1 /* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.app.admin; 18 19 import android.annotation.SdkConstant; 20 import android.annotation.SdkConstant.SdkConstantType; 21 import android.annotation.SystemApi; 22 import android.app.Activity; 23 import android.app.admin.IDevicePolicyManager; 24 import android.content.ComponentName; 25 import android.content.Context; 26 import android.content.Intent; 27 import android.content.IntentFilter; 28 import android.content.pm.ActivityInfo; 29 import android.content.pm.PackageManager; 30 import android.content.pm.ResolveInfo; 31 import android.net.ProxyInfo; 32 import android.os.Bundle; 33 import android.os.Handler; 34 import android.os.PersistableBundle; 35 import android.os.Process; 36 import android.os.RemoteCallback; 37 import android.os.RemoteException; 38 import android.os.ServiceManager; 39 import android.os.UserHandle; 40 import android.os.UserManager; 41 import android.provider.Settings; 42 import android.security.Credentials; 43 import android.service.restrictions.RestrictionsReceiver; 44 import android.service.trust.TrustAgentService; 45 import android.util.Log; 46 47 import com.android.org.conscrypt.TrustedCertificateStore; 48 49 import org.xmlpull.v1.XmlPullParserException; 50 51 import java.io.ByteArrayInputStream; 52 import java.io.IOException; 53 import java.net.InetSocketAddress; 54 import java.net.Proxy; 55 import java.security.PrivateKey; 56 import java.security.cert.Certificate; 57 import java.security.cert.CertificateException; 58 import java.security.cert.CertificateFactory; 59 import java.security.cert.X509Certificate; 60 import java.util.ArrayList; 61 import java.util.Collections; 62 import java.util.List; 63 64 /** 65 * Public interface for managing policies enforced on a device. Most clients of this class must be 66 * registered with the system as a 67 * <a href={@docRoot}guide/topics/admin/device-admin.html">device administrator</a>. Additionally, 68 * a device administrator may be registered as either a profile or device owner. A given method is 69 * accessible to all device administrators unless the documentation for that method specifies that 70 * it is restricted to either device or profile owners. 71 * 72 * <div class="special reference"> 73 * <h3>Developer Guides</h3> 74 * <p>For more information about managing policies for device administration, read the 75 * <a href="{@docRoot}guide/topics/admin/device-admin.html">Device Administration</a> 76 * developer guide.</p> 77 * </div> 78 */ 79 public class DevicePolicyManager { 80 private static String TAG = "DevicePolicyManager"; 81 82 private final Context mContext; 83 private final IDevicePolicyManager mService; 84 85 private DevicePolicyManager(Context context, Handler handler) { 86 mContext = context; 87 mService = IDevicePolicyManager.Stub.asInterface( 88 ServiceManager.getService(Context.DEVICE_POLICY_SERVICE)); 89 } 90 91 /** @hide */ 92 public static DevicePolicyManager create(Context context, Handler handler) { 93 DevicePolicyManager me = new DevicePolicyManager(context, handler); 94 return me.mService != null ? me : null; 95 } 96 97 /** 98 * Activity action: Starts the provisioning flow which sets up a managed profile. 99 * 100 * <p>A managed profile allows data separation for example for the usage of a 101 * device as a personal and corporate device. The user which provisioning is started from and 102 * the managed profile share a launcher. 103 * 104 * <p>This intent will typically be sent by a mobile device management application (mdm). 105 * Provisioning adds a managed profile and sets the mdm as the profile owner who has full 106 * control over the profile 107 * 108 * <p>This intent must contain the extra {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME}. 109 * 110 * <p> When managed provisioning has completed, an intent of the type 111 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE} is broadcasted to the 112 * managed profile. 113 * 114 * <p> If provisioning fails, the managedProfile is removed so the device returns to its 115 * previous state. 116 * 117 * <p>Input: Nothing.</p> 118 * <p>Output: Nothing</p> 119 */ 120 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 121 public static final String ACTION_PROVISION_MANAGED_PROFILE 122 = "android.app.action.PROVISION_MANAGED_PROFILE"; 123 124 /** 125 * A {@link android.os.Parcelable} extra of type {@link android.os.PersistableBundle} that allows 126 * a mobile device management application that starts managed profile provisioning to pass data 127 * to itself on the managed profile when provisioning completes. The mobile device management 128 * application sends this extra in an intent with the action 129 * {@link #ACTION_PROVISION_MANAGED_PROFILE} and receives it in 130 * {@link DeviceAdminReceiver#onProfileProvisioningComplete} via an intent with the action 131 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE}. The bundle is not changed 132 * during the managed profile provisioning. 133 */ 134 public static final String EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE = 135 "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"; 136 137 /** 138 * A String extra holding the package name of the mobile device management application that 139 * will be set as the profile owner or device owner. 140 * 141 * <p>If an application starts provisioning directly via an intent with action 142 * {@link #ACTION_PROVISION_MANAGED_PROFILE} this package has to match the package name of the 143 * application that started provisioning. The package will be set as profile owner in that case. 144 * 145 * <p>This package is set as device owner when device owner provisioning is started by an NFC 146 * message containing an NFC record with MIME type {@link #MIME_TYPE_PROVISIONING_NFC}. 147 */ 148 public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME 149 = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME"; 150 151 /** 152 * An {@link android.accounts.Account} extra holding the account to migrate during managed 153 * profile provisioning. If the account supplied is present in the primary user, it will be 154 * copied, along with its credentials to the managed profile and removed from the primary user. 155 * 156 * Use with {@link #ACTION_PROVISION_MANAGED_PROFILE}. 157 */ 158 159 public static final String EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE 160 = "android.app.extra.PROVISIONING_ACCOUNT_TO_MIGRATE"; 161 162 /** 163 * A String extra that, holds the email address of the account which a managed profile is 164 * created for. Used with {@link #ACTION_PROVISION_MANAGED_PROFILE} and 165 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE}. 166 * 167 * <p> This extra is part of the {@link #EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE}. 168 * 169 * <p> If the {@link #ACTION_PROVISION_MANAGED_PROFILE} intent that starts managed provisioning 170 * contains this extra, it is forwarded in the 171 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE} intent to the mobile 172 * device management application that was set as the profile owner during provisioning. 173 * It is usually used to avoid that the user has to enter their email address twice. 174 */ 175 public static final String EXTRA_PROVISIONING_EMAIL_ADDRESS 176 = "android.app.extra.PROVISIONING_EMAIL_ADDRESS"; 177 178 /** 179 * A Boolean extra that can be used by the mobile device management application to skip the 180 * disabling of system apps during provisioning when set to <code>true</code>. 181 * 182 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 183 * provisioning via an NFC bump. 184 */ 185 public static final String EXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED = 186 "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"; 187 188 /** 189 * A String extra holding the time zone {@link android.app.AlarmManager} that the device 190 * will be set to. 191 * 192 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 193 * provisioning via an NFC bump. 194 */ 195 public static final String EXTRA_PROVISIONING_TIME_ZONE 196 = "android.app.extra.PROVISIONING_TIME_ZONE"; 197 198 /** 199 * A Long extra holding the wall clock time (in milliseconds) to be set on the device's 200 * {@link android.app.AlarmManager}. 201 * 202 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 203 * provisioning via an NFC bump. 204 */ 205 public static final String EXTRA_PROVISIONING_LOCAL_TIME 206 = "android.app.extra.PROVISIONING_LOCAL_TIME"; 207 208 /** 209 * A String extra holding the {@link java.util.Locale} that the device will be set to. 210 * Format: xx_yy, where xx is the language code, and yy the country code. 211 * 212 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 213 * provisioning via an NFC bump. 214 */ 215 public static final String EXTRA_PROVISIONING_LOCALE 216 = "android.app.extra.PROVISIONING_LOCALE"; 217 218 /** 219 * A String extra holding the ssid of the wifi network that should be used during nfc device 220 * owner provisioning for downloading the mobile device management application. 221 * 222 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 223 * provisioning via an NFC bump. 224 */ 225 public static final String EXTRA_PROVISIONING_WIFI_SSID 226 = "android.app.extra.PROVISIONING_WIFI_SSID"; 227 228 /** 229 * A boolean extra indicating whether the wifi network in {@link #EXTRA_PROVISIONING_WIFI_SSID} 230 * is hidden or not. 231 * 232 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 233 * provisioning via an NFC bump. 234 */ 235 public static final String EXTRA_PROVISIONING_WIFI_HIDDEN 236 = "android.app.extra.PROVISIONING_WIFI_HIDDEN"; 237 238 /** 239 * A String extra indicating the security type of the wifi network in 240 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 241 * 242 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 243 * provisioning via an NFC bump. 244 */ 245 public static final String EXTRA_PROVISIONING_WIFI_SECURITY_TYPE 246 = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"; 247 248 /** 249 * A String extra holding the password of the wifi network in 250 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 251 * 252 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 253 * provisioning via an NFC bump. 254 */ 255 public static final String EXTRA_PROVISIONING_WIFI_PASSWORD 256 = "android.app.extra.PROVISIONING_WIFI_PASSWORD"; 257 258 /** 259 * A String extra holding the proxy host for the wifi network in 260 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 261 * 262 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 263 * provisioning via an NFC bump. 264 */ 265 public static final String EXTRA_PROVISIONING_WIFI_PROXY_HOST 266 = "android.app.extra.PROVISIONING_WIFI_PROXY_HOST"; 267 268 /** 269 * An int extra holding the proxy port for the wifi network in 270 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 271 * 272 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 273 * provisioning via an NFC bump. 274 */ 275 public static final String EXTRA_PROVISIONING_WIFI_PROXY_PORT 276 = "android.app.extra.PROVISIONING_WIFI_PROXY_PORT"; 277 278 /** 279 * A String extra holding the proxy bypass for the wifi network in 280 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 281 * 282 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 283 * provisioning via an NFC bump. 284 */ 285 public static final String EXTRA_PROVISIONING_WIFI_PROXY_BYPASS 286 = "android.app.extra.PROVISIONING_WIFI_PROXY_BYPASS"; 287 288 /** 289 * A String extra holding the proxy auto-config (PAC) URL for the wifi network in 290 * {@link #EXTRA_PROVISIONING_WIFI_SSID}. 291 * 292 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 293 * provisioning via an NFC bump. 294 */ 295 public static final String EXTRA_PROVISIONING_WIFI_PAC_URL 296 = "android.app.extra.PROVISIONING_WIFI_PAC_URL"; 297 298 /** 299 * A String extra holding a url that specifies the download location of the device admin 300 * package. When not provided it is assumed that the device admin package is already installed. 301 * 302 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 303 * provisioning via an NFC bump. 304 */ 305 public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION 306 = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"; 307 308 /** 309 * A String extra holding a http cookie header which should be used in the http request to the 310 * url specified in {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION}. 311 * 312 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 313 * provisioning via an NFC bump. 314 */ 315 public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER 316 = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER"; 317 318 /** 319 * A String extra holding the SHA-1 checksum of the file at download location specified in 320 * {@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION}. If this doesn't match 321 * the file at the download location an error will be shown to the user and the user will be 322 * asked to factory reset the device. 323 * 324 * <p>Use in an NFC record with {@link #MIME_TYPE_PROVISIONING_NFC} that starts device owner 325 * provisioning via an NFC bump. 326 */ 327 public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM 328 = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"; 329 330 /** 331 * This MIME type is used for starting the Device Owner provisioning. 332 * 333 * <p>During device owner provisioning a device admin app is set as the owner of the device. 334 * A device owner has full control over the device. The device owner can not be modified by the 335 * user and the only way of resetting the device is if the device owner app calls a factory 336 * reset. 337 * 338 * <p> A typical use case would be a device that is owned by a company, but used by either an 339 * employee or client. 340 * 341 * <p> The NFC message should be send to an unprovisioned device. 342 * 343 * <p>The NFC record must contain a serialized {@link java.util.Properties} object which 344 * contains the following properties: 345 * <ul> 346 * <li>{@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME}</li> 347 * <li>{@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION}</li> 348 * <li>{@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER}, optional</li> 349 * <li>{@link #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM}</li> 350 * <li>{@link #EXTRA_PROVISIONING_LOCAL_TIME} (convert to String), optional</li> 351 * <li>{@link #EXTRA_PROVISIONING_TIME_ZONE}, optional</li> 352 * <li>{@link #EXTRA_PROVISIONING_LOCALE}, optional</li> 353 * <li>{@link #EXTRA_PROVISIONING_WIFI_SSID}, optional</li> 354 * <li>{@link #EXTRA_PROVISIONING_WIFI_HIDDEN} (convert to String), optional</li> 355 * <li>{@link #EXTRA_PROVISIONING_WIFI_SECURITY_TYPE}, optional</li> 356 * <li>{@link #EXTRA_PROVISIONING_WIFI_PASSWORD}, optional</li> 357 * <li>{@link #EXTRA_PROVISIONING_WIFI_PROXY_HOST}, optional</li> 358 * <li>{@link #EXTRA_PROVISIONING_WIFI_PROXY_PORT} (convert to String), optional</li> 359 * <li>{@link #EXTRA_PROVISIONING_WIFI_PROXY_BYPASS}, optional</li> 360 * <li>{@link #EXTRA_PROVISIONING_WIFI_PAC_URL}, optional</li></ul> 361 * 362 * <p> When device owner provisioning has completed, an intent of the type 363 * {@link DeviceAdminReceiver#ACTION_PROFILE_PROVISIONING_COMPLETE} is broadcasted to the 364 * device owner. 365 * 366 * <p> 367 * If provisioning fails, the device is factory reset. 368 * 369 * <p>Input: Nothing.</p> 370 * <p>Output: Nothing</p> 371 */ 372 public static final String MIME_TYPE_PROVISIONING_NFC 373 = "application/com.android.managedprovisioning"; 374 375 /** 376 * Activity action: ask the user to add a new device administrator to the system. 377 * The desired policy is the ComponentName of the policy in the 378 * {@link #EXTRA_DEVICE_ADMIN} extra field. This will invoke a UI to 379 * bring the user through adding the device administrator to the system (or 380 * allowing them to reject it). 381 * 382 * <p>You can optionally include the {@link #EXTRA_ADD_EXPLANATION} 383 * field to provide the user with additional explanation (in addition 384 * to your component's description) about what is being added. 385 * 386 * <p>If your administrator is already active, this will ordinarily return immediately (without 387 * user intervention). However, if your administrator has been updated and is requesting 388 * additional uses-policy flags, the user will be presented with the new list. New policies 389 * will not be available to the updated administrator until the user has accepted the new list. 390 */ 391 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 392 public static final String ACTION_ADD_DEVICE_ADMIN 393 = "android.app.action.ADD_DEVICE_ADMIN"; 394 395 /** 396 * @hide 397 * Activity action: ask the user to add a new device administrator as the profile owner 398 * for this user. Only system privileged apps that have MANAGE_USERS and MANAGE_DEVICE_ADMINS 399 * permission can call this API. 400 * 401 * <p>The ComponentName of the profile owner admin is pass in {@link #EXTRA_DEVICE_ADMIN} extra 402 * field. This will invoke a UI to bring the user through adding the profile owner admin 403 * to remotely control restrictions on the user. 404 * 405 * <p>The intent must be invoked via {@link Activity#startActivityForResult()} to receive the 406 * result of whether or not the user approved the action. If approved, the result will 407 * be {@link Activity#RESULT_OK} and the component will be set as an active admin as well 408 * as a profile owner. 409 * 410 * <p>You can optionally include the {@link #EXTRA_ADD_EXPLANATION} 411 * field to provide the user with additional explanation (in addition 412 * to your component's description) about what is being added. 413 * 414 * <p>If there is already a profile owner active or the caller doesn't have the required 415 * permissions, the operation will return a failure result. 