java.lang.Object | |
↳ | android.app.admin.DevicePolicyManager |
Public interface for managing policies enforced on a device. Most clients
of this class must have published a DeviceAdminReceiver
that the user
has currently enabled.
For more information about managing policies for device adminstration, read the Device Administration developer guide.
Constants | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
String | ACTION_ADD_DEVICE_ADMIN | Activity action: ask the user to add a new device administrator to the system. | |||||||||
String | ACTION_PROVISION_MANAGED_PROFILE | Activity action: Starts the provisioning flow which sets up a managed profile. | |||||||||
String | ACTION_SET_NEW_PASSWORD | Activity action: have the user enter a new password. | |||||||||
String | ACTION_START_ENCRYPTION | Activity action: begin the process of encrypting data on the device. | |||||||||
int | ENCRYPTION_STATUS_ACTIVATING | Result code for setStorageEncryption(ComponentName, boolean) and getStorageEncryptionStatus() :
indicating that encryption is not currently active, but is currently
being activated. |
|||||||||
int | ENCRYPTION_STATUS_ACTIVE | Result code for setStorageEncryption(ComponentName, boolean) and getStorageEncryptionStatus() :
indicating that encryption is active. |
|||||||||
int | ENCRYPTION_STATUS_INACTIVE | Result code for setStorageEncryption(ComponentName, boolean) and getStorageEncryptionStatus() :
indicating that encryption is supported, but is not currently active. |
|||||||||
int | ENCRYPTION_STATUS_UNSUPPORTED | Result code for setStorageEncryption(ComponentName, boolean) and getStorageEncryptionStatus() :
indicating that encryption is not supported. |
|||||||||
String | EXTRA_ADD_EXPLANATION | An optional CharSequence providing additional explanation for why the admin is being added. | |||||||||
String | EXTRA_DEVICE_ADMIN | The ComponentName of the administrator component. | |||||||||
String | EXTRA_PROVISIONING_DEFAULT_MANAGED_PROFILE_NAME | A String extra holding the default name of the profile that is created during managed profile provisioning. | |||||||||
String | EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME | A String extra holding the name of the package of the mobile device management application that starts the managed provisioning flow. | |||||||||
int | KEYGUARD_DISABLE_FEATURES_ALL | Disable all current and future keyguard customizations. | |||||||||
int | KEYGUARD_DISABLE_FEATURES_NONE | Widgets are enabled in keyguard | |||||||||
int | KEYGUARD_DISABLE_SECURE_CAMERA | Disable the camera on secure keyguard screens (e.g. | |||||||||
int | KEYGUARD_DISABLE_SECURE_NOTIFICATIONS | Disable showing all notifications on secure keyguard screens (e.g. | |||||||||
int | KEYGUARD_DISABLE_TRUST_AGENTS | Ignore trust agent state on secure keyguard screens (e.g. | |||||||||
int | KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS | Only allow redacted notifications on secure keyguard screens (e.g. | |||||||||
int | KEYGUARD_DISABLE_WIDGETS_ALL | Disable all keyguard widgets. | |||||||||
int | PASSWORD_QUALITY_ALPHABETIC | Constant for setPasswordQuality(ComponentName, int) : the user must have entered a
password containing at least alphabetic (or other symbol) characters. |
|||||||||
int | PASSWORD_QUALITY_ALPHANUMERIC | Constant for setPasswordQuality(ComponentName, int) : the user must have entered a
password containing at least both> numeric and
alphabetic (or other symbol) characters. |
|||||||||
int | PASSWORD_QUALITY_BIOMETRIC_WEAK | Constant for setPasswordQuality(ComponentName, int) : the policy allows for low-security biometric
recognition technology. |
|||||||||
int | PASSWORD_QUALITY_COMPLEX | Constant for setPasswordQuality(ComponentName, int) : the user must have entered a
password containing at least a letter, a numerical digit and a special
symbol, by default. |
|||||||||
int | PASSWORD_QUALITY_NUMERIC | Constant for setPasswordQuality(ComponentName, int) : the user must have entered a
password containing at least numeric characters. |
|||||||||
int | PASSWORD_QUALITY_SOMETHING | Constant for setPasswordQuality(ComponentName, int) : the policy requires some kind
of password, but doesn't care what it is. |
|||||||||
int | PASSWORD_QUALITY_UNSPECIFIED | Constant for setPasswordQuality(ComponentName, int) : the policy has no requirements
for the password. |
|||||||||
int | RESET_PASSWORD_REQUIRE_ENTRY | Flag for resetPassword(String, int) : don't allow other admins to change
the password again until the user has entered it. |
|||||||||
int | WIPE_EXTERNAL_STORAGE | Flag for wipeData(int) : also erase the device's external
storage. |
Fields | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
FLAG_TO_MANAGED_PROFILE | Flag for addForwardingIntentFilter(ComponentName, IntentFilter, int) : the intents will be forwarded to the managed
profile. |
||||||||||
FLAG_TO_PRIMARY_USER | Flag for addForwardingIntentFilter(ComponentName, IntentFilter, int) : the intents will forwarded to the primary user. |
Public Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Called by a profile owner to forward intents sent from the managed profile to the owner, or
from the owner to the managed profile.
