Home | History | Annotate | Download | only in admin
      1 /*
      2  * Copyright (C) 2010 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 package android.app.admin;
     18 
     19 import org.xmlpull.v1.XmlPullParserException;
     20 
     21 import android.annotation.SdkConstant;
     22 import android.annotation.SdkConstant.SdkConstantType;
     23 import android.content.ComponentName;
     24 import android.content.Context;
     25 import android.content.pm.ActivityInfo;
     26 import android.content.pm.PackageManager;
     27 import android.content.pm.ResolveInfo;
     28 import android.os.Handler;
     29 import android.os.RemoteCallback;
     30 import android.os.RemoteException;
     31 import android.os.ServiceManager;
     32 import android.os.UserHandle;
     33 import android.util.Log;
     34 
     35 import java.io.IOException;
     36 import java.net.InetSocketAddress;
     37 import java.net.Proxy;
     38 import java.util.List;
     39 
     40 /**
     41  * Public interface for managing policies enforced on a device.  Most clients
     42  * of this class must have published a {@link DeviceAdminReceiver} that the user
     43  * has currently enabled.
     44  *
     45  * <div class="special reference">
     46  * <h3>Developer Guides</h3>
     47  * <p>For more information about managing policies for device adminstration, read the
     48  * <a href="{@docRoot}guide/topics/admin/device-admin.html">Device Administration</a>
     49  * developer guide.</p>
     50  * </div>
     51  */
     52 public class DevicePolicyManager {
     53     private static String TAG = "DevicePolicyManager";
     54 
     55     private final Context mContext;
     56     private final IDevicePolicyManager mService;
     57 
     58     private DevicePolicyManager(Context context, Handler handler) {
     59         mContext = context;
     60         mService = IDevicePolicyManager.Stub.asInterface(
     61                 ServiceManager.getService(Context.DEVICE_POLICY_SERVICE));
     62     }
     63 
     64     /** @hide */
     65     public static DevicePolicyManager create(Context context, Handler handler) {
     66         DevicePolicyManager me = new DevicePolicyManager(context, handler);
     67         return me.mService != null ? me : null;
     68     }
     69 
     70     /**
     71      * Activity action: ask the user to add a new device administrator to the system.
     72      * The desired policy is the ComponentName of the policy in the
     73      * {@link #EXTRA_DEVICE_ADMIN} extra field.  This will invoke a UI to
     74      * bring the user through adding the device administrator to the system (or
     75      * allowing them to reject it).
     76      *
     77      * <p>You can optionally include the {@link #EXTRA_ADD_EXPLANATION}
     78      * field to provide the user with additional explanation (in addition
     79      * to your component's description) about what is being added.
     80      *
     81      * <p>If your administrator is already active, this will ordinarily return immediately (without
     82      * user intervention).  However, if your administrator has been updated and is requesting
     83      * additional uses-policy flags, the user will be presented with the new list.  New policies
     84      * will not be available to the updated administrator until the user has accepted the new list.
     85      */
     86     @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION)
     87     public static final String ACTION_ADD_DEVICE_ADMIN
     88             = "android.app.action.ADD_DEVICE_ADMIN";
     89 
     90     /**
     91      * Activity action: send when any policy admin changes a policy.
     92      * This is generally used to find out when a new policy is in effect.
     93      *
     94      * @hide
     95      */
     96     public static final String ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED
     97             = "android.app.action.DEVICE_POLICY_MANAGER_STATE_CHANGED";
     98 
     99     /**
    100      * The ComponentName of the administrator component.
    101      *
    102      * @see #ACTION_ADD_DEVICE_ADMIN
    103      */
    104     public static final String EXTRA_DEVICE_ADMIN = "android.app.extra.DEVICE_ADMIN";
    105 
    106     /**
    107      * An optional CharSequence providing additional explanation for why the
    108      * admin is being added.
    109      *
    110      * @see #ACTION_ADD_DEVICE_ADMIN
    111      */
    112     public static final String EXTRA_ADD_EXPLANATION = "android.app.extra.ADD_EXPLANATION";
    113 
    114     /**
    115      * Activity action: have the user enter a new password. This activity should
    116      * be launched after using {@link #setPasswordQuality(ComponentName, int)},
    117      * or {@link #setPasswordMinimumLength(ComponentName, int)} to have the user
    118      * enter a new password that meets the current requirements. You can use
    119      * {@link #isActivePasswordSufficient()} to determine whether you need to
    120      * have the user select a new password in order to meet the current
    121      * constraints. Upon being resumed from this activity, you can check the new
    122      * password characteristics to see if they are sufficient.
    123      */
    124     @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION)
    125     public static final String ACTION_SET_NEW_PASSWORD
    126             = "android.app.action.SET_NEW_PASSWORD";
    127 
    128     /**
    129      * Return true if the given administrator component is currently
    130      * active (enabled) in the system.
    131      */
    132     public boolean isAdminActive(ComponentName who) {
    133         if (mService != null) {
    134             try {
    135                 return mService.isAdminActive(who, UserHandle.myUserId());
    136             } catch (RemoteException e) {
    137                 Log.w(TAG, "Failed talking with device policy service", e);
    138             }
    139         }
    140         return false;
    141     }
    142 
    143     /**
    144      * Return a list of all currently active device administrator's component
    145      * names.  Note that if there are no administrators than null may be
    146      * returned.
    147      */
    148     public List<ComponentName> getActiveAdmins() {
    149         if (mService != null) {
    150             try {
    151                 return mService.getActiveAdmins(UserHandle.myUserId());
    152             } catch (RemoteException e) {
    153                 Log.w(TAG, "Failed talking with device policy service", e);
    154             }
    155         }
    156         return null;
    157     }
    158 
    159     /**
    160      * Used by package administration code to determine if a package can be stopped
    161      * or uninstalled.
    162      * @hide
    163      */
    164     public boolean packageHasActiveAdmins(String packageName) {
    165         if (mService != null) {
    166             try {
    167                 return mService.packageHasActiveAdmins(packageName, UserHandle.myUserId());
    168             } catch (RemoteException e) {
    169                 Log.w(TAG, "Failed talking with device policy service", e);
    170             }
    171         }
    172         return false;
    173     }
    174 
    175     /**
    176      * Remove a current administration component.  This can only be called
    177      * by the application that owns the administration component; if you
    178      * try to remove someone else's component, a security exception will be
    179      * thrown.
    180      */
    181     public void removeActiveAdmin(ComponentName who) {
    182         if (mService != null) {
    183             try {
    184                 mService.removeActiveAdmin(who, UserHandle.myUserId());
    185             } catch (RemoteException e) {
    186                 Log.w(TAG, "Failed talking with device policy service", e);
    187             }
    188         }
    189     }
    190 
    191     /**
    192      * Returns true if an administrator has been granted a particular device policy.  This can
    193      * be used to check if the administrator was activated under an earlier set of policies,
    194      * but requires additional policies after an upgrade.
    195      *
    196      * @param admin Which {@link DeviceAdminReceiver} this request is associated with.  Must be
    197      * an active administrator, or an exception will be thrown.
    198      * @param usesPolicy Which uses-policy to check, as defined in {@link DeviceAdminInfo}.
    199      */
    200     public boolean hasGrantedPolicy(ComponentName admin, int usesPolicy) {
    201         if (mService != null) {
    202             try {
    203                 return mService.hasGrantedPolicy(admin, usesPolicy, UserHandle.myUserId());
    204             } catch (RemoteException e) {
    205                 Log.w(TAG, "Failed talking with device policy service", e);
    206             }
    207         }
    208         return false;
    209     }
    210 
    211     /**
    212      * Constant for {@link #setPasswordQuality}: the policy has no requirements
    213      * for the password.  Note that quality constants are ordered so that higher
    214      * values are more restrictive.
    215      */
    216     public static final int PASSWORD_QUALITY_UNSPECIFIED = 0;
    217 
    218     /**
    219      * Constant for {@link #setPasswordQuality}: the policy allows for low-security biometric
    220      * recognition technology.  This implies technologies that can recognize the identity of
    221      * an individual to about a 3 digit PIN (false detection is less than 1 in 1,000).
