1 /* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.app.admin; 18 19 import org.xmlpull.v1.XmlPullParserException; 20 21 import android.annotation.SdkConstant; 22 import android.annotation.SdkConstant.SdkConstantType; 23 import android.content.ComponentName; 24 import android.content.Context; 25 import android.content.pm.ActivityInfo; 26 import android.content.pm.PackageManager; 27 import android.content.pm.ResolveInfo; 28 import android.os.Handler; 29 import android.os.RemoteCallback; 30 import android.os.RemoteException; 31 import android.os.ServiceManager; 32 import android.os.UserHandle; 33 import android.util.Log; 34 35 import java.io.IOException; 36 import java.net.InetSocketAddress; 37 import java.net.Proxy; 38 import java.util.List; 39 40 /** 41 * Public interface for managing policies enforced on a device. Most clients 42 * of this class must have published a {@link DeviceAdminReceiver} that the user 43 * has currently enabled. 44 * 45 * <div class="special reference"> 46 * <h3>Developer Guides</h3> 47 * <p>For more information about managing policies for device adminstration, read the 48 * <a href="{@docRoot}guide/topics/admin/device-admin.html">Device Administration</a> 49 * developer guide.</p> 50 * </div> 51 */ 52 public class DevicePolicyManager { 53 private static String TAG = "DevicePolicyManager"; 54 55 private final Context mContext; 56 private final IDevicePolicyManager mService; 57 58 private DevicePolicyManager(Context context, Handler handler) { 59 mContext = context; 60 mService = IDevicePolicyManager.Stub.asInterface( 61 ServiceManager.getService(Context.DEVICE_POLICY_SERVICE)); 62 } 63 64 /** @hide */ 65 public static DevicePolicyManager create(Context context, Handler handler) { 66 DevicePolicyManager me = new DevicePolicyManager(context, handler); 67 return me.mService != null ? me : null; 68 } 69 70 /** 71 * Activity action: ask the user to add a new device administrator to the system. 72 * The desired policy is the ComponentName of the policy in the 73 * {@link #EXTRA_DEVICE_ADMIN} extra field. This will invoke a UI to 74 * bring the user through adding the device administrator to the system (or 75 * allowing them to reject it). 76 * 77 * <p>You can optionally include the {@link #EXTRA_ADD_EXPLANATION} 78 * field to provide the user with additional explanation (in addition 79 * to your component's description) about what is being added. 80 * 81 * <p>If your administrator is already active, this will ordinarily return immediately (without 82 * user intervention). However, if your administrator has been updated and is requesting 83 * additional uses-policy flags, the user will be presented with the new list. New policies 84 * will not be available to the updated administrator until the user has accepted the new list. 85 */ 86 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 87 public static final String ACTION_ADD_DEVICE_ADMIN 88 = "android.app.action.ADD_DEVICE_ADMIN"; 89 90 /** 91 * Activity action: send when any policy admin changes a policy. 92 * This is generally used to find out when a new policy is in effect. 93 * 94 * @hide 95 */ 96 public static final String ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED 97 = "android.app.action.DEVICE_POLICY_MANAGER_STATE_CHANGED"; 98 99 /** 100 * The ComponentName of the administrator component. 101 * 102 * @see #ACTION_ADD_DEVICE_ADMIN 103 */ 104 public static final String EXTRA_DEVICE_ADMIN = "android.app.extra.DEVICE_ADMIN"; 105 106 /** 107 * An optional CharSequence providing additional explanation for why the 108 * admin is being added. 109 * 110 * @see #ACTION_ADD_DEVICE_ADMIN 111 */ 112 public static final String EXTRA_ADD_EXPLANATION = "android.app.extra.ADD_EXPLANATION"; 113 114 /** 115 * Activity action: have the user enter a new password. This activity should 116 * be launched after using {@link #setPasswordQuality(ComponentName, int)}, 117 * or {@link #setPasswordMinimumLength(ComponentName, int)} to have the user 118 * enter a new password that meets the current requirements. You can use 119 * {@link #isActivePasswordSufficient()} to determine whether you need to 120 * have the user select a new password in order to meet the current 121 * constraints. Upon being resumed from this activity, you can check the new 122 * password characteristics to see if they are sufficient. 123 */ 124 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 125 public static final String ACTION_SET_NEW_PASSWORD 126 = "android.app.action.SET_NEW_PASSWORD"; 127 128 /** 129 * Return true if the given administrator component is currently 130 * active (enabled) in the system. 131 */ 132 public boolean isAdminActive(ComponentName who) { 133 if (mService != null) { 134 try { 135 return mService.isAdminActive(who, UserHandle.myUserId()); 136 } catch (RemoteException e) { 137 Log.w(TAG, "Failed talking with device policy service", e); 138 } 139 } 140 return false; 141 } 142 143 /** 144 * Return a list of all currently active device administrator's component 145 * names. Note that if there are no administrators than null may be 146 * returned. 147 */ 148 public List<ComponentName> getActiveAdmins() { 149 if (mService != null) { 150 try { 151 return mService.getActiveAdmins(UserHandle.myUserId()); 152 } catch (RemoteException e) { 153 Log.w(TAG, "Failed talking with device policy service", e); 154 } 155 } 156 return null; 157 } 158 159 /** 160 * Used by package administration code to determine if a package can be stopped 161 * or uninstalled. 162 * @hide 163 */ 164 public boolean packageHasActiveAdmins(String packageName) { 165 if (mService != null) { 166 try { 167 return mService.packageHasActiveAdmins(packageName, UserHandle.myUserId()); 168 } catch (RemoteException e) { 169 Log.w(TAG, "Failed talking with device policy service", e); 170 } 171 } 172 return false; 173 } 174 175 /** 176 * Remove a current administration component. This can only be called 177 * by the application that owns the administration component; if you 178 * try to remove someone else's component, a security exception will be 179 * thrown. 180 */ 181 public void removeActiveAdmin(ComponentName who) { 182 if (mService != null) { 183 try { 184 mService.removeActiveAdmin(who, UserHandle.myUserId()); 185 } catch (RemoteException e) { 186 Log.w(TAG, "Failed talking with device policy service", e); 187 } 188 } 189 } 190 191 /** 192 * Returns true if an administrator has been granted a particular device policy. This can 193 * be used to check if the administrator was activated under an earlier set of policies, 194 * but requires additional policies after an upgrade. 195 * 196 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. Must be 197 * an active administrator, or an exception will be thrown. 198 * @param usesPolicy Which uses-policy to check, as defined in {@link DeviceAdminInfo}. 199 */ 200 public boolean hasGrantedPolicy(ComponentName admin, int usesPolicy) { 201 if (mService != null) { 202 try { 203 return mService.hasGrantedPolicy(admin, usesPolicy, UserHandle.myUserId()); 204 } catch (RemoteException e) { 205 Log.w(TAG, "Failed talking with device policy service", e); 206 } 207 } 208 return false; 209 } 210 211 /** 212 * Constant for {@link #setPasswordQuality}: the policy has no requirements 213 * for the password. Note that quality constants are ordered so that higher 214 * values are more restrictive. 215 */ 216 public static final int PASSWORD_QUALITY_UNSPECIFIED = 0; 217 218 /** 219 * Constant for {@link #setPasswordQuality}: the policy allows for low-security biometric 220 * recognition technology. This implies technologies that can recognize the identity of 221 * an individual to about a 3 digit PIN (false detection is less than 1 in 1,000). 