| |||||||||||
Called by a profile owner or device owner to add a default intent handler activity for
intents that match a certain intent filter.
| |||||||||||
Called by a profile or device owner to set a user restriction specified
by the key.
| |||||||||||
Called by a profile owner to remove the forwarding intent filters from the current user
and from the owner.
| |||||||||||
Called by a profile owner or device owner to remove all persistent intent handler preferences
associated with the given package that were set by
addPersistentPreferredActivity(ComponentName, IntentFilter, ComponentName) . | |||||||||||
Called by a profile or device owner to clear a user restriction specified
by the key.
| |||||||||||
Called by a device owner to create a user with the specified name.
| |||||||||||
Called by profile or device owner to re-enable a system app that was disabled by default
when the managed profile was created.
| |||||||||||
Called by profile or device owner to re-enable system apps by intent that were disabled
by default when the managed profile was created.
| |||||||||||
Gets the array of accounts for which account management is disabled by the profile owner.
| |||||||||||
Return a list of all currently active device administrator's component
names.
| |||||||||||
Called by a profile or device owner to get the application restrictions for a given target
application running in the managed profile.
| |||||||||||
Determine whether or not the device's cameras have been disabled either by the current
admin, if specified, or all admins.
| |||||||||||
Retrieve the number of times the user has failed at entering a
password since that last successful password entry.
| |||||||||||
Determine whether or not features have been disabled in keyguard either by the current
admin, if specified, or all admins.
| |||||||||||
Retrieve the current maximum number of login attempts that are allowed
before the device wipes itself, for all admins of this user and its profiles
or a particular one.
| |||||||||||
Retrieve the current maximum time to unlock for all admins of this user
and its profiles or a particular one.
| |||||||||||
Get the current password expiration time for the given admin or an aggregate of
all admins of this user and its profiles if admin is null.
| |||||||||||
Get the password expiration timeout for the given admin.
| |||||||||||
Retrieve the current password history length for all admins of this
user and its profiles or a particular one.
| |||||||||||
Return the maximum password length that the device supports for a
particular password quality.
| |||||||||||
Retrieve the current minimum password length for all admins of this
user and its profiles or a particular one.
| |||||||||||
Retrieve the current number of letters required in the password for all
admins or a particular one.
| |||||||||||
Retrieve the current number of lower case letters required in the
password for all admins of this user and its profiles or a particular one.
| |||||||||||
Retrieve the current number of non-letter characters required in the
password for all admins of this user and its profiles or a particular one.
| |||||||||||
Retrieve the current number of numerical digits required in the password
for all admins of this user and its profiles or a particular one.
| |||||||||||
Retrieve the current number of symbols required in the password for all
admins or a particular one.
| |||||||||||
Retrieve the current number of upper case letters required in the
password for all admins of this user and its profiles or a particular one.
| |||||||||||
Retrieve the current minimum password quality for all admins of this user
and its profiles or a particular one.
| |||||||||||
Called by an application that is administering the device to
determine the requested setting for secure storage.
| |||||||||||
Called by an application that is administering the device to
determine the current encryption status of the device.
| |||||||||||
Returns true if an administrator has been granted a particular device policy.
| |||||||||||
Determine whether the current password the user has set is sufficient
to meet the policy requirements (quality, minimum length) that have been
requested by the admins of this user and its profiles.
| |||||||||||
Return true if the given administrator component is currently
active (enabled) in the system.
| |||||||||||
Called by device or profile owner to determine if a package is blocked.
| |||||||||||
Used to determine if a particular package has been registered as a Device Owner app.
| |||||||||||
This function lets the caller know whether the given component is allowed to start the
lock task mode.
| |||||||||||
Used to determine if a particular package is registered as the Profile Owner for the
current user.
| |||||||||||
Make the device lock immediately, as if the lock screen timeout has
expired at the point of this call.
| |||||||||||
Remove a current administration component.
| |||||||||||
Called by a device owner to remove a user and all associated data.
| |||||||||||
Force a new device unlock password (the password needed to access the
entire device, not for individual accounts) on the user.
| |||||||||||
Called by a profile owner to disable account management for a specific type of account.
| |||||||||||
Called by device or profile owner to block or unblock packages.
| |||||||||||
Called by a profile or device owner to set the application restrictions for a given target
application running in the managed profile.
| |||||||||||
Called by profile or device owner to block or unblock currently installed packages.
| |||||||||||
Called by an application that is administering the device to disable all cameras
on the device.
| |||||||||||
Called by device owners to update
Settings.Global settings. | |||||||||||
Called by an application that is administering the device to disable keyguard customizations,
such as widgets.
| |||||||||||
Sets which components may enter lock task mode.
| |||||||||||
Setting this to a value greater than zero enables a built-in policy
that will perform a device wipe after too many incorrect
device-unlock passwords have been entered.
| |||||||||||
Called by an application that is administering the device to set the
maximum time for user activity until the device will lock.
| |||||||||||
Called by a device admin to set the password expiration timeout.
| |||||||||||
Called by an application that is administering the device to set the length
of the password history.
