1 ## 9.5\. Multi-User Support 2 3 Android includes [support for multiple users]( 4 http://developer.android.com/reference/android/os/UserManager.html) 5 and provides support for full user isolation. 6 7 * Device implementations MAY but SHOULD NOT enable multi-user if they use 8 [removable media]( 9 http://developer.android.com/reference/android/os/Environment.html) 10 for primary external storage. 11 12 If device implementations include multiple users, they: 13 14 * [C-1-1] MUST meet the following requirements related to 15 [multi-user support]( 16 http://source.android.com/devices/storage/traditional.html). 17 * [C-1-2] MUST, for each user, implement a security 18 model consistent with the Android platform security model as defined in 19 [Security and Permissions reference document]( 20 http://developer.android.com/guide/topics/security/permissions.html) 21 in the APIs. 22 * [C-1-3] MUST have separate and isolated shared application storage 23 (a.k.a. `/sdcard`) directories for each user instance. 24 * [C-1-4] MUST ensure that applications owned by and running on behalf a 25 given user cannot list, read, or write to the files owned by any other user, 26 even if the data of both users are stored on the same volume or filesystem. 27 * [C-1-5] MUST encrypt the contents of the SD card when multiuser is enabled 28 using a key stored only on non-removable media accessible only to the system if 29 device implementations use removable media for the external storage APIs. 30 As this will make the media unreadable by a host PC, device implementations 31 will be required to switch to MTP or a similar system to provide host PCs with 32 access to the current users data. 33 34 If device implementations include multiple users and 35 do not declare the `android.hardware.telephony` feature flag, they: 36 37 * [C-2-1] MUST support restricted profiles, 38 a feature that allows device owners to manage additional users and their 39 capabilities on the device. With restricted profiles, device owners can quickly 40 set up separate environments for additional users to work in, with the ability 41 to manage finer-grained restrictions in the apps that are available in those 42 environments. 43 44 If device implementations include multiple users and 45 declare the `android.hardware.telephony` feature flag, they: 46 47 * [C-3-1] MUST NOT support restricted profiles but MUST align with the AOSP 48 implementation of controls to enable /disable other users from accessing the 49 voice calls and SMS. 50 51