1907 } 1908 } 1909 1910 /** 1911 * @hide 1912 */ 1913 public void reportSuccessfulPasswordAttempt(int userHandle) { 1914 if (mService != null) { 1915 try { 1916 mService.reportSuccessfulPasswordAttempt(userHandle); 1917 } catch (RemoteException e) { 1918 Log.w(TAG, "Failed talking with device policy service", e); 1919 } 1920 } 1921 } 1922 1923 /** 1924 * @hide 1925 * Sets the given package as the device owner. The package must already be installed and there 1926 * shouldn't be an existing device owner registered, for this call to succeed. Also, this 1927 * method must be called before the device is provisioned. 1928 * @param packageName the package name of the application to be registered as the device owner. 1929 * @return whether the package was successfully registered as the device owner. 1930 * @throws IllegalArgumentException if the package name is null or invalid 1931 * @throws IllegalStateException if a device owner is already registered or the device has 1932 * already been provisioned. 1933 */ 1934 public boolean setDeviceOwner(String packageName) throws IllegalArgumentException, 1935 IllegalStateException { 1936 return setDeviceOwner(packageName, null); 1937 } 1938 1939 /** 1940 * @hide 1941 * Sets the given package as the device owner. The package must already be installed and there 1942 * shouldn't be an existing device owner registered, for this call to succeed. Also, this 1943 * method must be called before the device is provisioned. 1944 * @param packageName the package name of the application to be registered as the device owner. 1945 * @param ownerName the human readable name of the institution that owns this device. 1946 * @return whether the package was successfully registered as the device owner. 1947 * @throws IllegalArgumentException if the package name is null or invalid 1948 * @throws IllegalStateException if a device owner is already registered or the device has 1949 * already been provisioned. 1950 */ 1951 public boolean setDeviceOwner(String packageName, String ownerName) 1952 throws IllegalArgumentException, IllegalStateException { 1953 if (mService != null) { 1954 try { 1955 return mService.setDeviceOwner(packageName, ownerName); 1956 } catch (RemoteException re) { 1957 Log.w(TAG, "Failed to set device owner"); 1958 } 1959 } 1960 return false; 1961 } 1962 1963 1964 /** 1965 * Used to determine if a particular package has been registered as a Device Owner app. 1966 * A device owner app is a special device admin that cannot be deactivated by the user, once 1967 * activated as a device admin. It also cannot be uninstalled. To check if a particular 1968 * package is currently registered as the device owner app, pass in the package name from 1969 * {@link Context#getPackageName()} to this method.<p/>This is useful for device 1970 * admin apps that want to check if they are also registered as the device owner app. The 1971 * exact mechanism by which a device admin app is registered as a device owner app is defined by 1972 * the setup process. 1973 * @param packageName the package name of the app, to compare with the registered device owner 1974 * app, if any. 1975 * @return whether or not the package is registered as the device owner app. 1976 */ 1977 public boolean isDeviceOwnerApp(String packageName) { 1978 if (mService != null) { 1979 try { 1980 return mService.isDeviceOwner(packageName); 1981 } catch (RemoteException re) { 1982 Log.w(TAG, "Failed to check device owner"); 1983 } 1984 } 1985 return false; 1986 } 1987 1988 /** 1989 * @hide 1990 * Redirect to isDeviceOwnerApp. 1991 */ 1992 public boolean isDeviceOwner(String packageName) { 1993 return isDeviceOwnerApp(packageName); 1994 } 1995 1996 /** 1997 * Clears the current device owner. The caller must be the device owner. 1998 * 1999 * This function should be used cautiously as once it is called it cannot 2000 * be undone. The device owner can only be set as a part of device setup 2001 * before setup completes. 2002 * 2003 * @param packageName The package name of the device owner. 