416 */ 417 @SystemApi 418 public static final String ACTION_SET_PROFILE_OWNER 419 = "android.app.action.SET_PROFILE_OWNER"; 420 421 /** 422 * @hide 423 * Name of the profile owner admin that controls the user. 424 */ 425 @SystemApi 426 public static final String EXTRA_PROFILE_OWNER_NAME 427 = "android.app.extra.PROFILE_OWNER_NAME"; 428 429 /** 430 * Activity action: send when any policy admin changes a policy. 431 * This is generally used to find out when a new policy is in effect. 432 * 433 * @hide 434 */ 435 public static final String ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED 436 = "android.app.action.DEVICE_POLICY_MANAGER_STATE_CHANGED"; 437 438 /** 439 * The ComponentName of the administrator component. 440 * 441 * @see #ACTION_ADD_DEVICE_ADMIN 442 */ 443 public static final String EXTRA_DEVICE_ADMIN = "android.app.extra.DEVICE_ADMIN"; 444 445 /** 446 * An optional CharSequence providing additional explanation for why the 447 * admin is being added. 448 * 449 * @see #ACTION_ADD_DEVICE_ADMIN 450 */ 451 public static final String EXTRA_ADD_EXPLANATION = "android.app.extra.ADD_EXPLANATION"; 452 453 /** 454 * Activity action: have the user enter a new password. This activity should 455 * be launched after using {@link #setPasswordQuality(ComponentName, int)}, 456 * or {@link #setPasswordMinimumLength(ComponentName, int)} to have the user 457 * enter a new password that meets the current requirements. You can use 458 * {@link #isActivePasswordSufficient()} to determine whether you need to 459 * have the user select a new password in order to meet the current 460 * constraints. Upon being resumed from this activity, you can check the new 461 * password characteristics to see if they are sufficient. 462 */ 463 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 464 public static final String ACTION_SET_NEW_PASSWORD 465 = "android.app.action.SET_NEW_PASSWORD"; 466 467 /** 468 * Flag used by {@link #addCrossProfileIntentFilter} to allow activities in 469 * the parent profile to access intents sent from the managed profile. 470 * That is, when an app in the managed profile calls 471 * {@link Activity#startActivity(Intent)}, the intent can be resolved by a 472 * matching activity in the parent profile. 473 */ 474 public static final int FLAG_PARENT_CAN_ACCESS_MANAGED = 0x0001; 475 476 /** 477 * Flag used by {@link #addCrossProfileIntentFilter} to allow activities in 478 * the managed profile to access intents sent from the parent profile. 479 * That is, when an app in the parent profile calls 480 * {@link Activity#startActivity(Intent)}, the intent can be resolved by a 481 * matching activity in the managed profile. 482 */ 483 public static final int FLAG_MANAGED_CAN_ACCESS_PARENT = 0x0002; 484 485 /** 486 * Return true if the given administrator component is currently 487 * active (enabled) in the system. 488 */ 489 public boolean isAdminActive(ComponentName who) { 490 return isAdminActiveAsUser(who, UserHandle.myUserId()); 491 } 492 493 /** 494 * @see #isAdminActive(ComponentName) 495 * @hide 496 */ 497 public boolean isAdminActiveAsUser(ComponentName who, int userId) { 498 if (mService != null) { 499 try { 500 return mService.isAdminActive(who, userId); 501 } catch (RemoteException e) { 502 Log.w(TAG, "Failed talking with device policy service", e); 503 } 504 } 505 return false; 506 } 507 /** 508 * Return true if the given administrator component is currently being removed 509 * for the user. 510 * @hide 511 */ 512 public boolean isRemovingAdmin(ComponentName who, int userId) { 513 if (mService != null) { 514 try { 515 return mService.isRemovingAdmin(who, userId); 516 } catch (RemoteException e) { 517 Log.w(TAG, "Failed talking with device policy service", e); 518 } 519 } 520 return false; 521 } 522 523 524 /** 525 * Return a list of all currently active device administrator's component 526 * names. Note that if there are no administrators than null may be 527 * returned. 528 */ 529 public List<ComponentName> getActiveAdmins() { 530 return getActiveAdminsAsUser(UserHandle.myUserId()); 531 } 532 533 /** 534 * @see #getActiveAdmins() 535 * @hide 536 */ 537 public List<ComponentName> getActiveAdminsAsUser(int userId) { 538 if (mService != null) { 539 try { 540 return mService.getActiveAdmins(userId); 541 } catch (RemoteException e) { 542 Log.w(TAG, "Failed talking with device policy service", e); 543 } 544 } 545 return null; 546 } 547 548 /** 549 * Used by package administration code to determine if a package can be stopped 550 * or uninstalled. 551 * @hide 552 */ 553 public boolean packageHasActiveAdmins(String packageName) { 554 if (mService != null) { 555 try { 556 return mService.packageHasActiveAdmins(packageName, UserHandle.myUserId()); 557 } catch (RemoteException e) { 558 Log.w(TAG, "Failed talking with device policy service", e); 559 } 560 } 561 return false; 562 } 563 564 /** 565 * Remove a current administration component. This can only be called 566 * by the application that owns the administration component; if you 567 * try to remove someone else's component, a security exception will be 568 * thrown. 569 */ 570 public void removeActiveAdmin(ComponentName who) { 571 if (mService != null) { 572 try { 573 mService.removeActiveAdmin(who, UserHandle.myUserId()); 574 } catch (RemoteException e) { 575 Log.w(TAG, "Failed talking with device policy service", e); 576 } 577 } 578 } 579 580 /** 581 * Returns true if an administrator has been granted a particular device policy. This can 582 * be used to check if the administrator was activated under an earlier set of policies, 583 * but requires additional policies after an upgrade. 584 * 585 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. Must be 586 * an active administrator, or an exception will be thrown. 587 * @param usesPolicy Which uses-policy to check, as defined in {@link DeviceAdminInfo}. 588 */ 589 public boolean hasGrantedPolicy(ComponentName admin, int usesPolicy) { 590 if (mService != null) { 591 try { 592 return mService.hasGrantedPolicy(admin, usesPolicy, UserHandle.myUserId()); 593 } catch (RemoteException e) { 594 Log.w(TAG, "Failed talking with device policy service", e); 595 } 596 } 597 return false; 598 } 599 600 /** 601 * Constant for {@link #setPasswordQuality}: the policy has no requirements 602 * for the password. Note that quality constants are ordered so that higher 603 * values are more restrictive. 604 */ 605 public static final int PASSWORD_QUALITY_UNSPECIFIED = 0; 606 607 /** 608 * Constant for {@link #setPasswordQuality}: the policy allows for low-security biometric 609 * recognition technology. This implies technologies that can recognize the identity of 610 * an individual to about a 3 digit PIN (false detection is less than 1 in 1,000). 611 * Note that quality constants are ordered so that higher values are more restrictive. 612 */ 613 public static final int PASSWORD_QUALITY_BIOMETRIC_WEAK = 0x8000; 614 615 /** 616 * Constant for {@link #setPasswordQuality}: the policy requires some kind 617 * of password, but doesn't care what it is. Note that quality constants 618 * are ordered so that higher values are more restrictive. 619 */ 620 public static final int PASSWORD_QUALITY_SOMETHING = 0x10000; 621 622 /** 623 * Constant for {@link #setPasswordQuality}: the user must have entered a 624 * password containing at least numeric characters. Note that quality 625 * constants are ordered so that higher values are more restrictive. 626 */ 627 public static final int PASSWORD_QUALITY_NUMERIC = 0x20000; 628 629 /** 630 * Constant for {@link #setPasswordQuality}: the user must have entered a 631 * password containing at least numeric characters with no repeating (4444) 632 * or ordered (1234, 4321, 2468) sequences. Note that quality 633 * constants are ordered so that higher values are more restrictive. 634 */ 635 public static final int PASSWORD_QUALITY_NUMERIC_COMPLEX = 0x30000; 636 637 /** 638 * Constant for {@link #setPasswordQuality}: the user must have entered a 639 * password containing at least alphabetic (or other symbol) characters. 640 * Note that quality constants are ordered so that higher values are more 641 * restrictive. 642 */ 643 public static final int PASSWORD_QUALITY_ALPHABETIC = 0x40000; 644 645 /** 646 * Constant for {@link #setPasswordQuality}: the user must have entered a 647 * password containing at least <em>both></em> numeric <em>and</em> 648 * alphabetic (or other symbol) characters. Note that quality constants are 649 * ordered so that higher values are more restrictive. 650 */ 651 public static final int PASSWORD_QUALITY_ALPHANUMERIC = 0x50000; 652 653 /** 654 * Constant for {@link #setPasswordQuality}: the user must have entered a 655 * password containing at least a letter, a numerical digit and a special 656 * symbol, by default. With this password quality, passwords can be 657 * restricted to contain various sets of characters, like at least an 658 * uppercase letter, etc. These are specified using various methods, 659 * like {@link #setPasswordMinimumLowerCase(ComponentName, int)}. Note 660 * that quality constants are ordered so that higher values are more 661 * restrictive. 662 */ 663 public static final int PASSWORD_QUALITY_COMPLEX = 0x60000; 664 665 /** 666 * Called by an application that is administering the device to set the 667 * password restrictions it is imposing. After setting this, the user 668 * will not be able to enter a new password that is not at least as 669 * restrictive as what has been set. Note that the current password 670 * will remain until the user has set a new one, so the change does not 671 * take place immediately. To prompt the user for a new password, use 672 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. 673 * 674 * <p>Quality constants are ordered so that higher values are more restrictive; 675 * thus the highest requested quality constant (between the policy set here, 676 * the user's preference, and any other considerations) is the one that 677 * is in effect. 678 * 679 * <p>The calling device admin must have requested 680 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 681 * this method; if it has not, a security exception will be thrown. 682 * 683 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 684 * @param quality The new desired quality. One of 685 * {@link #PASSWORD_QUALITY_UNSPECIFIED}, {@link #PASSWORD_QUALITY_SOMETHING}, 686 * {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_NUMERIC_COMPLEX}, 687 * {@link #PASSWORD_QUALITY_ALPHABETIC}, {@link #PASSWORD_QUALITY_ALPHANUMERIC} 688 * or {@link #PASSWORD_QUALITY_COMPLEX}. 689 */ 690 public void setPasswordQuality(ComponentName admin, int quality) { 691 if (mService != null) { 692 try { 693 mService.setPasswordQuality(admin, quality, UserHandle.myUserId()); 694 } catch (RemoteException e) { 695 Log.w(TAG, "Failed talking with device policy service", e); 696 } 697 } 698 } 699 700 /** 701 * Retrieve the current minimum password quality for all admins of this user 702 * and its profiles or a particular one. 703 * @param admin The name of the admin component to check, or null to aggregate 704 * all admins. 705 */ 706 public int getPasswordQuality(ComponentName admin) { 707 return getPasswordQuality(admin, UserHandle.myUserId()); 708 } 709 710 /** @hide per-user version */ 711 public int getPasswordQuality(ComponentName admin, int userHandle) { 712 if (mService != null) { 713 try { 714 return mService.getPasswordQuality(admin, userHandle); 715 } catch (RemoteException e) { 716 Log.w(TAG, "Failed talking with device policy service", e); 717 } 718 } 719 return PASSWORD_QUALITY_UNSPECIFIED; 720 } 721 722 /** 723 * Called by an application that is administering the device to set the 724 * minimum allowed password length. After setting this, the user 725 * will not be able to enter a new password that is not at least as 726 * restrictive as what has been set. Note that the current password 727 * will remain until the user has set a new one, so the change does not 728 * take place immediately. To prompt the user for a new password, use 729 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 730 * constraint is only imposed if the administrator has also requested either 731 * {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_NUMERIC_COMPLEX}, 732 * {@link #PASSWORD_QUALITY_ALPHABETIC}, {@link #PASSWORD_QUALITY_ALPHANUMERIC}, 733 * or {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. 734 * 735 * <p>The calling device admin must have requested 736 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 737 * this method; if it has not, a security exception will be thrown. 738 * 739 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 740 * @param length The new desired minimum password length. A value of 0 741 * means there is no restriction. 742 */ 743 public void setPasswordMinimumLength(ComponentName admin, int length) { 744 if (mService != null) { 745 try { 746 mService.setPasswordMinimumLength(admin, length, UserHandle.myUserId()); 747 } catch (RemoteException e) { 748 Log.w(TAG, "Failed talking with device policy service", e); 749 } 750 } 751 } 752 753 /** 754 * Retrieve the current minimum password length for all admins of this 755 * user and its profiles or a particular one. 756 * @param admin The name of the admin component to check, or null to aggregate 757 * all admins. 758 */ 759 public int getPasswordMinimumLength(ComponentName admin) { 760 return getPasswordMinimumLength(admin, UserHandle.myUserId()); 761 } 762 763 /** @hide per-user version */ 764 public int getPasswordMinimumLength(ComponentName admin, int userHandle) { 765 if (mService != null) { 766 try { 767 return mService.getPasswordMinimumLength(admin, userHandle); 768 } catch (RemoteException e) { 769 Log.w(TAG, "Failed talking with device policy service", e); 770 } 771 } 772 return 0; 773 } 774 775 /** 776 * Called by an application that is administering the device to set the 777 * minimum number of upper case letters required in the password. After 778 * setting this, the user will not be able to enter a new password that is 779 * not at least as restrictive as what has been set. Note that the current 780 * password will remain until the user has set a new one, so the change does 781 * not take place immediately. To prompt the user for a new password, use 782 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 783 * constraint is only imposed if the administrator has also requested 784 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 785 * default value is 0. 786 * <p> 787 * The calling device admin must have requested 788 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 789 * this method; if it has not, a security exception will be thrown. 790 * 791 * @param admin Which {@link DeviceAdminReceiver} this request is associated 792 * with. 793 * @param length The new desired minimum number of upper case letters 794 * required in the password. A value of 0 means there is no 795 * restriction. 796 */ 797 public void setPasswordMinimumUpperCase(ComponentName admin, int length) { 798 if (mService != null) { 799 try { 800 mService.setPasswordMinimumUpperCase(admin, length, UserHandle.myUserId()); 801 } catch (RemoteException e) { 802 Log.w(TAG, "Failed talking with device policy service", e); 803 } 804 } 805 } 806 807 /** 808 * Retrieve the current number of upper case letters required in the 809 * password for all admins of this user and its profiles or a particular one. 810 * This is the same value as set by 811 * {#link {@link #setPasswordMinimumUpperCase(ComponentName, int)} 812 * and only applies when the password quality is 813 * {@link #PASSWORD_QUALITY_COMPLEX}. 814 * 815 * @param admin The name of the admin component to check, or null to 816 * aggregate all admins. 817 * @return The minimum number of upper case letters required in the 818 * password. 819 */ 820 public int getPasswordMinimumUpperCase(ComponentName admin) { 821 return getPasswordMinimumUpperCase(admin, UserHandle.myUserId()); 822 } 823 824 /** @hide per-user version */ 825 public int getPasswordMinimumUpperCase(ComponentName admin, int userHandle) { 826 if (mService != null) { 827 try { 828 return mService.getPasswordMinimumUpperCase(admin, userHandle); 829 } catch (RemoteException e) { 830 Log.w(TAG, "Failed talking with device policy service", e); 831 } 832 } 833 return 0; 834 } 835 836 /** 837 * Called by an application that is administering the device to set the 838 * minimum number of lower case letters required in the password. After 839 * setting this, the user will not be able to enter a new password that is 840 * not at least as restrictive as what has been set. Note that the current 841 * password will remain until the user has set a new one, so the change does 842 * not take place immediately. To prompt the user for a new password, use 843 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 844 * constraint is only imposed if the administrator has also requested 845 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 846 * default value is 0. 847 * <p> 848 * The calling device admin must have requested 849 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 850 * this method; if it has not, a security exception will be thrown. 851 * 852 * @param admin Which {@link DeviceAdminReceiver} this request is associated 853 * with. 854 * @param length The new desired minimum number of lower case letters 855 * required in the password. A value of 0 means there is no 856 * restriction. 