1 page.title=Device Administration 2 @jd:body 3 4 <div id="qv-wrapper"> 5 <div id="qv"> 6 <h2>In this document</h2> 7 <ol> 8 <li><a href="#overview">Device Administration API Overview</a> 9 <ol> 10 <li><a href="#how">How does it work?</a></li> 11 <li><a href="#policies">Policies</a></li> 12 </ol> 13 </li> 14 <li><a href="#sample">Sample Application</a></li> 15 <li><a href="#developing">Developing a Device Administration Application</a> 16 <ol> 17 <li><a href="#manifest">Creating the manifest</a></li> 18 <li><a href="#code">Implementing the code</a></li> 19 </ol> 20 </li> 21 22 </ol> 23 24 <h2>Key classes</h2> 25 <ol> 26 <li>{@link android.app.admin.DeviceAdminReceiver}</li> 27 <li>{@link android.app.admin.DevicePolicyManager}</li> 28 <li>{@link android.app.admin.DeviceAdminInfo}</li> 29 </ol> 30 <h2>Related samples</h2> 31 <ol> 32 <li><a 33 href="{@docRoot}resources/samples/ApiDemos/src/com/example/android/apis/app/DeviceAdminSample.html"> 34 DeviceAdminSample</a></li> 35 </ol> 36 </div> 37 </div> 38 39 <p>Android 2.2 introduces support for enterprise applications by offering the 40 Android Device Administration API. The Device Administration API provides device 41 administration features at the system level. These APIs allow you to create 42 security-aware applications that are useful in enterprise settings, in which IT 43 professionals require rich control over employee devices. For example, the 44 built-in Android Email application has leveraged the new APIs to improve 45 Exchange support. Through the Email application, Exchange administrators can 46 enforce password policies — including alphanumeric passwords or numeric 47 PINs — across devices. Administrators can also remotely wipe (that is, 48 restore factory defaults on) lost or stolen handsets. Exchange users can sync 49 their email and calendar data.</p> 50 51 <p>This document is intended for developers who want to develop enterprise 52 solutions for Android-powered devices. It discusses the various features 53 provided by the Device Administration API to provide stronger security for 54 employee devices that are powered by Android.</p> 55 56 57 <h2 id="overview">Device Administration API Overview</h2> 58 59 <p>Here are examples of the types of applications that might use the Device Administration API:</p> 60 <ul> 61 <li>Email clients.</li> 62 <li>Security applications that do remote wipe.</li> 63 <li>Device management services and applications.</li> 64 </ul> 65 66 <h3 id="how">How does it work?</h3> 67 <p>You use the Device Administration API to write device admin applications that users 68 install on their devices. The device admin application enforces the desired 69 policies. Here's how it works:</p> <ul> 70 <li>A system administrator writes a device admin application that enforces 71 remote/local device security policies. These policies could be hard-coded into 72 the app, or the application could dynamically fetch policies from a third-party 73 server. </li> 74 <li>The application is installed on users' devices. Android does 75 not currently have an automated provisioning solution. Some of the ways a sysadmin might 76 distribute the application to users are as follows: 77 <ul> 78 <li>Google Play.</li> 79 <li>Enabling installation from another store.</li> 80 <li>Distributing the application through other means, such as email or websites.</li> 81 82 </ul> 83 84 85 </li> 86 <li>The system prompts the user to enable the device admin application. How 87 and when this happens depends on how the application is implemented.</li> 88 <li>Once users enable the device admin application, they are subject to 89 its policies. Complying with those policies typically confers benefits, such as 90 access to sensitive systems and data.</li> 91 </ul> 92 <p>If users do not enable the device admin app, it remains on the device, but in an inactive state. Users will not be subject to its policies, and they will conversely not get any of the application's benefits—for example, they may not be able to sync data.</p> 93 <p>If a user fails to comply with the policies (for example, if a user sets a 94 password that violates the guidelines), it is up to the application to decide 95 how to handle this. However, typically this will result in the user not being 96 able to sync data.