| |||||||||||
Called by an application that is administering the device to set the
minimum allowed password length.
| |||||||||||
Called by an application that is administering the device to set the
minimum number of letters required in the password.
| |||||||||||
Called by an application that is administering the device to set the
minimum number of lower case letters required in the password.
| |||||||||||
Called by an application that is administering the device to set the
minimum number of non-letter characters (numerical digits or symbols)
required in the password.
| |||||||||||
Called by an application that is administering the device to set the
minimum number of numerical digits required in the password.
| |||||||||||
Called by an application that is administering the device to set the
minimum number of symbols required in the password.
| |||||||||||
Called by an application that is administering the device to set the
minimum number of upper case letters required in the password.
| |||||||||||
Called by an application that is administering the device to set the
password restrictions it is imposing.
| |||||||||||
Sets the enabled state of the profile.
| |||||||||||
Called by profile or device owners to update
Settings.Secure settings. | |||||||||||
Called by an application that is administering the device to
request that the storage system be encrypted.
| |||||||||||
Ask the user date be wiped.
|
[Expand]
Inherited Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
From class
java.lang.Object
|
Activity action: ask the user to add a new device administrator to the system.
The desired policy is the ComponentName of the policy in the
EXTRA_DEVICE_ADMIN
extra field. This will invoke a UI to
bring the user through adding the device administrator to the system (or
allowing them to reject it).
You can optionally include the EXTRA_ADD_EXPLANATION
field to provide the user with additional explanation (in addition
to your component's description) about what is being added.
If your administrator is already active, this will ordinarily return immediately (without user intervention). However, if your administrator has been updated and is requesting additional uses-policy flags, the user will be presented with the new list. New policies will not be available to the updated administrator until the user has accepted the new list.
Activity action: Starts the provisioning flow which sets up a managed profile.
A managed profile allows data separation for example for the usage of a device as a personal and corporate device. The user which provisioning is started from and the managed profile share a launcher.
This intent will typically be sent by a mobile device management application (mdm). Provisioning adds a managed profile and sets the mdm as the profile owner who has full control over the profile
This intent must contain the extras EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
EXTRA_PROVISIONING_DEFAULT_MANAGED_PROFILE_NAME
and EXTRA_DEVICE_ADMIN
.
When managed provisioning has completed, an intent of the type
ACTION_PROFILE_PROVISIONING_COMPLETE
is broadcasted to the
managed profile. The intent is sent to the DeviceAdminReceiver
specified in the
EXTRA_DEVICE_ADMIN
exclusively.
If provisioning fails, the managedProfile is removed so the device returns to its previous
state.
Input: Nothing.
Output: Nothing
Activity action: have the user enter a new password. This activity should
be launched after using setPasswordQuality(ComponentName, int)
,
or setPasswordMinimumLength(ComponentName, int)
to have the user
enter a new password that meets the current requirements. You can use
isActivePasswordSufficient()
to determine whether you need to
have the user select a new password in order to meet the current
constraints. Upon being resumed from this activity, you can check the new
password characteristics to see if they are sufficient.
Activity action: begin the process of encrypting data on the device. This activity should
be launched after using setStorageEncryption(ComponentName, boolean)
to request encryption be activated.
After resuming from this activity, use getStorageEncryption(ComponentName)
to check encryption status. However, on some devices this activity may never return, as
it may trigger a reboot and in some cases a complete data wipe of the device.
Result code for setStorageEncryption(ComponentName, boolean)
and getStorageEncryptionStatus()
:
indicating that encryption is not currently active, but is currently
being activated. This is only reported by devices that support
encryption of data and only when the storage is currently
undergoing a process of becoming encrypted. A device that must reboot and/or wipe data
to become encrypted will never return this value.
Result code for setStorageEncryption(ComponentName, boolean)
and getStorageEncryptionStatus()
:
indicating that encryption is active.
Result code for setStorageEncryption(ComponentName, boolean)
and getStorageEncryptionStatus()
:
indicating that encryption is supported, but is not currently active.
Result code for setStorageEncryption(ComponentName, boolean)
and getStorageEncryptionStatus()
:
indicating that encryption is not supported.
An optional CharSequence providing additional explanation for why the admin is being added.
The ComponentName of the administrator component.
A String extra holding the default name of the profile that is created during managed profile provisioning.
Use with ACTION_PROVISION_MANAGED_PROFILE
A String extra holding the name of the package of the mobile device management application that starts the managed provisioning flow. This package will be set as the profile owner.
Use with ACTION_PROVISION_MANAGED_PROFILE
.
Disable all current and future keyguard customizations.
Widgets are enabled in keyguard
Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password)
Disable showing all notifications on secure keyguard screens (e.g. PIN/Pattern/Password)
Ignore trust agent state on secure keyguard screens (e.g. PIN/Pattern/Password).
Only allow redacted notifications on secure keyguard screens (e.g. PIN/Pattern/Password)
Disable all keyguard widgets. Has no effect.
Constant for setPasswordQuality(ComponentName, int)
: the user must have entered a
password containing at least alphabetic (or other symbol) characters.
Note that quality constants are ordered so that higher values are more
restrictive.