    222      * Note that quality constants are ordered so that higher values are more restrictive.
    223      */
    224     public static final int PASSWORD_QUALITY_BIOMETRIC_WEAK = 0x8000;
    225 
    226     /**
    227      * Constant for {@link #setPasswordQuality}: the policy requires some kind
    228      * of password, but doesn't care what it is.  Note that quality constants
    229      * are ordered so that higher values are more restrictive.
    230      */
    231     public static final int PASSWORD_QUALITY_SOMETHING = 0x10000;
    232 
    233     /**
    234      * Constant for {@link #setPasswordQuality}: the user must have entered a
    235      * password containing at least numeric characters.  Note that quality
    236      * constants are ordered so that higher values are more restrictive.
    237      */
    238     public static final int PASSWORD_QUALITY_NUMERIC = 0x20000;
    239 
    240     /**
    241      * Constant for {@link #setPasswordQuality}: the user must have entered a
    242      * password containing at least alphabetic (or other symbol) characters.
    243      * Note that quality constants are ordered so that higher values are more
    244      * restrictive.
    245      */
    246     public static final int PASSWORD_QUALITY_ALPHABETIC = 0x40000;
    247 
    248     /**
    249      * Constant for {@link #setPasswordQuality}: the user must have entered a
    250      * password containing at least <em>both></em> numeric <em>and</em>
    251      * alphabetic (or other symbol) characters.  Note that quality constants are
    252      * ordered so that higher values are more restrictive.
    253      */
    254     public static final int PASSWORD_QUALITY_ALPHANUMERIC = 0x50000;
    255 
    256     /**
    257      * Constant for {@link #setPasswordQuality}: the user must have entered a
    258      * password containing at least a letter, a numerical digit and a special
    259      * symbol, by default. With this password quality, passwords can be
    260      * restricted to contain various sets of characters, like at least an
    261      * uppercase letter, etc. These are specified using various methods,
    262      * like {@link #setPasswordMinimumLowerCase(ComponentName, int)}. Note
    263      * that quality constants are ordered so that higher values are more
    264      * restrictive.
    265      */
    266     public static final int PASSWORD_QUALITY_COMPLEX = 0x60000;
    267 
    268     /**
    269      * Called by an application that is administering the device to set the
    270      * password restrictions it is imposing.  After setting this, the user
    271      * will not be able to enter a new password that is not at least as
    272      * restrictive as what has been set.  Note that the current password
    273      * will remain until the user has set a new one, so the change does not
    274      * take place immediately.  To prompt the user for a new password, use
    275      * {@link #ACTION_SET_NEW_PASSWORD} after setting this value.
    276      *
    277      * <p>Quality constants are ordered so that higher values are more restrictive;
    278      * thus the highest requested quality constant (between the policy set here,
    279      * the user's preference, and any other considerations) is the one that
    280      * is in effect.
    281      *
    282      * <p>The calling device admin must have requested
    283      * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call
    284      * this method; if it has not, a security exception will be thrown.
    285      *
    286      * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
    287      * @param quality The new desired quality.  One of
    288      * {@link #PASSWORD_QUALITY_UNSPECIFIED}, {@link #PASSWORD_QUALITY_SOMETHING},
    289      * {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_ALPHABETIC},
    290      * {@link #PASSWORD_QUALITY_ALPHANUMERIC} or {@link #PASSWORD_QUALITY_COMPLEX}.
    291      */
    292     public void setPasswordQuality(ComponentName admin, int quality) {
    293         if (mService != null) {
    294             try {
    295                 mService.setPasswordQuality(admin, quality, UserHandle.myUserId());
    296             } catch (RemoteException e) {
    297                 Log.w(TAG, "Failed talking with device policy service", e);
    298             }
    299         }
    300     }
    301 
    302     /**
    303      * Retrieve the current minimum password quality for all admins
    304      * or a particular one.
    305      * @param admin The name of the admin component to check, or null to aggregate
    306      * all admins.
    307      */
    308     public int getPasswordQuality(ComponentName admin) {
    309         return getPasswordQuality(admin, UserHandle.myUserId());
    310     }
    311 
    312     /** @hide per-user version */
    313     public int getPasswordQuality(ComponentName admin, int userHandle) {
    314         if (mService != null) {
    315             try {
    316                 return mService.getPasswordQuality(admin, userHandle);
    317             } catch (RemoteException e) {
    318                 Log.w(TAG, "Failed talking with device policy service", e);
    319             }
    320         }
    321         return PASSWORD_QUALITY_UNSPECIFIED;
    322     }
    323 
    324     /**
    325      * Called by an application that is administering the device to set the
    326      * minimum allowed password length.  After setting this, the user
    327      * will not be able to enter a new password that is not at least as
    328      * restrictive as what has been set.  Note that the current password
    329      * will remain until the user has set a new one, so the change does not
    330      * take place immediately.  To prompt the user for a new password, use
    331      * {@link #ACTION_SET_NEW_PASSWORD} after setting this value.  This
    332      * constraint is only imposed if the administrator has also requested either
    333      * {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_ALPHABETIC}
    334      * {@link #PASSWORD_QUALITY_ALPHANUMERIC}, or {@link #PASSWORD_QUALITY_COMPLEX}
    335      * with {@link #setPasswordQuality}.
    336      *
    337      * <p>The calling device admin must have requested
    338      * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call
    339      * this method; if it has not, a security exception will be thrown.
    340      *
    341      * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
    342      * @param length The new desired minimum password length.  A value of 0
    343      * means there is no restriction.
    344      */
    345     public void setPasswordMinimumLength(ComponentName admin, int length) {
    346         if (mService != null) {
    347             try {
    348                 mService.setPasswordMinimumLength(admin, length, UserHandle.myUserId());
    349             } catch (RemoteException e) {
    350                 Log.w(TAG, "Failed talking with device policy service", e);
    351             }
    352         }
    353     }
    354 
    355     /**
    356      * Retrieve the current minimum password length for all admins
    357      * or a particular one.
    358      * @param admin The name of the admin component to check, or null to aggregate
    359      * all admins.
    360      */
    361     public int getPasswordMinimumLength(ComponentName admin) {
    362         return getPasswordMinimumLength(admin, UserHandle.myUserId());
    363     }
    364 
    365     /** @hide per-user version */
    366     public int getPasswordMinimumLength(ComponentName admin, int userHandle) {
    367         if (mService != null) {
    368             try {
    369                 return mService.getPasswordMinimumLength(admin, userHandle);
    370             } catch (RemoteException e) {
    371                 Log.w(TAG, "Failed talking with device policy service", e);
    372             }
    373         }
    374         return 0;
    375     }
    376 
    377     /**
    378      * Called by an application that is administering the device to set the
    379      * minimum number of upper case letters required in the password. After
    380      * setting this, the user will not be able to enter a new password that is
    381      * not at least as restrictive as what has been set. Note that the current
    382      * password will remain until the user has set a new one, so the change does
    383      * not take place immediately. To prompt the user for a new password, use
    384      * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This
    385      * constraint is only imposed if the administrator has also requested
    386      * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The
    387      * default value is 0.
    388      * <p>
    389      * The calling device admin must have requested
    390      * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call
    391      * this method; if it has not, a security exception will be thrown.
    392      *
    393      * @param admin Which {@link DeviceAdminReceiver} this request is associated
    394      *            with.
    395      * @param length The new desired minimum number of upper case letters
    396      *            required in the password. A value of 0 means there is no
    397      *            restriction.
    398      */
    399     public void setPasswordMinimumUpperCase(ComponentName admin, int length) {
    400         if (mService != null) {
    401             try {
    402                 mService.setPasswordMinimumUpperCase(admin, length, UserHandle.myUserId());
    403             } catch (RemoteException e) {
    404                 Log.w(TAG, "Failed talking with device policy service", e);
    405             }
    406         }
    407     }
    408 
    409     /**
    410      * Retrieve the current number of upper case letters required in the
    411      * password for all admins or a particular one. This is the same value as
    412      * set by {#link {@link #setPasswordMinimumUpperCase(ComponentName, int)}
    413      * and only applies when the password quality is
    414      * {@link #PASSWORD_QUALITY_COMPLEX}.
