DevicePolicyManager
public
class
DevicePolicyManager
extends Object
java.lang.Object | |
↳ | android.app.admin.DevicePolicyManager |
Public interface for managing policies enforced on a device. Most clients of this class must be
registered with the system as a device
administrator. Additionally, a device administrator may be registered as either a profile or
device owner. A given method is accessible to all device administrators unless the documentation
for that method specifies that it is restricted to either device or profile owners. Any
application calling an api may only pass as an argument a device administrator component it
owns. Otherwise, a SecurityException
will be thrown.
Developer Guides
For more information about managing policies for device administration, read the Device Administration developer guide.
Instances of this class must be obtained using Context.getSystemService(Class)
with the argument DevicePolicyManager.class
or Context.getSystemService(String)
with the argument Context.DEVICE_POLICY_SERVICE
.
Requires the FEATURE_DEVICE_ADMIN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Summary
Nested classes | |
---|---|
interface |
DevicePolicyManager.OnClearApplicationUserDataListener
Callback used in |
Constants | |
---|---|
String |
ACTION_ADD_DEVICE_ADMIN
Activity action: ask the user to add a new device administrator to the system. |
String |
ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED
Broadcast Action: Sent after application delegation scopes are changed. |
String |
ACTION_DEVICE_ADMIN_SERVICE
Service action: Action for a service that device owner and profile owner can optionally own. |
String |
ACTION_DEVICE_OWNER_CHANGED
Broadcast action: sent when the device owner is set, changed or cleared. |
String |
ACTION_MANAGED_PROFILE_PROVISIONED
Broadcast Action: This broadcast is sent to indicate that provisioning of a managed profile has completed successfully. |
String |
ACTION_PROFILE_OWNER_CHANGED
Broadcast action: sent when the profile owner is set, changed or cleared. |
String |
ACTION_PROVISIONING_SUCCESSFUL
Activity action: This activity action is sent to indicate that provisioning of a managed profile or managed device has completed successfully. |
String |
ACTION_PROVISION_MANAGED_DEVICE
Activity action: Starts the provisioning flow which sets up a managed device. |
String |
ACTION_PROVISION_MANAGED_PROFILE
Activity action: Starts the provisioning flow which sets up a managed profile. |
String |
ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
Activity action: have the user enter a new password for the parent profile. |
String |
ACTION_SET_NEW_PASSWORD
Activity action: have the user enter a new password. |
String |
ACTION_START_ENCRYPTION
Activity action: begin the process of encrypting data on the device. |
String |
ACTION_SYSTEM_UPDATE_POLICY_CHANGED
Broadcast action: notify that a new local system update policy has been set by the device owner. |
String |
DELEGATION_APP_RESTRICTIONS
Delegation of application restrictions management. |
String |
DELEGATION_BLOCK_UNINSTALL
Delegation of application uninstall block. |
String |
DELEGATION_CERT_INSTALL
Delegation of certificate installation and management. |
String |
DELEGATION_ENABLE_SYSTEM_APP
Delegation for enabling system apps. |
String |
DELEGATION_INSTALL_EXISTING_PACKAGE
Delegation for installing existing packages. |
String |
DELEGATION_KEEP_UNINSTALLED_PACKAGES
Delegation of management of uninstalled packages. |
String |
DELEGATION_PACKAGE_ACCESS
Delegation of package access state. |
String |
DELEGATION_PERMISSION_GRANT
Delegation of permission policy and permission grant state. |
int |
ENCRYPTION_STATUS_ACTIVATING
Result code for |
int |
ENCRYPTION_STATUS_ACTIVE
Result code for |
int |
ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY
Result code for |
int |
ENCRYPTION_STATUS_ACTIVE_PER_USER
Result code for |
int |
ENCRYPTION_STATUS_INACTIVE
Result code for |
int |
ENCRYPTION_STATUS_UNSUPPORTED
Result code for |
String |
EXTRA_ADD_EXPLANATION
An optional CharSequence providing additional explanation for why the admin is being added. |
String |
EXTRA_DELEGATION_SCOPES
An |
String |
EXTRA_DEVICE_ADMIN
The ComponentName of the administrator component. |
String |
EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
An |
String |
EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
A |
String |
EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
A ComponentName extra indicating the device admin receiver of the mobile device management application that will be set as the profile owner or device owner and active admin. |
String |
EXTRA_PROVISIONING_DEVICE_ADMIN_MINIMUM_VERSION_CODE
An int extra holding a minimum required version code for the device admin package. |
String |
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
A String extra holding the URL-safe base64 encoded SHA-256 or SHA-1 hash (see notes below) of
the file at download location specified in
|
String |
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
A String extra holding a http cookie header which should be used in the http request to the
url specified in |
String |
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
A String extra holding a url that specifies the download location of the device admin package. |
String |
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
This constant was deprecated
in API level 23.
Use |
String |
EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
A String extra holding the URL-safe base64 encoded SHA-256 checksum of any signature of the
android package archive at the download location specified in |
String |
EXTRA_PROVISIONING_DISCLAIMERS
A |
String |
EXTRA_PROVISIONING_DISCLAIMER_CONTENT
A |
String |
EXTRA_PROVISIONING_DISCLAIMER_HEADER
A String extra of localized disclaimer header. |
String |
EXTRA_PROVISIONING_EMAIL_ADDRESS
This constant was deprecated
in API level 26.
From |
String |
EXTRA_PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION
Boolean extra to indicate that the migrated account should be kept. |
String |
EXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
A Boolean extra that can be used by the mobile device management application to skip the
disabling of system apps during provisioning when set to |
String |
EXTRA_PROVISIONING_LOCALE
A String extra holding the |
String |
EXTRA_PROVISIONING_LOCAL_TIME
A Long extra holding the wall clock time (in milliseconds) to be set on the device's
|
String |
EXTRA_PROVISIONING_LOGO_URI
A |
String |
EXTRA_PROVISIONING_MAIN_COLOR
A integer extra indicating the predominant color to show during the provisioning. |
String |
EXTRA_PROVISIONING_SKIP_ENCRYPTION
A boolean extra indicating whether device encryption can be skipped as part of device owner or managed profile provisioning. |
String |
EXTRA_PROVISIONING_SKIP_USER_CONSENT
A boolean extra indicating if the user consent steps from the provisioning flow should be skipped. |
String |
EXTRA_PROVISIONING_TIME_ZONE
A String extra holding the time zone |
String |
EXTRA_PROVISIONING_WIFI_HIDDEN
A boolean extra indicating whether the wifi network in |
String |
EXTRA_PROVISIONING_WIFI_PAC_URL
A String extra holding the proxy auto-config (PAC) URL for the wifi network in
|
String |
EXTRA_PROVISIONING_WIFI_PASSWORD
A String extra holding the password of the wifi network in
|
String |
EXTRA_PROVISIONING_WIFI_PROXY_BYPASS
A String extra holding the proxy bypass for the wifi network in
|
String |
EXTRA_PROVISIONING_WIFI_PROXY_HOST
A String extra holding the proxy host for the wifi network in
|
String |
EXTRA_PROVISIONING_WIFI_PROXY_PORT
An int extra holding the proxy port for the wifi network in
|
String |
EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
A String extra indicating the security type of the wifi network in
|
String |
EXTRA_PROVISIONING_WIFI_SSID
A String extra holding the ssid of the wifi network that should be used during nfc device owner provisioning for downloading the mobile device management application. |
int |
FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY
Flag for |
int |
FLAG_MANAGED_CAN_ACCESS_PARENT
Flag used by |
int |
FLAG_PARENT_CAN_ACCESS_MANAGED
Flag used by |
int |
ID_TYPE_BASE_INFO
Specifies that the device should attest its manufacturer details. |
int |
ID_TYPE_IMEI
Specifies that the device should attest its IMEI. |
int |
ID_TYPE_MEID
Specifies that the device should attest its MEID. |
int |
ID_TYPE_SERIAL
Specifies that the device should attest its serial number. |
int |
INSTALLKEY_REQUEST_CREDENTIALS_ACCESS
Specifies that the calling app should be granted access to the installed credentials immediately. |
int |
INSTALLKEY_SET_USER_SELECTABLE
Specifies that a user can select the key via the Certificate Selection prompt. |
int |
KEYGUARD_DISABLE_BIOMETRICS
Disable all biometric authentication on keyguard secure screens (e.g. |
int |
KEYGUARD_DISABLE_FACE
Disable face authentication on keyguard secure screens (e.g. |
int |
KEYGUARD_DISABLE_FEATURES_ALL
Disable all current and future keyguard customizations. |
int |
KEYGUARD_DISABLE_FEATURES_NONE
Widgets are enabled in keyguard |
int |
KEYGUARD_DISABLE_FINGERPRINT
Disable fingerprint authentication on keyguard secure screens (e.g. |
int |
KEYGUARD_DISABLE_IRIS
Disable iris authentication on keyguard secure screens (e.g. |
int |
KEYGUARD_DISABLE_REMOTE_INPUT
Disable text entry into notifications on secure keyguard screens (e.g. |
int |
KEYGUARD_DISABLE_SECURE_CAMERA
Disable the camera on secure keyguard screens (e.g. |
int |
KEYGUARD_DISABLE_SECURE_NOTIFICATIONS
Disable showing all notifications on secure keyguard screens (e.g. |
int |
KEYGUARD_DISABLE_TRUST_AGENTS
Disable trust agents on secure keyguard screens (e.g. |
int |
KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS
Only allow redacted notifications on secure keyguard screens (e.g. |
int |
KEYGUARD_DISABLE_WIDGETS_ALL
Disable all keyguard widgets. |
int |
LEAVE_ALL_SYSTEM_APPS_ENABLED
Flag used by |
int |
LOCK_TASK_FEATURE_GLOBAL_ACTIONS
Enable the global actions dialog during LockTask mode. |
int |
LOCK_TASK_FEATURE_HOME
Enable the Home button during LockTask mode. |
int |
LOCK_TASK_FEATURE_KEYGUARD
Enable the keyguard during LockTask mode. |
int |
LOCK_TASK_FEATURE_NONE
Disable all configurable SystemUI features during LockTask mode. |
int |
LOCK_TASK_FEATURE_NOTIFICATIONS
Enable notifications during LockTask mode. |
int |
LOCK_TASK_FEATURE_OVERVIEW
Enable the Overview button and the Overview screen during LockTask mode. |
int |
LOCK_TASK_FEATURE_SYSTEM_INFO
Enable the system info area in the status bar during LockTask mode. |
int |
MAKE_USER_EPHEMERAL
Flag used by |
String |
MIME_TYPE_PROVISIONING_NFC
This MIME type is used for starting the device owner provisioning. |
int |
PASSWORD_QUALITY_ALPHABETIC
Constant for |
int |
PASSWORD_QUALITY_ALPHANUMERIC
Constant for |
int |
PASSWORD_QUALITY_BIOMETRIC_WEAK
Constant for |
int |
PASSWORD_QUALITY_COMPLEX
Constant for |
int |
PASSWORD_QUALITY_NUMERIC
Constant for |
int |
PASSWORD_QUALITY_NUMERIC_COMPLEX
Constant for |
int |
PASSWORD_QUALITY_SOMETHING
Constant for |
int |
PASSWORD_QUALITY_UNSPECIFIED
Constant for |
int |
PERMISSION_GRANT_STATE_DEFAULT
Runtime permission state: The user can manage the permission through the UI. |
int |
PERMISSION_GRANT_STATE_DENIED
Runtime permission state: The permission is denied to the app and the user cannot manage the permission through the UI. |
int |
PERMISSION_GRANT_STATE_GRANTED
Runtime permission state: The permission is granted to the app and the user cannot manage the permission through the UI. |
int |
PERMISSION_POLICY_AUTO_DENY
Permission policy to always deny new permission requests for runtime permissions. |
int |
PERMISSION_POLICY_AUTO_GRANT
Permission policy to always grant new permission requests for runtime permissions. |
int |
PERMISSION_POLICY_PROMPT
Permission policy to prompt user for new permission requests for runtime permissions. |
String |
POLICY_DISABLE_CAMERA
Constant to indicate the feature of disabling the camera. |
String |
POLICY_DISABLE_SCREEN_CAPTURE
Constant to indicate the feature of disabling screen captures. |
int |
RESET_PASSWORD_DO_NOT_ASK_CREDENTIALS_ON_BOOT
Flag for |
int |
RESET_PASSWORD_REQUIRE_ENTRY
Flag for |
int |
SKIP_SETUP_WIZARD
Flag used by |
int |
WIPE_EUICC
Flag for |
int |
WIPE_EXTERNAL_STORAGE
Flag for |
int |
WIPE_RESET_PROTECTION_DATA
Flag for |
Public methods | |
---|---|
void
|
addCrossProfileIntentFilter(ComponentName admin, IntentFilter filter, int flags)
Called by the profile owner of a managed profile so that some intents sent in the managed profile can also be resolved in the parent, or vice versa. |
boolean
|
addCrossProfileWidgetProvider(ComponentName admin, String packageName)
Called by the profile owner of a managed profile to enable widget providers from a given package to be available in the parent profile. |
int
|
addOverrideApn(ComponentName admin, ApnSetting apnSetting)
Called by device owner to add an override APN. |
void
|
addPersistentPreferredActivity(ComponentName admin, IntentFilter filter, ComponentName activity)
Called by a profile owner or device owner to set a default activity that the system selects
to handle intents that match the given |
void
|
addUserRestriction(ComponentName admin, String key)
Called by a profile or device owner to set a user restriction specified by the key. |
boolean
|
bindDeviceAdminServiceAsUser(ComponentName admin, Intent serviceIntent, ServiceConnection conn, int flags, UserHandle targetUser)
Called by a device owner to bind to a service from a profile owner or vice versa. |
void
|
clearApplicationUserData(ComponentName admin, String packageName, Executor executor, DevicePolicyManager.OnClearApplicationUserDataListener listener)
Called by the device owner or profile owner to clear application user data of a given package. |
void
|
clearCrossProfileIntentFilters(ComponentName admin)
Called by a profile owner of a managed profile to remove the cross-profile intent filters that go from the managed profile to the parent, or from the parent to the managed profile. |
void
|
clearDeviceOwnerApp(String packageName)
This method was deprecated
in API level 26.
This method is expected to be used for testing purposes only. The device owner
will lose control of the device and its data after calling it. In order to protect any
sensitive data that remains on the device, it is advised that the device owner factory resets
the device instead of calling this method. See |
void
|
clearPackagePersistentPreferredActivities(ComponentName admin, String packageName)
Called by a profile owner or device owner to remove all persistent intent handler preferences
associated with the given package that were set by |
void
|
clearProfileOwner(ComponentName admin)
This method was deprecated
in API level 26.
This method is expected to be used for testing purposes only. The profile owner
will lose control of the user and its data after calling it. In order to protect any
sensitive data that remains on this user, it is advised that the profile owner deletes it
instead of calling this method. See |
boolean
|
clearResetPasswordToken(ComponentName admin)
Called by a profile or device owner to revoke the current password reset token. |
void
|
clearUserRestriction(ComponentName admin, String key)
Called by a profile or device owner to clear a user restriction specified by the key. |
Intent
|
createAdminSupportIntent(String restriction)
Called by any app to display a support dialog when a feature was disabled by an admin. |
UserHandle
|
createAndManageUser(ComponentName admin, String name, ComponentName profileOwner, PersistableBundle adminExtras, int flags)
Called by a device owner to create a user with the specified name and a given component of the calling package as profile owner. |
int
|
enableSystemApp(ComponentName admin, Intent intent)
Re-enable system apps by intent that were disabled by default when the user was initialized. |
void
|
enableSystemApp(ComponentName admin, String packageName)
Re-enable a system app that was disabled by default when the user was initialized. |
AttestedKeyPair
|
generateKeyPair(ComponentName admin, String algorithm, KeyGenParameterSpec keySpec, int idAttestationFlags)
Called by a device or profile owner, or delegated certificate installer, to generate a new private/public key pair. |
String[]
|
getAccountTypesWithManagementDisabled()
Gets the array of accounts for which account management is disabled by the profile owner. |
List<ComponentName>
|
getActiveAdmins()
Return a list of all currently active device administrators' component names. |
Set<String>
|
getAffiliationIds(ComponentName admin)
Returns the set of affiliation ids previously set via |
String
|
getAlwaysOnVpnPackage(ComponentName admin)
Called by a device or profile owner to read the name of the package administering an always-on VPN connection for the current user. |
Bundle
|
getApplicationRestrictions(ComponentName admin, String packageName)
Retrieves the application restrictions for a given target application running in the calling user. |
String
|
getApplicationRestrictionsManagingPackage(ComponentName admin)
This method was deprecated
in API level 26.
From |
boolean
|
getAutoTimeRequired()
|
List<UserHandle>
|
getBindDeviceAdminTargetUsers(ComponentName admin)
Returns the list of target users that the calling device or profile owner can use when
calling |
boolean
|
getBluetoothContactSharingDisabled(ComponentName admin)
Called by a profile owner of a managed profile to determine whether or not Bluetooth devices cannot access enterprise contacts. |
boolean
|
getCameraDisabled(ComponentName admin)
Determine whether or not the device's cameras have been disabled for this user, either by the calling admin, if specified, or all admins. |
String
|
getCertInstallerPackage(ComponentName admin)
This method was deprecated
in API level 26.
From |
boolean
|
getCrossProfileCallerIdDisabled(ComponentName admin)
Called by a profile owner of a managed profile to determine whether or not caller-Id information has been disabled. |
boolean
|
getCrossProfileContactsSearchDisabled(ComponentName admin)
Called by a profile owner of a managed profile to determine whether or not contacts search has been disabled. |
List<String>
|
getCrossProfileWidgetProviders(ComponentName admin)
Called by the profile owner of a managed profile to query providers from which packages are available in the parent profile. |
int
|
getCurrentFailedPasswordAttempts()
Retrieve the number of times the user has failed at entering a password since that last successful password entry. |
List<String>
|
getDelegatePackages(ComponentName admin, String delegationScope)
Called by a profile owner or device owner to retrieve a list of delegate packages that were granted a delegation scope. |
List<String>
|
getDelegatedScopes(ComponentName admin, String delegatedPackage)
Called by a profile owner or device owner to retrieve a list of the scopes given to a delegate package. |
CharSequence
|
getDeviceOwnerLockScreenInfo()
|
CharSequence
|
getEndUserSessionMessage(ComponentName admin)
Returns the user session end message. |
List<byte[]>
|
getInstalledCaCerts(ComponentName admin)
Returns all CA certificates that are currently trusted, excluding system CA certificates. |
List<String>
|
getKeepUninstalledPackages(ComponentName admin)
Get the list of apps to keep around as APKs even if no user has currently installed it. |
int
|
getKeyguardDisabledFeatures(ComponentName admin)
Determine whether or not features have been disabled in keyguard either by the calling admin, if specified, or all admins that set restrictions on this user and its participating profiles. |
int
|
getLockTaskFeatures(ComponentName admin)
Gets which system features are enabled for LockTask mode. |
String[]
|
getLockTaskPackages(ComponentName admin)
Returns the list of packages allowed to start the lock task mode. |
CharSequence
|
getLongSupportMessage(ComponentName admin)
Called by a device admin to get the long support message. |
int
|
getMaximumFailedPasswordsForWipe(ComponentName admin)
Retrieve the current maximum number of login attempts that are allowed before the device or profile is wiped, for a particular admin or all admins that set restrictions on this user and its participating profiles. |
long
|
getMaximumTimeToLock(ComponentName admin)
Retrieve the current maximum time to unlock for a particular admin or all admins that set restrictions on this user and its participating profiles. |
List<String>
|
getMeteredDataDisabledPackages(ComponentName admin)
Called by a device or profile owner to retrieve the list of packages which are restricted by the admin from using metered data. |
int
|
getOrganizationColor(ComponentName admin)
Called by a profile owner of a managed profile to retrieve the color used for customization. |
CharSequence
|
getOrganizationName(ComponentName admin)
Called by a profile owner of a managed profile to retrieve the name of the organization under management. |
List<ApnSetting>
|
getOverrideApns(ComponentName admin)
Called by device owner to get all override APNs inserted by device owner. |
DevicePolicyManager
|
getParentProfileInstance(ComponentName admin)
Called by the profile owner of a managed profile to obtain a |
long
|
getPasswordExpiration(ComponentName admin)
Get the current password expiration time for a particular admin or all admins that set restrictions on this user and its participating profiles. |
long
|
getPasswordExpirationTimeout(ComponentName admin)
Get the password expiration timeout for the given admin. |
int
|
getPasswordHistoryLength(ComponentName admin)
Retrieve the current password history length for a particular admin or all admins that set restrictions on this user and its participating profiles. |
int
|
getPasswordMaximumLength(int quality)
Return the maximum password length that the device supports for a particular password quality. |
int
|
getPasswordMinimumLength(ComponentName admin)
Retrieve the current minimum password length for a particular admin or all admins that set restrictions on this user and its participating profiles. |
int
|
getPasswordMinimumLetters(ComponentName admin)
Retrieve the current number of letters required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. |
int
|
getPasswordMinimumLowerCase(ComponentName admin)
Retrieve the current number of lower case letters required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. |
int
|
getPasswordMinimumNonLetter(ComponentName admin)
Retrieve the current number of non-letter characters required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. |
int
|
getPasswordMinimumNumeric(ComponentName admin)
Retrieve the current number of numerical digits required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. |
int
|
getPasswordMinimumSymbols(ComponentName admin)
Retrieve the current number of symbols required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. |
int
|
getPasswordMinimumUpperCase(ComponentName admin)
Retrieve the current number of upper case letters required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. |
int
|
getPasswordQuality(ComponentName admin)
Retrieve the current minimum password quality for a particular admin or all admins that set restrictions on this user and its participating profiles. |
SystemUpdateInfo
|
getPendingSystemUpdate(ComponentName admin)
Called by device or profile owners to get information about a pending system update. |
int
|
getPermissionGrantState(ComponentName admin, String packageName, String permission)
Returns the current grant state of a runtime permission for a specific application. |
int
|
getPermissionPolicy(ComponentName admin)
Returns the current runtime permission policy set by the device or profile owner. |
List<String>
|
getPermittedAccessibilityServices(ComponentName admin)
Returns the list of permitted accessibility services set by this device or profile owner. |
List<String>
|
getPermittedCrossProfileNotificationListeners(ComponentName admin)
Returns the list of packages installed on the primary user that allowed to use a
|
List<String>
|
getPermittedInputMethods(ComponentName admin)
Returns the list of permitted input methods set by this device or profile owner. |
long
|
getRequiredStrongAuthTimeout(ComponentName admin)
Determine for how long the user will be able to use secondary, non strong auth for authentication, since last strong method authentication (password, pin or pattern) was used. |
boolean
|
getScreenCaptureDisabled(ComponentName admin)
Determine whether or not screen capture has been disabled by the calling admin, if specified, or all admins. |
List<UserHandle>
|
getSecondaryUsers(ComponentName admin)
Called by a device owner to list all secondary users on the device. |
CharSequence
|
getShortSupportMessage(ComponentName admin)
Called by a device admin to get the short support message. |
CharSequence
|
getStartUserSessionMessage(ComponentName admin)
Returns the user session start message. |
boolean
|
getStorageEncryption(ComponentName admin)
Called by an application that is administering the device to determine the requested setting for secure storage. |
int
|
getStorageEncryptionStatus()
Called by an application that is administering the device to determine the current encryption status of the device. |
SystemUpdatePolicy
|
getSystemUpdatePolicy()
Retrieve a local system update policy set previously by |
PersistableBundle
|
getTransferOwnershipBundle()
Returns the data passed from the current administrator to the new administrator during an ownership transfer. |
List<PersistableBundle>
|
getTrustAgentConfiguration(ComponentName admin, ComponentName agent)
Gets configuration for the given trust agent based on aggregating all calls to
|
Bundle
|
getUserRestrictions(ComponentName admin)
Called by a profile or device owner to get user restrictions set with
|
String
|
getWifiMacAddress(ComponentName admin)
Called by device owner to get the MAC address of the Wi-Fi device. |
boolean
|
hasCaCertInstalled(ComponentName admin, byte[] certBuffer)
Returns whether this certificate is installed as a trusted CA. |
boolean
|
hasGrantedPolicy(ComponentName admin, int usesPolicy)
Returns true if an administrator has been granted a particular device policy. |
boolean
|
installCaCert(ComponentName admin, byte[] certBuffer)
Installs the given certificate as a user CA. |
boolean
|
installExistingPackage(ComponentName admin, String packageName)
Install an existing package that has been installed in another user, or has been kept after
removal via |
boolean
|
installKeyPair(ComponentName admin, PrivateKey privKey, Certificate[] certs, String alias, int flags)
Called by a device or profile owner, or delegated certificate installer, to install a certificate chain and corresponding private key for the leaf certificate. |
boolean
|
installKeyPair(ComponentName admin, PrivateKey privKey, Certificate[] certs, String alias, boolean requestAccess)
Called by a device or profile owner, or delegated certificate installer, to install a certificate chain and corresponding private key for the leaf certificate. |
boolean
|
installKeyPair(ComponentName admin, PrivateKey privKey, Certificate cert, String alias)
Called by a device or profile owner, or delegated certificate installer, to install a certificate and corresponding private key. |
boolean
|
isActivePasswordSufficient()
Determine whether the current password the user has set is sufficient to meet the policy requirements (e.g. |
boolean
|
isAdminActive(ComponentName admin)
Return true if the given administrator component is currently active (enabled) in the system. |
boolean
|
isAffiliatedUser()
Returns whether this user/profile is affiliated with the device. |
boolean
|
isApplicationHidden(ComponentName admin, String packageName)
Determine if a package is hidden. |
boolean
|
isBackupServiceEnabled(ComponentName admin)
Return whether the backup service is enabled by the device owner. |
boolean
|
isCallerApplicationRestrictionsManagingPackage()
This method was deprecated
in API level 26.