222 * Note that quality constants are ordered so that higher values are more restrictive. 223 */ 224 public static final int PASSWORD_QUALITY_BIOMETRIC_WEAK = 0x8000; 225 226 /** 227 * Constant for {@link #setPasswordQuality}: the policy requires some kind 228 * of password, but doesn't care what it is. Note that quality constants 229 * are ordered so that higher values are more restrictive. 230 */ 231 public static final int PASSWORD_QUALITY_SOMETHING = 0x10000; 232 233 /** 234 * Constant for {@link #setPasswordQuality}: the user must have entered a 235 * password containing at least numeric characters. Note that quality 236 * constants are ordered so that higher values are more restrictive. 237 */ 238 public static final int PASSWORD_QUALITY_NUMERIC = 0x20000; 239 240 /** 241 * Constant for {@link #setPasswordQuality}: the user must have entered a 242 * password containing at least alphabetic (or other symbol) characters. 243 * Note that quality constants are ordered so that higher values are more 244 * restrictive. 245 */ 246 public static final int PASSWORD_QUALITY_ALPHABETIC = 0x40000; 247 248 /** 249 * Constant for {@link #setPasswordQuality}: the user must have entered a 250 * password containing at least <em>both></em> numeric <em>and</em> 251 * alphabetic (or other symbol) characters. Note that quality constants are 252 * ordered so that higher values are more restrictive. 253 */ 254 public static final int PASSWORD_QUALITY_ALPHANUMERIC = 0x50000; 255 256 /** 257 * Constant for {@link #setPasswordQuality}: the user must have entered a 258 * password containing at least a letter, a numerical digit and a special 259 * symbol, by default. With this password quality, passwords can be 260 * restricted to contain various sets of characters, like at least an 261 * uppercase letter, etc. These are specified using various methods, 262 * like {@link #setPasswordMinimumLowerCase(ComponentName, int)}. Note 263 * that quality constants are ordered so that higher values are more 264 * restrictive. 265 */ 266 public static final int PASSWORD_QUALITY_COMPLEX = 0x60000; 267 268 /** 269 * Called by an application that is administering the device to set the 270 * password restrictions it is imposing. After setting this, the user 271 * will not be able to enter a new password that is not at least as 272 * restrictive as what has been set. Note that the current password 273 * will remain until the user has set a new one, so the change does not 274 * take place immediately. To prompt the user for a new password, use 275 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. 276 * 277 * <p>Quality constants are ordered so that higher values are more restrictive; 278 * thus the highest requested quality constant (between the policy set here, 279 * the user's preference, and any other considerations) is the one that 280 * is in effect. 281 * 282 * <p>The calling device admin must have requested 283 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 284 * this method; if it has not, a security exception will be thrown. 285 * 286 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 287 * @param quality The new desired quality. One of 288 * {@link #PASSWORD_QUALITY_UNSPECIFIED}, {@link #PASSWORD_QUALITY_SOMETHING}, 289 * {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_ALPHABETIC}, 290 * {@link #PASSWORD_QUALITY_ALPHANUMERIC} or {@link #PASSWORD_QUALITY_COMPLEX}. 291 */ 292 public void setPasswordQuality(ComponentName admin, int quality) { 293 if (mService != null) { 294 try { 295 mService.setPasswordQuality(admin, quality, UserHandle.myUserId()); 296 } catch (RemoteException e) { 297 Log.w(TAG, "Failed talking with device policy service", e); 298 } 299 } 300 } 301 302 /** 303 * Retrieve the current minimum password quality for all admins 304 * or a particular one. 305 * @param admin The name of the admin component to check, or null to aggregate 306 * all admins. 307 */ 308 public int getPasswordQuality(ComponentName admin) { 309 return getPasswordQuality(admin, UserHandle.myUserId()); 310 } 311 312 /** @hide per-user version */ 313 public int getPasswordQuality(ComponentName admin, int userHandle) { 314 if (mService != null) { 315 try { 316 return mService.getPasswordQuality(admin, userHandle); 317 } catch (RemoteException e) { 318 Log.w(TAG, "Failed talking with device policy service", e); 319 } 320 } 321 return PASSWORD_QUALITY_UNSPECIFIED; 322 } 323 324 /** 325 * Called by an application that is administering the device to set the 326 * minimum allowed password length. After setting this, the user 327 * will not be able to enter a new password that is not at least as 328 * restrictive as what has been set. Note that the current password 329 * will remain until the user has set a new one, so the change does not 330 * take place immediately. To prompt the user for a new password, use 331 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 332 * constraint is only imposed if the administrator has also requested either 333 * {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_ALPHABETIC} 334 * {@link #PASSWORD_QUALITY_ALPHANUMERIC}, or {@link #PASSWORD_QUALITY_COMPLEX} 335 * with {@link #setPasswordQuality}. 336 * 337 * <p>The calling device admin must have requested 338 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 339 * this method; if it has not, a security exception will be thrown. 340 * 341 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 342 * @param length The new desired minimum password length. A value of 0 343 * means there is no restriction. 344 */ 345 public void setPasswordMinimumLength(ComponentName admin, int length) { 346 if (mService != null) { 347 try { 348 mService.setPasswordMinimumLength(admin, length, UserHandle.myUserId()); 349 } catch (RemoteException e) { 350 Log.w(TAG, "Failed talking with device policy service", e); 351 } 352 } 353 } 354 355 /** 356 * Retrieve the current minimum password length for all admins 357 * or a particular one. 358 * @param admin The name of the admin component to check, or null to aggregate 359 * all admins. 360 */ 361 public int getPasswordMinimumLength(ComponentName admin) { 362 return getPasswordMinimumLength(admin, UserHandle.myUserId()); 363 } 364 365 /** @hide per-user version */ 366 public int getPasswordMinimumLength(ComponentName admin, int userHandle) { 367 if (mService != null) { 368 try { 369 return mService.getPasswordMinimumLength(admin, userHandle); 370 } catch (RemoteException e) { 371 Log.w(TAG, "Failed talking with device policy service", e); 372 } 373 } 374 return 0; 375 } 376 377 /** 378 * Called by an application that is administering the device to set the 379 * minimum number of upper case letters required in the password. After 380 * setting this, the user will not be able to enter a new password that is 381 * not at least as restrictive as what has been set. Note that the current 382 * password will remain until the user has set a new one, so the change does 383 * not take place immediately. To prompt the user for a new password, use 384 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 385 * constraint is only imposed if the administrator has also requested 386 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 387 * default value is 0. 388 * <p> 389 * The calling device admin must have requested 390 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 391 * this method; if it has not, a security exception will be thrown. 392 * 393 * @param admin Which {@link DeviceAdminReceiver} this request is associated 394 * with. 395 * @param length The new desired minimum number of upper case letters 396 * required in the password. A value of 0 means there is no 397 * restriction. 