    415      *
    416      * @param admin The name of the admin component to check, or null to
    417      *            aggregate all admins.
    418      * @return The minimum number of upper case letters required in the
    419      *         password.
    420      */
    421     public int getPasswordMinimumUpperCase(ComponentName admin) {
    422         return getPasswordMinimumUpperCase(admin, UserHandle.myUserId());
    423     }
    424 
    425     /** @hide per-user version */
    426     public int getPasswordMinimumUpperCase(ComponentName admin, int userHandle) {
    427         if (mService != null) {
    428             try {
    429                 return mService.getPasswordMinimumUpperCase(admin, userHandle);
    430             } catch (RemoteException e) {
    431                 Log.w(TAG, "Failed talking with device policy service", e);
    432             }
    433         }
    434         return 0;
    435     }
    436 
    437     /**
    438      * Called by an application that is administering the device to set the
    439      * minimum number of lower case letters required in the password. After
    440      * setting this, the user will not be able to enter a new password that is
    441      * not at least as restrictive as what has been set. Note that the current
    442      * password will remain until the user has set a new one, so the change does
    443      * not take place immediately. To prompt the user for a new password, use
    444      * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This
    445      * constraint is only imposed if the administrator has also requested
    446      * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The
    447      * default value is 0.
    448      * <p>
    449      * The calling device admin must have requested
    450      * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call
    451      * this method; if it has not, a security exception will be thrown.
    452      *
    453      * @param admin Which {@link DeviceAdminReceiver} this request is associated
    454      *            with.
    455      * @param length The new desired minimum number of lower case letters
    456      *            required in the password. A value of 0 means there is no
    457      *            restriction.
    458      */
    459     public void setPasswordMinimumLowerCase(ComponentName admin, int length) {
    460         if (mService != null) {
    461             try {
    462                 mService.setPasswordMinimumLowerCase(admin, length, UserHandle.myUserId());
    463             } catch (RemoteException e) {
    464                 Log.w(TAG, "Failed talking with device policy service", e);
    465             }
    466         }
    467     }
    468 
    469     /**
    470      * Retrieve the current number of lower case letters required in the
    471      * password for all admins or a particular one. This is the same value as
    472      * set by {#link {@link #setPasswordMinimumLowerCase(ComponentName, int)}
    473      * and only applies when the password quality is
    474      * {@link #PASSWORD_QUALITY_COMPLEX}.
    475      *
    476      * @param admin The name of the admin component to check, or null to
    477      *            aggregate all admins.
    478      * @return The minimum number of lower case letters required in the
    479      *         password.
    480      */
    481     public int getPasswordMinimumLowerCase(ComponentName admin) {
    482         return getPasswordMinimumLowerCase(admin, UserHandle.myUserId());
    483     }
    484 
    485     /** @hide per-user version */
    486     public int getPasswordMinimumLowerCase(ComponentName admin, int userHandle) {
    487         if (mService != null) {
    488             try {
    489                 return mService.getPasswordMinimumLowerCase(admin, userHandle);
    490             } catch (RemoteException e) {
    491                 Log.w(TAG, "Failed talking with device policy service", e);
    492             }
    493         }
    494         return 0;
    495     }
    496 
    497     /**
    498      * Called by an application that is administering the device to set the
    499      * minimum number of letters required in the password. After setting this,
    500      * the user will not be able to enter a new password that is not at least as
    501      * restrictive as what has been set. Note that the current password will
    502      * remain until the user has set a new one, so the change does not take
    503      * place immediately. To prompt the user for a new password, use
    504      * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This
    505      * constraint is only imposed if the administrator has also requested
    506      * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The
    507      * default value is 1.
    508      * <p>
    509      * The calling device admin must have requested
    510      * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call
    511      * this method; if it has not, a security exception will be thrown.
    512      *
    513      * @param admin Which {@link DeviceAdminReceiver} this request is associated
    514      *            with.
    515      * @param length The new desired minimum number of letters required in the
    516      *            password. A value of 0 means there is no restriction.
    517      */
    518     public void setPasswordMinimumLetters(ComponentName admin, int length) {
    519         if (mService != null) {
    520             try {
    521                 mService.setPasswordMinimumLetters(admin, length, UserHandle.myUserId());
    522             } catch (RemoteException e) {
    523                 Log.w(TAG, "Failed talking with device policy service", e);
    524             }
    525         }
    526     }
    527 
    528     /**
    529      * Retrieve the current number of letters required in the password for all
    530      * admins or a particular one. This is the same value as
    531      * set by {#link {@link #setPasswordMinimumLetters(ComponentName, int)}
    532      * and only applies when the password quality is
    533      * {@link #PASSWORD_QUALITY_COMPLEX}.
    534      *
    535      * @param admin The name of the admin component to check, or null to
    536      *            aggregate all admins.
    537      * @return The minimum number of letters required in the password.
    538      */
    539     public int getPasswordMinimumLetters(ComponentName admin) {
    540         return getPasswordMinimumLetters(admin, UserHandle.myUserId());
    541     }
    542 
    543     /** @hide per-user version */
    544     public int getPasswordMinimumLetters(ComponentName admin, int userHandle) {
    545         if (mService != null) {
    546             try {
    547                 return mService.getPasswordMinimumLetters(admin, userHandle);
    548             } catch (RemoteException e) {
    549                 Log.w(TAG, "Failed talking with device policy service", e);
    550             }
    551         }
    552         return 0;
    553     }
    554 
    555     /**
    556      * Called by an application that is administering the device to set the
    557      * minimum number of numerical digits required in the password. After
    558      * setting this, the user will not be able to enter a new password that is
    559      * not at least as restrictive as what has been set. Note that the current
    560      * password will remain until the user has set a new one, so the change does
    561      * not take place immediately. To prompt the user for a new password, use
    562      * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This
    563      * constraint is only imposed if the administrator has also requested
    564      * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The
    565      * default value is 1.
    566      * <p>
    567      * The calling device admin must have requested
    568      * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call
    569      * this method; if it has not, a security exception will be thrown.
    570      *
    571      * @param admin Which {@link DeviceAdminReceiver} this request is associated
    572      *            with.
    573      * @param length The new desired minimum number of numerical digits required
    574      *            in the password. A value of 0 means there is no restriction.
    575      */
    576     public void setPasswordMinimumNumeric(ComponentName admin, int length) {
    577         if (mService != null) {
    578             try {
    579                 mService.setPasswordMinimumNumeric(admin, length, UserHandle.myUserId());
    580             } catch (RemoteException e) {
    581                 Log.w(TAG, "Failed talking with device policy service", e);
    582             }
    583         }
    584     }
    585 
    586     /**
    587      * Retrieve the current number of numerical digits required in the password
    588      * for all admins or a particular one. This is the same value as
    589      * set by {#link {@link #setPasswordMinimumNumeric(ComponentName, int)}
    590      * and only applies when the password quality is
    591      * {@link #PASSWORD_QUALITY_COMPLEX}.
    592      *
    593      * @param admin The name of the admin component to check, or null to
    594      *            aggregate all admins.
    595      * @return The minimum number of numerical digits required in the password.
    596      */
    597     public int getPasswordMinimumNumeric(ComponentName admin) {
    598         return getPasswordMinimumNumeric(admin, UserHandle.myUserId());
    599     }
    600 
    601     /** @hide per-user version */
    602     public int getPasswordMinimumNumeric(ComponentName admin, int userHandle) {
    603         if (mService != null) {
    604             try {
    605                 return mService.getPasswordMinimumNumeric(admin, userHandle);
    606             } catch (RemoteException e) {
    607                 Log.w(TAG, "Failed talking with device policy service", e);
    608             }
    609         }
    610         return 0;
    611     }
    612 
    613     /**
    614      * Called by an application that is administering the device to set the
    615      * minimum number of symbols required in the password. After setting this,
    616      * the user will not be able to enter a new password that is not at least as
    617      * restrictive as what has been set. Note that the current password will
    618      * remain until the user has set a new one, so the change does not take
    619      * place immediately. To prompt the user for a new password, use
    620      * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This
    621      * constraint is only imposed if the administrator has also requested
    622      * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The
    623      * default value is 1.