857 */ 858 public void setPasswordMinimumLowerCase(ComponentName admin, int length) { 859 if (mService != null) { 860 try { 861 mService.setPasswordMinimumLowerCase(admin, length, UserHandle.myUserId()); 862 } catch (RemoteException e) { 863 Log.w(TAG, "Failed talking with device policy service", e); 864 } 865 } 866 } 867 868 /** 869 * Retrieve the current number of lower case letters required in the 870 * password for all admins of this user and its profiles or a particular one. 871 * This is the same value as set by 872 * {#link {@link #setPasswordMinimumLowerCase(ComponentName, int)} 873 * and only applies when the password quality is 874 * {@link #PASSWORD_QUALITY_COMPLEX}. 875 * 876 * @param admin The name of the admin component to check, or null to 877 * aggregate all admins. 878 * @return The minimum number of lower case letters required in the 879 * password. 880 */ 881 public int getPasswordMinimumLowerCase(ComponentName admin) { 882 return getPasswordMinimumLowerCase(admin, UserHandle.myUserId()); 883 } 884 885 /** @hide per-user version */ 886 public int getPasswordMinimumLowerCase(ComponentName admin, int userHandle) { 887 if (mService != null) { 888 try { 889 return mService.getPasswordMinimumLowerCase(admin, userHandle); 890 } catch (RemoteException e) { 891 Log.w(TAG, "Failed talking with device policy service", e); 892 } 893 } 894 return 0; 895 } 896 897 /** 898 * Called by an application that is administering the device to set the 899 * minimum number of letters required in the password. After setting this, 900 * the user will not be able to enter a new password that is not at least as 901 * restrictive as what has been set. Note that the current password will 902 * remain until the user has set a new one, so the change does not take 903 * place immediately. To prompt the user for a new password, use 904 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 905 * constraint is only imposed if the administrator has also requested 906 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 907 * default value is 1. 908 * <p> 909 * The calling device admin must have requested 910 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 911 * this method; if it has not, a security exception will be thrown. 912 * 913 * @param admin Which {@link DeviceAdminReceiver} this request is associated 914 * with. 915 * @param length The new desired minimum number of letters required in the 916 * password. A value of 0 means there is no restriction. 917 */ 918 public void setPasswordMinimumLetters(ComponentName admin, int length) { 919 if (mService != null) { 920 try { 921 mService.setPasswordMinimumLetters(admin, length, UserHandle.myUserId()); 922 } catch (RemoteException e) { 923 Log.w(TAG, "Failed talking with device policy service", e); 924 } 925 } 926 } 927 928 /** 929 * Retrieve the current number of letters required in the password for all 930 * admins or a particular one. This is the same value as 931 * set by {#link {@link #setPasswordMinimumLetters(ComponentName, int)} 932 * and only applies when the password quality is 933 * {@link #PASSWORD_QUALITY_COMPLEX}. 934 * 935 * @param admin The name of the admin component to check, or null to 936 * aggregate all admins. 937 * @return The minimum number of letters required in the password. 938 */ 939 public int getPasswordMinimumLetters(ComponentName admin) { 940 return getPasswordMinimumLetters(admin, UserHandle.myUserId()); 941 } 942 943 /** @hide per-user version */ 944 public int getPasswordMinimumLetters(ComponentName admin, int userHandle) { 945 if (mService != null) { 946 try { 947 return mService.getPasswordMinimumLetters(admin, userHandle); 948 } catch (RemoteException e) { 949 Log.w(TAG, "Failed talking with device policy service", e); 950 } 951 } 952 return 0; 953 } 954 955 /** 956 * Called by an application that is administering the device to set the 957 * minimum number of numerical digits required in the password. After 958 * setting this, the user will not be able to enter a new password that is 959 * not at least as restrictive as what has been set. Note that the current 960 * password will remain until the user has set a new one, so the change does 961 * not take place immediately. To prompt the user for a new password, use 962 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 963 * constraint is only imposed if the administrator has also requested 964 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 965 * default value is 1. 966 * <p> 967 * The calling device admin must have requested 968 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 969 * this method; if it has not, a security exception will be thrown. 970 * 971 * @param admin Which {@link DeviceAdminReceiver} this request is associated 972 * with. 973 * @param length The new desired minimum number of numerical digits required 974 * in the password. A value of 0 means there is no restriction. 975 */ 976 public void setPasswordMinimumNumeric(ComponentName admin, int length) { 977 if (mService != null) { 978 try { 979 mService.setPasswordMinimumNumeric(admin, length, UserHandle.myUserId()); 980 } catch (RemoteException e) { 981 Log.w(TAG, "Failed talking with device policy service", e); 982 } 983 } 984 } 985 986 /** 987 * Retrieve the current number of numerical digits required in the password 988 * for all admins of this user and its profiles or a particular one. 989 * This is the same value as set by 990 * {#link {@link #setPasswordMinimumNumeric(ComponentName, int)} 991 * and only applies when the password quality is 992 * {@link #PASSWORD_QUALITY_COMPLEX}. 993 * 994 * @param admin The name of the admin component to check, or null to 995 * aggregate all admins. 996 * @return The minimum number of numerical digits required in the password. 997 */ 998 public int getPasswordMinimumNumeric(ComponentName admin) { 999 return getPasswordMinimumNumeric(admin, UserHandle.myUserId()); 1000 } 1001 1002 /** @hide per-user version */ 1003 public int getPasswordMinimumNumeric(ComponentName admin, int userHandle) { 1004 if (mService != null) { 1005 try { 1006 return mService.getPasswordMinimumNumeric(admin, userHandle); 1007 } catch (RemoteException e) { 1008 Log.w(TAG, "Failed talking with device policy service", e); 1009 } 1010 } 1011 return 0; 1012 } 1013 1014 /** 1015 * Called by an application that is administering the device to set the 1016 * minimum number of symbols required in the password. After setting this, 1017 * the user will not be able to enter a new password that is not at least as 1018 * restrictive as what has been set. Note that the current password will 1019 * remain until the user has set a new one, so the change does not take 1020 * place immediately. To prompt the user for a new password, use 1021 * {@link #ACTION_SET_NEW_PASSWORD} after setting this value. This 1022 * constraint is only imposed if the administrator has also requested 1023 * {@link #PASSWORD_QUALITY_COMPLEX} with {@link #setPasswordQuality}. The 1024 * default value is 1. 1025 * <p> 1026 * The calling device admin must have requested 1027 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 1028 * this method; if it has not, a security exception will be thrown. 1029 * 1030 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1031 * with. 1032 * @param length The new desired minimum number of symbols required in the 1033 * password. A value of 0 means there is no restriction. 1034 */ 1035 public void setPasswordMinimumSymbols(ComponentName admin, int length) { 1036 if (mService != null) { 1037 try { 1038 mService.setPasswordMinimumSymbols(admin, length, UserHandle.myUserId()); 1039 } catch (RemoteException e) { 1040 Log.w(TAG, "Failed talking with device policy service", e); 1041 } 1042 } 1043 } 1044 1045 /** 1046 * Retrieve the current number of symbols required in the password for all 1047 * admins or a particular one. This is the same value as 1048 * set by {#link {@link #setPasswordMinimumSymbols(ComponentName, int)} 1049 * and only applies when the password quality is 1050 * {@link #PASSWORD_QUALITY_COMPLEX}. 1051 * 1052 * @param admin The name of the admin component to check, or null to 1053 * aggregate all admins. 1054 * @return The minimum number of symbols required in the password. 1055 */ 1056 public int getPasswordMinimumSymbols(ComponentName admin) { 1057 return getPasswordMinimumSymbols(admin, UserHandle.myUserId()); 1058 } 1059 1060 /** @hide per-user version */ 1061 public int getPasswordMinimumSymbols(ComponentName admin, int userHandle) { 1062 if (mService != null) { 1063 try { 1064 return mService.getPasswordMinimumSymbols(admin, userHandle); 1065 } catch (RemoteException e) { 1066 Log.w(TAG, "Failed talking with device policy service", e); 1067 } 1068 } 1069 return 0; 1070 } 1071 1072 /** 1073 * Called by an application that is administering the device to set the 1074 * minimum number of non-letter characters (numerical digits or symbols) 1075 * required in the password. After setting this, the user will not be able 1076 * to enter a new password that is not at least as restrictive as what has 1077 * been set. Note that the current password will remain until the user has 1078 * set a new one, so the change does not take place immediately. To prompt 1079 * the user for a new password, use {@link #ACTION_SET_NEW_PASSWORD} after 1080 * setting this value. This constraint is only imposed if the administrator 1081 * has also requested {@link #PASSWORD_QUALITY_COMPLEX} with 1082 * {@link #setPasswordQuality}. The default value is 0. 1083 * <p> 1084 * The calling device admin must have requested 1085 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 1086 * this method; if it has not, a security exception will be thrown. 1087 * 1088 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1089 * with. 1090 * @param length The new desired minimum number of letters required in the 1091 * password. A value of 0 means there is no restriction. 1092 */ 1093 public void setPasswordMinimumNonLetter(ComponentName admin, int length) { 1094 if (mService != null) { 1095 try { 1096 mService.setPasswordMinimumNonLetter(admin, length, UserHandle.myUserId()); 1097 } catch (RemoteException e) { 1098 Log.w(TAG, "Failed talking with device policy service", e); 1099 } 1100 } 1101 } 1102 1103 /** 1104 * Retrieve the current number of non-letter characters required in the 1105 * password for all admins of this user and its profiles or a particular one. 1106 * This is the same value as set by 1107 * {#link {@link #setPasswordMinimumNonLetter(ComponentName, int)} 1108 * and only applies when the password quality is 1109 * {@link #PASSWORD_QUALITY_COMPLEX}. 1110 * 1111 * @param admin The name of the admin component to check, or null to 1112 * aggregate all admins. 1113 * @return The minimum number of letters required in the password. 1114 */ 1115 public int getPasswordMinimumNonLetter(ComponentName admin) { 1116 return getPasswordMinimumNonLetter(admin, UserHandle.myUserId()); 1117 } 1118 1119 /** @hide per-user version */ 1120 public int getPasswordMinimumNonLetter(ComponentName admin, int userHandle) { 1121 if (mService != null) { 1122 try { 1123 return mService.getPasswordMinimumNonLetter(admin, userHandle); 1124 } catch (RemoteException e) { 1125 Log.w(TAG, "Failed talking with device policy service", e); 1126 } 1127 } 1128 return 0; 1129 } 1130 1131 /** 1132 * Called by an application that is administering the device to set the length 1133 * of the password history. After setting this, the user will not be able to 1134 * enter a new password that is the same as any password in the history. Note 1135 * that the current password will remain until the user has set a new one, so 1136 * the change does not take place immediately. To prompt the user for a new 1137 * password, use {@link #ACTION_SET_NEW_PASSWORD} after setting this value. 1138 * This constraint is only imposed if the administrator has also requested 1139 * either {@link #PASSWORD_QUALITY_NUMERIC}, {@link #PASSWORD_QUALITY_NUMERIC_COMPLEX} 1140 * {@link #PASSWORD_QUALITY_ALPHABETIC}, or {@link #PASSWORD_QUALITY_ALPHANUMERIC} 1141 * with {@link #setPasswordQuality}. 1142 * 1143 * <p> 1144 * The calling device admin must have requested 1145 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call this 1146 * method; if it has not, a security exception will be thrown. 1147 * 1148 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1149 * with. 1150 * @param length The new desired length of password history. A value of 0 1151 * means there is no restriction. 1152 */ 1153 public void setPasswordHistoryLength(ComponentName admin, int length) { 1154 if (mService != null) { 1155 try { 1156 mService.setPasswordHistoryLength(admin, length, UserHandle.myUserId()); 1157 } catch (RemoteException e) { 1158 Log.w(TAG, "Failed talking with device policy service", e); 1159 } 1160 } 1161 } 1162 1163 /** 1164 * Called by a device admin to set the password expiration timeout. Calling this method 1165 * will restart the countdown for password expiration for the given admin, as will changing 1166 * the device password (for all admins). 1167 * 1168 * <p>The provided timeout is the time delta in ms and will be added to the current time. 1169 * For example, to have the password expire 5 days from now, timeout would be 1170 * 5 * 86400 * 1000 = 432000000 ms for timeout. 1171 * 1172 * <p>To disable password expiration, a value of 0 may be used for timeout. 1173 * 1174 * <p>The calling device admin must have requested 1175 * {@link DeviceAdminInfo#USES_POLICY_EXPIRE_PASSWORD} to be able to call this 1176 * method; if it has not, a security exception will be thrown. 1177 * 1178 * <p> Note that setting the password will automatically reset the expiration time for all 1179 * active admins. Active admins do not need to explicitly call this method in that case. 1180 * 1181 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1182 * @param timeout The limit (in ms) that a password can remain in effect. A value of 0 1183 * means there is no restriction (unlimited). 1184 */ 1185 public void setPasswordExpirationTimeout(ComponentName admin, long timeout) { 1186 if (mService != null) { 1187 try { 1188 mService.setPasswordExpirationTimeout(admin, timeout, UserHandle.myUserId()); 1189 } catch (RemoteException e) { 1190 Log.w(TAG, "Failed talking with device policy service", e); 1191 } 1192 } 1193 } 1194 1195 /** 1196 * Get the password expiration timeout for the given admin. The expiration timeout is the 1197 * recurring expiration timeout provided in the call to 1198 * {@link #setPasswordExpirationTimeout(ComponentName, long)} for the given admin or the 1199 * aggregate of all policy administrators if admin is null. 1200 * 1201 * @param admin The name of the admin component to check, or null to aggregate all admins. 1202 * @return The timeout for the given admin or the minimum of all timeouts 1203 */ 1204 public long getPasswordExpirationTimeout(ComponentName admin) { 1205 if (mService != null) { 1206 try { 1207 return mService.getPasswordExpirationTimeout(admin, UserHandle.myUserId()); 1208 } catch (RemoteException e) { 1209 Log.w(TAG, "Failed talking with device policy service", e); 1210 } 1211 } 1212 return 0; 1213 } 1214 1215 /** 1216 * Get the current password expiration time for the given admin or an aggregate of 1217 * all admins of this user and its profiles if admin is null. If the password is 1218 * expired, this will return the time since the password expired as a negative number. 1219 * If admin is null, then a composite of all expiration timeouts is returned 1220 * - which will be the minimum of all timeouts. 1221 * 1222 * @param admin The name of the admin component to check, or null to aggregate all admins. 1223 * @return The password expiration time, in ms. 1224 */ 1225 public long getPasswordExpiration(ComponentName admin) { 1226 if (mService != null) { 1227 try { 1228 return mService.getPasswordExpiration(admin, UserHandle.myUserId()); 1229 } catch (RemoteException e) { 1230 Log.w(TAG, "Failed talking with device policy service", e); 1231 } 1232 } 1233 return 0; 1234 } 1235 1236 /** 1237 * Retrieve the current password history length for all admins of this 1238 * user and its profiles or a particular one. 1239 * @param admin The name of the admin component to check, or null to aggregate 1240 * all admins. 1241 * @return The length of the password history 1242 */ 1243 public int getPasswordHistoryLength(ComponentName admin) { 1244 return getPasswordHistoryLength(admin, UserHandle.myUserId()); 1245 } 1246 1247 /** @hide per-user version */ 1248 public int getPasswordHistoryLength(ComponentName admin, int userHandle) { 1249 if (mService != null) { 1250 try { 1251 return mService.getPasswordHistoryLength(admin, userHandle); 1252 } catch (RemoteException e) { 1253 Log.w(TAG, "Failed talking with device policy service", e); 1254 } 1255 } 1256 return 0; 1257 } 1258 1259 /** 1260 * Return the maximum password length that the device supports for a 1261 * particular password quality. 1262 * @param quality The quality being interrogated. 1263 * @return Returns the maximum length that the user can enter. 1264 */ 1265 public int getPasswordMaximumLength(int quality) { 1266 // Kind-of arbitrary. 1267 return 16; 1268 } 1269 1270 /** 1271 * Determine whether the current password the user has set is sufficient 1272 * to meet the policy requirements (quality, minimum length) that have been 1273 * requested by the admins of this user and its profiles. 1274 * 1275 * <p>The calling device admin must have requested 1276 * {@link DeviceAdminInfo#USES_POLICY_LIMIT_PASSWORD} to be able to call 1277 * this method; if it has not, a security exception will be thrown. 1278 * 1279 * @return Returns true if the password meets the current requirements, else false. 1280 */ 1281 public boolean isActivePasswordSufficient() { 1282 if (mService != null) { 1283 try { 1284 return mService.isActivePasswordSufficient(UserHandle.myUserId()); 1285 } catch (RemoteException e) { 1286 Log.w(TAG, "Failed talking with device policy service", e); 1287 } 1288 } 1289 return false; 1290 } 1291 1292 /** 1293 * Retrieve the number of times the user has failed at entering a 1294 * password since that last successful password entry. 