1 page.title=Device Administration 2 page.tags=devicepolicymanager,policy,security 3 @jd:body 4 5 <div id="qv-wrapper"> 6 <div id="qv"> 7 <h2>In this document</h2> 8 <ol> 9 <li><a href="#overview">Device Administration API Overview</a> 10 <ol> 11 <li><a href="#how">How does it work?</a></li> 12 <li><a href="#policies">Policies</a></li> 13 </ol> 14 </li> 15 <li><a href="#sample">Sample Application</a></li> 16 <li><a href="#developing">Developing a Device Administration Application</a> 17 <ol> 18 <li><a href="#manifest">Creating the manifest</a></li> 19 <li><a href="#code">Implementing the code</a></li> 20 </ol> 21 </li> 22 23 </ol> 24 25 <h2>Key classes</h2> 26 <ol> 27 <li>{@link android.app.admin.DeviceAdminReceiver}</li> 28 <li>{@link android.app.admin.DevicePolicyManager}</li> 29 <li>{@link android.app.admin.DeviceAdminInfo}</li> 30 </ol> 31 </div> 32 </div> 33 34 <p>Android 2.2 introduces support for enterprise applications by offering the 35 Android Device Administration API. The Device Administration API provides device 36 administration features at the system level. These APIs allow you to create 37 security-aware applications that are useful in enterprise settings, in which IT 38 professionals require rich control over employee devices. For example, the 39 built-in Android Email application has leveraged the new APIs to improve 40 Exchange support. Through the Email application, Exchange administrators can 41 enforce password policies — including alphanumeric passwords or numeric 42 PINs — across devices. Administrators can also remotely wipe (that is, 43 restore factory defaults on) lost or stolen handsets. Exchange users can sync 44 their email and calendar data.</p> 45 46 <p>This document is intended for developers who want to develop enterprise 47 solutions for Android-powered devices. It discusses the various features 48 provided by the Device Administration API to provide stronger security for 49 employee devices that are powered by Android.</p> 50 51 52 <h2 id="overview">Device Administration API Overview</h2> 53 54 <p>Here are examples of the types of applications that might use the Device Administration API:</p> 55 <ul> 56 <li>Email clients.</li> 57 <li>Security applications that do remote wipe.</li> 58 <li>Device management services and applications.</li> 59 </ul> 60 61 <h3 id="how">How does it work?</h3> 62 <p>You use the Device Administration API to write device admin applications that users 63 install on their devices. The device admin application enforces the desired 64 policies. Here's how it works:</p> <ul> 65 <li>A system administrator writes a device admin application that enforces 66 remote/local device security policies. These policies could be hard-coded into 67 the app, or the application could dynamically fetch policies from a third-party 68 server. </li> 69 <li>The application is installed on users' devices. Android does 70 not currently have an automated provisioning solution. Some of the ways a sysadmin might 71 distribute the application to users are as follows: 72 <ul> 73 <li>Google Play.</li> 74 <li>Enabling installation from another store.</li> 75 <li>Distributing the application through other means, such as email or websites.</li> 76 77 </ul> 78 79 80 </li> 81 <li>The system prompts the user to enable the device admin application. How 82 and when this happens depends on how the application is implemented.</li> 83 <li>Once users enable the device admin application, they are subject to 84 its policies. Complying with those policies typically confers benefits, such as 85 access to sensitive systems and data.</li> 86 </ul> 87 <p>If users do not enable the device admin app, it remains on the device, but in an inactive state. Users will not be subject to its policies, and they will conversely not get any of the application's benefits—for example, they may not be able to sync data.</p> 88 <p>If a user fails to comply with the policies (for example, if a user sets a 89 password that violates the guidelines), it is up to the application to decide 90 how to handle this. However, typically this will result in the user not being 91 able to sync data.