    624      * <p>
    625      * The calling device admin must have requested
    626      * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call
    627      * this method; if it has not, a security exception will be thrown.
    628      *
    629      * @param admin Which {@link DeviceAdminReceiver} this request is associated
    630      *            with.
    631      * @param length The new desired minimum number of symbols required in the
    632      *            password. A value of 0 means there is no restriction.
    633      */
    634     public void setPasswordMinimumSymbols(ComponentName admin, int length) {
    635         if (mService != null) {
    636             try {
    637                 mService.setPasswordMinimumSymbols(admin, length, UserHandle.myUserId());
    638             } catch (RemoteException e) {
    639                 Log.w(TAG, "Failed talking with device policy service", e);
    640             }
    641         }
    642     }
    643 
    644     /**
    645      * Retrieve the current number of symbols required in the password for all
    646      * admins or a particular one. This is the same value as
    647      * set by {#link {@link #setPasswordMinimumSymbols(ComponentName, int)}
    648      * and only applies when the password quality is
    649      * {@link #PASSWORD_QUALITY_COMPLEX}.
    650      *
    651      * @param admin The name of the admin component to check, or null to
    652      *            aggregate all admins.
    653      * @return The minimum number of symbols required in the password.
    654      */
    655     public int getPasswordMinimumSymbols(ComponentName admin) {
    656         return getPasswordMinimumSymbols(admin, UserHandle.myUserId());
    657     }
    658 
    659     /** @hide per-user version */
    660     public int getPasswordMinimumSymbols(ComponentName admin, int userHandle) {
    661         if (mService != null) {
    662             try {
    663                 return mService.getPasswordMinimumSymbols(admin, userHandle);
    664             } catch (RemoteException e) {
    665                 Log.w(TAG, "Failed talking with device policy service", e);
    666             }
    667         }
    668         return 0;
    669     }
    670 
    671     /**
    672      * Called by an application that is administering the device to set the
    673      * minimum number of non-letter characters (numerical digits or symbols)
    674      * required in the password. After setting this, the user will not be able
    675      * to enter a new password that is not at least as restrictive as what has
    676      * been set. Note that the current password will remain until the user has
    677      * set a new one, so the change does not take place immediately. To prompt
    678      * the user for a new password, use {@link #ACTION_SET_NEW_PASSWORD} after
    679      * setting this value. This constraint is only imposed if the administrator
    680      * has also requested {@link #PASSWORD_QUALITY_COMPLEX} with
    681      * {@link #setPasswordQuality}. The default value is 0.
    682      * <p>
    683      * The calling device admin must have requested
    684      * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call
    685      * this method; if it has not, a security exception will be thrown.
    686      *
    687      * @param admin Which {@link DeviceAdminReceiver} this request is associated
    688      *            with.
    689      * @param length The new desired minimum number of letters required in the
    690      *            password. A value of 0 means there is no restriction.
    691      */
    692     public void setPasswordMinimumNonLetter(ComponentName admin, int length) {
    693         if (mService != null) {
    694             try {
    695                 mService.setPasswordMinimumNonLetter(admin, length, UserHandle.myUserId());
    696             } catch (RemoteException e) {
    697                 Log.w(TAG, "Failed talking with device policy service", e);
    698             }
    699         }
    700     }
    701 
    702     /**
    703      * Retrieve the current number of non-letter characters required in the
    704      * password for all admins or a particular one. This is the same value as
    705      * set by {#link {@link #setPasswordMinimumNonLetter(ComponentName, int)}
    706      * and only applies when the password quality is
    707      * {@link #PASSWORD_QUALITY_COMPLEX}.
    708      *
    709      * @param admin The name of the admin component to check, or null to
    710      *            aggregate all admins.
    711      * @return The minimum number of letters required in the password.
    712      */
    713     public int getPasswordMinimumNonLetter(ComponentName admin) {
    714         return getPasswordMinimumNonLetter(admin, UserHandle.myUserId());
    715     }
    716 
    717     /** @hide per-user version */
    718     public int getPasswordMinimumNonLetter(ComponentName admin, int userHandle) {
    719         if (mService != null) {
    720             try {
    721                 return mService.getPasswordMinimumNonLetter(admin, userHandle);
    722             } catch (RemoteException e) {
    723                 Log.w(TAG, "Failed talking with device policy service", e);
    724             }
    725         }
    726         return 0;
    727     }
    728 
    729   /**
    730    * Called by an application that is administering the device to set the length
    731    * of the password history. After setting this, the user will not be able to
    732    * enter a new password that is the same as any password in the history. Note
    733    * that the current password will remain until the user has set a new one, so
    734    * the change does not take place immediately. To prompt the user for a new
    735    * password, use {@link #ACTION_SET_NEW_PASSWORD} after setting this value.
    736    * This constraint is only imposed if the administrator has also requested
    737    * either {@link #PASSWORD_QUALITY_NUMERIC},
    738    * {@link #PASSWORD_QUALITY_ALPHABETIC}, or
    739    * {@link #PASSWORD_QUALITY_ALPHANUMERIC} with {@link #setPasswordQuality}.
    740    *
    741    * <p>
    742    * The calling device admin must have requested
    743    * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call this
    744    * method; if it has not, a security exception will be thrown.
    745    *
    746    * @param admin Which {@link DeviceAdminReceiver} this request is associated
    747    *        with.
    748    * @param length The new desired length of password history. A value of 0
    749    *        means there is no restriction.
    750    */
    751     public void setPasswordHistoryLength(ComponentName admin, int length) {
    752         if (mService != null) {
    753             try {
    754                 mService.setPasswordHistoryLength(admin, length, UserHandle.myUserId());
    755             } catch (RemoteException e) {
    756                 Log.w(TAG, "Failed talking with device policy service", e);
    757             }
    758         }
    759     }
    760 
    761     /**
    762      * Called by a device admin to set the password expiration timeout. Calling this method
    763      * will restart the countdown for password expiration for the given admin, as will changing
    764      * the device password (for all admins).
    765      *
    766      * <p>The provided timeout is the time delta in ms and will be added to the current time.
    767      * For example, to have the password expire 5 days from now, timeout would be
    768      * 5 * 86400 * 1000 = 432000000 ms for timeout.
    769      *
    770      * <p>To disable password expiration, a value of 0 may be used for timeout.
    771      *
    772      * <p>The calling device admin must have requested
    773      * {@link DeviceAdminInfo#USES_POLICY_EXPIRE_PASSWORD} to be able to call this
    774      * method; if it has not, a security exception will be thrown.
    775      *
    776      * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
    777      * @param timeout The limit (in ms) that a password can remain in effect. A value of 0
    778      *        means there is no restriction (unlimited).
    779      */
    780     public void setPasswordExpirationTimeout(ComponentName admin, long timeout) {
    781         if (mService != null) {
    782             try {
    783                 mService.setPasswordExpirationTimeout(admin, timeout, UserHandle.myUserId());
    784             } catch (RemoteException e) {
    785                 Log.w(TAG, "Failed talking with device policy service", e);
    786             }
    787         }
    788     }
    789 
    790     /**
    791      * Get the password expiration timeout for the given admin. The expiration timeout is the
    792      * recurring expiration timeout provided in the call to
    793      * {@link #setPasswordExpirationTimeout(ComponentName, long)} for the given admin or the
    794      * aggregate of all policy administrators if admin is null.
    795      *
    796      * @param admin The name of the admin component to check, or null to aggregate all admins.
    797      * @return The timeout for the given admin or the minimum of all timeouts
    798      */
    799     public long getPasswordExpirationTimeout(ComponentName admin) {
    800         if (mService != null) {
    801             try {
    802                 return mService.getPasswordExpirationTimeout(admin, UserHandle.myUserId());
    803             } catch (RemoteException e) {
    804                 Log.w(TAG, "Failed talking with device policy service", e);
    805             }
    806         }
    807         return 0;
    808     }
    809 
    810     /**
    811      * Get the current password expiration time for the given admin or an aggregate of
    812      * all admins if admin is null. If the password is expired, this will return the time since
    813      * the password expired as a negative number.  If admin is null, then a composite of all
    814      * expiration timeouts is returned - which will be the minimum of all timeouts.