From |
boolean
|
isDeviceIdAttestationSupported()
Returns |
boolean
|
isDeviceOwnerApp(String packageName)
Used to determine if a particular package has been registered as a Device Owner app. |
boolean
|
isEphemeralUser(ComponentName admin)
Checks if the profile owner is running in an ephemeral user. |
boolean
|
isLockTaskPermitted(String pkg)
This function lets the caller know whether the given component is allowed to start the lock task mode. |
boolean
|
isLogoutEnabled()
Returns whether logout is enabled by a device owner. |
boolean
|
isManagedProfile(ComponentName admin)
Return if this user is a managed profile of another user. |
boolean
|
isMasterVolumeMuted(ComponentName admin)
Called by profile or device owners to check whether the master volume mute is on or off. |
boolean
|
isNetworkLoggingEnabled(ComponentName admin)
Return whether network logging is enabled by a device owner. |
boolean
|
isOverrideApnEnabled(ComponentName admin)
Called by device owner to check if override APNs are currently enabled. |
boolean
|
isPackageSuspended(ComponentName admin, String packageName)
Determine if a package is suspended. |
boolean
|
isProfileOwnerApp(String packageName)
Used to determine if a particular package is registered as the profile owner for the user. |
boolean
|
isProvisioningAllowed(String action)
Returns whether it is possible for the caller to initiate provisioning of a managed profile or device, setting itself as the device or profile owner. |
boolean
|
isResetPasswordTokenActive(ComponentName admin)
Called by a profile or device owner to check if the current reset password token is active. |
boolean
|
isSecurityLoggingEnabled(ComponentName admin)
Return whether security logging is enabled or not by the device owner. |
boolean
|
isUninstallBlocked(ComponentName admin, String packageName)
Check whether the user has been blocked by device policy from uninstalling a package. |
boolean
|
isUsingUnifiedPassword(ComponentName admin)
When called by a profile owner of a managed profile returns true if the profile uses unified challenge with its parent user. |
void
|
lockNow()
Make the device lock immediately, as if the lock screen timeout has expired at the point of this call. |
void
|
lockNow(int flags)
Make the device lock immediately, as if the lock screen timeout has expired at the point of this call. |
int
|
logoutUser(ComponentName admin)
Called by a profile owner of secondary user that is affiliated with the device to stop the calling user and switch back to primary. |
void
|
reboot(ComponentName admin)
Called by device owner to reboot the device. |
void
|
removeActiveAdmin(ComponentName admin)
Remove a current administration component. |
boolean
|
removeCrossProfileWidgetProvider(ComponentName admin, String packageName)
Called by the profile owner of a managed profile to disable widget providers from a given package to be available in the parent profile. |
boolean
|
removeKeyPair(ComponentName admin, String alias)
Called by a device or profile owner, or delegated certificate installer, to remove a certificate and private key pair installed under a given alias. |
boolean
|
removeOverrideApn(ComponentName admin, int apnId)
Called by device owner to remove an override APN. |
boolean
|
removeUser(ComponentName admin, UserHandle userHandle)
Called by a device owner to remove a user/profile and all associated data. |
boolean
|
requestBugreport(ComponentName admin)
Called by a device owner to request a bugreport. |
boolean
|
resetPassword(String password, int flags)
Force a new password for device unlock (the password needed to access the entire device) or the work profile challenge on the current user. |
boolean
|
resetPasswordWithToken(ComponentName admin, String password, byte[] token, int flags)
Called by device or profile owner to force set a new device unlock password or a managed profile challenge on current user. |
List<NetworkEvent>
|
retrieveNetworkLogs(ComponentName admin, long batchToken)
Called by device owner to retrieve the most recent batch of network logging events. |
List<SecurityLog.SecurityEvent>
|
retrievePreRebootSecurityLogs(ComponentName admin)
Called by device owners to retrieve device logs from before the device's last reboot. |
List<SecurityLog.SecurityEvent>
|
retrieveSecurityLogs(ComponentName admin)
Called by device owner to retrieve all new security logging entries since the last call to this API after device boots. |
void
|
setAccountManagementDisabled(ComponentName admin, String accountType, boolean disabled)
Called by a device owner or profile owner to disable account management for a specific type of account. |
void
|
setAffiliationIds(ComponentName admin, Set<String> ids)
Indicates the entity that controls the device or profile owner. |
void
|
setAlwaysOnVpnPackage(ComponentName admin, String vpnPackage, boolean lockdownEnabled)
Called by a device or profile owner to configure an always-on VPN connection through a specific application for the current user. |
boolean
|
setApplicationHidden(ComponentName admin, String packageName, boolean hidden)
Hide or unhide packages. |
void
|
setApplicationRestrictions(ComponentName admin, String packageName, Bundle settings)
Sets the application restrictions for a given target application running in the calling user. |
void
|
setApplicationRestrictionsManagingPackage(ComponentName admin, String packageName)
This method was deprecated
in API level 26.
From |
void
|
setAutoTimeRequired(ComponentName admin, boolean required)
Called by a device or profile owner to set whether auto time is required. |
void
|
setBackupServiceEnabled(ComponentName admin, boolean enabled)
Allows the device owner to enable or disable the backup service. |
void
|
setBluetoothContactSharingDisabled(ComponentName admin, boolean disabled)
Called by a profile owner of a managed profile to set whether bluetooth devices can access enterprise contacts. |
void
|
setCameraDisabled(ComponentName admin, boolean disabled)
Called by an application that is administering the device to disable all cameras on the device, for this user. |
void
|
setCertInstallerPackage(ComponentName admin, String installerPackage)
This method was deprecated
in API level 26.
From |
void
|
setCrossProfileCallerIdDisabled(ComponentName admin, boolean disabled)
Called by a profile owner of a managed profile to set whether caller-Id information from the managed profile will be shown in the parent profile, for incoming calls. |
void
|
setCrossProfileContactsSearchDisabled(ComponentName admin, boolean disabled)
Called by a profile owner of a managed profile to set whether contacts search from the managed profile will be shown in the parent profile, for incoming calls. |
void
|
setDelegatedScopes(ComponentName admin, String delegatePackage, List<String> scopes)
Called by a profile owner or device owner to grant access to privileged APIs to another app. |
void
|
setDeviceOwnerLockScreenInfo(ComponentName admin, CharSequence info)
Sets the device owner information to be shown on the lock screen. |
void
|
setEndUserSessionMessage(ComponentName admin, CharSequence endUserSessionMessage)
Called by a device owner to specify the user session end message. |
void
|
setGlobalSetting(ComponentName admin, String setting, String value)
Called by device owner to update |
void
|
setKeepUninstalledPackages(ComponentName admin, List<String> packageNames)
Set a list of apps to keep around as APKs even if no user has currently installed it. |
boolean
|
setKeyPairCertificate(ComponentName admin, String alias, List<Certificate> certs, boolean isUserSelectable)
Called by a device or profile owner, or delegated certificate installer, to associate
certificates with a key pair that was generated using |
boolean
|
setKeyguardDisabled(ComponentName admin, boolean disabled)
Called by a device owner or profile owner of secondary users that is affiliated with the device to disable the keyguard altogether. |
void
|
setKeyguardDisabledFeatures(ComponentName admin, int which)
Called by an application that is administering the device to disable keyguard customizations, such as widgets. |
void
|
setLockTaskFeatures(ComponentName admin, int flags)
Sets which system features are enabled when the device runs in lock task mode. |
void
|
setLockTaskPackages(ComponentName admin, String[] packages)
Sets which packages may enter lock task mode. |
void
|
setLogoutEnabled(ComponentName admin, boolean enabled)
Called by a device owner to specify whether logout is enabled for all secondary users. |
void
|
setLongSupportMessage(ComponentName admin, CharSequence message)
Called by a device admin to set the long support message. |
void
|
setMasterVolumeMuted(ComponentName admin, boolean on)
Called by profile or device owners to set the master volume mute on or off. |
void
|
setMaximumFailedPasswordsForWipe(ComponentName admin, int num)
Setting this to a value greater than zero enables a built-in policy that will perform a device or profile wipe after too many incorrect device-unlock passwords have been entered. |
void
|
setMaximumTimeToLock(ComponentName admin, long timeMs)
Called by an application that is administering the device to set the maximum time for user activity until the device will lock. |
List<String>
|
setMeteredDataDisabledPackages(ComponentName admin, List<String> packageNames)
Called by a device or profile owner to restrict packages from using metered data. |
void
|
setNetworkLoggingEnabled(ComponentName admin, boolean enabled)
Called by a device owner to control the network logging feature. |
void
|
setOrganizationColor(ComponentName admin, int color)
Called by a profile owner of a managed profile to set the color used for customization. |
void
|
setOrganizationName(ComponentName admin, CharSequence title)
Called by the device owner (since API 26) or profile owner (since API 24) to set the name of the organization under management. |
void
|
setOverrideApnsEnabled(ComponentName admin, boolean enabled)
Called by device owner to set if override APNs should be enabled. |
String[]
|
setPackagesSuspended(ComponentName admin, String[] packageNames, boolean suspended)
Called by device or profile owners to suspend packages for this user. |
void
|
setPasswordExpirationTimeout(ComponentName admin, long timeout)
Called by a device admin to set the password expiration timeout. |
void
|
setPasswordHistoryLength(ComponentName admin, int length)
Called by an application that is administering the device to set the length of the password history. |
void
|
setPasswordMinimumLength(ComponentName admin, int length)
Called by an application that is administering the device to set the minimum allowed password length. |
void
|
setPasswordMinimumLetters(ComponentName admin, int length)
Called by an application that is administering the device to set the minimum number of letters required in the password. |
void
|
setPasswordMinimumLowerCase(ComponentName admin, int length)
Called by an application that is administering the device to set the minimum number of lower case letters required in the password. |
void
|
setPasswordMinimumNonLetter(ComponentName admin, int length)
Called by an application that is administering the device to set the minimum number of non-letter characters (numerical digits or symbols) required in the password. |
void
|
setPasswordMinimumNumeric(ComponentName admin, int length)
Called by an application that is administering the device to set the minimum number of numerical digits required in the password. |
void
|
setPasswordMinimumSymbols(ComponentName admin, int length)
Called by an application that is administering the device to set the minimum number of symbols required in the password. |
void
|
setPasswordMinimumUpperCase(ComponentName admin, int length)
Called by an application that is administering the device to set the minimum number of upper case letters required in the password. |
void
|
setPasswordQuality(ComponentName admin, int quality)
Called by an application that is administering the device to set the password restrictions it is imposing. |
boolean
|
setPermissionGrantState(ComponentName admin, String packageName, String permission, int grantState)
Sets the grant state of a runtime permission for a specific application. |
void
|
setPermissionPolicy(ComponentName admin, int policy)
Set the default response for future runtime permission requests by applications. |
boolean
|
setPermittedAccessibilityServices(ComponentName admin, List<String> packageNames)
Called by a profile or device owner to set the permitted
|
boolean
|
setPermittedCrossProfileNotificationListeners(ComponentName admin, List<String> packageList)
Called by a profile owner of a managed profile to set the packages that are allowed to use
a |
boolean
|
setPermittedInputMethods(ComponentName admin, List<String> packageNames)
Called by a profile or device owner to set the permitted input methods services. |
void
|
setProfileEnabled(ComponentName admin)
Sets the enabled state of the profile. |
void
|
setProfileName(ComponentName admin, String profileName)
Sets the name of the profile. |
void
|
setRecommendedGlobalProxy(ComponentName admin, ProxyInfo proxyInfo)
Set a network-independent global HTTP proxy. |
void
|
setRequiredStrongAuthTimeout(ComponentName admin, long timeoutMs)
Called by a device/profile owner to set the timeout after which unlocking with secondary, non strong auth (e.g. |
boolean
|
setResetPasswordToken(ComponentName admin, byte[] token)
Called by a profile or device owner to provision a token which can later be used to reset the
device lockscreen password (if called by device owner), or managed profile challenge (if
called by profile owner), via |
void
|
setRestrictionsProvider(ComponentName admin, ComponentName provider)
Designates a specific service component as the provider for making permission requests of a local or remote administrator of the user. |
void
|
setScreenCaptureDisabled(ComponentName admin, boolean disabled)
Called by a device/profile owner to set whether the screen capture is disabled. |
void
|
setSecureSetting(ComponentName admin, String setting, String value)
Called by profile or device owners to update |
void
|
setSecurityLoggingEnabled(ComponentName admin, boolean enabled)
Called by device owner to control the security logging feature. |
void
|
setShortSupportMessage(ComponentName admin, CharSequence message)
Called by a device admin to set the short support message. |
void
|
setStartUserSessionMessage(ComponentName admin, CharSequence startUserSessionMessage)
Called by a device owner to specify the user session start message. |
boolean
|
setStatusBarDisabled(ComponentName admin, boolean disabled)
Called by device owner or profile owner of secondary users that is affiliated with the device to disable the status bar. |
int
|
setStorageEncryption(ComponentName admin, boolean encrypt)
Called by an application that is administering the device to request that the storage system be encrypted. |
void
|
setSystemSetting(ComponentName admin, String setting, String value)
Called by a device or profile owner to update |
void
|
setSystemUpdatePolicy(ComponentName admin, SystemUpdatePolicy policy)
Called by device owners to set a local system update policy. |
boolean
|
setTime(ComponentName admin, long millis)
Called by device owner to set the system wall clock time. |
boolean
|
setTimeZone(ComponentName admin, String timeZone)
Called by device owner to set the system's persistent default time zone. |
void
|
setTrustAgentConfiguration(ComponentName admin, ComponentName target, PersistableBundle configuration)
Sets a list of configuration features to enable for a trust agent component. |
void
|
setUninstallBlocked(ComponentName admin, String packageName, boolean uninstallBlocked)
Change whether a user can uninstall a package. |
void
|
setUserIcon(ComponentName admin, Bitmap icon)
Called by profile or device owners to set the user's photo. |
int
|
startUserInBackground(ComponentName admin, UserHandle userHandle)
Called by a device owner to start the specified secondary user in background. |
int
|
stopUser(ComponentName admin, UserHandle userHandle)
Called by a device owner to stop the specified secondary user. |
boolean
|
switchUser(ComponentName admin, UserHandle userHandle)
Called by a device owner to switch the specified secondary user to the foreground. |
void
|
transferOwnership(ComponentName admin, ComponentName target, PersistableBundle bundle)
Changes the current administrator to another one. |
void
|
uninstallAllUserCaCerts(ComponentName admin)
Uninstalls all custom trusted CA certificates from the profile. |
void
|
uninstallCaCert(ComponentName admin, byte[] certBuffer)
Uninstalls the given certificate from trusted user CAs, if present. |
boolean
|
updateOverrideApn(ComponentName admin, int apnId, ApnSetting apnSetting)
Called by device owner to update an override APN. |
void
|
wipeData(int flags, CharSequence reason)
Ask that all user data be wiped. |
void
|
wipeData(int flags)
Ask that all user data be wiped. |
Inherited methods | |
---|---|
Constants
ACTION_ADD_DEVICE_ADMIN
public static final String ACTION_ADD_DEVICE_ADMIN
Activity action: ask the user to add a new device administrator to the system.
The desired policy is the ComponentName of the policy in the
EXTRA_DEVICE_ADMIN
extra field. This will invoke a UI to
bring the user through adding the device administrator to the system (or
allowing them to reject it).
You can optionally include the EXTRA_ADD_EXPLANATION
field to provide the user with additional explanation (in addition
to your component's description) about what is being added.
If your administrator is already active, this will ordinarily return immediately (without user intervention). However, if your administrator has been updated and is requesting additional uses-policy flags, the user will be presented with the new list. New policies will not be available to the updated administrator until the user has accepted the new list.
Constant Value: "android.app.action.ADD_DEVICE_ADMIN"
ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED
public static final String ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED
Broadcast Action: Sent after application delegation scopes are changed. The new delegation
scopes will be sent in an ArrayList<String>
extra identified by the
EXTRA_DELEGATION_SCOPES
key.
Note: This is a protected intent that can only be sent by the system.
Constant Value: "android.app.action.APPLICATION_DELEGATION_SCOPES_CHANGED"
ACTION_DEVICE_ADMIN_SERVICE
public static final String ACTION_DEVICE_ADMIN_SERVICE
Service action: Action for a service that device owner and profile owner can optionally
own. If a device owner or a profile owner has such a service, the system tries to keep
a bound connection to it, in order to keep their process always running.
The service must be protected with the Manifest.permission.BIND_DEVICE_ADMIN
permission.
Constant Value: "android.app.action.DEVICE_ADMIN_SERVICE"
ACTION_DEVICE_OWNER_CHANGED
public static final String ACTION_DEVICE_OWNER_CHANGED
Broadcast action: sent when the device owner is set, changed or cleared. This broadcast is sent only to the primary user.
See also:
Constant Value: "android.app.action.DEVICE_OWNER_CHANGED"
ACTION_MANAGED_PROFILE_PROVISIONED
public static final String ACTION_MANAGED_PROFILE_PROVISIONED
Broadcast Action: This broadcast is sent to indicate that provisioning of a managed profile has completed successfully.
The broadcast is limited to the primary profile, to the app specified in the provisioning
intent with action ACTION_PROVISION_MANAGED_PROFILE
.
This intent will contain the following extras
Intent.EXTRA_USER
, corresponds to theUserHandle
of the managed profile.EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
, corresponds to the account requested to be migrated at provisioning time, if any.
Constant Value: "android.app.action.MANAGED_PROFILE_PROVISIONED"
ACTION_PROFILE_OWNER_CHANGED
public static final String ACTION_PROFILE_OWNER_CHANGED
Broadcast action: sent when the profile owner is set, changed or cleared. This broadcast is sent only to the user managed by the new profile owner.
Constant Value: "android.app.action.PROFILE_OWNER_CHANGED"
ACTION_PROVISIONING_SUCCESSFUL
public static final String ACTION_PROVISIONING_SUCCESSFUL
Activity action: This activity action is sent to indicate that provisioning of a managed
profile or managed device has completed successfully. It'll be sent at the same time as
DeviceAdminReceiver.ACTION_PROFILE_PROVISIONING_COMPLETE
broadcast but this will be
delivered faster as it's an activity intent.
The intent is only sent to the new device or profile owner.
Constant Value: "android.app.action.PROVISIONING_SUCCESSFUL"
ACTION_PROVISION_MANAGED_DEVICE
public static final String ACTION_PROVISION_MANAGED_DEVICE
Activity action: Starts the provisioning flow which sets up a managed device.
Must be started with Activity.startActivityForResult(Intent, int)
.
During device owner provisioning a device admin app is set as the owner of the device. A device owner has full control over the device. The device owner can not be modified by the user.
A typical use case would be a device that is owned by a company, but used by either an employee or client.
An intent with this action can be sent only on an unprovisioned device.
It is possible to check if provisioning is allowed or not by querying the method
isProvisioningAllowed(String)
.
The intent contains the following extras:
EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
EXTRA_PROVISIONING_SKIP_ENCRYPTION
, optionalEXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
, optionalEXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
, optionalEXTRA_PROVISIONING_LOGO_URI
, optionalEXTRA_PROVISIONING_MAIN_COLOR
, optionalEXTRA_PROVISIONING_DISCLAIMERS
, optional
When device owner provisioning has completed, an intent of the type
DeviceAdminReceiver.ACTION_PROFILE_PROVISIONING_COMPLETE
is broadcast to the
device owner.
From version Build.VERSION_CODES.O
, when device owner provisioning has
completed, along with the above broadcast, activity intent
ACTION_PROVISIONING_SUCCESSFUL
will also be sent to the device owner.
If provisioning fails, the device is factory reset.
A result code of Activity.RESULT_OK
implies that the synchronous part
of the provisioning flow was successful, although this doesn't guarantee the full flow will
succeed. Conversely a result code of Activity.RESULT_CANCELED
implies
that the user backed-out of provisioning, or some precondition for provisioning wasn't met.
Constant Value: "android.app.action.PROVISION_MANAGED_DEVICE"
ACTION_PROVISION_MANAGED_PROFILE
public static final String ACTION_PROVISION_MANAGED_PROFILE
Activity action: Starts the provisioning flow which sets up a managed profile.
A managed profile allows data separation for example for the usage of a device as a personal and corporate device. The user which provisioning is started from and the managed profile share a launcher.
This intent will typically be sent by a mobile device management application (MDM). Provisioning adds a managed profile and sets the MDM as the profile owner who has full control over the profile.
It is possible to check if provisioning is allowed or not by querying the method
isProvisioningAllowed(String)
.
In version Build.VERSION_CODES.LOLLIPOP
, this intent must contain the
extra EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
.
As of Build.VERSION_CODES.M
, it should contain the extra
EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
instead, although specifying only
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
is still supported.
The intent may also contain the following extras:
EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
, optionalEXTRA_PROVISIONING_SKIP_ENCRYPTION
, optional, supported fromBuild.VERSION_CODES.N
EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
, optionalEXTRA_PROVISIONING_LOGO_URI
, optionalEXTRA_PROVISIONING_MAIN_COLOR
, optionalEXTRA_PROVISIONING_SKIP_USER_CONSENT
, optionalEXTRA_PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION
, optionalEXTRA_PROVISIONING_DISCLAIMERS
, optional
When managed provisioning has completed, broadcasts are sent to the application specified
in the provisioning intent. The
DeviceAdminReceiver.ACTION_PROFILE_PROVISIONING_COMPLETE
broadcast is sent in the
managed profile and the ACTION_MANAGED_PROFILE_PROVISIONED
broadcast is sent in
the primary profile.
From version Build.VERSION_CODES.O
, when managed provisioning has
completed, along with the above broadcast, activity intent
ACTION_PROVISIONING_SUCCESSFUL
will also be sent to the profile owner.
If provisioning fails, the managedProfile is removed so the device returns to its previous state.
If launched with Activity.startActivityForResult(Intent, int)
a
result code of Activity.RESULT_OK
implies that the synchronous part of
the provisioning flow was successful, although this doesn't guarantee the full flow will
succeed. Conversely a result code of Activity.RESULT_CANCELED
implies
that the user backed-out of provisioning, or some precondition for provisioning wasn't met.
Constant Value: "android.app.action.PROVISION_MANAGED_PROFILE"
ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
public static final String ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
Activity action: have the user enter a new password for the parent profile.
If the intent is launched from within a managed profile, this will trigger
entering a new password for the parent of the profile. In all other cases
the behaviour is identical to ACTION_SET_NEW_PASSWORD
.
Constant Value: "android.app.action.SET_NEW_PARENT_PROFILE_PASSWORD"
ACTION_SET_NEW_PASSWORD
public static final String ACTION_SET_NEW_PASSWORD
Activity action: have the user enter a new password. This activity should
be launched after using setPasswordQuality(ComponentName, int)
,
or setPasswordMinimumLength(ComponentName, int)
to have the user
enter a new password that meets the current requirements. You can use
isActivePasswordSufficient()
to determine whether you need to
have the user select a new password in order to meet the current
constraints. Upon being resumed from this activity, you can check the new
password characteristics to see if they are sufficient.
If the intent is launched from within a managed profile with a profile
owner built against Build.VERSION_CODES.M
or before,
this will trigger entering a new password for the parent of the profile.
For all other cases it will trigger entering a new password for the user
or profile it is launched from.
See also:
Constant Value: "android.app.action.SET_NEW_PASSWORD"
ACTION_START_ENCRYPTION
public static final String ACTION_START_ENCRYPTION
Activity action: begin the process of encrypting data on the device. This activity should
be launched after using setStorageEncryption(ComponentName, boolean)
to request encryption be activated.
After resuming from this activity, use getStorageEncryption(ComponentName)
to check encryption status. However, on some devices this activity may never return, as
it may trigger a reboot and in some cases a complete data wipe of the device.
Constant Value: "android.app.action.START_ENCRYPTION"
ACTION_SYSTEM_UPDATE_POLICY_CHANGED
public static final String ACTION_SYSTEM_UPDATE_POLICY_CHANGED
Broadcast action: notify that a new local system update policy has been set by the device
owner. The new policy can be retrieved by getSystemUpdatePolicy()
.
Constant Value: "android.app.action.SYSTEM_UPDATE_POLICY_CHANGED"
DELEGATION_APP_RESTRICTIONS
public static final String DELEGATION_APP_RESTRICTIONS
Delegation of application restrictions management. This scope grants access to the
setApplicationRestrictions(ComponentName, String, Bundle)
and getApplicationRestrictions(ComponentName, String)
APIs.
Constant Value: "delegation-app-restrictions"
DELEGATION_BLOCK_UNINSTALL
public static final String DELEGATION_BLOCK_UNINSTALL
Delegation of application uninstall block. This scope grants access to the
setUninstallBlocked(ComponentName, String, boolean)
API.
Constant Value: "delegation-block-uninstall"
DELEGATION_CERT_INSTALL
public static final String DELEGATION_CERT_INSTALL
Delegation of certificate installation and management. This scope grants access to the
getInstalledCaCerts(ComponentName)
, hasCaCertInstalled(ComponentName, byte[])
, installCaCert(ComponentName, byte[])
,
uninstallCaCert(ComponentName, byte[])
, uninstallAllUserCaCerts(ComponentName)
and installKeyPair(ComponentName, PrivateKey, Certificate, String)
APIs.
Constant Value: "delegation-cert-install"
DELEGATION_ENABLE_SYSTEM_APP
public static final String DELEGATION_ENABLE_SYSTEM_APP
Delegation for enabling system apps. This scope grants access to the enableSystemApp(ComponentName, Intent)
API.
Constant Value: "delegation-enable-system-app"
DELEGATION_INSTALL_EXISTING_PACKAGE
public static final String DELEGATION_INSTALL_EXISTING_PACKAGE
Delegation for installing existing packages. This scope grants access to the
installExistingPackage(ComponentName, String)
API.
Constant Value: "delegation-install-existing-package"
DELEGATION_KEEP_UNINSTALLED_PACKAGES
public static final String DELEGATION_KEEP_UNINSTALLED_PACKAGES
Delegation of management of uninstalled packages. This scope grants access to the
#setKeepUninstalledPackages
and #getKeepUninstalledPackages
APIs.
Constant Value: "delegation-keep-uninstalled-packages"
DELEGATION_PACKAGE_ACCESS
public static final String DELEGATION_PACKAGE_ACCESS
Delegation of package access state. This scope grants access to the
isApplicationHidden(ComponentName, String)
, setApplicationHidden(ComponentName, String, boolean)
, isPackageSuspended(ComponentName, String)
, and
setPackagesSuspended(ComponentName, String[], boolean)
APIs.
