DevicePolicyManager
public
class
DevicePolicyManager
extends Object
java.lang.Object | |
↳ | android.app.admin.DevicePolicyManager |
Manages device policy and restrictions applied to the user of the device or apps running on the device.
This class contains three types of methods:
- Those aimed at managing apps
- Those aimed at the Device Policy Management Role Holder
- Those aimed at apps which wish to respect device policy
The intended caller for each API is indicated in its Javadoc.
Managing Apps
Apps can be made capable of setting device policy ("Managing Apps") either by being set as a Device Administrator, being set as a Device Policy Controller, or by holding the appropriate Permissions.
A Device Administrator is an app which is able to enforce device
policies that it has declared in its device admin XML file. An app can prompt the user to give it
device administator privileges using the ACTION_ADD_DEVICE_ADMIN
action.
For more information about Device Administration, read the Device Administration developer guide.
Device Administrator apps can also be recognised as Device Policy Controllers. Device Policy Controllers can be one of two types:
- A Device Owner, which only ever exists on the
System User
or Main User, is the most powerful type of Device Policy Controller and can affect policy across the device. - A Profile Owner, which can exist on any user, can
affect policy on the user it is on, and when it is running on
a profile
has limited ability to affect policy on its parent.
Additional capabilities can be provided to Device Policy Controllers in the following circumstances:
- A Profile Owner on an organization owned device has access to additional abilities, both affecting policy on the profile's parent and also the profile itself.
- A Profile Owner running on the
System User
has access to additional capabilities which affect theSystem User
and also the whole device. - A Profile Owner running on an affiliated user has capabilities similar to that of a Device Owner
For more information, see Building a Device Policy Controller.
Permissions are generally only given to apps
fulfilling particular key roles on the device (such as managing
device locks
).
Device Policy Management Role Holder
One app on the device fulfills the Device Policy Management Role and is trusted with managing the overall state of Device Policy. This has access to much more powerful methods than managing apps.
Querying Device Policy
In most cases, regular apps do not need to concern themselves with device policy, and restrictions will be enforced automatically. There are some cases where an app may wish to query device policy to provide a better user experience. Only a small number of policies allow apps to query them directly. These APIs will typically have no special required permissions.
Managed Provisioning
Managed Provisioning is the process of recognising an app as a Device Owner or Profile Owner. It involves presenting education and consent screens to the user to ensure they are aware of the capabilities this grants the Device Policy Controller
For more information on provisioning, see Building a Device Policy Controller.
A Managed Profile enables data separation. For example to use a device both for personal and corporate usage. The managed profile and its parent share a launcher.
Affiliation
Using the setAffiliationIds(ComponentName, Set)
method, a
Device Owner can set a list of affiliation ids for the
System User
. Any Profile Owner on
the same device can also call setAffiliationIds(ComponentName, Set)
to set affiliation ids
for the user
it is on. When there is the same ID
present in both lists, the user is said to be "affiliated" and we can refer to
the Profile Owner as a "profile owner on an affiliated
user" or an "affiliated profile owner".
Becoming affiliated grants the Profile Owner capabilities similar to
that of the Device Owner. It also allows use of the
bindDeviceAdminServiceAsUser(ComponentName, Intent, ServiceConnection, BindServiceFlags, UserHandle)
APIs for direct communication between the
Device Owner and
affiliated Profile Owners.
Organization Owned
An organization owned device is one which is not owned by the person making use of the device and is instead owned by an organization such as their employer or education provider. These devices are recognised as being organization owned either by the presence of a device owner or of aprofile which has a profile owner is marked
as organization owned
.
Profile owners running on an
organization owned device can exercise additional capabilities
using the getParentProfileInstance(android.content.ComponentName)
API which apply to the parent user.
Each API will indicate if it is usable in this way.
Android Automotive
On "Android Automotive builds"
, some methods can throw
"an exception"
if an action is unsafe (for example, if the vehicle
is moving). Callers running on
"Android Automotive builds"
should always check for this exception.
Requires the PackageManager#FEATURE_DEVICE_ADMIN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Summary
Nested classes | ||
---|---|---|
class |
DevicePolicyManager.InstallSystemUpdateCallback
Callback used in |
|
interface |
DevicePolicyManager.OnClearApplicationUserDataListener
Callback used in |
Constants | |
---|---|
String |
ACTION_ADD_DEVICE_ADMIN
Activity action: ask the user to add a new device administrator to the system. |
String |
ACTION_ADMIN_POLICY_COMPLIANCE
Activity action: Starts the administrator to show policy compliance for the provisioning. |
String |
ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED
Broadcast Action: Sent after application delegation scopes are changed. |
String |
ACTION_CHECK_POLICY_COMPLIANCE
Activity action: launch the DPC to check policy compliance. |
String |
ACTION_DEVICE_ADMIN_SERVICE
Service action: Action for a service that device owner and profile owner can optionally own. |
String |
ACTION_DEVICE_FINANCING_STATE_CHANGED
Broadcast Action: Broadcast sent to indicate that the device financing state has changed. |
String |
ACTION_DEVICE_OWNER_CHANGED
Broadcast action: sent when the device owner is set, changed or cleared. |
String |
ACTION_DEVICE_POLICY_RESOURCE_UPDATED
Broadcast action: notify system apps (e.g. settings, SysUI, etc) that the device management
resources with IDs |
String |
ACTION_GET_PROVISIONING_MODE
Activity action: Starts the administrator to get the mode for the provisioning. |
String |
ACTION_MANAGED_PROFILE_PROVISIONED
Broadcast Action: This broadcast is sent to indicate that provisioning of a managed profile has completed successfully. |
String |
ACTION_PROFILE_OWNER_CHANGED
Broadcast action: sent when the profile owner is set, changed or cleared. |
String |
ACTION_PROVISIONING_SUCCESSFUL
Activity action: This activity action is sent to indicate that provisioning of a managed profile or managed device has completed successfully. |
String |
ACTION_PROVISION_MANAGED_DEVICE
This constant was deprecated
in API level 31.
to support |
String |
ACTION_PROVISION_MANAGED_PROFILE
Activity action: Starts the provisioning flow which sets up a managed profile. |
String |
ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
Activity action: have the user enter a new password for the parent profile. |
String |
ACTION_SET_NEW_PASSWORD
Activity action: have the user enter a new password. |
String |
ACTION_START_ENCRYPTION
Activity action: begin the process of encrypting data on the device. |
String |
ACTION_SYSTEM_UPDATE_POLICY_CHANGED
Broadcast action: notify that a new local system update policy has been set by the device owner. |
int |
APP_FUNCTIONS_DISABLED
Indicates that |
int |
APP_FUNCTIONS_DISABLED_CROSS_PROFILE
Indicates that |
int |
APP_FUNCTIONS_NOT_CONTROLLED_BY_POLICY
Indicates that |
int |
AUTO_TIME_DISABLED
Specifies the "disabled" auto time state. |
int |
AUTO_TIME_ENABLED
Specifies the "enabled" auto time state. |
int |
AUTO_TIME_NOT_CONTROLLED_BY_POLICY
Specifies that the auto time state is not controlled by device policy. |
int |
AUTO_TIME_ZONE_DISABLED
Specifies the "disabled" auto time zone state. |
int |
AUTO_TIME_ZONE_ENABLED
Specifies the "enabled" auto time zone state. |
int |
AUTO_TIME_ZONE_NOT_CONTROLLED_BY_POLICY
Specifies that the auto time zone state is not controlled by device policy. |
int |
CONTENT_PROTECTION_DISABLED
Indicates that content protection is controlled and disabled by a policy (default). |
int |
CONTENT_PROTECTION_ENABLED
Indicates that content protection is controlled and enabled by a policy. |
int |
CONTENT_PROTECTION_NOT_CONTROLLED_BY_POLICY
Indicates that content protection is not controlled by policy, allowing user to choose. |
String |
DELEGATION_APP_RESTRICTIONS
Delegation of application restrictions management. |
String |
DELEGATION_BLOCK_UNINSTALL
Delegation of application uninstall block. |
String |
DELEGATION_CERT_INSTALL
Delegation of certificate installation and management. |
String |
DELEGATION_CERT_SELECTION
Grants access to selection of KeyChain certificates on behalf of requesting apps. |
String |
DELEGATION_ENABLE_SYSTEM_APP
Delegation for enabling system apps. |
String |
DELEGATION_INSTALL_EXISTING_PACKAGE
Delegation for installing existing packages. |
String |
DELEGATION_KEEP_UNINSTALLED_PACKAGES
Delegation of management of uninstalled packages. |
String |
DELEGATION_NETWORK_LOGGING
Grants access to |
String |
DELEGATION_PACKAGE_ACCESS
Delegation of package access state. |
String |
DELEGATION_PERMISSION_GRANT
Delegation of permission policy and permission grant state. |
String |
DELEGATION_SECURITY_LOGGING
Grants access to |
int |
ENCRYPTION_STATUS_ACTIVATING
This constant was deprecated in API level 34. This result code has never actually been used, so there is no reason for apps to check for it. |
int |
ENCRYPTION_STATUS_ACTIVE
Result code for |
int |
ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY
Result code for |
int |
ENCRYPTION_STATUS_ACTIVE_PER_USER
Result code for |
int |
ENCRYPTION_STATUS_INACTIVE
Result code for |
int |
ENCRYPTION_STATUS_UNSUPPORTED
Result code for |
String |
EXTRA_ADD_EXPLANATION
An optional CharSequence providing additional explanation for why the admin is being added. |
String |
EXTRA_DELEGATION_SCOPES
An |
String |
EXTRA_DEVICE_ADMIN
The ComponentName of the administrator component. |
String |
EXTRA_DEVICE_PASSWORD_REQUIREMENT_ONLY
A boolean extra for |
String |
EXTRA_PASSWORD_COMPLEXITY
An integer indicating the complexity level of the new password an app would like the user to
set when launching the action |
String |
EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
An |
String |
EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
A |
String |
EXTRA_PROVISIONING_ALLOWED_PROVISIONING_MODES
An |
String |
EXTRA_PROVISIONING_ALLOW_OFFLINE
A boolean extra indicating whether offline provisioning should be used. |
String |
EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
A ComponentName extra indicating the |
String |
EXTRA_PROVISIONING_DEVICE_ADMIN_MINIMUM_VERSION_CODE
An int extra holding a minimum required version code for the device admin package. |
String |
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
A String extra holding the URL-safe base64 encoded SHA-256 hash of the file at download
location specified in |
String |
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
A String extra holding a http cookie header which should be used in the http request to the
url specified in |
String |
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
A String extra holding a url that specifies the download location of the device admin package. |
String |
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
This constant was deprecated
in API level 23.
Use |
String |
EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
A String extra holding the URL-safe base64 encoded SHA-256 checksum of any signature of the
android package archive at the download location specified in |
String |
EXTRA_PROVISIONING_DISCLAIMERS
A |
String |
EXTRA_PROVISIONING_DISCLAIMER_CONTENT
A |
String |
EXTRA_PROVISIONING_DISCLAIMER_HEADER
A String extra of localized disclaimer header. |
String |
EXTRA_PROVISIONING_EMAIL_ADDRESS
This constant was deprecated
in API level 26.
From |
String |
EXTRA_PROVISIONING_IMEI
A string extra holding the IMEI (International Mobile Equipment Identity) of the device. |
String |
EXTRA_PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION
Boolean extra to indicate that the
|
String |
EXTRA_PROVISIONING_KEEP_SCREEN_ON
This constant was deprecated
in API level 34.
from |
String |
EXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
A Boolean extra that can be used by the mobile device management application to skip the
disabling of system apps during provisioning when set to |
String |
EXTRA_PROVISIONING_LOCALE
A String extra holding the |
String |
EXTRA_PROVISIONING_LOCAL_TIME
A Long extra holding the wall clock time (in milliseconds) to be set on the device's
|
String |
EXTRA_PROVISIONING_LOGO_URI
This constant was deprecated in API level 33. Logo customization is no longer supported in the provisioning flow. |
String |
EXTRA_PROVISIONING_MAIN_COLOR
This constant was deprecated in API level 31. Color customization is no longer supported in the provisioning flow. |
String |
EXTRA_PROVISIONING_MODE
An intent extra holding the provisioning mode returned by the administrator. |
String |
EXTRA_PROVISIONING_SENSORS_PERMISSION_GRANT_OPT_OUT
A boolean extra indicating the admin of a fully-managed device opts out of controlling
permission grants for sensor-related permissions,
see |
String |
EXTRA_PROVISIONING_SERIAL_NUMBER
A string extra holding the serial number of the device. |
String |
EXTRA_PROVISIONING_SHOULD_LAUNCH_RESULT_INTENT
A boolean extra that determines whether the provisioning flow should launch the resulting
launch intent, if one is supplied by the device policy management role holder via |
String |
EXTRA_PROVISIONING_SKIP_EDUCATION_SCREENS
A boolean extra indicating if the education screens from the provisioning flow should be skipped. |
String |
EXTRA_PROVISIONING_SKIP_ENCRYPTION
A boolean extra indicating whether device encryption can be skipped as part of provisioning. |
String |
EXTRA_PROVISIONING_SKIP_USER_CONSENT
This constant was deprecated in API level 31. this extra is no longer relevant as device owners cannot create managed profiles |
String |
EXTRA_PROVISIONING_TIME_ZONE
A String extra holding the time zone |
String |
EXTRA_PROVISIONING_USE_MOBILE_DATA
A boolean extra indicating if mobile data should be used during the provisioning flow for downloading the admin app. |
String |
EXTRA_PROVISIONING_WIFI_ANONYMOUS_IDENTITY
The anonymous identity of the wifi network in |
String |
EXTRA_PROVISIONING_WIFI_CA_CERTIFICATE
The CA certificate of the wifi network in |
String |
EXTRA_PROVISIONING_WIFI_DOMAIN
The domain of the wifi network in |
String |
EXTRA_PROVISIONING_WIFI_EAP_METHOD
The EAP method of the wifi network in |
String |
EXTRA_PROVISIONING_WIFI_HIDDEN
A boolean extra indicating whether the wifi network in |
String |
EXTRA_PROVISIONING_WIFI_IDENTITY
The identity of the wifi network in |
String |
EXTRA_PROVISIONING_WIFI_PAC_URL
A String extra holding the proxy auto-config (PAC) URL for the wifi network in
|
String |
EXTRA_PROVISIONING_WIFI_PASSWORD
A String extra holding the password of the wifi network in
|
String |
EXTRA_PROVISIONING_WIFI_PHASE2_AUTH
The phase 2 authentication of the wifi network in |
String |
EXTRA_PROVISIONING_WIFI_PROXY_BYPASS
A String extra holding the proxy bypass for the wifi network in
|
String |
EXTRA_PROVISIONING_WIFI_PROXY_HOST
A String extra holding the proxy host for the wifi network in
|
String |
EXTRA_PROVISIONING_WIFI_PROXY_PORT
An int extra holding the proxy port for the wifi network in
|
String |
EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
A String extra indicating the security type of the wifi network in
|
String |
EXTRA_PROVISIONING_WIFI_SSID
A String extra holding the ssid of the wifi network that should be used during nfc device owner provisioning for downloading the mobile device management application. |
String |
EXTRA_PROVISIONING_WIFI_USER_CERTIFICATE
The user certificate of the wifi network in |
String |
EXTRA_RESOURCE_IDS
An integer array extra for |
String |
EXTRA_RESOURCE_TYPE
An |
int |
EXTRA_RESOURCE_TYPE_DRAWABLE
A |
int |
EXTRA_RESOURCE_TYPE_STRING
A |
String |
EXTRA_RESULT_LAUNCH_INTENT
An |
int |
FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY
Flag for |
int |
FLAG_MANAGED_CAN_ACCESS_PARENT
Flag used by |
int |
FLAG_PARENT_CAN_ACCESS_MANAGED
Flag used by |
int |
ID_TYPE_BASE_INFO
Specifies that the device should attest its manufacturer details. |
int |
ID_TYPE_IMEI
Specifies that the device should attest its IMEI. |
int |
ID_TYPE_INDIVIDUAL_ATTESTATION
Specifies that the device should attest using an individual attestation certificate. |
int |
ID_TYPE_MEID
Specifies that the device should attest its MEID. |
int |
ID_TYPE_SERIAL
Specifies that the device should attest its serial number. |
int |
INSTALLKEY_REQUEST_CREDENTIALS_ACCESS
Specifies that the calling app should be granted access to the installed credentials immediately. |
int |
INSTALLKEY_SET_USER_SELECTABLE
Specifies that a user can select the key via the Certificate Selection prompt. |
int |
KEYGUARD_DISABLE_BIOMETRICS
Disable all biometric authentication on keyguard secure screens (e.g. PIN/Pattern/Password). |
int |
KEYGUARD_DISABLE_FACE
Disable face authentication on keyguard secure screens (e.g. PIN/Pattern/Password). |
int |
KEYGUARD_DISABLE_FEATURES_ALL
Disable all current and future keyguard customizations. |
int |
KEYGUARD_DISABLE_FEATURES_NONE
Widgets are enabled in keyguard |
int |
KEYGUARD_DISABLE_FINGERPRINT
Disable fingerprint authentication on keyguard secure screens (e.g. PIN/Pattern/Password). |
int |
KEYGUARD_DISABLE_IRIS
Disable iris authentication on keyguard secure screens (e.g. PIN/Pattern/Password). |
int |
KEYGUARD_DISABLE_REMOTE_INPUT
This constant was deprecated
in API level 33.