</p> 92 <p>If a device attempts to connect to a server that requires policies not 93 supported in the Device Administration API, the connection will not 94 be allowed. The Device Administration API does not currently allow partial 95 provisioning. In other words, if a device (for example, a legacy device) does 96 not support all of the stated policies, there is no way to allow the 97 device to connect.</p> 98 <p>If a device contains multiple enabled admin applications, the strictest policy is 99 enforced. There is no way to target a particular admin 100 application.</p> 101 <p>To uninstall an existing device admin application, users need to 102 first unregister the application as an administrator. </p> 103 104 105 <h3 id="policies">Policies</h3> 106 107 <p>In an enterprise setting, it's often the case that employee devices must 108 adhere to a strict set of policies that govern the use of the device. The 109 Device Administration API supports the policies listed in Table 1. 110 Note that the Device Administration API currently only supports passwords for screen 111 lock:</p> 112 <p class="table-caption"><strong>Table 1.</strong> Policies supported by the Device Administration API.</p> 113 <table border="1"> 114 <tr> 115 <th>Policy</th> 116 <th>Description</th> 117 </tr> 118 <tr> 119 <td>Password enabled</td> 120 <td>Requires that devices ask for PIN or passwords.</td> 121 </tr> 122 <tr> 123 <td>Minimum password length</td> 124 <td>Set the required number of characters for the password. For example, you 125 can require PIN or passwords to have at least six characters. </td> </tr> 126 <tr> 127 <td>Alphanumeric password required</td> 128 <td>Requires that passwords have a 129 combination of letters and numbers. They may include symbolic characters. 130 </td> 131 </tr> 132 133 <tr> 134 <td>Complex password required</td> 135 <td>Requires that passwords must contain at least a letter, a numerical digit, and a special symbol. Introduced in Android 3.0. 136 </td> 137 </tr> 138 139 <tr> 140 <td>Minimum letters required in password</td> <td>The minimum number of 141 letters required in the password for all admins or a particular one. Introduced in Android 3.0.</td> 142 </tr> 143 144 145 <tr> 146 <td>Minimum lowercase letters required in password</td> 147 <td>The minimum number of lowercase 148 letters required in the password for all admins or a particular one. Introduced in Android 3.0.</td> 149 </tr> 150 151 <tr> 152 <td>Minimum non-letter characters required in password</td> 153 <td>The minimum number of 154 non-letter characters required in the password for all admins or a particular one. Introduced in Android 3.0.</td> 155 </tr> 156 157 <tr> 158 <td>Minimum numerical digits required in password</td> 159 <td>The minimum number of numerical digits required in the password for all admins or a particular one. Introduced in Android 3.0.</td> 160 </tr> 161 162 <tr> 163 <td>Minimum symbols required in password</td> 164 <td>The minimum number of symbols required in the password for all admins or a particular one. Introduced in Android 3.0.</td> 165 </tr> 166 167 <tr> 168 <td>Minimum uppercase letters required in password</td> 169 <td>The minimum number of uppercase letters required in the password for all admins or a particular one. Introduced in Android 3.0.</td> 170 </tr> 171 172 <tr> 173 <td>Password expiration timeout</td> 174 <td>When the password will expire, expressed as a delta in milliseconds from when a device admin sets the expiration timeout. Introduced in Android 3.0.</td> 175 </tr> 176 177 <tr> 178 <td>Password history restriction</td> 179 <td>This policy prevents users from reusing the last <em>n</em> unique passwords. 180 This policy is typically used in conjunction with 181 {@link android.app.admin.DevicePolicyManager#setPasswordExpirationTimeout(android.content.ComponentName,long) setPasswordExpirationTimeout()}, which forces 182 users to update their passwords after a specified amount of time has elapsed. 183 Introduced in Android 3.0.</td> 184 </tr> 185 186 <tr> 187 <td>Maximum failed password attempts </td> 188 <td>Specifies how many times a user can enter the wrong password before the 189 device wipes its data. The Device Administration API also allows administrators to 190 remotely reset the device to factory defaults. This secures data in case the 191 device is lost or stolen.