Constant Value: "delegation-package-access"
DELEGATION_PERMISSION_GRANT
public static final String DELEGATION_PERMISSION_GRANT
Delegation of permission policy and permission grant state. This scope grants access to the
setPermissionPolicy(ComponentName, int)
, getPermissionGrantState(ComponentName, String, String)
,
and setPermissionGrantState(ComponentName, String, String, int)
APIs.
Constant Value: "delegation-permission-grant"
ENCRYPTION_STATUS_ACTIVATING
public static final int ENCRYPTION_STATUS_ACTIVATING
Result code for getStorageEncryptionStatus()
:
indicating that encryption is not currently active, but is currently
being activated. This is only reported by devices that support
encryption of data and only when the storage is currently
undergoing a process of becoming encrypted. A device that must reboot and/or wipe data
to become encrypted will never return this value.
Constant Value: 2 (0x00000002)
ENCRYPTION_STATUS_ACTIVE
public static final int ENCRYPTION_STATUS_ACTIVE
Result code for setStorageEncryption(ComponentName, boolean)
and getStorageEncryptionStatus()
:
indicating that encryption is active.
Also see ENCRYPTION_STATUS_ACTIVE_PER_USER
.
Constant Value: 3 (0x00000003)
ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY
public static final int ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY
Result code for getStorageEncryptionStatus()
:
indicating that encryption is active, but an encryption key has not
been set by the user.
Constant Value: 4 (0x00000004)
ENCRYPTION_STATUS_ACTIVE_PER_USER
public static final int ENCRYPTION_STATUS_ACTIVE_PER_USER
Result code for getStorageEncryptionStatus()
:
indicating that encryption is active and the encryption key is tied to the user or profile.
This value is only returned to apps targeting API level 24 and above. For apps targeting
earlier API levels, ENCRYPTION_STATUS_ACTIVE
is returned, even if the
encryption key is specific to the user or profile.
Constant Value: 5 (0x00000005)
ENCRYPTION_STATUS_INACTIVE
public static final int ENCRYPTION_STATUS_INACTIVE
Result code for setStorageEncryption(ComponentName, boolean)
and getStorageEncryptionStatus()
:
indicating that encryption is supported, but is not currently active.
Constant Value: 1 (0x00000001)
ENCRYPTION_STATUS_UNSUPPORTED
public static final int ENCRYPTION_STATUS_UNSUPPORTED
Result code for setStorageEncryption(ComponentName, boolean)
and getStorageEncryptionStatus()
:
indicating that encryption is not supported.
Constant Value: 0 (0x00000000)
EXTRA_ADD_EXPLANATION
public static final String EXTRA_ADD_EXPLANATION
An optional CharSequence providing additional explanation for why the admin is being added.
See also:
Constant Value: "android.app.extra.ADD_EXPLANATION"
EXTRA_DELEGATION_SCOPES
public static final String EXTRA_DELEGATION_SCOPES
An ArrayList<String>
corresponding to the delegation scopes given to an app in the
ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED
broadcast.
Constant Value: "android.app.extra.DELEGATION_SCOPES"
EXTRA_DEVICE_ADMIN
public static final String EXTRA_DEVICE_ADMIN
The ComponentName of the administrator component.
See also:
Constant Value: "android.app.extra.DEVICE_ADMIN"
EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
public static final String EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
An Account
extra holding the account to migrate during managed
profile provisioning. If the account supplied is present in the primary user, it will be
copied, along with its credentials to the managed profile and removed from the primary user.
Use with ACTION_PROVISION_MANAGED_PROFILE
.
Constant Value: "android.app.extra.PROVISIONING_ACCOUNT_TO_MIGRATE"
EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
public static final String EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
A Parcelable
extra of type PersistableBundle
that
allows a mobile device management application or NFC programmer application which starts
managed provisioning to pass data to the management application instance after provisioning.
If used with ACTION_PROVISION_MANAGED_PROFILE
it can be used by the application that
sends the intent to pass data to itself on the newly created profile.
If used with ACTION_PROVISION_MANAGED_DEVICE
it allows passing data to the same
instance of the app on the primary user.
Starting from Build.VERSION_CODES.M
, if used with
MIME_TYPE_PROVISIONING_NFC
as part of NFC managed device provisioning, the NFC
message should contain a stringified Properties
instance, whose string
properties will be converted into a PersistableBundle
and passed to the
management application after provisioning.
In both cases the application receives the data in
DeviceAdminReceiver.onProfileProvisioningComplete(Context, Intent)
via an intent with the action
DeviceAdminReceiver.ACTION_PROFILE_PROVISIONING_COMPLETE
. The bundle is not changed
during the managed provisioning.
Constant Value: "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
A ComponentName extra indicating the device admin receiver of the mobile device management application that will be set as the profile owner or device owner and active admin.
If an application starts provisioning directly via an intent with action
ACTION_PROVISION_MANAGED_PROFILE
or
ACTION_PROVISION_MANAGED_DEVICE
the package name of this
component has to match the package name of the application that started provisioning.
This component is set as device owner and active admin when device owner provisioning is
started by an intent with action ACTION_PROVISION_MANAGED_DEVICE
or by an NFC
message containing an NFC record with MIME type
MIME_TYPE_PROVISIONING_NFC
. For the NFC record, the component name must be
flattened to a string, via ComponentName.flattenToShortString()
.
See also:
Constant Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
EXTRA_PROVISIONING_DEVICE_ADMIN_MINIMUM_VERSION_CODE
public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_MINIMUM_VERSION_CODE
An int extra holding a minimum required version code for the device admin package. If the
device admin is already installed on the device, it will only be re-downloaded from
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
if the version of the
installed package is less than this version code.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_MINIMUM_VERSION_CODE"
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
A String extra holding the URL-safe base64 encoded SHA-256 or SHA-1 hash (see notes below) of
the file at download location specified in
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
.
Either this extra or EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
must be
present. The provided checksum must match the checksum of the file at the download
location. If the checksum doesn't match an error will be shown to the user and the user will
be asked to factory reset the device.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Note: for devices running Build.VERSION_CODES.LOLLIPOP
and Build.VERSION_CODES.LOLLIPOP_MR1
only SHA-1 hash is supported.
Starting from Build.VERSION_CODES.M
, this parameter accepts SHA-256 in
addition to SHA-1. Support for SHA-1 is likely to be removed in future OS releases.
Constant Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
A String extra holding a http cookie header which should be used in the http request to the
url specified in EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER"
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
A String extra holding a url that specifies the download location of the device admin package. When not provided it is assumed that the device admin package is already installed.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
This constant was deprecated
in API level 23.
Use EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
. This extra is still
supported, but only if there is only one device admin receiver in the package that requires
the permission Manifest.permission.BIND_DEVICE_ADMIN
.
A String extra holding the package name of the mobile device management application that will be set as the profile owner or device owner.
If an application starts provisioning directly via an intent with action
ACTION_PROVISION_MANAGED_PROFILE
this package has to match the package name of the
application that started provisioning. The package will be set as profile owner in that case.
This package is set as device owner when device owner provisioning is started by an NFC
message containing an NFC record with MIME type MIME_TYPE_PROVISIONING_NFC
.
When this extra is set, the application must have exactly one device admin receiver. This receiver will be set as the profile or device owner and active admin.
See also:
Constant Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME"
EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
A String extra holding the URL-safe base64 encoded SHA-256 checksum of any signature of the
android package archive at the download location specified in EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
.
The signatures of an android package archive can be obtained using
PackageManager.getPackageArchiveInfo(String, int)
with flag
PackageManager.GET_SIGNATURES
.
Either this extra or EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
must be
present. The provided checksum must match the checksum of any signature of the file at
the download location. If the checksum does not match an error will be shown to the user and
the user will be asked to factory reset the device.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
EXTRA_PROVISIONING_DISCLAIMERS
public static final String EXTRA_PROVISIONING_DISCLAIMERS
A Bundle
[] extra consisting of list of disclaimer headers and disclaimer contents.
Each Bundle
must have both EXTRA_PROVISIONING_DISCLAIMER_HEADER
as disclaimer header, and EXTRA_PROVISIONING_DISCLAIMER_CONTENT
as disclaimer
content.
The extra typically contains one disclaimer from the company of mobile device management application (MDM), and one disclaimer from the organization.
Call Bundle.putParcelableArray(String, Parcelable[])
to put the Bundle
[]
Maximum 3 key-value pairs can be specified. The rest will be ignored.
Use in an intent with action ACTION_PROVISION_MANAGED_PROFILE
or
ACTION_PROVISION_MANAGED_DEVICE
Constant Value: "android.app.extra.PROVISIONING_DISCLAIMERS"
EXTRA_PROVISIONING_DISCLAIMER_CONTENT
public static final String EXTRA_PROVISIONING_DISCLAIMER_CONTENT
A Uri
extra pointing to disclaimer content.
The following URI schemes are accepted:
- content (
ContentResolver.SCHEME_CONTENT
) - android.resource (
ContentResolver.SCHEME_ANDROID_RESOURCE
)
Styled text is supported in the disclaimer content. The content is parsed by
Html.fromHtml(String)
and displayed in a
TextView
.
If a content:
URI is passed, URI is passed, the intent should have the flag
Intent.FLAG_GRANT_READ_URI_PERMISSION
and the uri should be added to the
ClipData
of the intent too.
Use in Bundle EXTRA_PROVISIONING_DISCLAIMERS
System app, i.e. application with ApplicationInfo.FLAG_SYSTEM
, can also insert a
disclaimer by declaring an application-level meta-data in AndroidManifest.xml
.
Must use it with EXTRA_PROVISIONING_DISCLAIMER_HEADER
. Here is the example:
<meta-data android:name="android.app.extra.PROVISIONING_DISCLAIMER_CONTENT" android:resource="@string/disclaimer_content" />
Constant Value: "android.app.extra.PROVISIONING_DISCLAIMER_CONTENT"
EXTRA_PROVISIONING_DISCLAIMER_HEADER
public static final String EXTRA_PROVISIONING_DISCLAIMER_HEADER
A String extra of localized disclaimer header.
The extra is typically the company name of mobile device management application (MDM) or the organization name.
Use in Bundle EXTRA_PROVISIONING_DISCLAIMERS
System app, i.e. application with ApplicationInfo.FLAG_SYSTEM
, can also insert a
disclaimer by declaring an application-level meta-data in AndroidManifest.xml
.
Must use it with EXTRA_PROVISIONING_DISCLAIMER_CONTENT
. Here is the example:
<meta-data android:name="android.app.extra.PROVISIONING_DISCLAIMER_HEADER" android:resource="@string/disclaimer_header" />
Constant Value: "android.app.extra.PROVISIONING_DISCLAIMER_HEADER"
EXTRA_PROVISIONING_EMAIL_ADDRESS
public static final String EXTRA_PROVISIONING_EMAIL_ADDRESS
This constant was deprecated
in API level 26.
From Build.VERSION_CODES.O
, never used while provisioning the
device.
Constant Value: "android.app.extra.PROVISIONING_EMAIL_ADDRESS"
EXTRA_PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION
public static final String EXTRA_PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION
Boolean extra to indicate that the migrated account should be kept. This is used in
conjunction with EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
. If it's set to true
,
the account will not be removed from the primary user after it is migrated to the newly
created user or profile.
Defaults to false
Use with ACTION_PROVISION_MANAGED_PROFILE
and
EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
Constant Value: "android.app.extra.PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION"
EXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
public static final String EXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
A Boolean extra that can be used by the mobile device management application to skip the
disabling of system apps during provisioning when set to true
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
or an intent with action
ACTION_PROVISION_MANAGED_DEVICE
that starts device owner provisioning.
Constant Value: "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"
EXTRA_PROVISIONING_LOCALE
public static final String EXTRA_PROVISIONING_LOCALE
A String extra holding the Locale
that the device will be set to.
Format: xx_yy, where xx is the language code, and yy the country code.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_LOCALE"
EXTRA_PROVISIONING_LOCAL_TIME
public static final String EXTRA_PROVISIONING_LOCAL_TIME
A Long extra holding the wall clock time (in milliseconds) to be set on the device's
AlarmManager
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_LOCAL_TIME"
EXTRA_PROVISIONING_LOGO_URI
public static final String EXTRA_PROVISIONING_LOGO_URI
A Uri
extra pointing to a logo image. This image will be shown during the
provisioning. If this extra is not passed, a default image will be shown.
The following URI schemes are accepted:
- content (
ContentResolver.SCHEME_CONTENT
) - android.resource (
ContentResolver.SCHEME_ANDROID_RESOURCE
)
It is the responsibility of the caller to provide an image with a reasonable pixel density for the device.
If a content: URI is passed, the intent should have the flag
Intent.FLAG_GRANT_READ_URI_PERMISSION
and the uri should be added to the
ClipData
of the intent too.
Use in an intent with action ACTION_PROVISION_MANAGED_PROFILE
or
ACTION_PROVISION_MANAGED_DEVICE
Constant Value: "android.app.extra.PROVISIONING_LOGO_URI"
EXTRA_PROVISIONING_MAIN_COLOR
public static final String EXTRA_PROVISIONING_MAIN_COLOR
A integer extra indicating the predominant color to show during the provisioning.
Refer to Color
for how the color is represented.
Use with ACTION_PROVISION_MANAGED_PROFILE
or
ACTION_PROVISION_MANAGED_DEVICE
.
Constant Value: "android.app.extra.PROVISIONING_MAIN_COLOR"
EXTRA_PROVISIONING_SKIP_ENCRYPTION
public static final String EXTRA_PROVISIONING_SKIP_ENCRYPTION
A boolean extra indicating whether device encryption can be skipped as part of device owner or managed profile provisioning.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
or an intent with action
ACTION_PROVISION_MANAGED_DEVICE
that starts device owner provisioning.
From Build.VERSION_CODES.N
onwards, this is also supported for an
intent with action ACTION_PROVISION_MANAGED_PROFILE
.
Constant Value: "android.app.extra.PROVISIONING_SKIP_ENCRYPTION"
EXTRA_PROVISIONING_SKIP_USER_CONSENT
public static final String EXTRA_PROVISIONING_SKIP_USER_CONSENT
A boolean extra indicating if the user consent steps from the provisioning flow should be
skipped. If unspecified, defaults to false
.
It can only be used by an existing device owner trying to create a managed profile via
ACTION_PROVISION_MANAGED_PROFILE
. Otherwise it is ignored.
Constant Value: "android.app.extra.PROVISIONING_SKIP_USER_CONSENT"
EXTRA_PROVISIONING_TIME_ZONE
public static final String EXTRA_PROVISIONING_TIME_ZONE
A String extra holding the time zone AlarmManager
that the device
will be set to.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_TIME_ZONE"
EXTRA_PROVISIONING_WIFI_HIDDEN
public static final String EXTRA_PROVISIONING_WIFI_HIDDEN
A boolean extra indicating whether the wifi network in EXTRA_PROVISIONING_WIFI_SSID
is hidden or not.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_WIFI_HIDDEN"
EXTRA_PROVISIONING_WIFI_PAC_URL
public static final String EXTRA_PROVISIONING_WIFI_PAC_URL
A String extra holding the proxy auto-config (PAC) URL for the wifi network in
EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_WIFI_PAC_URL"
EXTRA_PROVISIONING_WIFI_PASSWORD
public static final String EXTRA_PROVISIONING_WIFI_PASSWORD
A String extra holding the password of the wifi network in
EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_WIFI_PASSWORD"
EXTRA_PROVISIONING_WIFI_PROXY_BYPASS
public static final String EXTRA_PROVISIONING_WIFI_PROXY_BYPASS
A String extra holding the proxy bypass for the wifi network in
EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_WIFI_PROXY_BYPASS"
EXTRA_PROVISIONING_WIFI_PROXY_HOST
public static final String EXTRA_PROVISIONING_WIFI_PROXY_HOST
A String extra holding the proxy host for the wifi network in
EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_WIFI_PROXY_HOST"
EXTRA_PROVISIONING_WIFI_PROXY_PORT
public static final String EXTRA_PROVISIONING_WIFI_PROXY_PORT
An int extra holding the proxy port for the wifi network in
EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_WIFI_PROXY_PORT"
EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
public static final String EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
A String extra indicating the security type of the wifi network in
EXTRA_PROVISIONING_WIFI_SSID
and could be one of NONE
, WPA
or
WEP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"
EXTRA_PROVISIONING_WIFI_SSID
public static final String EXTRA_PROVISIONING_WIFI_SSID
A String extra holding the ssid of the wifi network that should be used during nfc device owner provisioning for downloading the mobile device management application.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump.
Constant Value: "android.app.extra.PROVISIONING_WIFI_SSID"
FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY
public static final int FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY
Flag for lockNow(int)
: also evict the user's credential encryption key from the
keyring. The user's credential will need to be entered again in order to derive the
credential encryption key that will be stored back in the keyring for future use.
This flag can only be used by a profile owner when locking a managed profile when
getStorageEncryptionStatus()
returns ENCRYPTION_STATUS_ACTIVE_PER_USER
.
In order to secure user data, the user will be stopped and restarted so apps should wait until they are next run to perform further actions.
Constant Value: 1 (0x00000001)
FLAG_MANAGED_CAN_ACCESS_PARENT
public static final int FLAG_MANAGED_CAN_ACCESS_PARENT
Flag used by addCrossProfileIntentFilter(ComponentName, IntentFilter, int)
to allow activities in
the managed profile to access intents sent from the parent profile.
That is, when an app in the parent profile calls
Activity.startActivity(Intent)
, the intent can be resolved by a
matching activity in the managed profile.
Constant Value: 2 (0x00000002)
FLAG_PARENT_CAN_ACCESS_MANAGED
public static final int FLAG_PARENT_CAN_ACCESS_MANAGED
Flag used by addCrossProfileIntentFilter(ComponentName, IntentFilter, int)
to allow activities in
the parent profile to access intents sent from the managed profile.
That is, when an app in the managed profile calls
Activity.startActivity(Intent)
, the intent can be resolved by a
matching activity in the parent profile.
Constant Value: 1 (0x00000001)
ID_TYPE_BASE_INFO
public static final int ID_TYPE_BASE_INFO
Specifies that the device should attest its manufacturer details. For use with
generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)
.
Constant Value: 1 (0x00000001)
ID_TYPE_IMEI
public static final int ID_TYPE_IMEI
Specifies that the device should attest its IMEI. For use with generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)
.
Constant Value: 4 (0x00000004)
ID_TYPE_MEID
public static final int ID_TYPE_MEID
Specifies that the device should attest its MEID. For use with generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)
.
Constant Value: 8 (0x00000008)
ID_TYPE_SERIAL
public static final int ID_TYPE_SERIAL
Specifies that the device should attest its serial number. For use with
generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)
.
Constant Value: 2 (0x00000002)
INSTALLKEY_REQUEST_CREDENTIALS_ACCESS
public static final int INSTALLKEY_REQUEST_CREDENTIALS_ACCESS
Specifies that the calling app should be granted access to the installed credentials
immediately. Otherwise, access to the credentials will be gated by user approval.
For use with installKeyPair(ComponentName, PrivateKey, Certificate[], String, int)
Constant Value: 1 (0x00000001)
INSTALLKEY_SET_USER_SELECTABLE
public static final int INSTALLKEY_SET_USER_SELECTABLE
Specifies that a user can select the key via the Certificate Selection prompt.
If this flag is not set when calling installKeyPair(ComponentName, PrivateKey, Certificate, String)
, the key can only be granted
access by implementing DeviceAdminReceiver.onChoosePrivateKeyAlias(Context, Intent, int, Uri, String)
.
For use with installKeyPair(ComponentName, PrivateKey, Certificate[], String, int)
Constant Value: 2 (0x00000002)
KEYGUARD_DISABLE_BIOMETRICS
public static final int KEYGUARD_DISABLE_BIOMETRICS
Disable all biometric authentication on keyguard secure screens (e.g. PIN/Pattern/Password).
Constant Value: 416 (0x000001a0)
KEYGUARD_DISABLE_FACE
public static final int KEYGUARD_DISABLE_FACE
Disable face authentication on keyguard secure screens (e.g. PIN/Pattern/Password).
Constant Value: 128 (0x00000080)
KEYGUARD_DISABLE_FEATURES_ALL
public static final int KEYGUARD_DISABLE_FEATURES_ALL
Disable all current and future keyguard customizations.
Constant Value: 2147483647 (0x7fffffff)
KEYGUARD_DISABLE_FEATURES_NONE
public static final int KEYGUARD_DISABLE_FEATURES_NONE
Widgets are enabled in keyguard
Constant Value: 0 (0x00000000)
KEYGUARD_DISABLE_FINGERPRINT
public static final int KEYGUARD_DISABLE_FINGERPRINT
Disable fingerprint authentication on keyguard secure screens (e.g. PIN/Pattern/Password).
Constant Value: 32 (0x00000020)
KEYGUARD_DISABLE_IRIS
public static final int KEYGUARD_DISABLE_IRIS
Disable iris authentication on keyguard secure screens (e.g. PIN/Pattern/Password).
Constant Value: 256 (0x00000100)
KEYGUARD_DISABLE_REMOTE_INPUT
public static final int KEYGUARD_DISABLE_REMOTE_INPUT
Disable text entry into notifications on secure keyguard screens (e.g. PIN/Pattern/Password).
Constant Value: 64 (0x00000040)
KEYGUARD_DISABLE_SECURE_CAMERA
public static final int KEYGUARD_DISABLE_SECURE_CAMERA
Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password)
Constant Value: 2 (0x00000002)
KEYGUARD_DISABLE_SECURE_NOTIFICATIONS
public static final int KEYGUARD_DISABLE_SECURE_NOTIFICATIONS
Disable showing all notifications on secure keyguard screens (e.g. PIN/Pattern/Password)
Constant Value: 4 (0x00000004)
KEYGUARD_DISABLE_TRUST_AGENTS
public static final int KEYGUARD_DISABLE_TRUST_AGENTS
Disable trust agents on secure keyguard screens (e.g. PIN/Pattern/Password).
By setting this flag alone, all trust agents are disabled. If the admin then wants to
whitelist specific features of some trust agent, setTrustAgentConfiguration(ComponentName, ComponentName, PersistableBundle)
can be
used in conjuction to set trust-agent-specific configurations.
Constant Value: 16 (0x00000010)
KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS
public static final int KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS
Only allow redacted notifications on secure keyguard screens (e.g. PIN/Pattern/Password)
Constant Value: 8 (0x00000008)
KEYGUARD_DISABLE_WIDGETS_ALL
public static final int KEYGUARD_DISABLE_WIDGETS_ALL
Disable all keyguard widgets. Has no effect starting from
Build.VERSION_CODES.LOLLIPOP
since keyguard widget is only supported
on Android versions lower than 5.0.
Constant Value: 1 (0x00000001)
LEAVE_ALL_SYSTEM_APPS_ENABLED
public static final int LEAVE_ALL_SYSTEM_APPS_ENABLED
Flag used by createAndManageUser(ComponentName, String, ComponentName, PersistableBundle, int)
to specify that the newly created user should skip
the disabling of system apps during provisioning.
Constant Value: 16 (0x00000010)
LOCK_TASK_FEATURE_GLOBAL_ACTIONS
public static final int LOCK_TASK_FEATURE_GLOBAL_ACTIONS
Enable the global actions dialog during LockTask mode. This is the dialog that shows up when the user long-presses the power button, for example. Note that the user may not be able to power off the device if this flag is not set.
This flag is enabled by default until setLockTaskFeatures(ComponentName, int)
is
called for the first time.
See also:
Constant Value: 16 (0x00000010)
LOCK_TASK_FEATURE_HOME
public static final int LOCK_TASK_FEATURE_HOME
Enable the Home button during LockTask mode. Note that if a custom launcher is used, it has
to be registered as the default launcher with
addPersistentPreferredActivity(ComponentName, IntentFilter, ComponentName)
, and its
package needs to be whitelisted for LockTask with
setLockTaskPackages(ComponentName, String[])
.
See also:
Constant Value: 4 (0x00000004)
LOCK_TASK_FEATURE_KEYGUARD
public static final int LOCK_TASK_FEATURE_KEYGUARD
Enable the keyguard during LockTask mode. Note that if the keyguard is already disabled with
setKeyguardDisabled(ComponentName, boolean)
, setting this flag will have no effect.
If this flag is not set, the keyguard will not be shown even if the user has a lock screen
credential.
See also:
Constant Value: 32 (0x00000020)
LOCK_TASK_FEATURE_NONE
public static final int LOCK_TASK_FEATURE_NONE
Disable all configurable SystemUI features during LockTask mode. This includes,
- system info area in the status bar (connectivity icons, clock, etc.)
- notifications (including alerts, icons, and the notification shade)
- Home button
- Recents button and UI
- global actions menu (i.e. power button menu)
- keyguard
See also:
Constant Value: 0 (0x00000000)
LOCK_TASK_FEATURE_NOTIFICATIONS
public static final int LOCK_TASK_FEATURE_NOTIFICATIONS
Enable notifications during LockTask mode. This includes notification icons on the status
bar, heads-up notifications, and the expandable notification shade. Note that the Quick
Settings panel remains disabled. This feature flag can only be used in combination with
LOCK_TASK_FEATURE_HOME
. setLockTaskFeatures(ComponentName, int)
throws an IllegalArgumentException
if this feature flag is defined without
LOCK_TASK_FEATURE_HOME
.
See also:
Constant Value: 2 (0x00000002)
LOCK_TASK_FEATURE_OVERVIEW
public static final int LOCK_TASK_FEATURE_OVERVIEW
Enable the Overview button and the Overview screen during LockTask mode. This feature flag
can only be used in combination with LOCK_TASK_FEATURE_HOME
, and
setLockTaskFeatures(ComponentName, int)
will throw an
IllegalArgumentException
if this feature flag is defined without
LOCK_TASK_FEATURE_HOME
.
See also:
Constant Value: 8 (0x00000008)
LOCK_TASK_FEATURE_SYSTEM_INFO
public static final int LOCK_TASK_FEATURE_SYSTEM_INFO
Enable the system info area in the status bar during LockTask mode. The system info area usually occupies the right side of the status bar (although this can differ across OEMs). It includes all system information indicators, such as date and time, connectivity, battery, vibration mode, etc.