398 */ 399 public void setPasswordMinimumUpperCase(ComponentName admin, int length) { 400 if (mService != null) { 401 try { 402 mService.setPasswordMinimumUpperCase(admin, length, UserHandle.myUserId()); 403 } catch (RemoteException e) { 404 Log.w(TAG, "Failed talking with device policy service", e); 405 } 406 } 407 } 408 409 /** 410 * Retrieve the current number of upper case letters required in the 411 * password for all admins or a particular one. This is the same value as 412 * set by {#link {@link #setPasswordMinimumUpperCase(ComponentName, int)} 413 * and only applies when the password quality is 414 * {@link #PASSWORD_QUALITY_COMPLEX}. 415 * 416 * @param admin The name of the admin component to check, or null to 417 * aggregate all admins. 418 * @return The minimum number of upper case letters required in the 419 * password. 420 */ 421 public int getPasswordMinimumUpperCase(ComponentName admin) { 422 return getPasswordMinimumUpperCase(admin, UserHandle.myUserId()); 423 } 424 425 /** @hide per-user version */ 426 public int getPasswordMinimumUpperCase(ComponentName admin, int userHandle) { 427 if (mService != null) { 428 try { 429 return mService.getPasswordMinimumUpperCase(admin, userHandle); 430 } catch (RemoteException e) { 431 Log.w(TAG, "Failed talking with device policy service", e); 432 } 433 } 434 return 0; 435 } 436 437 /** 438 * Called by an application that is administering the device to set the 439 * minimum number of lower case letters required in the password. After 440 * setting this, the user will not be able to enter a new password that is 441 * not at least as restrictive as what has been set. Note that the current 442 * password will remain until the user has set a new one, so the change does 443 * not take place immediately. To prompt the user for a new password, use 444 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 445 * constraint is only imposed if the administrator has also requested 446 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 447 * default value is 0. 448 * <p> 449 * The calling device admin must have requested 450 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 451 * this method; if it has not, a security exception will be thrown. 452 * 453 * @param admin Which {@link DeviceAdminReceiver} this request is associated 454 * with. 455 * @param length The new desired minimum number of lower case letters 456 * required in the password. A value of 0 means there is no 457 * restriction. 458 */ 459 public void setPasswordMinimumLowerCase(ComponentName admin, int length) { 460 if (mService != null) { 461 try { 462 mService.setPasswordMinimumLowerCase(admin, length, UserHandle.myUserId()); 463 } catch (RemoteException e) { 464 Log.w(TAG, "Failed talking with device policy service", e); 465 } 466 } 467 } 468 469 /** 470 * Retrieve the current number of lower case letters required in the 471 * password for all admins or a particular one. This is the same value as 472 * set by {#link {@link #setPasswordMinimumLowerCase(ComponentName, int)} 473 * and only applies when the password quality is 474 * {@link #PASSWORD_QUALITY_COMPLEX}. 475 * 476 * @param admin The name of the admin component to check, or null to 477 * aggregate all admins. 478 * @return The minimum number of lower case letters required in the 479 * password. 480 */ 481 public int getPasswordMinimumLowerCase(ComponentName admin) { 482 return getPasswordMinimumLowerCase(admin, UserHandle.myUserId()); 483 } 484 485 /** @hide per-user version */ 486 public int getPasswordMinimumLowerCase(ComponentName admin, int userHandle) { 487 if (mService != null) { 488 try { 489 return mService.getPasswordMinimumLowerCase(admin, userHandle); 490 } catch (RemoteException e) { 491 Log.w(TAG, "Failed talking with device policy service", e); 492 } 493 } 494 return 0; 495 } 496 497 /** 498 * Called by an application that is administering the device to set the 499 * minimum number of letters required in the password. After setting this, 500 * the user will not be able to enter a new password that is not at least as 501 * restrictive as what has been set. Note that the current password will 502 * remain until the user has set a new one, so the change does not take 503 * place immediately. To prompt the user for a new password, use 504 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 505 * constraint is only imposed if the administrator has also requested 506 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 507 * default value is 1. 508 * <p> 509 * The calling device admin must have requested 510 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 511 * this method; if it has not, a security exception will be thrown. 512 * 513 * @param admin Which {@link DeviceAdminReceiver} this request is associated 514 * with. 515 * @param length The new desired minimum number of letters required in the 516 * password. A value of 0 means there is no restriction. 517 */ 518 public void setPasswordMinimumLetters(ComponentName admin, int length) { 519 if (mService != null) { 520 try { 521 mService.setPasswordMinimumLetters(admin, length, UserHandle.myUserId()); 522 } catch (RemoteException e) { 523 Log.w(TAG, "Failed talking with device policy service", e); 524 } 525 } 526 } 527 528 /** 529 * Retrieve the current number of letters required in the password for all 530 * admins or a particular one. This is the same value as 531 * set by {#link {@link #setPasswordMinimumLetters(ComponentName, int)} 532 * and only applies when the password quality is 533 * {@link #PASSWORD_QUALITY_COMPLEX}. 534 * 535 * @param admin The name of the admin component to check, or null to 536 * aggregate all admins. 537 * @return The minimum number of letters required in the password. 538 */ 539 public int getPasswordMinimumLetters(ComponentName admin) { 540 return getPasswordMinimumLetters(admin, UserHandle.myUserId()); 541 } 542 543 /** @hide per-user version */ 544 public int getPasswordMinimumLetters(ComponentName admin, int userHandle) { 545 if (mService != null) { 546 try { 547 return mService.getPasswordMinimumLetters(admin, userHandle); 548 } catch (RemoteException e) { 549 Log.w(TAG, "Failed talking with device policy service", e); 550 } 551 } 552 return 0; 553 } 554 555 /** 556 * Called by an application that is administering the device to set the 557 * minimum number of numerical digits required in the password. After 558 * setting this, the user will not be able to enter a new password that is 559 * not at least as restrictive as what has been set. Note that the current 560 * password will remain until the user has set a new one, so the change does 561 * not take place immediately. To prompt the user for a new password, use 562 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 563 * constraint is only imposed if the administrator has also requested 564 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 565 * default value is 1. 566 * <p> 567 * The calling device admin must have requested 568 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 569 * this method; if it has not, a security exception will be thrown. 570 * 571 * @param admin Which {@link DeviceAdminReceiver} this request is associated 572 * with. 573 * @param length The new desired minimum number of numerical digits required 574 * in the password. A value of 0 means there is no restriction. 575 */ 576 public void setPasswordMinimumNumeric(ComponentName admin, int length) { 577 if (mService != null) { 578 try { 579 mService.setPasswordMinimumNumeric(admin, length, UserHandle.myUserId()); 580 } catch (RemoteException e) { 581 Log.w(TAG, "Failed talking with device policy service", e); 582 } 583 } 584 } 585 586 /** 587 * Retrieve the current number of numerical digits required in the password 588 * for all admins or a particular one. This is the same value as 589 * set by {#link {@link #setPasswordMinimumNumeric(ComponentName, int)} 590 * and only applies when the password quality is 591 * {@link #PASSWORD_QUALITY_COMPLEX}. 