</td> 192 </tr> 193 <tr> 194 <td>Maximum inactivity time lock</td> 195 <td>Sets the length of time since the user last touched the screen or 196 pressed a button before the device locks the screen. When this happens, users 197 need to enter their PIN or passwords again before they can use their devices and 198 access data. The value can be between 1 and 60 minutes.</td> </tr> 199 200 <tr> 201 <td>Require storage encryption</td> 202 <td>Specifies that the storage area should be encrypted, if the device supports it. 203 Introduced in Android 3.0.</td> </tr> 204 205 <tr> 206 <td>Disable camera</td> 207 208 <td>Specifies that the camera should be disabled. Note that this doesn't have 209 to be a permanent disabling. The camera can be enabled/disabled dynamically 210 based on context, time, and so on. Introduced in Android 4.0.</td> 211 212 </tr> 213 214 215 </table> 216 217 <h4>Other features</h4> 218 219 <p>In addition to supporting the policies listed in the above table, the Device 220 Administration API lets you do the following:</p> <ul> 221 <li>Prompt user to set a new password.</li> 222 <li>Lock device immediately.</li> 223 <li>Wipe the device's data (that is, restore the device to its factory defaults).</li> 224 </ul> 225 226 227 <h2 id="sample">Sample Application</h2> 228 229 <p>The examples used in this document are based on the Device Administration API 230 sample, which is included in the SDK samples (available through the 231 Android SDK Manager) and located on your system as 232 <code><sdk_root>/ApiDemos/app/src/main/java/com/example/android/apis/app/DeviceAdminSample.java</code>.</p> 233 234 <p>The sample application offers a demo of device admin features. It presents users 235 with a user interface that lets them enable the device admin application. Once 236 they've enabled the application, they can use the buttons in the user interface 237 to do the following:</p> 238 <ul> 239 <li>Set password quality.</li> 240 <li>Specify requirements for the user's password, such as minimum length, the minimum number of 241 numeric characters it must contain, and so on.</li> 242 <li>Set the password. If the password does not conform to the specified 243 policies, the system returns an error.</li> 244 <li>Set how many failed password attempts can occur before the device is wiped 245 (that is, restored to factory settings).</li> 246 <li>Set how long from now the password will expire.</li> 247 <li>Set the password history length (<em>length</em> refers to number of old passwords stored in the history). 248 This prevents users from reusing 249 one of the last <em>n</em> passwords they previously used.</li> 250 <li>Specify that the storage area should be encrypted, if the device supports it.</li> 251 <li>Set the maximum amount of inactive time that can elapse before the device 252 locks.</li> 253 <li>Make the device lock immediately.</li> 254 <li>Wipe the device's data (that is, restore factory settings).</li> 255 <li>Disable the camera.</li> 256 257 </ul> 258 259 260 261 <img src="{@docRoot}images/admin/device-admin-app.png"/> 262 263 <p class="img-caption"><strong>Figure 1.</strong> Screenshot of the Sample Application</p> 264 265 266 267 <h2 id="developing">Developing a Device Administration Application</h2> 268 269 <p>System administrators can use the Device Administration API to write an application 270 that enforces remote/local device security policy enforcement. This section 271 summarizes the steps involved in creating a device administration 272 application.</p> 273 274 <h3 id="manifest">Creating the manifest</h3> 275 276 <p>To use the Device Administration API, the application's 277 manifest must include the following:</p> 278 <ul> 279 <li>A subclass of {@link android.app.admin.DeviceAdminReceiver} that includes the following: 280 <ul> 281 <li>The {@link android.Manifest.permission#BIND_DEVICE_ADMIN} permission.</li> 282 <li>The ability to respond to the {@link android.app.admin.DeviceAdminReceiver#ACTION_DEVICE_ADMIN_ENABLED} 283 intent, expressed in the manifest as an intent filter.</li> 284 </ul> 285 </li> 286 <li>A declaration of security policies used in metadata.