This flag was added in version |
int |
KEYGUARD_DISABLE_SECURE_CAMERA
Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password) |
int |
KEYGUARD_DISABLE_SECURE_NOTIFICATIONS
Disable showing all notifications on secure keyguard screens (e.g. PIN/Pattern/Password) |
int |
KEYGUARD_DISABLE_SHORTCUTS_ALL
Disable all keyguard shortcuts. |
int |
KEYGUARD_DISABLE_TRUST_AGENTS
Disable trust agents on secure keyguard screens (e.g. PIN/Pattern/Password). |
int |
KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS
Only allow redacted notifications on secure keyguard screens (e.g. PIN/Pattern/Password) |
int |
KEYGUARD_DISABLE_WIDGETS_ALL
Disable all keyguard widgets. |
int |
LEAVE_ALL_SYSTEM_APPS_ENABLED
Flag used by |
int |
LOCK_TASK_FEATURE_BLOCK_ACTIVITY_START_IN_TASK
Enable blocking of non-allowlisted activities from being started into a locked task. |
int |
LOCK_TASK_FEATURE_GLOBAL_ACTIONS
Enable the global actions dialog during LockTask mode. |
int |
LOCK_TASK_FEATURE_HOME
Enable the Home button during LockTask mode. |
int |
LOCK_TASK_FEATURE_KEYGUARD
Enable the keyguard during LockTask mode. |
int |
LOCK_TASK_FEATURE_NONE
Disable all configurable SystemUI features during LockTask mode. |
int |
LOCK_TASK_FEATURE_NOTIFICATIONS
Enable notifications during LockTask mode. |
int |
LOCK_TASK_FEATURE_OVERVIEW
Enable the Overview button and the Overview screen during LockTask mode. |
int |
LOCK_TASK_FEATURE_SYSTEM_INFO
Enable the system info area in the status bar during LockTask mode. |
int |
MAKE_USER_EPHEMERAL
Flag used by |
String |
MIME_TYPE_PROVISIONING_NFC
This MIME type is used for starting the device owner provisioning. |
int |
MTE_DISABLED
Require that MTE be disabled on the device. |
int |
MTE_ENABLED
Require that MTE be enabled on the device, if supported. |
int |
MTE_NOT_CONTROLLED_BY_POLICY
Allow the user to choose whether to enable MTE on the device. |
int |
NEARBY_STREAMING_DISABLED
Indicates that nearby streaming is disabled. |
int |
NEARBY_STREAMING_ENABLED
Indicates that nearby streaming is enabled. |
int |
NEARBY_STREAMING_NOT_CONTROLLED_BY_POLICY
Indicates that nearby streaming is not controlled by policy, which means nearby streaming is allowed. |
int |
NEARBY_STREAMING_SAME_MANAGED_ACCOUNT_ONLY
Indicates that nearby streaming is enabled only to devices offering a comparable level of security, with the same authenticated managed account. |
int |
OPERATION_SAFETY_REASON_DRIVING_DISTRACTION
Indicates that a |
int |
PASSWORD_COMPLEXITY_HIGH
Constant for |
int |
PASSWORD_COMPLEXITY_LOW
Constant for |
int |
PASSWORD_COMPLEXITY_MEDIUM
Constant for |
int |
PASSWORD_COMPLEXITY_NONE
Constant for |
int |
PASSWORD_QUALITY_ALPHABETIC
Constant for |
int |
PASSWORD_QUALITY_ALPHANUMERIC
Constant for |
int |
PASSWORD_QUALITY_BIOMETRIC_WEAK
Constant for |
int |
PASSWORD_QUALITY_COMPLEX
Constant for |
int |
PASSWORD_QUALITY_NUMERIC
Constant for |
int |
PASSWORD_QUALITY_NUMERIC_COMPLEX
Constant for |
int |
PASSWORD_QUALITY_SOMETHING
Constant for |
int |
PASSWORD_QUALITY_UNSPECIFIED
Constant for |
int |
PERMISSION_GRANT_STATE_DEFAULT
Runtime permission state: The user can manage the permission through the UI. |
int |
PERMISSION_GRANT_STATE_DENIED
Runtime permission state: The permission is denied to the app and the user cannot manage the permission through the UI. |
int |
PERMISSION_GRANT_STATE_GRANTED
Runtime permission state: The permission is granted to the app and the user cannot manage the permission through the UI. |
int |
PERMISSION_POLICY_AUTO_DENY
Permission policy to always deny new permission requests for runtime permissions. |
int |
PERMISSION_POLICY_AUTO_GRANT
Permission policy to always grant new permission requests for runtime permissions. |
int |
PERMISSION_POLICY_PROMPT
Permission policy to prompt user for new permission requests for runtime permissions. |
int |
PERSONAL_APPS_NOT_SUSPENDED
Return value for |
int |
PERSONAL_APPS_SUSPENDED_EXPLICITLY
Flag for |
int |
PERSONAL_APPS_SUSPENDED_PROFILE_TIMEOUT
Flag for |
String |
POLICY_DISABLE_CAMERA
Constant to indicate the feature of disabling the camera. |
String |
POLICY_DISABLE_SCREEN_CAPTURE
Constant to indicate the feature of disabling screen captures. |
int |
PRIVATE_DNS_MODE_OFF
Specifies that Private DNS was turned off completely. |
int |
PRIVATE_DNS_MODE_OPPORTUNISTIC
Specifies that the device owner requested opportunistic DNS over TLS |
int |
PRIVATE_DNS_MODE_PROVIDER_HOSTNAME
Specifies that the device owner configured a specific host to use for Private DNS. |
int |
PRIVATE_DNS_MODE_UNKNOWN
Specifies that the Private DNS setting is in an unknown state. |
int |
PRIVATE_DNS_SET_ERROR_FAILURE_SETTING
General failure to set the Private DNS mode, not due to one of the reasons listed above. |
int |
PRIVATE_DNS_SET_ERROR_HOST_NOT_SERVING
If the |
int |
PRIVATE_DNS_SET_NO_ERROR
The selected mode has been set successfully. |
int |
PROVISIONING_MODE_FULLY_MANAGED_DEVICE
The provisioning mode for fully managed device. |
int |
PROVISIONING_MODE_MANAGED_PROFILE
The provisioning mode for managed profile. |
int |
PROVISIONING_MODE_MANAGED_PROFILE_ON_PERSONAL_DEVICE
The provisioning mode for a managed profile on a personal device. |
int |
RESET_PASSWORD_DO_NOT_ASK_CREDENTIALS_ON_BOOT
Flag for |
int |
RESET_PASSWORD_REQUIRE_ENTRY
Flag for |
int |
SKIP_SETUP_WIZARD
Flag used by |
int |
WIFI_SECURITY_ENTERPRISE_192
Constant for |
int |
WIFI_SECURITY_ENTERPRISE_EAP
Constant for |
int |
WIFI_SECURITY_OPEN
Constant for |
int |
WIFI_SECURITY_PERSONAL
Constant for |
int |
WIPE_EUICC
Flag for |
int |
WIPE_EXTERNAL_STORAGE
Flag for |
int |
WIPE_RESET_PROTECTION_DATA
Flag for |
int |
WIPE_SILENTLY
Flag for |
Public methods | |
---|---|
void
|
acknowledgeDeviceCompliant()
Called by a profile owner of an organization-owned managed profile to acknowledge that the device is compliant and the user can turn the profile off if needed according to the maximum time off policy. |
void
|
addCrossProfileIntentFilter(ComponentName admin, IntentFilter filter, int flags)
Called by the profile owner of a managed profile so that some intents sent in the managed profile can also be resolved in the parent, or vice versa. |
boolean
|
addCrossProfileWidgetProvider(ComponentName admin, String packageName)
Called by the profile owner of a managed profile or a holder of the permission
|
int
|
addOverrideApn(ComponentName admin, ApnSetting apnSetting)
Called by device owner or managed profile owner to add an override APN. |
void
|
addPersistentPreferredActivity(ComponentName admin, IntentFilter filter, ComponentName activity)
Called by a profile owner or device owner or holder of the permission
|
void
|
addUserRestriction(ComponentName admin, String key)
Called by a profile owner, device owner or a holder of any permission that is associated with a user restriction to set a user restriction specified by the key. |
void
|
addUserRestrictionGlobally(String key)
Called by a profile owner, device owner or a holder of any permission that is associated with
a user restriction to set a user restriction specified by the provided |
boolean
|
bindDeviceAdminServiceAsUser(ComponentName admin, Intent serviceIntent, ServiceConnection conn, int flags, UserHandle targetUser)
Called by a device owner to bind to a service from a secondary managed user or vice versa. |
boolean
|
bindDeviceAdminServiceAsUser(ComponentName admin, Intent serviceIntent, ServiceConnection conn, Context.BindServiceFlags flags, UserHandle targetUser)
|
boolean
|
canAdminGrantSensorsPermissions()
Returns true if the caller is running on a device where an admin can grant permissions related to device sensors. |
boolean
|
canUsbDataSignalingBeDisabled()
Returns whether enabling or disabling USB data signaling is supported on the device. |
void
|
clearApplicationUserData(ComponentName admin, String packageName, Executor executor, DevicePolicyManager.OnClearApplicationUserDataListener listener)
Called by the device owner or profile owner to clear application user data of a given package. |
void
|
clearCrossProfileIntentFilters(ComponentName admin)
Called by a profile owner of a managed profile to remove the cross-profile intent filters that go from the managed profile to the parent, or from the parent to the managed profile. |
void
|
clearDeviceOwnerApp(String packageName)
This method was deprecated
in API level 26.
This method is expected to be used for testing purposes only. The device owner
will lose control of the device and its data after calling it. In order to protect any
sensitive data that remains on the device, it is advised that the device owner factory resets
the device instead of calling this method. See |
void
|
clearPackagePersistentPreferredActivities(ComponentName admin, String packageName)
Called by a profile owner or device owner or holder of the
permission |
void
|
clearProfileOwner(ComponentName admin)
This method was deprecated
in API level 26.
This method is expected to be used for testing purposes only. The profile owner
will lose control of the user and its data after calling it. In order to protect any
sensitive data that remains on this user, it is advised that the profile owner deletes it
instead of calling this method. See |
boolean
|
clearResetPasswordToken(ComponentName admin)
Called by a profile, device owner or holder of the permission
|
void
|
clearUserRestriction(ComponentName admin, String key)
Called by a profile owner, device owner or a holder of any permission that is associated with a user restriction to clear a user restriction specified by the key. |
Intent
|
createAdminSupportIntent(String restriction)
Called by any app to display a support dialog when a feature was disabled by an admin. |
UserHandle
|
createAndManageUser(ComponentName admin, String name, ComponentName profileOwner, PersistableBundle adminExtras, int flags)
Called by a device owner to create a user with the specified name and a given component of the calling package as profile owner. |
int
|
enableSystemApp(ComponentName admin, Intent intent)
Re-enable system apps by intent that were disabled by default when the user was initialized. |
void
|
enableSystemApp(ComponentName admin, String packageName)
Re-enable a system app that was disabled by default when the user was initialized. |
AttestedKeyPair
|
generateKeyPair(ComponentName admin, String algorithm, KeyGenParameterSpec keySpec, int idAttestationFlags)
This API can be called by the following to generate a new private/public key pair:
|
String[]
|
getAccountTypesWithManagementDisabled()
Gets the array of accounts for which account management is disabled by the profile owner or device owner. |
List<ComponentName>
|
getActiveAdmins()
Return a list of all currently active device administrators' component names. |
Set<String>
|
getAffiliationIds(ComponentName admin)
Returns the set of affiliation ids previously set via |
Set<String>
|
getAlwaysOnVpnLockdownWhitelist(ComponentName admin)
Called by device or profile owner to query the set of packages that are allowed to access the network directly when always-on VPN is in lockdown mode but not connected. |
String
|
getAlwaysOnVpnPackage(ComponentName admin)
Called by a device or profile owner to read the name of the package administering an always-on VPN connection for the current user. |
int
|
getAppFunctionsPolicy()
Returns the current |
Bundle
|
getApplicationRestrictions(ComponentName admin, String packageName)
Retrieves the application restrictions for a given target application running in the calling user. |
String
|
getApplicationRestrictionsManagingPackage(ComponentName admin)
This method was deprecated
in API level 26.
From |
boolean
|
getAutoTimeEnabled(ComponentName admin)
Returns true if auto time is enabled on the device. |
int
|
getAutoTimePolicy()
Returns current auto time policy's state. |
boolean
|
getAutoTimeRequired()
This method was deprecated
in API level 30.
From |
boolean
|
getAutoTimeZoneEnabled(ComponentName admin)
Returns true if auto time zone is enabled on the device. |
int
|
getAutoTimeZonePolicy()
Returns auto time zone policy's current state. |
List<UserHandle>
|
getBindDeviceAdminTargetUsers(ComponentName admin)
Returns the list of target users that the calling device owner or owner of secondary user
can use when calling |
boolean
|
getBluetoothContactSharingDisabled(ComponentName admin)
Called by a profile owner of a managed profile to determine whether or not Bluetooth devices cannot access enterprise contacts. |
boolean
|
getCameraDisabled(ComponentName admin)
Determine whether or not the device's cameras have been disabled for this user, either by the calling admin, if specified, or all admins. |
String
|
getCertInstallerPackage(ComponentName admin)
This method was deprecated
in API level 26.
From |
int
|
getContentProtectionPolicy(ComponentName admin)
Returns the current content protection policy. |
PackagePolicy
|
getCredentialManagerPolicy()
Called by a device owner or profile owner of a managed profile to retrieve the credential manager policy. |
Set<String>
|
getCrossProfileCalendarPackages(ComponentName admin)
This method was deprecated
in API level 34.
Use |
boolean
|
getCrossProfileCallerIdDisabled(ComponentName admin)
This method was deprecated
in API level 34.
starting with |
boolean
|
getCrossProfileContactsSearchDisabled(ComponentName admin)
This method was deprecated
in API level 34.