1295 * 1296 * <p>The calling device admin must have requested 1297 * {@link DeviceAdminInfo#USES_POLICY_WATCH_LOGIN} to be able to call 1298 * this method; if it has not, a security exception will be thrown. 1299 */ 1300 public int getCurrentFailedPasswordAttempts() { 1301 if (mService != null) { 1302 try { 1303 return mService.getCurrentFailedPasswordAttempts(UserHandle.myUserId()); 1304 } catch (RemoteException e) { 1305 Log.w(TAG, "Failed talking with device policy service", e); 1306 } 1307 } 1308 return -1; 1309 } 1310 1311 /** 1312 * Setting this to a value greater than zero enables a built-in policy 1313 * that will perform a device wipe after too many incorrect 1314 * device-unlock passwords have been entered. This built-in policy combines 1315 * watching for failed passwords and wiping the device, and requires 1316 * that you request both {@link DeviceAdminInfo#USES_POLICY_WATCH_LOGIN} and 1317 * {@link DeviceAdminInfo#USES_POLICY_WIPE_DATA}}. 1318 * 1319 * <p>To implement any other policy (e.g. wiping data for a particular 1320 * application only, erasing or revoking credentials, or reporting the 1321 * failure to a server), you should implement 1322 * {@link DeviceAdminReceiver#onPasswordFailed(Context, android.content.Intent)} 1323 * instead. Do not use this API, because if the maximum count is reached, 1324 * the device will be wiped immediately, and your callback will not be invoked. 1325 * 1326 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1327 * @param num The number of failed password attempts at which point the 1328 * device will wipe its data. 1329 */ 1330 public void setMaximumFailedPasswordsForWipe(ComponentName admin, int num) { 1331 if (mService != null) { 1332 try { 1333 mService.setMaximumFailedPasswordsForWipe(admin, num, UserHandle.myUserId()); 1334 } catch (RemoteException e) { 1335 Log.w(TAG, "Failed talking with device policy service", e); 1336 } 1337 } 1338 } 1339 1340 /** 1341 * Retrieve the current maximum number of login attempts that are allowed 1342 * before the device wipes itself, for all admins of this user and its profiles 1343 * or a particular one. 1344 * @param admin The name of the admin component to check, or null to aggregate 1345 * all admins. 1346 */ 1347 public int getMaximumFailedPasswordsForWipe(ComponentName admin) { 1348 return getMaximumFailedPasswordsForWipe(admin, UserHandle.myUserId()); 1349 } 1350 1351 /** @hide per-user version */ 1352 public int getMaximumFailedPasswordsForWipe(ComponentName admin, int userHandle) { 1353 if (mService != null) { 1354 try { 1355 return mService.getMaximumFailedPasswordsForWipe(admin, userHandle); 1356 } catch (RemoteException e) { 1357 Log.w(TAG, "Failed talking with device policy service", e); 1358 } 1359 } 1360 return 0; 1361 } 1362 1363 /** 1364 * Returns the profile with the smallest maximum failed passwords for wipe, 1365 * for the given user. So for primary user, it might return the primary or 1366 * a managed profile. For a secondary user, it would be the same as the 1367 * user passed in. 1368 * @hide Used only by Keyguard 1369 */ 1370 public int getProfileWithMinimumFailedPasswordsForWipe(int userHandle) { 1371 if (mService != null) { 1372 try { 1373 return mService.getProfileWithMinimumFailedPasswordsForWipe(userHandle); 1374 } catch (RemoteException e) { 1375 Log.w(TAG, "Failed talking with device policy service", e); 1376 } 1377 } 1378 return UserHandle.USER_NULL; 1379 } 1380 1381 /** 1382 * Flag for {@link #resetPassword}: don't allow other admins to change 1383 * the password again until the user has entered it. 1384 */ 1385 public static final int RESET_PASSWORD_REQUIRE_ENTRY = 0x0001; 1386 1387 /** 1388 * Force a new device unlock password (the password needed to access the 1389 * entire device, not for individual accounts) on the user. This takes 1390 * effect immediately. 1391 * The given password must be sufficient for the 1392 * current password quality and length constraints as returned by 1393 * {@link #getPasswordQuality(ComponentName)} and 1394 * {@link #getPasswordMinimumLength(ComponentName)}; if it does not meet 1395 * these constraints, then it will be rejected and false returned. Note 1396 * that the password may be a stronger quality (containing alphanumeric 1397 * characters when the requested quality is only numeric), in which case 1398 * the currently active quality will be increased to match. 1399 * 1400 * <p>Calling with a null or empty password will clear any existing PIN, 1401 * pattern or password if the current password constraints allow it. 1402 * 1403 * <p>The calling device admin must have requested 1404 * {@link DeviceAdminInfo#USES_POLICY_RESET_PASSWORD} to be able to call 1405 * this method; if it has not, a security exception will be thrown. 1406 * 1407 * <p>Calling this from a managed profile will throw a security exception. 1408 * 1409 * @param password The new password for the user. Null or empty clears the password. 1410 * @param flags May be 0 or {@link #RESET_PASSWORD_REQUIRE_ENTRY}. 1411 * @return Returns true if the password was applied, or false if it is 1412 * not acceptable for the current constraints. 1413 */ 1414 public boolean resetPassword(String password, int flags) { 1415 if (mService != null) { 1416 try { 1417 return mService.resetPassword(password, flags, UserHandle.myUserId()); 1418 } catch (RemoteException e) { 1419 Log.w(TAG, "Failed talking with device policy service", e); 1420 } 1421 } 1422 return false; 1423 } 1424 1425 /** 1426 * Called by an application that is administering the device to set the 1427 * maximum time for user activity until the device will lock. This limits 1428 * the length that the user can set. It takes effect immediately. 1429 * 1430 * <p>The calling device admin must have requested 1431 * {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK} to be able to call 1432 * this method; if it has not, a security exception will be thrown. 1433 * 1434 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1435 * @param timeMs The new desired maximum time to lock in milliseconds. 1436 * A value of 0 means there is no restriction. 1437 */ 1438 public void setMaximumTimeToLock(ComponentName admin, long timeMs) { 1439 if (mService != null) { 1440 try { 1441 mService.setMaximumTimeToLock(admin, timeMs, UserHandle.myUserId()); 1442 } catch (RemoteException e) { 1443 Log.w(TAG, "Failed talking with device policy service", e); 1444 } 1445 } 1446 } 1447 1448 /** 1449 * Retrieve the current maximum time to unlock for all admins of this user 1450 * and its profiles or a particular one. 1451 * @param admin The name of the admin component to check, or null to aggregate 1452 * all admins. 1453 * @return time in milliseconds for the given admin or the minimum value (strictest) of 1454 * all admins if admin is null. Returns 0 if there are no restrictions. 1455 */ 1456 public long getMaximumTimeToLock(ComponentName admin) { 1457 return getMaximumTimeToLock(admin, UserHandle.myUserId()); 1458 } 1459 1460 /** @hide per-user version */ 1461 public long getMaximumTimeToLock(ComponentName admin, int userHandle) { 1462 if (mService != null) { 1463 try { 1464 return mService.getMaximumTimeToLock(admin, userHandle); 1465 } catch (RemoteException e) { 1466 Log.w(TAG, "Failed talking with device policy service", e); 1467 } 1468 } 1469 return 0; 1470 } 1471 1472 /** 1473 * Make the device lock immediately, as if the lock screen timeout has 1474 * expired at the point of this call. 1475 * 1476 * <p>The calling device admin must have requested 1477 * {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK} to be able to call 1478 * this method; if it has not, a security exception will be thrown. 1479 */ 1480 public void lockNow() { 1481 if (mService != null) { 1482 try { 1483 mService.lockNow(); 1484 } catch (RemoteException e) { 1485 Log.w(TAG, "Failed talking with device policy service", e); 1486 } 1487 } 1488 } 1489 1490 /** 1491 * Flag for {@link #wipeData(int)}: also erase the device's external 1492 * storage (such as SD cards). 1493 */ 1494 public static final int WIPE_EXTERNAL_STORAGE = 0x0001; 1495 1496 /** 1497 * Flag for {@link #wipeData(int)}: also erase the factory reset protection 1498 * data. 1499 * 1500 * <p>This flag may only be set by device owner admins; if it is set by 1501 * other admins a {@link SecurityException} will be thrown. 1502 */ 1503 public static final int WIPE_RESET_PROTECTION_DATA = 0x0002; 1504 1505 /** 1506 * Ask the user data be wiped. This will cause the device to reboot, 1507 * erasing all user data while next booting up. 1508 * 1509 * <p>The calling device admin must have requested 1510 * {@link DeviceAdminInfo#USES_POLICY_WIPE_DATA} to be able to call 1511 * this method; if it has not, a security exception will be thrown. 1512 * 1513 * @param flags Bit mask of additional options: currently supported flags 1514 * are {@link #WIPE_EXTERNAL_STORAGE} and 1515 * {@link #WIPE_RESET_PROTECTION_DATA}. 1516 */ 1517 public void wipeData(int flags) { 1518 if (mService != null) { 1519 try { 1520 mService.wipeData(flags, UserHandle.myUserId()); 1521 } catch (RemoteException e) { 1522 Log.w(TAG, "Failed talking with device policy service", e); 1523 } 1524 } 1525 } 1526 1527 /** 1528 * Called by an application that is administering the device to set the 1529 * global proxy and exclusion list. 1530 * <p> 1531 * The calling device admin must have requested 1532 * {@link DeviceAdminInfo#USES_POLICY_SETS_GLOBAL_PROXY} to be able to call 1533 * this method; if it has not, a security exception will be thrown. 1534 * Only the first device admin can set the proxy. If a second admin attempts 1535 * to set the proxy, the {@link ComponentName} of the admin originally setting the 1536 * proxy will be returned. If successful in setting the proxy, null will 1537 * be returned. 1538 * The method can be called repeatedly by the device admin alrady setting the 1539 * proxy to update the proxy and exclusion list. 1540 * 1541 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1542 * with. 1543 * @param proxySpec the global proxy desired. Must be an HTTP Proxy. 1544 * Pass Proxy.NO_PROXY to reset the proxy. 1545 * @param exclusionList a list of domains to be excluded from the global proxy. 1546 * @return returns null if the proxy was successfully set, or a {@link ComponentName} 1547 * of the device admin that sets thew proxy otherwise. 1548 * @hide 1549 */ 1550 public ComponentName setGlobalProxy(ComponentName admin, Proxy proxySpec, 1551 List<String> exclusionList ) { 1552 if (proxySpec == null) { 1553 throw new NullPointerException(); 1554 } 1555 if (mService != null) { 1556 try { 1557 String hostSpec; 1558 String exclSpec; 1559 if (proxySpec.equals(Proxy.NO_PROXY)) { 1560 hostSpec = null; 1561 exclSpec = null; 1562 } else { 1563 if (!proxySpec.type().equals(Proxy.Type.HTTP)) { 1564 throw new IllegalArgumentException(); 1565 } 1566 InetSocketAddress sa = (InetSocketAddress)proxySpec.address(); 1567 String hostName = sa.getHostName(); 1568 int port = sa.getPort(); 1569 StringBuilder hostBuilder = new StringBuilder(); 1570 hostSpec = hostBuilder.append(hostName) 1571 .append(":").append(Integer.toString(port)).toString(); 1572 if (exclusionList == null) { 1573 exclSpec = ""; 1574 } else { 1575 StringBuilder listBuilder = new StringBuilder(); 1576 boolean firstDomain = true; 1577 for (String exclDomain : exclusionList) { 1578 if (!firstDomain) { 1579 listBuilder = listBuilder.append(","); 1580 } else { 1581 firstDomain = false; 1582 } 1583 listBuilder = listBuilder.append(exclDomain.trim()); 1584 } 1585 exclSpec = listBuilder.toString(); 1586 } 1587 if (android.net.Proxy.validate(hostName, Integer.toString(port), exclSpec) 1588 != android.net.Proxy.PROXY_VALID) 1589 throw new IllegalArgumentException(); 1590 } 1591 return mService.setGlobalProxy(admin, hostSpec, exclSpec, UserHandle.myUserId()); 1592 } catch (RemoteException e) { 1593 Log.w(TAG, "Failed talking with device policy service", e); 1594 } 1595 } 1596 return null; 1597 } 1598 1599 /** 1600 * Set a network-independent global HTTP proxy. This is not normally what you want 1601 * for typical HTTP proxies - they are generally network dependent. However if you're 1602 * doing something unusual like general internal filtering this may be useful. On 1603 * a private network where the proxy is not accessible, you may break HTTP using this. 1604 * 1605 * <p>This method requires the caller to be the device owner. 1606 * 1607 * <p>This proxy is only a recommendation and it is possible that some apps will ignore it. 1608 * @see ProxyInfo 1609 * 1610 * @param admin Which {@link DeviceAdminReceiver} this request is associated 1611 * with. 1612 * @param proxyInfo The a {@link ProxyInfo} object defining the new global 1613 * HTTP proxy. A {@code null} value will clear the global HTTP proxy. 1614 */ 1615 public void setRecommendedGlobalProxy(ComponentName admin, ProxyInfo proxyInfo) { 1616 if (mService != null) { 1617 try { 1618 mService.setRecommendedGlobalProxy(admin, proxyInfo); 1619 } catch (RemoteException e) { 1620 Log.w(TAG, "Failed talking with device policy service", e); 1621 } 1622 } 1623 } 1624 1625 /** 1626 * Returns the component name setting the global proxy. 1627 * @return ComponentName object of the device admin that set the global proxy, or 1628 * null if no admin has set the proxy. 1629 * @hide 1630 */ 1631 public ComponentName getGlobalProxyAdmin() { 1632 if (mService != null) { 1633 try { 1634 return mService.getGlobalProxyAdmin(UserHandle.myUserId()); 1635 } catch (RemoteException e) { 1636 Log.w(TAG, "Failed talking with device policy service", e); 1637 } 1638 } 1639 return null; 1640 } 1641 1642 /** 1643 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1644 * indicating that encryption is not supported. 1645 */ 1646 public static final int ENCRYPTION_STATUS_UNSUPPORTED = 0; 1647 1648 /** 1649 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1650 * indicating that encryption is supported, but is not currently active. 1651 */ 1652 public static final int ENCRYPTION_STATUS_INACTIVE = 1; 1653 1654 /** 1655 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1656 * indicating that encryption is not currently active, but is currently 1657 * being activated. This is only reported by devices that support 1658 * encryption of data and only when the storage is currently 1659 * undergoing a process of becoming encrypted. A device that must reboot and/or wipe data 1660 * to become encrypted will never return this value. 1661 */ 1662 public static final int ENCRYPTION_STATUS_ACTIVATING = 2; 1663 1664 /** 1665 * Result code for {@link #setStorageEncryption} and {@link #getStorageEncryptionStatus}: 1666 * indicating that encryption is active. 1667 */ 1668 public static final int ENCRYPTION_STATUS_ACTIVE = 3; 1669 1670 /** 1671 * Activity action: begin the process of encrypting data on the device. This activity should 1672 * be launched after using {@link #setStorageEncryption} to request encryption be activated. 1673 * After resuming from this activity, use {@link #getStorageEncryption} 1674 * to check encryption status. However, on some devices this activity may never return, as 1675 * it may trigger a reboot and in some cases a complete data wipe of the device. 1676 */ 1677 @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION) 1678 public static final String ACTION_START_ENCRYPTION 1679 = "android.app.action.START_ENCRYPTION"; 1680 1681 /** 1682 * Widgets are enabled in keyguard 1683 */ 1684 public static final int KEYGUARD_DISABLE_FEATURES_NONE = 0; 1685 1686 /** 1687 * Disable all keyguard widgets. Has no effect. 1688 */ 1689 public static final int KEYGUARD_DISABLE_WIDGETS_ALL = 1 << 0; 1690 1691 /** 1692 * Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password) 1693 */ 1694 public static final int KEYGUARD_DISABLE_SECURE_CAMERA = 1 << 1; 1695 1696 /** 1697 * Disable showing all notifications on secure keyguard screens (e.g. PIN/Pattern/Password) 1698 */ 1699 public static final int KEYGUARD_DISABLE_SECURE_NOTIFICATIONS = 1 << 2; 1700 1701 /** 1702 * Only allow redacted notifications on secure keyguard screens (e.g. PIN/Pattern/Password) 1703 */ 1704 public static final int KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS = 1 << 3; 1705 1706 /** 1707 * Ignore trust agent state on secure keyguard screens 1708 * (e.g. PIN/Pattern/Password). 1709 */ 1710 public static final int KEYGUARD_DISABLE_TRUST_AGENTS = 1 << 4; 1711 1712 /** 1713 * Disable fingerprint sensor on keyguard secure screens (e.g. PIN/Pattern/Password). 1714 */ 1715 public static final int KEYGUARD_DISABLE_FINGERPRINT = 1 << 5; 1716 1717 /** 1718 * Disable all current and future keyguard customizations. 1719 */ 1720 public static final int KEYGUARD_DISABLE_FEATURES_ALL = 0x7fffffff; 1721 1722 /** 1723 * Called by an application that is administering the device to 1724 * request that the storage system be encrypted. 1725 * 1726 * <p>When multiple device administrators attempt to control device 1727 * encryption, the most secure, supported setting will always be 1728 * used. If any device administrator requests device encryption, 1729 * it will be enabled; Conversely, if a device administrator 1730 * attempts to disable device encryption while another 1731 * device administrator has enabled it, the call to disable will 1732 * fail (most commonly returning {@link #ENCRYPTION_STATUS_ACTIVE}). 1733 * 1734 * <p>This policy controls encryption of the secure (application data) storage area. Data 1735 * written to other storage areas may or may not be encrypted, and this policy does not require 1736 * or control the encryption of any other storage areas. 