See also:
Constant Value: 1 (0x00000001)
MAKE_USER_EPHEMERAL
public static final int MAKE_USER_EPHEMERAL
Flag used by createAndManageUser(ComponentName, String, ComponentName, PersistableBundle, int)
to specify that the user should be created
ephemeral. Ephemeral users will be removed after switching to another user or rebooting the
device.
Constant Value: 2 (0x00000002)
MIME_TYPE_PROVISIONING_NFC
public static final String MIME_TYPE_PROVISIONING_NFC
This MIME type is used for starting the device owner provisioning.
During device owner provisioning a device admin app is set as the owner of the device. A device owner has full control over the device. The device owner can not be modified by the user and the only way of resetting the device is if the device owner app calls a factory reset.
A typical use case would be a device that is owned by a company, but used by either an employee or client.
The NFC message must be sent to an unprovisioned device.
The NFC record must contain a serialized Properties
object which
contains the following properties:
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
, optionalEXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
, optionalEXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
, optionalEXTRA_PROVISIONING_LOCAL_TIME
(convert to String), optionalEXTRA_PROVISIONING_TIME_ZONE
, optionalEXTRA_PROVISIONING_LOCALE
, optionalEXTRA_PROVISIONING_WIFI_SSID
, optionalEXTRA_PROVISIONING_WIFI_HIDDEN
(convert to String), optionalEXTRA_PROVISIONING_WIFI_SECURITY_TYPE
, optionalEXTRA_PROVISIONING_WIFI_PASSWORD
, optionalEXTRA_PROVISIONING_WIFI_PROXY_HOST
, optionalEXTRA_PROVISIONING_WIFI_PROXY_PORT
(convert to String), optionalEXTRA_PROVISIONING_WIFI_PROXY_BYPASS
, optionalEXTRA_PROVISIONING_WIFI_PAC_URL
, optionalEXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
, optional, supported fromBuild.VERSION_CODES.M
As of Build.VERSION_CODES.M
, the properties should contain
EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
instead of
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
, (although specifying only
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
is still supported).
Constant Value: "application/com.android.managedprovisioning"
PASSWORD_QUALITY_ALPHABETIC
public static final int PASSWORD_QUALITY_ALPHABETIC
Constant for setPasswordQuality(ComponentName, int)
: the user must have entered a
password containing at least alphabetic (or other symbol) characters.
Note that quality constants are ordered so that higher values are more
restrictive.
Constant Value: 262144 (0x00040000)
PASSWORD_QUALITY_ALPHANUMERIC
public static final int PASSWORD_QUALITY_ALPHANUMERIC
Constant for setPasswordQuality(ComponentName, int)
: the user must have entered a
password containing at least both> numeric and
alphabetic (or other symbol) characters. Note that quality constants are
ordered so that higher values are more restrictive.
Constant Value: 327680 (0x00050000)
PASSWORD_QUALITY_BIOMETRIC_WEAK
public static final int PASSWORD_QUALITY_BIOMETRIC_WEAK
Constant for setPasswordQuality(ComponentName, int)
: the policy allows for low-security biometric
recognition technology. This implies technologies that can recognize the identity of
an individual to about a 3 digit PIN (false detection is less than 1 in 1,000).
Note that quality constants are ordered so that higher values are more restrictive.
Constant Value: 32768 (0x00008000)
PASSWORD_QUALITY_COMPLEX
public static final int PASSWORD_QUALITY_COMPLEX
Constant for setPasswordQuality(ComponentName, int)
: the user must have entered a
password containing at least a letter, a numerical digit and a special
symbol, by default. With this password quality, passwords can be
restricted to contain various sets of characters, like at least an
uppercase letter, etc. These are specified using various methods,
like setPasswordMinimumLowerCase(ComponentName, int)
. Note
that quality constants are ordered so that higher values are more
restrictive.
Constant Value: 393216 (0x00060000)
PASSWORD_QUALITY_NUMERIC
public static final int PASSWORD_QUALITY_NUMERIC
Constant for setPasswordQuality(ComponentName, int)
: the user must have entered a
password containing at least numeric characters. Note that quality
constants are ordered so that higher values are more restrictive.
Constant Value: 131072 (0x00020000)
PASSWORD_QUALITY_NUMERIC_COMPLEX
public static final int PASSWORD_QUALITY_NUMERIC_COMPLEX
Constant for setPasswordQuality(ComponentName, int)
: the user must have entered a
password containing at least numeric characters with no repeating (4444)
or ordered (1234, 4321, 2468) sequences. Note that quality
constants are ordered so that higher values are more restrictive.
Constant Value: 196608 (0x00030000)
PASSWORD_QUALITY_SOMETHING
public static final int PASSWORD_QUALITY_SOMETHING
Constant for setPasswordQuality(ComponentName, int)
: the policy requires some kind
of password or pattern, but doesn't care what it is. Note that quality constants
are ordered so that higher values are more restrictive.
Constant Value: 65536 (0x00010000)
PASSWORD_QUALITY_UNSPECIFIED
public static final int PASSWORD_QUALITY_UNSPECIFIED
Constant for setPasswordQuality(ComponentName, int)
: the policy has no requirements
for the password. Note that quality constants are ordered so that higher
values are more restrictive.
Constant Value: 0 (0x00000000)
PERMISSION_GRANT_STATE_DEFAULT
public static final int PERMISSION_GRANT_STATE_DEFAULT
Runtime permission state: The user can manage the permission through the UI.
Constant Value: 0 (0x00000000)
PERMISSION_GRANT_STATE_DENIED
public static final int PERMISSION_GRANT_STATE_DENIED
Runtime permission state: The permission is denied to the app and the user cannot manage the permission through the UI.
Constant Value: 2 (0x00000002)
PERMISSION_GRANT_STATE_GRANTED
public static final int PERMISSION_GRANT_STATE_GRANTED
Runtime permission state: The permission is granted to the app and the user cannot manage the permission through the UI.
Constant Value: 1 (0x00000001)
PERMISSION_POLICY_AUTO_DENY
public static final int PERMISSION_POLICY_AUTO_DENY
Permission policy to always deny new permission requests for runtime permissions. Already granted or denied permissions are not affected by this.
Constant Value: 2 (0x00000002)
PERMISSION_POLICY_AUTO_GRANT
public static final int PERMISSION_POLICY_AUTO_GRANT
Permission policy to always grant new permission requests for runtime permissions. Already granted or denied permissions are not affected by this.
Constant Value: 1 (0x00000001)
PERMISSION_POLICY_PROMPT
public static final int PERMISSION_POLICY_PROMPT
Permission policy to prompt user for new permission requests for runtime permissions. Already granted or denied permissions are not affected by this.
Constant Value: 0 (0x00000000)
POLICY_DISABLE_CAMERA
public static final String POLICY_DISABLE_CAMERA
Constant to indicate the feature of disabling the camera. Used as argument to
createAdminSupportIntent(String)
.
Constant Value: "policy_disable_camera"
POLICY_DISABLE_SCREEN_CAPTURE
public static final String POLICY_DISABLE_SCREEN_CAPTURE
Constant to indicate the feature of disabling screen captures. Used as argument to
createAdminSupportIntent(String)
.
Constant Value: "policy_disable_screen_capture"
RESET_PASSWORD_DO_NOT_ASK_CREDENTIALS_ON_BOOT
public static final int RESET_PASSWORD_DO_NOT_ASK_CREDENTIALS_ON_BOOT
Flag for resetPasswordWithToken(ComponentName, String, byte[], int)
and resetPassword(String, int)
: don't ask for user
credentials on device boot.
If the flag is set, the device can be booted without asking for user password.
The absence of this flag does not change the current boot requirements. This flag
can be set by the device owner only. If the app is not the device owner, the flag
is ignored. Once the flag is set, it cannot be reverted back without resetting the
device to factory defaults.
Constant Value: 2 (0x00000002)
RESET_PASSWORD_REQUIRE_ENTRY
public static final int RESET_PASSWORD_REQUIRE_ENTRY
Flag for resetPasswordWithToken(ComponentName, String, byte[], int)
and resetPassword(String, int)
: don't allow other admins
to change the password again until the user has entered it.
Constant Value: 1 (0x00000001)
SKIP_SETUP_WIZARD
public static final int SKIP_SETUP_WIZARD
Flag used by createAndManageUser(ComponentName, String, ComponentName, PersistableBundle, int)
to skip setup wizard after creating a new user.
Constant Value: 1 (0x00000001)
WIPE_EUICC
public static final int WIPE_EUICC
Flag for wipeData(int)
: also erase the device's eUICC data.
Constant Value: 4 (0x00000004)
WIPE_EXTERNAL_STORAGE
public static final int WIPE_EXTERNAL_STORAGE
Flag for wipeData(int)
: also erase the device's external
storage (such as SD cards).
Constant Value: 1 (0x00000001)
WIPE_RESET_PROTECTION_DATA
public static final int WIPE_RESET_PROTECTION_DATA
Flag for wipeData(int)
: also erase the factory reset protection
data.
This flag may only be set by device owner admins; if it is set by
other admins a SecurityException
will be thrown.
Constant Value: 2 (0x00000002)
Public methods
addCrossProfileIntentFilter
public void addCrossProfileIntentFilter (ComponentName admin, IntentFilter filter, int flags)
Called by the profile owner of a managed profile so that some intents sent in the managed profile can also be resolved in the parent, or vice versa. Only activity intents are supported.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
filter |
IntentFilter : The IntentFilter the intent has to match to be also resolved in the
other profile |
flags |
int : FLAG_MANAGED_CAN_ACCESS_PARENT and
FLAG_PARENT_CAN_ACCESS_MANAGED are supported. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
addCrossProfileWidgetProvider
public boolean addCrossProfileWidgetProvider (ComponentName admin, String packageName)
Called by the profile owner of a managed profile to enable widget providers from a given package to be available in the parent profile. As a result the user will be able to add widgets from the white-listed package running under the profile to a widget host which runs under the parent profile, for example the home screen. Note that a package may have zero or more provider components, where each component provides a different widget type.
Note: By default no widget provider package is white-listed.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
packageName |
String : The package from which widget providers are white-listed. |
Returns | |
---|---|
boolean |
Whether the package was added. |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner. |
addOverrideApn
public int addOverrideApn (ComponentName admin, ApnSetting apnSetting)
Called by device owner to add an override APN.
This method may returns -1
if apnSetting
conflicts with an existing
override APN. Update the existing conflicted APN with
updateOverrideApn(ComponentName, int, ApnSetting)
instead of adding a new entry.
Two override APNs are considered to conflict when all the following APIs return the same values on both override APNs:
ApnSetting.getOperatorNumeric()
ApnSetting.getApnName()
ApnSetting.getProxyAddress()
ApnSetting.getProxyPort()
ApnSetting.getMmsProxyAddress()
ApnSetting.getMmsProxyPort()
ApnSetting.getMmsc()
ApnSetting.isEnabled()
ApnSetting.getMvnoType()
ApnSetting.getProtocol()
ApnSetting.getRoamingProtocol()
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated withThis value must never be |
apnSetting |
ApnSetting : the override APN to insertThis value must never be |
Returns | |
---|---|
int |
The id of inserted override APN. Or -1 when failed to insert into
the database. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
addPersistentPreferredActivity
public void addPersistentPreferredActivity (ComponentName admin, IntentFilter filter, ComponentName activity)
Called by a profile owner or device owner to set a default activity that the system selects
to handle intents that match the given IntentFilter
. This activity will remain the
default intent handler even if the set of potential event handlers for the intent filter
changes and if the intent preferences are reset.
Note that the caller should still declare the activity in the manifest, the API just sets the activity to be the default one to handle the given intent filter.
The default disambiguation mechanism takes over if the activity is not installed (anymore). When the activity is (re)installed, it is automatically reset as default intent handler for the filter.
The calling device admin must be a profile owner or device owner. If it is not, a security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
filter |
IntentFilter : The IntentFilter for which a default handler is added. |
activity |
ComponentName : The Activity that is added as default intent handler.This value must never be |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
addUserRestriction
public void addUserRestriction (ComponentName admin, String key)
Called by a profile or device owner to set a user restriction specified by the key.
The calling device admin must be a profile or device owner; if it is not, a security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
key |
String : The key of the restriction. See the constants in UserManager
for the list of keys. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
bindDeviceAdminServiceAsUser
public boolean bindDeviceAdminServiceAsUser (ComponentName admin, Intent serviceIntent, ServiceConnection conn, int flags, UserHandle targetUser)
Called by a device owner to bind to a service from a profile owner or vice versa.
See getBindDeviceAdminTargetUsers(ComponentName)
for a definition of which
device/profile owners are allowed to bind to services of another profile/device owner.
The service must be protected by Manifest.permission.BIND_DEVICE_ADMIN
.
Note that the Context
used to obtain this
DevicePolicyManager
instance via Context.getSystemService(Class)
will be used
to bind to the Service
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
serviceIntent |
Intent : Identifies the service to connect to. The Intent must specify either an
explicit component name or a package name to match an
IntentFilter published by a service. |
conn |
ServiceConnection : Receives information as the service is started and stopped in main thread. This
must be a valid ServiceConnection object; it must not be null . |
flags |
int : Operation options for the binding operation. See
Context.bindService(Intent, ServiceConnection, int) .Value is either |
targetUser |
UserHandle : Which user to bind to. Must be one of the users returned by
getBindDeviceAdminTargetUsers(ComponentName) , otherwise a SecurityException will
be thrown.This value must never be |
Returns | |
---|---|
boolean |
If you have successfully bound to the service, true is returned;
false is returned if the connection is not made and you will not
receive the service object. |
clearApplicationUserData
public void clearApplicationUserData (ComponentName admin, String packageName, Executor executor, DevicePolicyManager.OnClearApplicationUserDataListener listener)
Called by the device owner or profile owner to clear application user data of a given
package. The behaviour of this is equivalent to the target application calling
ActivityManager.clearApplicationUserData()
.
Note: an application can store data outside of its application data, e.g. external storage or user dictionary. This data will not be wiped by calling this API.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
packageName |
String : The name of the package which will have its user data wiped.This value must never be |
executor |
Executor : The executor through which the listener should be invoked.This value must never be Callback and listener events are dispatched through this
|
listener |
DevicePolicyManager.OnClearApplicationUserDataListener : A callback object that will inform the caller when the clearing is done.This value must never be |
Throws | |
---|---|
SecurityException |
if the caller is not the device owner/profile owner. |
clearCrossProfileIntentFilters
public void clearCrossProfileIntentFilters (ComponentName admin)
Called by a profile owner of a managed profile to remove the cross-profile intent filters that go from the managed profile to the parent, or from the parent to the managed profile. Only removes those that have been set by the profile owner.
Note: A list of default cross profile intent filters are set up by the system when
the profile is created, some of them ensure the proper functioning of the profile, while
others enable sharing of data from the parent to the managed profile for user convenience.
These default intent filters are not cleared when this API is called. If the default cross
profile data sharing is not desired, they can be disabled with
UserManager.DISALLOW_SHARE_INTO_MANAGED_PROFILE
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner.
|
clearDeviceOwnerApp
public void clearDeviceOwnerApp (String packageName)
This method was deprecated
in API level 26.
This method is expected to be used for testing purposes only. The device owner
will lose control of the device and its data after calling it. In order to protect any
sensitive data that remains on the device, it is advised that the device owner factory resets
the device instead of calling this method. See wipeData(int)
.
Clears the current device owner. The caller must be the device owner. This function should be used cautiously as once it is called it cannot be undone. The device owner can only be set as a part of device setup, before it completes.
While some policies previously set by the device owner will be cleared by this method, it is a best-effort process and some other policies will still remain in place after the device owner is cleared.
Parameters | |
---|---|
packageName |
String : The package name of the device owner. |
Throws | |
---|---|
SecurityException |
if the caller is not in packageName or packageName
does not own the current device owner component. |
clearPackagePersistentPreferredActivities
public void clearPackagePersistentPreferredActivities (ComponentName admin, String packageName)
Called by a profile owner or device owner to remove all persistent intent handler preferences
associated with the given package that were set by addPersistentPreferredActivity(ComponentName, IntentFilter, ComponentName)
.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
packageName |
String : The name of the package for which preferences are removed. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
clearProfileOwner
public void clearProfileOwner (ComponentName admin)
This method was deprecated
in API level 26.
This method is expected to be used for testing purposes only. The profile owner
will lose control of the user and its data after calling it. In order to protect any
sensitive data that remains on this user, it is advised that the profile owner deletes it
instead of calling this method. See wipeData(int)
.
Clears the active profile owner. The caller must be the profile owner of this user, otherwise a SecurityException will be thrown. This method is not available to managed profile owners.
While some policies previously set by the profile owner will be cleared by this method, it is a best-effort process and some other policies will still remain in place after the profile owner is cleared.
Parameters | |
---|---|
admin |
ComponentName : The component to remove as the profile owner.This value must never be |
Throws | |
---|---|
SecurityException |
if admin is not an active profile owner, or the method is
being called from a managed profile. |
clearResetPasswordToken
public boolean clearResetPasswordToken (ComponentName admin)
Called by a profile or device owner to revoke the current password reset token.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. |
Returns | |
---|---|
boolean |
true if the operation is successful, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
clearUserRestriction
public void clearUserRestriction (ComponentName admin, String key)
Called by a profile or device owner to clear a user restriction specified by the key.
The calling device admin must be a profile or device owner; if it is not, a security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
key |
String : The key of the restriction. See the constants in UserManager
for the list of keys. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
createAdminSupportIntent
public Intent createAdminSupportIntent (String restriction)
Called by any app to display a support dialog when a feature was disabled by an admin.
This returns an intent that can be used with Context.startActivity(Intent)
to
display the dialog. It will tell the user that the feature indicated by restriction
was disabled by an admin, and include a link for more information. The default content of
the dialog can be changed by the restricting admin via
setShortSupportMessage(ComponentName, CharSequence)
. If the restriction is not
set (i.e. the feature is available), then the return value will be null
.
Parameters | |
---|---|
restriction |
String : Indicates for which feature the dialog should be displayed. Can be a
user restriction from UserManager , e.g.
UserManager.DISALLOW_ADJUST_VOLUME , or one of the constants
POLICY_DISABLE_CAMERA , POLICY_DISABLE_SCREEN_CAPTURE .This value must never be |
Returns | |
---|---|
Intent |
Intent An intent to be used to start the dialog-activity if the restriction is set by an admin, or null if the restriction does not exist or no admin set it. |
createAndManageUser
public UserHandle createAndManageUser (ComponentName admin, String name, ComponentName profileOwner, PersistableBundle adminExtras, int flags)
Called by a device owner to create a user with the specified name and a given component of
the calling package as profile owner. The UserHandle returned by this method should not be
persisted as user handles are recycled as users are removed and created. If you need to
persist an identifier for this user, use UserManager.getSerialNumberForUser(UserHandle)
. The new
user will not be started in the background.
admin is the DeviceAdminReceiver
which is the device owner. profileOwner is also a
DeviceAdminReceiver in the same package as admin, and will become the profile owner and will
be registered as an active admin on the new user. The profile owner package will be installed
on the new user.
If the adminExtras are not null, they will be stored on the device until the user is started for the first time. Then the extras will be passed to the admin when onEnable is called.
From Build.VERSION_CODES.P
onwards, if targeting
Build.VERSION_CODES.P
, throws UserManager.UserOperationException
instead of
returning null
on failure.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
name |
String : The user's name.This value must never be |
profileOwner |
ComponentName : Which DeviceAdminReceiver will be profile owner. Has to be in the
same package as admin, otherwise no user is created and an
IllegalArgumentException is thrown.This value must never be |
adminExtras |
PersistableBundle : Extras that will be passed to onEnable of the admin receiver on the new
user.This value may be |
flags |
int : SKIP_SETUP_WIZARD , MAKE_USER_EPHEMERAL and
LEAVE_ALL_SYSTEM_APPS_ENABLED are supported.Value is either |
Returns | |
---|---|
UserHandle |
the UserHandle object for the created user, or null if the
user could not be created. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
UserManager.UserOperationException |
if the user could not be created and the calling app is
targeting Build.VERSION_CODES.P and running on
Build.VERSION_CODES.P .
|
See also:
enableSystemApp
public int enableSystemApp (ComponentName admin, Intent intent)
Re-enable system apps by intent that were disabled by default when the user was initialized.
This function can be called by a device owner, profile owner, or by a delegate given the
DELEGATION_ENABLE_SYSTEM_APP
scope via setDelegatedScopes(ComponentName, String, List
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is an enable system app delegate. |
intent |
Intent : An intent matching the app(s) to be installed. All apps that resolve for this
intent will be re-enabled in the calling profile. |
Returns | |
---|---|
int |
int The number of activities that matched the intent and were installed. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
enableSystemApp
public void enableSystemApp (ComponentName admin, String packageName)
Re-enable a system app that was disabled by default when the user was initialized. This
function can be called by a device owner, profile owner, or by a delegate given the
DELEGATION_ENABLE_SYSTEM_APP
scope via setDelegatedScopes(ComponentName, String, List
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is an enable system app delegate. |
packageName |
String : The package to be re-enabled in the calling profile. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
generateKeyPair
public AttestedKeyPair generateKeyPair (ComponentName admin, String algorithm, KeyGenParameterSpec keySpec, int idAttestationFlags)
Called by a device or profile owner, or delegated certificate installer, to generate a
new private/public key pair. If the device supports key generation via secure hardware,
this method is useful for creating a key in KeyChain that never left the secure hardware.
Access to the key is controlled the same way as in installKeyPair(ComponentName, PrivateKey, Certificate, String)
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate installer. |
algorithm |
String : The key generation algorithm, see KeyPairGenerator .This value must never be |
keySpec |
KeyGenParameterSpec : Specification of the key to generate, see
KeyPairGenerator .This value must never be |
idAttestationFlags |
int : A bitmask of all the identifiers that should be included in the
attestation record (ID_TYPE_BASE_INFO , ID_TYPE_SERIAL ,
ID_TYPE_IMEI and ID_TYPE_MEID ), or 0 if no device
identification is required in the attestation record.
Device owner, profile owner and their delegated certificate installer can use
ID_TYPE_BASE_INFO to request inclusion of the general device information
including manufacturer, model, brand, device and product in the attestation record.
Only device owner and their delegated certificate installer can use
ID_TYPE_SERIAL , ID_TYPE_IMEI and ID_TYPE_MEID to request
unique device identifiers to be attested.
If any of
If any flag is specified, then an attestation challenge must be included in the
Value is either |
Returns | |
---|---|
AttestedKeyPair |
A non-null AttestedKeyPair if the key generation succeeded, null otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner. If Device ID attestation is requested (using ID_TYPE_SERIAL ,
ID_TYPE_IMEI or ID_TYPE_MEID ), the caller must be the Device Owner
or the Certificate Installer delegate. |
IllegalArgumentException |
if the alias in keySpec is empty, if the
algorithm specification in keySpec is not RSAKeyGenParameterSpec
or ECGenParameterSpec , or if Device ID attestation was requested but the
keySpec does not contain an attestation challenge. |
UnsupportedOperationException |
if Device ID attestation was requested but the underlying hardware does not support it. |
getAccountTypesWithManagementDisabled
public String[] getAccountTypesWithManagementDisabled ()
Gets the array of accounts for which account management is disabled by the profile owner.
Account management can be disabled/enabled by calling
setAccountManagementDisabled(ComponentName, String, boolean)
.
Returns | |
---|---|
String[] |
a list of account types for which account management has been disabled. This value may be |
getActiveAdmins
public List<ComponentName> getActiveAdmins ()
Return a list of all currently active device administrators' component
names. If there are no administrators null
may be
returned.
Returns | |
---|---|
List<ComponentName> |
This value may be |
getAffiliationIds
public Set<String> getAffiliationIds (ComponentName admin)
Returns the set of affiliation ids previously set via setAffiliationIds(ComponentName, Set
, or an
empty set if none have been set.
Parameters | |
---|---|
admin |
ComponentName This value must never be |
Returns | |
---|---|
Set<String> |
This value will never be |
getAlwaysOnVpnPackage
public String getAlwaysOnVpnPackage (ComponentName admin)
Called by a device or profile owner to read the name of the package administering an
always-on VPN connection for the current user. If there is no such package, or the always-on
VPN is provided by the system instead of by an application, null
will be returned.
Parameters | |
---|---|
admin |
ComponentName This value must never be |
Returns | |
---|---|
String |
Package name of VPN controller responsible for always-on VPN, or null if none
is set. |
Throws | |
---|---|
SecurityException |
if admin is not a device or a profile owner.
|
getApplicationRestrictions
public Bundle getApplicationRestrictions (ComponentName admin, String packageName)
Retrieves the application restrictions for a given target application running in the calling user.
The caller must be a profile or device owner on that user, or the package allowed to manage
application restrictions via setDelegatedScopes(ComponentName, String, List
with the
DELEGATION_APP_RESTRICTIONS
scope; otherwise a security exception will be thrown.
NOTE: The method performs disk I/O and shouldn't be called on the main thread
This method may take several seconds to complete, so it should only be called from a worker thread.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if called by the application restrictions managing package. |
packageName |
String : The name of the package to fetch restricted settings of. |
Returns | |
---|---|
Bundle |
Bundle of settings corresponding to what was set last time
setApplicationRestrictions(ComponentName, String, Bundle) was called, or an empty
Bundle if no restrictions have been set.This value will never be |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
getApplicationRestrictionsManagingPackage
public String getApplicationRestrictionsManagingPackage (ComponentName admin)
This method was deprecated
in API level 26.
From Build.VERSION_CODES.O
. Use getDelegatePackages(ComponentName, String)
with the DELEGATION_APP_RESTRICTIONS
scope instead.
Called by a profile owner or device owner to retrieve the application restrictions managing
package for the current user, or null
if none is set. If there are multiple
delegates this function will return one of them.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
String |
The package name allowed to manage application restrictions on the current user, or
null if none is set. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
getAutoTimeRequired
public boolean getAutoTimeRequired ()
Returns | |
---|---|
boolean |
true if auto time is required. |
getBindDeviceAdminTargetUsers
public List<UserHandle> getBindDeviceAdminTargetUsers (ComponentName admin)
Returns the list of target users that the calling device or profile owner can use when
calling bindDeviceAdminServiceAsUser(ComponentName, Intent, ServiceConnection, int, UserHandle)
.
A device owner can bind to a service from a profile owner and vice versa, provided that:
- Both belong to the same package name.