From |
Set<String>
|
getCrossProfilePackages(ComponentName admin)
Returns the set of package names that the admin has previously set as allowed to request user
consent for cross-profile communication, via |
List<String>
|
getCrossProfileWidgetProviders(ComponentName admin)
Called by the profile owner of a managed profile or a holder of the permission
|
int
|
getCurrentFailedPasswordAttempts()
Retrieve the number of times the user has failed at entering a password since that last successful password entry. |
List<String>
|
getDelegatePackages(ComponentName admin, String delegationScope)
Called by a profile owner or device owner to retrieve a list of delegate packages that were granted a delegation scope. |
List<String>
|
getDelegatedScopes(ComponentName admin, String delegatedPackage)
Called by a profile owner or device owner to retrieve a list of the scopes given to a delegate package. |
CharSequence
|
getDeviceOwnerLockScreenInfo()
|
String
|
getDevicePolicyManagementRoleHolderPackage()
Returns the package name of the device policy management role holder. |
CharSequence
|
getEndUserSessionMessage(ComponentName admin)
Returns the user session end message. |
String
|
getEnrollmentSpecificId()
Returns an enrollment-specific identifier of this device, which is guaranteed to be the same value for the same device, enrolled into the same organization by the same managing app. |
FactoryResetProtectionPolicy
|
getFactoryResetProtectionPolicy(ComponentName admin)
Callable by device owner or profile owner of an organization-owned device, to retrieve
the current factory reset protection (FRP) policy set previously by
|
String
|
getGlobalPrivateDnsHost(ComponentName admin)
Returns the system-wide Private DNS host. |
int
|
getGlobalPrivateDnsMode(ComponentName admin)
Returns the system-wide Private DNS mode. |
List<byte[]>
|
getInstalledCaCerts(ComponentName admin)
Returns all CA certificates that are currently trusted, excluding system CA certificates. |
List<String>
|
getKeepUninstalledPackages(ComponentName admin)
Get the list of apps to keep around as APKs even if no user has currently installed it. |
Map<Integer, Set<String>>
|
getKeyPairGrants(String alias)
Called by a device or profile owner, or delegated certificate chooser (an app that has been
delegated the |
int
|
getKeyguardDisabledFeatures(ComponentName admin)
Determine whether or not features have been disabled in keyguard either by the calling admin, if specified, or all admins that set restrictions on this user and its participating profiles. |
int
|
getLockTaskFeatures(ComponentName admin)
Gets which system features are enabled for LockTask mode. |
String[]
|
getLockTaskPackages(ComponentName admin)
Returns the list of packages allowed to start the lock task mode. |
CharSequence
|
getLongSupportMessage(ComponentName admin)
Called by a device admin to get the long support message. |
PackagePolicy
|
getManagedProfileCallerIdAccessPolicy()
Called by a profile owner of a managed profile to retrieve the caller id policy. |
PackagePolicy
|
getManagedProfileContactsAccessPolicy()
Called by a profile owner of a managed profile to determine the current policy applied to managed profile contacts. |
long
|
getManagedProfileMaximumTimeOff(ComponentName admin)
Called by a profile owner of an organization-owned managed profile to get maximum time the profile is allowed to be turned off. |
ManagedSubscriptionsPolicy
|
getManagedSubscriptionsPolicy()
Returns the current |
int
|
getMaximumFailedPasswordsForWipe(ComponentName admin)
Retrieve the current maximum number of login attempts that are allowed before the device or profile is wiped, for a particular admin or all admins that set restrictions on this user and its participating profiles. |
long
|
getMaximumTimeToLock(ComponentName admin)
Retrieve the current maximum time to unlock for a particular admin or all admins that set restrictions on this user and its participating profiles. |
List<String>
|
getMeteredDataDisabledPackages(ComponentName admin)
Called by a device or profile owner to retrieve the list of packages which are restricted by the admin from using metered data. |
int
|
getMinimumRequiredWifiSecurityLevel()
Returns the current Wi-Fi minimum security level. |
int
|
getMtePolicy()
Called by a device owner, profile owner of an organization-owned device to get the Memory Tagging Extension (MTE) policy Learn more about MTE |
int
|
getNearbyAppStreamingPolicy()
Returns the current runtime nearby app streaming policy set by the device or profile owner. |
int
|
getNearbyNotificationStreamingPolicy()
Returns the current runtime nearby notification streaming policy set by the device or profile owner. |
int
|
getOrganizationColor(ComponentName admin)
This method was deprecated
in API level 31.
From |
CharSequence
|
getOrganizationName(ComponentName admin)
Called by the device owner (since API 26) or profile owner (since API 24) or holders of the permission {@link android.Manifest.permission#MANAGE_DEVICE_POLICY_ORGANIZATION_IDENTITY to retrieve the name of the organization under management. |
List<ApnSetting>
|
getOverrideApns(ComponentName admin)
Called by device owner or managed profile owner to get all override APNs inserted by
device owner or managed profile owner previously using |
DevicePolicyManager
|
getParentProfileInstance(ComponentName admin)
Called by the profile owner of a managed profile or other apps in a managed profile to
obtain a |
int
|
getPasswordComplexity()
Returns how complex the current user's screen lock is. |
long
|
getPasswordExpiration(ComponentName admin)
Get the current password expiration time for a particular admin or all admins that set restrictions on this user and its participating profiles. |
long
|
getPasswordExpirationTimeout(ComponentName admin)
Get the password expiration timeout for the given admin. |
int
|
getPasswordHistoryLength(ComponentName admin)
Retrieve the current password history length for a particular admin or all admins that set restrictions on this user and its participating profiles. |
int
|
getPasswordMaximumLength(int quality)
Return the maximum password length that the device supports for a particular password quality. |
int
|
getPasswordMinimumLength(ComponentName admin)
This method was deprecated
in API level 31.
see |
int
|
getPasswordMinimumLetters(ComponentName admin)
This method was deprecated
in API level 31.
see |
int
|
getPasswordMinimumLowerCase(ComponentName admin)
This method was deprecated
in API level 31.
see |
int
|
getPasswordMinimumNonLetter(ComponentName admin)
This method was deprecated
in API level 31.
see |
int
|
getPasswordMinimumNumeric(ComponentName admin)
This method was deprecated
in API level 31.
see |
int
|
getPasswordMinimumSymbols(ComponentName admin)
This method was deprecated
in API level 31.
see |
int
|
getPasswordMinimumUpperCase(ComponentName admin)
This method was deprecated
in API level 31.
see |
int
|
getPasswordQuality(ComponentName admin)
This method was deprecated
in API level 31.
see |
SystemUpdateInfo
|
getPendingSystemUpdate(ComponentName admin)
Get information about a pending system update. |
int
|
getPermissionGrantState(ComponentName admin, String packageName, String permission)
Returns the current grant state of a runtime permission for a specific application. |
int
|
getPermissionPolicy(ComponentName admin)
Returns the current runtime permission policy set by the device or profile owner. |
List<String>
|
getPermittedAccessibilityServices(ComponentName admin)
Returns the list of permitted accessibility services set by this device or profile owner. |
List<String>
|
getPermittedCrossProfileNotificationListeners(ComponentName admin)
Returns the list of packages installed on the primary user that allowed to use a
|
List<String>
|
getPermittedInputMethods(ComponentName admin)
Returns the list of permitted input methods set by this device or profile owner. |
int
|
getPersonalAppsSuspendedReasons(ComponentName admin)
Called by profile owner of an organization-owned managed profile to check whether personal apps are suspended. |
List<PreferentialNetworkServiceConfig>
|
getPreferentialNetworkServiceConfigs()
Get preferential network configuration |
int
|
getRequiredPasswordComplexity()
Gets the password complexity requirement set by |
long
|
getRequiredStrongAuthTimeout(ComponentName admin)
Determine for how long the user will be able to use secondary, non strong auth for authentication, since last strong method authentication (password, pin or pattern) was used. |
DevicePolicyResourcesManager
|
getResources()
Returns a |
boolean
|
getScreenCaptureDisabled(ComponentName admin)
Determine whether or not screen capture has been disabled by the calling admin, if specified, or all admins. |
List<UserHandle>
|
getSecondaryUsers(ComponentName admin)
Called by a device owner to list all secondary users on the device. |
CharSequence
|
getShortSupportMessage(ComponentName admin)
Called by a device admin or holder of the permission
|
CharSequence
|
getStartUserSessionMessage(ComponentName admin)
Returns the user session start message. |
boolean
|
getStorageEncryption(ComponentName admin)
This method was deprecated
in API level 30.
This method only returns the value set by |
int
|
getStorageEncryptionStatus()
Called by an application that is administering the device to determine the current encryption status of the device. |
Set<Integer>
|
getSubscriptionIds()
Returns the subscription ids of all subscriptions which were downloaded by the calling admin. |
SystemUpdatePolicy
|
getSystemUpdatePolicy()
Retrieve a local system update policy set previously by |
PersistableBundle
|
getTransferOwnershipBundle()
Returns the data passed from the current administrator to the new administrator during an ownership transfer. |
List<PersistableBundle>
|
getTrustAgentConfiguration(ComponentName admin, ComponentName agent)
Gets configuration for the given trust agent based on aggregating all calls to
|
List<String>
|
getUserControlDisabledPackages(ComponentName admin)
Returns the list of packages over which user control is disabled by a device or profile
owner or holders of the permission
|
Bundle
|
getUserRestrictions(ComponentName admin)
Called by an admin to get user restrictions set by themselves with
|
Bundle
|
getUserRestrictionsGlobally()
Called by a profile or device owner to get global user restrictions set with
|
String
|
getWifiMacAddress(ComponentName admin)
Called by a device owner or profile owner on organization-owned device to get the MAC address of the Wi-Fi device. |
WifiSsidPolicy
|
getWifiSsidPolicy()
Returns the current Wi-Fi SSID policy. |
boolean
|
grantKeyPairToApp(ComponentName admin, String alias, String packageName)
Called by a device or profile owner, or delegated certificate chooser (an app that has been
delegated the |
boolean
|
grantKeyPairToWifiAuth(String alias)
Called by a device or profile owner, or delegated certificate chooser (an app that has been
delegated the |
boolean
|
hasCaCertInstalled(ComponentName admin, byte[] certBuffer)
Returns whether this certificate is installed as a trusted CA. |
boolean
|
hasGrantedPolicy(ComponentName admin, int usesPolicy)
Returns true if an administrator has been granted a particular device policy. |
boolean
|
hasKeyPair(String alias)
This API can be called by the following to query whether a certificate and private key are installed under a given alias:
AppUriAuthenticationPolicy .
|
boolean
|
hasLockdownAdminConfiguredNetworks(ComponentName admin)
Called by a device owner or a profile owner of an organization-owned managed profile to determine whether the user is prevented from modifying networks configured by the admin. |
boolean
|
installCaCert(ComponentName admin, byte[] certBuffer)
Installs the given certificate as a user CA. |
boolean
|
installExistingPackage(ComponentName admin, String packageName)
Install an existing package that has been installed in another user, or has been kept after
removal via |
boolean
|
installKeyPair(ComponentName admin, PrivateKey privKey, Certificate[] certs, String alias, int flags)
This API can be called by the following to install a certificate chain and corresponding private key for the leaf certificate:
|
boolean
|
installKeyPair(ComponentName admin, PrivateKey privKey, Certificate[] certs, String alias, boolean requestAccess)
This API can be called by the following to install a certificate chain and corresponding private key for the leaf certificate:
|
boolean
|
installKeyPair(ComponentName admin, PrivateKey privKey, Certificate cert, String alias)
This API can be called by the following to install a certificate and corresponding private key:
|
void
|
installSystemUpdate(ComponentName admin, Uri updateFilePath, Executor executor, DevicePolicyManager.InstallSystemUpdateCallback callback)
Called by device owner or profile owner of an organization-owned managed profile to install a system update from the given file. |
boolean
|
isActivePasswordSufficient()
Determines whether the calling user's current password meets policy requirements (e.g. quality, minimum length). |
boolean
|
isActivePasswordSufficientForDeviceRequirement()
Called by profile owner of a managed profile to determine whether the current device password meets policy requirements set explicitly device-wide. |
boolean
|
isAdminActive(ComponentName admin)
Return true if the given administrator component is currently active (enabled) in the system. |
boolean
|
isAffiliatedUser()
Returns whether this user is affiliated with the device. |
boolean
|
isAlwaysOnVpnLockdownEnabled(ComponentName admin)
Called by device or profile owner to query whether current always-on VPN is configured in lockdown mode. |
boolean
|
isApplicationHidden(ComponentName admin, String packageName)
Determine if a package is hidden. |
boolean
|
isBackupServiceEnabled(ComponentName admin)
Return whether the backup service is enabled by the device owner or profile owner for the
current user, as previously set by |
boolean
|
isCallerApplicationRestrictionsManagingPackage()
This method was deprecated
in API level 26.
From |
boolean
|
isCommonCriteriaModeEnabled(ComponentName admin)
Returns whether Common Criteria mode is currently enabled. |
boolean
|
isComplianceAcknowledgementRequired()
Called by a profile owner of an organization-owned managed profile to query whether it needs to acknowledge device compliance to allow the user to turn the profile off if needed according to the maximum profile time off policy. |
boolean
|
isDeviceFinanced()
Returns |
boolean
|
isDeviceIdAttestationSupported()
Returns |
boolean
|
isDeviceOwnerApp(String packageName)
Used to determine if a particular package has been registered as a Device Owner app. |
boolean
|
isEphemeralUser(ComponentName admin)
Checks if the profile owner is running in an ephemeral user. |
boolean
|
isKeyPairGrantedToWifiAuth(String alias)
Called by a device or profile owner, or delegated certificate chooser (an app that has been
delegated the |
boolean
|
isLockTaskPermitted(String pkg)
This function lets the caller know whether the given component is allowed to start the lock task mode. |
boolean
|
isLogoutEnabled()
Returns whether logout is enabled by a device owner. |
boolean
|
isManagedProfile(ComponentName admin)
Return if this user is a managed profile of another user. |
boolean
|
isMasterVolumeMuted(ComponentName admin)
Called by profile or device owners to check whether the global volume mute is on or off. |
static
boolean
|
isMtePolicyEnforced()
Get the current MTE state of the device. |
boolean
|
isNetworkLoggingEnabled(ComponentName admin)
Return whether network logging is enabled by a device owner or profile owner of a managed profile. |
boolean
|
isOrganizationOwnedDeviceWithManagedProfile()
Apps can use this method to find out if the device was provisioned as organization-owend device with a managed profile. |
boolean
|
isOverrideApnEnabled(ComponentName admin)
Called by device owner to check if override APNs are currently enabled. |
boolean
|
isPackageSuspended(ComponentName admin, String packageName)
Determine if a package is suspended. |
boolean
|
isPreferentialNetworkServiceEnabled()
Indicates whether preferential network service is enabled. |
boolean
|
isProfileOwnerApp(String packageName)
Used to determine if a particular package is registered as the profile owner for the user. |
boolean
|
isProvisioningAllowed(String action)
Returns whether it is possible for the caller to initiate provisioning of a managed profile or device, setting itself as the device or profile owner. |
boolean
|
isResetPasswordTokenActive(ComponentName admin)
Called by a profile, device owner or a holder of the permission
|
boolean
|
isSafeOperation(int reason)
Checks if it's safe to run operations that can be affected by the given |
boolean
|
isSecurityLoggingEnabled(ComponentName admin)
Return whether security logging is enabled or not by the admin. |
boolean
|
isStatusBarDisabled()
Returns whether the status bar is disabled/enabled, see |
boolean
|
isUninstallBlocked(ComponentName admin, String packageName)
Check whether the user has been blocked by device policy from uninstalling a package. |
boolean
|
isUniqueDeviceAttestationSupported()
Returns |
boolean
|
isUsbDataSignalingEnabled()
Returns whether USB data signaling is currently enabled. |
boolean
|
isUsingUnifiedPassword(ComponentName admin)
When called by a profile owner of a managed profile returns true if the profile uses unified challenge with its parent user. |
List<UserHandle>
|
listForegroundAffiliatedUsers()
Gets the list of |
void
|
lockNow()
Make the device lock immediately, as if the lock screen timeout has expired at the point of this call. |
void
|
lockNow(int flags)
Make the device lock immediately, as if the lock screen timeout has expired at the point of this call. |
int
|
logoutUser(ComponentName admin)
Called by a profile owner of secondary user that is affiliated with the device to stop the
calling user and switch back to primary user (when the user was
|
void
|
reboot(ComponentName admin)
Called by device owner to reboot the device. |
void
|
removeActiveAdmin(ComponentName admin)
Remove a current administration component. |
boolean
|
removeCrossProfileWidgetProvider(ComponentName admin, String packageName)
Called by the profile owner of a managed profile or a holder of the permission
|
boolean
|
removeKeyPair(ComponentName admin, String alias)
This API can be called by the following to remove a certificate and private key pair installed under a given alias:
From Android |
boolean
|
removeOverrideApn(ComponentName admin, int apnId)
Called by device owner or managed profile owner to remove an override APN. |
boolean
|
removeUser(ComponentName admin, UserHandle userHandle)
Called by a device owner to remove a user/profile and all associated data. |
boolean
|
requestBugreport(ComponentName admin)
Called by a device owner to request a bugreport. |
boolean
|
resetPassword(String password, int flags)
This method was deprecated
in API level 30.