1737 * There is one exception: If {@link android.os.Environment#isExternalStorageEmulated()} is 1738 * {@code true}, then the directory returned by 1739 * {@link android.os.Environment#getExternalStorageDirectory()} must be written to disk 1740 * within the encrypted storage area. 1741 * 1742 * <p>Important Note: On some devices, it is possible to encrypt storage without requiring 1743 * the user to create a device PIN or Password. In this case, the storage is encrypted, but 1744 * the encryption key may not be fully secured. For maximum security, the administrator should 1745 * also require (and check for) a pattern, PIN, or password. 1746 * 1747 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1748 * @param encrypt true to request encryption, false to release any previous request 1749 * @return the new request status (for all active admins) - will be one of 1750 * {@link #ENCRYPTION_STATUS_UNSUPPORTED}, {@link #ENCRYPTION_STATUS_INACTIVE}, or 1751 * {@link #ENCRYPTION_STATUS_ACTIVE}. This is the value of the requests; Use 1752 * {@link #getStorageEncryptionStatus()} to query the actual device state. 1753 */ 1754 public int setStorageEncryption(ComponentName admin, boolean encrypt) { 1755 if (mService != null) { 1756 try { 1757 return mService.setStorageEncryption(admin, encrypt, UserHandle.myUserId()); 1758 } catch (RemoteException e) { 1759 Log.w(TAG, "Failed talking with device policy service", e); 1760 } 1761 } 1762 return ENCRYPTION_STATUS_UNSUPPORTED; 1763 } 1764 1765 /** 1766 * Called by an application that is administering the device to 1767 * determine the requested setting for secure storage. 1768 * 1769 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. If null, 1770 * this will return the requested encryption setting as an aggregate of all active 1771 * administrators. 1772 * @return true if the admin(s) are requesting encryption, false if not. 1773 */ 1774 public boolean getStorageEncryption(ComponentName admin) { 1775 if (mService != null) { 1776 try { 1777 return mService.getStorageEncryption(admin, UserHandle.myUserId()); 1778 } catch (RemoteException e) { 1779 Log.w(TAG, "Failed talking with device policy service", e); 1780 } 1781 } 1782 return false; 1783 } 1784 1785 /** 1786 * Called by an application that is administering the device to 1787 * determine the current encryption status of the device. 1788 * 1789 * Depending on the returned status code, the caller may proceed in different 1790 * ways. If the result is {@link #ENCRYPTION_STATUS_UNSUPPORTED}, the 1791 * storage system does not support encryption. If the 1792 * result is {@link #ENCRYPTION_STATUS_INACTIVE}, use {@link 1793 * #ACTION_START_ENCRYPTION} to begin the process of encrypting or decrypting the 1794 * storage. If the result is {@link #ENCRYPTION_STATUS_ACTIVATING} or 1795 * {@link #ENCRYPTION_STATUS_ACTIVE}, no further action is required. 1796 * 1797 * @return current status of encryption. The value will be one of 1798 * {@link #ENCRYPTION_STATUS_UNSUPPORTED}, {@link #ENCRYPTION_STATUS_INACTIVE}, 1799 * {@link #ENCRYPTION_STATUS_ACTIVATING}, or{@link #ENCRYPTION_STATUS_ACTIVE}. 1800 */ 1801 public int getStorageEncryptionStatus() { 1802 return getStorageEncryptionStatus(UserHandle.myUserId()); 1803 } 1804 1805 /** @hide per-user version */ 1806 public int getStorageEncryptionStatus(int userHandle) { 1807 if (mService != null) { 1808 try { 1809 return mService.getStorageEncryptionStatus(userHandle); 1810 } catch (RemoteException e) { 1811 Log.w(TAG, "Failed talking with device policy service", e); 1812 } 1813 } 1814 return ENCRYPTION_STATUS_UNSUPPORTED; 1815 } 1816 1817 /** 1818 * Installs the given certificate as a user CA. 1819 * 1820 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1821 * @param certBuffer encoded form of the certificate to install. 1822 * 1823 * @return false if the certBuffer cannot be parsed or installation is 1824 * interrupted, true otherwise. 1825 */ 1826 public boolean installCaCert(ComponentName admin, byte[] certBuffer) { 1827 if (mService != null) { 1828 try { 1829 return mService.installCaCert(admin, certBuffer); 1830 } catch (RemoteException e) { 1831 Log.w(TAG, "Failed talking with device policy service", e); 1832 } 1833 } 1834 return false; 1835 } 1836 1837 /** 1838 * Uninstalls the given certificate from trusted user CAs, if present. 1839 * 1840 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1841 * @param certBuffer encoded form of the certificate to remove. 1842 */ 1843 public void uninstallCaCert(ComponentName admin, byte[] certBuffer) { 1844 if (mService != null) { 1845 try { 1846 final String alias = getCaCertAlias(certBuffer); 1847 mService.uninstallCaCert(admin, alias); 1848 } catch (CertificateException e) { 1849 Log.w(TAG, "Unable to parse certificate", e); 1850 } catch (RemoteException e) { 1851 Log.w(TAG, "Failed talking with device policy service", e); 1852 } 1853 } 1854 } 1855 1856 /** 1857 * Returns all CA certificates that are currently trusted, excluding system CA certificates. 1858 * If a user has installed any certificates by other means than device policy these will be 1859 * included too. 1860 * 1861 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1862 * @return a List of byte[] arrays, each encoding one user CA certificate. 1863 */ 1864 public List<byte[]> getInstalledCaCerts(ComponentName admin) { 1865 List<byte[]> certs = new ArrayList<byte[]>(); 1866 if (mService != null) { 1867 try { 1868 mService.enforceCanManageCaCerts(admin); 1869 final TrustedCertificateStore certStore = new TrustedCertificateStore(); 1870 for (String alias : certStore.userAliases()) { 1871 try { 1872 certs.add(certStore.getCertificate(alias).getEncoded()); 1873 } catch (CertificateException ce) { 1874 Log.w(TAG, "Could not encode certificate: " + alias, ce); 1875 } 1876 } 1877 } catch (RemoteException re) { 1878 Log.w(TAG, "Failed talking with device policy service", re); 1879 } 1880 } 1881 return certs; 1882 } 1883 1884 /** 1885 * Uninstalls all custom trusted CA certificates from the profile. Certificates installed by 1886 * means other than device policy will also be removed, except for system CA certificates. 1887 * 1888 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1889 */ 1890 public void uninstallAllUserCaCerts(ComponentName admin) { 1891 if (mService != null) { 1892 for (String alias : new TrustedCertificateStore().userAliases()) { 1893 try { 1894 mService.uninstallCaCert(admin, alias); 1895 } catch (RemoteException re) { 1896 Log.w(TAG, "Failed talking with device policy service", re); 1897 } 1898 } 1899 } 1900 } 1901 1902 /** 1903 * Returns whether this certificate is installed as a trusted CA. 1904 * 1905 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1906 * @param certBuffer encoded form of the certificate to look up. 1907 */ 1908 public boolean hasCaCertInstalled(ComponentName admin, byte[] certBuffer) { 1909 if (mService != null) { 1910 try { 1911 mService.enforceCanManageCaCerts(admin); 1912 return getCaCertAlias(certBuffer) != null; 1913 } catch (RemoteException re) { 1914 Log.w(TAG, "Failed talking with device policy service", re); 1915 } catch (CertificateException ce) { 1916 Log.w(TAG, "Could not parse certificate", ce); 1917 } 1918 } 1919 return false; 1920 } 1921 1922 /** 1923 * Called by a device or profile owner to install a certificate and private key pair. The 1924 * keypair will be visible to all apps within the profile. 1925 * 1926 * @param who Which {@link DeviceAdminReceiver} this request is associated with. 1927 * @param privKey The private key to install. 1928 * @param cert The certificate to install. 1929 * @param alias The private key alias under which to install the certificate. If a certificate 1930 * with that alias already exists, it will be overwritten. 1931 * @return {@code true} if the keys were installed, {@code false} otherwise. 1932 */ 1933 public boolean installKeyPair(ComponentName who, PrivateKey privKey, Certificate cert, 1934 String alias) { 1935 try { 1936 final byte[] pemCert = Credentials.convertToPem(cert); 1937 return mService.installKeyPair(who, privKey.getEncoded(), pemCert, alias); 1938 } catch (CertificateException e) { 1939 Log.w(TAG, "Error encoding certificate", e); 1940 } catch (IOException e) { 1941 Log.w(TAG, "Error writing certificate", e); 1942 } catch (RemoteException e) { 1943 Log.w(TAG, "Failed talking with device policy service", e); 1944 } 1945 return false; 1946 } 1947 1948 /** 1949 * Returns the alias of a given CA certificate in the certificate store, or null if it 1950 * doesn't exist. 1951 */ 1952 private static String getCaCertAlias(byte[] certBuffer) throws CertificateException { 1953 final CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); 1954 final X509Certificate cert = (X509Certificate) certFactory.generateCertificate( 1955 new ByteArrayInputStream(certBuffer)); 1956 return new TrustedCertificateStore().getCertificateAlias(cert); 1957 } 1958 1959 /** 1960 * Called by an application that is administering the device to disable all cameras 1961 * on the device, for this user. After setting this, no applications running as this user 1962 * will be able to access any cameras on the device. 1963 * 1964 * <p>The calling device admin must have requested 1965 * {@link DeviceAdminInfo#USES_POLICY_DISABLE_CAMERA} to be able to call 1966 * this method; if it has not, a security exception will be thrown. 1967 * 1968 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 1969 * @param disabled Whether or not the camera should be disabled. 1970 */ 1971 public void setCameraDisabled(ComponentName admin, boolean disabled) { 1972 if (mService != null) { 1973 try { 1974 mService.setCameraDisabled(admin, disabled, UserHandle.myUserId()); 1975 } catch (RemoteException e) { 1976 Log.w(TAG, "Failed talking with device policy service", e); 1977 } 1978 } 1979 } 1980 1981 /** 1982 * Determine whether or not the device's cameras have been disabled for this user, 1983 * either by the current admin, if specified, or all admins. 1984 * @param admin The name of the admin component to check, or null to check if any admins 1985 * have disabled the camera 1986 */ 1987 public boolean getCameraDisabled(ComponentName admin) { 1988 return getCameraDisabled(admin, UserHandle.myUserId()); 1989 } 1990 1991 /** @hide per-user version */ 1992 public boolean getCameraDisabled(ComponentName admin, int userHandle) { 1993 if (mService != null) { 1994 try { 1995 return mService.getCameraDisabled(admin, userHandle); 1996 } catch (RemoteException e) { 1997 Log.w(TAG, "Failed talking with device policy service", e); 1998 } 1999 } 2000 return false; 2001 } 2002 2003 /** 2004 * Called by a device/profile owner to set whether the screen capture is disabled. Disabling 2005 * screen capture also prevents the content from being shown on display devices that do not have 2006 * a secure video output. See {@link android.view.Display#FLAG_SECURE} for more details about 2007 * secure surfaces and secure displays. 2008 * 2009 * <p>The calling device admin must be a device or profile owner. If it is not, a 2010 * security exception will be thrown. 2011 * 2012 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2013 * @param disabled Whether screen capture is disabled or not. 2014 */ 2015 public void setScreenCaptureDisabled(ComponentName admin, boolean disabled) { 2016 if (mService != null) { 2017 try { 2018 mService.setScreenCaptureDisabled(admin, UserHandle.myUserId(), disabled); 2019 } catch (RemoteException e) { 2020 Log.w(TAG, "Failed talking with device policy service", e); 2021 } 2022 } 2023 } 2024 2025 /** 2026 * Determine whether or not screen capture has been disabled by the current 2027 * admin, if specified, or all admins. 2028 * @param admin The name of the admin component to check, or null to check if any admins 2029 * have disabled screen capture. 2030 */ 2031 public boolean getScreenCaptureDisabled(ComponentName admin) { 2032 return getScreenCaptureDisabled(admin, UserHandle.myUserId()); 2033 } 2034 2035 /** @hide per-user version */ 2036 public boolean getScreenCaptureDisabled(ComponentName admin, int userHandle) { 2037 if (mService != null) { 2038 try { 2039 return mService.getScreenCaptureDisabled(admin, userHandle); 2040 } catch (RemoteException e) { 2041 Log.w(TAG, "Failed talking with device policy service", e); 2042 } 2043 } 2044 return false; 2045 } 2046 2047 /** 2048 * Called by a device owner to set whether auto time is required. If auto time is 2049 * required the user cannot set the date and time, but has to use network date and time. 2050 * 2051 * <p>Note: if auto time is required the user can still manually set the time zone. 2052 * 2053 * <p>The calling device admin must be a device owner. If it is not, a security exception will 2054 * be thrown. 2055 * 2056 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2057 * @param required Whether auto time is set required or not. 2058 */ 2059 public void setAutoTimeRequired(ComponentName admin, boolean required) { 2060 if (mService != null) { 2061 try { 2062 mService.setAutoTimeRequired(admin, UserHandle.myUserId(), required); 2063 } catch (RemoteException e) { 2064 Log.w(TAG, "Failed talking with device policy service", e); 2065 } 2066 } 2067 } 2068 2069 /** 2070 * @return true if auto time is required. 2071 */ 2072 public boolean getAutoTimeRequired() { 2073 if (mService != null) { 2074 try { 2075 return mService.getAutoTimeRequired(); 2076 } catch (RemoteException e) { 2077 Log.w(TAG, "Failed talking with device policy service", e); 2078 } 2079 } 2080 return false; 2081 } 2082 2083 /** 2084 * Called by an application that is administering the device to disable keyguard customizations, 2085 * such as widgets. After setting this, keyguard features will be disabled according to the 2086 * provided feature list. 2087 * 2088 * <p>The calling device admin must have requested 2089 * {@link DeviceAdminInfo#USES_POLICY_DISABLE_KEYGUARD_FEATURES} to be able to call 2090 * this method; if it has not, a security exception will be thrown. 2091 * 2092 * <p>Calling this from a managed profile will throw a security exception. 2093 * 2094 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2095 * @param which {@link #KEYGUARD_DISABLE_FEATURES_NONE} (default), 2096 * {@link #KEYGUARD_DISABLE_WIDGETS_ALL}, {@link #KEYGUARD_DISABLE_SECURE_CAMERA}, 2097 * {@link #KEYGUARD_DISABLE_SECURE_NOTIFICATIONS}, {@link #KEYGUARD_DISABLE_TRUST_AGENTS}, 2098 * {@link #KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS}, {@link #KEYGUARD_DISABLE_FEATURES_ALL} 2099 */ 2100 public void setKeyguardDisabledFeatures(ComponentName admin, int which) { 2101 if (mService != null) { 2102 try { 2103 mService.setKeyguardDisabledFeatures(admin, which, UserHandle.myUserId()); 2104 } catch (RemoteException e) { 2105 Log.w(TAG, "Failed talking with device policy service", e); 2106 } 2107 } 2108 } 2109 2110 /** 2111 * Determine whether or not features have been disabled in keyguard either by the current 2112 * admin, if specified, or all admins. 2113 * @param admin The name of the admin component to check, or null to check if any admins 2114 * have disabled features in keyguard. 2115 * @return bitfield of flags. See {@link #setKeyguardDisabledFeatures(ComponentName, int)} 2116 * for a list. 2117 */ 2118 public int getKeyguardDisabledFeatures(ComponentName admin) { 2119 return getKeyguardDisabledFeatures(admin, UserHandle.myUserId()); 2120 } 2121 2122 /** @hide per-user version */ 2123 public int getKeyguardDisabledFeatures(ComponentName admin, int userHandle) { 2124 if (mService != null) { 2125 try { 2126 return mService.getKeyguardDisabledFeatures(admin, userHandle); 2127 } catch (RemoteException e) { 2128 Log.w(TAG, "Failed talking with device policy service", e); 2129 } 2130 } 2131 return KEYGUARD_DISABLE_FEATURES_NONE; 2132 } 2133 2134 /** 2135 * @hide 2136 */ 2137 public void setActiveAdmin(ComponentName policyReceiver, boolean refreshing, int userHandle) { 2138 if (mService != null) { 2139 try { 2140 mService.setActiveAdmin(policyReceiver, refreshing, userHandle); 2141 } catch (RemoteException e) { 2142 Log.w(TAG, "Failed talking with device policy service", e); 2143 } 2144 } 2145 } 2146 2147 /** 2148 * @hide 2149 */ 2150 public void setActiveAdmin(ComponentName policyReceiver, boolean refreshing) { 2151 setActiveAdmin(policyReceiver, refreshing, UserHandle.myUserId()); 2152 } 2153 2154 /** 2155 * Returns the DeviceAdminInfo as defined by the administrator's package info & meta-data 2156 * @hide 2157 */ 2158 public DeviceAdminInfo getAdminInfo(ComponentName cn) { 2159 ActivityInfo ai; 2160 try { 2161 ai = mContext.getPackageManager().getReceiverInfo(cn, 2162 PackageManager.GET_META_DATA); 2163 } catch (PackageManager.NameNotFoundException e) { 2164 Log.w(TAG, "Unable to retrieve device policy " + cn, e); 2165 return null; 2166 } 2167 2168 ResolveInfo ri = new ResolveInfo(); 2169 ri.activityInfo = ai; 2170 2171 try { 2172 return new DeviceAdminInfo(mContext, ri); 2173 } catch (XmlPullParserException e) { 2174 Log.w(TAG, "Unable to parse device policy " + cn, e); 2175 return null; 2176 } catch (IOException e) { 2177 Log.w(TAG, "Unable to parse device policy " + cn, e); 2178 return null; 2179 } 2180 } 2181 2182 /** 2183 * @hide 2184 */ 2185 public void getRemoveWarning(ComponentName admin, RemoteCallback result) { 2186 if (mService != null) { 2187 try { 2188 mService.getRemoveWarning(admin, result, UserHandle.myUserId()); 2189 } catch (RemoteException e) { 2190 Log.w(TAG, "Failed talking with device policy service", e); 2191 } 2192 } 2193 } 2194 2195 /** 2196 * @hide 2197 */ 2198 public void setActivePasswordState(int quality, int length, int letters, int uppercase, 2199 int lowercase, int numbers, int symbols, int nonletter, int userHandle) { 2200 if (mService != null) { 2201 try { 2202 mService.setActivePasswordState(quality, length, letters, uppercase, lowercase, 2203 numbers, symbols, nonletter, userHandle); 2204 } catch (RemoteException e) { 2205 Log.w(TAG, "Failed talking with device policy service", e); 2206 } 2207 } 2208 } 2209 2210 /** 2211 * @hide 2212 */ 2213 public void reportFailedPasswordAttempt(int userHandle) { 2214 if (mService != null) { 2215 try { 2216 mService.reportFailedPasswordAttempt(userHandle); 2217 } catch (RemoteException e) { 2218 Log.w(TAG, "Failed talking with device policy service", e); 2219 } 2220 } 2221 } 2222 2223 /** 2224 * @hide 2225 */ 2226 public void reportSuccessfulPasswordAttempt(int userHandle) { 2227 if (mService != null) { 2228 try { 2229 mService.reportSuccessfulPasswordAttempt(userHandle); 2230 } catch (RemoteException e) { 2231 Log.w(TAG, "Failed talking with device policy service", e); 2232 } 2233 } 2234 } 2235 2236 /** 2237 * @hide 2238 * Sets the given package as the device owner. The package must already be installed and there 2239 * shouldn't be an existing device owner registered, for this call to succeed. Also, this 2240 * method must be called before the device is provisioned. 