Constant for setPasswordQuality(ComponentName, int)
: the user must have entered a
password containing at least both> numeric and
alphabetic (or other symbol) characters. Note that quality constants are
ordered so that higher values are more restrictive.
Constant for setPasswordQuality(ComponentName, int)
: the policy allows for low-security biometric
recognition technology. This implies technologies that can recognize the identity of
an individual to about a 3 digit PIN (false detection is less than 1 in 1,000).
Note that quality constants are ordered so that higher values are more restrictive.
Constant for setPasswordQuality(ComponentName, int)
: the user must have entered a
password containing at least a letter, a numerical digit and a special
symbol, by default. With this password quality, passwords can be
restricted to contain various sets of characters, like at least an
uppercase letter, etc. These are specified using various methods,
like setPasswordMinimumLowerCase(ComponentName, int)
. Note
that quality constants are ordered so that higher values are more
restrictive.
Constant for setPasswordQuality(ComponentName, int)
: the user must have entered a
password containing at least numeric characters. Note that quality
constants are ordered so that higher values are more restrictive.
Constant for setPasswordQuality(ComponentName, int)
: the policy requires some kind
of password, but doesn't care what it is. Note that quality constants
are ordered so that higher values are more restrictive.
Constant for setPasswordQuality(ComponentName, int)
: the policy has no requirements
for the password. Note that quality constants are ordered so that higher
values are more restrictive.
Flag for resetPassword(String, int)
: don't allow other admins to change
the password again until the user has entered it.
Flag for wipeData(int)
: also erase the device's external
storage.
Flag for addForwardingIntentFilter(ComponentName, IntentFilter, int)
: the intents will be forwarded to the managed
profile.
Flag for addForwardingIntentFilter(ComponentName, IntentFilter, int)
: the intents will forwarded to the primary user.
Called by a profile owner to forward intents sent from the managed profile to the owner, or from the owner to the managed profile. If an intent matches this intent filter, then activities belonging to the other user can respond to this intent.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
filter | if an intent matches this IntentFilter, then it can be forwarded. |
Called by a profile owner or device owner to add a default intent handler activity for intents that match a certain intent filter. This activity will remain the default intent handler even if the set of potential event handlers for the intent filter changes and if the intent preferences are reset.
The default disambiguation mechanism takes over if the activity is not installed (anymore). When the activity is (re)installed, it is automatically reset as default intent handler for the filter.
The calling device admin must be a profile owner or device owner. If it is not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
filter | The IntentFilter for which a default handler is added. |
activity | The Activity that is added as default intent handler. |
Called by a profile or device owner to set a user restriction specified by the key.
The calling device admin must be a profile or device owner; if it is not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated
with. |
---|---|
key | The key of the restriction. See the constants in
UserManager for the list of keys.
|
Called by a profile owner to remove the forwarding intent filters from the current user and from the owner.
admin | Which DeviceAdminReceiver this request is associated with.
|
---|
Called by a profile owner or device owner to remove all persistent intent handler preferences
associated with the given package that were set by addPersistentPreferredActivity(ComponentName, IntentFilter, ComponentName)
.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
packageName | The name of the package for which preferences are removed. |
Called by a profile or device owner to clear a user restriction specified by the key.
The calling device admin must be a profile or device owner; if it is not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated
with. |
---|---|
key | The key of the restriction. See the constants in
UserManager for the list of keys.
|
Called by a device owner to create a user with the specified name. The UserHandle returned
by this method should not be persisted as user handles are recycled as users are removed and
created. If you need to persist an identifier for this user, use
getSerialNumberForUser(UserHandle)
.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
name | the user's name |
Called by profile or device owner to re-enable a system app that was disabled by default when the managed profile was created. This should only be called from a profile or device owner running within a managed profile.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
packageName | The package to be re-enabled in the current profile. |
Called by profile or device owner to re-enable system apps by intent that were disabled by default when the managed profile was created. This should only be called from a profile or device owner running within a managed profile.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
intent | An intent matching the app(s) to be installed. All apps that resolve for this intent will be re-enabled in the current profile. |
Gets the array of accounts for which account management is disabled by the profile owner.
Account management can be disabled/enabled by calling
setAccountManagementDisabled(ComponentName, String, boolean)
.
Return a list of all currently active device administrator's component names. Note that if there are no administrators than null may be returned.
Called by a profile or device owner to get the application restrictions for a given target application running in the managed profile.
The calling device admin must be a profile or device owner; if it is not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
packageName | The name of the package to fetch restricted settings of. |
Bundle
of settings corresponding to what was set last time
setApplicationRestrictions(ComponentName, String, Bundle)
was called, or an empty Bundle
if no restrictions have been set.
Determine whether or not the device's cameras have been disabled either by the current admin, if specified, or all admins.
admin | The name of the admin component to check, or null to check if any admins have disabled the camera |
---|
Retrieve the number of times the user has failed at entering a password since that last successful password entry.
The calling device admin must have requested
USES_POLICY_WATCH_LOGIN
to be able to call
this method; if it has not, a security exception will be thrown.