Please use |
boolean
|
resetPasswordWithToken(ComponentName admin, String password, byte[] token, int flags)
Called by device or profile owner to force set a new device unlock password or a managed profile challenge on current user. |
List<NetworkEvent>
|
retrieveNetworkLogs(ComponentName admin, long batchToken)
Called by device owner, profile owner of a managed profile or delegated app with
|
List<SecurityLog.SecurityEvent>
|
retrievePreRebootSecurityLogs(ComponentName admin)
Called by device owner or profile owner of an organization-owned managed profile to retrieve device logs from before the device's last reboot. |
List<SecurityLog.SecurityEvent>
|
retrieveSecurityLogs(ComponentName admin)
Called by device owner or profile owner of an organization-owned managed profile to retrieve all new security logging entries since the last call to this API after device boots. |
boolean
|
revokeKeyPairFromApp(ComponentName admin, String alias, String packageName)
Called by a device or profile owner, or delegated certificate chooser (an app that has been
delegated the |
boolean
|
revokeKeyPairFromWifiAuth(String alias)
Called by a device or profile owner, or delegated certificate chooser (an app that has been
delegated the |
void
|
setAccountManagementDisabled(ComponentName admin, String accountType, boolean disabled)
Called by a device owner or profile owner to disable account management for a specific type of account. |
void
|
setAffiliationIds(ComponentName admin, Set<String> ids)
Indicates the entity that controls the device. |
void
|
setAlwaysOnVpnPackage(ComponentName admin, String vpnPackage, boolean lockdownEnabled)
Called by a device or profile owner to configure an always-on VPN connection through a specific application for the current user. |
void
|
setAlwaysOnVpnPackage(ComponentName admin, String vpnPackage, boolean lockdownEnabled, Set<String> lockdownAllowlist)
A version of |
void
|
setAppFunctionsPolicy(int policy)
Sets the |
boolean
|
setApplicationHidden(ComponentName admin, String packageName, boolean hidden)
Hide or unhide packages. |
void
|
setApplicationRestrictions(ComponentName admin, String packageName, Bundle settings)
Sets the application restrictions for a given target application running in the calling user. |
void
|
setApplicationRestrictionsManagingPackage(ComponentName admin, String packageName)
This method was deprecated
in API level 26.
From |
void
|
setAutoTimeEnabled(ComponentName admin, boolean enabled)
Called by a device owner, a profile owner for the primary user or a profile owner of an organization-owned managed profile to turn auto time on and off. |
void
|
setAutoTimePolicy(int policy)
Called by a device owner, a profile owner for the primary user or a profile owner of an organization-owned managed profile to turn auto time on and off i.e. |
void
|
setAutoTimeRequired(ComponentName admin, boolean required)
This method was deprecated
in API level 30.
From |
void
|
setAutoTimeZoneEnabled(ComponentName admin, boolean enabled)
Called by a device owner, a profile owner for the primary user or a profile owner of an organization-owned managed profile to turn auto time zone on and off. |
void
|
setAutoTimeZonePolicy(int policy)
Called by a device owner, a profile owner for the primary user or a profile owner of an organization-owned managed profile to turn auto time zone on and off. |
void
|
setBackupServiceEnabled(ComponentName admin, boolean enabled)
Allows the device owner or profile owner to enable or disable the backup service. |
void
|
setBluetoothContactSharingDisabled(ComponentName admin, boolean disabled)
Called by a profile owner of a managed profile to set whether bluetooth devices can access enterprise contacts. |
void
|
setCameraDisabled(ComponentName admin, boolean disabled)
Called by an application that is administering the device to disable all cameras on the device, for this user. |
void
|
setCertInstallerPackage(ComponentName admin, String installerPackage)
This method was deprecated
in API level 26.
From |
void
|
setCommonCriteriaModeEnabled(ComponentName admin, boolean enabled)
Called by device owner or profile owner of an organization-owned managed profile to toggle Common Criteria mode for the device. |
void
|
setConfiguredNetworksLockdownState(ComponentName admin, boolean lockdown)
Called by a device owner or a profile owner of an organization-owned managed profile to control whether the user can change networks configured by the admin. |
void
|
setContentProtectionPolicy(ComponentName admin, int policy)
Sets the content protection policy which controls scanning for deceptive apps. |
void
|
setCredentialManagerPolicy(PackagePolicy policy)
Called by a device owner or profile owner of a managed profile to set the credential manager policy. |
void
|
setCrossProfileCalendarPackages(ComponentName admin, Set<String> packageNames)
This method was deprecated
in API level 34.
Use |
void
|
setCrossProfileCallerIdDisabled(ComponentName admin, boolean disabled)
This method was deprecated
in API level 34.
starting with |
void
|
setCrossProfileContactsSearchDisabled(ComponentName admin, boolean disabled)
This method was deprecated
in API level 34.
From |
void
|
setCrossProfilePackages(ComponentName admin, Set<String> packageNames)
Sets the set of admin-allowlisted package names that are allowed to request user consent for cross-profile communication. |
void
|
setDefaultDialerApplication(String packageName)
Must be called by a device owner or a profile owner of an organization-owned managed profile to set the default dialer application for the calling user. |
void
|
setDefaultSmsApplication(ComponentName admin, String packageName)
Must be called by a device owner or a profile owner of an organization-owned managed profile to set the default SMS application. |
void
|
setDelegatedScopes(ComponentName admin, String delegatePackage, List<String> scopes)
Called by a profile owner or device owner to grant access to privileged APIs to another app. |
void
|
setDeviceOwnerLockScreenInfo(ComponentName admin, CharSequence info)
Sets the device owner information to be shown on the lock screen. |
void
|
setEndUserSessionMessage(ComponentName admin, CharSequence endUserSessionMessage)
Called by a device owner to specify the user session end message. |
void
|
setFactoryResetProtectionPolicy(ComponentName admin, FactoryResetProtectionPolicy policy)
Callable by device owner or profile owner of an organization-owned device, to set a factory reset protection (FRP) policy. |
int
|
setGlobalPrivateDnsModeOpportunistic(ComponentName admin)
Sets the global Private DNS mode to opportunistic. |
int
|
setGlobalPrivateDnsModeSpecifiedHost(ComponentName admin, String privateDnsHost)
Sets the global Private DNS host to be used. |
void
|
setGlobalSetting(ComponentName admin, String setting, String value)
This method is mostly deprecated. |
void
|
setKeepUninstalledPackages(ComponentName admin, List<String> packageNames)
Set a list of apps to keep around as APKs even if no user has currently installed it. |
boolean
|
setKeyPairCertificate(ComponentName admin, String alias, List<Certificate> certs, boolean isUserSelectable)
This API can be called by the following to associate certificates with a key pair that was
generated using
From Android |
boolean
|
setKeyguardDisabled(ComponentName admin, boolean disabled)
Called by a device owner or profile owner of secondary users that is affiliated with the device to disable the keyguard altogether. |
void
|
setKeyguardDisabledFeatures(ComponentName admin, int which)
Called by an application that is administering the device to disable keyguard customizations, such as widgets. |
void
|
setLocationEnabled(ComponentName admin, boolean locationEnabled)
Called by device owners to set the user's global location setting. |
void
|
setLockTaskFeatures(ComponentName admin, int flags)
Sets which system features are enabled when the device runs in lock task mode. |
void
|
setLockTaskPackages(ComponentName admin, String[] packages)
Sets which packages may enter lock task mode. |
void
|
setLogoutEnabled(ComponentName admin, boolean enabled)
Called by a device owner to specify whether logout is enabled for all secondary users. |
void
|
setLongSupportMessage(ComponentName admin, CharSequence message)
Called by a device admin to set the long support message. |
void
|
setManagedProfileCallerIdAccessPolicy(PackagePolicy policy)
Called by a profile owner of a managed profile to set the packages that are allowed to lookup contacts in the managed profile based on caller id information. |
void
|
setManagedProfileContactsAccessPolicy(PackagePolicy policy)
Called by a profile owner of a managed profile to set the packages that are allowed access to the managed profile contacts from the parent user. |
void
|
setManagedProfileMaximumTimeOff(ComponentName admin, long timeoutMillis)
Called by a profile owner of an organization-owned managed profile to set maximum time the profile is allowed to be turned off. |
void
|
setManagedSubscriptionsPolicy(ManagedSubscriptionsPolicy policy)
Called by a profile owner of an organization-owned device to specify Managed subscriptions policy controls how SIMs would be associated with the managed profile. |
void
|
setMasterVolumeMuted(ComponentName admin, boolean on)
Called by profile or device owners to set the global volume mute on or off. |
void
|
setMaximumFailedPasswordsForWipe(ComponentName admin, int num)
Setting this to a value greater than zero enables a policy that will perform a device or profile wipe after too many incorrect device-unlock passwords have been entered. |
void
|
setMaximumTimeToLock(ComponentName admin, long timeMs)
Called by an application that is administering the device to set the maximum time for user activity until the device will lock. |
List<String>
|
setMeteredDataDisabledPackages(ComponentName admin, List<String> packageNames)
Called by a device or profile owner to restrict packages from using metered data. |
void
|
setMinimumRequiredWifiSecurityLevel(int level)
Called by device owner or profile owner of an organization-owned managed profile to specify the minimum security level required for Wi-Fi networks. |
void
|
setMtePolicy(int policy)
Called by a device owner, profile owner of an organization-owned device, to set the Memory Tagging Extension (MTE) policy. |
void
|
setNearbyAppStreamingPolicy(int policy)
Called by a device/profile owner to set nearby app streaming policy. |
void
|
setNearbyNotificationStreamingPolicy(int policy)
Called by a device/profile owner to set nearby notification streaming policy. |
void
|
setNetworkLoggingEnabled(ComponentName admin, boolean enabled)
Called by a device owner, profile owner of a managed profile or delegated app with
|
void
|
setOrganizationColor(ComponentName admin, int color)
This method was deprecated
in API level 31.
From |
void
|
setOrganizationId(String enterpriseId)
Sets the Enterprise ID for the work profile or managed device. |
void
|
setOrganizationName(ComponentName admin, CharSequence title)
Called by the device owner (since API 26) or profile owner (since API 24) to set the name of the organization under management. |
void
|
setOverrideApnsEnabled(ComponentName admin, boolean enabled)
Called by device owner to set if override APNs should be enabled. |
String[]
|
setPackagesSuspended(ComponentName admin, String[] packageNames, boolean suspended)
Called by device or profile owners to suspend packages for this user. |
void
|
setPasswordExpirationTimeout(ComponentName admin, long timeout)
Called by a device admin to set the password expiration timeout. |
void
|
setPasswordHistoryLength(ComponentName admin, int length)
Called by an application that is administering the device to set the length of the password history. |
void
|
setPasswordMinimumLength(ComponentName admin, int length)
This method was deprecated
in API level 31.
see |
void
|
setPasswordMinimumLetters(ComponentName admin, int length)
This method was deprecated
in API level 31.
see |
void
|
setPasswordMinimumLowerCase(ComponentName admin, int length)
This method was deprecated
in API level 31.
see |
void
|
setPasswordMinimumNonLetter(ComponentName admin, int length)
This method was deprecated
in API level 31.
see |
void
|
setPasswordMinimumNumeric(ComponentName admin, int length)
This method was deprecated
in API level 31.
see |
void
|
setPasswordMinimumSymbols(ComponentName admin, int length)
This method was deprecated
in API level 31.
see |
void
|
setPasswordMinimumUpperCase(ComponentName admin, int length)
This method was deprecated
in API level 31.
see |
void
|
setPasswordQuality(ComponentName admin, int quality)
This method was deprecated
in API level 31.
Prefer using |
boolean
|
setPermissionGrantState(ComponentName admin, String packageName, String permission, int grantState)
Sets the grant state of a runtime permission for a specific application. |
void
|
setPermissionPolicy(ComponentName admin, int policy)
Set the default response for future runtime permission requests by applications. |
boolean
|
setPermittedAccessibilityServices(ComponentName admin, List<String> packageNames)
Called by a profile or device owner to set the permitted
|
boolean
|
setPermittedCrossProfileNotificationListeners(ComponentName admin, List<String> packageList)
Called by a profile owner of a managed profile to set the packages that are allowed to use
a |
boolean
|
setPermittedInputMethods(ComponentName admin, List<String> packageNames)
Called by a profile or device owner or holder of the
|
void
|
setPersonalAppsSuspended(ComponentName admin, boolean suspended)
Called by a profile owner of an organization-owned managed profile to suspend personal apps on the device. |
void
|
setPreferentialNetworkServiceConfigs(List<PreferentialNetworkServiceConfig> preferentialNetworkServiceConfigs)
Sets preferential network configurations. |
void
|
setPreferentialNetworkServiceEnabled(boolean enabled)
Sets whether preferential network service is enabled. |
void
|
setProfileEnabled(ComponentName admin)
Sets the enabled state of the profile. |
void
|
setProfileName(ComponentName admin, String profileName)
Sets the name of the profile. |
void
|
setRecommendedGlobalProxy(ComponentName admin, ProxyInfo proxyInfo)
Set a network-independent global HTTP proxy. |
void
|
setRequiredPasswordComplexity(int passwordComplexity)
Sets a minimum password complexity requirement for the user's screen lock. |
void
|
setRequiredStrongAuthTimeout(ComponentName admin, long timeoutMs)
Called by a device/profile owner to set the timeout after which unlocking with secondary, non strong auth (e.g. fingerprint, face, trust agents) times out, i.e. |
boolean
|
setResetPasswordToken(ComponentName admin, byte[] token)
Called by a profile or device owner to provision a token which can later be used to reset the
device lockscreen password (if called by device owner), or managed profile challenge (if
called by profile owner), via |
void
|
setRestrictionsProvider(ComponentName admin, ComponentName provider)
Designates a specific service component as the provider for making permission requests of a local or remote administrator of the user. |
void
|
setScreenCaptureDisabled(ComponentName admin, boolean disabled)
Called by a device/profile owner to set whether the screen capture is disabled. |
void
|
setSecureSetting(ComponentName admin, String setting, String value)
This method is mostly deprecated. |
void
|
setSecurityLoggingEnabled(ComponentName admin, boolean enabled)
Called by device owner or a profile owner of an organization-owned managed profile to control the security logging feature. |
void
|
setShortSupportMessage(ComponentName admin, CharSequence message)
Called by a device admin to set the short support message. |
void
|
setStartUserSessionMessage(ComponentName admin, CharSequence startUserSessionMessage)
Called by a device owner to specify the user session start message. |
boolean
|
setStatusBarDisabled(ComponentName admin, boolean disabled)
Called by device owner or profile owner of secondary users that is affiliated with the device to disable the status bar. |
int
|
setStorageEncryption(ComponentName admin, boolean encrypt)
This method was deprecated
in API level 30.
This method does not actually modify the storage encryption of the device.
It has never affected the encryption status of a device.
Called by an application that is administering the device to request that the storage system
be encrypted. Does nothing if the caller is on a secondary user or a managed profile.