</li> 287 </ul> 288 <p>Here is an excerpt from the Device Administration sample manifest:</p> 289 <pre><activity android:name=".app.DeviceAdminSample" 290 android:label="@string/activity_sample_device_admin"> 291 <intent-filter> 292 <action android:name="android.intent.action.MAIN" /> 293 <category android:name="android.intent.category.SAMPLE_CODE" /> 294 </intent-filter> 295 </activity> 296 <receiver android:name=".app.DeviceAdminSample$DeviceAdminSampleReceiver" 297 android:label="@string/sample_device_admin" 298 android:description="@string/sample_device_admin_description" 299 android:permission="android.permission.BIND_DEVICE_ADMIN"> 300 <meta-data android:name="android.app.device_admin" 301 android:resource="@xml/device_admin_sample" /> 302 <intent-filter> 303 <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" /> 304 </intent-filter> 305 </receiver></pre> 306 307 <p>Note that:</p> 308 <ul> 309 <li>The following attributes refer to string resources that for the sample application reside in 310 <code>ApiDemos/res/values/strings.xml</code>. For more information about resources, see 311 <a 312 href="{@docRoot}guide/topics/resources/index.html">Application Resources</a>. 313 <ul> 314 <li><code>android:label="@string/activity_sample_device_admin"</code> refers to the 315 user-readable label for the activity.</li> 316 317 <li><code>android:label="@string/sample_device_admin"</code> refers to the 318 user-readable label for the permission.</li> 319 320 <li><code>android:description="@string/sample_device_admin_description"</code> refers to 321 the user-readable description of the permission. A descripton is typically longer and more 322 informative than 323 a label.</li> 324 </ul> 325 326 327 <li><code>android:permission="android.permission.BIND_DEVICE_ADMIN" 328 </code> is a permission that a {@link android.app.admin.DeviceAdminReceiver} subclass must 329 have, to ensure that only the system can interact with the receiver (no application can be granted this permission). This 330 prevents other applications from abusing your device admin app.</li> 331 <li><code>android.app.action.DEVICE_ADMIN_ENABLED</code> is the primary 332 action that a {@link android.app.admin.DeviceAdminReceiver} subclass must handle to be 333 allowed to manage a device. This is set to the receiver when the user enables 334 the device admin app. Your code typically handles this in 335 {@link android.app.admin.DeviceAdminReceiver#onEnabled onEnabled()}. To be supported, the receiver must also 336 require the {@link android.Manifest.permission#BIND_DEVICE_ADMIN} permission so that other applications 337 cannot abuse it. </li> 338 <li>When a user enables the device admin application, that gives the receiver 339 permission to perform actions in response to the broadcast of particular system 340 events. When suitable event arises, the application can impose a policy. For 341 example, if the user attempts to set a new password that doesn't meet the policy 342 requirements, the application can prompt the user to pick a different password 343 that does meet the requirements.</li> 344 345 <li><code>android:resource="@xml/device_admin_sample"</code> 346 declares the security policies used in metadata. The metadata provides additional 347 information specific to the device administrator, as parsed by the {@link 348 android.app.admin.DeviceAdminInfo} class. Here are the contents of 349 <code>device_admin_sample.xml</code>:</li> 350 </ul> 351 <pre><device-admin xmlns:android="http://schemas.android.com/apk/res/android">; 352 <uses-policies> 353 <limit-password /> 354 <watch-login /> 355 <reset-password /> 356 <force-lock /> 357 <wipe-data /> 358 <expire-password /> 359 <encrypted-storage /> 360 <disable-camera /> 361 </uses-policies> 362 </device-admin> 363 </pre> 364 <p> In designing your device administration application, you don't need to 365 include all of the policies, just the ones that are relevant for your app. 366 </p> 367 For more discussion of the manifest file, see the <a 368 href="{@docRoot}guide/topics/manifest/manifest-intro.html">Android Developers Guide</a>. 