Determine whether or not features have been disabled in keyguard either by the current admin, if specified, or all admins.
admin | The name of the admin component to check, or null to check if any admins have disabled features in keyguard. |
---|
setKeyguardDisabledFeatures(ComponentName, int)
for a list.
Retrieve the current maximum number of login attempts that are allowed before the device wipes itself, for all admins of this user and its profiles or a particular one.
admin | The name of the admin component to check, or null to aggregate all admins. |
---|
Retrieve the current maximum time to unlock for all admins of this user and its profiles or a particular one.
admin | The name of the admin component to check, or null to aggregate all admins. |
---|
Get the current password expiration time for the given admin or an aggregate of all admins of this user and its profiles if admin is null. If the password is expired, this will return the time since the password expired as a negative number. If admin is null, then a composite of all expiration timeouts is returned - which will be the minimum of all timeouts.
admin | The name of the admin component to check, or null to aggregate all admins. |
---|
Get the password expiration timeout for the given admin. The expiration timeout is the
recurring expiration timeout provided in the call to
setPasswordExpirationTimeout(ComponentName, long)
for the given admin or the
aggregate of all policy administrators if admin is null.
admin | The name of the admin component to check, or null to aggregate all admins. |
---|
Retrieve the current password history length for all admins of this user and its profiles or a particular one.
admin | The name of the admin component to check, or null to aggregate all admins. |
---|
Return the maximum password length that the device supports for a particular password quality.
quality | The quality being interrogated. |
---|
Retrieve the current minimum password length for all admins of this user and its profiles or a particular one.
admin | The name of the admin component to check, or null to aggregate all admins. |
---|
Retrieve the current number of letters required in the password for all
admins or a particular one. This is the same value as
set by {#link setPasswordMinimumLetters(ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
admin | The name of the admin component to check, or null to aggregate all admins. |
---|
Retrieve the current number of lower case letters required in the
password for all admins of this user and its profiles or a particular one.
This is the same value as set by
{#link setPasswordMinimumLowerCase(ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
admin | The name of the admin component to check, or null to aggregate all admins. |
---|
Retrieve the current number of non-letter characters required in the
password for all admins of this user and its profiles or a particular one.
This is the same value as set by
{#link setPasswordMinimumNonLetter(ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
admin | The name of the admin component to check, or null to aggregate all admins. |
---|
Retrieve the current number of numerical digits required in the password
for all admins of this user and its profiles or a particular one.
This is the same value as set by
{#link setPasswordMinimumNumeric(ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
admin | The name of the admin component to check, or null to aggregate all admins. |
---|
Retrieve the current number of symbols required in the password for all
admins or a particular one. This is the same value as
set by {#link setPasswordMinimumSymbols(ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
admin | The name of the admin component to check, or null to aggregate all admins. |
---|
Retrieve the current number of upper case letters required in the
password for all admins of this user and its profiles or a particular one.
This is the same value as set by
{#link setPasswordMinimumUpperCase(ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
admin | The name of the admin component to check, or null to aggregate all admins. |
---|
Retrieve the current minimum password quality for all admins of this user and its profiles or a particular one.
admin | The name of the admin component to check, or null to aggregate all admins. |
---|
Called by an application that is administering the device to determine the requested setting for secure storage.
admin | Which DeviceAdminReceiver this request is associated with. If null,
this will return the requested encryption setting as an aggregate of all active
administrators. |
---|
Called by an application that is administering the device to
determine the current encryption status of the device.
Depending on the returned status code, the caller may proceed in different
ways. If the result is ENCRYPTION_STATUS_UNSUPPORTED
, the
storage system does not support encryption. If the
result is ENCRYPTION_STATUS_INACTIVE
, use ACTION_START_ENCRYPTION
to begin the process of encrypting or decrypting the
storage. If the result is ENCRYPTION_STATUS_ACTIVATING
or
ENCRYPTION_STATUS_ACTIVE
, no further action is required.
ENCRYPTION_STATUS_UNSUPPORTED
, ENCRYPTION_STATUS_INACTIVE
,
ENCRYPTION_STATUS_ACTIVATING
, orENCRYPTION_STATUS_ACTIVE
.
Returns true if an administrator has been granted a particular device policy. This can be used to check if the administrator was activated under an earlier set of policies, but requires additional policies after an upgrade.
admin | Which DeviceAdminReceiver this request is associated with. Must be
an active administrator, or an exception will be thrown. |
---|---|
usesPolicy | Which uses-policy to check, as defined in DeviceAdminInfo .
|
Determine whether the current password the user has set is sufficient to meet the policy requirements (quality, minimum length) that have been requested by the admins of this user and its profiles.
The calling device admin must have requested
USES_POLICY_LIMIT_PASSWORD
to be able to call
this method; if it has not, a security exception will be thrown.
Return true if the given administrator component is currently active (enabled) in the system.
Called by device or profile owner to determine if a package is blocked.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
packageName | The name of the package to retrieve the blocked status of. |
true
if the package is blocked, false
otherwise.
Used to determine if a particular package has been registered as a Device Owner app.