592 * 593 * @param admin The name of the admin component to check, or null to 594 * aggregate all admins. 595 * @return The minimum number of numerical digits required in the password. 596 */ 597 public int getPasswordMinimumNumeric(ComponentName admin) { 598 return getPasswordMinimumNumeric(admin, UserHandle.myUserId()); 599 } 600 601 /** @hide per-user version */ 602 public int getPasswordMinimumNumeric(ComponentName admin, int userHandle) { 603 if (mService != null) { 604 try { 605 return mService.getPasswordMinimumNumeric(admin, userHandle); 606 } catch (RemoteException e) { 607 Log.w(TAG, "Failed talking with device policy service", e); 608 } 609 } 610 return 0; 611 } 612 613 /** 614 * Called by an application that is administering the device to set the 615 * minimum number of symbols required in the password. After setting this, 616 * the user will not be able to enter a new password that is not at least as 617 * restrictive as what has been set. Note that the current password will 618 * remain until the user has set a new one, so the change does not take 619 * place immediately. To prompt the user for a new password, use 620 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 621 * constraint is only imposed if the administrator has also requested 622 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 623 * default value is 1. 624 * <p> 625 * The calling device admin must have requested 626 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 627 * this method; if it has not, a security exception will be thrown. 628 * 629 * @param admin Which {@link DeviceAdminReceiver} this request is associated 630 * with. 631 * @param length The new desired minimum number of symbols required in the 632 * password. A value of 0 means there is no restriction. 633 */ 634 public void setPasswordMinimumSymbols(ComponentName admin, int length) { 635 if (mService != null) { 636 try { 637 mService.setPasswordMinimumSymbols(admin, length, UserHandle.myUserId()); 638 } catch (RemoteException e) { 639 Log.w(TAG, "Failed talking with device policy service", e); 640 } 641 } 642 } 643 644 /** 645 * Retrieve the current number of symbols required in the password for all 646 * admins or a particular one. This is the same value as 647 * set by {#link {@link #setPasswordMinimumSymbols(ComponentName, int)} 648 * and only applies when the password quality is 649 * {@link #PASSWORD_QUALITY_COMPLEX}. 650 * 651 * @param admin The name of the admin component to check, or null to 652 * aggregate all admins. 653 * @return The minimum number of symbols required in the password. 654 */ 655 public int getPasswordMinimumSymbols(ComponentName admin) { 656 return getPasswordMinimumSymbols(admin, UserHandle.myUserId()); 657 } 658 659 /** @hide per-user version */ 660 public int getPasswordMinimumSymbols(ComponentName admin, int userHandle) { 661 if (mService != null) { 662 try { 663 return mService.getPasswordMinimumSymbols(admin, userHandle); 664 } catch (RemoteException e) { 665 Log.w(TAG, "Failed talking with device policy service", e); 666 } 667 } 668 return 0; 669 } 670 671 /** 672 * Called by an application that is administering the device to set the 673 * minimum number of non-letter characters (numerical digits or symbols) 674 * required in the password. After setting this, the user will not be able 675 * to enter a new password that is not at least as restrictive as what has 676 * been set. Note that the current password will remain until the user has 677 * set a new one, so the change does not take place immediately. To prompt 678 * the user for a new password, use {@link #ACTION_SET_NEW_PASSWORD} after 679 * setting this value. This constraint is only imposed if the administrator 680 * has also requested {@link #PASSWORD_QUALITY_COMPLEX} with 681 * {@link #setPasswordQuality}. The default value is 0. 682 * <p> 683 * The calling device admin must have requested 684 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 685 * this method; if it has not, a security exception will be thrown. 686 * 687 * @param admin Which {@link DeviceAdminReceiver} this request is associated 688 * with. 689 * @param length The new desired minimum number of letters required in the 690 * password. A value of 0 means there is no restriction. 691 */ 692 public void setPasswordMinimumNonLetter(ComponentName admin, int length) { 693 if (mService != null) { 694 try { 695 mService.setPasswordMinimumNonLetter(admin, length, UserHandle.myUserId()); 696 } catch (RemoteException e) { 697 Log.w(TAG, "Failed talking with device policy service", e); 698 } 699 } 700 } 701 702 /** 703 * Retrieve the current number of non-letter characters required in the 704 * password for all admins or a particular one. This is the same value as 705 * set by {#link {@link #setPasswordMinimumNonLetter(ComponentName, int)} 706 * and only applies when the password quality is 707 * {@link #PASSWORD_QUALITY_COMPLEX}. 708 * 709 * @param admin The name of the admin component to check, or null to 710 * aggregate all admins. 711 * @return The minimum number of letters required in the password. 712 */ 713 public int getPasswordMinimumNonLetter(ComponentName admin) { 714 return getPasswordMinimumNonLetter(admin, UserHandle.myUserId()); 715 } 716 717 /** @hide per-user version */ 718 public int getPasswordMinimumNonLetter(ComponentName admin, int userHandle) { 719 if (mService != null) { 720 try { 721 return mService.getPasswordMinimumNonLetter(admin, userHandle); 722 } catch (RemoteException e) { 723 Log.w(TAG, "Failed talking with device policy service", e); 724 } 725 } 726 return 0; 727 } 728 729 /** 730 * Called by an application that is administering the device to set the length 731 * of the password history. After setting this, the user will not be able to 732 * enter a new password that is the same as any password in the history. Note 733 * that the current password will remain until the user has set a new one, so 734 * the change does not take place immediately. To prompt the user for a new 735 * password, use {@link #ACTION_SET_NEW_PASSWORD} after setting this value. 736 * This constraint is only imposed if the administrator has also requested 737 * either {@link #PASSWORD_QUALITY_NUMERIC}, 738 * {@link #PASSWORD_QUALITY_ALPHABETIC}, or 739 * {@link #PASSWORD_QUALITY_ALPHANUMERIC} with {@link #setPasswordQuality}. 740 * 741 * <p> 742 * The calling device admin must have requested 743 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call this 744 * method; if it has not, a security exception will be thrown. 745 * 746 * @param admin Which {@link DeviceAdminReceiver} this request is associated 747 * with. 748 * @param length The new desired length of password history. A value of 0 749 * means there is no restriction. 750 */ 751 public void setPasswordHistoryLength(ComponentName admin, int length) { 752 if (mService != null) { 753 try { 754 mService.setPasswordHistoryLength(admin, length, UserHandle.myUserId()); 755 } catch (RemoteException e) { 756 Log.w(TAG, "Failed talking with device policy service", e); 757 } 758 } 759 } 760 761 /** 762 * Called by a device admin to set the password expiration timeout. Calling this method 763 * will restart the countdown for password expiration for the given admin, as will changing 764 * the device password (for all admins). 765 * 766 * <p>The provided timeout is the time delta in ms and will be added to the current time. 767 * For example, to have the password expire 5 days from now, timeout would be 768 * 5 * 86400 * 1000 = 432000000 ms for timeout. 769 * 770 * <p>To disable password expiration, a value of 0 may be used for timeout. 