</p> 97 <p>If a device attempts to connect to a server that requires policies not 98 supported in the Device Administration API, the connection will not 99 be allowed. The Device Administration API does not currently allow partial 100 provisioning. In other words, if a device (for example, a legacy device) does 101 not support all of the stated policies, there is no way to allow the 102 device to connect.</p> 103 <p>If a device contains multiple enabled admin applications, the strictest policy is 104 enforced. There is no way to target a particular admin 105 application.</p> 106 <p>To uninstall an existing device admin application, users need to 107 first unregister the application as an administrator. </p> 108 109 110 <h3 id="policies">Policies</h3> 111 112 <p>In an enterprise setting, it's often the case that employee devices must 113 adhere to a strict set of policies that govern the use of the device. The 114 Device Administration API supports the policies listed in Table 1. 115 Note that the Device Administration API currently only supports passwords for screen 116 lock:</p> 117 <p class="table-caption"><strong>Table 1.</strong> Policies supported by the Device Administration API.</p> 118 <table border="1"> 119 <tr> 120 <th>Policy</th> 121 <th>Description</th> 122 </tr> 123 <tr> 124 <td>Password enabled</td> 125 <td>Requires that devices ask for PIN or passwords.</td> 126 </tr> 127 <tr> 128 <td>Minimum password length</td> 129 <td>Set the required number of characters for the password. For example, you 130 can require PIN or passwords to have at least six characters. </td> </tr> 131 <tr> 132 <td>Alphanumeric password required</td> 133 <td>Requires that passwords have a 134 combination of letters and numbers. They may include symbolic characters. 135 </td> 136 </tr> 137 138 <tr> 139 <td>Complex password required</td> 140 <td>Requires that passwords must contain at least a letter, a numerical digit, and a special symbol. Introduced in Android 3.0. 141 </td> 142 </tr> 143 144 <tr> 145 <td>Minimum letters required in password</td> <td>The minimum number of 146 letters required in the password for all admins or a particular one. Introduced in Android 3.0.</td> 147 </tr> 148 149 150 <tr> 151 <td>Minimum lowercase letters required in password</td> 152 <td>The minimum number of lowercase 153 letters required in the password for all admins or a particular one. Introduced in Android 3.0.</td> 154 </tr> 155 156 <tr> 157 <td>Minimum non-letter characters required in password</td> 158 <td>The minimum number of 159 non-letter characters required in the password for all admins or a particular one. Introduced in Android 3.0.</td> 160 </tr> 161 162 <tr> 163 <td>Minimum numerical digits required in password</td> 164 <td>The minimum number of numerical digits required in the password for all admins or a particular one. Introduced in Android 3.0.</td> 165 </tr> 166 167 <tr> 168 <td>Minimum symbols required in password</td> 169 <td>The minimum number of symbols required in the password for all admins or a particular one. Introduced in Android 3.0.</td> 170 </tr> 171 172 <tr> 173 <td>Minimum uppercase letters required in password</td> 174 <td>The minimum number of uppercase letters required in the password for all admins or a particular one. Introduced in Android 3.0.</td> 175 </tr> 176 177 <tr> 178 <td>Password expiration timeout</td> 179 <td>When the password will expire, expressed as a delta in milliseconds from when a device admin sets the expiration timeout. Introduced in Android 3.0.</td> 180 </tr> 181 182 <tr> 183 <td>Password history restriction</td> 184 <td>This policy prevents users from reusing the last <em>n</em> unique passwords. 185 This policy is typically used in conjunction with 186 {@link android.app.admin.DevicePolicyManager#setPasswordExpirationTimeout(android.content.ComponentName,long) setPasswordExpirationTimeout()}, which forces 187 users to update their passwords after a specified amount of time has elapsed. 188 Introduced in Android 3.0.</td> 189 </tr> 190 191 <tr> 192 <td>Maximum failed password attempts </td> 193 <td>Specifies how many times a user can enter the wrong password before the 194 device wipes its data. The Device Administration API also allows administrators to 195 remotely reset the device to factory defaults. This secures data in case the 196 device is lost or stolen.