2004 */ 2005 public void clearDeviceOwnerApp(String packageName) { 2006 if (mService != null) { 2007 try { 2008 mService.clearDeviceOwner(packageName); 2009 } catch (RemoteException re) { 2010 Log.w(TAG, "Failed to clear device owner"); 2011 } 2012 } 2013 } 2014 2015 /** @hide */ 2016 public String getDeviceOwner() { 2017 if (mService != null) { 2018 try { 2019 return mService.getDeviceOwner(); 2020 } catch (RemoteException re) { 2021 Log.w(TAG, "Failed to get device owner"); 2022 } 2023 } 2024 return null; 2025 } 2026 2027 /** @hide */ 2028 public String getDeviceOwnerName() { 2029 if (mService != null) { 2030 try { 2031 return mService.getDeviceOwnerName(); 2032 } catch (RemoteException re) { 2033 Log.w(TAG, "Failed to get device owner"); 2034 } 2035 } 2036 return null; 2037 } 2038 2039 /** 2040 * @hide 2041 * @SystemApi 2042 * Sets the given component as an active admin and registers the package as the profile 2043 * owner for this user. The package must already be installed and there shouldn't be 2044 * an existing profile owner registered for this user. Also, this method must be called 2045 * before the user setup has been completed. 2046 * <p> 2047 * This method can only be called by system apps that hold MANAGE_USERS permission and 2048 * MANAGE_DEVICE_ADMINS permission. 2049 * @param admin The component to register as an active admin and profile owner. 2050 * @param ownerName The user-visible name of the entity that is managing this user. 2051 * @return whether the admin was successfully registered as the profile owner. 2052 * @throws IllegalArgumentException if packageName is null, the package isn't installed, or 2053 * the user has already been set up. 2054 */ 2055 public boolean setActiveProfileOwner(ComponentName admin, String ownerName) 2056 throws IllegalArgumentException { 2057 if (mService != null) { 2058 try { 2059 final int myUserId = UserHandle.myUserId(); 2060 mService.setActiveAdmin(admin, false, myUserId); 2061 return mService.setProfileOwner(admin.getPackageName(), ownerName, myUserId); 2062 } catch (RemoteException re) { 2063 Log.w(TAG, "Failed to set profile owner " + re); 2064 throw new IllegalArgumentException("Couldn't set profile owner.", re); 2065 } 2066 } 2067 return false; 2068 } 2069 2070 /** 2071 * @hide 2072 * Sets the given package as the profile owner of the given user profile. The package must 2073 * already be installed and there shouldn't be an existing profile owner registered for this 2074 * user. Also, this method must be called before the user has been used for the first time. 2075 * @param packageName the package name of the application to be registered as profile owner. 2076 * @param ownerName the human readable name of the organisation associated with this DPM. 2077 * @param userHandle the userId to set the profile owner for. 2078 * @return whether the package was successfully registered as the profile owner. 2079 * @throws IllegalArgumentException if packageName is null, the package isn't installed, or 2080 * the user has already been set up. 2081 */ 2082 public boolean setProfileOwner(String packageName, String ownerName, int userHandle) 2083 throws IllegalArgumentException { 2084 if (mService != null) { 2085 try { 2086 return mService.setProfileOwner(packageName, ownerName, userHandle); 2087 } catch (RemoteException re) { 2088 Log.w(TAG, "Failed to set profile owner", re); 2089 throw new IllegalArgumentException("Couldn't set profile owner.", re); 2090 } 2091 } 2092 return false; 2093 } 2094 2095 /** 2096 * Sets the enabled state of the profile. A profile should be enabled only once it is ready to 2097 * be used. Only the profile owner can call this. 2098 * 2099 * @see #isProfileOwnerApp 2100 * 2101 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2102 */ 2103 public void setProfileEnabled(ComponentName admin) { 2104 if (mService != null) { 2105 try { 2106 mService.setProfileEnabled(admin); 2107 } catch (RemoteException e) { 2108 Log.w(TAG, "Failed talking with device policy service", e); 2109 } 2110 } 2111 } 2112 2113 /** 2114 * Sets the name of the Managed profile. In the device owner case it sets the name of the user 2115 * which it is called from. Only the profile owner or device owner can call this. If this is 2116 * never called by the profile or device owner, the name will be set to default values. 