771 * 772 * <p>The calling device admin must have requested 773 * {@link DeviceAdminInfo#USES_POLICY_EXPIRE_PASSWORD} to be able to call this 774 * method; if it has not, a security exception will be thrown. 775 * 776 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 777 * @param timeout The limit (in ms) that a password can remain in effect. A value of 0 778 * means there is no restriction (unlimited). 779 */ 780 public void setPasswordExpirationTimeout(ComponentName admin, long timeout) { 781 if (mService != null) { 782 try { 783 mService.setPasswordExpirationTimeout(admin, timeout, UserHandle.myUserId()); 784 } catch (RemoteException e) { 785 Log.w(TAG, "Failed talking with device policy service", e); 786 } 787 } 788 } 789 790 /** 791 * Get the password expiration timeout for the given admin. The expiration timeout is the 792 * recurring expiration timeout provided in the call to 793 * {@link #setPasswordExpirationTimeout(ComponentName, long)} for the given admin or the 794 * aggregate of all policy administrators if admin is null. 795 * 796 * @param admin The name of the admin component to check, or null to aggregate all admins. 797 * @return The timeout for the given admin or the minimum of all timeouts 798 */ 799 public long getPasswordExpirationTimeout(ComponentName admin) { 800 if (mService != null) { 801 try { 802 return mService.getPasswordExpirationTimeout(admin, UserHandle.myUserId()); 803 } catch (RemoteException e) { 804 Log.w(TAG, "Failed talking with device policy service", e); 805 } 806 } 807 return 0; 808 } 809 810 /** 811 * Get the current password expiration time for the given admin or an aggregate of 812 * all admins if admin is null. If the password is expired, this will return the time since 813 * the password expired as a negative number. If admin is null, then a composite of all 814 * expiration timeouts is returned - which will be the minimum of all timeouts. 815 * 816 * @param admin The name of the admin component to check, or null to aggregate all admins. 817 * @return The password expiration time, in ms. 818 */ 819 public long getPasswordExpiration(ComponentName admin) { 820 if (mService != null) { 821 try { 822 return mService.getPasswordExpiration(admin, UserHandle.myUserId()); 823 } catch (RemoteException e) { 824 Log.w(TAG, "Failed talking with device policy service", e); 825 } 826 } 827 return 0; 828 } 829 830 /** 831 * Retrieve the current password history length for all admins 832 * or a particular one. 833 * @param admin The name of the admin component to check, or null to aggregate 834 * all admins. 835 * @return The length of the password history 836 */ 837 public int getPasswordHistoryLength(ComponentName admin) { 838 return getPasswordHistoryLength(admin, UserHandle.myUserId()); 839 } 840 841 /** @hide per-user version */ 842 public int getPasswordHistoryLength(ComponentName admin, int userHandle) { 843 if (mService != null) { 844 try { 845 return mService.getPasswordHistoryLength(admin, userHandle); 846 } catch (RemoteException e) { 847 Log.w(TAG, "Failed talking with device policy service", e); 848 } 849 } 850 return 0; 851 } 852 853 /** 854 * Return the maximum password length that the device supports for a 855 * particular password quality. 856 * @param quality The quality being interrogated. 857 * @return Returns the maximum length that the user can enter. 858 */ 859 public int getPasswordMaximumLength(int quality) { 860 // Kind-of arbitrary. 861 return 16; 862 } 863 864 /** 865 * Determine whether the current password the user has set is sufficient 866 * to meet the policy requirements (quality, minimum length) that have been 867 * requested. 868 * 869 * <p>The calling device admin must have requested 870 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 871 * this method; if it has not, a security exception will be thrown. 872 * 873 * @return Returns true if the password meets the current requirements, 874 * else false. 875 */ 876 public boolean isActivePasswordSufficient() { 877 if (mService != null) { 878 try { 879 return mService.isActivePasswordSufficient(UserHandle.myUserId()); 880 } catch (RemoteException e) { 881 Log.w(TAG, "Failed talking with device policy service", e); 882 } 883 } 884 return false; 885 } 886 887 /** 888 * Retrieve the number of times the user has failed at entering a 889 * password since that last successful password entry. 890 * 891 * <p>The calling device admin must have requested 892 * {@link DeviceAdminInfo#USES_POLICY_WATCH_LOGIN} to be able to call 893 * this method; if it has not, a security exception will be thrown. 894 */ 895 public int getCurrentFailedPasswordAttempts() { 896 if (mService != null) { 897 try { 898 return mService.getCurrentFailedPasswordAttempts(UserHandle.myUserId()); 899 } catch (RemoteException e) { 900 Log.w(TAG, "Failed talking with device policy service", e); 901 } 902 } 903 return -1; 904 } 905 906 /** 907 * Setting this to a value greater than zero enables a built-in policy 908 * that will perform a device wipe after too many incorrect 909 * device-unlock passwords have been entered. This built-in policy combines 910 * watching for failed passwords and wiping the device, and requires 911 * that you request both {@link DeviceAdminInfo#USES_POLICY_WATCH_LOGIN} and 912 * {@link DeviceAdminInfo#USES_POLICY_WIPE_DATA}}. 913 * 914 * <p>To implement any other policy (e.g. wiping data for a particular 915 * application only, erasing or revoking credentials, or reporting the 916 * failure to a server), you should implement 917 * {@link DeviceAdminReceiver#onPasswordFailed(Context, android.content.Intent)} 918 * instead. Do not use this API, because if the maximum count is reached, 919 * the device will be wiped immediately, and your callback will not be invoked. 920 * 921 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 922 * @param num The number of failed password attempts at which point the 923 * device will wipe its data. 924 */ 925 public void setMaximumFailedPasswordsForWipe(ComponentName admin, int num) { 926 if (mService != null) { 927 try { 928 mService.setMaximumFailedPasswordsForWipe(admin, num, UserHandle.myUserId()); 929 } catch (RemoteException e) { 930 Log.w(TAG, "Failed talking with device policy service", e); 931 } 932 } 933 } 934 935 /** 936 * Retrieve the current maximum number of login attempts that are allowed 937 * before the device wipes itself, for all admins 938 * or a particular one. 939 * @param admin The name of the admin component to check, or null to aggregate 940 * all admins. 941 */ 942 public int getMaximumFailedPasswordsForWipe(ComponentName admin) { 943 return getMaximumFailedPasswordsForWipe(admin, UserHandle.myUserId()); 944 } 945 946 /** @hide per-user version */ 947 public int getMaximumFailedPasswordsForWipe(ComponentName admin, int userHandle) { 948 if (mService != null) { 949 try { 950 return mService.getMaximumFailedPasswordsForWipe(admin, userHandle); 951 } catch (RemoteException e) { 952 Log.w(TAG, "Failed talking with device policy service", e); 953 } 954 } 955 return 0; 956 } 957 958 /** 959 * Flag for {@link #resetPassword}: don't allow other admins to change 960 * the password again until the user has entered it. 961 */ 962 public static final int RESET_PASSWORD_REQUIRE_ENTRY = 0x0001; 963 964 /** 965 * Force a new device unlock password (the password needed to access the 966 * entire device, not for individual accounts) on the user. This takes 967 * effect immediately. 968 * The given password must be sufficient for the 969 * current password quality and length constraints as returned by 970 * {@link #getPasswordQuality(ComponentName)} and 971 * {@link #getPasswordMinimumLength(ComponentName)}; if it does not meet 972 * these constraints, then it will be rejected and false returned. Note 973 * that the password may be a stronger quality (containing alphanumeric 974 * characters when the requested quality is only numeric), in which case 975 * the currently active quality will be increased to match. 