    815      *
    816      * @param admin The name of the admin component to check, or null to aggregate all admins.
    817      * @return The password expiration time, in ms.
    818      */
    819     public long getPasswordExpiration(ComponentName admin) {
    820         if (mService != null) {
    821             try {
    822                 return mService.getPasswordExpiration(admin, UserHandle.myUserId());
    823             } catch (RemoteException e) {
    824                 Log.w(TAG, "Failed talking with device policy service", e);
    825             }
    826         }
    827         return 0;
    828     }
    829 
    830     /**
    831      * Retrieve the current password history length for all admins
    832      * or a particular one.
    833      * @param admin The name of the admin component to check, or null to aggregate
    834      * all admins.
    835      * @return The length of the password history
    836      */
    837     public int getPasswordHistoryLength(ComponentName admin) {
    838         return getPasswordHistoryLength(admin, UserHandle.myUserId());
    839     }
    840 
    841     /** @hide per-user version */
    842     public int getPasswordHistoryLength(ComponentName admin, int userHandle) {
    843         if (mService != null) {
    844             try {
    845                 return mService.getPasswordHistoryLength(admin, userHandle);
    846             } catch (RemoteException e) {
    847                 Log.w(TAG, "Failed talking with device policy service", e);
    848             }
    849         }
    850         return 0;
    851     }
    852 
    853     /**
    854      * Return the maximum password length that the device supports for a
    855      * particular password quality.
    856      * @param quality The quality being interrogated.
    857      * @return Returns the maximum length that the user can enter.
    858      */
    859     public int getPasswordMaximumLength(int quality) {
    860         // Kind-of arbitrary.
    861         return 16;
    862     }
    863 
    864     /**
    865      * Determine whether the current password the user has set is sufficient
    866      * to meet the policy requirements (quality, minimum length) that have been
    867      * requested.
    868      *
    869      * <p>The calling device admin must have requested
    870      * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call
    871      * this method; if it has not, a security exception will be thrown.
    872      *
    873      * @return Returns true if the password meets the current requirements,
    874      * else false.
    875      */
    876     public boolean isActivePasswordSufficient() {
    877         if (mService != null) {
    878             try {
    879                 return mService.isActivePasswordSufficient(UserHandle.myUserId());
    880             } catch (RemoteException e) {
    881                 Log.w(TAG, "Failed talking with device policy service", e);
    882             }
    883         }
    884         return false;
    885     }
    886 
    887     /**
    888      * Retrieve the number of times the user has failed at entering a
    889      * password since that last successful password entry.
    890      *
    891      * <p>The calling device admin must have requested
    892      * {@link DeviceAdminInfo#USES_POLICY_WATCH_LOGIN} to be able to call
    893      * this method; if it has not, a security exception will be thrown.
    894      */
    895     public int getCurrentFailedPasswordAttempts() {
    896         if (mService != null) {
    897             try {
    898                 return mService.getCurrentFailedPasswordAttempts(UserHandle.myUserId());
    899             } catch (RemoteException e) {
    900                 Log.w(TAG, "Failed talking with device policy service", e);
    901             }
    902         }
    903         return -1;
    904     }
    905 
    906     /**
    907      * Setting this to a value greater than zero enables a built-in policy
    908      * that will perform a device wipe after too many incorrect
    909      * device-unlock passwords have been entered.  This built-in policy combines
    910      * watching for failed passwords and wiping the device, and requires
    911      * that you request both {@link DeviceAdminInfo#USES_POLICY_WATCH_LOGIN} and
    912      * {@link DeviceAdminInfo#USES_POLICY_WIPE_DATA}}.
    913      *
    914      * <p>To implement any other policy (e.g. wiping data for a particular
    915      * application only, erasing or revoking credentials, or reporting the
    916      * failure to a server), you should implement
    917      * {@link DeviceAdminReceiver#onPasswordFailed(Context, android.content.Intent)}
    918      * instead.  Do not use this API, because if the maximum count is reached,
    919      * the device will be wiped immediately, and your callback will not be invoked.
    920      *
    921      * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
    922      * @param num The number of failed password attempts at which point the
    923      * device will wipe its data.
    924      */
    925     public void setMaximumFailedPasswordsForWipe(ComponentName admin, int num) {
    926         if (mService != null) {
    927             try {
    928                 mService.setMaximumFailedPasswordsForWipe(admin, num, UserHandle.myUserId());
    929             } catch (RemoteException e) {
    930                 Log.w(TAG, "Failed talking with device policy service", e);
    931             }
    932         }
    933     }
    934 
    935     /**
    936      * Retrieve the current maximum number of login attempts that are allowed
    937      * before the device wipes itself, for all admins
    938      * or a particular one.
    939      * @param admin The name of the admin component to check, or null to aggregate
    940      * all admins.
    941      */
    942     public int getMaximumFailedPasswordsForWipe(ComponentName admin) {
    943         return getMaximumFailedPasswordsForWipe(admin, UserHandle.myUserId());
    944     }
    945 
    946     /** @hide per-user version */
    947     public int getMaximumFailedPasswordsForWipe(ComponentName admin, int userHandle) {
    948         if (mService != null) {
    949             try {
    950                 return mService.getMaximumFailedPasswordsForWipe(admin, userHandle);
    951             } catch (RemoteException e) {
    952                 Log.w(TAG, "Failed talking with device policy service", e);
    953             }
    954         }
    955         return 0;
    956     }
    957 
    958     /**
    959      * Flag for {@link #resetPassword}: don't allow other admins to change
    960      * the password again until the user has entered it.
    961      */
    962     public static final int RESET_PASSWORD_REQUIRE_ENTRY = 0x0001;
    963 
    964     /**
    965      * Force a new device unlock password (the password needed to access the
    966      * entire device, not for individual accounts) on the user.  This takes
    967      * effect immediately.
    968      * The given password must be sufficient for the
    969      * current password quality and length constraints as returned by
    970      * {@link #getPasswordQuality(ComponentName)} and
    971      * {@link #getPasswordMinimumLength(ComponentName)}; if it does not meet
    972      * these constraints, then it will be rejected and false returned.  Note
    973      * that the password may be a stronger quality (containing alphanumeric
    974      * characters when the requested quality is only numeric), in which case
    975      * the currently active quality will be increased to match.
    976      *
    977      * <p>The calling device admin must have requested
    978      * {@link DeviceAdminInfo#USES_POLICY_RESET_PASSWORD} to be able to call
    979      * this method; if it has not, a security exception will be thrown.
    980      *
    981      * @param password The new password for the user.
    982      * @param flags May be 0 or {@link #RESET_PASSWORD_REQUIRE_ENTRY}.
    983      * @return Returns true if the password was applied, or false if it is
    984      * not acceptable for the current constraints.
    985      */
    986     public boolean resetPassword(String password, int flags) {
    987         if (mService != null) {
    988             try {
    989                 return mService.resetPassword(password, flags, UserHandle.myUserId());
    990             } catch (RemoteException e) {
    991                 Log.w(TAG, "Failed talking with device policy service", e);
    992             }
    993         }
    994         return false;
    995     }
    996 
    997     /**
    998      * Called by an application that is administering the device to set the
    999      * maximum time for user activity until the device will lock.  This limits
   1000      * the length that the user can set.  It takes effect immediately.
   1001      *
   1002      * <p>The calling device admin must have requested
   1003      * {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK} to be able to call
   1004      * this method; if it has not, a security exception will be thrown.
   1005      *
   1006      * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
   1007      * @param timeMs The new desired maximum time to lock in milliseconds.
   1008      * A value of 0 means there is no restriction.