2241 * @param packageName the package name of the application to be registered as the device owner. 2242 * @return whether the package was successfully registered as the device owner. 2243 * @throws IllegalArgumentException if the package name is null or invalid 2244 * @throws IllegalStateException if a device owner is already registered or the device has 2245 * already been provisioned. 2246 */ 2247 public boolean setDeviceOwner(String packageName) throws IllegalArgumentException, 2248 IllegalStateException { 2249 return setDeviceOwner(packageName, null); 2250 } 2251 2252 /** 2253 * @hide 2254 * Sets the given package as the device owner. The package must already be installed and there 2255 * shouldn't be an existing device owner registered, for this call to succeed. Also, this 2256 * method must be called before the device is provisioned. 2257 * @param packageName the package name of the application to be registered as the device owner. 2258 * @param ownerName the human readable name of the institution that owns this device. 2259 * @return whether the package was successfully registered as the device owner. 2260 * @throws IllegalArgumentException if the package name is null or invalid 2261 * @throws IllegalStateException if a device owner is already registered or the device has 2262 * already been provisioned. 2263 */ 2264 public boolean setDeviceOwner(String packageName, String ownerName) 2265 throws IllegalArgumentException, IllegalStateException { 2266 if (mService != null) { 2267 try { 2268 return mService.setDeviceOwner(packageName, ownerName); 2269 } catch (RemoteException re) { 2270 Log.w(TAG, "Failed to set device owner"); 2271 } 2272 } 2273 return false; 2274 } 2275 2276 /** 2277 * Used to determine if a particular package has been registered as a Device Owner app. 2278 * A device owner app is a special device admin that cannot be deactivated by the user, once 2279 * activated as a device admin. It also cannot be uninstalled. To check if a particular 2280 * package is currently registered as the device owner app, pass in the package name from 2281 * {@link Context#getPackageName()} to this method.<p/>This is useful for device 2282 * admin apps that want to check if they are also registered as the device owner app. The 2283 * exact mechanism by which a device admin app is registered as a device owner app is defined by 2284 * the setup process. 2285 * @param packageName the package name of the app, to compare with the registered device owner 2286 * app, if any. 2287 * @return whether or not the package is registered as the device owner app. 2288 */ 2289 public boolean isDeviceOwnerApp(String packageName) { 2290 if (mService != null) { 2291 try { 2292 return mService.isDeviceOwner(packageName); 2293 } catch (RemoteException re) { 2294 Log.w(TAG, "Failed to check device owner"); 2295 } 2296 } 2297 return false; 2298 } 2299 2300 /** 2301 * @hide 2302 * Redirect to isDeviceOwnerApp. 2303 */ 2304 public boolean isDeviceOwner(String packageName) { 2305 return isDeviceOwnerApp(packageName); 2306 } 2307 2308 /** 2309 * Clears the current device owner. The caller must be the device owner. 2310 * 2311 * This function should be used cautiously as once it is called it cannot 2312 * be undone. The device owner can only be set as a part of device setup 2313 * before setup completes. 2314 * 2315 * @param packageName The package name of the device owner. 2316 */ 2317 public void clearDeviceOwnerApp(String packageName) { 2318 if (mService != null) { 2319 try { 2320 mService.clearDeviceOwner(packageName); 2321 } catch (RemoteException re) { 2322 Log.w(TAG, "Failed to clear device owner"); 2323 } 2324 } 2325 } 2326 2327 /** @hide */ 2328 @SystemApi 2329 public String getDeviceOwner() { 2330 if (mService != null) { 2331 try { 2332 return mService.getDeviceOwner(); 2333 } catch (RemoteException re) { 2334 Log.w(TAG, "Failed to get device owner"); 2335 } 2336 } 2337 return null; 2338 } 2339 2340 /** @hide */ 2341 public String getDeviceOwnerName() { 2342 if (mService != null) { 2343 try { 2344 return mService.getDeviceOwnerName(); 2345 } catch (RemoteException re) { 2346 Log.w(TAG, "Failed to get device owner"); 2347 } 2348 } 2349 return null; 2350 } 2351 2352 /** 2353 * @hide 2354 * @deprecated Use #ACTION_SET_PROFILE_OWNER 2355 * Sets the given component as an active admin and registers the package as the profile 2356 * owner for this user. The package must already be installed and there shouldn't be 2357 * an existing profile owner registered for this user. Also, this method must be called 2358 * before the user setup has been completed. 2359 * <p> 2360 * This method can only be called by system apps that hold MANAGE_USERS permission and 2361 * MANAGE_DEVICE_ADMINS permission. 2362 * @param admin The component to register as an active admin and profile owner. 2363 * @param ownerName The user-visible name of the entity that is managing this user. 2364 * @return whether the admin was successfully registered as the profile owner. 2365 * @throws IllegalArgumentException if packageName is null, the package isn't installed, or 2366 * the user has already been set up. 2367 */ 2368 @SystemApi 2369 public boolean setActiveProfileOwner(ComponentName admin, String ownerName) 2370 throws IllegalArgumentException { 2371 if (mService != null) { 2372 try { 2373 final int myUserId = UserHandle.myUserId(); 2374 mService.setActiveAdmin(admin, false, myUserId); 2375 return mService.setProfileOwner(admin, ownerName, myUserId); 2376 } catch (RemoteException re) { 2377 Log.w(TAG, "Failed to set profile owner " + re); 2378 throw new IllegalArgumentException("Couldn't set profile owner.", re); 2379 } 2380 } 2381 return false; 2382 } 2383 2384 /** 2385 * @hide 2386 * Clears the active profile owner and removes all user restrictions. The caller must 2387 * be from the same package as the active profile owner for this user, otherwise a 2388 * SecurityException will be thrown. 2389 * 2390 * @param admin The component to remove as the profile owner. 2391 * @return 2392 */ 2393 @SystemApi 2394 public void clearProfileOwner(ComponentName admin) { 2395 if (mService != null) { 2396 try { 2397 mService.clearProfileOwner(admin); 2398 } catch (RemoteException re) { 2399 Log.w(TAG, "Failed to clear profile owner " + admin + re); 2400 } 2401 } 2402 } 2403 2404 /** 2405 * @hide 2406 * Checks if the user was already setup. 2407 */ 2408 public boolean hasUserSetupCompleted() { 2409 if (mService != null) { 2410 try { 2411 return mService.hasUserSetupCompleted(); 2412 } catch (RemoteException re) { 2413 Log.w(TAG, "Failed to check if user setup has completed"); 2414 } 2415 } 2416 return true; 2417 } 2418 2419 /** 2420 * @deprecated Use setProfileOwner(ComponentName ...) 2421 * @hide 2422 * Sets the given package as the profile owner of the given user profile. The package must 2423 * already be installed and there shouldn't be an existing profile owner registered for this 2424 * user. Also, this method must be called before the user has been used for the first time. 2425 * @param packageName the package name of the application to be registered as profile owner. 2426 * @param ownerName the human readable name of the organisation associated with this DPM. 2427 * @param userHandle the userId to set the profile owner for. 2428 * @return whether the package was successfully registered as the profile owner. 2429 * @throws IllegalArgumentException if packageName is null, the package isn't installed, or 2430 * the user has already been set up. 2431 */ 2432 public boolean setProfileOwner(String packageName, String ownerName, int userHandle) 2433 throws IllegalArgumentException { 2434 if (packageName == null) { 2435 throw new NullPointerException("packageName cannot be null"); 2436 } 2437 return setProfileOwner(new ComponentName(packageName, ""), ownerName, userHandle); 2438 } 2439 2440 /** 2441 * @hide 2442 * Sets the given component as the profile owner of the given user profile. The package must 2443 * already be installed and there shouldn't be an existing profile owner registered for this 2444 * user. Only the system can call this API if the user has already completed setup. 2445 * @param admin the component name to be registered as profile owner. 2446 * @param ownerName the human readable name of the organisation associated with this DPM. 2447 * @param userHandle the userId to set the profile owner for. 2448 * @return whether the component was successfully registered as the profile owner. 2449 * @throws IllegalArgumentException if admin is null, the package isn't installed, or 2450 * the user has already been set up. 2451 */ 2452 public boolean setProfileOwner(ComponentName admin, String ownerName, int userHandle) 2453 throws IllegalArgumentException { 2454 if (admin == null) { 2455 throw new NullPointerException("admin cannot be null"); 2456 } 2457 if (mService != null) { 2458 try { 2459 if (ownerName == null) { 2460 ownerName = ""; 2461 } 2462 return mService.setProfileOwner(admin, ownerName, userHandle); 2463 } catch (RemoteException re) { 2464 Log.w(TAG, "Failed to set profile owner", re); 2465 throw new IllegalArgumentException("Couldn't set profile owner.", re); 2466 } 2467 } 2468 return false; 2469 } 2470 2471 /** 2472 * Sets the enabled state of the profile. A profile should be enabled only once it is ready to 2473 * be used. Only the profile owner can call this. 2474 * 2475 * @see #isProfileOwnerApp 2476 * 2477 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2478 */ 2479 public void setProfileEnabled(ComponentName admin) { 2480 if (mService != null) { 2481 try { 2482 mService.setProfileEnabled(admin); 2483 } catch (RemoteException e) { 2484 Log.w(TAG, "Failed talking with device policy service", e); 2485 } 2486 } 2487 } 2488 2489 /** 2490 * Sets the name of the profile. In the device owner case it sets the name of the user 2491 * which it is called from. Only a profile owner or device owner can call this. If this is 2492 * never called by the profile or device owner, the name will be set to default values. 2493 * 2494 * @see #isProfileOwnerApp 2495 * @see #isDeviceOwnerApp 2496 * 2497 * @param profileName The name of the profile. 2498 */ 2499 public void setProfileName(ComponentName who, String profileName) { 2500 if (mService != null) { 2501 try { 2502 mService.setProfileName(who, profileName); 2503 } catch (RemoteException e) { 2504 Log.w(TAG, "Failed talking with device policy service", e); 2505 } 2506 } 2507 } 2508 2509 /** 2510 * Used to determine if a particular package is registered as the profile owner for the 2511 * current user. A profile owner is a special device admin that has additional privileges 2512 * within the profile. 2513 * 2514 * @param packageName The package name of the app to compare with the registered profile owner. 2515 * @return Whether or not the package is registered as the profile owner. 2516 */ 2517 public boolean isProfileOwnerApp(String packageName) { 2518 if (mService != null) { 2519 try { 2520 ComponentName profileOwner = mService.getProfileOwner( 2521 Process.myUserHandle().getIdentifier()); 2522 return profileOwner != null 2523 && profileOwner.getPackageName().equals(packageName); 2524 } catch (RemoteException re) { 2525 Log.w(TAG, "Failed to check profile owner"); 2526 } 2527 } 2528 return false; 2529 } 2530 2531 /** 2532 * @hide 2533 * @return the packageName of the owner of the given user profile or null if no profile 2534 * owner has been set for that user. 2535 * @throws IllegalArgumentException if the userId is invalid. 2536 */ 2537 @SystemApi 2538 public ComponentName getProfileOwner() throws IllegalArgumentException { 2539 return getProfileOwnerAsUser(Process.myUserHandle().getIdentifier()); 2540 } 2541 2542 /** 2543 * @see #getProfileOwner() 2544 * @hide 2545 */ 2546 public ComponentName getProfileOwnerAsUser(final int userId) throws IllegalArgumentException { 2547 if (mService != null) { 2548 try { 2549 return mService.getProfileOwner(userId); 2550 } catch (RemoteException re) { 2551 Log.w(TAG, "Failed to get profile owner"); 2552 throw new IllegalArgumentException( 2553 "Requested profile owner for invalid userId", re); 2554 } 2555 } 2556 return null; 2557 } 2558 2559 /** 2560 * @hide 2561 * @return the human readable name of the organisation associated with this DPM or null if 2562 * one is not set. 2563 * @throws IllegalArgumentException if the userId is invalid. 2564 */ 2565 public String getProfileOwnerName() throws IllegalArgumentException { 2566 if (mService != null) { 2567 try { 2568 return mService.getProfileOwnerName(Process.myUserHandle().getIdentifier()); 2569 } catch (RemoteException re) { 2570 Log.w(TAG, "Failed to get profile owner"); 2571 throw new IllegalArgumentException( 2572 "Requested profile owner for invalid userId", re); 2573 } 2574 } 2575 return null; 2576 } 2577 2578 /** 2579 * @hide 2580 * @param user The user for whom to fetch the profile owner name, if any. 2581 * @return the human readable name of the organisation associated with this profile owner or 2582 * null if one is not set. 2583 * @throws IllegalArgumentException if the userId is invalid. 2584 */ 2585 @SystemApi 2586 public String getProfileOwnerNameAsUser(int userId) throws IllegalArgumentException { 2587 if (mService != null) { 2588 try { 2589 return mService.getProfileOwnerName(userId); 2590 } catch (RemoteException re) { 2591 Log.w(TAG, "Failed to get profile owner"); 2592 throw new IllegalArgumentException( 2593 "Requested profile owner for invalid userId", re); 2594 } 2595 } 2596 return null; 2597 } 2598 2599 /** 2600 * Called by a profile owner or device owner to add a default intent handler activity for 2601 * intents that match a certain intent filter. This activity will remain the default intent 2602 * handler even if the set of potential event handlers for the intent filter changes and if 2603 * the intent preferences are reset. 2604 * 2605 * <p>The default disambiguation mechanism takes over if the activity is not installed 2606 * (anymore). When the activity is (re)installed, it is automatically reset as default 2607 * intent handler for the filter. 2608 * 2609 * <p>The calling device admin must be a profile owner or device owner. If it is not, a 2610 * security exception will be thrown. 2611 * 2612 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2613 * @param filter The IntentFilter for which a default handler is added. 2614 * @param activity The Activity that is added as default intent handler. 2615 */ 2616 public void addPersistentPreferredActivity(ComponentName admin, IntentFilter filter, 2617 ComponentName activity) { 2618 if (mService != null) { 2619 try { 2620 mService.addPersistentPreferredActivity(admin, filter, activity); 2621 } catch (RemoteException e) { 2622 Log.w(TAG, "Failed talking with device policy service", e); 2623 } 2624 } 2625 } 2626 2627 /** 2628 * Called by a profile owner or device owner to remove all persistent intent handler preferences 2629 * associated with the given package that were set by {@link #addPersistentPreferredActivity}. 2630 * 2631 * <p>The calling device admin must be a profile owner. If it is not, a security 2632 * exception will be thrown. 2633 * 2634 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2635 * @param packageName The name of the package for which preferences are removed. 2636 */ 2637 public void clearPackagePersistentPreferredActivities(ComponentName admin, 2638 String packageName) { 2639 if (mService != null) { 2640 try { 2641 mService.clearPackagePersistentPreferredActivities(admin, packageName); 2642 } catch (RemoteException e) { 2643 Log.w(TAG, "Failed talking with device policy service", e); 2644 } 2645 } 2646 } 2647 2648 /** 2649 * Called by a profile or device owner to set the application restrictions for a given target 2650 * application running in the profile. 2651 * 2652 * <p>The provided {@link Bundle} consists of key-value pairs, where the types of values may be 2653 * boolean, int, String, or String[]. 2654 * 2655 * <p>The application restrictions are only made visible to the target application and the 2656 * profile or device owner. 2657 * 2658 * <p>If the restrictions are not available yet, but may be applied in the near future, 2659 * the admin can notify the target application of that by adding 2660 * {@link UserManager#KEY_RESTRICTIONS_PENDING} to the settings parameter. 2661 * 2662 * <p>The calling device admin must be a profile or device owner; if it is not, a security 2663 * exception will be thrown. 2664 * 2665 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2666 * @param packageName The name of the package to update restricted settings for. 2667 * @param settings A {@link Bundle} to be parsed by the receiving application, conveying a new 2668 * set of active restrictions. 