976 * 977 * <p>The calling device admin must have requested 978 * {@link DeviceAdminInfo#USES_POLICY_RESET_PASSWORD} to be able to call 979 * this method; if it has not, a security exception will be thrown. 980 * 981 * @param password The new password for the user. 982 * @param flags May be 0 or {@link #RESET_PASSWORD_REQUIRE_ENTRY}. 983 * @return Returns true if the password was applied, or false if it is 984 * not acceptable for the current constraints. 985 */ 986 public boolean resetPassword(String password, int flags) { 987 if (mService != null) { 988 try { 989 return mService.resetPassword(password, flags, UserHandle.myUserId()); 990 } catch (RemoteException e) { 991 Log.w(TAG, "Failed talking with device policy service", e); 992 } 993 } 994 return false; 995 } 996 997 /** 998 * Called by an application that is administering the device to set the 999 * maximum time for user activity until the device will lock. This limits 1000 * the length that the user can set. It takes effect immediately. 1001 * 1002 * <p>The calling device admin must have requested 1003 * {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK} to be able to call 1004 * this method; if it has not, a security exception will be thrown. 1005 * 1006 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1007 * @param timeMs The new desired maximum time to lock in milliseconds. 1008 * A value of 0 means there is no restriction. 1009 */ 1010 public void setMaximumTimeToLock(ComponentName admin, long timeMs) { 1011 if (mService != null) { 1012 try { 1013 mService.setMaximumTimeToLock(admin, timeMs, UserHandle.myUserId()); 1014 } catch (RemoteException e) { 1015 Log.w(TAG, "Failed talking with device policy service", e); 1016 } 1017 } 1018 } 1019 1020 /** 1021 * Retrieve the current maximum time to unlock for all admins 1022 * or a particular one. 1023 * @param admin The name of the admin component to check, or null to aggregate 1024 * all admins. 1025 */ 1026 public long getMaximumTimeToLock(ComponentName admin) { 1027 return getMaximumTimeToLock(admin, UserHandle.myUserId()); 1028 } 1029 1030 /** @hide per-user version */ 1031 public long getMaximumTimeToLock(ComponentName admin, int userHandle) { 1032 if (mService != null) { 1033 try { 1034 return mService.getMaximumTimeToLock(admin, userHandle); 1035 } catch (RemoteException e) { 1036 Log.w(TAG, "Failed talking with device policy service", e); 1037 } 1038 } 1039 return 0; 1040 } 1041 1042 /** 1043 * Make the device lock immediately, as if the lock screen timeout has 1044 * expired at the point of this call. 1045 * 1046 * <p>The calling device admin must have requested 1047 * {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK} to be able to call 1048 * this method; if it has not, a security exception will be thrown. 1049 */ 1050 public void lockNow() { 1051 if (mService != null) { 1052 try { 1053 mService.lockNow(); 1054 } catch (RemoteException e) { 1055 Log.w(TAG, "Failed talking with device policy service", e); 1056 } 1057 } 1058 } 1059 1060 /** 1061 * Flag for {@link #wipeData(int)}: also erase the device's external 1062 * storage. 1063 */ 1064 public static final int WIPE_EXTERNAL_STORAGE = 0x0001; 1065 1066 /** 1067 * Ask the user date be wiped. This will cause the device to reboot, 1068 * erasing all user data while next booting up. External storage such 1069 * as SD cards will be also erased if the flag {@link #WIPE_EXTERNAL_STORAGE} 1070 * is set. 1071 * 1072 * <p>The calling device admin must have requested 1073 * {@link DeviceAdminInfo#USES_POLICY_WIPE_DATA} to be able to call 1074 * this method; if it has not, a security exception will be thrown. 1075 * 1076 * @param flags Bit mask of additional options: currently 0 and 1077 * {@link #WIPE_EXTERNAL_STORAGE} are supported. 1078 */ 1079 public void wipeData(int flags) { 1080 if (mService != null) { 1081 try { 1082 mService.wipeData(flags, UserHandle.myUserId()); 1083 } catch (RemoteException e) { 1084 Log.w(TAG, "Failed talking with device policy service", e); 1085 } 1086 } 1087 } 1088 1089 /** 1090 * Called by an application that is administering the device to set the 1091 * global proxy and exclusion list. 1092 * <p> 1093 * The calling device admin must have requested 1094 * {@link DeviceAdminInfo#USES_POLICY_SETS_GLOBAL_PROXY} to be able to call 1095 * this method; if it has not, a security exception will be thrown. 1096 * Only the first device admin can set the proxy. If a second admin attempts 1097 * to set the proxy, the {@link ComponentName} of the admin originally setting the 1098 * proxy will be returned. If successful in setting the proxy, null will 1099 * be returned. 1100 * The method can be called repeatedly by the device admin alrady setting the 1101 * proxy to update the proxy and exclusion list. 1102 * 1103 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1104 * with. 1105 * @param proxySpec the global proxy desired. Must be an HTTP Proxy. 1106 * Pass Proxy.NO_PROXY to reset the proxy. 1107 * @param exclusionList a list of domains to be excluded from the global proxy. 1108 * @return returns null if the proxy was successfully set, or a {@link ComponentName} 1109 * of the device admin that sets thew proxy otherwise. 1110 * @hide 1111 */ 1112 public ComponentName setGlobalProxy(ComponentName admin, Proxy proxySpec, 1113 List<String> exclusionList ) { 1114 if (proxySpec == null) { 1115 throw new NullPointerException(); 1116 } 1117 if (mService != null) { 1118 try { 1119 String hostSpec; 1120 String exclSpec; 1121 if (proxySpec.equals(Proxy.NO_PROXY)) { 1122 hostSpec = null; 1123 exclSpec = null; 1124 } else { 1125 if (!proxySpec.type().equals(Proxy.Type.HTTP)) { 1126 throw new IllegalArgumentException(); 1127 } 1128 InetSocketAddress sa = (InetSocketAddress)proxySpec.address(); 1129 String hostName = sa.getHostName(); 1130 int port = sa.getPort(); 1131 StringBuilder hostBuilder = new StringBuilder(); 1132 hostSpec = hostBuilder.append(hostName) 1133 .append(":").append(Integer.toString(port)).toString(); 1134 if (exclusionList == null) { 1135 exclSpec = ""; 1136 } else { 1137 StringBuilder listBuilder = new StringBuilder(); 1138 boolean firstDomain = true; 1139 for (String exclDomain : exclusionList) { 1140 if (!firstDomain) { 1141 listBuilder = listBuilder.append(","); 1142 } else { 1143 firstDomain = false; 1144 } 1145 listBuilder = listBuilder.append(exclDomain.trim()); 1146 } 1147 exclSpec = listBuilder.toString(); 1148 } 1149 android.net.Proxy.validate(hostName, Integer.toString(port), exclSpec); 1150 } 1151 return mService.setGlobalProxy(admin, hostSpec, exclSpec, UserHandle.myUserId()); 1152 } catch (RemoteException e) { 1153 Log.w(TAG, "Failed talking with device policy service", e); 1154 } 1155 } 1156 return null; 1157 } 1158 1159 /** 1160 * Returns the component name setting the global proxy. 1161 * @return ComponentName object of the device admin that set the global proxy, or 1162 * null if no admin has set the proxy. 1163 * @hide 1164 */ 1165 public ComponentName getGlobalProxyAdmin() { 1166 if (mService != null) { 1167 try { 1168 return mService.getGlobalProxyAdmin(UserHandle.myUserId()); 1169 } catch (RemoteException e) { 1170 Log.w(TAG, "Failed talking with device policy service", e); 1171 } 1172 } 1173 return null; 1174 } 1175 1176 /** 1177 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1178 * indicating that encryption is not supported. 1179 */ 1180 public static final int ENCRYPTION_STATUS_UNSUPPORTED = 0; 1181 1182 /** 1183 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1184 * indicating that encryption is supported, but is not currently active. 