   1009      */
   1010     public void setMaximumTimeToLock(ComponentName admin, long timeMs) {
   1011         if (mService != null) {
   1012             try {
   1013                 mService.setMaximumTimeToLock(admin, timeMs, UserHandle.myUserId());
   1014             } catch (RemoteException e) {
   1015                 Log.w(TAG, "Failed talking with device policy service", e);
   1016             }
   1017         }
   1018     }
   1019 
   1020     /**
   1021      * Retrieve the current maximum time to unlock for all admins
   1022      * or a particular one.
   1023      * @param admin The name of the admin component to check, or null to aggregate
   1024      * all admins.
   1025      */
   1026     public long getMaximumTimeToLock(ComponentName admin) {
   1027         return getMaximumTimeToLock(admin, UserHandle.myUserId());
   1028     }
   1029 
   1030     /** @hide per-user version */
   1031     public long getMaximumTimeToLock(ComponentName admin, int userHandle) {
   1032         if (mService != null) {
   1033             try {
   1034                 return mService.getMaximumTimeToLock(admin, userHandle);
   1035             } catch (RemoteException e) {
   1036                 Log.w(TAG, "Failed talking with device policy service", e);
   1037             }
   1038         }
   1039         return 0;
   1040     }
   1041 
   1042     /**
   1043      * Make the device lock immediately, as if the lock screen timeout has
   1044      * expired at the point of this call.
   1045      *
   1046      * <p>The calling device admin must have requested
   1047      * {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK} to be able to call
   1048      * this method; if it has not, a security exception will be thrown.
   1049      */
   1050     public void lockNow() {
   1051         if (mService != null) {
   1052             try {
   1053                 mService.lockNow();
   1054             } catch (RemoteException e) {
   1055                 Log.w(TAG, "Failed talking with device policy service", e);
   1056             }
   1057         }
   1058     }
   1059 
   1060     /**
   1061      * Flag for {@link #wipeData(int)}: also erase the device's external
   1062      * storage.
   1063      */
   1064     public static final int WIPE_EXTERNAL_STORAGE = 0x0001;
   1065 
   1066     /**
   1067      * Ask the user date be wiped.  This will cause the device to reboot,
   1068      * erasing all user data while next booting up.  External storage such
   1069      * as SD cards will be also erased if the flag {@link #WIPE_EXTERNAL_STORAGE}
   1070      * is set.
   1071      *
   1072      * <p>The calling device admin must have requested
   1073      * {@link DeviceAdminInfo#USES_POLICY_WIPE_DATA} to be able to call
   1074      * this method; if it has not, a security exception will be thrown.
   1075      *
   1076      * @param flags Bit mask of additional options: currently 0 and
   1077      *              {@link #WIPE_EXTERNAL_STORAGE} are supported.
   1078      */
   1079     public void wipeData(int flags) {
   1080         if (mService != null) {
   1081             try {
   1082                 mService.wipeData(flags, UserHandle.myUserId());
   1083             } catch (RemoteException e) {
   1084                 Log.w(TAG, "Failed talking with device policy service", e);
   1085             }
   1086         }
   1087     }
   1088 
   1089     /**
   1090      * Called by an application that is administering the device to set the
   1091      * global proxy and exclusion list.
   1092      * <p>
   1093      * The calling device admin must have requested
   1094      * {@link DeviceAdminInfo#USES_POLICY_SETS_GLOBAL_PROXY} to be able to call
   1095      * this method; if it has not, a security exception will be thrown.
   1096      * Only the first device admin can set the proxy. If a second admin attempts
   1097      * to set the proxy, the {@link ComponentName} of the admin originally setting the
   1098      * proxy will be returned. If successful in setting the proxy, null will
   1099      * be returned.
   1100      * The method can be called repeatedly by the device admin alrady setting the
   1101      * proxy to update the proxy and exclusion list.
   1102      *
   1103      * @param admin Which {@link DeviceAdminReceiver} this request is associated
   1104      *            with.
   1105      * @param proxySpec the global proxy desired. Must be an HTTP Proxy.
   1106      *            Pass Proxy.NO_PROXY to reset the proxy.
   1107      * @param exclusionList a list of domains to be excluded from the global proxy.
   1108      * @return returns null if the proxy was successfully set, or a {@link ComponentName}
   1109      *            of the device admin that sets thew proxy otherwise.
   1110      * @hide
   1111      */
   1112     public ComponentName setGlobalProxy(ComponentName admin, Proxy proxySpec,
   1113             List<String> exclusionList ) {
   1114         if (proxySpec == null) {
   1115             throw new NullPointerException();
   1116         }
   1117         if (mService != null) {
   1118             try {
   1119                 String hostSpec;
   1120                 String exclSpec;
   1121                 if (proxySpec.equals(Proxy.NO_PROXY)) {
   1122                     hostSpec = null;
   1123                     exclSpec = null;
   1124                 } else {
   1125                     if (!proxySpec.type().equals(Proxy.Type.HTTP)) {
   1126                         throw new IllegalArgumentException();
   1127                     }
   1128                     InetSocketAddress sa = (InetSocketAddress)proxySpec.address();
   1129                     String hostName = sa.getHostName();
   1130                     int port = sa.getPort();
   1131                     StringBuilder hostBuilder = new StringBuilder();
   1132                     hostSpec = hostBuilder.append(hostName)
   1133                         .append(":").append(Integer.toString(port)).toString();
   1134                     if (exclusionList == null) {
   1135                         exclSpec = "";
   1136                     } else {
   1137                         StringBuilder listBuilder = new StringBuilder();
   1138                         boolean firstDomain = true;
   1139                         for (String exclDomain : exclusionList) {
   1140                             if (!firstDomain) {
   1141                                 listBuilder = listBuilder.append(",");
   1142                             } else {
   1143                                 firstDomain = false;
   1144                             }
   1145                             listBuilder = listBuilder.append(exclDomain.trim());
   1146                         }
   1147                         exclSpec = listBuilder.toString();
   1148                     }
   1149                     android.net.Proxy.validate(hostName, Integer.toString(port), exclSpec);
   1150                 }
   1151                 return mService.setGlobalProxy(admin, hostSpec, exclSpec, UserHandle.myUserId());
   1152             } catch (RemoteException e) {
   1153                 Log.w(TAG, "Failed talking with device policy service", e);
   1154             }
   1155         }
   1156         return null;
   1157     }
   1158 
   1159     /**
   1160      * Returns the component name setting the global proxy.
   1161      * @return ComponentName object of the device admin that set the global proxy, or
   1162      *            null if no admin has set the proxy.
   1163      * @hide
   1164      */
   1165     public ComponentName getGlobalProxyAdmin() {
   1166         if (mService != null) {
   1167             try {
   1168                 return mService.getGlobalProxyAdmin(UserHandle.myUserId());
   1169             } catch (RemoteException e) {
   1170                 Log.w(TAG, "Failed talking with device policy service", e);
   1171             }
   1172         }
   1173         return null;
   1174     }
   1175 
   1176     /**
   1177      * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}:
   1178      * indicating that encryption is not supported.
   1179      */
   1180     public static final int ENCRYPTION_STATUS_UNSUPPORTED = 0;
   1181 
   1182     /**
   1183      * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}:
   1184      * indicating that encryption is supported, but is not currently active.
   1185      */
   1186     public static final int ENCRYPTION_STATUS_INACTIVE = 1;
   1187 
   1188     /**
   1189      * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}:
   1190      * indicating that encryption is not currently active, but is currently
   1191      * being activated.  This is only reported by devices that support
   1192      * encryption of data and only when the storage is currently
   1193      * undergoing a process of becoming encrypted.  A device that must reboot and/or wipe data
   1194      * to become encrypted will never return this value.
   1195      */
   1196     public static final int ENCRYPTION_STATUS_ACTIVATING = 2;
   1197 
   1198     /**
   1199      * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}:
   1200      * indicating that encryption is active.
   1201      */
   1202     public static final int ENCRYPTION_STATUS_ACTIVE = 3;
   1203 
   1204     /**
   1205      * Activity action: begin the process of encrypting data on the device.  This activity should
   1206      * be launched after using {@link #setStorageEncryption} to request encryption be activated.