</td> 197 </tr> 198 <tr> 199 <td>Maximum inactivity time lock</td> 200 <td>Sets the length of time since the user last touched the screen or 201 pressed a button before the device locks the screen. When this happens, users 202 need to enter their PIN or passwords again before they can use their devices and 203 access data. The value can be between 1 and 60 minutes.</td> </tr> 204 205 <tr> 206 <td>Require storage encryption</td> 207 <td>Specifies that the storage area should be encrypted, if the device supports it. 208 Introduced in Android 3.0.</td> </tr> 209 210 <tr> 211 <td>Disable camera</td> 212 213 <td>Specifies that the camera should be disabled. Note that this doesn't have 214 to be a permanent disabling. The camera can be enabled/disabled dynamically 215 based on context, time, and so on. Introduced in Android 4.0.</td> 216 217 </tr> 218 219 220 </table> 221 222 <h4>Other features</h4> 223 224 <p>In addition to supporting the policies listed in the above table, the Device 225 Administration API lets you do the following:</p> <ul> 226 <li>Prompt user to set a new password.</li> 227 <li>Lock device immediately.</li> 228 <li>Wipe the device's data (that is, restore the device to its factory defaults).</li> 229 </ul> 230 231 232 <h2 id="sample">Sample Application</h2> 233 234 <p>The examples used in this document are based on the <a 235 href="{@docRoot}resources/samples/ApiDemos/src/com/example/android/apis/app/DeviceAdminSample.html"> 236 Device Administration API 237 sample</a>, which is included in the SDK samples. For information on downloading and 238 installing the SDK samples, see <a 239 href="{@docRoot}resources/samples/get.html"> 240 Getting the Samples</a>. Here is the <a 241 href="{@docRoot}resources/samples/ApiDemos/src/com/example/android/apis/app/DeviceAdminSample.html"> 242 complete code</a> for 243 the sample. </p> 244 <p>The 245 sample application offers a demo of device admin features. It presents users 246 with a user interface that lets them enable the device admin application. Once 247 they've enabled the application, they can use the buttons in the user interface 248 to do the following:</p> 249 <ul> 250 <li>Set password quality.</li> 251 <li>Specify requirements for the user's password, such as minimum length, the minimum number of 252 numeric characters it must contain, and so on.</li> 253 <li>Set the password. If the password does not conform to the specified 254 policies, the system returns an error.</li> 255 <li>Set how many failed password attempts can occur before the device is wiped 256 (that is, restored to factory settings).</li> 257 <li>Set how long from now the password will expire.</li> 258 <li>Set the password history length (<em>length</em> refers to number of old passwords stored in the history). 259 This prevents users from reusing 260 one of the last <em>n</em> passwords they previously used.</li> 261 <li>Specify that the storage area should be encrypted, if the device supports it.</li> 262 <li>Set the maximum amount of inactive time that can elapse before the device 263 locks.</li> 264 <li>Make the device lock immediately.</li> 265 <li>Wipe the device's data (that is, restore factory settings).</li> 266 <li>Disable the camera.</li> 267 268 </ul> 269 270 271 272 <img src="{@docRoot}images/admin/device-admin-app.png"/> 273 274 <p class="img-caption"><strong>Figure 1.</strong> Screenshot of the Sample Application</p> 275 276 277 278 <h2 id="developing">Developing a Device Administration Application</h2> 279 280 <p>System administrators can use the Device Administration API to write an application 281 that enforces remote/local device security policy enforcement. This section 282 summarizes the steps involved in creating a device administration 283 application.</p> 284 285 <h3 id="manifest">Creating the manifest</h3> 286 287 <p>To use the Device Administration API, the application's 288 manifest must include the following:</p> 289 <ul> 290 <li>A subclass of {@link android.app.admin.DeviceAdminReceiver} that includes the following: 291 <ul> 292 <li>The {@link android.Manifest.permission#BIND_DEVICE_ADMIN} permission.</li> 293 <li>The ability to respond to the {@link android.app.admin.DeviceAdminReceiver#ACTION_DEVICE_ADMIN_ENABLED} 294 intent, expressed in the manifest as an intent filter.