1185 */ 1186 public static final int ENCRYPTION_STATUS_INACTIVE = 1; 1187 1188 /** 1189 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1190 * indicating that encryption is not currently active, but is currently 1191 * being activated. This is only reported by devices that support 1192 * encryption of data and only when the storage is currently 1193 * undergoing a process of becoming encrypted. A device that must reboot and/or wipe data 1194 * to become encrypted will never return this value. 1195 */ 1196 public static final int ENCRYPTION_STATUS_ACTIVATING = 2; 1197 1198 /** 1199 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1200 * indicating that encryption is active. 1201 */ 1202 public static final int ENCRYPTION_STATUS_ACTIVE = 3; 1203 1204 /** 1205 * Activity action: begin the process of encrypting data on the device. This activity should 1206 * be launched after using {@link #setStorageEncryption} to request encryption be activated. 1207 * After resuming from this activity, use {@link #getStorageEncryption} 1208 * to check encryption status. However, on some devices this activity may never return, as 1209 * it may trigger a reboot and in some cases a complete data wipe of the device. 1210 */ 1211 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 1212 public static final String ACTION_START_ENCRYPTION 1213 = "android.app.action.START_ENCRYPTION"; 1214 1215 /** 1216 * Widgets are enabled in keyguard 1217 */ 1218 public static final int KEYGUARD_DISABLE_FEATURES_NONE = 0; 1219 1220 /** 1221 * Disable all keyguard widgets 1222 */ 1223 public static final int KEYGUARD_DISABLE_WIDGETS_ALL = 1 << 0; 1224 1225 /** 1226 * Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password) 1227 */ 1228 public static final int KEYGUARD_DISABLE_SECURE_CAMERA = 1 << 1; 1229 1230 /** 1231 * Disable all current and future keyguard customizations. 1232 */ 1233 public static final int KEYGUARD_DISABLE_FEATURES_ALL = 0x7fffffff; 1234 1235 /** 1236 * Called by an application that is administering the device to 1237 * request that the storage system be encrypted. 1238 * 1239 * <p>When multiple device administrators attempt to control device 1240 * encryption, the most secure, supported setting will always be 1241 * used. If any device administrator requests device encryption, 1242 * it will be enabled; Conversely, if a device administrator 1243 * attempts to disable device encryption while another 1244 * device administrator has enabled it, the call to disable will 1245 * fail (most commonly returning {@link #ENCRYPTION_STATUS_ACTIVE}). 1246 * 1247 * <p>This policy controls encryption of the secure (application data) storage area. Data 1248 * written to other storage areas may or may not be encrypted, and this policy does not require 1249 * or control the encryption of any other storage areas. 1250 * There is one exception: If {@link android.os.Environment#isExternalStorageEmulated()} is 1251 * {@code true}, then the directory returned by 1252 * {@link android.os.Environment#getExternalStorageDirectory()} must be written to disk 1253 * within the encrypted storage area. 1254 * 1255 * <p>Important Note: On some devices, it is possible to encrypt storage without requiring 1256 * the user to create a device PIN or Password. In this case, the storage is encrypted, but 1257 * the encryption key may not be fully secured. For maximum security, the administrator should 1258 * also require (and check for) a pattern, PIN, or password. 1259 * 1260 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1261 * @param encrypt true to request encryption, false to release any previous request 1262 * @return the new request status (for all active admins) - will be one of 1263 * {@link #ENCRYPTION_STATUS_UNSUPPORTED}, {@link #ENCRYPTION_STATUS_INACTIVE}, or 1264 * {@link #ENCRYPTION_STATUS_ACTIVE}. This is the value of the requests; Use 1265 * {@link #getStorageEncryptionStatus()} to query the actual device state. 1266 */ 1267 public int setStorageEncryption(ComponentName admin, boolean encrypt) { 1268 if (mService != null) { 1269 try { 1270 return mService.setStorageEncryption(admin, encrypt, UserHandle.myUserId()); 1271 } catch (RemoteException e) { 1272 Log.w(TAG, "Failed talking with device policy service", e); 1273 } 1274 } 1275 return ENCRYPTION_STATUS_UNSUPPORTED; 1276 } 1277 1278 /** 1279 * Called by an application that is administering the device to 1280 * determine the requested setting for secure storage. 1281 * 1282 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. If null, 1283 * this will return the requested encryption setting as an aggregate of all active 1284 * administrators. 1285 * @return true if the admin(s) are requesting encryption, false if not. 1286 */ 1287 public boolean getStorageEncryption(ComponentName admin) { 1288 if (mService != null) { 1289 try { 1290 return mService.getStorageEncryption(admin, UserHandle.myUserId()); 1291 } catch (RemoteException e) { 1292 Log.w(TAG, "Failed talking with device policy service", e); 1293 } 1294 } 1295 return false; 1296 } 1297 1298 /** 1299 * Called by an application that is administering the device to 1300 * determine the current encryption status of the device. 1301 * 1302 * Depending on the returned status code, the caller may proceed in different 1303 * ways. If the result is {@link #ENCRYPTION_STATUS_UNSUPPORTED}, the 1304 * storage system does not support encryption. If the 1305 * result is {@link #ENCRYPTION_STATUS_INACTIVE}, use {@link 1306 * #ACTION_START_ENCRYPTION} to begin the process of encrypting or decrypting the 1307 * storage. If the result is {@link #ENCRYPTION_STATUS_ACTIVATING} or 1308 * {@link #ENCRYPTION_STATUS_ACTIVE}, no further action is required. 1309 * 1310 * @return current status of encryption. The value will be one of 1311 * {@link #ENCRYPTION_STATUS_UNSUPPORTED}, {@link #ENCRYPTION_STATUS_INACTIVE}, 1312 * {@link #ENCRYPTION_STATUS_ACTIVATING}, or{@link #ENCRYPTION_STATUS_ACTIVE}. 1313 */ 1314 public int getStorageEncryptionStatus() { 1315 return getStorageEncryptionStatus(UserHandle.myUserId()); 1316 } 1317 1318 /** @hide per-user version */ 1319 public int getStorageEncryptionStatus(int userHandle) { 1320 if (mService != null) { 1321 try { 1322 return mService.getStorageEncryptionStatus(userHandle); 1323 } catch (RemoteException e) { 1324 Log.w(TAG, "Failed talking with device policy service", e); 1325 } 1326 } 1327 return ENCRYPTION_STATUS_UNSUPPORTED; 1328 } 1329 1330 /** 1331 * Called by an application that is administering the device to disable all cameras 1332 * on the device. After setting this, no applications will be able to access any cameras 1333 * on the device. 1334 * 1335 * <p>The calling device admin must have requested 1336 * {@link DeviceAdminInfo#USES_POLICY_DISABLE_CAMERA} to be able to call 1337 * this method; if it has not, a security exception will be thrown. 1338 * 1339 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1340 * @param disabled Whether or not the camera should be disabled. 1341 */ 1342 public void setCameraDisabled(ComponentName admin, boolean disabled) { 1343 if (mService != null) { 1344 try { 1345 mService.setCameraDisabled(admin, disabled, UserHandle.myUserId()); 1346 } catch (RemoteException e) { 1347 Log.w(TAG, "Failed talking with device policy service", e); 1348 } 1349 } 1350 } 1351 1352 /** 1353 * Determine whether or not the device's cameras have been disabled either by the current 1354 * admin, if specified, or all admins. 