A device owner app is a special device admin that cannot be deactivated by the user, once
activated as a device admin. It also cannot be uninstalled. To check if a particular
package is currently registered as the device owner app, pass in the package name from
getPackageName()
to this method.
packageName | the package name of the app, to compare with the registered device owner app, if any. |
---|
This function lets the caller know whether the given component is allowed to start the lock task mode.
component | The component to check |
---|
Used to determine if a particular package is registered as the Profile Owner for the current user. A profile owner is a special device admin that has additional privileges within the managed profile.
packageName | The package name of the app to compare with the registered profile owner. |
---|
Make the device lock immediately, as if the lock screen timeout has expired at the point of this call.
The calling device admin must have requested
USES_POLICY_FORCE_LOCK
to be able to call
this method; if it has not, a security exception will be thrown.
Remove a current administration component. This can only be called by the application that owns the administration component; if you try to remove someone else's component, a security exception will be thrown.
Called by a device owner to remove a user and all associated data. The primary user can not be removed.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
userHandle | the user to remove. |
true
if the user was removed, false
otherwise.
Force a new device unlock password (the password needed to access the
entire device, not for individual accounts) on the user. This takes
effect immediately.
The given password must be sufficient for the
current password quality and length constraints as returned by
getPasswordQuality(ComponentName)
and
getPasswordMinimumLength(ComponentName)
; if it does not meet
these constraints, then it will be rejected and false returned. Note
that the password may be a stronger quality (containing alphanumeric
characters when the requested quality is only numeric), in which case
the currently active quality will be increased to match.
The calling device admin must have requested
USES_POLICY_RESET_PASSWORD
to be able to call
this method; if it has not, a security exception will be thrown.
Can not be called from a managed profile.
password | The new password for the user. |
---|---|
flags | May be 0 or RESET_PASSWORD_REQUIRE_ENTRY . |
Called by a profile owner to disable account management for a specific type of account.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
When account management is disabled for an account type, adding or removing an account of that type will not be possible.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
accountType | For which account management is disabled or enabled. |
disabled | The boolean indicating that account management will be disabled (true) or enabled (false). |
Called by device or profile owner to block or unblock packages. When a package is blocked it is unavailable for use, but the data and actual package file remain.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
packageName | The name of the package to block or unblock. |
blocked | true if the package should be blocked, false if it should be
unblocked. |
Called by a profile or device owner to set the application restrictions for a given target application running in the managed profile.
The provided Bundle
consists of key-value pairs, where the types of values may be
Boolean
, String
, or String
[]. The recommended format for key strings
is "com.example.packagename/example-setting" to avoid naming conflicts with library
components such as WebView
.
The application restrictions are only made visible to the target application and the profile or device owner.
The calling device admin must be a profile or device owner; if it is not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
packageName | The name of the package to update restricted settings for. |
settings | A Bundle to be parsed by the receiving application, conveying a new
set of active restrictions.
|
Called by profile or device owner to block or unblock currently installed packages. This should only be called by a profile or device owner running within a managed profile.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
intent | An intent matching the app(s) to be updated. All apps that resolve for this intent will be updated in the current profile. |
blocked | true if the packages should be blocked, false if they should
be unblocked. |
Called by an application that is administering the device to disable all cameras on the device. After setting this, no applications will be able to access any cameras on the device.
The calling device admin must have requested
USES_POLICY_DISABLE_CAMERA
to be able to call
this method; if it has not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
disabled | Whether or not the camera should be disabled. |
Called by device owners to update Settings.Global
settings. Validation that the value
of the setting is in the correct form for the setting type should be performed by the caller.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
setting | The name of the setting to update. |
value | The value to update the setting to. |
Called by an application that is administering the device to disable keyguard customizations, such as widgets. After setting this, keyguard features will be disabled according to the provided feature list.
The calling device admin must have requested
USES_POLICY_DISABLE_KEYGUARD_FEATURES
to be able to call
this method; if it has not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
which | KEYGUARD_DISABLE_FEATURES_NONE (default),
KEYGUARD_DISABLE_WIDGETS_ALL , KEYGUARD_DISABLE_SECURE_CAMERA ,
KEYGUARD_DISABLE_SECURE_NOTIFICATIONS , KEYGUARD_DISABLE_TRUST_AGENTS ,
KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS , KEYGUARD_DISABLE_FEATURES_ALL
|
Sets which components may enter lock task mode. This function can only be called by the device owner or the profile owner.
components | The list of components allowed to enter lock task mode |
---|
SecurityException |
---|
Setting this to a value greater than zero enables a built-in policy
that will perform a device wipe after too many incorrect
device-unlock passwords have been entered. This built-in policy combines
watching for failed passwords and wiping the device, and requires
that you request both USES_POLICY_WATCH_LOGIN
and
USES_POLICY_WIPE_DATA
}.
To implement any other policy (e.g. wiping data for a particular
application only, erasing or revoking credentials, or reporting the
failure to a server), you should implement
onPasswordFailed(Context, android.content.Intent)
instead. Do not use this API, because if the maximum count is reached,
the device will be wiped immediately, and your callback will not be invoked.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
num | The number of failed password attempts at which point the device will wipe its data. |
Called by an application that is administering the device to set the maximum time for user activity until the device will lock. This limits the length that the user can set. It takes effect immediately.