</li> 295 </ul> 296 </li> 297 <li>A declaration of security policies used in metadata.</li> 298 </ul> 299 <p>Here is an excerpt from the Device Administration sample manifest:</p> 300 <pre><activity android:name=".app.DeviceAdminSample" 301 android:label="@string/activity_sample_device_admin"> 302 <intent-filter> 303 <action android:name="android.intent.action.MAIN" /> 304 <category android:name="android.intent.category.SAMPLE_CODE" /> 305 </intent-filter> 306 </activity> 307 <receiver android:name=".app.DeviceAdminSample$DeviceAdminSampleReceiver" 308 android:label="@string/sample_device_admin" 309 android:description="@string/sample_device_admin_description" 310 android:permission="android.permission.BIND_DEVICE_ADMIN"> 311 <meta-data android:name="android.app.device_admin" 312 android:resource="@xml/device_admin_sample" /> 313 <intent-filter> 314 <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" /> 315 </intent-filter> 316 </receiver></pre> 317 318 <p>Note that:</p> 319 <ul> 320 <li>The following attributes refer to string resources that for the sample application reside in 321 <code>ApiDemos/res/values/strings.xml</code>. For more information about resources, see 322 <a 323 href="{@docRoot}guide/topics/resources/index.html">Application Resources</a>. 324 <ul> 325 <li><code>android:label="@string/activity_sample_device_admin"</code> refers to the 326 user-readable label for the activity.</li> 327 328 <li><code>android:label="@string/sample_device_admin"</code> refers to the 329 user-readable label for the permission.</li> 330 331 <li><code>android:description="@string/sample_device_admin_description"</code> refers to 332 the user-readable description of the permission. A descripton is typically longer and more 333 informative than 334 a label.</li> 335 </ul> 336 337 338 <li><code>android:permission="android.permission.BIND_DEVICE_ADMIN" 339 </code> is a permission that a {@link android.app.admin.DeviceAdminReceiver} subclass must 340 have, to ensure that only the system can interact with the receiver (no application can be granted this permission). This 341 prevents other applications from abusing your device admin app.</li> 342 <li><code>android.app.action.DEVICE_ADMIN_ENABLED</code> is the the primary 343 action that a {@link android.app.admin.DeviceAdminReceiver} subclass must handle to be 344 allowed to manage a device. This is set to the receiver when the user enables 345 the device admin app. Your code typically handles this in 346 {@link android.app.admin.DeviceAdminReceiver#onEnabled onEnabled()}. To be supported, the receiver must also 347 require the {@link android.Manifest.permission#BIND_DEVICE_ADMIN} permission so that other applications 348 cannot abuse it. </li> 349 <li>When a user enables the device admin application, that gives the receiver 350 permission to perform actions in response to the broadcast of particular system 351 events. When suitable event arises, the application can impose a policy. For 352 example, if the user attempts to set a new password that doesn't meet the policy 353 requirements, the application can prompt the user to pick a different password 354 that does meet the requirements.</li> 355 356 <li><code>android:resource="@xml/device_admin_sample"</code> 357 declares the security policies used in metadata. The metadata provides additional 358 information specific to the device administrator, as parsed by the {@link 359 android.app.admin.DeviceAdminInfo} class. Here are the contents of 360 <code>device_admin_sample.xml</code>:</li> 361 </ul> 362 <pre><device-admin xmlns:android="http://schemas.android.com/apk/res/android">; 363 <uses-policies> 364 <limit-password /> 365 <watch-login /> 366 <reset-password /> 367 <force-lock /> 368 <wipe-data /> 369 <expire-password /> 370 <encrypted-storage /> 371 <disable-camera /> 372 </uses-policies> 373 </device-admin> 374 </pre> 375 <p> In designing your device administration application, you don't need to 376 include all of the policies, just the ones that are relevant for your app. 377 </p> 378 For more discussion of the manifest file, see the <a 379 href="{@docRoot}guide/topics/manifest/manifest-intro.html">Android Developers Guide</a>. 