1355 * @param admin The name of the admin component to check, or null to check if any admins 1356 * have disabled the camera 1357 */ 1358 public boolean getCameraDisabled(ComponentName admin) { 1359 return getCameraDisabled(admin, UserHandle.myUserId()); 1360 } 1361 1362 /** @hide per-user version */ 1363 public boolean getCameraDisabled(ComponentName admin, int userHandle) { 1364 if (mService != null) { 1365 try { 1366 return mService.getCameraDisabled(admin, userHandle); 1367 } catch (RemoteException e) { 1368 Log.w(TAG, "Failed talking with device policy service", e); 1369 } 1370 } 1371 return false; 1372 } 1373 1374 /** 1375 * Called by an application that is administering the device to disable keyguard customizations, 1376 * such as widgets. After setting this, keyguard features will be disabled according to the 1377 * provided feature list. 1378 * 1379 * <p>The calling device admin must have requested 1380 * {@link DeviceAdminInfo#USES_POLICY_DISABLE_KEYGUARD_FEATURES} to be able to call 1381 * this method; if it has not, a security exception will be thrown. 1382 * 1383 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1384 * @param which {@link #KEYGUARD_DISABLE_FEATURES_NONE} (default), 1385 * {@link #KEYGUARD_DISABLE_WIDGETS_ALL}, {@link #KEYGUARD_DISABLE_SECURE_CAMERA}, 1386 * {@link #KEYGUARD_DISABLE_FEATURES_ALL} 1387 */ 1388 public void setKeyguardDisabledFeatures(ComponentName admin, int which) { 1389 if (mService != null) { 1390 try { 1391 mService.setKeyguardDisabledFeatures(admin, which, UserHandle.myUserId()); 1392 } catch (RemoteException e) { 1393 Log.w(TAG, "Failed talking with device policy service", e); 1394 } 1395 } 1396 } 1397 1398 /** 1399 * Determine whether or not features have been disabled in keyguard either by the current 1400 * admin, if specified, or all admins. 1401 * @param admin The name of the admin component to check, or null to check if any admins 1402 * have disabled features in keyguard. 1403 * @return bitfield of flags. See {@link #setKeyguardDisabledFeatures(ComponentName, int)} 1404 * for a list. 1405 */ 1406 public int getKeyguardDisabledFeatures(ComponentName admin) { 1407 return getKeyguardDisabledFeatures(admin, UserHandle.myUserId()); 1408 } 1409 1410 /** @hide per-user version */ 1411 public int getKeyguardDisabledFeatures(ComponentName admin, int userHandle) { 1412 if (mService != null) { 1413 try { 1414 return mService.getKeyguardDisabledFeatures(admin, userHandle); 1415 } catch (RemoteException e) { 1416 Log.w(TAG, "Failed talking with device policy service", e); 1417 } 1418 } 1419 return KEYGUARD_DISABLE_FEATURES_NONE; 1420 } 1421 1422 /** 1423 * @hide 1424 */ 1425 public void setActiveAdmin(ComponentName policyReceiver, boolean refreshing) { 1426 if (mService != null) { 1427 try { 1428 mService.setActiveAdmin(policyReceiver, refreshing, UserHandle.myUserId()); 1429 } catch (RemoteException e) { 1430 Log.w(TAG, "Failed talking with device policy service", e); 1431 } 1432 } 1433 } 1434 1435 /** 1436 * Returns the DeviceAdminInfo as defined by the administrator's package info & meta-data 1437 * @hide 1438 */ 1439 public DeviceAdminInfo getAdminInfo(ComponentName cn) { 1440 ActivityInfo ai; 1441 try { 1442 ai = mContext.getPackageManager().getReceiverInfo(cn, 1443 PackageManager.GET_META_DATA); 1444 } catch (PackageManager.NameNotFoundException e) { 1445 Log.w(TAG, "Unable to retrieve device policy " + cn, e); 1446 return null; 1447 } 1448 1449 ResolveInfo ri = new ResolveInfo(); 1450 ri.activityInfo = ai; 1451 1452 try { 1453 return new DeviceAdminInfo(mContext, ri); 1454 } catch (XmlPullParserException e) { 1455 Log.w(TAG, "Unable to parse device policy " + cn, e); 1456 return null; 1457 } catch (IOException e) { 1458 Log.w(TAG, "Unable to parse device policy " + cn, e); 1459 return null; 1460 } 1461 } 1462 1463 /** 1464 * @hide 1465 */ 1466 public void getRemoveWarning(ComponentName admin, RemoteCallback result) { 1467 if (mService != null) { 1468 try { 1469 mService.getRemoveWarning(admin, result, UserHandle.myUserId()); 1470 } catch (RemoteException e) { 1471 Log.w(TAG, "Failed talking with device policy service", e); 1472 } 1473 } 1474 } 1475 1476 /** 1477 * @hide 1478 */ 1479 public void setActivePasswordState(int quality, int length, int letters, int uppercase, 1480 int lowercase, int numbers, int symbols, int nonletter, int userHandle) { 1481 if (mService != null) { 1482 try { 1483 mService.setActivePasswordState(quality, length, letters, uppercase, lowercase, 1484 numbers, symbols, nonletter, userHandle); 1485 } catch (RemoteException e) { 1486 Log.w(TAG, "Failed talking with device policy service", e); 1487 } 1488 } 1489 } 1490 1491 /** 1492 * @hide 1493 */ 1494 public void reportFailedPasswordAttempt(int userHandle) { 1495 if (mService != null) { 1496 try { 1497 mService.reportFailedPasswordAttempt(userHandle); 1498 } catch (RemoteException e) { 1499 Log.w(TAG, "Failed talking with device policy service", e); 1500 } 1501 } 1502 } 1503 1504 /** 1505 * @hide 1506 */ 1507 public void reportSuccessfulPasswordAttempt(int userHandle) { 1508 if (mService != null) { 1509 try { 1510 mService.reportSuccessfulPasswordAttempt(userHandle); 1511 } catch (RemoteException e) { 1512 Log.w(TAG, "Failed talking with device policy service", e); 1513 } 1514 } 1515 } 1516 1517 /** 1518 * @hide 1519 * Sets the given package as the device owner. The package must already be installed and there 1520 * shouldn't be an existing device owner registered, for this call to succeed. Also, this 1521 * method must be called before the device is provisioned. 1522 * @param packageName the package name of the application to be registered as the device owner. 1523 * @return whether the package was successfully registered as the device owner. 1524 * @throws IllegalArgumentException if the package name is null or invalid 1525 * @throws IllegalStateException if a device owner is already registered or the device has 1526 * already been provisioned. 1527 */ 1528 public boolean setDeviceOwner(String packageName) throws IllegalArgumentException, 1529 IllegalStateException { 1530 if (mService != null) { 1531 try { 1532 return mService.setDeviceOwner(packageName); 1533 } catch (RemoteException re) { 1534 Log.w(TAG, "Failed to set device owner"); 1535 } 1536 } 1537 return false; 1538 } 1539 1540 1541 /** 1542 * Used to determine if a particular package has been registered as a Device Owner app. 1543 * A device owner app is a special device admin that cannot be deactivated by the user, once 1544 * activated as a device admin. It also cannot be uninstalled. To check if a particular 1545 * package is currently registered as the device owner app, pass in the package name from 1546 * {@link Context#getPackageName()} to this method.<p/>This is useful for device 1547 * admin apps that want to check if they are also registered as the device owner app. The 1548 * exact mechanism by which a device admin app is registered as a device owner app is defined by 1549 * the setup process. 1550 * @param packageName the package name of the app, to compare with the registered device owner 1551 * app, if any. 1552 * @return whether or not the package is registered as the device owner app. 1553 */ 1554 public boolean isDeviceOwnerApp(String packageName) { 1555 if (mService != null) { 1556 try { 1557 return mService.isDeviceOwner(packageName); 1558 } catch (RemoteException re) { 1559 Log.w(TAG, "Failed to check device owner"); 1560 } 1561 } 1562 return false; 1563 } 1564 1565 /** 1566 * @hide 1567 * Redirect to isDeviceOwnerApp. 1568 */ 1569 public boolean isDeviceOwner(String packageName) { 1570 return isDeviceOwnerApp(packageName); 1571 } 1572 1573 /** @hide */ 1574 public String getDeviceOwner() { 1575 if (mService != null) { 1576 try { 1577 return mService.getDeviceOwner(); 1578 } catch (RemoteException re) { 1579 Log.w(TAG, "Failed to get device owner"); 1580 } 1581 } 1582 return null; 1583 } 1584 } 1585