369 370 371 372 <h3 id="code">Implementing the code</h3> 373 374 <p>The Device Administration API includes the following classes:</p> 375 <dl> 376 <dt>{@link android.app.admin.DeviceAdminReceiver}</dt> 377 <dd>Base class for implementing a device administration component. This class provides 378 a convenience for interpreting the raw intent actions that are sent by the 379 system. Your Device Administration application must include a 380 {@link android.app.admin.DeviceAdminReceiver} subclass.</dd> 381 <dt>{@link android.app.admin.DevicePolicyManager}</dt> 382 <dd>A class for managing policies enforced on a device. Most clients of 383 this class must have published a {@link android.app.admin.DeviceAdminReceiver} that the user 384 has currently enabled. The {@link android.app.admin.DevicePolicyManager} manages policies for 385 one or more {@link android.app.admin.DeviceAdminReceiver} instances</dd> 386 <dt>{@link android.app.admin.DeviceAdminInfo}</dt> 387 <dd>This class is used to specify metadata 388 for a device administrator component.</dd> 389 </dl> 390 <p>These classes provide the foundation for a fully functional device administration application. 391 The rest of this section describes how you use the {@link 392 android.app.admin.DeviceAdminReceiver} and 393 {@link android.app.admin.DevicePolicyManager} APIs to write a device admin application.</p> 394 395 <h4 id="receiver">Subclassing DeviceAdminReceiver</h4> 396 <p>To create a device admin application, you must subclass 397 {@link android.app.admin.DeviceAdminReceiver}. The {@link android.app.admin.DeviceAdminReceiver} class 398 consists of a series of callbacks that are triggered when particular events 399 occur.</p> 400 <p>In its {@link android.app.admin.DeviceAdminReceiver} subclass, the sample application 401 simply displays a {@link android.widget.Toast} notification in response to particular 402 events. For example:</p> 403 <pre>public class DeviceAdminSample extends DeviceAdminReceiver { 404 405 void showToast(Context context, String msg) { 406 String status = context.getString(R.string.admin_receiver_status, msg); 407 Toast.makeText(context, status, Toast.LENGTH_SHORT).show(); 408 } 409 410 @Override 411 public void onEnabled(Context context, Intent intent) { 412 showToast(context, context.getString(R.string.admin_receiver_status_enabled)); 413 } 414 415 @Override 416 public CharSequence onDisableRequested(Context context, Intent intent) { 417 return context.getString(R.string.admin_receiver_status_disable_warning); 418 } 419 420 @Override 421 public void onDisabled(Context context, Intent intent) { 422 showToast(context, context.getString(R.string.admin_receiver_status_disabled)); 423 } 424 425 @Override 426 public void onPasswordChanged(Context context, Intent intent) { 427 showToast(context, context.getString(R.string.admin_receiver_status_pw_changed)); 428 } 429 ... 430 }</pre> 431 432 433 <h4 id="enabling">Enabling the application</h4> 434 <p>One of the major events a device admin application has to handle is the user 435 enabling the application. The user must explicitly enable the application for 436 the policies to be enforced. If the user chooses not to enable the application 437 it will still be present on the device, but its policies will not be enforced, and the user will not 438 get any of the application's benefits.</p> 439 <p>The process of enabling the application begins when the user performs an 440 action that triggers the {@link android.app.admin.DevicePolicyManager#ACTION_ADD_DEVICE_ADMIN} 441 intent. In the 442 sample application, this happens when the user clicks the <strong>Enable 443 Admin</strong> checkbox. </p> 444 <p>When the user clicks the <strong>Enable Admin</strong> checkbox, the display 445 changes to prompt the user to activate the device admin application, as shown in figure 446 2.</p> 447 448 <img src="{@docRoot}images/admin/device-admin-activate-prompt.png"/> 449 <p class="img-caption"><strong>Figure 2.