- Both users are affiliated. See
setAffiliationIds(ComponentName, Set
.)
Parameters | |
---|---|
admin |
ComponentName This value must never be |
Returns | |
---|---|
List<UserHandle> |
This value will never be |
getBluetoothContactSharingDisabled
public boolean getBluetoothContactSharingDisabled (ComponentName admin)
Called by a profile owner of a managed profile to determine whether or not Bluetooth devices cannot access enterprise contacts.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
This API works on managed profile only.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
boolean |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner.
|
getCameraDisabled
public boolean getCameraDisabled (ComponentName admin)
Determine whether or not the device's cameras have been disabled for this user, either by the calling admin, if specified, or all admins.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to check whether any admins
have disabled the camera
|
Returns | |
---|---|
boolean |
getCertInstallerPackage
public String getCertInstallerPackage (ComponentName admin)
This method was deprecated
in API level 26.
From Build.VERSION_CODES.O
. Use getDelegatePackages(ComponentName, String)
with the DELEGATION_CERT_INSTALL
scope instead.
Called by a profile owner or device owner to retrieve the certificate installer for the user,
or null
if none is set. If there are multiple delegates this function will return one
of them.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
String |
The package name of the current delegated certificate installer, or null if
none is set. |
Throws | |
---|---|
SecurityException |
if admin is not a device or a profile owner. |
getCrossProfileCallerIdDisabled
public boolean getCrossProfileCallerIdDisabled (ComponentName admin)
Called by a profile owner of a managed profile to determine whether or not caller-Id information has been disabled.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
boolean |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner.
|
getCrossProfileContactsSearchDisabled
public boolean getCrossProfileContactsSearchDisabled (ComponentName admin)
Called by a profile owner of a managed profile to determine whether or not contacts search has been disabled.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
boolean |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner.
|
getCrossProfileWidgetProviders
public List<String> getCrossProfileWidgetProviders (ComponentName admin)
Called by the profile owner of a managed profile to query providers from which packages are available in the parent profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
List<String> |
The white-listed package list. This value will never be |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner.
|
getCurrentFailedPasswordAttempts
public int getCurrentFailedPasswordAttempts ()
Retrieve the number of times the user has failed at entering a password since that last successful password entry.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to retrieve the number of failed
password attemts for the parent user.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_WATCH_LOGIN
to be able to call this method; if it has not, a security exception will be thrown.
Returns | |
---|---|
int |
The number of times user has entered an incorrect password since the last correct password entry. |
Throws | |
---|---|
SecurityException |
if the calling application does not own an active administrator
that uses DeviceAdminInfo.USES_POLICY_WATCH_LOGIN
|
getDelegatePackages
public List<String> getDelegatePackages (ComponentName admin, String delegationScope)
Called by a profile owner or device owner to retrieve a list of delegate packages that were granted a delegation scope.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
delegationScope |
String : The scope whose delegates should be retrieved.This value must never be |
Returns | |
---|---|
List<String> |
A list of package names of the current delegated packages for
delegationScope .This value may be |
Throws | |
---|---|
SecurityException |
if admin is not a device or a profile owner.
|
getDelegatedScopes
public List<String> getDelegatedScopes (ComponentName admin, String delegatedPackage)
Called by a profile owner or device owner to retrieve a list of the scopes given to a
delegate package. Other apps can use this method to retrieve their own delegated scopes by
passing null
for admin
and their own package name as
delegatedPackage
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is delegatedPackage . |
delegatedPackage |
String : The package name of the app whose scopes should be retrieved.This value must never be |
Returns | |
---|---|
List<String> |
A list containing the scopes given to delegatedPackage .This value will never be |
Throws | |
---|---|
SecurityException |
if admin is not a device or a profile owner.
|
getDeviceOwnerLockScreenInfo
public CharSequence getDeviceOwnerLockScreenInfo ()
Returns | |
---|---|
CharSequence |
The device owner information. If it is not set returns null .
|
getEndUserSessionMessage
public CharSequence getEndUserSessionMessage (ComponentName admin)
Returns the user session end message.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
CharSequence |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
getInstalledCaCerts
public List<byte[]> getInstalledCaCerts (ComponentName admin)
Returns all CA certificates that are currently trusted, excluding system CA certificates. If a user has installed any certificates by other means than device policy these will be included too.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate installer. |
Returns | |
---|---|
List<byte[]> |
a List of byte[] arrays, each encoding one user CA certificate. This value will never be |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner.
|
getKeepUninstalledPackages
public List<String> getKeepUninstalledPackages (ComponentName admin)
Get the list of apps to keep around as APKs even if no user has currently installed it. This
function can be called by a device owner or by a delegate given the
DELEGATION_KEEP_UNINSTALLED_PACKAGES
scope via setDelegatedScopes(ComponentName, String, List
.
Please note that packages returned in this method are not automatically pre-cached.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is a keep uninstalled packages delegate. |
Returns | |
---|---|
List<String> |
List of package names to keep cached. This value may be |
getKeyguardDisabledFeatures
public int getKeyguardDisabledFeatures (ComponentName admin)
Determine whether or not features have been disabled in keyguard either by the calling admin, if specified, or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to check whether any
admins have disabled features in keyguard. |
Returns | |
---|---|
int |
bitfield of flags. See setKeyguardDisabledFeatures(ComponentName, int)
for a list.
|
getLockTaskFeatures
public int getLockTaskFeatures (ComponentName admin)
Gets which system features are enabled for LockTask mode.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
int |
bitfield of flags. See setLockTaskFeatures(ComponentName, int) for a list.Value is either |
Throws | |
---|---|
SecurityException |
if admin is not the device owner, the profile owner of an
affiliated user or profile, or the profile owner when no device owner is set. |
getLockTaskPackages
public String[] getLockTaskPackages (ComponentName admin)
Returns the list of packages allowed to start the lock task mode.
Parameters | |
---|---|
admin |
ComponentName This value must never be |
Returns | |
---|---|
String[] |
This value will never be |
Throws | |
---|---|
SecurityException |
if admin is not the device owner, the profile owner of an
affiliated user or profile, or the profile owner when no device owner is set. |
getLongSupportMessage
public CharSequence getLongSupportMessage (ComponentName admin)
Called by a device admin to get the long support message.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
CharSequence |
The message set by setLongSupportMessage(ComponentName, CharSequence) or
null if no message has been set. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator.
|
getMaximumFailedPasswordsForWipe
public int getMaximumFailedPasswordsForWipe (ComponentName admin)
Retrieve the current maximum number of login attempts that are allowed before the device or profile is wiped, for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
the value for the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate
all admins.
|
Returns | |
---|---|
int |
getMaximumTimeToLock
public long getMaximumTimeToLock (ComponentName admin)
Retrieve the current maximum time to unlock for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate
all admins. |
Returns | |
---|---|
long |
time in milliseconds for the given admin or the minimum value (strictest) of all admins if admin is null. Returns 0 if there are no restrictions. |
getMeteredDataDisabledPackages
public List<String> getMeteredDataDisabledPackages (ComponentName admin)
Called by a device or profile owner to retrieve the list of packages which are restricted by the admin from using metered data.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
List<String> |
the list of restricted package names. This value will never be |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
getOrganizationColor
public int getOrganizationColor (ComponentName admin)
Called by a profile owner of a managed profile to retrieve the color used for customization. This color is used as background color of the confirm credentials screen for that user.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
int |
The 24bit (0xRRGGBB) representation of the color to be used. |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner.
|
getOrganizationName
public CharSequence getOrganizationName (ComponentName admin)
Called by a profile owner of a managed profile to retrieve the name of the organization under management.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
CharSequence |
The organization name or null if none is set. |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner.
|
getOverrideApns
public List<ApnSetting> getOverrideApns (ComponentName admin)
Called by device owner to get all override APNs inserted by device owner.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated withThis value must never be |
Returns | |
---|---|
List<ApnSetting> |
A list of override APNs inserted by device owner. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
getParentProfileInstance
public DevicePolicyManager getParentProfileInstance (ComponentName admin)
Called by the profile owner of a managed profile to obtain a DevicePolicyManager
whose calls act on the parent profile.
The following methods are supported for the parent instance, all other methods will throw a SecurityException when called on the parent instance:
getPasswordQuality(ComponentName)
setPasswordQuality(ComponentName, int)
getPasswordMinimumLength(ComponentName)
setPasswordMinimumLength(ComponentName, int)
getPasswordMinimumUpperCase(ComponentName)
setPasswordMinimumUpperCase(ComponentName, int)
getPasswordMinimumLowerCase(ComponentName)
setPasswordMinimumLowerCase(ComponentName, int)
getPasswordMinimumLetters(ComponentName)
setPasswordMinimumLetters(ComponentName, int)
getPasswordMinimumNumeric(ComponentName)
setPasswordMinimumNumeric(ComponentName, int)
getPasswordMinimumSymbols(ComponentName)
setPasswordMinimumSymbols(ComponentName, int)
getPasswordMinimumNonLetter(ComponentName)
setPasswordMinimumNonLetter(ComponentName, int)
getPasswordHistoryLength(ComponentName)
setPasswordHistoryLength(ComponentName, int)
getPasswordExpirationTimeout(ComponentName)
setPasswordExpirationTimeout(ComponentName, long)
getPasswordExpiration(ComponentName)
getPasswordMaximumLength(int)
isActivePasswordSufficient()
getCurrentFailedPasswordAttempts()
getMaximumFailedPasswordsForWipe(ComponentName)
setMaximumFailedPasswordsForWipe(ComponentName, int)
getMaximumTimeToLock(ComponentName)
setMaximumTimeToLock(ComponentName, long)
lockNow()
getKeyguardDisabledFeatures(ComponentName)
setKeyguardDisabledFeatures(ComponentName, int)
getTrustAgentConfiguration(ComponentName, ComponentName)
setTrustAgentConfiguration(ComponentName, ComponentName, PersistableBundle)
getRequiredStrongAuthTimeout(ComponentName)
setRequiredStrongAuthTimeout(ComponentName, long)
Parameters | |
---|---|
admin |
ComponentName This value must never be |
Returns | |
---|---|
DevicePolicyManager |
a new instance of DevicePolicyManager that acts on the parent profile.This value will never be |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner.
|
getPasswordExpiration
public long getPasswordExpiration (ComponentName admin)
Get the current password expiration time for a particular admin or all admins that set
restrictions on this user and its participating profiles. Restrictions on profiles that have
a separate challenge are not taken into account. If admin is null
, then a composite
of all expiration times is returned - which will be the minimum of all of them.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
the password expiration for the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate all admins. |
Returns | |
---|---|
long |
The password expiration time, in milliseconds since epoch. |
getPasswordExpirationTimeout
public long getPasswordExpirationTimeout (ComponentName admin)
Get the password expiration timeout for the given admin. The expiration timeout is the
recurring expiration timeout provided in the call to
setPasswordExpirationTimeout(ComponentName, long)
for the given admin or the
aggregate of all participating policy administrators if admin
is null. Admins that
have set restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate all admins. |
Returns | |
---|---|
long |
The timeout for the given admin or the minimum of all timeouts |
getPasswordHistoryLength
public int getPasswordHistoryLength (ComponentName admin)
Retrieve the current password history length for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate
all admins. |
Returns | |
---|---|
int |
The length of the password history |
getPasswordMaximumLength
public int getPasswordMaximumLength (int quality)
Return the maximum password length that the device supports for a particular password quality.
Parameters | |
---|---|
quality |
int : The quality being interrogated. |
Returns | |
---|---|
int |
Returns the maximum length that the user can enter. |
getPasswordMinimumLength
public int getPasswordMinimumLength (ComponentName admin)
Retrieve the current minimum password length for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
restrictions on the parent profile.
user and its profiles or a particular one.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate
all admins.
|
Returns | |
---|---|
int |
getPasswordMinimumLetters
public int getPasswordMinimumLetters (ComponentName admin)
Retrieve the current number of letters required in the password
for a particular admin or all admins that set restrictions on this user
and its participating profiles. Restrictions on profiles that have
a separate challenge are not taken into account.
This is the same value as set by
setPasswordMinimumLetters(ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to
aggregate all admins. |
Returns | |
---|---|
int |
The minimum number of letters required in the password. |
getPasswordMinimumLowerCase
public int getPasswordMinimumLowerCase (ComponentName admin)
Retrieve the current number of lower case letters required in the password
for a particular admin or all admins that set restrictions on this user
and its participating profiles. Restrictions on profiles that have
a separate challenge are not taken into account.
This is the same value as set by
setPasswordMinimumLowerCase(ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to
aggregate all admins. |
Returns | |
---|---|
int |
The minimum number of lower case letters required in the password. |
getPasswordMinimumNonLetter
public int getPasswordMinimumNonLetter (ComponentName admin)
Retrieve the current number of non-letter characters required in the password
for a particular admin or all admins that set restrictions on this user
and its participating profiles. Restrictions on profiles that have
a separate challenge are not taken into account.
This is the same value as set by
setPasswordMinimumNonLetter(ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to
aggregate all admins. |
Returns | |
---|---|
int |
The minimum number of letters required in the password. |
getPasswordMinimumNumeric
public int getPasswordMinimumNumeric (ComponentName admin)
Retrieve the current number of numerical digits required in the password
for a particular admin or all admins that set restrictions on this user
and its participating profiles. Restrictions on profiles that have
a separate challenge are not taken into account.
This is the same value as set by
setPasswordMinimumNumeric(ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to
aggregate all admins. |
Returns | |
---|---|
int |
The minimum number of numerical digits required in the password. |
getPasswordMinimumSymbols
public int getPasswordMinimumSymbols (ComponentName admin)
Retrieve the current number of symbols required in the password
for a particular admin or all admins that set restrictions on this user
and its participating profiles. Restrictions on profiles that have
a separate challenge are not taken into account. This is the same value as
set by setPasswordMinimumSymbols(ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to
aggregate all admins. |
Returns | |
---|---|
int |
The minimum number of symbols required in the password. |
getPasswordMinimumUpperCase
public int getPasswordMinimumUpperCase (ComponentName admin)
Retrieve the current number of upper case letters required in the password
for a particular admin or all admins that set restrictions on this user and
its participating profiles. Restrictions on profiles that have a separate challenge
are not taken into account.
This is the same value as set by
setPasswordMinimumUpperCase(ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to
aggregate all admins. |
Returns | |
---|---|
int |
The minimum number of upper case letters required in the password. |
getPasswordQuality
public int getPasswordQuality (ComponentName admin)
Retrieve the current minimum password quality for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate
all admins.
|
Returns | |
---|---|
int |
getPendingSystemUpdate
public SystemUpdateInfo getPendingSystemUpdate (ComponentName admin)
Called by device or profile owners to get information about a pending system update.
Parameters | |
---|---|
admin |
ComponentName : Which profile or device owner this request is associated with.This value must never be |
Returns | |
---|---|
SystemUpdateInfo |
Information about a pending system update or null if no update pending. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
getPermissionGrantState
public int getPermissionGrantState (ComponentName admin, String packageName, String permission)
Returns the current grant state of a runtime permission for a specific application. This
function can be called by a device owner, profile owner, or by a delegate given the
DELEGATION_PERMISSION_GRANT
scope via setDelegatedScopes(ComponentName, String, List
.
Parameters | |
---|---|
admin |
ComponentName : Which profile or device owner this request is associated with, or null
if the caller is a permission grant delegate. |
packageName |
String : The application to check the grant state for. |
permission |
String : The permission to check for. |
Returns | |
---|---|
int |
the current grant state specified by device policy. If the profile or device owner
has not set a grant state, the return value is
PERMISSION_GRANT_STATE_DEFAULT . This does not indicate whether or not the
permission is currently granted for the package.
If a grant state was set by the profile or device owner, then the return value will
be one of PERMISSION_GRANT_STATE_DENIED or
PERMISSION_GRANT_STATE_GRANTED , which indicates if the permission is
currently denied or granted. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
getPermissionPolicy
public int getPermissionPolicy (ComponentName admin)
Returns the current runtime permission policy set by the device or profile owner. The
default is PERMISSION_POLICY_PROMPT
.
Parameters | |
---|---|
admin |
ComponentName : Which profile or device owner this request is associated with. |
Returns | |
---|---|
int |
the current policy for future permission requests. |
getPermittedAccessibilityServices
public List<String> getPermittedAccessibilityServices (ComponentName admin)
Returns the list of permitted accessibility services set by this device or profile owner.
An empty list means no accessibility services except system services are allowed. Null means all accessibility services are allowed.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
List<String> |
List of accessiblity service package names. This value may be |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
getPermittedCrossProfileNotificationListeners
public List<String> getPermittedCrossProfileNotificationListeners (ComponentName admin)
Returns the list of packages installed on the primary user that allowed to use a
NotificationListenerService
to receive
notifications from this managed profile, as set by the profile owner.
An empty list means no notification listener services except system ones are allowed.
A null
return value indicates that all notification listeners are allowed.
Parameters | |
---|---|
admin |
ComponentName This value must never be |
Returns | |
---|---|
List<String> |
This value may be |
getPermittedInputMethods
public List<String> getPermittedInputMethods (ComponentName admin)
Returns the list of permitted input methods set by this device or profile owner.
An empty list means no input methods except system input methods are allowed. Null means all input methods are allowed.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
List<String> |
List of input method package names. This value may be |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
getRequiredStrongAuthTimeout
public long getRequiredStrongAuthTimeout (ComponentName admin)
Determine for how long the user will be able to use secondary, non strong auth for authentication, since last strong method authentication (password, pin or pattern) was used. After the returned timeout the user is required to use strong authentication method.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate
across all participating admins. |
Returns | |
---|---|
long |
The timeout in milliseconds or 0 if not configured for the provided admin. |
getScreenCaptureDisabled
public boolean getScreenCaptureDisabled (ComponentName admin)
Determine whether or not screen capture has been disabled by the calling admin, if specified, or all admins.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to check whether any admins
have disabled screen capture.
|
Returns | |
---|---|
boolean |
getSecondaryUsers
public List<UserHandle> getSecondaryUsers (ComponentName admin)
Called by a device owner to list all secondary users on the device. Managed profiles are not considered as secondary users.
Used for various user management APIs, including switchUser(ComponentName, UserHandle)
, removeUser(ComponentName, UserHandle)
and stopUser(ComponentName, UserHandle)
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
List<UserHandle> |
list of other UserHandle s on the device. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
getShortSupportMessage
public CharSequence getShortSupportMessage (ComponentName admin)
Called by a device admin to get the short support message.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
CharSequence |
The message set by setShortSupportMessage(ComponentName, CharSequence) or
null if no message has been set. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator.
|
getStartUserSessionMessage
public CharSequence getStartUserSessionMessage (ComponentName admin)
Returns the user session start message.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
CharSequence |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
getStorageEncryption
public boolean getStorageEncryption (ComponentName admin)
Called by an application that is administering the device to determine the requested setting for secure storage.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. If null,
this will return the requested encryption setting as an aggregate of all active
administrators. |
Returns | |
---|---|
boolean |
true if the admin(s) are requesting encryption, false if not. |
getStorageEncryptionStatus
public int getStorageEncryptionStatus ()
Called by an application that is administering the device to determine the current encryption status of the device.
Depending on the returned status code, the caller may proceed in different
ways. If the result is ENCRYPTION_STATUS_UNSUPPORTED
, the
storage system does not support encryption. If the
result is ENCRYPTION_STATUS_INACTIVE
, use ACTION_START_ENCRYPTION
to begin the process of encrypting or decrypting the
storage. If the result is ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY
, the
storage system has enabled encryption but no password is set so further action
may be required. If the result is ENCRYPTION_STATUS_ACTIVATING
,
ENCRYPTION_STATUS_ACTIVE
or ENCRYPTION_STATUS_ACTIVE_PER_USER
,
no further action is required.
Returns | |
---|---|
int |
current status of encryption. The value will be one of
ENCRYPTION_STATUS_UNSUPPORTED , ENCRYPTION_STATUS_INACTIVE ,
ENCRYPTION_STATUS_ACTIVATING , ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY ,
ENCRYPTION_STATUS_ACTIVE , or ENCRYPTION_STATUS_ACTIVE_PER_USER .
|
getSystemUpdatePolicy
public SystemUpdatePolicy getSystemUpdatePolicy ()
Retrieve a local system update policy set previously by setSystemUpdatePolicy(ComponentName, SystemUpdatePolicy)
.
Returns | |
---|---|
SystemUpdatePolicy |
The current policy object, or null if no policy is set.
|
getTransferOwnershipBundle
public PersistableBundle getTransferOwnershipBundle ()
Returns the data passed from the current administrator to the new administrator during an
ownership transfer. This is the same bundle
passed in
transferOwnership(ComponentName, ComponentName, PersistableBundle)
. The bundle is
persisted until the profile owner or device owner is removed.
This is the same bundle
received in the
DeviceAdminReceiver.onTransferOwnershipComplete(Context, PersistableBundle)
.
Use this method to retrieve it after the transfer as long as the new administrator is the
active device or profile owner.
Returns null
if no ownership transfer was started for the calling user.
Returns | |
---|---|
PersistableBundle |
This value may be |
Throws | |
---|---|
SecurityException |
if the caller is not a device or profile owner. |
getTrustAgentConfiguration
public List<PersistableBundle> getTrustAgentConfiguration (ComponentName admin, ComponentName agent)
Gets configuration for the given trust agent based on aggregating all calls to
setTrustAgentConfiguration(ComponentName, ComponentName, PersistableBundle)
for
all device admins.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to retrieve the configuration set
on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. If null,
this function returns a list of configurations for all admins that declare
KEYGUARD_DISABLE_TRUST_AGENTS . If any admin declares
KEYGUARD_DISABLE_TRUST_AGENTS but doesn't call
setTrustAgentConfiguration(ComponentName, ComponentName, PersistableBundle)
for this or calls it with a null configuration, null is returned. |
agent |
ComponentName : Which component to get enabled features for.This value must never be |
Returns | |
---|---|
List<PersistableBundle> |
configuration for the given trust agent.
This value may be |
getUserRestrictions
public Bundle getUserRestrictions (ComponentName admin)
Called by a profile or device owner to get user restrictions set with
addUserRestriction(ComponentName, String)
.
The target user may have more restrictions set by the system or other device owner / profile
owner. To get all the user restrictions currently set, use
UserManager.getUserRestrictions()
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
Bundle |
This value will never be |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
getWifiMacAddress
public String getWifiMacAddress (ComponentName admin)
Called by device owner to get the MAC address of the Wi-Fi device.
Parameters | |
---|---|
admin |
ComponentName : Which device owner this request is associated with.This value must never be |
Returns | |
---|---|
String |
the MAC address of the Wi-Fi device, or null when the information is not available.
(For example, Wi-Fi hasn't been enabled, or the device doesn't support Wi-Fi.)
The address will be in the |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
hasCaCertInstalled
public boolean hasCaCertInstalled (ComponentName admin, byte[] certBuffer)
Returns whether this certificate is installed as a trusted CA.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate installer. |
certBuffer |
byte : encoded form of the certificate to look up. |
Returns | |
---|---|
boolean |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner.
|
hasGrantedPolicy
public boolean hasGrantedPolicy (ComponentName admin, int usesPolicy)
Returns true if an administrator has been granted a particular device policy. This can be used to check whether the administrator was activated under an earlier set of policies, but requires additional policies after an upgrade.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Must be an
active administrator, or an exception will be thrown.This value must never be |
usesPolicy |
int : Which uses-policy to check, as defined in DeviceAdminInfo . |
Returns | |
---|---|
boolean |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator.
|
installCaCert
public boolean installCaCert (ComponentName admin, byte[] certBuffer)
Installs the given certificate as a user CA.
Inserted user CAs aren't automatically trusted by apps in Android 7.0 (API level 24) and
higher. App developers can change the default behavior for an app by adding a
Security Configuration
File to the app manifest file.
The caller must be a profile or device owner on that user, or a delegate package given the
DELEGATION_CERT_INSTALL
scope via setDelegatedScopes(ComponentName, String, List
; otherwise a
security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate installer. |
certBuffer |
byte : encoded form of the certificate to install. |
Returns | |
---|---|
boolean |
false if the certBuffer cannot be parsed or installation is interrupted, true otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner. |
installExistingPackage
public boolean installExistingPackage (ComponentName admin, String packageName)
Install an existing package that has been installed in another user, or has been kept after
removal via setKeepUninstalledPackages(ComponentName, List
.
This function can be called by a device owner, profile owner or a delegate given
the DELEGATION_INSTALL_EXISTING_PACKAGE
scope via setDelegatedScopes(ComponentName, String, List
.
When called in a secondary user or managed profile, the user/profile must be affiliated with
the device. See isAffiliatedUser()
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
packageName |
String : The package to be installed in the calling profile. |
Returns | |
---|---|
boolean |
true if the app is installed; false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not the device owner, or the profile owner of
an affiliated user or profile. |
installKeyPair
public boolean installKeyPair (ComponentName admin, PrivateKey privKey, Certificate[] certs, String alias, int flags)
Called by a device or profile owner, or delegated certificate installer, to install a certificate chain and corresponding private key for the leaf certificate. All apps within the profile will be able to access the certificate chain and use the private key, given direct user approval (if the user is allowed to select the private key).
The caller of this API may grant itself access to the certificate and private key immediately, without user approval. It is a best practice not to request this unless strictly necessary since it opens up additional security vulnerabilities.
Include INSTALLKEY_SET_USER_SELECTABLE
in the flags
argument to allow
the user to select the key from a dialog.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate installer. |
privKey |
PrivateKey : The private key to install.This value must never be |
certs |
Certificate : The certificate chain to install. The chain should start with the leaf
certificate and include the chain of trust in order. This will be returned by
KeyChain.getCertificateChain(Context, String) .This value must never be |
alias |
String : The private key alias under which to install the certificate. If a certificate
with that alias already exists, it will be overwritten.This value must never be |
flags |
int : Flags to request that the calling app be granted access to the credentials
and set the key to be user-selectable. See INSTALLKEY_SET_USER_SELECTABLE and
INSTALLKEY_REQUEST_CREDENTIALS_ACCESS . |
Returns | |
---|---|
boolean |
true if the keys were installed, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner. |
installKeyPair
public boolean installKeyPair (ComponentName admin, PrivateKey privKey, Certificate[] certs, String alias, boolean requestAccess)
Called by a device or profile owner, or delegated certificate installer, to install a certificate chain and corresponding private key for the leaf certificate. All apps within the profile will be able to access the certificate chain and use the private key, given direct user approval.