380 381 382 383 <h3 id="code">Implementing the code</h3> 384 385 <p>The Device Administration API includes the following classes:</p> 386 <dl> 387 <dt>{@link android.app.admin.DeviceAdminReceiver}</dt> 388 <dd>Base class for implementing a device administration component. This class provides 389 a convenience for interpreting the raw intent actions that are sent by the 390 system. Your Device Administration application must include a 391 {@link android.app.admin.DeviceAdminReceiver} subclass.</dd> 392 <dt>{@link android.app.admin.DevicePolicyManager}</dt> 393 <dd>A class for managing policies enforced on a device. Most clients of 394 this class must have published a {@link android.app.admin.DeviceAdminReceiver} that the user 395 has currently enabled. The {@link android.app.admin.DevicePolicyManager} manages policies for 396 one or more {@link android.app.admin.DeviceAdminReceiver} instances</dd> 397 <dt>{@link android.app.admin.DeviceAdminInfo}</dt> 398 <dd>This class is used to specify metadata 399 for a device administrator component.</dd> 400 </dl> 401 <p>These classes provide the foundation for a fully functional device administration application. 402 The rest of this section describes how you use the {@link 403 android.app.admin.DeviceAdminReceiver} and 404 {@link android.app.admin.DevicePolicyManager} APIs to write a device admin application.</p> 405 406 <h4 id="receiver">Subclassing DeviceAdminReceiver</h4> 407 <p>To create a device admin application, you must subclass 408 {@link android.app.admin.DeviceAdminReceiver}. The {@link android.app.admin.DeviceAdminReceiver} class 409 consists of a series of callbacks that are triggered when particular events 410 occur.</p> 411 <p>In its {@link android.app.admin.DeviceAdminReceiver} subclass, the sample application 412 simply displays a {@link android.widget.Toast} notification in response to particular 413 events. For example:</p> 414 <pre>public class DeviceAdminSample extends DeviceAdminReceiver { 415 416 void showToast(Context context, String msg) { 417 String status = context.getString(R.string.admin_receiver_status, msg); 418 Toast.makeText(context, status, Toast.LENGTH_SHORT).show(); 419 } 420 421 @Override 422 public void onEnabled(Context context, Intent intent) { 423 showToast(context, context.getString(R.string.admin_receiver_status_enabled)); 424 } 425 426 @Override 427 public CharSequence onDisableRequested(Context context, Intent intent) { 428 return context.getString(R.string.admin_receiver_status_disable_warning); 429 } 430 431 @Override 432 public void onDisabled(Context context, Intent intent) { 433 showToast(context, context.getString(R.string.admin_receiver_status_disabled)); 434 } 435 436 @Override 437 public void onPasswordChanged(Context context, Intent intent) { 438 showToast(context, context.getString(R.string.admin_receiver_status_pw_changed)); 439 } 440 ... 441 }</pre> 442 443 444 <h4 id="enabling">Enabling the application</h4> 445 <p>One of the major events a device admin application has to handle is the user 446 enabling the application. The user must explicitly enable the application for 447 the policies to be enforced. If the user chooses not to enable the application 448 it will still be present on the device, but its policies will not be enforced, and the user will not 449 get any of the application's benefits.</p> 450 <p>The process of enabling the application begins when the user performs an 451 action that triggers the {@link android.app.admin.DevicePolicyManager#ACTION_ADD_DEVICE_ADMIN} 452 intent. In the 453 sample application, this happens when the user clicks the <strong>Enable 454 Admin</strong> checkbox. </p> 455 <p>When the user clicks the <strong>Enable Admin</strong> checkbox, the display 456 changes to prompt the user to activate the device admin application, as shown in figure 457 2.</p> 458 459 <img src="{@docRoot}images/admin/device-admin-activate-prompt.png"/> 460 <p class="img-caption"><strong>Figure 2.