2669 * 2670 * @see UserManager#KEY_RESTRICTIONS_PENDING 2671 */ 2672 public void setApplicationRestrictions(ComponentName admin, String packageName, 2673 Bundle settings) { 2674 if (mService != null) { 2675 try { 2676 mService.setApplicationRestrictions(admin, packageName, settings); 2677 } catch (RemoteException e) { 2678 Log.w(TAG, "Failed talking with device policy service", e); 2679 } 2680 } 2681 } 2682 2683 /** 2684 * Sets a list of configuration features to enable for a TrustAgent component. This is meant 2685 * to be used in conjunction with {@link #KEYGUARD_DISABLE_TRUST_AGENTS}, which disables all 2686 * trust agents but those enabled by this function call. If flag 2687 * {@link #KEYGUARD_DISABLE_TRUST_AGENTS} is not set, then this call has no effect. 2688 * 2689 * <p>The calling device admin must have requested 2690 * {@link DeviceAdminInfo#USES_POLICY_DISABLE_KEYGUARD_FEATURES} to be able to call 2691 * this method; if not, a security exception will be thrown. 2692 * 2693 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2694 * @param target Component name of the agent to be enabled. 2695 * @param configuration TrustAgent-specific feature bundle. If null for any admin, agent 2696 * will be strictly disabled according to the state of the 2697 * {@link #KEYGUARD_DISABLE_TRUST_AGENTS} flag. 2698 * <p>If {@link #KEYGUARD_DISABLE_TRUST_AGENTS} is set and options is not null for all admins, 2699 * then it's up to the TrustAgent itself to aggregate the values from all device admins. 2700 * <p>Consult documentation for the specific TrustAgent to determine legal options parameters. 2701 * @hide 2702 */ 2703 public void setTrustAgentConfiguration(ComponentName admin, ComponentName target, 2704 PersistableBundle configuration) { 2705 if (mService != null) { 2706 try { 2707 mService.setTrustAgentConfiguration(admin, target, configuration, 2708 UserHandle.myUserId()); 2709 } catch (RemoteException e) { 2710 Log.w(TAG, "Failed talking with device policy service", e); 2711 } 2712 } 2713 } 2714 2715 /** 2716 * Gets configuration for the given trust agent based on aggregating all calls to 2717 * {@link #setTrustAgentConfiguration(ComponentName, ComponentName, PersistableBundle)} for 2718 * all device admins. 2719 * 2720 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. If null, 2721 * this function returns a list of configurations for all admins that declare 2722 * {@link #KEYGUARD_DISABLE_TRUST_AGENTS}. If any admin declares 2723 * {@link #KEYGUARD_DISABLE_TRUST_AGENTS} but doesn't call 2724 * {@link #setTrustAgentConfiguration(ComponentName, ComponentName, PersistableBundle)} 2725 * for this {@param agent} or calls it with a null configuration, null is returned. 2726 * @param agent Which component to get enabled features for. 2727 * @return configuration for the given trust agent. 2728 * @hide 2729 */ 2730 public List<PersistableBundle> getTrustAgentConfiguration(ComponentName admin, 2731 ComponentName agent) { 2732 return getTrustAgentConfiguration(admin, agent, UserHandle.myUserId()); 2733 } 2734 2735 /** @hide per-user version */ 2736 public List<PersistableBundle> getTrustAgentConfiguration(ComponentName admin, 2737 ComponentName agent, int userHandle) { 2738 if (mService != null) { 2739 try { 2740 return mService.getTrustAgentConfiguration(admin, agent, userHandle); 2741 } catch (RemoteException e) { 2742 Log.w(TAG, "Failed talking with device policy service", e); 2743 } 2744 } 2745 return new ArrayList<PersistableBundle>(); // empty list 2746 } 2747 2748 /** 2749 * Called by a profile owner of a managed profile to set whether caller-Id information from 2750 * the managed profile will be shown in the parent profile, for incoming calls. 2751 * 2752 * <p>The calling device admin must be a profile owner. If it is not, a 2753 * security exception will be thrown. 2754 * 2755 * @param who Which {@link DeviceAdminReceiver} this request is associated with. 2756 * @param disabled If true caller-Id information in the managed profile is not displayed. 2757 */ 2758 public void setCrossProfileCallerIdDisabled(ComponentName who, boolean disabled) { 2759 if (mService != null) { 2760 try { 2761 mService.setCrossProfileCallerIdDisabled(who, disabled); 2762 } catch (RemoteException e) { 2763 Log.w(TAG, "Failed talking with device policy service", e); 2764 } 2765 } 2766 } 2767 2768 /** 2769 * Called by a profile owner of a managed profile to determine whether or not caller-Id 2770 * information has been disabled. 2771 * 2772 * <p>The calling device admin must be a profile owner. If it is not, a 2773 * security exception will be thrown. 2774 * 2775 * @param who Which {@link DeviceAdminReceiver} this request is associated with. 2776 */ 2777 public boolean getCrossProfileCallerIdDisabled(ComponentName who) { 2778 if (mService != null) { 2779 try { 2780 return mService.getCrossProfileCallerIdDisabled(who); 2781 } catch (RemoteException e) { 2782 Log.w(TAG, "Failed talking with device policy service", e); 2783 } 2784 } 2785 return false; 2786 } 2787 2788 /** 2789 * Determine whether or not caller-Id information has been disabled. 2790 * 2791 * @param userHandle The user for whom to check the caller-id permission 2792 * @hide 2793 */ 2794 public boolean getCrossProfileCallerIdDisabled(UserHandle userHandle) { 2795 if (mService != null) { 2796 try { 2797 return mService.getCrossProfileCallerIdDisabledForUser(userHandle.getIdentifier()); 2798 } catch (RemoteException e) { 2799 Log.w(TAG, "Failed talking with device policy service", e); 2800 } 2801 } 2802 return false; 2803 } 2804 2805 /** 2806 * Called by the profile owner of a managed profile so that some intents sent in the managed 2807 * profile can also be resolved in the parent, or vice versa. 2808 * Only activity intents are supported. 2809 * 2810 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2811 * @param filter The {@link IntentFilter} the intent has to match to be also resolved in the 2812 * other profile 2813 * @param flags {@link DevicePolicyManager#FLAG_MANAGED_CAN_ACCESS_PARENT} and 2814 * {@link DevicePolicyManager#FLAG_PARENT_CAN_ACCESS_MANAGED} are supported. 2815 */ 2816 public void addCrossProfileIntentFilter(ComponentName admin, IntentFilter filter, int flags) { 2817 if (mService != null) { 2818 try { 2819 mService.addCrossProfileIntentFilter(admin, filter, flags); 2820 } catch (RemoteException e) { 2821 Log.w(TAG, "Failed talking with device policy service", e); 2822 } 2823 } 2824 } 2825 2826 /** 2827 * Called by a profile owner of a managed profile to remove the cross-profile intent filters 2828 * that go from the managed profile to the parent, or from the parent to the managed profile. 2829 * Only removes those that have been set by the profile owner. 2830 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2831 */ 2832 public void clearCrossProfileIntentFilters(ComponentName admin) { 2833 if (mService != null) { 2834 try { 2835 mService.clearCrossProfileIntentFilters(admin); 2836 } catch (RemoteException e) { 2837 Log.w(TAG, "Failed talking with device policy service", e); 2838 } 2839 } 2840 } 2841 2842 /** 2843 * Called by a profile or device owner to set the permitted accessibility services. When 2844 * set by a device owner or profile owner the restriction applies to all profiles of the 2845 * user the device owner or profile owner is an admin for. 2846 * 2847 * By default the user can use any accessiblity service. When zero or more packages have 2848 * been added, accessiblity services that are not in the list and not part of the system 2849 * can not be enabled by the user. 2850 * 2851 * <p> Calling with a null value for the list disables the restriction so that all services 2852 * can be used, calling with an empty list only allows the builtin system's services. 2853 * 2854 * <p> System accesibility services are always available to the user the list can't modify 2855 * this. 2856 * 2857 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2858 * @param packageNames List of accessibility service package names. 2859 * 2860 * @return true if setting the restriction succeeded. It fail if there is 2861 * one or more non-system accessibility services enabled, that are not in the list. 2862 */ 2863 public boolean setPermittedAccessibilityServices(ComponentName admin, 2864 List<String> packageNames) { 2865 if (mService != null) { 2866 try { 2867 return mService.setPermittedAccessibilityServices(admin, packageNames); 2868 } catch (RemoteException e) { 2869 Log.w(TAG, "Failed talking with device policy service", e); 2870 } 2871 } 2872 return false; 2873 } 2874 2875 /** 2876 * Returns the list of permitted accessibility services set by this device or profile owner. 2877 * 2878 * <p>An empty list means no accessibility services except system services are allowed. 2879 * Null means all accessibility services are allowed. 2880 * 2881 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2882 * @return List of accessiblity service package names. 2883 */ 2884 public List<String> getPermittedAccessibilityServices(ComponentName admin) { 2885 if (mService != null) { 2886 try { 2887 return mService.getPermittedAccessibilityServices(admin); 2888 } catch (RemoteException e) { 2889 Log.w(TAG, "Failed talking with device policy service", e); 2890 } 2891 } 2892 return null; 2893 } 2894 2895 /** 2896 * Returns the list of accessibility services permitted by the device or profiles 2897 * owners of this user. 2898 * 2899 * <p>Null means all accessibility services are allowed, if a non-null list is returned 2900 * it will contain the intersection of the permitted lists for any device or profile 2901 * owners that apply to this user. It will also include any system accessibility services. 2902 * 2903 * @param userId which user to check for. 2904 * @return List of accessiblity service package names. 2905 * @hide 2906 */ 2907 @SystemApi 2908 public List<String> getPermittedAccessibilityServices(int userId) { 2909 if (mService != null) { 2910 try { 2911 return mService.getPermittedAccessibilityServicesForUser(userId); 2912 } catch (RemoteException e) { 2913 Log.w(TAG, "Failed talking with device policy service", e); 2914 } 2915 } 2916 return null; 2917 } 2918 2919 /** 2920 * Called by a profile or device owner to set the permitted input methods services. When 2921 * set by a device owner or profile owner the restriction applies to all profiles of the 2922 * user the device owner or profile owner is an admin for. 2923 * 2924 * By default the user can use any input method. When zero or more packages have 2925 * been added, input method that are not in the list and not part of the system 2926 * can not be enabled by the user. 2927 * 2928 * This method will fail if it is called for a admin that is not for the foreground user 2929 * or a profile of the foreground user. 2930 * 2931 * <p> Calling with a null value for the list disables the restriction so that all input methods 2932 * can be used, calling with an empty list disables all but the system's own input methods. 2933 * 2934 * <p> System input methods are always available to the user this method can't modify this. 2935 * 2936 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2937 * @param packageNames List of input method package names. 2938 * @return true if setting the restriction succeeded. It will fail if there are 2939 * one or more non-system input methods currently enabled that are not in 2940 * the packageNames list. 2941 */ 2942 public boolean setPermittedInputMethods(ComponentName admin, List<String> packageNames) { 2943 if (mService != null) { 2944 try { 2945 return mService.setPermittedInputMethods(admin, packageNames); 2946 } catch (RemoteException e) { 2947 Log.w(TAG, "Failed talking with device policy service", e); 2948 } 2949 } 2950 return false; 2951 } 2952 2953 2954 /** 2955 * Returns the list of permitted input methods set by this device or profile owner. 2956 * 2957 * <p>An empty list means no input methods except system input methods are allowed. 2958 * Null means all input methods are allowed. 2959 * 2960 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 2961 * @return List of input method package names. 2962 */ 2963 public List<String> getPermittedInputMethods(ComponentName admin) { 2964 if (mService != null) { 2965 try { 2966 return mService.getPermittedInputMethods(admin); 2967 } catch (RemoteException e) { 2968 Log.w(TAG, "Failed talking with device policy service", e); 2969 } 2970 } 2971 return null; 2972 } 2973 2974 /** 2975 * Returns the list of input methods permitted by the device or profiles 2976 * owners of the current user. 2977 * 2978 * <p>Null means all input methods are allowed, if a non-null list is returned 2979 * it will contain the intersection of the permitted lists for any device or profile 2980 * owners that apply to this user. It will also include any system input methods. 2981 * 2982 * @return List of input method package names. 2983 * @hide 2984 */ 2985 @SystemApi 2986 public List<String> getPermittedInputMethodsForCurrentUser() { 2987 if (mService != null) { 2988 try { 2989 return mService.getPermittedInputMethodsForCurrentUser(); 2990 } catch (RemoteException e) { 2991 Log.w(TAG, "Failed talking with device policy service", e); 2992 } 2993 } 2994 return null; 2995 } 2996 2997 /** 2998 * Called by a device owner to create a user with the specified name. The UserHandle returned 2999 * by this method should not be persisted as user handles are recycled as users are removed and 3000 * created. If you need to persist an identifier for this user, use 3001 * {@link UserManager#getSerialNumberForUser}. 3002 * 3003 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3004 * @param name the user's name 3005 * @see UserHandle 3006 * @return the UserHandle object for the created user, or null if the user could not be created. 3007 */ 3008 public UserHandle createUser(ComponentName admin, String name) { 3009 try { 3010 return mService.createUser(admin, name); 3011 } catch (RemoteException re) { 3012 Log.w(TAG, "Could not create a user", re); 3013 } 3014 return null; 3015 } 3016 3017 /** 3018 * Called by a device owner to create a user with the specified name. The UserHandle returned 3019 * by this method should not be persisted as user handles are recycled as users are removed and 3020 * created. If you need to persist an identifier for this user, use 3021 * {@link UserManager#getSerialNumberForUser}. The new user will be started in the background 3022 * immediately. 3023 * 3024 * <p> profileOwnerComponent is the {@link DeviceAdminReceiver} to be the profile owner as well 3025 * as registered as an active admin on the new user. The profile owner package will be 3026 * installed on the new user if it already is installed on the device. 3027 * 3028 * <p>If the optionalInitializeData is not null, then the extras will be passed to the 3029 * profileOwnerComponent when onEnable is called. 3030 * 3031 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3032 * @param name the user's name 3033 * @param ownerName the human readable name of the organisation associated with this DPM. 3034 * @param profileOwnerComponent The {@link DeviceAdminReceiver} that will be an active admin on 3035 * the user. 3036 * @param adminExtras Extras that will be passed to onEnable of the admin receiver 3037 * on the new user. 3038 * @see UserHandle 3039 * @return the UserHandle object for the created user, or null if the user could not be created. 3040 */ 3041 public UserHandle createAndInitializeUser(ComponentName admin, String name, String ownerName, 3042 ComponentName profileOwnerComponent, Bundle adminExtras) { 3043 try { 3044 return mService.createAndInitializeUser(admin, name, ownerName, profileOwnerComponent, 3045 adminExtras); 3046 } catch (RemoteException re) { 3047 Log.w(TAG, "Could not create a user", re); 3048 } 3049 return null; 3050 } 3051 3052 /** 3053 * Called by a device owner to remove a user and all associated data. The primary user can 3054 * not be removed. 3055 * 3056 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3057 * @param userHandle the user to remove. 3058 * @return {@code true} if the user was removed, {@code false} otherwise. 3059 */ 3060 public boolean removeUser(ComponentName admin, UserHandle userHandle) { 3061 try { 3062 return mService.removeUser(admin, userHandle); 3063 } catch (RemoteException re) { 3064 Log.w(TAG, "Could not remove user ", re); 3065 return false; 3066 } 3067 } 3068 3069 /** 3070 * Called by a device owner to switch the specified user to the foreground. 3071 * 3072 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3073 * @param userHandle the user to switch to; null will switch to primary. 3074 * @return {@code true} if the switch was successful, {@code false} otherwise. 3075 * 3076 * @see Intent#ACTION_USER_FOREGROUND 3077 */ 3078 public boolean switchUser(ComponentName admin, UserHandle userHandle) { 3079 try { 3080 return mService.switchUser(admin, userHandle); 3081 } catch (RemoteException re) { 3082 Log.w(TAG, "Could not switch user ", re); 3083 return false; 3084 } 3085 } 3086 3087 /** 3088 * Called by a profile or device owner to get the application restrictions for a given target 3089 * application running in the profile. 3090 * 3091 * <p>The calling device admin must be a profile or device owner; if it is not, a security 3092 * exception will be thrown. 3093 * 3094 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3095 * @param packageName The name of the package to fetch restricted settings of. 3096 * @return {@link Bundle} of settings corresponding to what was set last time 3097 * {@link DevicePolicyManager#setApplicationRestrictions} was called, or an empty {@link Bundle} 3098 * if no restrictions have been set. 3099 */ 3100 public Bundle getApplicationRestrictions(ComponentName admin, String packageName) { 3101 if (mService != null) { 3102 try { 3103 return mService.getApplicationRestrictions(admin, packageName); 3104 } catch (RemoteException e) { 3105 Log.w(TAG, "Failed talking with device policy service", e); 3106 } 3107 } 3108 return null; 3109 } 3110 3111 /** 3112 * Called by a profile or device owner to set a user restriction specified 3113 * by the key. 3114 * <p> 3115 * The calling device admin must be a profile or device owner; if it is not, 3116 * a security exception will be thrown. 