The caller of this API may grant itself access to the certificate and private key immediately, without user approval. It is a best practice not to request this unless strictly necessary since it opens up additional security vulnerabilities.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate installer. |
privKey |
PrivateKey : The private key to install.This value must never be |
certs |
Certificate : The certificate chain to install. The chain should start with the leaf
certificate and include the chain of trust in order. This will be returned by
KeyChain.getCertificateChain(Context, String) .This value must never be |
alias |
String : The private key alias under which to install the certificate. If a certificate
with that alias already exists, it will be overwritten.This value must never be |
requestAccess |
boolean : true to request that the calling app be granted access to the
credentials immediately. Otherwise, access to the credentials will be gated by user
approval. |
Returns | |
---|---|
boolean |
true if the keys were installed, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner. |
installKeyPair
public boolean installKeyPair (ComponentName admin, PrivateKey privKey, Certificate cert, String alias)
Called by a device or profile owner, or delegated certificate installer, to install a certificate and corresponding private key. All apps within the profile will be able to access the certificate and use the private key, given direct user approval.
Access to the installed credentials will not be granted to the caller of this API without direct user approval. This is for security - should a certificate installer become compromised, certificates it had already installed will be protected.
If the installer must have access to the credentials, call
installKeyPair(ComponentName, PrivateKey, Certificate[], String, boolean)
instead.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate installer. |
privKey |
PrivateKey : The private key to install.This value must never be |
cert |
Certificate : The certificate to install.This value must never be |
alias |
String : The private key alias under which to install the certificate. If a certificate
with that alias already exists, it will be overwritten.This value must never be |
Returns | |
---|---|
boolean |
true if the keys were installed, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner. |
isActivePasswordSufficient
public boolean isActivePasswordSufficient ()
Determine whether the current password the user has set is sufficient to meet the policy requirements (e.g. quality, minimum length) that have been requested by the admins of this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account. The user must be unlocked in order to perform the check.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has
not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to determine if the password set on
the parent profile is sufficient.
Returns | |
---|---|
boolean |
Returns true if the password meets the current requirements, else false. |
Throws | |
---|---|
SecurityException |
if the calling application does not own an active administrator
that uses DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD |
IllegalStateException |
if the user is not unlocked. |
isAdminActive
public boolean isAdminActive (ComponentName admin)
Return true if the given administrator component is currently active (enabled) in the system.
Parameters | |
---|---|
admin |
ComponentName : The administrator component to check for.This value must never be |
Returns | |
---|---|
boolean |
true if admin is currently enabled in the system, false
otherwise
|
isAffiliatedUser
public boolean isAffiliatedUser ()
Returns whether this user/profile is affiliated with the device.
By definition, the user that the device owner runs on is always affiliated with the device.
Any other user/profile is considered affiliated with the device if the set specified by its
profile owner via setAffiliationIds(ComponentName, Set
intersects with the device owner's.
Returns | |
---|---|
boolean |
See also:
isApplicationHidden
public boolean isApplicationHidden (ComponentName admin, String packageName)
Determine if a package is hidden. This function can be called by a device owner, profile
owner, or by a delegate given the DELEGATION_PACKAGE_ACCESS
scope via
setDelegatedScopes(ComponentName, String, List
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is a package access delegate. |
packageName |
String : The name of the package to retrieve the hidden status of. |
Returns | |
---|---|
boolean |
boolean true if the package is hidden, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
isBackupServiceEnabled
public boolean isBackupServiceEnabled (ComponentName admin)
Return whether the backup service is enabled by the device owner.
Backup service manages all backup and restore mechanisms on the device.
Parameters | |
---|---|
admin |
ComponentName This value must never be |
Returns | |
---|---|
boolean |
true if backup service is enabled, false otherwise. |
isCallerApplicationRestrictionsManagingPackage
public boolean isCallerApplicationRestrictionsManagingPackage ()
This method was deprecated
in API level 26.
From Build.VERSION_CODES.O
. Use getDelegatedScopes(ComponentName, String)
instead.
Called by any application to find out whether it has been granted permission via
setApplicationRestrictionsManagingPackage(ComponentName, String)
to manage application restrictions
for the calling user.
This is done by comparing the calling Linux uid with the uid of the package specified by that method.
Returns | |
---|---|
boolean |
isDeviceIdAttestationSupported
public boolean isDeviceIdAttestationSupported ()
Returns true
if the device supports attestation of device identifiers in addition
to key attestation.
Returns | |
---|---|
boolean |
true if Device ID attestation is supported.
|
isDeviceOwnerApp
public boolean isDeviceOwnerApp (String packageName)
Used to determine if a particular package has been registered as a Device Owner app.
A device owner app is a special device admin that cannot be deactivated by the user, once
activated as a device admin. It also cannot be uninstalled. To check whether a particular
package is currently registered as the device owner app, pass in the package name from
Context.getPackageName()
to this method.
Parameters | |
---|---|
packageName |
String : the package name of the app, to compare with the registered device owner
app, if any. |
Returns | |
---|---|
boolean |
whether or not the package is registered as the device owner app. |
isEphemeralUser
public boolean isEphemeralUser (ComponentName admin)
Checks if the profile owner is running in an ephemeral user.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
boolean |
whether the profile owner is running in an ephemeral user. |
isLockTaskPermitted
public boolean isLockTaskPermitted (String pkg)
This function lets the caller know whether the given component is allowed to start the lock task mode.
Parameters | |
---|---|
pkg |
String : The package to check
|
Returns | |
---|---|
boolean |
isLogoutEnabled
public boolean isLogoutEnabled ()
Returns whether logout is enabled by a device owner.
Returns | |
---|---|
boolean |
true if logout is enabled by device owner, false otherwise.
|
isManagedProfile
public boolean isManagedProfile (ComponentName admin)
Return if this user is a managed profile of another user. An admin can become the profile
owner of a managed profile with ACTION_PROVISION_MANAGED_PROFILE
and of a managed
user with createAndManageUser(ComponentName, String, ComponentName, PersistableBundle, int)
Parameters | |
---|---|
admin |
ComponentName : Which profile owner this request is associated with.This value must never be |
Returns | |
---|---|
boolean |
if this user is a managed profile of another user. |
isMasterVolumeMuted
public boolean isMasterVolumeMuted (ComponentName admin)
Called by profile or device owners to check whether the master volume mute is on or off.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
boolean |
true if master volume is muted, false if it's not. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
isNetworkLoggingEnabled
public boolean isNetworkLoggingEnabled (ComponentName admin)
Return whether network logging is enabled by a device owner.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Can only
be null if the caller has MANAGE_USERS permission. |
Returns | |
---|---|
boolean |
true if network logging is enabled by device owner, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner and caller has
no MANAGE_USERS permission
|
isOverrideApnEnabled
public boolean isOverrideApnEnabled (ComponentName admin)
Called by device owner to check if override APNs are currently enabled.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated withThis value must never be |
Returns | |
---|---|
boolean |
true if override APNs are currently enabled, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
isPackageSuspended
public boolean isPackageSuspended (ComponentName admin, String packageName)
Determine if a package is suspended. This function can be called by a device owner, profile
owner, or by a delegate given the DELEGATION_PACKAGE_ACCESS
scope via
setDelegatedScopes(ComponentName, String, List
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is a package access delegate. |
packageName |
String : The name of the package to retrieve the suspended status of. |
Returns | |
---|---|
boolean |
true if the package is suspended or false if the package is not
suspended, could not be found or an error occurred. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
PackageManager.NameNotFoundException |
if the package could not be found. |
isProfileOwnerApp
public boolean isProfileOwnerApp (String packageName)
Used to determine if a particular package is registered as the profile owner for the user. A profile owner is a special device admin that has additional privileges within the profile.
Parameters | |
---|---|
packageName |
String : The package name of the app to compare with the registered profile owner. |
Returns | |
---|---|
boolean |
Whether or not the package is registered as the profile owner. |
isProvisioningAllowed
public boolean isProvisioningAllowed (String action)
Returns whether it is possible for the caller to initiate provisioning of a managed profile or device, setting itself as the device or profile owner.
Parameters | |
---|---|
action |
String : One of ACTION_PROVISION_MANAGED_DEVICE ,
ACTION_PROVISION_MANAGED_PROFILE .This value must never be |
Returns | |
---|---|
boolean |
whether provisioning a managed profile or device is possible. |
Throws | |
---|---|
IllegalArgumentException |
if the supplied action is not valid. |
isResetPasswordTokenActive
public boolean isResetPasswordTokenActive (ComponentName admin)
Called by a profile or device owner to check if the current reset password token is active.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. |
Returns | |
---|---|
boolean |
true if the token is active, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
IllegalStateException |
if no token has been set. |
isSecurityLoggingEnabled
public boolean isSecurityLoggingEnabled (ComponentName admin)
Return whether security logging is enabled or not by the device owner.
Can only be called by the device owner, otherwise a SecurityException
will be
thrown.
Parameters | |
---|---|
admin |
ComponentName : Which device owner this request is associated with.This value may be |
Returns | |
---|---|
boolean |
true if security logging is enabled by device owner, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
isUninstallBlocked
public boolean isUninstallBlocked (ComponentName admin, String packageName)
Check whether the user has been blocked by device policy from uninstalling a package. Requires the caller to be the profile owner if checking a specific admin's policy.
Note: Starting from Build.VERSION_CODES.LOLLIPOP_MR1
, the
behavior of this API is changed such that passing null
as the admin
parameter
will return if any admin has blocked the uninstallation. Before L MR1, passing null
will cause a NullPointerException to be raised.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component whose blocking policy will be checked, or
null to check whether any admin has blocked the uninstallation. |
packageName |
String : package to check. |
Returns | |
---|---|
boolean |
true if uninstallation is blocked. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
isUsingUnifiedPassword
public boolean isUsingUnifiedPassword (ComponentName admin)
When called by a profile owner of a managed profile returns true if the profile uses unified challenge with its parent user. Note: This method is not concerned with password quality and will return false if the profile has empty password as a separate challenge.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
boolean |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner of a managed profile. |
See also:
lockNow
public void lockNow ()
Make the device lock immediately, as if the lock screen timeout has expired at the point of this call.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_FORCE_LOCK
to be able to call this method; if it has not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to lock the parent profile.
Equivalent to calling lockNow(int)
with no flags.
Throws | |
---|---|
SecurityException |
if the calling application does not own an active administrator
that uses DeviceAdminInfo.USES_POLICY_FORCE_LOCK
|
lockNow
public void lockNow (int flags)
Make the device lock immediately, as if the lock screen timeout has expired at the point of this call.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_FORCE_LOCK
to be able to call this method; if it has not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to lock the parent profile.
Parameters | |
---|---|
flags |
int : May be 0 or FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY .Value is either |
Throws | |
---|---|
SecurityException |
if the calling application does not own an active administrator
that uses DeviceAdminInfo.USES_POLICY_FORCE_LOCK or the
FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY flag is passed by an application
that is not a profile
owner of a managed profile. |
IllegalArgumentException |
if the FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY flag is
passed when locking the parent profile. |
UnsupportedOperationException |
if the FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY
flag is passed when getStorageEncryptionStatus() does not return
ENCRYPTION_STATUS_ACTIVE_PER_USER .
|
logoutUser
public int logoutUser (ComponentName admin)
Called by a profile owner of secondary user that is affiliated with the device to stop the calling user and switch back to primary.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner affiliated with the device. |
See also:
reboot
public void reboot (ComponentName admin)
Called by device owner to reboot the device. If there is an ongoing call on the device,
throws an IllegalStateException
.
Parameters | |
---|---|
admin |
ComponentName : Which device owner the request is associated with.This value must never be |
Throws | |
---|---|
IllegalStateException |
if device has an ongoing call. |
SecurityException |
if admin is not a device owner. |
See also:
removeActiveAdmin
public void removeActiveAdmin (ComponentName admin)
Remove a current administration component. This can only be called by the application that owns the administration component; if you try to remove someone else's component, a security exception will be thrown.
Note that the operation is not synchronous and the admin might still be active (as
indicated by getActiveAdmins()
) by the time this method returns.
Parameters | |
---|---|
admin |
ComponentName : The administration compononent to remove.This value must never be |
Throws | |
---|---|
SecurityException |
if the caller is not in the owner application of admin .
|
removeCrossProfileWidgetProvider
public boolean removeCrossProfileWidgetProvider (ComponentName admin, String packageName)
Called by the profile owner of a managed profile to disable widget providers from a given
package to be available in the parent profile. For this method to take effect the package
should have been added via
addCrossProfileWidgetProvider(android.content.ComponentName, String)
.
Note: By default no widget provider package is white-listed.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
packageName |
String : The package from which widget providers are no longer white-listed. |
Returns | |
---|---|
boolean |
Whether the package was removed. |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner. |
removeKeyPair
public boolean removeKeyPair (ComponentName admin, String alias)
Called by a device or profile owner, or delegated certificate installer, to remove a certificate and private key pair installed under a given alias.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate installer. |
alias |
String : The private key alias under which the certificate is installed.This value must never be |
Returns | |
---|---|
boolean |
true if the private key alias no longer exists, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner. |
removeOverrideApn
public boolean removeOverrideApn (ComponentName admin, int apnId)
Called by device owner to remove an override APN.
This method may returns false
if there is no override APN with the given
apnId
.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated withThis value must never be |
apnId |
int : the id of the override APN to remove |
Returns | |
---|---|
boolean |
true if the required override APN is successfully removed, false
otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
removeUser
public boolean removeUser (ComponentName admin, UserHandle userHandle)
Called by a device owner to remove a user/profile and all associated data. The primary user can not be removed.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
userHandle |
UserHandle : the user to remove.This value must never be |
Returns | |
---|---|
boolean |
true if the user was removed, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
requestBugreport
public boolean requestBugreport (ComponentName admin)
Called by a device owner to request a bugreport.
If the device contains secondary users or profiles, they must be affiliated with the device.
Otherwise a SecurityException
will be thrown. See isAffiliatedUser()
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Returns | |
---|---|
boolean |
true if the bugreport collection started successfully, or false if it
wasn't triggered because a previous bugreport operation is still active (either the
bugreport is still running or waiting for the user to share or decline) |
Throws | |
---|---|
SecurityException |
if admin is not a device owner, or there is at least one
profile or secondary user that is not affiliated with the device. |
See also:
resetPassword
public boolean resetPassword (String password, int flags)
Force a new password for device unlock (the password needed to access the entire device) or the work profile challenge on the current user. This takes effect immediately.
For device owner and profile owners targeting SDK level
Build.VERSION_CODES.O
or above, this API is no longer available and will
throw SecurityException
. Please use the new API resetPasswordWithToken(ComponentName, String, byte[], int)
instead.
Note: This API has been limited as of Build.VERSION_CODES.N
for
device admins that are not device owner and not profile owner.
The password can now only be changed if there is currently no password set. Device owner
and profile owner can still do this when user is unlocked and does not have a managed
profile.
The given password must be sufficient for the current password quality and length constraints
as returned by getPasswordQuality(ComponentName)
and
getPasswordMinimumLength(ComponentName)
; if it does not meet these constraints, then
it will be rejected and false returned. Note that the password may be a stronger quality
(containing alphanumeric characters when the requested quality is only numeric), in which
case the currently active quality will be increased to match.
Calling with a null or empty password will clear any existing PIN, pattern or password if the
current password constraints allow it. Note: This will not work in
Build.VERSION_CODES.N
and later for managed profiles, or for device admins
that are not device owner or profile owner. Once set, the password cannot be changed to null
or empty except by these admins.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_RESET_PASSWORD
to be able to call this method; if it has
not, a security exception will be thrown.
Parameters | |
---|---|
password |
String : The new password for the user. Null or empty clears the password. |
flags |
int : May be 0 or combination of RESET_PASSWORD_REQUIRE_ENTRY and
RESET_PASSWORD_DO_NOT_ASK_CREDENTIALS_ON_BOOT . |
Returns | |
---|---|
boolean |
Returns true if the password was applied, or false if it is not acceptable for the current constraints or if the user has not been decrypted yet. |
Throws | |
---|---|
SecurityException |
if the calling application does not own an active administrator
that uses DeviceAdminInfo.USES_POLICY_RESET_PASSWORD |
IllegalStateException |
if the calling user is locked or has a managed profile. |
resetPasswordWithToken
public boolean resetPasswordWithToken (ComponentName admin, String password, byte[] token, int flags)
Called by device or profile owner to force set a new device unlock password or a managed profile challenge on current user. This takes effect immediately.
Unlike resetPassword(String, int)
, this API can change the password even before the user or
device is unlocked or decrypted. The supplied token must have been previously provisioned via
setResetPasswordToken(ComponentName, byte[])
, and in active state isResetPasswordTokenActive(ComponentName)
.
The given password must be sufficient for the current password quality and length constraints
as returned by getPasswordQuality(ComponentName)
and
getPasswordMinimumLength(ComponentName)
; if it does not meet these constraints, then
it will be rejected and false returned. Note that the password may be a stronger quality, for
example, a password containing alphanumeric characters when the requested quality is only
numeric.
Calling with a null
or empty password will clear any existing PIN, pattern or
password if the current password constraints allow it.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
password |
String : The new password for the user. null or empty clears the password. |
token |
byte : the password reset token previously provisioned by
setResetPasswordToken(ComponentName, byte[]) . |
flags |
int : May be 0 or combination of RESET_PASSWORD_REQUIRE_ENTRY and
RESET_PASSWORD_DO_NOT_ASK_CREDENTIALS_ON_BOOT . |
Returns | |
---|---|
boolean |
Returns true if the password was applied, or false if it is not acceptable for the current constraints. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
IllegalStateException |
if the provided token is not valid. |
retrieveNetworkLogs
public List<NetworkEvent> retrieveNetworkLogs (ComponentName admin, long batchToken)
Called by device owner to retrieve the most recent batch of network logging events.
A device owner has to provide a batchToken provided as part of
DeviceAdminReceiver.onNetworkLogsAvailable(Context, Intent, long, int)
callback. If the token doesn't match the
token of the most recent available batch of logs, null
will be returned.
NetworkEvent
can be one of DnsEvent
or ConnectEvent
.
The list of network events is sorted chronologically, and contains at most 1200 events.
Access to the logs is rate limited and this method will only return a new batch of logs
after the device device owner has been notified via
DeviceAdminReceiver.onNetworkLogsAvailable(Context, Intent, long, int)
.
If a secondary user or profile is created, calling this method will throw a
SecurityException
until all users become affiliated again. It will also no longer be
possible to retrieve the network logs batch with the most recent batchToken provided
by DeviceAdminReceiver.onNetworkLogsAvailable(Context, Intent, long, int)
. See
setAffiliationIds(ComponentName, Set
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
batchToken |
long : A token of the batch to retrieve |
Returns | |
---|---|
List<NetworkEvent> |
A new batch of network logs which is a list of NetworkEvent . Returns
null if the batch represented by batchToken is no longer available or if
logging is disabled. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner, or there is at least one
profile or secondary user that is not affiliated with the device. |
retrievePreRebootSecurityLogs
public List<SecurityLog.SecurityEvent> retrievePreRebootSecurityLogs (ComponentName admin)
Called by device owners to retrieve device logs from before the device's last reboot.
This API is not supported on all devices. Calling this API on unsupported devices
will result in null
being returned. The device logs are retrieved from a RAM region
which is not guaranteed to be corruption-free during power cycles, as a result be cautious
about data corruption when parsing.
If there is any other user or profile on the device, it must be affiliated with the
device. Otherwise a SecurityException
will be thrown. See isAffiliatedUser()
.
Parameters | |
---|---|
admin |
ComponentName : Which device owner this request is associated with.This value must never be |
Returns | |
---|---|
List<SecurityLog.SecurityEvent> |
Device logs from before the latest reboot of the system, or null if this API
is not supported on the device. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner, or there is at least one
profile or secondary user that is not affiliated with the device. |
retrieveSecurityLogs
public List<SecurityLog.SecurityEvent> retrieveSecurityLogs (ComponentName admin)
Called by device owner to retrieve all new security logging entries since the last call to this API after device boots.
Access to the logs is rate limited and it will only return new logs after the device
owner has been notified via DeviceAdminReceiver.onSecurityLogsAvailable(Context, Intent)
.
If there is any other user or profile on the device, it must be affiliated with the
device. Otherwise a SecurityException
will be thrown. See isAffiliatedUser()
.
Parameters | |
---|---|
admin |
ComponentName : Which device owner this request is associated with.This value must never be |
Returns | |
---|---|
List<SecurityLog.SecurityEvent> |
the new batch of security logs which is a list of SecurityLog.SecurityEvent ,
or null if rate limitation is exceeded or if logging is currently disabled. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner, or there is at least one
profile or secondary user that is not affiliated with the device. |
setAccountManagementDisabled
public void setAccountManagementDisabled (ComponentName admin, String accountType, boolean disabled)
Called by a device owner or profile owner to disable account management for a specific type of account.
The calling device admin must be a device owner or profile owner. If it is not, a security exception will be thrown.
When account management is disabled for an account type, adding or removing an account of that type will not be possible.
From Build.VERSION_CODES.N
the profile or device owner can still use
AccountManager
APIs to add or remove accounts when account
management for a specific type is disabled.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
accountType |
String : For which account management is disabled or enabled. |
disabled |
boolean : The boolean indicating that account management will be disabled (true) or
enabled (false). |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
setAffiliationIds
public void setAffiliationIds (ComponentName admin, Set<String> ids)
Indicates the entity that controls the device or profile owner. Two users/profiles are affiliated if the set of ids set by their device or profile owners intersect.
A user/profile that is affiliated with the device owner user is considered to be affiliated with the device.
Note: Features that depend on user affiliation (such as security logging
or bindDeviceAdminServiceAsUser(ComponentName, Intent, ServiceConnection, int, UserHandle)
) won't be available when a secondary user or profile
is created, until it becomes affiliated. Therefore it is recommended that the appropriate
affiliation ids are set by its profile owner as soon as possible after the user/profile is
created.
Parameters | |
---|---|
admin |
ComponentName : Which profile or device owner this request is associated with.This value must never be |
ids |
Set : A set of opaque non-empty affiliation ids.This value must never be |
Throws | |
---|---|
IllegalArgumentException |
if ids is null or contains an empty string. |
See also:
setAlwaysOnVpnPackage
public void setAlwaysOnVpnPackage (ComponentName admin, String vpnPackage, boolean lockdownEnabled)
Called by a device or profile owner to configure an always-on VPN connection through a specific application for the current user. This connection is automatically granted and persisted after a reboot.
To support the always-on feature, an app must
- declare a
VpnService
in its manifest, guarded byManifest.permission.BIND_VPN_SERVICE
; - target
API 24
or above; and - not explicitly opt out of the feature through
VpnService.SERVICE_META_DATA_SUPPORTS_ALWAYS_ON
.
Parameters | |
---|---|
admin |
ComponentName This value must never be |
vpnPackage |
String : The package name for an installed VPN app on the device, or null to
remove an existing always-on VPN configuration. |
lockdownEnabled |
boolean : true to disallow networking when the VPN is not connected or
false otherwise. This carries the risk that any failure of the VPN provider
could break networking for all apps. This has no effect when clearing. |
Throws | |
---|---|
SecurityException |
if admin is not a device or a profile owner. |
PackageManager.NameNotFoundException |
if vpnPackage is not installed. |
UnsupportedOperationException |
if vpnPackage exists but does not support being
set as always-on, or if always-on VPN is not available.
|
setApplicationHidden
public boolean setApplicationHidden (ComponentName admin, String packageName, boolean hidden)
Hide or unhide packages. When a package is hidden it is unavailable for use, but the data and
actual package file remain. This function can be called by a device owner, profile owner, or
by a delegate given the DELEGATION_PACKAGE_ACCESS
scope via
setDelegatedScopes(ComponentName, String, List
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is a package access delegate. |
packageName |
String : The name of the package to hide or unhide. |
hidden |
boolean : true if the package should be hidden, false if it should be
unhidden. |
Returns | |
---|---|
boolean |
boolean Whether the hidden setting of the package was successfully updated. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
setApplicationRestrictions
public void setApplicationRestrictions (ComponentName admin, String packageName, Bundle settings)
Sets the application restrictions for a given target application running in the calling user.
The caller must be a profile or device owner on that user, or the package allowed to manage
application restrictions via setDelegatedScopes(ComponentName, String, List
with the
DELEGATION_APP_RESTRICTIONS
scope; otherwise a security exception will be thrown.
The provided Bundle
consists of key-value pairs, where the types of values may be:
boolean
int
String
orString[]
- From
Build.VERSION_CODES.M
,Bundle
orBundle[]
If the restrictions are not available yet, but may be applied in the near future, the caller
can notify the target application of that by adding
UserManager.KEY_RESTRICTIONS_PENDING
to the settings parameter.
The application restrictions are only made visible to the target application via
UserManager.getApplicationRestrictions(String)
, in addition to the profile or device
owner, and the application restrictions managing package via
getApplicationRestrictions(ComponentName, String)
.
NOTE: The method performs disk I/O and shouldn't be called on the main thread
This method may take several seconds to complete, so it should only be called from a worker thread.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if called by the application restrictions managing package. |
packageName |
String : The name of the package to update restricted settings for. |
settings |
Bundle : A Bundle to be parsed by the receiving application, conveying a new
set of active restrictions. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
setApplicationRestrictionsManagingPackage
public void setApplicationRestrictionsManagingPackage (ComponentName admin, String packageName)
This method was deprecated
in API level 26.
From Build.VERSION_CODES.O
. Use setDelegatedScopes(ComponentName, String, List
with the DELEGATION_APP_RESTRICTIONS
scope instead.
Called by a profile owner or device owner to grant permission to a package to manage
application restrictions for the calling user via setApplicationRestrictions(ComponentName, String, Bundle)
and
getApplicationRestrictions(ComponentName, String)
.
This permission is persistent until it is later cleared by calling this method with a
null
value or uninstalling the managing package.