2117 * 2118 * @see #isProfileOwnerApp 2119 * @see #isDeviceOwnerApp 2120 * 2121 * @param profileName The name of the profile. 2122 */ 2123 public void setProfileName(ComponentName who, String profileName) { 2124 if (mService != null) { 2125 try { 2126 mService.setProfileName(who, profileName); 2127 } catch (RemoteException e) { 2128 Log.w(TAG, "Failed talking with device policy service", e); 2129 } 2130 } 2131} 2132 2133 /** 2134 * Used to determine if a particular package is registered as the Profile Owner for the 2135 * current user. A profile owner is a special device admin that has additional privileges 2136 * within the managed profile. 2137 * 2138 * @param packageName The package name of the app to compare with the registered profile owner. 2139 * @return Whether or not the package is registered as the profile owner. 2140 */ 2141 public boolean isProfileOwnerApp(String packageName) { 2142 if (mService != null) { 2143 try { 2144 String profileOwnerPackage = mService.getProfileOwner( 2145 Process.myUserHandle().getIdentifier()); 2146 return profileOwnerPackage != null && profileOwnerPackage.equals(packageName); 2147 } catch (RemoteException re) { 2148 Log.w(TAG, "Failed to check profile owner"); 2149 } 2150 } 2151 return false; 2152 } 2153 2154 /** 2155 * @hide 2156 * @return the packageName of the owner of the given user profile or null if no profile 2157 * owner has been set for that user. 2158 * @throws IllegalArgumentException if the userId is invalid. 2159 */ 2160 public String getProfileOwner() throws IllegalArgumentException { 2161 if (mService != null) { 2162 try { 2163 return mService.getProfileOwner(Process.myUserHandle().getIdentifier()); 2164 } catch (RemoteException re) { 2165 Log.w(TAG, "Failed to get profile owner"); 2166 throw new IllegalArgumentException( 2167 "Requested profile owner for invalid userId", re); 2168 } 2169 } 2170 return null; 2171 } 2172 2173 /** 2174 * @hide 2175 * @return the human readable name of the organisation associated with this DPM or null if 2176 * one is not set. 2177 * @throws IllegalArgumentException if the userId is invalid. 2178 */ 2179 public String getProfileOwnerName() throws IllegalArgumentException { 2180 if (mService != null) { 2181 try { 2182 return mService.getProfileOwnerName(Process.myUserHandle().getIdentifier()); 2183 } catch (RemoteException re) { 2184 Log.w(TAG, "Failed to get profile owner"); 2185 throw new IllegalArgumentException( 2186 "Requested profile owner for invalid userId", re); 2187 } 2188 } 2189 return null; 2190 } 2191 2192 /** 2193 * Called by a profile owner or device owner to add a default intent handler activity for 2194 * intents that match a certain intent filter. This activity will remain the default intent 2195 * handler even if the set of potential event handlers for the intent filter changes and if 2196 * the intent preferences are reset. 2197 * 2198 * <p>The default disambiguation mechanism takes over if the activity is not installed 2199 * (anymore). When the activity is (re)installed, it is automatically reset as default 2200 * intent handler for the filter. 2201 * 2202 * <p>The calling device admin must be a profile owner or device owner. If it is not, a 2203 * security exception will be thrown. 2204 * 2205 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2206 * @param filter The IntentFilter for which a default handler is added. 2207 * @param activity The Activity that is added as default intent handler. 2208 */ 2209 public void addPersistentPreferredActivity(ComponentName admin, IntentFilter filter, 2210 ComponentName activity) { 2211 if (mService != null) { 2212 try { 2213 mService.addPersistentPreferredActivity(admin, filter, activity); 2214 } catch (RemoteException e) { 2215 Log.w(TAG, "Failed talking with device policy service", e); 2216 } 2217 } 2218 } 2219 2220 /** 2221 * Called by a profile owner or device owner to remove all persistent intent handler preferences 2222 * associated with the given package that were set by {@link #addPersistentPreferredActivity}. 