The calling device admin must have requested
USES_POLICY_FORCE_LOCK
to be able to call
this method; if it has not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
timeMs | The new desired maximum time to lock in milliseconds. A value of 0 means there is no restriction. |
Called by a device admin to set the password expiration timeout. Calling this method will restart the countdown for password expiration for the given admin, as will changing the device password (for all admins).
The provided timeout is the time delta in ms and will be added to the current time. For example, to have the password expire 5 days from now, timeout would be 5 * 86400 * 1000 = 432000000 ms for timeout.
To disable password expiration, a value of 0 may be used for timeout.
The calling device admin must have requested
USES_POLICY_EXPIRE_PASSWORD
to be able to call this
method; if it has not, a security exception will be thrown.
Note that setting the password will automatically reset the expiration time for all active admins. Active admins do not need to explicitly call this method in that case.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
timeout | The limit (in ms) that a password can remain in effect. A value of 0 means there is no restriction (unlimited). |
Called by an application that is administering the device to set the length
of the password history. After setting this, the user will not be able to
enter a new password that is the same as any password in the history. Note
that the current password will remain until the user has set a new one, so
the change does not take place immediately. To prompt the user for a new
password, use ACTION_SET_NEW_PASSWORD
after setting this value.
This constraint is only imposed if the administrator has also requested
either PASSWORD_QUALITY_NUMERIC
,
PASSWORD_QUALITY_ALPHABETIC
, or
PASSWORD_QUALITY_ALPHANUMERIC
with setPasswordQuality(ComponentName, int)
.
The calling device admin must have requested
USES_POLICY_LIMIT_PASSWORD
to be able to call this
method; if it has not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated
with. |
---|---|
length | The new desired length of password history. A value of 0 means there is no restriction. |
Called by an application that is administering the device to set the
minimum allowed password length. After setting this, the user
will not be able to enter a new password that is not at least as
restrictive as what has been set. Note that the current password
will remain until the user has set a new one, so the change does not
take place immediately. To prompt the user for a new password, use
ACTION_SET_NEW_PASSWORD
after setting this value. This
constraint is only imposed if the administrator has also requested either
PASSWORD_QUALITY_NUMERIC
, PASSWORD_QUALITY_ALPHABETIC
PASSWORD_QUALITY_ALPHANUMERIC
, or PASSWORD_QUALITY_COMPLEX
with setPasswordQuality(ComponentName, int)
.
The calling device admin must have requested
USES_POLICY_LIMIT_PASSWORD
to be able to call
this method; if it has not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
length | The new desired minimum password length. A value of 0 means there is no restriction. |
Called by an application that is administering the device to set the
minimum number of letters required in the password. After setting this,
the user will not be able to enter a new password that is not at least as
restrictive as what has been set. Note that the current password will
remain until the user has set a new one, so the change does not take
place immediately. To prompt the user for a new password, use
ACTION_SET_NEW_PASSWORD
after setting this value. This
constraint is only imposed if the administrator has also requested
PASSWORD_QUALITY_COMPLEX
with setPasswordQuality(ComponentName, int)
. The
default value is 1.
The calling device admin must have requested
USES_POLICY_LIMIT_PASSWORD
to be able to call
this method; if it has not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated
with. |
---|---|
length | The new desired minimum number of letters required in the password. A value of 0 means there is no restriction. |
Called by an application that is administering the device to set the
minimum number of lower case letters required in the password. After
setting this, the user will not be able to enter a new password that is
not at least as restrictive as what has been set. Note that the current
password will remain until the user has set a new one, so the change does
not take place immediately. To prompt the user for a new password, use
ACTION_SET_NEW_PASSWORD
after setting this value. This
constraint is only imposed if the administrator has also requested
PASSWORD_QUALITY_COMPLEX
with setPasswordQuality(ComponentName, int)
. The
default value is 0.
The calling device admin must have requested
USES_POLICY_LIMIT_PASSWORD
to be able to call
this method; if it has not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated
with. |
---|---|
length | The new desired minimum number of lower case letters required in the password. A value of 0 means there is no restriction. |
Called by an application that is administering the device to set the
minimum number of non-letter characters (numerical digits or symbols)
required in the password. After setting this, the user will not be able
to enter a new password that is not at least as restrictive as what has
been set. Note that the current password will remain until the user has
set a new one, so the change does not take place immediately. To prompt
the user for a new password, use ACTION_SET_NEW_PASSWORD
after
setting this value. This constraint is only imposed if the administrator
has also requested PASSWORD_QUALITY_COMPLEX
with
setPasswordQuality(ComponentName, int)
. The default value is 0.
The calling device admin must have requested
USES_POLICY_LIMIT_PASSWORD
to be able to call
this method; if it has not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated
with. |
---|---|
length | The new desired minimum number of letters required in the password. A value of 0 means there is no restriction. |
Called by an application that is administering the device to set the
minimum number of numerical digits required in the password. After
setting this, the user will not be able to enter a new password that is
not at least as restrictive as what has been set. Note that the current
password will remain until the user has set a new one, so the change does
not take place immediately. To prompt the user for a new password, use
ACTION_SET_NEW_PASSWORD
after setting this value. This
constraint is only imposed if the administrator has also requested
PASSWORD_QUALITY_COMPLEX
with setPasswordQuality(ComponentName, int)
. The
default value is 1.