When multiple device administrators attempt to control device encryption, the most secure,
supported setting will always be used. If any device administrator requests device
encryption, it will be enabled; Conversely, if a device administrator attempts to disable
device encryption while another device administrator has enabled it, the call to disable will
fail (most commonly returning
This policy controls encryption of the secure (application data) storage area. Data written
to other storage areas may or may not be encrypted, and this policy does not require or
control the encryption of any other storage areas. There is one exception: If
Important Note: On some devices, it is possible to encrypt storage without requiring the user
to create a device PIN or Password. In this case, the storage is encrypted, but the
encryption key may not be fully secured. For maximum security, the administrator should also
require (and check for) a pattern, PIN, or password. |
void
|
setSystemSetting(ComponentName admin, String setting, String value)
Called by a device or profile owner to update |
void
|
setSystemUpdatePolicy(ComponentName admin, SystemUpdatePolicy policy)
Called by device owners or profile owners of an organization-owned managed profile to set a local system update policy. |
boolean
|
setTime(ComponentName admin, long millis)
Called by a device owner or a profile owner of an organization-owned managed profile to set the system wall clock time. |
boolean
|
setTimeZone(ComponentName admin, String timeZone)
Called by a device owner or a profile owner of an organization-owned managed profile to set the system's persistent default time zone. |
void
|
setTrustAgentConfiguration(ComponentName admin, ComponentName target, PersistableBundle configuration)
Sets a list of configuration features to enable for a trust agent component. |
void
|
setUninstallBlocked(ComponentName admin, String packageName, boolean uninstallBlocked)
Change whether a user can uninstall a package. |
void
|
setUsbDataSignalingEnabled(boolean enabled)
Called by a device owner or profile owner of an organization-owned managed profile to enable or disable USB data signaling for the device. |
void
|
setUserControlDisabledPackages(ComponentName admin, List<String> packages)
Called by a device owner or a profile owner or holder of the permission
|
void
|
setUserIcon(ComponentName admin, Bitmap icon)
Called by profile or device owners to set the user's photo. |
void
|
setWifiSsidPolicy(WifiSsidPolicy policy)
Called by device owner or profile owner of an organization-owned managed profile to
specify the Wi-Fi SSID policy ( |
int
|
startUserInBackground(ComponentName admin, UserHandle userHandle)
Called by a device owner to start the specified secondary user in background. |
int
|
stopUser(ComponentName admin, UserHandle userHandle)
Called by a device owner to stop the specified secondary user. |
boolean
|
switchUser(ComponentName admin, UserHandle userHandle)
Called by a device owner to switch the specified secondary user to the foreground. |
void
|
transferOwnership(ComponentName admin, ComponentName target, PersistableBundle bundle)
Changes the current administrator to another one. |
void
|
uninstallAllUserCaCerts(ComponentName admin)
Uninstalls all custom trusted CA certificates from the profile. |
void
|
uninstallCaCert(ComponentName admin, byte[] certBuffer)
Uninstalls the given certificate from trusted user CAs, if present. |
boolean
|
updateOverrideApn(ComponentName admin, int apnId, ApnSetting apnSetting)
Called by device owner or managed profile owner to update an override APN. |
void
|
wipeData(int flags, CharSequence reason)
Ask that all user data be wiped. |
void
|
wipeData(int flags)
|
void
|
wipeDevice(int flags)
Ask that the device be wiped and factory reset. |
Inherited methods | |
---|---|
Constants
ACTION_ADD_DEVICE_ADMIN
public static final String ACTION_ADD_DEVICE_ADMIN
Activity action: ask the user to add a new device administrator to the system.
The desired policy is the ComponentName of the policy in the
EXTRA_DEVICE_ADMIN
extra field. This will invoke a UI to
bring the user through adding the device administrator to the system (or
allowing them to reject it).
You can optionally include the EXTRA_ADD_EXPLANATION
field to provide the user with additional explanation (in addition
to your component's description) about what is being added.
If your administrator is already active, this will ordinarily return immediately (without user intervention). However, if your administrator has been updated and is requesting additional uses-policy flags, the user will be presented with the new list. New policies will not be available to the updated administrator until the user has accepted the new list.
Constant Value: "android.app.action.ADD_DEVICE_ADMIN"
ACTION_ADMIN_POLICY_COMPLIANCE
public static final String ACTION_ADMIN_POLICY_COMPLIANCE
Activity action: Starts the administrator to show policy compliance for the provisioning.
This action is used any time that the administrator has an opportunity to show policy
compliance before the end of setup wizard. This could happen as part of the admin-integrated
provisioning flow (in which case this gets sent after ACTION_GET_PROVISIONING_MODE
),
or it could happen during provisioning finalization if the administrator supports
finalization during setup wizard.
Intents with this action may also be supplied with the EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
extra.
See also:
Constant Value: "android.app.action.ADMIN_POLICY_COMPLIANCE"
ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED
public static final String ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED
Broadcast Action: Sent after application delegation scopes are changed. The new delegation
scopes will be sent in an ArrayList<String>
extra identified by the
EXTRA_DELEGATION_SCOPES
key.
Note: This is a protected intent that can only be sent by the system.
Constant Value: "android.app.action.APPLICATION_DELEGATION_SCOPES_CHANGED"
ACTION_CHECK_POLICY_COMPLIANCE
public static final String ACTION_CHECK_POLICY_COMPLIANCE
Activity action: launch the DPC to check policy compliance. This intent is launched when the user taps on the notification about personal apps suspension. When handling this intent the DPC must check if personal apps should still be suspended and either unsuspend them or instruct the user on how to resolve the noncompliance causing the suspension.
Constant Value: "android.app.action.CHECK_POLICY_COMPLIANCE"
ACTION_DEVICE_ADMIN_SERVICE
public static final String ACTION_DEVICE_ADMIN_SERVICE
Service action: Action for a service that device owner and profile owner can optionally
own. If a device owner or a profile owner has such a service, the system tries to keep
a bound connection to it, in order to keep their process always running.
The service must be protected with the Manifest.permission.BIND_DEVICE_ADMIN
permission.
Constant Value: "android.app.action.DEVICE_ADMIN_SERVICE"
ACTION_DEVICE_FINANCING_STATE_CHANGED
public static final String ACTION_DEVICE_FINANCING_STATE_CHANGED
Broadcast Action: Broadcast sent to indicate that the device financing state has changed.
This occurs when, for example, a financing kiosk app has been added or removed.
To query the current device financing state see isDeviceFinanced()
.
This will be delivered to the following apps if they include a receiver for this action in their manifest:
- Device owner admins.
- Organization-owned profile owner admins
- The supervision app
- The device management role holder
Constant Value: "android.app.admin.action.DEVICE_FINANCING_STATE_CHANGED"
ACTION_DEVICE_OWNER_CHANGED
public static final String ACTION_DEVICE_OWNER_CHANGED
Broadcast action: sent when the device owner is set, changed or cleared. This broadcast is sent only to the primary user.
See also:
Constant Value: "android.app.action.DEVICE_OWNER_CHANGED"
ACTION_DEVICE_POLICY_RESOURCE_UPDATED
public static final String ACTION_DEVICE_POLICY_RESOURCE_UPDATED
Broadcast action: notify system apps (e.g. settings, SysUI, etc) that the device management
resources with IDs EXTRA_RESOURCE_IDS
has been updated, the updated resources can be
retrieved using DevicePolicyResourcesManager.getDrawable
and
DevicePolicyResourcesManager.getString
.
This broadcast is sent to registered receivers only.
EXTRA_RESOURCE_TYPE
will be included to identify the type of resource being
updated.
Constant Value: "android.app.action.DEVICE_POLICY_RESOURCE_UPDATED"
ACTION_GET_PROVISIONING_MODE
public static final String ACTION_GET_PROVISIONING_MODE
Activity action: Starts the administrator to get the mode for the provisioning. This intent may contain the following extras:
EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
EXTRA_PROVISIONING_IMEI
EXTRA_PROVISIONING_SERIAL_NUMBER
EXTRA_PROVISIONING_ALLOWED_PROVISIONING_MODES
EXTRA_PROVISIONING_SENSORS_PERMISSION_GRANT_OPT_OUT
The target activity should return one of the following values in
EXTRA_PROVISIONING_MODE
as result:
If performing fully-managed device provisioning and the admin app desires to show its
own education screens, the target activity can additionally return
EXTRA_PROVISIONING_SKIP_EDUCATION_SCREENS
set to true
.
The target activity may also return the account that needs to be migrated from primary
user to managed profile in case of a profile owner provisioning in
EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
as result.
The target activity may also include the EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
extra in the intent result. The values of this PersistableBundle
will be
sent as an intent extra of the same name to the ACTION_ADMIN_POLICY_COMPLIANCE
activity, along with the values of the EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
extra
that are already supplied to this activity.
Other extras the target activity may include in the intent result:
EXTRA_PROVISIONING_DISCLAIMERS
EXTRA_PROVISIONING_SKIP_ENCRYPTION
EXTRA_PROVISIONING_KEEP_SCREEN_ON
EXTRA_PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION
for work profile provisioningEXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
for work profile provisioningEXTRA_PROVISIONING_SENSORS_PERMISSION_GRANT_OPT_OUT
for fully-managed device provisioningEXTRA_PROVISIONING_LOCALE
for fully-managed device provisioningEXTRA_PROVISIONING_LOCAL_TIME
for fully-managed device provisioningEXTRA_PROVISIONING_TIME_ZONE
for fully-managed device provisioning
See also:
Constant Value: "android.app.action.GET_PROVISIONING_MODE"
ACTION_MANAGED_PROFILE_PROVISIONED
public static final String ACTION_MANAGED_PROFILE_PROVISIONED
Broadcast Action: This broadcast is sent to indicate that provisioning of a managed profile has completed successfully.
The broadcast is limited to the primary profile, to the app specified in the provisioning
intent with action ACTION_PROVISION_MANAGED_PROFILE
.
This intent will contain the following extras
Intent.EXTRA_USER
, corresponds to theUserHandle
of the managed profile.EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
, corresponds to the account requested to be migrated at provisioning time, if any.
Constant Value: "android.app.action.MANAGED_PROFILE_PROVISIONED"
ACTION_PROFILE_OWNER_CHANGED
public static final String ACTION_PROFILE_OWNER_CHANGED
Broadcast action: sent when the profile owner is set, changed or cleared. This broadcast is sent only to the user managed by the new profile owner.
Constant Value: "android.app.action.PROFILE_OWNER_CHANGED"
ACTION_PROVISIONING_SUCCESSFUL
public static final String ACTION_PROVISIONING_SUCCESSFUL
Activity action: This activity action is sent to indicate that provisioning of a managed
profile or managed device has completed successfully. It'll be sent at the same time as
DeviceAdminReceiver.ACTION_PROFILE_PROVISIONING_COMPLETE
broadcast but this will be
delivered faster as it's an activity intent.
The intent is only sent to the new device or profile owner.
Constant Value: "android.app.action.PROVISIONING_SUCCESSFUL"
ACTION_PROVISION_MANAGED_DEVICE
public static final String ACTION_PROVISION_MANAGED_DEVICE
This constant was deprecated
in API level 31.
to support Build.VERSION_CODES.S
and later, admin apps must
implement activities with intent filters for the ACTION_GET_PROVISIONING_MODE
and
ACTION_ADMIN_POLICY_COMPLIANCE
intent actions; using ACTION_PROVISION_MANAGED_DEVICE
to start provisioning will cause the provisioning to fail;
to additionally support pre-Build.VERSION_CODES.S
, admin apps must also
continue to use this constant.
Activity action: Starts the provisioning flow which sets up a managed device.
Must be started with Activity.startActivityForResult(Intent, int)
.
During device owner provisioning a device admin app is set as the owner of the device. A device owner has full control over the device. The device owner can not be modified by the user.
A typical use case would be a device that is owned by a company, but used by either an employee or client.
An intent with this action can be sent only on an unprovisioned device.
It is possible to check if provisioning is allowed or not by querying the method
isProvisioningAllowed(java.lang.String)
.
The intent contains the following extras:
EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
EXTRA_PROVISIONING_SKIP_ENCRYPTION
, optionalEXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
, optionalEXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
, optionalEXTRA_PROVISIONING_LOGO_URI
, optionalEXTRA_PROVISIONING_DISCLAIMERS
, optionalEXTRA_PROVISIONING_SKIP_EDUCATION_SCREENS
, optional
When device owner provisioning has completed, an intent of the type
DeviceAdminReceiver.ACTION_PROFILE_PROVISIONING_COMPLETE
is broadcast to the
device owner.
From version Build.VERSION_CODES.O
, when device owner provisioning has
completed, along with the above broadcast, activity intent
ACTION_PROVISIONING_SUCCESSFUL
will also be sent to the device owner.
If provisioning fails, the device is factory reset.
A result code of Activity.RESULT_OK
implies that the synchronous part
of the provisioning flow was successful, although this doesn't guarantee the full flow will
succeed. Conversely a result code of Activity.RESULT_CANCELED
implies
that the user backed-out of provisioning, or some precondition for provisioning wasn't met.
Constant Value: "android.app.action.PROVISION_MANAGED_DEVICE"
ACTION_PROVISION_MANAGED_PROFILE
public static final String ACTION_PROVISION_MANAGED_PROFILE
Activity action: Starts the provisioning flow which sets up a managed profile.
It is possible to check if provisioning is allowed or not by querying the method
isProvisioningAllowed(java.lang.String)
.
The intent may contain the following extras:
Extra | Supported Versions | |
---|---|---|
EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE |
||
EXTRA_PROVISIONING_SKIP_ENCRYPTION |
Build.VERSION_CODES.N + |
|
EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE |
||
EXTRA_PROVISIONING_LOGO_URI |
||
EXTRA_PROVISIONING_SKIP_USER_CONSENT |
Can only be used by an existing device owner trying to create a managed profile | |
EXTRA_PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION |
||
EXTRA_PROVISIONING_DISCLAIMERS |
||
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME |
Required if EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME is not
specified. Must match the package name of the calling application.
|
Build.VERSION_CODES.LOLLIPOP + |
EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME |
Required if EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME is not
specified. Package name must match the package name of the calling
application.
|
Build.VERSION_CODES.M + |
EXTRA_PROVISIONING_ALLOW_OFFLINE |
On Build.VERSION_CODES.TIRAMISU +, when set to
true this will force offline provisioning instead of allowing it |
When managed provisioning has completed, broadcasts
are sent to the application specified in the provisioning intent. The
DeviceAdminReceiver.ACTION_PROFILE_PROVISIONING_COMPLETE
broadcast is sent in the
managed profile and the ACTION_MANAGED_PROFILE_PROVISIONED
broadcast is sent in
the primary profile.
From version Build.VERSION_CODES.O
, when managed provisioning has
completed, along with the above broadcast, activity intent
ACTION_PROVISIONING_SUCCESSFUL
will also be sent to the profile owner.
If provisioning fails, the managed profile is removed so the device returns to its previous state.
If launched with Activity.startActivityForResult(Intent, int)
a
result code of Activity.RESULT_OK
indicates that the synchronous part of
the provisioning flow was successful, although this doesn't guarantee the full flow will
succeed. Conversely a result code of Activity.RESULT_CANCELED
indicates
that the user backed-out of provisioning or some precondition for provisioning wasn't met.
If a device policy management role holder updater is present on the device, an internet connection attempt must be made prior to launching this intent.
Constant Value: "android.app.action.PROVISION_MANAGED_PROFILE"
ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
public static final String ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
Activity action: have the user enter a new password for the parent profile.
If the intent is launched from within a managed profile, this will trigger
entering a new password for the parent of the profile. The caller can optionally
set EXTRA_DEVICE_PASSWORD_REQUIREMENT_ONLY
to only enforce device-wide
password requirement. In all other cases the behaviour is identical to
ACTION_SET_NEW_PASSWORD
.
Constant Value: "android.app.action.SET_NEW_PARENT_PROFILE_PASSWORD"
ACTION_SET_NEW_PASSWORD
public static final String ACTION_SET_NEW_PASSWORD
Activity action: have the user enter a new password.
For admin apps, this activity should be launched after using setPasswordQuality(android.content.ComponentName, int)
, or setPasswordMinimumLength(android.content.ComponentName, int)
to have the user enter a new password that
meets the current requirements. You can use isActivePasswordSufficient()
to
determine whether you need to have the user select a new password in order to meet the
current constraints. Upon being resumed from this activity, you can check the new
password characteristics to see if they are sufficient.
Non-admin apps can use getPasswordComplexity()
to check the current screen lock
complexity, and use this activity with extra EXTRA_PASSWORD_COMPLEXITY
to suggest
to users how complex the app wants the new screen lock to be. Note that both getPasswordComplexity()
and the extra EXTRA_PASSWORD_COMPLEXITY
require the
calling app to have the permission permission.REQUEST_PASSWORD_COMPLEXITY
.
If the intent is launched from within a managed profile with a profile
owner built against Build.VERSION_CODES.M
or before,
this will trigger entering a new password for the parent of the profile.
For all other cases it will trigger entering a new password for the user
or profile it is launched from.
See also:
Constant Value: "android.app.action.SET_NEW_PASSWORD"
ACTION_START_ENCRYPTION
public static final String ACTION_START_ENCRYPTION
Activity action: begin the process of encrypting data on the device. This activity should
be launched after using setStorageEncryption(ComponentName, boolean)
to request encryption be activated.
After resuming from this activity, use getStorageEncryption(ComponentName)
to check encryption status. However, on some devices this activity may never return, as
it may trigger a reboot and in some cases a complete data wipe of the device.