2223 * 2224 * <p>The calling device admin must be a profile owner. If it is not, a security 2225 * exception will be thrown. 2226 * 2227 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2228 * @param packageName The name of the package for which preferences are removed. 2229 */ 2230 public void clearPackagePersistentPreferredActivities(ComponentName admin, 2231 String packageName) { 2232 if (mService != null) { 2233 try { 2234 mService.clearPackagePersistentPreferredActivities(admin, packageName); 2235 } catch (RemoteException e) { 2236 Log.w(TAG, "Failed talking with device policy service", e); 2237 } 2238 } 2239 } 2240 2241 /** 2242 * Called by a profile or device owner to set the application restrictions for a given target 2243 * application running in the managed profile. 2244 * 2245 * <p>The provided {@link Bundle} consists of key-value pairs, where the types of values may be 2246 * {@link Boolean}, {@link String}, or {@link String}[]. The recommended format for key strings 2247 * is "com.example.packagename/example-setting" to avoid naming conflicts with library 2248 * components such as {@link android.webkit.WebView}. 2249 * 2250 * <p>The application restrictions are only made visible to the target application and the 2251 * profile or device owner. 2252 * 2253 * <p>The calling device admin must be a profile or device owner; if it is not, a security 2254 * exception will be thrown. 2255 * 2256 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2257 * @param packageName The name of the package to update restricted settings for. 2258 * @param settings A {@link Bundle} to be parsed by the receiving application, conveying a new 2259 * set of active restrictions. 2260 */ 2261 public void setApplicationRestrictions(ComponentName admin, String packageName, 2262 Bundle settings) { 2263 if (mService != null) { 2264 try { 2265 mService.setApplicationRestrictions(admin, packageName, settings); 2266 } catch (RemoteException e) { 2267 Log.w(TAG, "Failed talking with device policy service", e); 2268 } 2269 } 2270 } 2271 2272 /** 2273 * Called by the profile owner so that some intents sent in the managed profile can also be 2274 * resolved in the parent, or vice versa. 2275 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2276 * @param filter The {@link IntentFilter} the intent has to match to be also resolved in the 2277 * other profile 2278 * @param flags {@link DevicePolicyManager#FLAG_MANAGED_CAN_ACCESS_PARENT} and 2279 * {@link DevicePolicyManager#FLAG_PARENT_CAN_ACCESS_MANAGED} are supported. 2280 */ 2281 public void addCrossProfileIntentFilter(ComponentName admin, IntentFilter filter, int flags) { 2282 if (mService != null) { 2283 try { 2284 mService.addCrossProfileIntentFilter(admin, filter, flags); 2285 } catch (RemoteException e) { 2286 Log.w(TAG, "Failed talking with device policy service", e); 2287 } 2288 } 2289 } 2290 2291 /** 2292 * Called by a profile owner to remove the cross-profile intent filters from the managed profile 2293 * and from the parent. 2294 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2295 */ 2296 public void clearCrossProfileIntentFilters(ComponentName admin) { 2297 if (mService != null) { 2298 try { 2299 mService.clearCrossProfileIntentFilters(admin); 2300 } catch (RemoteException e) { 2301 Log.w(TAG, "Failed talking with device policy service", e); 2302 } 2303 } 2304 } 2305 2306 /** 2307 * Called by a device owner to create a user with the specified name. The UserHandle returned 2308 * by this method should not be persisted as user handles are recycled as users are removed and 2309 * created. If you need to persist an identifier for this user, use 2310 * {@link UserManager#getSerialNumberForUser}. 2311 * 2312 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2313 * @param name the user's name 2314 * @see UserHandle 2315 * @return the UserHandle object for the created user, or null if the user could not be created. 