The calling device admin must have requested
USES_POLICY_LIMIT_PASSWORD
to be able to call
this method; if it has not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated
with. |
---|---|
length | The new desired minimum number of numerical digits required in the password. A value of 0 means there is no restriction. |
Called by an application that is administering the device to set the
minimum number of symbols required in the password. After setting this,
the user will not be able to enter a new password that is not at least as
restrictive as what has been set. Note that the current password will
remain until the user has set a new one, so the change does not take
place immediately. To prompt the user for a new password, use
ACTION_SET_NEW_PASSWORD
after setting this value. This
constraint is only imposed if the administrator has also requested
PASSWORD_QUALITY_COMPLEX
with setPasswordQuality(ComponentName, int)
. The
default value is 1.
The calling device admin must have requested
USES_POLICY_LIMIT_PASSWORD
to be able to call
this method; if it has not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated
with. |
---|---|
length | The new desired minimum number of symbols required in the password. A value of 0 means there is no restriction. |
Called by an application that is administering the device to set the
minimum number of upper case letters required in the password. After
setting this, the user will not be able to enter a new password that is
not at least as restrictive as what has been set. Note that the current
password will remain until the user has set a new one, so the change does
not take place immediately. To prompt the user for a new password, use
ACTION_SET_NEW_PASSWORD
after setting this value. This
constraint is only imposed if the administrator has also requested
PASSWORD_QUALITY_COMPLEX
with setPasswordQuality(ComponentName, int)
. The
default value is 0.
The calling device admin must have requested
USES_POLICY_LIMIT_PASSWORD
to be able to call
this method; if it has not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated
with. |
---|---|
length | The new desired minimum number of upper case letters required in the password. A value of 0 means there is no restriction. |
Called by an application that is administering the device to set the
password restrictions it is imposing. After setting this, the user
will not be able to enter a new password that is not at least as
restrictive as what has been set. Note that the current password
will remain until the user has set a new one, so the change does not
take place immediately. To prompt the user for a new password, use
ACTION_SET_NEW_PASSWORD
after setting this value.
Quality constants are ordered so that higher values are more restrictive; thus the highest requested quality constant (between the policy set here, the user's preference, and any other considerations) is the one that is in effect.
The calling device admin must have requested
USES_POLICY_LIMIT_PASSWORD
to be able to call
this method; if it has not, a security exception will be thrown.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
quality | The new desired quality. One of
PASSWORD_QUALITY_UNSPECIFIED , PASSWORD_QUALITY_SOMETHING ,
PASSWORD_QUALITY_NUMERIC , PASSWORD_QUALITY_ALPHABETIC ,
PASSWORD_QUALITY_ALPHANUMERIC or PASSWORD_QUALITY_COMPLEX .
|
Sets the enabled state of the profile. A profile should be enabled only once it is ready to be used. Only the profile owner can call this.
admin | Which DeviceAdminReceiver this request is associated with.
|
---|
Called by profile or device owners to update Settings.Secure
settings. Validation
that the value of the setting is in the correct form for the setting type should be performed
by the caller.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
setting | The name of the setting to update. |
value | The value to update the setting to. |
Called by an application that is administering the device to request that the storage system be encrypted.
When multiple device administrators attempt to control device
encryption, the most secure, supported setting will always be
used. If any device administrator requests device encryption,
it will be enabled; Conversely, if a device administrator
attempts to disable device encryption while another
device administrator has enabled it, the call to disable will
fail (most commonly returning ENCRYPTION_STATUS_ACTIVE
).
This policy controls encryption of the secure (application data) storage area. Data
written to other storage areas may or may not be encrypted, and this policy does not require
or control the encryption of any other storage areas.
There is one exception: If isExternalStorageEmulated()
is
true
, then the directory returned by
getExternalStorageDirectory()
must be written to disk
within the encrypted storage area.
Important Note: On some devices, it is possible to encrypt storage without requiring the user to create a device PIN or Password. In this case, the storage is encrypted, but the encryption key may not be fully secured. For maximum security, the administrator should also require (and check for) a pattern, PIN, or password.
admin | Which DeviceAdminReceiver this request is associated with. |
---|---|
encrypt | true to request encryption, false to release any previous request |
ENCRYPTION_STATUS_UNSUPPORTED
, ENCRYPTION_STATUS_INACTIVE
, or
ENCRYPTION_STATUS_ACTIVE
. This is the value of the requests; Use
getStorageEncryptionStatus()
to query the actual device state.
Ask the user date be wiped. This will cause the device to reboot,
erasing all user data while next booting up. External storage such
as SD cards will be also erased if the flag WIPE_EXTERNAL_STORAGE
is set.
The calling device admin must have requested
USES_POLICY_WIPE_DATA
to be able to call
this method; if it has not, a security exception will be thrown.
flags | Bit mask of additional options: currently 0 and
WIPE_EXTERNAL_STORAGE are supported.
|
---|