Constant Value: "android.app.action.START_ENCRYPTION"
ACTION_SYSTEM_UPDATE_POLICY_CHANGED
public static final String ACTION_SYSTEM_UPDATE_POLICY_CHANGED
Broadcast action: notify that a new local system update policy has been set by the device
owner. The new policy can be retrieved by getSystemUpdatePolicy()
.
Constant Value: "android.app.action.SYSTEM_UPDATE_POLICY_CHANGED"
APP_FUNCTIONS_DISABLED
public static final int APP_FUNCTIONS_DISABLED
Indicates that AppFunctionManager
is controlled and
disabled by policy, i.e. no apps in the current user are allowed to expose app functions.
Constant Value: 1 (0x00000001)
APP_FUNCTIONS_DISABLED_CROSS_PROFILE
public static final int APP_FUNCTIONS_DISABLED_CROSS_PROFILE
Indicates that AppFunctionManager
is controlled and
disabled by a policy for cross profile interactions only, i.e. app functions exposed by apps
in the current user can only be invoked within the same user.
This is different from APP_FUNCTIONS_DISABLED
in that it only disables cross
profile interactions (even if the caller has permissions required to interact across users).
appfunctions can still be used within the a user profile boundary.
Constant Value: 2 (0x00000002)
APP_FUNCTIONS_NOT_CONTROLLED_BY_POLICY
public static final int APP_FUNCTIONS_NOT_CONTROLLED_BY_POLICY
Indicates that AppFunctionManager
is not controlled by
policy.
If no admin set this policy, it means appfunctions are enabled.
Constant Value: 0 (0x00000000)
AUTO_TIME_DISABLED
public static final int AUTO_TIME_DISABLED
Specifies the "disabled" auto time state.
Constant Value: 1 (0x00000001)
AUTO_TIME_ENABLED
public static final int AUTO_TIME_ENABLED
Specifies the "enabled" auto time state.
Constant Value: 2 (0x00000002)
AUTO_TIME_NOT_CONTROLLED_BY_POLICY
public static final int AUTO_TIME_NOT_CONTROLLED_BY_POLICY
Specifies that the auto time state is not controlled by device policy.
Constant Value: 0 (0x00000000)
AUTO_TIME_ZONE_DISABLED
public static final int AUTO_TIME_ZONE_DISABLED
Specifies the "disabled" auto time zone state.
See also:
Constant Value: 1 (0x00000001)
AUTO_TIME_ZONE_ENABLED
public static final int AUTO_TIME_ZONE_ENABLED
Specifies the "enabled" auto time zone state.
See also:
Constant Value: 2 (0x00000002)
AUTO_TIME_ZONE_NOT_CONTROLLED_BY_POLICY
public static final int AUTO_TIME_ZONE_NOT_CONTROLLED_BY_POLICY
Specifies that the auto time zone state is not controlled by device policy.
See also:
Constant Value: 0 (0x00000000)
CONTENT_PROTECTION_DISABLED
public static final int CONTENT_PROTECTION_DISABLED
Indicates that content protection is controlled and disabled by a policy (default).
Constant Value: 1 (0x00000001)
CONTENT_PROTECTION_ENABLED
public static final int CONTENT_PROTECTION_ENABLED
Indicates that content protection is controlled and enabled by a policy.
Constant Value: 2 (0x00000002)
CONTENT_PROTECTION_NOT_CONTROLLED_BY_POLICY
public static final int CONTENT_PROTECTION_NOT_CONTROLLED_BY_POLICY
Indicates that content protection is not controlled by policy, allowing user to choose.
Constant Value: 0 (0x00000000)
DELEGATION_APP_RESTRICTIONS
public static final String DELEGATION_APP_RESTRICTIONS
Delegation of application restrictions management. This scope grants access to the
setApplicationRestrictions(ComponentName, String, Bundle)
and getApplicationRestrictions(ComponentName, String)
APIs.
Constant Value: "delegation-app-restrictions"
DELEGATION_BLOCK_UNINSTALL
public static final String DELEGATION_BLOCK_UNINSTALL
Delegation of application uninstall block. This scope grants access to the
setUninstallBlocked(ComponentName, String, boolean)
API.
Constant Value: "delegation-block-uninstall"
DELEGATION_CERT_INSTALL
public static final String DELEGATION_CERT_INSTALL
Delegation of certificate installation and management. This scope grants access to the
getInstalledCaCerts(ComponentName)
, hasCaCertInstalled(ComponentName, byte)
, installCaCert(ComponentName, byte)
,
uninstallCaCert(ComponentName, byte)
, uninstallAllUserCaCerts(ComponentName)
and installKeyPair(ComponentName, PrivateKey, Certificate, String)
APIs.
This scope also grants the ability to read identifiers that the delegating device owner or
profile owner can obtain. See getEnrollmentSpecificId()
.
Constant Value: "delegation-cert-install"
DELEGATION_CERT_SELECTION
public static final String DELEGATION_CERT_SELECTION
Grants access to selection of KeyChain certificates on behalf of requesting apps.
Once granted the app will start receiving
DelegatedAdminReceiver.onChoosePrivateKeyAlias
. The caller (PO/DO) will
no longer receive DeviceAdminReceiver.onChoosePrivateKeyAlias
.
There can be at most one app that has this delegation.
If another app already had delegated certificate selection access,
it will lose the delegation when a new app is delegated.
The delegated app can also call grantKeyPairToApp(ComponentName, String, String)
and
revokeKeyPairFromApp(ComponentName, String, String)
to directly grant KeyChain keys to other apps.
Can be granted by Device Owner or Profile Owner.
Constant Value: "delegation-cert-selection"
DELEGATION_ENABLE_SYSTEM_APP
public static final String DELEGATION_ENABLE_SYSTEM_APP
Delegation for enabling system apps. This scope grants access to the enableSystemApp(ComponentName, Intent)
API.
Constant Value: "delegation-enable-system-app"
DELEGATION_INSTALL_EXISTING_PACKAGE
public static final String DELEGATION_INSTALL_EXISTING_PACKAGE
Delegation for installing existing packages. This scope grants access to the
installExistingPackage(ComponentName, String)
API.
Constant Value: "delegation-install-existing-package"
DELEGATION_KEEP_UNINSTALLED_PACKAGES
public static final String DELEGATION_KEEP_UNINSTALLED_PACKAGES
Delegation of management of uninstalled packages. This scope grants access to the
setKeepUninstalledPackages(ComponentName, List)
and getKeepUninstalledPackages(ComponentName)
APIs.
Constant Value: "delegation-keep-uninstalled-packages"
DELEGATION_NETWORK_LOGGING
public static final String DELEGATION_NETWORK_LOGGING
Grants access to setNetworkLoggingEnabled(ComponentName, boolean)
, isNetworkLoggingEnabled(ComponentName)
and
retrieveNetworkLogs(ComponentName, long)
. Once granted the delegated app will start receiving
DelegatedAdminReceiver.onNetworkLogsAvailable() callback, and Device owner or Profile Owner
will no longer receive the DeviceAdminReceiver.onNetworkLogsAvailable() callback.
There can be at most one app that has this delegation.
If another app already had delegated network logging access,
it will lose the delegation when a new app is delegated.
Device Owner can grant this access since Android 10. Profile Owner of a managed profile can grant this access since Android 12.
Constant Value: "delegation-network-logging"
DELEGATION_PACKAGE_ACCESS
public static final String DELEGATION_PACKAGE_ACCESS
Delegation of package access state. This scope grants access to the
isApplicationHidden(ComponentName, String)
, setApplicationHidden(ComponentName, String, boolean)
, isPackageSuspended(ComponentName, String)
, and
setPackagesSuspended(ComponentName, String, boolean)
APIs.
Constant Value: "delegation-package-access"
DELEGATION_PERMISSION_GRANT
public static final String DELEGATION_PERMISSION_GRANT
Delegation of permission policy and permission grant state. This scope grants access to the
setPermissionPolicy(ComponentName, int)
, getPermissionGrantState(ComponentName, String, String)
,
and setPermissionGrantState(ComponentName, String, String, int)
APIs.
Constant Value: "delegation-permission-grant"
DELEGATION_SECURITY_LOGGING
public static final String DELEGATION_SECURITY_LOGGING
Grants access to setSecurityLoggingEnabled(ComponentName, boolean)
, isSecurityLoggingEnabled(ComponentName)
,
retrieveSecurityLogs(ComponentName)
, and retrievePreRebootSecurityLogs(ComponentName)
. Once granted the
delegated app will start receiving DelegatedAdminReceiver.onSecurityLogsAvailable
callback, and Device owner or Profile Owner will no longer receive the
DeviceAdminReceiver.onSecurityLogsAvailable
callback. There can be at most one app
that has this delegation. If another app already had delegated security logging access, it
will lose the delegation when a new app is delegated.
Can only be granted by Device Owner or Profile Owner of an organization-owned managed profile.
Constant Value: "delegation-security-logging"
ENCRYPTION_STATUS_ACTIVATING
public static final int ENCRYPTION_STATUS_ACTIVATING
This constant was deprecated
in API level 34.
This result code has never actually been used, so there is no reason for apps to
check for it.
Result code for getStorageEncryptionStatus()
: indicating that encryption is not
currently active, but is currently being activated.
Constant Value: 2 (0x00000002)
ENCRYPTION_STATUS_ACTIVE
public static final int ENCRYPTION_STATUS_ACTIVE
Result code for setStorageEncryption(ComponentName, boolean)
and getStorageEncryptionStatus()
:
indicating that encryption is active.
getStorageEncryptionStatus()
can only return this value for apps targeting API level
23 or lower, or on devices that use Full Disk Encryption. Support for Full Disk Encryption
was entirely removed in API level 33, having been replaced by File Based Encryption. The
result code ENCRYPTION_STATUS_ACTIVE_PER_USER
is used on devices that use File Based
Encryption, except when the app targets API level 23 or lower.
setStorageEncryption(ComponentName, boolean)
can still return this value for an unrelated reason, but setStorageEncryption(ComponentName, boolean)
is deprecated since it doesn't do anything useful.
Constant Value: 3 (0x00000003)
ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY
public static final int ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY
Result code for getStorageEncryptionStatus()
: indicating that encryption is active,
but the encryption key is not cryptographically protected by the user's credentials.
This value can only be returned on devices that use Full Disk Encryption. Support for Full Disk Encryption was entirely removed in API level 33, having been replaced by File Based Encryption. With File Based Encryption, each user's credential-encrypted storage is always cryptographically protected by the user's credentials.
Constant Value: 4 (0x00000004)
ENCRYPTION_STATUS_ACTIVE_PER_USER
public static final int ENCRYPTION_STATUS_ACTIVE_PER_USER
Result code for getStorageEncryptionStatus()
:
indicating that encryption is active and the encryption key is tied to the user or profile.
This value is only returned to apps targeting API level 24 and above. For apps targeting
earlier API levels, ENCRYPTION_STATUS_ACTIVE
is returned, even if the
encryption key is specific to the user or profile.
Constant Value: 5 (0x00000005)
ENCRYPTION_STATUS_INACTIVE
public static final int ENCRYPTION_STATUS_INACTIVE
Result code for setStorageEncryption(ComponentName, boolean)
and getStorageEncryptionStatus()
:
indicating that encryption is supported, but is not currently active.
getStorageEncryptionStatus()
can only return this value on devices that use Full Disk
Encryption. Support for Full Disk Encryption was entirely removed in API level 33, having
been replaced by File Based Encryption. Devices that use File Based Encryption always
automatically activate their encryption on first boot.
setStorageEncryption(ComponentName, boolean)
can still return this value for an unrelated reason, but setStorageEncryption(ComponentName, boolean)
is deprecated since it doesn't do anything useful.
Constant Value: 1 (0x00000001)
ENCRYPTION_STATUS_UNSUPPORTED
public static final int ENCRYPTION_STATUS_UNSUPPORTED
Result code for setStorageEncryption(ComponentName, boolean)
and getStorageEncryptionStatus()
:
indicating that encryption is not supported.
Constant Value: 0 (0x00000000)
EXTRA_ADD_EXPLANATION
public static final String EXTRA_ADD_EXPLANATION
An optional CharSequence providing additional explanation for why the admin is being added.
See also:
Constant Value: "android.app.extra.ADD_EXPLANATION"
EXTRA_DELEGATION_SCOPES
public static final String EXTRA_DELEGATION_SCOPES
An ArrayList<String>
corresponding to the delegation scopes given to an app in the
ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED
broadcast.
Constant Value: "android.app.extra.DELEGATION_SCOPES"
EXTRA_DEVICE_ADMIN
public static final String EXTRA_DEVICE_ADMIN
The ComponentName of the administrator component.
See also:
Constant Value: "android.app.extra.DEVICE_ADMIN"
EXTRA_DEVICE_PASSWORD_REQUIREMENT_ONLY
public static final String EXTRA_DEVICE_PASSWORD_REQUIREMENT_ONLY
A boolean extra for ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
requesting that only
device password requirement is enforced during the parent profile password enrolment flow.
Normally when enrolling password for the parent profile, both the device-wide password
requirement (requirement set via getParentProfileInstance(android.content.ComponentName)
instance)
and the profile password requirement are enforced, if the profile currently does not have a
separate work challenge. By setting this to true
, profile password requirement is
explicitly disregarded.
Constant Value: "android.app.extra.DEVICE_PASSWORD_REQUIREMENT_ONLY"
EXTRA_PASSWORD_COMPLEXITY
public static final String EXTRA_PASSWORD_COMPLEXITY
An integer indicating the complexity level of the new password an app would like the user to
set when launching the action ACTION_SET_NEW_PASSWORD
.
Must be one of
PASSWORD_COMPLEXITY_HIGH
PASSWORD_COMPLEXITY_MEDIUM
PASSWORD_COMPLEXITY_LOW
PASSWORD_COMPLEXITY_NONE
If an invalid value is used, it will be treated as PASSWORD_COMPLEXITY_NONE
.
Requires Manifest.permission.REQUEST_PASSWORD_COMPLEXITY
Constant Value: "android.app.extra.PASSWORD_COMPLEXITY"
EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
public static final String EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
An Account
extra holding the account to migrate during managed
profile provisioning.
If the account supplied is present in the user, it will be copied, along with its credentials to the managed profile and removed from the user.
Constant Value: "android.app.extra.PROVISIONING_ACCOUNT_TO_MIGRATE"
EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
public static final String EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
A Parcelable
extra of type PersistableBundle
that is
passed directly to the Device Policy Controller
after provisioning.
Starting from Build.VERSION_CODES.M
, if used with
MIME_TYPE_PROVISIONING_NFC
as part of NFC managed device provisioning, the NFC
message should contain a stringified Properties
instance, whose string
properties will be converted into a PersistableBundle
and passed to the
management application after provisioning.
Constant Value: "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
EXTRA_PROVISIONING_ALLOWED_PROVISIONING_MODES
public static final String EXTRA_PROVISIONING_ALLOWED_PROVISIONING_MODES
An ArrayList
of Integer
extra specifying the allowed provisioning modes.
This extra will be passed to the admin app's ACTION_GET_PROVISIONING_MODE
activity, whose result intent must contain EXTRA_PROVISIONING_MODE
set to one of
the values in this array.
If the value set to EXTRA_PROVISIONING_MODE
is not in the array,
provisioning will fail.
Constant Value: "android.app.extra.PROVISIONING_ALLOWED_PROVISIONING_MODES"
EXTRA_PROVISIONING_ALLOW_OFFLINE
public static final String EXTRA_PROVISIONING_ALLOW_OFFLINE
A boolean extra indicating whether offline provisioning should be used.
The default value is false
.
Constant Value: "android.app.extra.PROVISIONING_ALLOW_OFFLINE"
EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
A ComponentName extra indicating the device admin receiver
of
the application that will be set as the
Device Policy Controller.
If an application starts provisioning directly via an intent with action
ACTION_PROVISION_MANAGED_DEVICE
the package name of this
component has to match the package name of the application that started provisioning.
This component is set as device owner and active admin when device owner provisioning is
started by an intent with action ACTION_PROVISION_MANAGED_DEVICE
or by an NFC
message containing an NFC record with MIME type
MIME_TYPE_PROVISIONING_NFC
. For the NFC record, the component name must be
flattened to a string, via ComponentName.flattenToShortString()
.