2316 */ 2317 public UserHandle createUser(ComponentName admin, String name) { 2318 try { 2319 return mService.createUser(admin, name); 2320 } catch (RemoteException re) { 2321 Log.w(TAG, "Could not create a user", re); 2322 } 2323 return null; 2324 } 2325 2326 /** 2327 * Called by a device owner to create a user with the specified name. The UserHandle returned 2328 * by this method should not be persisted as user handles are recycled as users are removed and 2329 * created. If you need to persist an identifier for this user, use 2330 * {@link UserManager#getSerialNumberForUser}. The new user will be started in the background 2331 * immediately. 2332 * 2333 * <p> profileOwnerComponent is the {@link DeviceAdminReceiver} to be the profile owner as well 2334 * as registered as an active admin on the new user. The profile owner package will be 2335 * installed on the new user if it already is installed on the device. 2336 * 2337 * <p>If the optionalInitializeData is not null, then the extras will be passed to the 2338 * profileOwnerComponent when onEnable is called. 2339 * 2340 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2341 * @param name the user's name 2342 * @param ownerName the human readable name of the organisation associated with this DPM. 2343 * @param profileOwnerComponent The {@link DeviceAdminReceiver} that will be an active admin on 2344 * the user. 2345 * @param adminExtras Extras that will be passed to onEnable of the admin receiver 2346 * on the new user. 2347 * @see UserHandle 2348 * @return the UserHandle object for the created user, or null if the user could not be created. 2349 */ 2350 public UserHandle createAndInitializeUser(ComponentName admin, String name, String ownerName, 2351 ComponentName profileOwnerComponent, Bundle adminExtras) { 2352 try { 2353 return mService.createAndInitializeUser(admin, name, ownerName, profileOwnerComponent, 2354 adminExtras); 2355 } catch (RemoteException re) { 2356 Log.w(TAG, "Could not create a user", re); 2357 } 2358 return null; 2359 } 2360 2361 /** 2362 * Called by a device owner to remove a user and all associated data. The primary user can 2363 * not be removed. 2364 * 2365 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2366 * @param userHandle the user to remove. 2367 * @return {@code true} if the user was removed, {@code false} otherwise. 2368 */ 2369 public boolean removeUser(ComponentName admin, UserHandle userHandle) { 2370 try { 2371 return mService.removeUser(admin, userHandle); 2372 } catch (RemoteException re) { 2373 Log.w(TAG, "Could not remove user ", re); 2374 return false; 2375 } 2376 } 2377 2378 /** 2379 * Called by a device owner to switch the specified user to the foreground. 2380 * 2381 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2382 * @param userHandle the user to switch to; null will switch to primary. 2383 * @return {@code true} if the switch was successful, {@code false} otherwise. 2384 * 2385 * @see Intent#ACTION_USER_FOREGROUND 2386 */ 2387 public boolean switchUser(ComponentName admin, UserHandle userHandle) { 2388 try { 2389 return mService.switchUser(admin, userHandle); 2390 } catch (RemoteException re) { 2391 Log.w(TAG, "Could not switch user ", re); 2392 return false; 2393 } 2394 } 2395 2396 /** 2397 * Called by a profile or device owner to get the application restrictions for a given target 2398 * application running in the managed profile. 2399 * 2400 * <p>The calling device admin must be a profile or device owner; if it is not, a security 2401 * exception will be thrown. 2402 * 2403 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2404 * @param packageName The name of the package to fetch restricted settings of. 2405 * @return {@link Bundle} of settings corresponding to what was set last time 2406 * {@link DevicePolicyManager#setApplicationRestrictions} was called, or an empty {@link Bundle} 2407 * if no restrictions have been set. 2408 */ 2409 public Bundle getApplicationRestrictions(ComponentName admin, String packageName) { 2410 if (mService != null) { 2411 try { 2412 return mService.getApplicationRestrictions(admin, packageName); 2413 } catch (RemoteException e) { 2414 Log.w(TAG, "Failed talking with device policy service", e); 2415 } 2416 } 2417 return null; 2418 } 2419 2420 /** 2421 * Called by a profile or device owner to set a user restriction specified 2422 * by the key. 2423 * <p> 2424 * The calling device admin must be a profile or device owner; if it is not, 2425 * a security exception will be thrown. 