</strong> Sample Application: Activating the Application</p> 461 462 <p>Below is the code that gets executed when the user clicks the <strong>Enable Admin</strong> checkbox. This has the effect of triggering the 463 {@link android.preference.Preference.OnPreferenceChangeListener#onPreferenceChange(android.preference.Preference, java.lang.Object) onPreferenceChange()} 464 callback. This callback is invoked when the value of this {@link android.preference.Preference} has been changed by the user and is about to be set and/or persisted. If the user is enabling the application, the display 465 changes to prompt the user to activate the device admin application, as shown in figure 466 2. Otherwise, the device admin application is disabled. </p> 467 468 <pre>@Override 469 public boolean onPreferenceChange(Preference preference, Object newValue) { 470 if (super.onPreferenceChange(preference, newValue)) { 471 return true; 472 } 473 boolean value = (Boolean) newValue; 474 if (preference == mEnableCheckbox) { 475 if (value != mAdminActive) { 476 if (value) { 477 // Launch the activity to have the user enable our admin. 478 Intent intent = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN); 479 intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, mDeviceAdminSample); 480 intent.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION, 481 mActivity.getString(R.string.add_admin_extra_app_text)); 482 startActivityForResult(intent, REQUEST_CODE_ENABLE_ADMIN); 483 // return false - don't update checkbox until we're really active 484 return false; 485 } else { 486 mDPM.removeActiveAdmin(mDeviceAdminSample); 487 enableDeviceCapabilitiesArea(false); 488 mAdminActive = false; 489 } 490 } 491 } else if (preference == mDisableCameraCheckbox) { 492 mDPM.setCameraDisabled(mDeviceAdminSample, value); 493 ... 494 } 495 return true; 496 }</pre> 497 498 499 <p>The line 500 <code>intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, 501 mDeviceAdminSample)</code> states that <code>mDeviceAdminSample</code> (which is 502 a {@link android.app.admin.DeviceAdminReceiver} component) is the target policy. 503 This line invokes the user interface shown in figure 2, which guides users through 504 adding the device administrator to the system (or allows them to reject it).</p> 505 506 <p>When the application needs to perform an operation that is contingent on the 507 device admin application being enabled, it confirms that the application is 508 active. To do this it uses the {@link android.app.admin.DevicePolicyManager} method 509 {@link android.app.admin.DevicePolicyManager#isAdminActive(android.content.ComponentName) isAdminActive()}. Notice that the {@link android.app.admin.DevicePolicyManager} 510 method {@link android.app.admin.DevicePolicyManager#isAdminActive(android.content.ComponentName) isAdminActive()} takes a {@link android.app.admin.DeviceAdminReceiver} 511 component as its argument:</p> 512 513 <pre> 514 DevicePolicyManager mDPM; 515 ... 516 private boolean isActiveAdmin() { 517 return mDPM.isAdminActive(mDeviceAdminSample); 518 } 519 </pre> 520 521 522 523 <h3 id="admin_ops">Managing policies</h3> 524 <p>{@link android.app.admin.DevicePolicyManager} is a public class for managing policies 525 enforced on a device. {@link android.app.admin.DevicePolicyManager} manages policies for one 526 or more {@link android.app.admin.DeviceAdminReceiver} instances. </p> 527 <p>You get a handle to the {@link android.app.admin.DevicePolicyManager} as follows: </p> 528 <pre> 529 DevicePolicyManager mDPM = 530 (DevicePolicyManager)getSystemService(Context.DEVICE_POLICY_SERVICE); 531 </pre> 532 <p>This section describes how to use {@link android.app.admin.DevicePolicyManager} to perform 533 administrative tasks:</p> 534 <ul> 535 <li><a href="#pwd">Set password policies</a></li> 536 <li><a href="#lock">Set device lock</a></li> 537 <li><a href="#wipe">Perform data wipe</a></li> 538 </ul> 539 540 <h4 id="pwd">Set password policies</h4> 541 <p>{@link android.app.admin.DevicePolicyManager} includes APIs for setting and enforcing the 542 device password policy. In the Device Administration API, the password only applies to 543 screen lock. This section describes common password-related tasks.</p> 544 545 <h5>Set a password for the device</h5> 546 <p>This code displays a user interface prompting the user to set a password:</p> 547 <pre>Intent intent = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD); 548 startActivity(intent); 549 </pre> 550 551 <h5>Set the password quality</h5> 552 <p>The password quality can be one of the following {@link android.app.admin.DevicePolicyManager} constants: </p> 553 <dl> 554 <dt>{@link android.app.admin.DevicePolicyManager#PASSWORD_QUALITY_ALPHABETIC}</dt><dd>The user must enter a 555 password containing at least alphabetic (or other symbol) characters.