   1207      * After resuming from this activity, use {@link #getStorageEncryption}
   1208      * to check encryption status.  However, on some devices this activity may never return, as
   1209      * it may trigger a reboot and in some cases a complete data wipe of the device.
   1210      */
   1211     @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION)
   1212     public static final String ACTION_START_ENCRYPTION
   1213             = "android.app.action.START_ENCRYPTION";
   1214 
   1215     /**
   1216      * Widgets are enabled in keyguard
   1217      */
   1218     public static final int KEYGUARD_DISABLE_FEATURES_NONE = 0;
   1219 
   1220     /**
   1221      * Disable all keyguard widgets
   1222      */
   1223     public static final int KEYGUARD_DISABLE_WIDGETS_ALL = 1 << 0;
   1224 
   1225     /**
   1226      * Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password)
   1227      */
   1228     public static final int KEYGUARD_DISABLE_SECURE_CAMERA = 1 << 1;
   1229 
   1230     /**
   1231      * Disable all current and future keyguard customizations.
   1232      */
   1233     public static final int KEYGUARD_DISABLE_FEATURES_ALL = 0x7fffffff;
   1234 
   1235     /**
   1236      * Called by an application that is administering the device to
   1237      * request that the storage system be encrypted.
   1238      *
   1239      * <p>When multiple device administrators attempt to control device
   1240      * encryption, the most secure, supported setting will always be
   1241      * used.  If any device administrator requests device encryption,
   1242      * it will be enabled;  Conversely, if a device administrator
   1243      * attempts to disable device encryption while another
   1244      * device administrator has enabled it, the call to disable will
   1245      * fail (most commonly returning {@link #ENCRYPTION_STATUS_ACTIVE}).
   1246      *
   1247      * <p>This policy controls encryption of the secure (application data) storage area.  Data
   1248      * written to other storage areas may or may not be encrypted, and this policy does not require
   1249      * or control the encryption of any other storage areas.
   1250      * There is one exception:  If {@link android.os.Environment#isExternalStorageEmulated()} is
   1251      * {@code true}, then the directory returned by
   1252      * {@link android.os.Environment#getExternalStorageDirectory()} must be written to disk
   1253      * within the encrypted storage area.
   1254      *
   1255      * <p>Important Note:  On some devices, it is possible to encrypt storage without requiring
   1256      * the user to create a device PIN or Password.  In this case, the storage is encrypted, but
   1257      * the encryption key may not be fully secured.  For maximum security, the administrator should
   1258      * also require (and check for) a pattern, PIN, or password.
   1259      *
   1260      * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
   1261      * @param encrypt true to request encryption, false to release any previous request
   1262      * @return the new request status (for all active admins) - will be one of
   1263      * {@link #ENCRYPTION_STATUS_UNSUPPORTED}, {@link #ENCRYPTION_STATUS_INACTIVE}, or
   1264      * {@link #ENCRYPTION_STATUS_ACTIVE}.  This is the value of the requests;  Use
   1265      * {@link #getStorageEncryptionStatus()} to query the actual device state.
   1266      */
   1267     public int setStorageEncryption(ComponentName admin, boolean encrypt) {
   1268         if (mService != null) {
   1269             try {
   1270                 return mService.setStorageEncryption(admin, encrypt, UserHandle.myUserId());
   1271             } catch (RemoteException e) {
   1272                 Log.w(TAG, "Failed talking with device policy service", e);
   1273             }
   1274         }
   1275         return ENCRYPTION_STATUS_UNSUPPORTED;
   1276     }
   1277 
   1278     /**
   1279      * Called by an application that is administering the device to
   1280      * determine the requested setting for secure storage.
   1281      *
   1282      * @param admin Which {@link DeviceAdminReceiver} this request is associated with.  If null,
   1283      * this will return the requested encryption setting as an aggregate of all active
   1284      * administrators.
   1285      * @return true if the admin(s) are requesting encryption, false if not.
   1286      */
   1287     public boolean getStorageEncryption(ComponentName admin) {
   1288         if (mService != null) {
   1289             try {
   1290                 return mService.getStorageEncryption(admin, UserHandle.myUserId());
   1291             } catch (RemoteException e) {
   1292                 Log.w(TAG, "Failed talking with device policy service", e);
   1293             }
   1294         }
   1295         return false;
   1296     }
   1297 
   1298     /**
   1299      * Called by an application that is administering the device to
   1300      * determine the current encryption status of the device.
   1301      *
   1302      * Depending on the returned status code, the caller may proceed in different
   1303      * ways.  If the result is {@link #ENCRYPTION_STATUS_UNSUPPORTED}, the
   1304      * storage system does not support encryption.  If the
   1305      * result is {@link #ENCRYPTION_STATUS_INACTIVE}, use {@link
   1306      * #ACTION_START_ENCRYPTION} to begin the process of encrypting or decrypting the
   1307      * storage.  If the result is {@link #ENCRYPTION_STATUS_ACTIVATING} or
   1308      * {@link #ENCRYPTION_STATUS_ACTIVE}, no further action is required.
   1309      *
   1310      * @return current status of encryption.  The value will be one of
   1311      * {@link #ENCRYPTION_STATUS_UNSUPPORTED}, {@link #ENCRYPTION_STATUS_INACTIVE},
   1312      * {@link #ENCRYPTION_STATUS_ACTIVATING}, or{@link #ENCRYPTION_STATUS_ACTIVE}.
   1313      */
   1314     public int getStorageEncryptionStatus() {
   1315         return getStorageEncryptionStatus(UserHandle.myUserId());
   1316     }
   1317 
   1318     /** @hide per-user version */
   1319     public int getStorageEncryptionStatus(int userHandle) {
   1320         if (mService != null) {
   1321             try {
   1322                 return mService.getStorageEncryptionStatus(userHandle);
   1323             } catch (RemoteException e) {
   1324                 Log.w(TAG, "Failed talking with device policy service", e);
   1325             }
   1326         }
   1327         return ENCRYPTION_STATUS_UNSUPPORTED;
   1328     }
   1329 
   1330     /**
   1331      * Called by an application that is administering the device to disable all cameras
   1332      * on the device.  After setting this, no applications will be able to access any cameras
   1333      * on the device.
   1334      *
   1335      * <p>The calling device admin must have requested
   1336      * {@link DeviceAdminInfo#USES_POLICY_DISABLE_CAMERA} to be able to call
   1337      * this method; if it has not, a security exception will be thrown.
   1338      *
   1339      * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
   1340      * @param disabled Whether or not the camera should be disabled.
   1341      */
   1342     public void setCameraDisabled(ComponentName admin, boolean disabled) {
   1343         if (mService != null) {
   1344             try {
   1345                 mService.setCameraDisabled(admin, disabled, UserHandle.myUserId());
   1346             } catch (RemoteException e) {
   1347                 Log.w(TAG, "Failed talking with device policy service", e);
   1348             }
   1349         }
   1350     }
   1351 
   1352     /**
   1353      * Determine whether or not the device's cameras have been disabled either by the current
   1354      * admin, if specified, or all admins.
   1355      * @param admin The name of the admin component to check, or null to check if any admins
   1356      * have disabled the camera
   1357      */
   1358     public boolean getCameraDisabled(ComponentName admin) {
   1359         return getCameraDisabled(admin, UserHandle.myUserId());
   1360     }
   1361 
   1362     /** @hide per-user version */
   1363     public boolean getCameraDisabled(ComponentName admin, int userHandle) {
   1364         if (mService != null) {
   1365             try {
   1366                 return mService.getCameraDisabled(admin, userHandle);
   1367             } catch (RemoteException e) {
   1368                 Log.w(TAG, "Failed talking with device policy service", e);
   1369             }
   1370         }
   1371         return false;
   1372     }
   1373 
   1374     /**
   1375      * Called by an application that is administering the device to disable keyguard customizations,
   1376      * such as widgets. After setting this, keyguard features will be disabled according to the
   1377      * provided feature list.
   1378      *
   1379      * <p>The calling device admin must have requested
   1380      * {@link DeviceAdminInfo#USES_POLICY_DISABLE_KEYGUARD_FEATURES} to be able to call
   1381      * this method; if it has not, a security exception will be thrown.