Constant Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
EXTRA_PROVISIONING_DEVICE_ADMIN_MINIMUM_VERSION_CODE
public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_MINIMUM_VERSION_CODE
An int extra holding a minimum required version code for the device admin package. If the
device admin is already installed on the device, it will only be re-downloaded from
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
if the version of the
installed package is less than this version code.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_MINIMUM_VERSION_CODE"
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
A String extra holding the URL-safe base64 encoded SHA-256 hash of the file at download
location specified in EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
.
Either this extra or EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
must be
present. The provided checksum must match the checksum of the file at the download
location. If the checksum doesn't match an error will be shown to the user and the user will
be asked to factory reset the device.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Note: for devices running Build.VERSION_CODES.LOLLIPOP
and Build.VERSION_CODES.LOLLIPOP_MR1
only SHA-1 hash is supported.
Starting from Build.VERSION_CODES.M
, this parameter accepts SHA-256 in
addition to SHA-1. From Build.VERSION_CODES.Q
, only SHA-256 hash is
supported.
Constant Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
A String extra holding a http cookie header which should be used in the http request to the
url specified in EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER"
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
A String extra holding a url that specifies the download location of the device admin package. When not provided it is assumed that the device admin package is already installed.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
This constant was deprecated
in API level 23.
Use EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
.
A String extra holding the package name of the application that will be set as Device Policy Controller.
When this extra is set, the application must have exactly one
device admin receiver
. This receiver will be set as the
Device Policy Controller.
Constant Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME"
EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
public static final String EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
A String extra holding the URL-safe base64 encoded SHA-256 checksum of any signature of the
android package archive at the download location specified in EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
.
The signatures of an android package archive can be obtained using
PackageManager.getPackageArchiveInfo(String, PackageInfoFlags)
with flag
PackageManager.GET_SIGNATURES
.
Either this extra or EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
must be
present. The provided checksum must match the checksum of any signature of the file at
the download location. If the checksum does not match an error will be shown to the user and
the user will be asked to factory reset the device.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
EXTRA_PROVISIONING_DISCLAIMERS
public static final String EXTRA_PROVISIONING_DISCLAIMERS
A Bundle
[] extra consisting of list of disclaimer headers and disclaimer contents.
Each Bundle
must have both EXTRA_PROVISIONING_DISCLAIMER_HEADER
as disclaimer header, and EXTRA_PROVISIONING_DISCLAIMER_CONTENT
as disclaimer
content.
The extra typically contains one disclaimer from the company of mobile device management application (MDM), and one disclaimer from the organization.
Call Bundle.putParcelableArray(String, Parcelable[])
to put the Bundle
[]
Maximum 3 key-value pairs can be specified. The rest will be ignored.
Can be used in an intent with action ACTION_PROVISION_MANAGED_PROFILE
. This
extra can also be returned by the admin app when performing the admin-integrated
provisioning flow as a result of the ACTION_GET_PROVISIONING_MODE
activity.
Constant Value: "android.app.extra.PROVISIONING_DISCLAIMERS"
EXTRA_PROVISIONING_DISCLAIMER_CONTENT
public static final String EXTRA_PROVISIONING_DISCLAIMER_CONTENT
A Uri
extra pointing to disclaimer content.
The following URI schemes are accepted:
- content (
ContentResolver.SCHEME_CONTENT
) - android.resource (
ContentResolver.SCHEME_ANDROID_RESOURCE
)
Styled text is supported. This is parsed by Html.fromHtml(String)
and displayed in a TextView
.
If a content:
URI is passed, the intent should also have the
flag Intent.FLAG_GRANT_READ_URI_PERMISSION
and the uri should be added to the
ClipData
of the intent.
System apps
can also insert a
disclaimer by declaring an application-level meta-data in AndroidManifest.xml
.
For example:
<meta-data android:name="android.app.extra.PROVISIONING_DISCLAIMER_CONTENT" android:resource="@string/disclaimer_content" />
This must be accompanied with another extra using the key
EXTRA_PROVISIONING_DISCLAIMER_HEADER
.
Constant Value: "android.app.extra.PROVISIONING_DISCLAIMER_CONTENT"
EXTRA_PROVISIONING_DISCLAIMER_HEADER
public static final String EXTRA_PROVISIONING_DISCLAIMER_HEADER
A String extra of localized disclaimer header.
The extra is typically the company name of mobile device management application (MDM) or the organization name.
System apps
can also insert a disclaimer by declaring
an application-level meta-data in AndroidManifest.xml
.
For example:
<meta-data android:name="android.app.extra.PROVISIONING_DISCLAIMER_HEADER" android:resource="@string/disclaimer_header" />
This must be accompanied with another extra using the key
EXTRA_PROVISIONING_DISCLAIMER_CONTENT
.
Constant Value: "android.app.extra.PROVISIONING_DISCLAIMER_HEADER"
EXTRA_PROVISIONING_EMAIL_ADDRESS
public static final String EXTRA_PROVISIONING_EMAIL_ADDRESS
This constant was deprecated
in API level 26.
From Build.VERSION_CODES.O
, never used while provisioning the
device.
Constant Value: "android.app.extra.PROVISIONING_EMAIL_ADDRESS"
EXTRA_PROVISIONING_IMEI
public static final String EXTRA_PROVISIONING_IMEI
A string extra holding the IMEI (International Mobile Equipment Identity) of the device.
Constant Value: "android.app.extra.PROVISIONING_IMEI"
EXTRA_PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION
public static final String EXTRA_PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION
Boolean extra to indicate that the
migrated account
should be kept.
If it's set to true
, the account will not be removed from the user after it is
migrated to the newly created user or profile.
Defaults to false
See also:
Constant Value: "android.app.extra.PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION"
EXTRA_PROVISIONING_KEEP_SCREEN_ON
public static final String EXTRA_PROVISIONING_KEEP_SCREEN_ON
This constant was deprecated
in API level 34.
from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, the flag wouldn't
be functional. The screen is kept on throughout the provisioning flow.
A boolean
flag that indicates whether the screen should be on throughout the
provisioning flow.
This extra can either be passed as an extra to the ACTION_PROVISION_MANAGED_PROFILE
intent, or it can be returned by the
admin app when performing the admin-integrated provisioning flow as a result of the
ACTION_GET_PROVISIONING_MODE
activity.
Constant Value: "android.app.extra.PROVISIONING_KEEP_SCREEN_ON"
EXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
public static final String EXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
A Boolean extra that can be used by the mobile device management application to skip the
disabling of system apps during provisioning when set to true
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
, an intent with action
ACTION_PROVISION_MANAGED_PROFILE
that starts profile owner provisioning or
set as an extra to the intent result of the ACTION_GET_PROVISIONING_MODE
activity.
Constant Value: "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"
EXTRA_PROVISIONING_LOCALE
public static final String EXTRA_PROVISIONING_LOCALE
A String extra holding the Locale
that the device will be set to.
Format: xx_yy, where xx is the language code, and yy the country code.
Use only for device owner provisioning. This extra can be returned by the admin app when
performing the admin-integrated provisioning flow as a result of the ACTION_GET_PROVISIONING_MODE
activity.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_LOCALE"
EXTRA_PROVISIONING_LOCAL_TIME
public static final String EXTRA_PROVISIONING_LOCAL_TIME
A Long extra holding the wall clock time (in milliseconds) to be set on the device's
AlarmManager
.
Use only for device owner provisioning. This extra can be returned by the admin app when
performing the admin-integrated provisioning flow as a result of the ACTION_GET_PROVISIONING_MODE
activity.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_LOCAL_TIME"
EXTRA_PROVISIONING_LOGO_URI
public static final String EXTRA_PROVISIONING_LOGO_URI
This constant was deprecated
in API level 33.
Logo customization is no longer supported in the
provisioning flow.
A Uri
extra pointing to a logo image. This image will be shown during the
provisioning. If this extra is not passed, a default image will be shown.
The following URI schemes are accepted:
- content (
ContentResolver.SCHEME_CONTENT
) - android.resource (
ContentResolver.SCHEME_ANDROID_RESOURCE
)
It is the responsibility of the caller to provide an image with a reasonable pixel density for the device.
If a content: URI is passed, the intent should also have the flag
Intent.FLAG_GRANT_READ_URI_PERMISSION
and the uri should be added to the
ClipData
of the intent.
Constant Value: "android.app.extra.PROVISIONING_LOGO_URI"
EXTRA_PROVISIONING_MAIN_COLOR
public static final String EXTRA_PROVISIONING_MAIN_COLOR
This constant was deprecated
in API level 31.
Color customization is no longer supported in the provisioning flow.
A integer extra indicating the predominant color to show during the provisioning.
Refer to Color
for how the color is represented.
Use with ACTION_PROVISION_MANAGED_PROFILE
or
ACTION_PROVISION_MANAGED_DEVICE
.
Constant Value: "android.app.extra.PROVISIONING_MAIN_COLOR"
EXTRA_PROVISIONING_MODE
public static final String EXTRA_PROVISIONING_MODE
An intent extra holding the provisioning mode returned by the administrator.
The value of this extra must be one of the values provided in EXTRA_PROVISIONING_ALLOWED_PROVISIONING_MODES
, which is provided as an intent extra to
the admin app's ACTION_GET_PROVISIONING_MODE
activity.
Constant Value: "android.app.extra.PROVISIONING_MODE"
EXTRA_PROVISIONING_SENSORS_PERMISSION_GRANT_OPT_OUT
public static final String EXTRA_PROVISIONING_SENSORS_PERMISSION_GRANT_OPT_OUT
A boolean extra indicating the admin of a fully-managed device opts out of controlling
permission grants for sensor-related permissions,
see setPermissionGrantState(android.content.ComponentName, java.lang.String, java.lang.String, int)
.
The default for this extra is false
- by default, the admin of a fully-managed
device has the ability to grant sensors-related permissions.
Use only for device owner provisioning. This extra can be returned by the
admin app when performing the admin-integrated provisioning flow as a result of the
ACTION_GET_PROVISIONING_MODE
activity.
This extra may also be provided to the admin app via an intent extra for ACTION_GET_PROVISIONING_MODE
.
See also:
Constant Value: "android.app.extra.PROVISIONING_SENSORS_PERMISSION_GRANT_OPT_OUT"
EXTRA_PROVISIONING_SERIAL_NUMBER
public static final String EXTRA_PROVISIONING_SERIAL_NUMBER
A string extra holding the serial number of the device.
Constant Value: "android.app.extra.PROVISIONING_SERIAL_NUMBER"
EXTRA_PROVISIONING_SHOULD_LAUNCH_RESULT_INTENT
public static final String EXTRA_PROVISIONING_SHOULD_LAUNCH_RESULT_INTENT
A boolean extra that determines whether the provisioning flow should launch the resulting
launch intent, if one is supplied by the device policy management role holder via EXTRA_RESULT_LAUNCH_INTENT
. Default value is false
.
If true
, the resulting intent will be launched by the provisioning flow, if one
is supplied by the device policy management role holder.
If false
, the resulting intent will be returned as EXTRA_RESULT_LAUNCH_INTENT
to the provisioning initiator, if one is supplied by the device
manager role holder. It will be the responsibility of the provisioning initiator to launch
this Intent
after provisioning completes.
This extra is respected when provided via the provisioning intent actions such as ACTION_PROVISION_MANAGED_PROFILE
.
Constant Value: "android.app.extra.PROVISIONING_SHOULD_LAUNCH_RESULT_INTENT"
EXTRA_PROVISIONING_SKIP_EDUCATION_SCREENS
public static final String EXTRA_PROVISIONING_SKIP_EDUCATION_SCREENS
A boolean extra indicating if the education screens from the provisioning flow should be
skipped. If unspecified, defaults to false
.
This extra can be set in the following ways:
- By the admin app when performing the admin-integrated
provisioning flow as a result of the
ACTION_GET_PROVISIONING_MODE
activity - For managed account enrollment
If the education screens are skipped, it is the admin application's responsibility to display its own user education screens.
Constant Value: "android.app.extra.PROVISIONING_SKIP_EDUCATION_SCREENS"
EXTRA_PROVISIONING_SKIP_ENCRYPTION
public static final String EXTRA_PROVISIONING_SKIP_ENCRYPTION
A boolean extra indicating whether device encryption can be skipped as part of provisioning.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
or an intent with action
ACTION_PROVISION_MANAGED_DEVICE
that starts device owner provisioning.
From Build.VERSION_CODES.N
onwards, this is also supported for an
intent with action ACTION_PROVISION_MANAGED_PROFILE
.
Constant Value: "android.app.extra.PROVISIONING_SKIP_ENCRYPTION"
EXTRA_PROVISIONING_SKIP_USER_CONSENT
public static final String EXTRA_PROVISIONING_SKIP_USER_CONSENT
This constant was deprecated
in API level 31.
this extra is no longer relevant as device owners cannot create managed profiles
A boolean extra indicating if the user consent steps from the provisioning flow should be skipped.
If unspecified, defaults to false
.
Constant Value: "android.app.extra.PROVISIONING_SKIP_USER_CONSENT"
EXTRA_PROVISIONING_TIME_ZONE
public static final String EXTRA_PROVISIONING_TIME_ZONE
A String extra holding the time zone AlarmManager
that the device
will be set to.
Use only for device owner provisioning. This extra can be returned by the admin app when
performing the admin-integrated provisioning flow as a result of the ACTION_GET_PROVISIONING_MODE
activity.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_TIME_ZONE"
EXTRA_PROVISIONING_USE_MOBILE_DATA
public static final String EXTRA_PROVISIONING_USE_MOBILE_DATA
A boolean extra indicating if mobile data should be used during the provisioning flow
for downloading the admin app. If EXTRA_PROVISIONING_WIFI_SSID
is also specified,
wifi network will be used instead.
Default value is false
.
If this extra is set to true
and EXTRA_PROVISIONING_WIFI_SSID
is not
specified, this extra has different behaviour depending on the way provisioning is triggered:
- For provisioning started via a QR code or an NFC tag, mobile data is always used for downloading the admin app.
- For all other provisioning methods, a mobile data connection check is made at the start of provisioning. If mobile data is connected at that point, the admin app download will happen using mobile data. If mobile data is not connected at that point, the end-user will be asked to pick a wifi network and the admin app download will proceed over wifi.