</dd> 556 <dt>{@link android.app.admin.DevicePolicyManager#PASSWORD_QUALITY_ALPHANUMERIC}</dt><dd>The user must enter a 557 password containing at least <em>both</em> numeric <em>and</em> alphabetic (or 558 other symbol) characters.</dd> 559 <dt>{@link android.app.admin.DevicePolicyManager#PASSWORD_QUALITY_NUMERIC}</dt><dd>The user must enter a password 560 containing at least numeric characters.</dd> 561 <dt>{@link 562 android.app.admin.DevicePolicyManager#PASSWORD_QUALITY_COMPLEX}</dt><dd>The user 563 must have entered a password containing at least a letter, a numerical digit and 564 a special symbol.</dd> 565 <dt>{@link 566 android.app.admin.DevicePolicyManager#PASSWORD_QUALITY_SOMETHING}</dt><dd>The 567 policy requires some kind 568 of password, but doesn't care what it is.</dd> 569 <dt>{@link android.app.admin.DevicePolicyManager#PASSWORD_QUALITY_UNSPECIFIED}</dt><dd> 570 The policy has no requirements for the password. </dd> 571 </dl> 572 <p>For example, this is how you would set the password policy to require an alphanumeric password:</p> 573 <pre> 574 DevicePolicyManager mDPM; 575 ComponentName mDeviceAdminSample; 576 ... 577 mDPM.setPasswordQuality(mDeviceAdminSample, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC); 578 </pre> 579 580 <h5>Set password content requirements</h5> 581 582 <p>Beginning with Android 3.0, the {@link android.app.admin.DevicePolicyManager} class 583 includes methods that let you fine-tune the contents of the password. For 584 example, you could set a policy that states that passwords must contain at least 585 <em>n</em> uppercase letters. Here are the methods for fine-tuning a password's 586 contents:</p> 587 <ul> 588 589 <li>{@link android.app.admin.DevicePolicyManager#setPasswordMinimumLetters(android.content.ComponentName,int) setPasswordMinimumLetters()}</li> 590 591 <li>{@link android.app.admin.DevicePolicyManager#setPasswordMinimumLowerCase(android.content.ComponentName,int) setPasswordMinimumLowerCase()}</li> 592 593 <li>{@link android.app.admin.DevicePolicyManager#setPasswordMinimumUpperCase(android.content.ComponentName,int) setPasswordMinimumUpperCase()}</li> 594 595 <li>{@link android.app.admin.DevicePolicyManager#setPasswordMinimumNonLetter(android.content.ComponentName,int) setPasswordMinimumNonLetter()}</li> 596 597 <li>{@link android.app.admin.DevicePolicyManager#setPasswordMinimumNumeric(android.content.ComponentName,int) setPasswordMinimumNumeric()}</li> 598 599 <li>{@link android.app.admin.DevicePolicyManager#setPasswordMinimumSymbols(android.content.ComponentName,int) setPasswordMinimumSymbols()}</li> 600 </ul> 601 <p>For example, this snippet states that the password must have at least 2 uppercase letters:</p> 602 <pre> 603 DevicePolicyManager mDPM; 604 ComponentName mDeviceAdminSample; 605 int pwMinUppercase = 2; 606 ... 607 mDPM.setPasswordMinimumUpperCase(mDeviceAdminSample, pwMinUppercase);</pre> 608 609 610 <h5>Set the minimum password length</h5> 611 <p>You can specify that a password must be at least the specified minimum 612 length. For example:</p> 613 <pre>DevicePolicyManager mDPM; 614 ComponentName mDeviceAdminSample; 615 int pwLength; 616 ... 617 mDPM.setPasswordMinimumLength(mDeviceAdminSample, pwLength); 618 </pre> 619 620 <h5>Set maximum failed password attempts</h5> 621 <p>You can set the maximum number of allowed failed password attempts before the 622 device is wiped (that is, reset to factory settings). For example:</p> 623 <pre>DevicePolicyManager mDPM; 624 ComponentName mDeviceAdminSample; 625 int maxFailedPw; 626 ... 627 mDPM.setMaximumFailedPasswordsForWipe(mDeviceAdminSample, maxFailedPw);</pre> 628 629 <h5 id="expiration">Set password expiration timeout</h5> 630 <p>Beginning with Android 3.0, you can use the 631 {@link android.app.admin.DevicePolicyManager#setPasswordExpirationTimeout(android.content.ComponentName,long) setPasswordExpirationTimeout()} 632 method to set when a password will expire, expressed as a delta in milliseconds from when a device admin sets the expiration timeout. For example:</p> 633 634 <pre>DevicePolicyManager mDPM; 635 ComponentName mDeviceAdminSample; 636 long pwExpiration; 637 ... 