2426 * 2427 * @param admin Which {@link DeviceAdminReceiver} this request is associated 2428 * with. 2429 * @param key The key of the restriction. See the constants in 2430 * {@link android.os.UserManager} for the list of keys. 2431 */ 2432 public void addUserRestriction(ComponentName admin, String key) { 2433 if (mService != null) { 2434 try { 2435 mService.setUserRestriction(admin, key, true); 2436 } catch (RemoteException e) { 2437 Log.w(TAG, "Failed talking with device policy service", e); 2438 } 2439 } 2440 } 2441 2442 /** 2443 * Called by a profile or device owner to clear a user restriction specified 2444 * by the key. 2445 * <p> 2446 * The calling device admin must be a profile or device owner; if it is not, 2447 * a security exception will be thrown. 2448 * 2449 * @param admin Which {@link DeviceAdminReceiver} this request is associated 2450 * with. 2451 * @param key The key of the restriction. See the constants in 2452 * {@link android.os.UserManager} for the list of keys. 2453 */ 2454 public void clearUserRestriction(ComponentName admin, String key) { 2455 if (mService != null) { 2456 try { 2457 mService.setUserRestriction(admin, key, false); 2458 } catch (RemoteException e) { 2459 Log.w(TAG, "Failed talking with device policy service", e); 2460 } 2461 } 2462 } 2463 2464 /** 2465 * Called by device or profile owner to block or unblock packages. When a package is blocked it 2466 * is unavailable for use, but the data and actual package file remain. 2467 * 2468 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2469 * @param packageName The name of the package to block or unblock. 2470 * @param blocked {@code true} if the package should be blocked, {@code false} if it should be 2471 * unblocked. 2472 * @return boolean Whether the blocked setting of the package was successfully updated. 2473 */ 2474 public boolean setApplicationBlocked(ComponentName admin, String packageName, 2475 boolean blocked) { 2476 if (mService != null) { 2477 try { 2478 return mService.setApplicationBlocked(admin, packageName, blocked); 2479 } catch (RemoteException e) { 2480 Log.w(TAG, "Failed talking with device policy service", e); 2481 } 2482 } 2483 return false; 2484 } 2485 2486 /** 2487 * Called by profile or device owner to block or unblock currently installed packages. This 2488 * should only be called by a profile or device owner running within a managed profile. 2489 * 2490 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2491 * @param intent An intent matching the app(s) to be updated. All apps that resolve for this 2492 * intent will be updated in the current profile. 2493 * @param blocked {@code true} if the packages should be blocked, {@code false} if they should 2494 * be unblocked. 2495 * @return int The number of activities that matched the intent and were updated. 2496 */ 2497 public int setApplicationsBlocked(ComponentName admin, Intent intent, boolean blocked) { 2498 if (mService != null) { 2499 try { 2500 return mService.setApplicationsBlocked(admin, intent, blocked); 2501 } catch (RemoteException e) { 2502 Log.w(TAG, "Failed talking with device policy service", e); 2503 } 2504 } 2505 return 0; 2506 } 2507 2508 /** 2509 * Called by device or profile owner to determine if a package is blocked. 2510 * 2511 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2512 * @param packageName The name of the package to retrieve the blocked status of. 2513 * @return boolean {@code true} if the package is blocked, {@code false} otherwise. 