The supplied application restriction managing package must be installed when calling this
API, otherwise an PackageManager.NameNotFoundException
will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
packageName |
String : The package name which will be given access to application restrictions
APIs. If null is given the current package will be cleared. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
PackageManager.NameNotFoundException |
if packageName is not found |
setAutoTimeRequired
public void setAutoTimeRequired (ComponentName admin, boolean required)
Called by a device or profile owner to set whether auto time is required. If auto time is required, no user will be able set the date and time and network date and time will be used.
Note: if auto time is required the user can still manually set the time zone.
The calling device admin must be a device or profile owner. If it is not, a security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
required |
boolean : Whether auto time is set required or not. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
setBackupServiceEnabled
public void setBackupServiceEnabled (ComponentName admin, boolean enabled)
Allows the device owner to enable or disable the backup service.
Backup service manages all backup and restore mechanisms on the device. Setting this to false will prevent data from being backed up or restored.
Backup service is off by default when device owner is present.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
enabled |
boolean : true to enable the backup service, false to disable it. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
setBluetoothContactSharingDisabled
public void setBluetoothContactSharingDisabled (ComponentName admin, boolean disabled)
Called by a profile owner of a managed profile to set whether bluetooth devices can access enterprise contacts.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
This API works on managed profile only.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
disabled |
boolean : If true, bluetooth devices cannot access enterprise contacts. |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner.
|
setCameraDisabled
public void setCameraDisabled (ComponentName admin, boolean disabled)
Called by an application that is administering the device to disable all cameras on the device, for this user. After setting this, no applications running as this user will be able to access any cameras on the device.
If the caller is device owner, then the restriction will be applied to all users.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_DISABLE_CAMERA
to be able to call this method; if it has
not, a security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
disabled |
boolean : Whether or not the camera should be disabled. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or does not use
DeviceAdminInfo.USES_POLICY_DISABLE_CAMERA .
|
setCertInstallerPackage
public void setCertInstallerPackage (ComponentName admin, String installerPackage)
This method was deprecated
in API level 26.
From Build.VERSION_CODES.O
. Use setDelegatedScopes(ComponentName, String, List
with the DELEGATION_CERT_INSTALL
scope instead.
Called by a profile owner or device owner to grant access to privileged certificate
manipulation APIs to a third-party certificate installer app. Granted APIs include
getInstalledCaCerts(ComponentName)
, hasCaCertInstalled(ComponentName, byte[])
, installCaCert(ComponentName, byte[])
,
uninstallCaCert(ComponentName, byte[])
, uninstallAllUserCaCerts(ComponentName)
and installKeyPair(ComponentName, PrivateKey, Certificate, String)
.
Delegated certificate installer is a per-user state. The delegated access is persistent until it is later cleared by calling this method with a null value or uninstallling the certificate installer.
Note:Starting from Build.VERSION_CODES.N
, if the caller
application's target SDK version is Build.VERSION_CODES.N
or newer, the
supplied certificate installer package must be installed when calling this API, otherwise an
IllegalArgumentException
will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
installerPackage |
String : The package name of the certificate installer which will be given
access. If null is given the current package will be cleared. |
Throws | |
---|---|
SecurityException |
if admin is not a device or a profile owner. |
setCrossProfileCallerIdDisabled
public void setCrossProfileCallerIdDisabled (ComponentName admin, boolean disabled)
Called by a profile owner of a managed profile to set whether caller-Id information from the managed profile will be shown in the parent profile, for incoming calls.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
disabled |
boolean : If true caller-Id information in the managed profile is not displayed. |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner.
|
setCrossProfileContactsSearchDisabled
public void setCrossProfileContactsSearchDisabled (ComponentName admin, boolean disabled)
Called by a profile owner of a managed profile to set whether contacts search from the managed profile will be shown in the parent profile, for incoming calls.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
disabled |
boolean : If true contacts search in the managed profile is not displayed. |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner.
|
setDelegatedScopes
public void setDelegatedScopes (ComponentName admin, String delegatePackage, List<String> scopes)
Called by a profile owner or device owner to grant access to privileged APIs to another app.
Granted APIs are determined by scopes
, which is a list of the DELEGATION_*
constants.
A broadcast with the ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED
action will be
sent to the delegatePackage
with its new scopes in an ArrayList<String>
extra
under the EXTRA_DELEGATION_SCOPES
key. The broadcast is sent with the
Intent.FLAG_RECEIVER_REGISTERED_ONLY
flag.
Delegated scopes are a per-user state. The delegated access is persistent until it is later
cleared by calling this method with an empty scopes
list or uninstalling the
delegatePackage
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
delegatePackage |
String : The package name of the app which will be given access.This value must never be |
scopes |
List : The groups of privileged APIs whose access should be granted to
delegatedPackage .This value must never be |
Throws | |
---|---|
SecurityException |
if admin is not a device or a profile owner.
|
setDeviceOwnerLockScreenInfo
public void setDeviceOwnerLockScreenInfo (ComponentName admin, CharSequence info)
Sets the device owner information to be shown on the lock screen.
If the device owner information is null
or empty then the device owner info is
cleared and the user owner info is shown on the lock screen if it is set.
If the device owner information contains only whitespaces then the message on the lock screen will be blank and the user will not be allowed to change it.
If the device owner information needs to be localized, it is the responsibility of the
DeviceAdminReceiver
to listen to the Intent.ACTION_LOCALE_CHANGED
broadcast
and set a new version of this string accordingly.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check.This value must never be |
info |
CharSequence : Device owner information which will be displayed instead of the user owner info. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
setEndUserSessionMessage
public void setEndUserSessionMessage (ComponentName admin, CharSequence endUserSessionMessage)
Called by a device owner to specify the user session end message. This may be displayed during a user switch.
The message should be limited to a short statement or it may be truncated.
If the message needs to be localized, it is the responsibility of the
DeviceAdminReceiver
to listen to the Intent.ACTION_LOCALE_CHANGED
broadcast
and set a new version of this message accordingly.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated with.This value must never be |
endUserSessionMessage |
CharSequence : message for ending user session, or null to use system
default message. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
setGlobalSetting
public void setGlobalSetting (ComponentName admin, String setting, String value)
Called by device owner to update Settings.Global
settings.
Validation that the value of the setting is in the correct form for the setting type should
be performed by the caller.
The settings that can be updated with this method are:
Settings.Global.ADB_ENABLED
Settings.Global.AUTO_TIME
Settings.Global.AUTO_TIME_ZONE
Settings.Global.DATA_ROAMING
Settings.Global.USB_MASS_STORAGE_ENABLED
Settings.Global.WIFI_SLEEP_POLICY
Settings.Global.STAY_ON_WHILE_PLUGGED_IN
This setting is only available fromBuild.VERSION_CODES.M
onwards and can only be set ifsetMaximumTimeToLock(ComponentName, long)
is not used to set a timeout.Settings.Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN
This
setting is only available from
Build.VERSION_CODES.M
onwards.
Changing the following settings has no effect as of Build.VERSION_CODES.M
:
Settings.Global.BLUETOOTH_ON
. UseBluetoothAdapter.enable()
andBluetoothAdapter.disable()
instead.Settings.Global.DEVELOPMENT_SETTINGS_ENABLED
Settings.Global.MODE_RINGER
. UseAudioManager.setRingerMode(int)
instead.Settings.Global.NETWORK_PREFERENCE
Settings.Global.WIFI_ON
. UseWifiManager.setWifiEnabled(boolean)
instead.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
setting |
String : The name of the setting to update. |
value |
String : The value to update the setting to. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
setKeepUninstalledPackages
public void setKeepUninstalledPackages (ComponentName admin, List<String> packageNames)
Set a list of apps to keep around as APKs even if no user has currently installed it. This
function can be called by a device owner or by a delegate given the
DELEGATION_KEEP_UNINSTALLED_PACKAGES
scope via setDelegatedScopes(ComponentName, String, List
.
Please note that setting this policy does not imply that specified apps will be automatically pre-cached.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is a keep uninstalled packages delegate. |
packageNames |
List : List of package names to keep cached.This value must never be |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
setKeyPairCertificate
public boolean setKeyPairCertificate (ComponentName admin, String alias, List<Certificate> certs, boolean isUserSelectable)
Called by a device or profile owner, or delegated certificate installer, to associate
certificates with a key pair that was generated using generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)
, and
set whether the key is available for the user to choose in the certificate selection
prompt.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate installer. |
alias |
String : The private key alias under which to install the certificate. The alias
should denote an existing private key. If a certificate with that alias already
exists, it will be overwritten.This value must never be |
certs |
List : The certificate chain to install. The chain should start with the leaf
certificate and include the chain of trust in order. This will be returned by
KeyChain.getCertificateChain(Context, String) .This value must never be |
isUserSelectable |
boolean : true to indicate that a user can select this key via the
certificate selection prompt, false to indicate that this key can only be
granted access by implementing
DeviceAdminReceiver.onChoosePrivateKeyAlias(Context, Intent, int, Uri, String) . |
Returns | |
---|---|
boolean |
true if the provided alias exists and the certificates has been
successfully associated with it, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner, or admin is null but the calling application is not a delegated
certificate installer.
|
setKeyguardDisabled
public boolean setKeyguardDisabled (ComponentName admin, boolean disabled)
Called by a device owner or profile owner of secondary users that is affiliated with the device to disable the keyguard altogether.
Setting the keyguard to disabled has the same effect as choosing "None" as the screen lock type. However, this call has no effect if a password, pin or pattern is currently set. If a password, pin or pattern is set after the keyguard was disabled, the keyguard stops being disabled.
As of Build.VERSION_CODES.P
, this call also dismisses the
keyguard if it is currently shown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
disabled |
boolean : true disables the keyguard, false reenables it. |
Returns | |
---|---|
boolean |
false if attempting to disable the keyguard while a lock password was in
place. true otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not the device owner, or a profile owner of
secondary user that is affiliated with the device. |
setKeyguardDisabledFeatures
public void setKeyguardDisabledFeatures (ComponentName admin, int which)
Called by an application that is administering the device to disable keyguard customizations, such as widgets. After setting this, keyguard features will be disabled according to the provided feature list.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES
to be able to call this method;
if it has not, a security exception will be thrown.
Calling this from a managed profile before version Build.VERSION_CODES.M
will throw a security exception. From version Build.VERSION_CODES.M
the
profile owner of a managed profile can set:
KEYGUARD_DISABLE_TRUST_AGENTS
, which affects the parent user, but only if there is no separate challenge set on the managed profile.KEYGUARD_DISABLE_FINGERPRINT
,KEYGUARD_DISABLE_FACE
orKEYGUARD_DISABLE_IRIS
which affects the managed profile challenge if there is one, or the parent user otherwise.KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS
which affects notifications generated by applications in the managed profile.
KEYGUARD_DISABLE_TRUST_AGENTS
, KEYGUARD_DISABLE_FINGERPRINT
,
KEYGUARD_DISABLE_FACE
and KEYGUARD_DISABLE_IRIS
can also be
set on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set restrictions on the parent
profile.
Requests to disable other features on a managed profile will be ignored.
The admin can check which features have been disabled by calling
getKeyguardDisabledFeatures(ComponentName)
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
which |
int : The disabled features flag which can be either
KEYGUARD_DISABLE_FEATURES_NONE (default),
KEYGUARD_DISABLE_FEATURES_ALL , or a combination of
KEYGUARD_DISABLE_WIDGETS_ALL , KEYGUARD_DISABLE_SECURE_CAMERA ,
KEYGUARD_DISABLE_SECURE_NOTIFICATIONS ,
KEYGUARD_DISABLE_TRUST_AGENTS ,
KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS ,
KEYGUARD_DISABLE_FINGERPRINT ,
KEYGUARD_DISABLE_FACE ,
KEYGUARD_DISABLE_IRIS . |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or does not user
DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES
|
setLockTaskFeatures
public void setLockTaskFeatures (ComponentName admin, int flags)
Sets which system features are enabled when the device runs in lock task mode. This method
doesn't affect the features when lock task mode is inactive. Any system features not included
in flags
are implicitly disabled when calling this method. By default, only
LOCK_TASK_FEATURE_GLOBAL_ACTIONS
is enabled—all the other features are disabled. To
disable the global actions dialog, call this method omitting
LOCK_TASK_FEATURE_GLOBAL_ACTIONS
.
This method can only be called by the device owner, a profile owner of an affiliated
user or profile, or the profile owner when no device owner is set. See
isAffiliatedUser()
.
Any features set using this method are cleared if the user becomes unaffiliated.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
flags |
int : The system features enabled during lock task mode.Value is either |
Throws | |
---|---|
SecurityException |
if admin is not the device owner, the profile owner of an
affiliated user or profile, or the profile owner when no device owner is set. |
See also:
setLockTaskPackages
public void setLockTaskPackages (ComponentName admin, String[] packages)
Sets which packages may enter lock task mode.
Any packages that share uid with an allowed package will also be allowed to activate lock
task. From Build.VERSION_CODES.M
removing packages from the lock task
package list results in locked tasks belonging to those packages to be finished.
This function can only be called by the device owner, a profile owner of an affiliated user
or profile, or the profile owner when no device owner is set. See isAffiliatedUser()
.
Any package set via this method will be cleared if the user becomes unaffiliated.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
packages |
String : The list of packages allowed to enter lock task modeThis value must never be |
Throws | |
---|---|
SecurityException |
if admin is not the device owner, the profile owner of an
affiliated user or profile, or the profile owner when no device owner is set. |
setLogoutEnabled
public void setLogoutEnabled (ComponentName admin, boolean enabled)
Called by a device owner to specify whether logout is enabled for all secondary users. The system may show a logout button that stops the user and switches back to the primary user.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
enabled |
boolean : whether logout should be enabled or not. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
setLongSupportMessage
public void setLongSupportMessage (ComponentName admin, CharSequence message)
Called by a device admin to set the long support message. This will be displayed to the user in the device administators settings screen.
If the long support message needs to be localized, it is the responsibility of the
DeviceAdminReceiver
to listen to the Intent.ACTION_LOCALE_CHANGED
broadcast
and set a new version of this string accordingly.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
message |
CharSequence : Long message to be displayed to the user in settings or null to clear the
existing message. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator.
|
setMasterVolumeMuted
public void setMasterVolumeMuted (ComponentName admin, boolean on)
Called by profile or device owners to set the master volume mute on or off. This has no effect when set on a managed profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
on |
boolean : true to mute master volume, false to turn mute off. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
setMaximumFailedPasswordsForWipe
public void setMaximumFailedPasswordsForWipe (ComponentName admin, int num)
Setting this to a value greater than zero enables a built-in policy that will perform a
device or profile wipe after too many incorrect device-unlock passwords have been entered.
This built-in policy combines watching for failed passwords and wiping the device, and
requires that you request both DeviceAdminInfo.USES_POLICY_WATCH_LOGIN
and
DeviceAdminInfo.USES_POLICY_WIPE_DATA
}.
To implement any other policy (e.g. wiping data for a particular application only, erasing or
revoking credentials, or reporting the failure to a server), you should implement
DeviceAdminReceiver.onPasswordFailed(Context, android.content.Intent)
instead. Do not
use this API, because if the maximum count is reached, the device or profile will be wiped
immediately, and your callback will not be invoked.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set a value on the parent
profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
num |
int : The number of failed password attempts at which point the device or profile will
be wiped. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or does not use
both DeviceAdminInfo.USES_POLICY_WATCH_LOGIN and
DeviceAdminInfo.USES_POLICY_WIPE_DATA .
|
setMaximumTimeToLock
public void setMaximumTimeToLock (ComponentName admin, long timeMs)
Called by an application that is administering the device to set the maximum time for user activity until the device will lock. This limits the length that the user can set. It takes effect immediately.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_FORCE_LOCK
to be able to call this method; if it has not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set restrictions on the parent
profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
timeMs |
long : The new desired maximum time to lock in milliseconds. A value of 0 means there
is no restriction. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or it does not use
DeviceAdminInfo.USES_POLICY_FORCE_LOCK
|
setMeteredDataDisabledPackages
public List<String> setMeteredDataDisabledPackages (ComponentName admin, List<String> packageNames)
Called by a device or profile owner to restrict packages from using metered data.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated with.This value must never be |
packageNames |
List : the list of package names to be restricted.This value must never be |
Returns | |
---|---|
List<String> |
a list of package names which could not be restricted. This value will never be |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
setNetworkLoggingEnabled
public void setNetworkLoggingEnabled (ComponentName admin, boolean enabled)
Called by a device owner to control the network logging feature.
Network logs contain DNS lookup and connect() library call events. The following library functions are recorded while network logging is active:
getaddrinfo()
gethostbyname()
connect()
Network logging is a low-overhead tool for forensics but it is not guaranteed to use full system call logging; event reporting is enabled by default for all processes but not strongly enforced. Events from applications using alternative implementations of libc, making direct kernel calls, or deliberately obfuscating traffic may not be recorded.
Some common network events may not be reported. For example:
- Applications may hardcode IP addresses to reduce the number of DNS lookups, or use
an alternative system for name resolution, and so avoid calling
getaddrinfo()
orgethostbyname
. - Applications may use datagram sockets for performance reasons, for example
for a game client. Calling
connect()
is unnecessary for this kind of socket, so it will not trigger a network event.
It is possible to directly intercept layer 3 traffic leaving the device using an
always-on VPN service.
See setAlwaysOnVpnPackage(ComponentName, String, boolean)
and VpnService
for details.
Note: The device owner won't be able to retrieve network logs if there
are unaffiliated secondary users or profiles on the device, regardless of whether the
feature is enabled. Logs will be discarded if the internal buffer fills up while waiting for
all users to become affiliated. Therefore it's recommended that affiliation ids are set for
new users as soon as possible after provisioning via setAffiliationIds(ComponentName, Set
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
enabled |
boolean : whether network logging should be enabled or not. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
setOrganizationColor
public void setOrganizationColor (ComponentName admin, int color)
Called by a profile owner of a managed profile to set the color used for customization. This color is used as background color of the confirm credentials screen for that user. The default color is teal (#00796B).
The confirm credentials screen can be created using
KeyguardManager.createConfirmDeviceCredentialIntent(CharSequence, CharSequence)
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
color |
int : The 24bit (0xRRGGBB) representation of the color to be used. |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner.
|
setOrganizationName
public void setOrganizationName (ComponentName admin, CharSequence title)
Called by the device owner (since API 26) or profile owner (since API 24) to set the name of the organization under management.
If the organization name needs to be localized, it is the responsibility of the DeviceAdminReceiver
to listen to the Intent.ACTION_LOCALE_CHANGED
broadcast and set
a new version of this string accordingly.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
title |
CharSequence : The organization name or null to clear a previously set name. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
setOverrideApnsEnabled
public void setOverrideApnsEnabled (ComponentName admin, boolean enabled)
Called by device owner to set if override APNs should be enabled.
Override APNs are separated from other APNs on the device, and can only be inserted or modified by the device owner. When enabled, only override APNs are in use, any other APNs are ignored.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated withThis value must never be |
enabled |
boolean : true if override APNs should be enabled, false otherwise |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
setPackagesSuspended
public String[] setPackagesSuspended (ComponentName admin, String[] packageNames, boolean suspended)
Called by device or profile owners to suspend packages for this user. This function can be
called by a device owner, profile owner, or by a delegate given the
DELEGATION_PACKAGE_ACCESS
scope via setDelegatedScopes(ComponentName, String, List
.
A suspended package will not be able to start activities. Its notifications will be hidden, it will not show up in recents, will not be able to show toasts or dialogs or ring the device.
The package must already be installed. If the package is uninstalled while suspended the
package will no longer be suspended. The admin can block this by using
setUninstallBlocked(ComponentName, String, boolean)
.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null if the caller is a
package access delegate. |
packageNames |
String : The package names to suspend or unsuspend.This value must never be |
suspended |
boolean : If set to true than the packages will be suspended, if set to
false the packages will be unsuspended. |
Returns | |
---|---|
String[] |
an array of package names for which the suspended status is not set as requested in
this method. This value will never be |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
setPasswordExpirationTimeout
public void setPasswordExpirationTimeout (ComponentName admin, long timeout)
Called by a device admin to set the password expiration timeout. Calling this method will restart the countdown for password expiration for the given admin, as will changing the device password (for all admins).
The provided timeout is the time delta in ms and will be added to the current time. For example, to have the password expire 5 days from now, timeout would be 5 * 86400 * 1000 = 432000000 ms for timeout.
To disable password expiration, a value of 0 may be used for timeout.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD
to be able to call this method; if it has
not, a security exception will be thrown.
Note that setting the password will automatically reset the expiration time for all active admins. Active admins do not need to explicitly call this method in that case.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set restrictions on the parent
profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
timeout |
long : The limit (in ms) that a password can remain in effect. A value of 0 means
there is no restriction (unlimited). |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or admin
does not use DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD
|
setPasswordHistoryLength
public void setPasswordHistoryLength (ComponentName admin, int length)
Called by an application that is administering the device to set the length of the password
history. After setting this, the user will not be able to enter a new password that is the
same as any password in the history. Note that the current password will remain until the
user has set a new one, so the change does not take place immediately. To prompt the user for
a new password, use ACTION_SET_NEW_PASSWORD
or
ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after setting this value. This constraint is
only imposed if the administrator has also requested either PASSWORD_QUALITY_NUMERIC
, PASSWORD_QUALITY_NUMERIC_COMPLEX
PASSWORD_QUALITY_ALPHABETIC
, or
PASSWORD_QUALITY_ALPHANUMERIC
with setPasswordQuality(ComponentName, int)
.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has
not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set restrictions on the parent
profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
length |
int : The new desired length of password history. A value of 0 means there is no
restriction. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or admin
does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
|
setPasswordMinimumLength
public void setPasswordMinimumLength (ComponentName admin, int length)
Called by an application that is administering the device to set the minimum allowed password
length. After setting this, the user will not be able to enter a new password that is not at
least as restrictive as what has been set. Note that the current password will remain until
the user has set a new one, so the change does not take place immediately. To prompt the user
for a new password, use ACTION_SET_NEW_PASSWORD
or
ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after setting this value. This constraint is
only imposed if the administrator has also requested either PASSWORD_QUALITY_NUMERIC
, PASSWORD_QUALITY_NUMERIC_COMPLEX
, PASSWORD_QUALITY_ALPHABETIC
,
PASSWORD_QUALITY_ALPHANUMERIC
, or PASSWORD_QUALITY_COMPLEX
with
setPasswordQuality(ComponentName, int)
.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has
not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set restrictions on the parent
profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
length |
int : The new desired minimum password length. A value of 0 means there is no
restriction. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or admin
does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
|
setPasswordMinimumLetters
public void setPasswordMinimumLetters (ComponentName admin, int length)
Called by an application that is administering the device to set the minimum number of
letters required in the password. After setting this, the user will not be able to enter a
new password that is not at least as restrictive as what has been set. Note that the current
password will remain until the user has set a new one, so the change does not take place
immediately. To prompt the user for a new password, use ACTION_SET_NEW_PASSWORD
or
ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after setting this value. This constraint is
only imposed if the administrator has also requested PASSWORD_QUALITY_COMPLEX
with
setPasswordQuality(ComponentName, int)
. The default value is 1.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has
not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set restrictions on the parent
profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
length |
int : The new desired minimum number of letters required in the password. A value of
0 means there is no restriction. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or admin
does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
|
setPasswordMinimumLowerCase
public void setPasswordMinimumLowerCase (ComponentName admin, int length)
Called by an application that is administering the device to set the minimum number of lower
case letters required in the password. After setting this, the user will not be able to enter
a new password that is not at least as restrictive as what has been set. Note that the
current password will remain until the user has set a new one, so the change does not take
place immediately. To prompt the user for a new password, use
ACTION_SET_NEW_PASSWORD
or ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after
setting this value. This constraint is only imposed if the administrator has also requested
PASSWORD_QUALITY_COMPLEX
with setPasswordQuality(ComponentName, int)
. The default value is 0.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has
not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set restrictions on the parent
profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
length |
int : The new desired minimum number of lower case letters required in the password.
A value of 0 means there is no restriction. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or admin
does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
|
setPasswordMinimumNonLetter
public void setPasswordMinimumNonLetter (ComponentName admin, int length)
Called by an application that is administering the device to set the minimum number of
non-letter characters (numerical digits or symbols) required in the password. After setting
this, the user will not be able to enter a new password that is not at least as restrictive
as what has been set. Note that the current password will remain until the user has set a new
one, so the change does not take place immediately. To prompt the user for a new password,
use ACTION_SET_NEW_PASSWORD
or ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after
setting this value. This constraint is only imposed if the administrator has also requested
PASSWORD_QUALITY_COMPLEX
with setPasswordQuality(ComponentName, int)
. The default value is 0.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has
not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set restrictions on the parent
profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
length |
int : The new desired minimum number of letters required in the password. A value of
0 means there is no restriction. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or admin
does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
|
setPasswordMinimumNumeric
public void setPasswordMinimumNumeric (ComponentName admin, int length)
Called by an application that is administering the device to set the minimum number of
numerical digits required in the password. After setting this, the user will not be able to
enter a new password that is not at least as restrictive as what has been set. Note that the
current password will remain until the user has set a new one, so the change does not take
place immediately. To prompt the user for a new password, use
ACTION_SET_NEW_PASSWORD
or ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after
setting this value. This constraint is only imposed if the administrator has also requested
PASSWORD_QUALITY_COMPLEX
with setPasswordQuality(ComponentName, int)
. The default value is 1.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has
not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set restrictions on the parent
profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
length |
int : The new desired minimum number of numerical digits required in the password. A
value of 0 means there is no restriction. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or admin
does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
|
setPasswordMinimumSymbols
public void setPasswordMinimumSymbols (ComponentName admin, int length)
Called by an application that is administering the device to set the minimum number of
symbols required in the password. After setting this, the user will not be able to enter a
new password that is not at least as restrictive as what has been set. Note that the current
password will remain until the user has set a new one, so the change does not take place
immediately. To prompt the user for a new password, use ACTION_SET_NEW_PASSWORD
or
ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after setting this value. This constraint is
only imposed if the administrator has also requested PASSWORD_QUALITY_COMPLEX
with
setPasswordQuality(ComponentName, int)
. The default value is 1.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has
not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set restrictions on the parent
profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
length |
int : The new desired minimum number of symbols required in the password. A value of
0 means there is no restriction. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or admin
does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
|
setPasswordMinimumUpperCase
public void setPasswordMinimumUpperCase (ComponentName admin, int length)
Called by an application that is administering the device to set the minimum number of upper
case letters required in the password. After setting this, the user will not be able to enter
a new password that is not at least as restrictive as what has been set. Note that the
current password will remain until the user has set a new one, so the change does not take
place immediately. To prompt the user for a new password, use
ACTION_SET_NEW_PASSWORD
or ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after
setting this value. This constraint is only imposed if the administrator has also requested
PASSWORD_QUALITY_COMPLEX
with setPasswordQuality(ComponentName, int)
. The default value is 0.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has
not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set restrictions on the parent
profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
length |
int : The new desired minimum number of upper case letters required in the password.