638 mDPM.setPasswordExpirationTimeout(mDeviceAdminSample, pwExpiration); 639 </pre> 640 641 <h5 id="history">Restrict password based on history</h5> 642 643 <p>Beginning with Android 3.0, you can use the 644 {@link android.app.admin.DevicePolicyManager#setPasswordHistoryLength(android.content.ComponentName,int) setPasswordHistoryLength()} 645 method to limit users' 646 ability to reuse old passwords. This method takes a <em>length</em> 647 parameter, which specifies how many old 648 passwords are stored. When this policy is active, users cannot enter a new 649 password that matches the last <em>n</em> passwords. This prevents 650 users from using the same password over and over. This policy is typically used 651 in conjunction with 652 {@link android.app.admin.DevicePolicyManager#setPasswordExpirationTimeout(android.content.ComponentName,long) setPasswordExpirationTimeout()}, 653 which forces users 654 to update their passwords after a specified amount of time has elapsed. </p> 655 656 <p>For example, this snippet prohibits users from reusing any of their last 5 passwords:</p> 657 658 <pre>DevicePolicyManager mDPM; 659 ComponentName mDeviceAdminSample; 660 int pwHistoryLength = 5; 661 ... 662 mDPM.setPasswordHistoryLength(mDeviceAdminSample, pwHistoryLength); 663 </pre> 664 665 <h4 id="lock">Set device lock</h4> 666 <p>You can set the maximum period of user inactivity that can occur before the 667 device locks. For example:</p> 668 <pre> 669 DevicePolicyManager mDPM; 670 ComponentName mDeviceAdminSample; 671 ... 672 long timeMs = 1000L*Long.parseLong(mTimeout.getText().toString()); 673 mDPM.setMaximumTimeToLock(mDeviceAdminSample, timeMs); 674 </pre> 675 <p>You can also programmatically tell the device to lock immediately:</p> 676 <pre> 677 DevicePolicyManager mDPM; 678 mDPM.lockNow();</pre> 679 680 681 682 <h4 id="wipe">Perform data wipe</h4> 683 684 <p>You can use the {@link android.app.admin.DevicePolicyManager} method 685 {@link android.app.admin.DevicePolicyManager#wipeData wipeData()} to reset the device to factory settings. This is useful 686 if the device is lost or stolen. Often the decision to wipe the device is the 687 result of certain conditions being met. For example, you can use 688 {@link android.app.admin.DevicePolicyManager#setMaximumFailedPasswordsForWipe setMaximumFailedPasswordsForWipe()} to state that a device should be 689 wiped after a specific number of failed password attempts.</p> 690 <p>You wipe data as follows:</p> 691 <pre> 692 DevicePolicyManager mDPM; 693 mDPM.wipeData(0);</pre> 694 <p>The {@link android.app.admin.DevicePolicyManager#wipeData wipeData()} method takes as its parameter a bit mask of 695 additional options. Currently the value must be 0. </p> 696 697 <h4>Disable camera</h4> 698 <p>Beginning with Android 4.0, you can disable the camera. Note that this doesn't have to be a permanent disabling. The camera can be enabled/disabled dynamically based on context, time, and so on. </p> 699 <p>You control whether the camera is disabled by using the 700 {@link android.app.admin.DevicePolicyManager#setCameraDisabled(android.content.ComponentName, boolean) setCameraDisabled()} method. For example, this snippet sets the camera to be enabled or disabled based on a checkbox setting:</p> 701 702 <pre>private CheckBoxPreference mDisableCameraCheckbox; 703 DevicePolicyManager mDPM; 704 ComponentName mDeviceAdminSample; 705 ... 706 mDPM.setCameraDisabled(mDeviceAdminSample, mDisableCameraCheckbox.isChecked());<br /> 707 </pre> 708 709 710 <h4 id=storage">Storage encryption</h4> 711 <p>Beginning with Android 3.0, you can use the 712 {@link android.app.admin.DevicePolicyManager#setStorageEncryption(android.content.ComponentName,boolean) setStorageEncryption()} 713 method to set a policy requiring encryption of the storage area, where supported.</p> 714 715 <p>For example:</p> 716 717 <pre> 718 DevicePolicyManager mDPM; 719 ComponentName mDeviceAdminSample; 720 ... 721 mDPM.setStorageEncryption(mDeviceAdminSample, true); 722 </pre> 723 <p> 724 See the <a href="{@docRoot}resources/samples/ApiDemos/src/com/example/android/apis/app/DeviceAdminSample.html"> Device Administration API sample</a> for a complete 725 example of how to enable storage encryption.</p> 726