2514 */ 2515 public boolean isApplicationBlocked(ComponentName admin, String packageName) { 2516 if (mService != null) { 2517 try { 2518 return mService.isApplicationBlocked(admin, packageName); 2519 } catch (RemoteException e) { 2520 Log.w(TAG, "Failed talking with device policy service", e); 2521 } 2522 } 2523 return false; 2524 } 2525 2526 /** 2527 * Called by a profile owner to disable account management for a specific type of account. 2528 * 2529 * <p>The calling device admin must be a profile owner. If it is not, a 2530 * security exception will be thrown. 2531 * 2532 * <p>When account management is disabled for an account type, adding or removing an account 2533 * of that type will not be possible. 2534 * 2535 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2536 * @param accountType For which account management is disabled or enabled. 2537 * @param disabled The boolean indicating that account management will be disabled (true) or 2538 * enabled (false). 2539 */ 2540 public void setAccountManagementDisabled(ComponentName admin, String accountType, 2541 boolean disabled) { 2542 if (mService != null) { 2543 try { 2544 mService.setAccountManagementDisabled(admin, accountType, disabled); 2545 } catch (RemoteException e) { 2546 Log.w(TAG, "Failed talking with device policy service", e); 2547 } 2548 } 2549 } 2550 2551 /** 2552 * Gets the array of accounts for which account management is disabled by the profile owner. 2553 * 2554 * <p> Account management can be disabled/enabled by calling 2555 * {@link #setAccountManagementDisabled}. 2556 * 2557 * @return a list of account types for which account management has been disabled. 2558 * 2559 * @see #setAccountManagementDisabled 2560 */ 2561 public String[] getAccountTypesWithManagementDisabled() { 2562 if (mService != null) { 2563 try { 2564 return mService.getAccountTypesWithManagementDisabled(); 2565 } catch (RemoteException e) { 2566 Log.w(TAG, "Failed talking with device policy service", e); 2567 } 2568 } 2569 2570 return null; 2571 } 2572 2573 /** 2574 * Sets which packages may enter lock task mode. 2575 * 2576 * <p>Any packages that shares uid with an allowed package will also be allowed 2577 * to activate lock task. 2578 * 2579 * This function can only be called by the device owner. 2580 * @param packages The list of packages allowed to enter lock task mode 2581 * 2582 * @see Activity#startLockTask() 2583 * @see DeviceAdminReceiver#onLockTaskModeChanged(Context, Intent, boolean, String) 2584 * @see UserManager#DISALLOW_CREATE_WINDOWS 2585 */ 2586 public void setLockTaskPackages(String[] packages) throws SecurityException { 2587 if (mService != null) { 2588 try { 2589 mService.setLockTaskPackages(packages); 2590 } catch (RemoteException e) { 2591 Log.w(TAG, "Failed talking with device policy service", e); 2592 } 2593 } 2594 } 2595 2596 /** 2597 * This function returns the list of packages allowed to start the lock task mode. 2598 * @hide 2599 */ 2600 public String[] getLockTaskPackages() { 2601 if (mService != null) { 2602 try { 2603 return mService.getLockTaskPackages(); 2604 } catch (RemoteException e) { 2605 Log.w(TAG, "Failed talking with device policy service", e); 2606 } 2607 } 2608 return null; 2609 } 2610 2611 /** 2612 * This function lets the caller know whether the given component is allowed to start the 2613 * lock task mode. 2614 * @param pkg The package to check 2615 */ 2616 public boolean isLockTaskPermitted(String pkg) { 2617 if (mService != null) { 2618 try { 2619 return mService.isLockTaskPermitted(pkg); 2620 } catch (RemoteException e) { 2621 Log.w(TAG, "Failed talking with device policy service", e); 2622 } 2623 } 2624 return false; 2625 } 2626 2627 /** 2628 * Called by device owners to update {@link Settings.Global} settings. Validation that the value 2629 * of the setting is in the correct form for the setting type should be performed by the caller. 2630 * 2631 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2632 * @param setting The name of the setting to update. 