   1382      *
   1383      * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
   1384      * @param which {@link #KEYGUARD_DISABLE_FEATURES_NONE} (default),
   1385      * {@link #KEYGUARD_DISABLE_WIDGETS_ALL}, {@link #KEYGUARD_DISABLE_SECURE_CAMERA},
   1386      * {@link #KEYGUARD_DISABLE_FEATURES_ALL}
   1387      */
   1388     public void setKeyguardDisabledFeatures(ComponentName admin, int which) {
   1389         if (mService != null) {
   1390             try {
   1391                 mService.setKeyguardDisabledFeatures(admin, which, UserHandle.myUserId());
   1392             } catch (RemoteException e) {
   1393                 Log.w(TAG, "Failed talking with device policy service", e);
   1394             }
   1395         }
   1396     }
   1397 
   1398     /**
   1399      * Determine whether or not features have been disabled in keyguard either by the current
   1400      * admin, if specified, or all admins.
   1401      * @param admin The name of the admin component to check, or null to check if any admins
   1402      * have disabled features in keyguard.
   1403      * @return bitfield of flags. See {@link #setKeyguardDisabledFeatures(ComponentName, int)}
   1404      * for a list.
   1405      */
   1406     public int getKeyguardDisabledFeatures(ComponentName admin) {
   1407         return getKeyguardDisabledFeatures(admin, UserHandle.myUserId());
   1408     }
   1409 
   1410     /** @hide per-user version */
   1411     public int getKeyguardDisabledFeatures(ComponentName admin, int userHandle) {
   1412         if (mService != null) {
   1413             try {
   1414                 return mService.getKeyguardDisabledFeatures(admin, userHandle);
   1415             } catch (RemoteException e) {
   1416                 Log.w(TAG, "Failed talking with device policy service", e);
   1417             }
   1418         }
   1419         return KEYGUARD_DISABLE_FEATURES_NONE;
   1420     }
   1421 
   1422     /**
   1423      * @hide
   1424      */
   1425     public void setActiveAdmin(ComponentName policyReceiver, boolean refreshing) {
   1426         if (mService != null) {
   1427             try {
   1428                 mService.setActiveAdmin(policyReceiver, refreshing, UserHandle.myUserId());
   1429             } catch (RemoteException e) {
   1430                 Log.w(TAG, "Failed talking with device policy service", e);
   1431             }
   1432         }
   1433     }
   1434 
   1435     /**
   1436      * Returns the DeviceAdminInfo as defined by the administrator's package info & meta-data
   1437      * @hide
   1438      */
   1439     public DeviceAdminInfo getAdminInfo(ComponentName cn) {
   1440         ActivityInfo ai;
   1441         try {
   1442             ai = mContext.getPackageManager().getReceiverInfo(cn,
   1443                     PackageManager.GET_META_DATA);
   1444         } catch (PackageManager.NameNotFoundException e) {
   1445             Log.w(TAG, "Unable to retrieve device policy " + cn, e);
   1446             return null;
   1447         }
   1448 
   1449         ResolveInfo ri = new ResolveInfo();
   1450         ri.activityInfo = ai;
   1451 
   1452         try {
   1453             return new DeviceAdminInfo(mContext, ri);
   1454         } catch (XmlPullParserException e) {
   1455             Log.w(TAG, "Unable to parse device policy " + cn, e);
   1456             return null;
   1457         } catch (IOException e) {
   1458             Log.w(TAG, "Unable to parse device policy " + cn, e);
   1459             return null;
   1460         }
   1461     }
   1462 
   1463     /**
   1464      * @hide
   1465      */
   1466     public void getRemoveWarning(ComponentName admin, RemoteCallback result) {
   1467         if (mService != null) {
   1468             try {
   1469                 mService.getRemoveWarning(admin, result, UserHandle.myUserId());
   1470             } catch (RemoteException e) {
   1471                 Log.w(TAG, "Failed talking with device policy service", e);
   1472             }
   1473         }
   1474     }
   1475 
   1476     /**
   1477      * @hide
   1478      */
   1479     public void setActivePasswordState(int quality, int length, int letters, int uppercase,
   1480             int lowercase, int numbers, int symbols, int nonletter, int userHandle) {
   1481         if (mService != null) {
   1482             try {
   1483                 mService.setActivePasswordState(quality, length, letters, uppercase, lowercase,
   1484                         numbers, symbols, nonletter, userHandle);
   1485             } catch (RemoteException e) {
   1486                 Log.w(TAG, "Failed talking with device policy service", e);
   1487             }
   1488         }
   1489     }
   1490 
   1491     /**
   1492      * @hide
   1493      */
   1494     public void reportFailedPasswordAttempt(int userHandle) {
   1495         if (mService != null) {
   1496             try {
   1497                 mService.reportFailedPasswordAttempt(userHandle);
   1498             } catch (RemoteException e) {
   1499                 Log.w(TAG, "Failed talking with device policy service", e);
   1500             }
   1501         }
   1502     }
   1503 
   1504     /**
   1505      * @hide
   1506      */
   1507     public void reportSuccessfulPasswordAttempt(int userHandle) {
   1508         if (mService != null) {
   1509             try {
   1510                 mService.reportSuccessfulPasswordAttempt(userHandle);
   1511             } catch (RemoteException e) {
   1512                 Log.w(TAG, "Failed talking with device policy service", e);
   1513             }
   1514         }
   1515     }
   1516 
   1517     /**
   1518      * @hide
   1519      * Sets the given package as the device owner. The package must already be installed and there
   1520      * shouldn't be an existing device owner registered, for this call to succeed. Also, this
   1521      * method must be called before the device is provisioned.
   1522      * @param packageName the package name of the application to be registered as the device owner.
   1523      * @return whether the package was successfully registered as the device owner.
   1524      * @throws IllegalArgumentException if the package name is null or invalid
   1525      * @throws IllegalStateException if a device owner is already registered or the device has
   1526      *         already been provisioned.
   1527      */
   1528     public boolean setDeviceOwner(String packageName) throws IllegalArgumentException,
   1529             IllegalStateException {
   1530         if (mService != null) {
   1531             try {
   1532                 return mService.setDeviceOwner(packageName);
   1533             } catch (RemoteException re) {
   1534                 Log.w(TAG, "Failed to set device owner");
   1535             }
   1536         }
   1537         return false;
   1538     }
   1539 
   1540 
   1541     /**
   1542      * Used to determine if a particular package has been registered as a Device Owner app.
   1543      * A device owner app is a special device admin that cannot be deactivated by the user, once
   1544      * activated as a device admin. It also cannot be uninstalled. To check if a particular
   1545      * package is currently registered as the device owner app, pass in the package name from
   1546      * {@link Context#getPackageName()} to this method.<p/>This is useful for device
   1547      * admin apps that want to check if they are also registered as the device owner app. The
   1548      * exact mechanism by which a device admin app is registered as a device owner app is defined by
   1549      * the setup process.
   1550      * @param packageName the package name of the app, to compare with the registered device owner
   1551      * app, if any.
   1552      * @return whether or not the package is registered as the device owner app.
   1553      */
   1554     public boolean isDeviceOwnerApp(String packageName) {
   1555         if (mService != null) {
   1556             try {
   1557                 return mService.isDeviceOwner(packageName);
   1558             } catch (RemoteException re) {
   1559                 Log.w(TAG, "Failed to check device owner");
   1560             }
   1561         }
   1562         return false;
   1563     }
   1564 
   1565     /**
   1566      * @hide
   1567      * Redirect to isDeviceOwnerApp.
   1568      */
   1569     public boolean isDeviceOwner(String packageName) {
   1570         return isDeviceOwnerApp(packageName);
   1571     }
   1572 
   1573     /** @hide */
   1574     public String getDeviceOwner() {
   1575         if (mService != null) {
   1576             try {
   1577                 return mService.getDeviceOwner();
   1578             } catch (RemoteException re) {
   1579                 Log.w(TAG, "Failed to get device owner");
   1580             }
   1581         }
   1582         return null;
   1583     }
   1584 }
   1585