</strong> Sample Application: Activating the Application</p> 450 451 <p>Below is the code that gets executed when the user clicks the <strong>Enable Admin</strong> checkbox. This has the effect of triggering the 452 {@link android.preference.Preference.OnPreferenceChangeListener#onPreferenceChange(android.preference.Preference, java.lang.Object) onPreferenceChange()} 453 callback. This callback is invoked when the value of this {@link android.preference.Preference} has been changed by the user and is about to be set and/or persisted. If the user is enabling the application, the display 454 changes to prompt the user to activate the device admin application, as shown in figure 455 2. Otherwise, the device admin application is disabled. </p> 456 457 <pre>@Override 458 public boolean onPreferenceChange(Preference preference, Object newValue) { 459 if (super.onPreferenceChange(preference, newValue)) { 460 return true; 461 } 462 boolean value = (Boolean) newValue; 463 if (preference == mEnableCheckbox) { 464 if (value != mAdminActive) { 465 if (value) { 466 // Launch the activity to have the user enable our admin. 467 Intent intent = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN); 468 intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, mDeviceAdminSample); 469 intent.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION, 470 mActivity.getString(R.string.add_admin_extra_app_text)); 471 startActivityForResult(intent, REQUEST_CODE_ENABLE_ADMIN); 472 // return false - don't update checkbox until we're really active 473 return false; 474 } else { 475 mDPM.removeActiveAdmin(mDeviceAdminSample); 476 enableDeviceCapabilitiesArea(false); 477 mAdminActive = false; 478 } 479 } 480 } else if (preference == mDisableCameraCheckbox) { 481 mDPM.setCameraDisabled(mDeviceAdminSample, value); 482 ... 483 } 484 return true; 485 }</pre> 486 487 488 <p>The line 489 <code>intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, 490 mDeviceAdminSample)</code> states that <code>mDeviceAdminSample</code> (which is 491 a {@link android.app.admin.DeviceAdminReceiver} component) is the target policy. 492 This line invokes the user interface shown in figure 2, which guides users through 493 adding the device administrator to the system (or allows them to reject it).</p> 494 495 <p>When the application needs to perform an operation that is contingent on the 496 device admin application being enabled, it confirms that the application is 497 active. To do this it uses the {@link android.app.admin.DevicePolicyManager} method 498 {@link android.app.admin.DevicePolicyManager#isAdminActive(android.content.ComponentName) isAdminActive()}. Notice that the {@link android.app.admin.DevicePolicyManager} 499 method {@link android.app.admin.DevicePolicyManager#isAdminActive(android.content.ComponentName) isAdminActive()} takes a {@link android.app.admin.DeviceAdminReceiver} 500 component as its argument:</p> 501 502 <pre> 503 DevicePolicyManager mDPM; 504 ... 505 private boolean isActiveAdmin() { 506 return mDPM.isAdminActive(mDeviceAdminSample); 507 } 508 </pre> 509 510 511 512 <h3 id="admin_ops">Managing policies</h3> 513 <p>{@link android.app.admin.DevicePolicyManager} is a public class for managing policies 514 enforced on a device. {@link android.app.admin.DevicePolicyManager} manages policies for one 515 or more {@link android.app.admin.DeviceAdminReceiver} instances. </p> 516 <p>You get a handle to the {@link android.app.admin.DevicePolicyManager} as follows: </p> 517 <pre> 518 DevicePolicyManager mDPM = 519 (DevicePolicyManager)getSystemService(Context.DEVICE_POLICY_SERVICE); 520 </pre> 521 <p>This section describes how to use {@link android.app.admin.DevicePolicyManager} to perform 522 administrative tasks:</p> 523 <ul> 524 <li><a href="#pwd">Set password policies</a></li> 525 <li><a href="#lock">Set device lock</a></li> 526 <li><a href="#wipe">Perform data wipe</a></li> 527 </ul> 528 529 <h4 id="pwd">Set password policies</h4> 530 <p>{@link android.app.admin.DevicePolicyManager} includes APIs for setting and enforcing the 531 device password policy. In the Device Administration API, the password only applies to 532 screen lock. This section describes common password-related tasks.</p> 533 534 <h5>Set a password for the device</h5> 535 <p>This code displays a user interface prompting the user to set a password:</p> 536 <pre>Intent intent = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD); 537 startActivity(intent); 538 </pre> 539 540 <h5>Set the password quality</h5> 541 <p>The password quality can be one of the following {@link android.app.admin.DevicePolicyManager} constants: </p> 542 <dl> 543 <dt>{@link android.app.admin.DevicePolicyManager#PASSWORD_QUALITY_ALPHABETIC}</dt><dd>The user must enter a 544 password containing at least alphabetic (or other symbol) characters.