3117 * 3118 * @param admin Which {@link DeviceAdminReceiver} this request is associated 3119 * with. 3120 * @param key The key of the restriction. See the constants in 3121 * {@link android.os.UserManager} for the list of keys. 3122 */ 3123 public void addUserRestriction(ComponentName admin, String key) { 3124 if (mService != null) { 3125 try { 3126 mService.setUserRestriction(admin, key, true); 3127 } catch (RemoteException e) { 3128 Log.w(TAG, "Failed talking with device policy service", e); 3129 } 3130 } 3131 } 3132 3133 /** 3134 * Called by a profile or device owner to clear a user restriction specified 3135 * by the key. 3136 * <p> 3137 * The calling device admin must be a profile or device owner; if it is not, 3138 * a security exception will be thrown. 3139 * 3140 * @param admin Which {@link DeviceAdminReceiver} this request is associated 3141 * with. 3142 * @param key The key of the restriction. See the constants in 3143 * {@link android.os.UserManager} for the list of keys. 3144 */ 3145 public void clearUserRestriction(ComponentName admin, String key) { 3146 if (mService != null) { 3147 try { 3148 mService.setUserRestriction(admin, key, false); 3149 } catch (RemoteException e) { 3150 Log.w(TAG, "Failed talking with device policy service", e); 3151 } 3152 } 3153 } 3154 3155 /** 3156 * Called by device or profile owner to hide or unhide packages. When a package is hidden it 3157 * is unavailable for use, but the data and actual package file remain. 3158 * 3159 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3160 * @param packageName The name of the package to hide or unhide. 3161 * @param hidden {@code true} if the package should be hidden, {@code false} if it should be 3162 * unhidden. 3163 * @return boolean Whether the hidden setting of the package was successfully updated. 3164 */ 3165 public boolean setApplicationHidden(ComponentName admin, String packageName, 3166 boolean hidden) { 3167 if (mService != null) { 3168 try { 3169 return mService.setApplicationHidden(admin, packageName, hidden); 3170 } catch (RemoteException e) { 3171 Log.w(TAG, "Failed talking with device policy service", e); 3172 } 3173 } 3174 return false; 3175 } 3176 3177 /** 3178 * Called by device or profile owner to determine if a package is hidden. 3179 * 3180 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3181 * @param packageName The name of the package to retrieve the hidden status of. 3182 * @return boolean {@code true} if the package is hidden, {@code false} otherwise. 3183 */ 3184 public boolean isApplicationHidden(ComponentName admin, String packageName) { 3185 if (mService != null) { 3186 try { 3187 return mService.isApplicationHidden(admin, packageName); 3188 } catch (RemoteException e) { 3189 Log.w(TAG, "Failed talking with device policy service", e); 3190 } 3191 } 3192 return false; 3193 } 3194 3195 /** 3196 * Called by profile or device owner to re-enable a system app that was disabled by default 3197 * when the user was initialized. 3198 * 3199 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3200 * @param packageName The package to be re-enabled in the current profile. 3201 */ 3202 public void enableSystemApp(ComponentName admin, String packageName) { 3203 if (mService != null) { 3204 try { 3205 mService.enableSystemApp(admin, packageName); 3206 } catch (RemoteException e) { 3207 Log.w(TAG, "Failed to install package: " + packageName); 3208 } 3209 } 3210 } 3211 3212 /** 3213 * Called by profile or device owner to re-enable system apps by intent that were disabled 3214 * by default when the user was initialized. 3215 * 3216 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3217 * @param intent An intent matching the app(s) to be installed. All apps that resolve for this 3218 * intent will be re-enabled in the current profile. 3219 * @return int The number of activities that matched the intent and were installed. 3220 */ 3221 public int enableSystemApp(ComponentName admin, Intent intent) { 3222 if (mService != null) { 3223 try { 3224 return mService.enableSystemAppWithIntent(admin, intent); 3225 } catch (RemoteException e) { 3226 Log.w(TAG, "Failed to install packages matching filter: " + intent); 3227 } 3228 } 3229 return 0; 3230 } 3231 3232 /** 3233 * Called by a device owner or profile owner to disable account management for a specific type 3234 * of account. 3235 * 3236 * <p>The calling device admin must be a device owner or profile owner. If it is not, a 3237 * security exception will be thrown. 3238 * 3239 * <p>When account management is disabled for an account type, adding or removing an account 3240 * of that type will not be possible. 3241 * 3242 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3243 * @param accountType For which account management is disabled or enabled. 3244 * @param disabled The boolean indicating that account management will be disabled (true) or 3245 * enabled (false). 3246 */ 3247 public void setAccountManagementDisabled(ComponentName admin, String accountType, 3248 boolean disabled) { 3249 if (mService != null) { 3250 try { 3251 mService.setAccountManagementDisabled(admin, accountType, disabled); 3252 } catch (RemoteException e) { 3253 Log.w(TAG, "Failed talking with device policy service", e); 3254 } 3255 } 3256 } 3257 3258 /** 3259 * Gets the array of accounts for which account management is disabled by the profile owner. 3260 * 3261 * <p> Account management can be disabled/enabled by calling 3262 * {@link #setAccountManagementDisabled}. 3263 * 3264 * @return a list of account types for which account management has been disabled. 3265 * 3266 * @see #setAccountManagementDisabled 3267 */ 3268 public String[] getAccountTypesWithManagementDisabled() { 3269 return getAccountTypesWithManagementDisabledAsUser(UserHandle.myUserId()); 3270 } 3271 3272 /** 3273 * @see #getAccountTypesWithManagementDisabled() 3274 * @hide 3275 */ 3276 public String[] getAccountTypesWithManagementDisabledAsUser(int userId) { 3277 if (mService != null) { 3278 try { 3279 return mService.getAccountTypesWithManagementDisabledAsUser(userId); 3280 } catch (RemoteException e) { 3281 Log.w(TAG, "Failed talking with device policy service", e); 3282 } 3283 } 3284 3285 return null; 3286 } 3287 3288 /** 3289 * Sets which packages may enter lock task mode. 3290 * 3291 * <p>Any packages that shares uid with an allowed package will also be allowed 3292 * to activate lock task. 3293 * 3294 * This function can only be called by the device owner. 3295 * @param packages The list of packages allowed to enter lock task mode 3296 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3297 * 3298 * @see Activity#startLockTask() 3299 * @see DeviceAdminReceiver#onLockTaskModeChanged(Context, Intent, boolean, String) 3300 * @see UserManager#DISALLOW_CREATE_WINDOWS 3301 */ 3302 public void setLockTaskPackages(ComponentName admin, String[] packages) 3303 throws SecurityException { 3304 if (mService != null) { 3305 try { 3306 mService.setLockTaskPackages(admin, packages); 3307 } catch (RemoteException e) { 3308 Log.w(TAG, "Failed talking with device policy service", e); 3309 } 3310 } 3311 } 3312 3313 /** 3314 * This function returns the list of packages allowed to start the lock task mode. 3315 * 3316 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3317 * @hide 3318 */ 3319 public String[] getLockTaskPackages(ComponentName admin) { 3320 if (mService != null) { 3321 try { 3322 return mService.getLockTaskPackages(admin); 3323 } catch (RemoteException e) { 3324 Log.w(TAG, "Failed talking with device policy service", e); 3325 } 3326 } 3327 return null; 3328 } 3329 3330 /** 3331 * This function lets the caller know whether the given component is allowed to start the 3332 * lock task mode. 3333 * @param pkg The package to check 3334 */ 3335 public boolean isLockTaskPermitted(String pkg) { 3336 if (mService != null) { 3337 try { 3338 return mService.isLockTaskPermitted(pkg); 3339 } catch (RemoteException e) { 3340 Log.w(TAG, "Failed talking with device policy service", e); 3341 } 3342 } 3343 return false; 3344 } 3345 3346 /** 3347 * Called by device owners to update {@link Settings.Global} settings. Validation that the value 3348 * of the setting is in the correct form for the setting type should be performed by the caller. 3349 * <p>The settings that can be updated with this method are: 3350 * <ul> 3351 * <li>{@link Settings.Global#ADB_ENABLED}</li> 3352 * <li>{@link Settings.Global#AUTO_TIME}</li> 3353 * <li>{@link Settings.Global#AUTO_TIME_ZONE}</li> 3354 * <li>{@link Settings.Global#BLUETOOTH_ON}</li> 3355 * <li>{@link Settings.Global#DATA_ROAMING}</li> 3356 * <li>{@link Settings.Global#DEVELOPMENT_SETTINGS_ENABLED}</li> 3357 * <li>{@link Settings.Global#MODE_RINGER}</li> 3358 * <li>{@link Settings.Global#NETWORK_PREFERENCE}</li> 3359 * <li>{@link Settings.Global#USB_MASS_STORAGE_ENABLED}</li> 3360 * <li>{@link Settings.Global#WIFI_ON}</li> 3361 * <li>{@link Settings.Global#WIFI_SLEEP_POLICY}</li> 3362 * </ul> 3363 * 3364 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3365 * @param setting The name of the setting to update. 3366 * @param value The value to update the setting to. 3367 */ 3368 public void setGlobalSetting(ComponentName admin, String setting, String value) { 3369 if (mService != null) { 3370 try { 3371 mService.setGlobalSetting(admin, setting, value); 3372 } catch (RemoteException e) { 3373 Log.w(TAG, "Failed talking with device policy service", e); 3374 } 3375 } 3376 } 3377 3378 /** 3379 * Called by profile or device owners to update {@link Settings.Secure} settings. Validation 3380 * that the value of the setting is in the correct form for the setting type should be performed 3381 * by the caller. 3382 * <p>The settings that can be updated by a profile or device owner with this method are: 3383 * <ul> 3384 * <li>{@link Settings.Secure#DEFAULT_INPUT_METHOD}</li> 3385 * <li>{@link Settings.Secure#INSTALL_NON_MARKET_APPS}</li> 3386 * <li>{@link Settings.Secure#SKIP_FIRST_USE_HINTS}</li> 3387 * </ul> 3388 * <p>A device owner can additionally update the following settings: 3389 * <ul> 3390 * <li>{@link Settings.Secure#LOCATION_MODE}</li> 3391 * </ul> 3392 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3393 * @param setting The name of the setting to update. 3394 * @param value The value to update the setting to. 3395 */ 3396 public void setSecureSetting(ComponentName admin, String setting, String value) { 3397 if (mService != null) { 3398 try { 3399 mService.setSecureSetting(admin, setting, value); 3400 } catch (RemoteException e) { 3401 Log.w(TAG, "Failed talking with device policy service", e); 3402 } 3403 } 3404 } 3405 3406 /** 3407 * Designates a specific service component as the provider for 3408 * making permission requests of a local or remote administrator of the user. 3409 * <p/> 3410 * Only a profile owner can designate the restrictions provider. 3411 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3412 * @param provider The component name of the service that implements 3413 * {@link RestrictionsReceiver}. If this param is null, 3414 * it removes the restrictions provider previously assigned. 3415 */ 3416 public void setRestrictionsProvider(ComponentName admin, ComponentName provider) { 3417 if (mService != null) { 3418 try { 3419 mService.setRestrictionsProvider(admin, provider); 3420 } catch (RemoteException re) { 3421 Log.w(TAG, "Failed to set permission provider on device policy service"); 3422 } 3423 } 3424 } 3425 3426 /** 3427 * Called by profile or device owners to set the master volume mute on or off. 3428 * 3429 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3430 * @param on {@code true} to mute master volume, {@code false} to turn mute off. 3431 */ 3432 public void setMasterVolumeMuted(ComponentName admin, boolean on) { 3433 if (mService != null) { 3434 try { 3435 mService.setMasterVolumeMuted(admin, on); 3436 } catch (RemoteException re) { 3437 Log.w(TAG, "Failed to setMasterMute on device policy service"); 3438 } 3439 } 3440 } 3441 3442 /** 3443 * Called by profile or device owners to check whether the master volume mute is on or off. 3444 * 3445 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3446 * @return {@code true} if master volume is muted, {@code false} if it's not. 3447 */ 3448 public boolean isMasterVolumeMuted(ComponentName admin) { 3449 if (mService != null) { 3450 try { 3451 return mService.isMasterVolumeMuted(admin); 3452 } catch (RemoteException re) { 3453 Log.w(TAG, "Failed to get isMasterMute on device policy service"); 3454 } 3455 } 3456 return false; 3457 } 3458 3459 /** 3460 * Called by profile or device owners to change whether a user can uninstall 3461 * a package. 3462 * 3463 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3464 * @param packageName package to change. 3465 * @param uninstallBlocked true if the user shouldn't be able to uninstall the package. 3466 */ 3467 public void setUninstallBlocked(ComponentName admin, String packageName, 3468 boolean uninstallBlocked) { 3469 if (mService != null) { 3470 try { 3471 mService.setUninstallBlocked(admin, packageName, uninstallBlocked); 3472 } catch (RemoteException re) { 3473 Log.w(TAG, "Failed to call block uninstall on device policy service"); 3474 } 3475 } 3476 } 3477 3478 /** 3479 * Check whether the current user has been blocked by device policy from uninstalling a package. 3480 * Requires the caller to be the profile owner if checking a specific admin's policy. 3481 * 3482 * @param admin The name of the admin component whose blocking policy will be checked, or null 3483 * to check if any admin has blocked the uninstallation. 3484 * @param packageName package to check. 3485 * @return true if uninstallation is blocked. 3486 */ 3487 public boolean isUninstallBlocked(ComponentName admin, String packageName) { 3488 if (mService != null) { 3489 try { 3490 return mService.isUninstallBlocked(admin, packageName); 3491 } catch (RemoteException re) { 3492 Log.w(TAG, "Failed to call block uninstall on device policy service"); 3493 } 3494 } 3495 return false; 3496 } 3497 3498 /** 3499 * Called by the profile owner of a managed profile to enable widget providers from a 3500 * given package to be available in the parent profile. As a result the user will be able to 3501 * add widgets from the white-listed package running under the profile to a widget 3502 * host which runs under the parent profile, for example the home screen. Note that 3503 * a package may have zero or more provider components, where each component 3504 * provides a different widget type. 3505 * <p> 3506 * <strong>Note:</strong> By default no widget provider package is white-listed. 3507 * </p> 3508 * 3509 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3510 * @param packageName The package from which widget providers are white-listed. 3511 * @return Whether the package was added. 3512 * 3513 * @see #removeCrossProfileWidgetProvider(android.content.ComponentName, String) 3514 * @see #getCrossProfileWidgetProviders(android.content.ComponentName) 3515 */ 3516 public boolean addCrossProfileWidgetProvider(ComponentName admin, String packageName) { 3517 if (mService != null) { 3518 try { 3519 return mService.addCrossProfileWidgetProvider(admin, packageName); 3520 } catch (RemoteException re) { 3521 Log.w(TAG, "Error calling addCrossProfileWidgetProvider", re); 3522 } 3523 } 3524 return false; 3525 } 3526 3527 /** 3528 * Called by the profile owner of a managed profile to disable widget providers from a given 3529 * package to be available in the parent profile. For this method to take effect the 3530 * package should have been added via {@link #addCrossProfileWidgetProvider( 3531 * android.content.ComponentName, String)}. 3532 * <p> 3533 * <strong>Note:</strong> By default no widget provider package is white-listed. 3534 * </p> 3535 * 3536 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3537 * @param packageName The package from which widget providers are no longer 3538 * white-listed. 3539 * @return Whether the package was removed. 3540 * 3541 * @see #addCrossProfileWidgetProvider(android.content.ComponentName, String) 3542 * @see #getCrossProfileWidgetProviders(android.content.ComponentName) 3543 */ 3544 public boolean removeCrossProfileWidgetProvider(ComponentName admin, String packageName) { 3545 if (mService != null) { 3546 try { 3547 return mService.removeCrossProfileWidgetProvider(admin, packageName); 3548 } catch (RemoteException re) { 3549 Log.w(TAG, "Error calling removeCrossProfileWidgetProvider", re); 3550 } 3551 } 3552 return false; 3553 } 3554 3555 /** 3556 * Called by the profile owner of a managed profile to query providers from which packages are 3557 * available in the parent profile. 3558 * 3559 * @param admin Which {@link DeviceAdminReceiver} this request is associated with. 3560 * @return The white-listed package list. 3561 * 3562 * @see #addCrossProfileWidgetProvider(android.content.ComponentName, String) 3563 * @see #removeCrossProfileWidgetProvider(android.content.ComponentName, String) 3564 */ 3565 public List<String> getCrossProfileWidgetProviders(ComponentName admin) { 3566 if (mService != null) { 3567 try { 3568 List<String> providers = mService.getCrossProfileWidgetProviders(admin); 3569 if (providers != null) { 3570 return providers; 3571 } 3572 } catch (RemoteException re) { 3573 Log.w(TAG, "Error calling getCrossProfileWidgetProviders", re); 3574 } 3575 } 3576 return Collections.emptyList(); 3577 } 3578 } 3579