A value of 0 means there is no restriction. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or admin
does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
|
setPasswordQuality
public void setPasswordQuality (ComponentName admin, int quality)
Called by an application that is administering the device to set the password restrictions it
is imposing. After setting this, the user will not be able to enter a new password that is
not at least as restrictive as what has been set. Note that the current password will remain
until the user has set a new one, so the change does not take place immediately. To prompt
the user for a new password, use ACTION_SET_NEW_PASSWORD
or
ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after calling this method.
Quality constants are ordered so that higher values are more restrictive; thus the highest requested quality constant (between the policy set here, the user's preference, and any other considerations) is the one that is in effect.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has
not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set restrictions on the parent
profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
quality |
int : The new desired quality. One of PASSWORD_QUALITY_UNSPECIFIED ,
PASSWORD_QUALITY_SOMETHING , PASSWORD_QUALITY_NUMERIC ,
PASSWORD_QUALITY_NUMERIC_COMPLEX , PASSWORD_QUALITY_ALPHABETIC ,
PASSWORD_QUALITY_ALPHANUMERIC or PASSWORD_QUALITY_COMPLEX . |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or if admin
does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
|
setPermissionGrantState
public boolean setPermissionGrantState (ComponentName admin, String packageName, String permission, int grantState)
Sets the grant state of a runtime permission for a specific application. The state can be
default
in which a user can manage it through the UI,
denied
, in which the permission is denied and the user
cannot manage it through the UI, and granted
in which
the permission is granted and the user cannot manage it through the UI. This method can only
be called by a profile owner, device owner, or a delegate given the
DELEGATION_PERMISSION_GRANT
scope via setDelegatedScopes(ComponentName, String, List
.
default
does not revoke
the permission. It retains the previous grant, if any.
Permissions can be granted or revoked only for applications built with a
targetSdkVersion
of Build.VERSION_CODES.M
or later.
Parameters | |
---|---|
admin |
ComponentName : Which profile or device owner this request is associated with.This value must never be |
packageName |
String : The application to grant or revoke a permission to. |
permission |
String : The permission to grant or revoke. |
grantState |
int : The permission grant state which is one of
PERMISSION_GRANT_STATE_DENIED , PERMISSION_GRANT_STATE_DEFAULT ,
PERMISSION_GRANT_STATE_GRANTED , |
Returns | |
---|---|
boolean |
whether the permission was successfully granted or revoked. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
setPermissionPolicy
public void setPermissionPolicy (ComponentName admin, int policy)
Set the default response for future runtime permission requests by applications. This
function can be called by a device owner, profile owner, or by a delegate given the
DELEGATION_PERMISSION_GRANT
scope via setDelegatedScopes(ComponentName, String, List
.
The policy can allow for normal operation which prompts the user to grant a permission, or
can allow automatic granting or denying of runtime permission requests by an application.
This also applies to new permissions declared by app updates. When a permission is denied or
granted this way, the effect is equivalent to setting the permission * grant state via
setPermissionGrantState(ComponentName, String, String, int)
.
targetSdkVersion
of Build.VERSION_CODES.M
or later.
Parameters | |
---|---|
admin |
ComponentName : Which profile or device owner this request is associated with.This value must never be |
policy |
int : One of the policy constants PERMISSION_POLICY_PROMPT ,
PERMISSION_POLICY_AUTO_GRANT and PERMISSION_POLICY_AUTO_DENY . |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
setPermittedAccessibilityServices
public boolean setPermittedAccessibilityServices (ComponentName admin, List<String> packageNames)
Called by a profile or device owner to set the permitted
AccessibilityService
. When set by
a device owner or profile owner the restriction applies to all profiles of the user the
device owner or profile owner is an admin for. By default, the user can use any accessibility
service. When zero or more packages have been added, accessibility services that are not in
the list and not part of the system can not be enabled by the user.
Calling with a null value for the list disables the restriction so that all services can be used, calling with an empty list only allows the built-in system services. Any non-system accessibility service that's currently enabled must be included in the list.
System accessibility services are always available to the user the list can't modify this.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
packageNames |
List : List of accessibility service package names. |
Returns | |
---|---|
boolean |
true if the operation succeeded, or false if the list didn't
contain every enabled non-system accessibility service. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
setPermittedCrossProfileNotificationListeners
public boolean setPermittedCrossProfileNotificationListeners (ComponentName admin, List<String> packageList)
Called by a profile owner of a managed profile to set the packages that are allowed to use
a NotificationListenerService
in the primary user to
see notifications from the managed profile. By default all packages are permitted by this
policy. When zero or more packages have been added, notification listeners installed on the
primary user that are not in the list and are not part of the system won't receive events
for managed profile notifications.
Calling with a null
value for the list disables the restriction so that all
notification listener services be used. Calling with an empty list disables all but the
system's own notification listeners. System notification listener services are always
available to the user.
If a device or profile owner want to stop notification listeners in their user from seeing
that user's notifications they should prevent that service from running instead (e.g. via
setApplicationHidden(ComponentName, String, boolean)
)
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
packageList |
List : List of package names to whitelistThis value may be |
Returns | |
---|---|
boolean |
true if setting the restriction succeeded. It will fail if called outside a managed profile |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner. |
See also:
setPermittedInputMethods
public boolean setPermittedInputMethods (ComponentName admin, List<String> packageNames)
Called by a profile or device owner to set the permitted input methods services. When set by a device owner or profile owner the restriction applies to all profiles of the user the device owner or profile owner is an admin for. By default, the user can use any input method. When zero or more packages have been added, input method that are not in the list and not part of the system can not be enabled by the user. This method will fail if it is called for a admin that is not for the foreground user or a profile of the foreground user. Any non-system input method service that's currently enabled must be included in the list.
Calling with a null value for the list disables the restriction so that all input methods can be used, calling with an empty list disables all but the system's own input methods.
System input methods are always available to the user this method can't modify this.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
packageNames |
List : List of input method package names. |
Returns | |
---|---|
boolean |
true if the operation succeeded, or false if the list didn't
contain every enabled non-system input method service. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
setProfileEnabled
public void setProfileEnabled (ComponentName admin)
Sets the enabled state of the profile. A profile should be enabled only once it is ready to be used. Only the profile owner can call this.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner.
|
See also:
setProfileName
public void setProfileName (ComponentName admin, String profileName)
Sets the name of the profile. In the device owner case it sets the name of the user which it is called from. Only a profile owner or device owner can call this. If this is never called by the profile or device owner, the name will be set to default values.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associate with.This value must never be |
profileName |
String : The name of the profile. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
setRecommendedGlobalProxy
public void setRecommendedGlobalProxy (ComponentName admin, ProxyInfo proxyInfo)
Set a network-independent global HTTP proxy. This is not normally what you want for typical HTTP proxies - they are generally network dependent. However if you're doing something unusual like general internal filtering this may be useful. On a private network where the proxy is not accessible, you may break HTTP using this.
This method requires the caller to be the device owner.
This proxy is only a recommendation and it is possible that some apps will ignore it.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
proxyInfo |
ProxyInfo : The a ProxyInfo object defining the new global HTTP proxy. A
null value will clear the global HTTP proxy. |
Throws | |
---|---|
SecurityException |
if admin is not the device owner.
|
See also:
setRequiredStrongAuthTimeout
public void setRequiredStrongAuthTimeout (ComponentName admin, long timeoutMs)
Called by a device/profile owner to set the timeout after which unlocking with secondary, non strong auth (e.g. fingerprint, trust agents) times out, i.e. the user has to use a strong authentication method like password, pin or pattern.
This timeout is used internally to reset the timer to require strong auth again after specified timeout each time it has been successfully used.
Fingerprint can also be disabled altogether using KEYGUARD_DISABLE_FINGERPRINT
.
Trust agents can also be disabled altogether using KEYGUARD_DISABLE_TRUST_AGENTS
.
The calling device admin must be a device or profile owner. If it is not,
a SecurityException
will be thrown.
The calling device admin can verify the value it has set by calling
getRequiredStrongAuthTimeout(ComponentName)
and passing in its instance.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set restrictions on the parent
profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
timeoutMs |
long : The new timeout in milliseconds, after which the user will have to unlock
with strong authentication method. A value of 0 means the admin is not participating
in controlling the timeout.
The minimum and maximum timeouts are platform-defined and are typically 1 hour and
72 hours, respectively. Though discouraged, the admin may choose to require strong
auth at all times using KEYGUARD_DISABLE_FINGERPRINT and/or
KEYGUARD_DISABLE_TRUST_AGENTS . |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
setResetPasswordToken
public boolean setResetPasswordToken (ComponentName admin, byte[] token)
Called by a profile or device owner to provision a token which can later be used to reset the
device lockscreen password (if called by device owner), or managed profile challenge (if
called by profile owner), via resetPasswordWithToken(ComponentName, String, byte[], int)
.
If the user currently has a lockscreen password, the provisioned token will not be
immediately usable; it only becomes active after the user performs a confirm credential
operation, which can be triggered by KeyguardManager.createConfirmDeviceCredentialIntent(CharSequence, CharSequence)
.
If the user has no lockscreen password, the token is activated immediately. In all cases,
the active state of the current token can be checked by isResetPasswordTokenActive(ComponentName)
.
For security reasons, un-activated tokens are only stored in memory and will be lost once
the device reboots. In this case a new token needs to be provisioned again.
Once provisioned and activated, the token will remain effective even if the user changes or clears the lockscreen password.
This token is highly sensitive and should be treated at the same level as user credentials. In particular, NEVER store this token on device in plaintext. Do not store the plaintext token in device-encrypted storage if it will be needed to reset password on file-based encryption devices before user unlocks. Consider carefully how any password token will be stored on your server and who will need access to them. Tokens may be the subject of legal access requests.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. |
token |
byte : a secure token a least 32-byte long, which must be generated by a
cryptographically strong random number generator. |
Returns | |
---|---|
boolean |
true if the operation is successful, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
IllegalArgumentException |
if the supplied token is invalid. |
setRestrictionsProvider
public void setRestrictionsProvider (ComponentName admin, ComponentName provider)
Designates a specific service component as the provider for making permission requests of a local or remote administrator of the user.
Only a profile owner can designate the restrictions provider.Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
provider |
ComponentName : The component name of the service that implements
RestrictionsReceiver . If this param is null, it removes the restrictions
provider previously assigned. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
setScreenCaptureDisabled
public void setScreenCaptureDisabled (ComponentName admin, boolean disabled)
Called by a device/profile owner to set whether the screen capture is disabled. Disabling
screen capture also prevents the content from being shown on display devices that do not have
a secure video output. See Display.FLAG_SECURE
for more details about
secure surfaces and secure displays.
The calling device admin must be a device or profile owner. If it is not, a security exception will be thrown.
From version Build.VERSION_CODES.M
disabling screen capture also blocks
assist requests for all activities of the relevant user.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
disabled |
boolean : Whether screen capture is disabled or not. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
setSecureSetting
public void setSecureSetting (ComponentName admin, String setting, String value)
Called by profile or device owners to update Settings.Secure
settings. Validation that the value of the setting is in the correct form for the setting
type should be performed by the caller.
The settings that can be updated by a profile or device owner with this method are:
A device owner can additionally update the following settings:
Note: Starting from Android O, apps should no longer call this method with the settingSettings.Secure.INSTALL_NON_MARKET_APPS
, which is
deprecated. Instead, device owners or profile owners should use the restriction
UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES
.
If any app targeting Build.VERSION_CODES.O
or higher calls this method
with Settings.Secure.INSTALL_NON_MARKET_APPS
,
an UnsupportedOperationException
is thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
setting |
String : The name of the setting to update. |
value |
String : The value to update the setting to. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
setSecurityLoggingEnabled
public void setSecurityLoggingEnabled (ComponentName admin, boolean enabled)
Called by device owner to control the security logging feature.
Security logs contain various information intended for security auditing purposes.
See SecurityLog.SecurityEvent
for details.
Note: The device owner won't be able to retrieve security logs if there
are unaffiliated secondary users or profiles on the device, regardless of whether the
feature is enabled. Logs will be discarded if the internal buffer fills up while waiting for
all users to become affiliated. Therefore it's recommended that affiliation ids are set for
new users as soon as possible after provisioning via setAffiliationIds(ComponentName, Set
.
Parameters | |
---|---|
admin |
ComponentName : Which device owner this request is associated with.This value must never be |
enabled |
boolean : whether security logging should be enabled or not. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
setShortSupportMessage
public void setShortSupportMessage (ComponentName admin, CharSequence message)
Called by a device admin to set the short support message. This will be displayed to the user in settings screens where funtionality has been disabled by the admin. The message should be limited to a short statement such as "This setting is disabled by your administrator. Contact someone@example.com for support." If the message is longer than 200 characters it may be truncated.
If the short support message needs to be localized, it is the responsibility of the
DeviceAdminReceiver
to listen to the Intent.ACTION_LOCALE_CHANGED
broadcast
and set a new version of this string accordingly.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
message |
CharSequence : Short message to be displayed to the user in settings or null to clear the
existing message. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator.
|
setStartUserSessionMessage
public void setStartUserSessionMessage (ComponentName admin, CharSequence startUserSessionMessage)
Called by a device owner to specify the user session start message. This may be displayed during a user switch.
The message should be limited to a short statement or it may be truncated.
If the message needs to be localized, it is the responsibility of the
DeviceAdminReceiver
to listen to the Intent.ACTION_LOCALE_CHANGED
broadcast
and set a new version of this message accordingly.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated with.This value must never be |
startUserSessionMessage |
CharSequence : message for starting user session, or null to use
system default message. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
setStatusBarDisabled
public boolean setStatusBarDisabled (ComponentName admin, boolean disabled)
Called by device owner or profile owner of secondary users that is affiliated with the device to disable the status bar. Disabling the status bar blocks notifications, quick settings and other screen overlays that allow escaping from a single use device.
Note: This method has no effect for LockTask mode. The behavior of the
status bar in LockTask mode can be configured with
setLockTaskFeatures(ComponentName, int)
. Calls to this method when the device is in
LockTask mode will be registered, but will only take effect when the device leaves LockTask
mode.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
disabled |
boolean : true disables the status bar, false reenables it. |
Returns | |
---|---|
boolean |
false if attempting to disable the status bar failed. true otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not the device owner, or a profile owner of
secondary user that is affiliated with the device. |
setStorageEncryption
public int setStorageEncryption (ComponentName admin, boolean encrypt)
Called by an application that is administering the device to request that the storage system be encrypted. Does nothing if the caller is on a secondary user or a managed profile.
When multiple device administrators attempt to control device encryption, the most secure,
supported setting will always be used. If any device administrator requests device
encryption, it will be enabled; Conversely, if a device administrator attempts to disable
device encryption while another device administrator has enabled it, the call to disable will
fail (most commonly returning ENCRYPTION_STATUS_ACTIVE
).
This policy controls encryption of the secure (application data) storage area. Data written
to other storage areas may or may not be encrypted, and this policy does not require or
control the encryption of any other storage areas. There is one exception: If
Environment.isExternalStorageEmulated()
is true
, then the
directory returned by Environment.getExternalStorageDirectory()
must be
written to disk within the encrypted storage area.
Important Note: On some devices, it is possible to encrypt storage without requiring the user to create a device PIN or Password. In this case, the storage is encrypted, but the encryption key may not be fully secured. For maximum security, the administrator should also require (and check for) a pattern, PIN, or password.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
encrypt |
boolean : true to request encryption, false to release any previous request |
Returns | |
---|---|
int |
the new total request status (for all active admins), or ENCRYPTION_STATUS_UNSUPPORTED if called for a non-system user.
Will be one of ENCRYPTION_STATUS_UNSUPPORTED , ENCRYPTION_STATUS_INACTIVE , or ENCRYPTION_STATUS_ACTIVE . This is the value
of the requests; use getStorageEncryptionStatus() to query the actual device
state. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or does not use
DeviceAdminInfo.USES_ENCRYPTED_STORAGE
|
setSystemSetting
public void setSystemSetting (ComponentName admin, String setting, String value)
Called by a device or profile owner to update Settings.System
settings. Validation that the value of the setting is in the correct form for the setting
type should be performed by the caller.
The settings that can be updated by a device owner or profile owner of secondary user with this method are:
Settings.System.SCREEN_BRIGHTNESS
Settings.System.SCREEN_BRIGHTNESS_MODE
Settings.System.SCREEN_OFF_TIMEOUT
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
setting |
String : The name of the setting to update.This value must never be |
value |
String : The value to update the setting to. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
See also:
setSystemUpdatePolicy
public void setSystemUpdatePolicy (ComponentName admin, SystemUpdatePolicy policy)
Called by device owners to set a local system update policy. When a new policy is set,
ACTION_SYSTEM_UPDATE_POLICY_CHANGED
is broadcasted.
If the supplied system update policy has freeze periods set but the freeze periods do not
meet 90-day maximum length or 60-day minimum separation requirement set out in
SystemUpdatePolicy.setFreezePeriods(List
,
SystemUpdatePolicy.ValidationFailedException
will the thrown. Note that the system
keeps a record of freeze periods the device experienced previously, and combines them with
the new freeze periods to be set when checking the maximum freeze length and minimum freeze
separation constraints. As a result, freeze periods that passed validation during
SystemUpdatePolicy.setFreezePeriods(List
might fail the additional checks here due to
the freeze period history. If this is causing issues during development,
adb shell dpm clear-freeze-period-record
can be used to clear the record.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. All
components in the device owner package can set system update policies and the most
recent policy takes effect.This value must never be |
policy |
SystemUpdatePolicy : the new policy, or null to clear the current policy. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
IllegalArgumentException |
if the policy type or maintenance window is not valid. |
SystemUpdatePolicy.ValidationFailedException |
if the policy's freeze period does not meet the requirement. |
setTime
public boolean setTime (ComponentName admin, long millis)
Called by device owner to set the system wall clock time. This only takes effect if called
when Settings.Global.AUTO_TIME
is 0, otherwise false
will be
returned.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated withThis value must never be |
millis |
long : time in milliseconds since the Epoch |
Returns | |
---|---|
boolean |
true if set time succeeded, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
setTimeZone
public boolean setTimeZone (ComponentName admin, String timeZone)
Called by device owner to set the system's persistent default time zone. This only takes
effect if called when Settings.Global.AUTO_TIME_ZONE
is 0, otherwise
false
will be returned.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated withThis value must never be |
timeZone |
String : one of the Olson ids from the list returned by
TimeZone.getAvailableIDs() |
Returns | |
---|---|
boolean |
true if set timezone succeeded, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner.
|
See also:
setTrustAgentConfiguration
public void setTrustAgentConfiguration (ComponentName admin, ComponentName target, PersistableBundle configuration)
Sets a list of configuration features to enable for a trust agent component. This is meant to
be used in conjunction with KEYGUARD_DISABLE_TRUST_AGENTS
, which disables all trust
agents but those enabled by this function call. If flag
KEYGUARD_DISABLE_TRUST_AGENTS
is not set, then this call has no effect.
For any specific trust agent, whether it is disabled or not depends on the aggregated state
of each admin's KEYGUARD_DISABLE_TRUST_AGENTS
setting and its trust agent
configuration as set by this function call. In particular: if any admin sets
KEYGUARD_DISABLE_TRUST_AGENTS
and does not additionally set any
trust agent configuration, the trust agent is disabled completely. Otherwise, the trust agent
will receive the list of configurations from all admins who set
KEYGUARD_DISABLE_TRUST_AGENTS
and aggregate the configurations to determine its
behavior. The exact meaning of aggregation is trust-agent-specific.
The calling device admin must have requested
DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES
to be able to call this method;
if not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(ComponentName)
in order to set the configuration for
the parent profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
target |
ComponentName : Component name of the agent to be configured.This value must never be |
configuration |
PersistableBundle : Trust-agent-specific feature configuration bundle. Please consult
documentation of the specific trust agent to determine the interpretation of this
bundle. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator or does not use
DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES
|
setUninstallBlocked
public void setUninstallBlocked (ComponentName admin, String packageName, boolean uninstallBlocked)
Change whether a user can uninstall a package. This function can be called by a device owner,
profile owner, or by a delegate given the DELEGATION_BLOCK_UNINSTALL
scope via
setDelegatedScopes(ComponentName, String, List
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is a block uninstall delegate. |
packageName |
String : package to change. |
uninstallBlocked |
boolean : true if the user shouldn't be able to uninstall the package. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
setUserIcon
public void setUserIcon (ComponentName admin, Bitmap icon)
Called by profile or device owners to set the user's photo.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
icon |
Bitmap : the bitmap to set as the photo. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner.
|
startUserInBackground
public int startUserInBackground (ComponentName admin, UserHandle userHandle)
Called by a device owner to start the specified secondary user in background.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
userHandle |
UserHandle : the user to be started in background.This value must never be |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
See also:
stopUser
public int stopUser (ComponentName admin, UserHandle userHandle)
Called by a device owner to stop the specified secondary user.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
userHandle |
UserHandle : the user to be stopped.This value must never be |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
See also:
switchUser
public boolean switchUser (ComponentName admin, UserHandle userHandle)
Called by a device owner to switch the specified secondary user to the foreground.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.This value must never be |
userHandle |
UserHandle : the user to switch to; null will switch to primary. |
Returns | |
---|---|
boolean |
true if the switch was successful, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
transferOwnership
public void transferOwnership (ComponentName admin, ComponentName target, PersistableBundle bundle)
Changes the current administrator to another one. All policies from the current administrator are migrated to the new administrator. The whole operation is atomic - the transfer is either complete or not done at all.
Depending on the current administrator (device owner, profile owner), you have the following expected behaviour:
- A device owner can only be transferred to a new device owner
- A profile owner can only be transferred to a new profile owner
Use the bundle
parameter to pass data to the new administrator. The data
will be received in the
DeviceAdminReceiver.onTransferOwnershipComplete(Context, PersistableBundle)
callback of the new administrator.
The transfer has failed if the original administrator is still the corresponding owner after calling this method.
The incoming target administrator must have the
<support-transfer-ownership />
tag inside the
<device-admin></device-admin>
tags in the xml file referenced by
DeviceAdminReceiver.DEVICE_ADMIN_META_DATA
. Otherwise an
IllegalArgumentException
will be thrown.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated withThis value must never be |
target |
ComponentName : which DeviceAdminReceiver we want the new administrator to beThis value must never be |
bundle |
PersistableBundle : data to be sent to the new administratorThis value may be |
Throws | |
---|---|
SecurityException |
if admin is not a device owner nor a profile owner |
IllegalArgumentException |
if admin or target is null , they
are components in the same package or target is not an active admin
|
uninstallAllUserCaCerts
public void uninstallAllUserCaCerts (ComponentName admin)
Uninstalls all custom trusted CA certificates from the profile. Certificates installed by means other than device policy will also be removed, except for system CA certificates.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate installer. |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner.
|
uninstallCaCert
public void uninstallCaCert (ComponentName admin, byte[] certBuffer)
Uninstalls the given certificate from trusted user CAs, if present.
The caller must be a profile or device owner on that user, or a delegate package given the
DELEGATION_CERT_INSTALL
scope via setDelegatedScopes(ComponentName, String, List
; otherwise a
security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate installer. |
certBuffer |
byte : encoded form of the certificate to remove. |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner. |
updateOverrideApn
public boolean updateOverrideApn (ComponentName admin, int apnId, ApnSetting apnSetting)
Called by device owner to update an override APN.
This method may returns false
if there is no override APN with the given
apnId
.
This method may also returns false
if apnSetting
conflicts with an
existing override APN. Update the existing conflicted APN instead.
See addOverrideApn(ComponentName, ApnSetting)
for the definition of conflict.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated withThis value must never be |
apnId |
int : the id of the override APN to update |
apnSetting |
ApnSetting : the override APN to updateThis value must never be |
Returns | |
---|---|
boolean |
true if the required override APN is successfully updated,
false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
wipeData
public void wipeData (int flags, CharSequence reason)
Ask that all user data be wiped. If called as a secondary user, the user will be removed and other users will remain unaffected, the provided reason for wiping data can be shown to user. Calling from the primary user will cause the device to reboot, erasing all device data - including all the secondary users and their data - while booting up. In this case, we don't show the reason to the user since the device would be factory reset.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_WIPE_DATA
to
be able to call this method; if it has not, a security exception will be thrown.
Parameters | |
---|---|
flags |
int : Bit mask of additional options: currently supported flags are
WIPE_EXTERNAL_STORAGE and WIPE_RESET_PROTECTION_DATA . |
reason |
CharSequence : a string that contains the reason for wiping data, which can be
presented to the user.This value must never be |
Throws | |
---|---|
SecurityException |
if the calling application does not own an active administrator
that uses DeviceAdminInfo.USES_POLICY_WIPE_DATA |
IllegalArgumentException |
if the input reason string is null or empty. |
wipeData
public void wipeData (int flags)
Ask that all user data be wiped. If called as a secondary user, the user will be removed and other users will remain unaffected. Calling from the primary user will cause the device to reboot, erasing all device data - including all the secondary users and their data - while booting up.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_WIPE_DATA
to
be able to call this method; if it has not, a security exception will be thrown.
Parameters | |
---|---|
flags |
int : Bit mask of additional options: currently supported flags are
WIPE_EXTERNAL_STORAGE and WIPE_RESET_PROTECTION_DATA . |
Throws | |
---|---|
SecurityException |
if the calling application does not own an active administrator
that uses DeviceAdminInfo.USES_POLICY_WIPE_DATA
|
Interfaces
Classes
Exceptions