</dd> 545 <dt>{@link android.app.admin.DevicePolicyManager#PASSWORD_QUALITY_ALPHANUMERIC}</dt><dd>The user must enter a 546 password containing at least <em>both</em> numeric <em>and</em> alphabetic (or 547 other symbol) characters.</dd> 548 <dt>{@link android.app.admin.DevicePolicyManager#PASSWORD_QUALITY_NUMERIC}</dt><dd>The user must enter a password 549 containing at least numeric characters.</dd> 550 <dt>{@link 551 android.app.admin.DevicePolicyManager#PASSWORD_QUALITY_COMPLEX}</dt><dd>The user 552 must have entered a password containing at least a letter, a numerical digit and 553 a special symbol.</dd> 554 <dt>{@link 555 android.app.admin.DevicePolicyManager#PASSWORD_QUALITY_SOMETHING}</dt><dd>The 556 policy requires some kind 557 of password, but doesn't care what it is.</dd> 558 <dt>{@link android.app.admin.DevicePolicyManager#PASSWORD_QUALITY_UNSPECIFIED}</dt><dd> 559 The policy has no requirements for the password. </dd> 560 </dl> 561 <p>For example, this is how you would set the password policy to require an alphanumeric password:</p> 562 <pre> 563 DevicePolicyManager mDPM; 564 ComponentName mDeviceAdminSample; 565 ... 566 mDPM.setPasswordQuality(mDeviceAdminSample, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC); 567 </pre> 568 569 <h5>Set password content requirements</h5> 570 571 <p>Beginning with Android 3.0, the {@link android.app.admin.DevicePolicyManager} class 572 includes methods that let you fine-tune the contents of the password. For 573 example, you could set a policy that states that passwords must contain at least 574 <em>n</em> uppercase letters. Here are the methods for fine-tuning a password's 575 contents:</p> 576 <ul> 577 578 <li>{@link android.app.admin.DevicePolicyManager#setPasswordMinimumLetters(android.content.ComponentName,int) setPasswordMinimumLetters()}</li> 579 580 <li>{@link android.app.admin.DevicePolicyManager#setPasswordMinimumLowerCase(android.content.ComponentName,int) setPasswordMinimumLowerCase()}</li> 581 582 <li>{@link android.app.admin.DevicePolicyManager#setPasswordMinimumUpperCase(android.content.ComponentName,int) setPasswordMinimumUpperCase()}</li> 583 584 <li>{@link android.app.admin.DevicePolicyManager#setPasswordMinimumNonLetter(android.content.ComponentName,int) setPasswordMinimumNonLetter()}</li> 585 586 <li>{@link android.app.admin.DevicePolicyManager#setPasswordMinimumNumeric(android.content.ComponentName,int) setPasswordMinimumNumeric()}</li> 587 588 <li>{@link android.app.admin.DevicePolicyManager#setPasswordMinimumSymbols(android.content.ComponentName,int) setPasswordMinimumSymbols()}</li> 589 </ul> 590 <p>For example, this snippet states that the password must have at least 2 uppercase letters:</p> 591 <pre> 592 DevicePolicyManager mDPM; 593 ComponentName mDeviceAdminSample; 594 int pwMinUppercase = 2; 595 ... 596 mDPM.setPasswordMinimumUpperCase(mDeviceAdminSample, pwMinUppercase);</pre> 597 598 599 <h5>Set the minimum password length</h5> 600 <p>You can specify that a password must be at least the specified minimum 601 length. For example:</p> 602 <pre>DevicePolicyManager mDPM; 603 ComponentName mDeviceAdminSample; 604 int pwLength; 605 ... 606 mDPM.setPasswordMinimumLength(mDeviceAdminSample, pwLength); 607 </pre> 608 609 <h5>Set maximum failed password attempts</h5> 610 <p>You can set the maximum number of allowed failed password attempts before the 611 device is wiped (that is, reset to factory settings). For example:</p> 612 <pre>DevicePolicyManager mDPM; 613 ComponentName mDeviceAdminSample; 614 int maxFailedPw; 615 ... 616 mDPM.setMaximumFailedPasswordsForWipe(mDeviceAdminSample, maxFailedPw);</pre> 617 618 <h5 id="expiration">Set password expiration timeout</h5> 619 <p>Beginning with Android 3.0, you can use the 620 {@link android.app.admin.DevicePolicyManager#setPasswordExpirationTimeout(android.content.ComponentName,long) setPasswordExpirationTimeout()} 621 method to set when a password will expire, expressed as a delta in milliseconds from when a device admin sets the expiration timeout. For example:</p> 622 623 <pre>DevicePolicyManager mDPM; 624 ComponentName mDeviceAdminSample; 625 long pwExpiration; 626 ... 