2633 * @param value The value to update the setting to. 2634 */ 2635 public void setGlobalSetting(ComponentName admin, String setting, String value) { 2636 if (mService != null) { 2637 try { 2638 mService.setGlobalSetting(admin, setting, value); 2639 } catch (RemoteException e) { 2640 Log.w(TAG, "Failed talking with device policy service", e); 2641 } 2642 } 2643 } 2644 2645 /** 2646 * Called by profile or device owners to update {@link Settings.Secure} settings. Validation 2647 * that the value of the setting is in the correct form for the setting type should be performed 2648 * by the caller. 2649 * 2650 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2651 * @param setting The name of the setting to update. 2652 * @param value The value to update the setting to. 2653 */ 2654 public void setSecureSetting(ComponentName admin, String setting, String value) { 2655 if (mService != null) { 2656 try { 2657 mService.setSecureSetting(admin, setting, value); 2658 } catch (RemoteException e) { 2659 Log.w(TAG, "Failed talking with device policy service", e); 2660 } 2661 } 2662 } 2663 2664 /** 2665 * Designates a specific service component as the provider for 2666 * making permission requests of a local or remote administrator of the user. 2667 * <p/> 2668 * Only a profile owner can designate the restrictions provider. 2669 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2670 * @param provider The component name of the service that implements 2671 * {@link AbstractRestrictionsProvider}. If this param is null, 2672 * it removes the restrictions provider previously assigned. 2673 */ 2674 public void setRestrictionsProvider(ComponentName admin, ComponentName provider) { 2675 if (mService != null) { 2676 try { 2677 mService.setRestrictionsProvider(admin, provider); 2678 } catch (RemoteException re) { 2679 Log.w(TAG, "Failed to set permission provider on device policy service"); 2680 } 2681 } 2682 } 2683 2684 /** 2685 * Called by profile or device owners to set the master volume mute on or off. 2686 * 2687 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2688 * @param on {@code true} to mute master volume, {@code false} to turn mute off. 2689 */ 2690 public void setMasterVolumeMuted(ComponentName admin, boolean on) { 2691 if (mService != null) { 2692 try { 2693 mService.setMasterVolumeMuted(admin, on); 2694 } catch (RemoteException re) { 2695 Log.w(TAG, "Failed to setMasterMute on device policy service"); 2696 } 2697 } 2698 } 2699 2700 /** 2701 * Called by profile or device owners to check whether the master volume mute is on or off. 2702 * 2703 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2704 * @return {@code true} if master volume is muted, {@code false} if it's not. 2705 */ 2706 public boolean isMasterVolumeMuted(ComponentName admin) { 2707 if (mService != null) { 2708 try { 2709 return mService.isMasterVolumeMuted(admin); 2710 } catch (RemoteException re) { 2711 Log.w(TAG, "Failed to get isMasterMute on device policy service"); 2712 } 2713 } 2714 return false; 2715 } 2716 2717 /** 2718 * Called by profile or device owners to change whether a user can uninstall 2719 * a package. 2720 * 2721 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2722 * @param packageName package to change. 2723 * @param blockUninstall true if the user shouldn't be able to uninstall the package. 2724 */ 2725 public void setBlockUninstall(ComponentName admin, String packageName, boolean blockUninstall) { 2726 if (mService != null) { 2727 try { 2728 mService.setBlockUninstall(admin, packageName, blockUninstall); 2729 } catch (RemoteException re) { 2730 Log.w(TAG, "Failed to call block uninstall on device policy service"); 2731 } 2732 } 2733 } 2734 2735 /** 2736 * Called by profile or device owners to check whether a user has been blocked from 2737 * uninstalling a package. 2738 * 2739 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2740 * @param packageName package to check. 2741 * @return true if the user shouldn't be able to uninstall the package. 2742 */ 2743 public boolean getBlockUninstall(ComponentName admin, String packageName) { 2744 if (mService != null) { 2745 try { 2746 return mService.getBlockUninstall(admin, packageName); 2747 } catch (RemoteException re) { 2748 Log.w(TAG, "Failed to call block uninstall on device policy service"); 2749 } 2750 } 2751 return false; 2752 } 2753} 2754