627 mDPM.setPasswordExpirationTimeout(mDeviceAdminSample, pwExpiration); 628 </pre> 629 630 <h5 id="history">Restrict password based on history</h5> 631 632 <p>Beginning with Android 3.0, you can use the 633 {@link android.app.admin.DevicePolicyManager#setPasswordHistoryLength(android.content.ComponentName,int) setPasswordHistoryLength()} 634 method to limit users' 635 ability to reuse old passwords. This method takes a <em>length</em> 636 parameter, which specifies how many old 637 passwords are stored. When this policy is active, users cannot enter a new 638 password that matches the last <em>n</em> passwords. This prevents 639 users from using the same password over and over. This policy is typically used 640 in conjunction with 641 {@link android.app.admin.DevicePolicyManager#setPasswordExpirationTimeout(android.content.ComponentName,long) setPasswordExpirationTimeout()}, 642 which forces users 643 to update their passwords after a specified amount of time has elapsed. </p> 644 645 <p>For example, this snippet prohibits users from reusing any of their last 5 passwords:</p> 646 647 <pre>DevicePolicyManager mDPM; 648 ComponentName mDeviceAdminSample; 649 int pwHistoryLength = 5; 650 ... 651 mDPM.setPasswordHistoryLength(mDeviceAdminSample, pwHistoryLength); 652 </pre> 653 654 <h4 id="lock">Set device lock</h4> 655 <p>You can set the maximum period of user inactivity that can occur before the 656 device locks. For example:</p> 657 <pre> 658 DevicePolicyManager mDPM; 659 ComponentName mDeviceAdminSample; 660 ... 661 long timeMs = 1000L*Long.parseLong(mTimeout.getText().toString()); 662 mDPM.setMaximumTimeToLock(mDeviceAdminSample, timeMs); 663 </pre> 664 <p>You can also programmatically tell the device to lock immediately:</p> 665 <pre> 666 DevicePolicyManager mDPM; 667 mDPM.lockNow(); 668 </pre> 669 670 671 672 <h4 id="wipe">Perform data wipe</h4> 673 674 <p>You can use the {@link android.app.admin.DevicePolicyManager} method 675 {@link android.app.admin.DevicePolicyManager#wipeData wipeData()} to reset the device to factory settings. This is useful 676 if the device is lost or stolen. Often the decision to wipe the device is the 677 result of certain conditions being met. For example, you can use 678 {@link android.app.admin.DevicePolicyManager#setMaximumFailedPasswordsForWipe setMaximumFailedPasswordsForWipe()} to state that a device should be 679 wiped after a specific number of failed password attempts.</p> 680 <p>You wipe data as follows:</p> 681 <pre> 682 DevicePolicyManager mDPM; 683 mDPM.wipeData(0);</pre> 684 <p>The {@link android.app.admin.DevicePolicyManager#wipeData wipeData()} method takes as its 685 parameter a bit mask of additional options. Currently the value must be 0. </p> 686 687 <h4>Disable camera</h4> 688 <p>Beginning with Android 4.0, you can disable the camera. Note that this doesn't have to be a permanent disabling. The camera can be enabled/disabled dynamically based on context, time, and so on. </p> 689 <p>You control whether the camera is disabled by using the 690 {@link android.app.admin.DevicePolicyManager#setCameraDisabled(android.content.ComponentName, boolean) setCameraDisabled()} method. For example, this snippet sets the camera to be enabled or disabled based on a checkbox setting:</p> 691 692 <pre>private CheckBoxPreference mDisableCameraCheckbox; 693 DevicePolicyManager mDPM; 694 ComponentName mDeviceAdminSample; 695 ... 696 mDPM.setCameraDisabled(mDeviceAdminSample, mDisableCameraCheckbox.isChecked());<br /> 697 </pre> 698 699 700 <h4 id="storage">Storage encryption</h4> 701 <p>Beginning with Android 3.0, you can use the 702 {@link android.app.admin.DevicePolicyManager#setStorageEncryption(android.content.ComponentName,boolean) setStorageEncryption()} 703 method to set a policy requiring encryption of the storage area, where supported.</p> 704 705 <p>For example:</p> 706 707 <pre> 708 DevicePolicyManager mDPM; 709 ComponentName mDeviceAdminSample; 710 ... 711 mDPM.setStorageEncryption(mDeviceAdminSample, true); 712 </pre> 713 <p> 714 See the Device Administration API sample for a complete example of how to enable storage encryption. 715 </p>