Constant Value: "android.app.extra.PROVISIONING_USE_MOBILE_DATA"
EXTRA_PROVISIONING_WIFI_ANONYMOUS_IDENTITY
public static final String EXTRA_PROVISIONING_WIFI_ANONYMOUS_IDENTITY
The anonymous identity of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
. This is
only used if the EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
is EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_ANONYMOUS_IDENTITY"
EXTRA_PROVISIONING_WIFI_CA_CERTIFICATE
public static final String EXTRA_PROVISIONING_WIFI_CA_CERTIFICATE
The CA certificate of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
. This should
be an X.509 certificate Base64 encoded DER format, ie. PEM representation of a certificate
without header, footer and line breaks. More information This is only
used if the EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
is EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_CA_CERTIFICATE"
EXTRA_PROVISIONING_WIFI_DOMAIN
public static final String EXTRA_PROVISIONING_WIFI_DOMAIN
The domain of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
. This is only used if
the EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
is EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_DOMAIN"
EXTRA_PROVISIONING_WIFI_EAP_METHOD
public static final String EXTRA_PROVISIONING_WIFI_EAP_METHOD
The EAP method of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
and could be one of PEAP
, TLS
, TTLS
, PWD
, SIM
,
AKA
or AKA_PRIME
. This is only used if the
EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
is EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_EAP_METHOD"
EXTRA_PROVISIONING_WIFI_HIDDEN
public static final String EXTRA_PROVISIONING_WIFI_HIDDEN
A boolean extra indicating whether the wifi network in EXTRA_PROVISIONING_WIFI_SSID
is hidden or not.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_HIDDEN"
EXTRA_PROVISIONING_WIFI_IDENTITY
public static final String EXTRA_PROVISIONING_WIFI_IDENTITY
The identity of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
. This is only used
if the EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
is EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_IDENTITY"
EXTRA_PROVISIONING_WIFI_PAC_URL
public static final String EXTRA_PROVISIONING_WIFI_PAC_URL
A String extra holding the proxy auto-config (PAC) URL for the wifi network in
EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_PAC_URL"
EXTRA_PROVISIONING_WIFI_PASSWORD
public static final String EXTRA_PROVISIONING_WIFI_PASSWORD
A String extra holding the password of the wifi network in
EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_PASSWORD"
EXTRA_PROVISIONING_WIFI_PHASE2_AUTH
public static final String EXTRA_PROVISIONING_WIFI_PHASE2_AUTH
The phase 2 authentication of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
and could be one of NONE
, PAP
, MSCHAP
, MSCHAPV2
, GTC
,
SIM
, AKA
or AKA_PRIME
. This is only used if the
EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
is EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_PHASE2_AUTH"
EXTRA_PROVISIONING_WIFI_PROXY_BYPASS
public static final String EXTRA_PROVISIONING_WIFI_PROXY_BYPASS
A String extra holding the proxy bypass for the wifi network in
EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_PROXY_BYPASS"
EXTRA_PROVISIONING_WIFI_PROXY_HOST
public static final String EXTRA_PROVISIONING_WIFI_PROXY_HOST
A String extra holding the proxy host for the wifi network in
EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_PROXY_HOST"
EXTRA_PROVISIONING_WIFI_PROXY_PORT
public static final String EXTRA_PROVISIONING_WIFI_PROXY_PORT
An int extra holding the proxy port for the wifi network in
EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_PROXY_PORT"
EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
public static final String EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
A String extra indicating the security type of the wifi network in
EXTRA_PROVISIONING_WIFI_SSID
and could be one of NONE
, WPA
,
WEP
or EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"
EXTRA_PROVISIONING_WIFI_SSID
public static final String EXTRA_PROVISIONING_WIFI_SSID
A String extra holding the ssid of the wifi network that should be used during nfc device owner provisioning for downloading the mobile device management application.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_SSID"
EXTRA_PROVISIONING_WIFI_USER_CERTIFICATE
public static final String EXTRA_PROVISIONING_WIFI_USER_CERTIFICATE
The user certificate of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
. This
should be an X.509 certificate and private key Base64 encoded DER format, ie. PEM
representation of a certificate and key without header, footer and line breaks. More information This is only
used if the EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
is EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner
provisioning via an NFC bump. It can also be used for QR code provisioning.
Constant Value: "android.app.extra.PROVISIONING_WIFI_USER_CERTIFICATE"
EXTRA_RESOURCE_IDS
public static final String EXTRA_RESOURCE_IDS
An integer array extra for ACTION_DEVICE_POLICY_RESOURCE_UPDATED
to indicate which
resource IDs (i.e. strings and drawables) have been updated.
Constant Value: "android.app.extra.RESOURCE_IDS"
EXTRA_RESOURCE_TYPE
public static final String EXTRA_RESOURCE_TYPE
An int
extra for ACTION_DEVICE_POLICY_RESOURCE_UPDATED
to indicate the type
of the resource being updated, the type can be EXTRA_RESOURCE_TYPE_DRAWABLE
or
EXTRA_RESOURCE_TYPE_STRING
Constant Value: "android.app.extra.RESOURCE_TYPE"
EXTRA_RESOURCE_TYPE_DRAWABLE
public static final int EXTRA_RESOURCE_TYPE_DRAWABLE
A int
value for EXTRA_RESOURCE_TYPE
to indicate that a resource of type
Drawable
is being updated.
Constant Value: 1 (0x00000001)
EXTRA_RESOURCE_TYPE_STRING
public static final int EXTRA_RESOURCE_TYPE_STRING
A int
value for EXTRA_RESOURCE_TYPE
to indicate that a resource of type
String
is being updated.
Constant Value: 2 (0x00000002)
EXTRA_RESULT_LAUNCH_INTENT
public static final String EXTRA_RESULT_LAUNCH_INTENT
An Intent
result extra specifying the Intent
to be launched after
provisioning is finalized.
If EXTRA_PROVISIONING_SHOULD_LAUNCH_RESULT_INTENT
is set to false
,
this result will be supplied as part of the result Intent
for provisioning actions
such as ACTION_PROVISION_MANAGED_PROFILE
. This result will also be supplied as
part of the result Intent
for the device policy management role holder provisioning
actions.
Constant Value: "android.app.extra.RESULT_LAUNCH_INTENT"
FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY
public static final int FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY
Flag for lockNow(int)
: also evict the user's credential encryption key from the
keyring. The user's credential will need to be entered again in order to derive the
credential encryption key that will be stored back in the keyring for future use.
This flag can only be used by a profile owner when locking a managed profile when
getStorageEncryptionStatus()
returns ENCRYPTION_STATUS_ACTIVE_PER_USER
.
In order to secure user data, the user will be stopped and restarted so apps should wait until they are next run to perform further actions.
Constant Value: 1 (0x00000001)
FLAG_MANAGED_CAN_ACCESS_PARENT
public static final int FLAG_MANAGED_CAN_ACCESS_PARENT
Flag used by addCrossProfileIntentFilter(ComponentName, IntentFilter, int)
to allow activities in
the managed profile to access intents sent from the parent profile.
That is, when an app in the parent profile calls
Activity.startActivity(Intent)
, the intent can be resolved by a
matching activity in the managed profile.
Constant Value: 2 (0x00000002)
FLAG_PARENT_CAN_ACCESS_MANAGED
public static final int FLAG_PARENT_CAN_ACCESS_MANAGED
Flag used by addCrossProfileIntentFilter(ComponentName, IntentFilter, int)
to allow activities in
the parent profile to access intents sent from the managed profile.
That is, when an app in the managed profile calls
Activity.startActivity(Intent)
, the intent can be resolved by a
matching activity in the parent profile.
Constant Value: 1 (0x00000001)
ID_TYPE_BASE_INFO
public static final int ID_TYPE_BASE_INFO
Specifies that the device should attest its manufacturer details. For use with
generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)
.
Constant Value: 1 (0x00000001)
ID_TYPE_IMEI
public static final int ID_TYPE_IMEI
Specifies that the device should attest its IMEI. For use with generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)
.
Constant Value: 4 (0x00000004)
ID_TYPE_INDIVIDUAL_ATTESTATION
public static final int ID_TYPE_INDIVIDUAL_ATTESTATION
Specifies that the device should attest using an individual attestation certificate.
For use with generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)
.
Constant Value: 16 (0x00000010)
ID_TYPE_MEID
public static final int ID_TYPE_MEID
Specifies that the device should attest its MEID. For use with generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)
.
Constant Value: 8 (0x00000008)
ID_TYPE_SERIAL
public static final int ID_TYPE_SERIAL
Specifies that the device should attest its serial number. For use with
generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)
.
Constant Value: 2 (0x00000002)
INSTALLKEY_REQUEST_CREDENTIALS_ACCESS
public static final int INSTALLKEY_REQUEST_CREDENTIALS_ACCESS
Specifies that the calling app should be granted access to the installed credentials
immediately. Otherwise, access to the credentials will be gated by user approval.
For use with installKeyPair(android.content.ComponentName, java.security.PrivateKey, java.security.cert.Certificate[], java.lang.String, int)
Constant Value: 1 (0x00000001)
INSTALLKEY_SET_USER_SELECTABLE
public static final int INSTALLKEY_SET_USER_SELECTABLE
Specifies that a user can select the key via the Certificate Selection prompt.
If this flag is not set when calling installKeyPair(ComponentName, PrivateKey, Certificate, String)
, the key can only be granted
access by implementing DeviceAdminReceiver.onChoosePrivateKeyAlias(Context, Intent, int, Uri, String)
.
For use with installKeyPair(android.content.ComponentName, java.security.PrivateKey, java.security.cert.Certificate[], java.lang.String, int)
Constant Value: 2 (0x00000002)
KEYGUARD_DISABLE_BIOMETRICS
public static final int KEYGUARD_DISABLE_BIOMETRICS
Disable all biometric authentication on keyguard secure screens (e.g. PIN/Pattern/Password).
Constant Value: 416 (0x000001a0)
KEYGUARD_DISABLE_FACE
public static final int KEYGUARD_DISABLE_FACE
Disable face authentication on keyguard secure screens (e.g. PIN/Pattern/Password).
Constant Value: 128 (0x00000080)
KEYGUARD_DISABLE_FEATURES_ALL
public static final int KEYGUARD_DISABLE_FEATURES_ALL
Disable all current and future keyguard customizations.
Constant Value: 2147483647 (0x7fffffff)
KEYGUARD_DISABLE_FEATURES_NONE
public static final int KEYGUARD_DISABLE_FEATURES_NONE
Widgets are enabled in keyguard
Constant Value: 0 (0x00000000)
KEYGUARD_DISABLE_FINGERPRINT
public static final int KEYGUARD_DISABLE_FINGERPRINT
Disable fingerprint authentication on keyguard secure screens (e.g. PIN/Pattern/Password).
Constant Value: 32 (0x00000020)
KEYGUARD_DISABLE_IRIS
public static final int KEYGUARD_DISABLE_IRIS
Disable iris authentication on keyguard secure screens (e.g. PIN/Pattern/Password).
Constant Value: 256 (0x00000100)
KEYGUARD_DISABLE_REMOTE_INPUT
public static final int KEYGUARD_DISABLE_REMOTE_INPUT
This constant was deprecated
in API level 33.
This flag was added in version Build.VERSION_CODES.N
, but it
never had any effect.
Disable text entry into notifications on secure keyguard screens (e.g. PIN/Pattern/Password).
Constant Value: 64 (0x00000040)
KEYGUARD_DISABLE_SECURE_CAMERA
public static final int KEYGUARD_DISABLE_SECURE_CAMERA
Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password)
Constant Value: 2 (0x00000002)
KEYGUARD_DISABLE_SECURE_NOTIFICATIONS
public static final int KEYGUARD_DISABLE_SECURE_NOTIFICATIONS
Disable showing all notifications on secure keyguard screens (e.g. PIN/Pattern/Password)
Constant Value: 4 (0x00000004)
KEYGUARD_DISABLE_SHORTCUTS_ALL
public static final int KEYGUARD_DISABLE_SHORTCUTS_ALL
Disable all keyguard shortcuts.
Constant Value: 512 (0x00000200)
KEYGUARD_DISABLE_TRUST_AGENTS
public static final int KEYGUARD_DISABLE_TRUST_AGENTS
Disable trust agents on secure keyguard screens (e.g. PIN/Pattern/Password).
By setting this flag alone, all trust agents are disabled. If the admin then wants to
allowlist specific features of some trust agent, setTrustAgentConfiguration(ComponentName, ComponentName, PersistableBundle)
can be
used in conjuction to set trust-agent-specific configurations.
Constant Value: 16 (0x00000010)
KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS
public static final int KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS
Only allow redacted notifications on secure keyguard screens (e.g. PIN/Pattern/Password)
Constant Value: 8 (0x00000008)
KEYGUARD_DISABLE_WIDGETS_ALL
public static final int KEYGUARD_DISABLE_WIDGETS_ALL
Disable all keyguard widgets. Has no effect between Build.VERSION_CODES.LOLLIPOP
and Build.VERSION_CODES.UPSIDE_DOWN_CAKE
(both inclusive), since keyguard widget is
only supported on Android versions lower than 5.0 and versions higher than 14.
Constant Value: 1 (0x00000001)
LEAVE_ALL_SYSTEM_APPS_ENABLED
public static final int LEAVE_ALL_SYSTEM_APPS_ENABLED
Flag used by createAndManageUser(ComponentName, String, ComponentName, PersistableBundle, int)
to specify that the newly created user should skip
the disabling of system apps during provisioning.
Constant Value: 16 (0x00000010)
LOCK_TASK_FEATURE_BLOCK_ACTIVITY_START_IN_TASK
public static final int LOCK_TASK_FEATURE_BLOCK_ACTIVITY_START_IN_TASK
Enable blocking of non-allowlisted activities from being started into a locked task.
See also:
Constant Value: 64 (0x00000040)
LOCK_TASK_FEATURE_GLOBAL_ACTIONS
public static final int LOCK_TASK_FEATURE_GLOBAL_ACTIONS
Enable the global actions dialog during LockTask mode. This is the dialog that shows up when the user long-presses the power button, for example. Note that the user may not be able to power off the device if this flag is not set.
This flag is enabled by default until setLockTaskFeatures(android.content.ComponentName, int)
is
called for the first time.
See also:
Constant Value: 16 (0x00000010)
LOCK_TASK_FEATURE_HOME
public static final int LOCK_TASK_FEATURE_HOME
Enable the Home button during LockTask mode. Note that if a custom launcher is used, it has
to be registered as the default launcher with
addPersistentPreferredActivity(android.content.ComponentName, android.content.IntentFilter, android.content.ComponentName)
, and its
package needs to be allowlisted for LockTask with
setLockTaskPackages(android.content.ComponentName, java.lang.String[])
.
See also:
Constant Value: 4 (0x00000004)
LOCK_TASK_FEATURE_KEYGUARD
public static final int LOCK_TASK_FEATURE_KEYGUARD
Enable the keyguard during LockTask mode. Note that if the keyguard is already disabled with
setKeyguardDisabled(android.content.ComponentName, boolean)
, setting this flag will have no effect.
If this flag is not set, the keyguard will not be shown even if the user has a lock screen
credential.
See also:
Constant Value: 32 (0x00000020)
LOCK_TASK_FEATURE_NONE
public static final int LOCK_TASK_FEATURE_NONE
Disable all configurable SystemUI features during LockTask mode. This includes,
- system info area in the status bar (connectivity icons, clock, etc.)
- notifications (including alerts, icons, and the notification shade)
- Home button
- Recents button and UI
- global actions menu (i.e. power button menu)
- keyguard
See also:
Constant Value: 0 (0x00000000)
LOCK_TASK_FEATURE_NOTIFICATIONS
public static final int LOCK_TASK_FEATURE_NOTIFICATIONS
Enable notifications during LockTask mode. This includes notification icons on the status
bar, heads-up notifications, and the expandable notification shade. Note that the Quick
Settings panel remains disabled. This feature flag can only be used in combination with
LOCK_TASK_FEATURE_HOME
. setLockTaskFeatures(android.content.ComponentName, int)
throws an IllegalArgumentException
if this feature flag is defined without
LOCK_TASK_FEATURE_HOME
.
See also:
Constant Value: 2 (0x00000002)
LOCK_TASK_FEATURE_OVERVIEW
public static final int LOCK_TASK_FEATURE_OVERVIEW
Enable the Overview button and the Overview screen during LockTask mode. This feature flag
can only be used in combination with LOCK_TASK_FEATURE_HOME
, and
setLockTaskFeatures(android.content.ComponentName, int)
will throw an
IllegalArgumentException
if this feature flag is defined without
LOCK_TASK_FEATURE_HOME
.
See also:
Constant Value: 8 (0x00000008)
LOCK_TASK_FEATURE_SYSTEM_INFO
public static final int LOCK_TASK_FEATURE_SYSTEM_INFO
Enable the system info area in the status bar during LockTask mode. The system info area usually occupies the right side of the status bar (although this can differ across OEMs). It includes all system information indicators, such as date and time, connectivity, battery, vibration mode, etc.
See also:
Constant Value: 1 (0x00000001)
MAKE_USER_EPHEMERAL
public static final int MAKE_USER_EPHEMERAL
Flag used by createAndManageUser(ComponentName, String, ComponentName, PersistableBundle, int)
to specify that the user should be created
ephemeral. Ephemeral users will be removed after switching to another user or rebooting the
device.
Constant Value: 2 (0x00000002)
MIME_TYPE_PROVISIONING_NFC
public static final String MIME_TYPE_PROVISIONING_NFC
This MIME type is used for starting the device owner provisioning.
During device owner provisioning a device admin app is set as the owner of the device. A device owner has full control over the device. The device owner can not be modified by the user and the only way of resetting the device is if the device owner app calls a factory reset.
A typical use case would be a device that is owned by a company, but used by either an employee or client.
The NFC message must be sent to an unprovisioned device.
The NFC record must contain a serialized Properties
object which
contains the following properties:
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
, optionalEXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
, optionalEXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
, optionalEXTRA_PROVISIONING_LOCAL_TIME
(convert to String), optionalEXTRA_PROVISIONING_TIME_ZONE
, optionalEXTRA_PROVISIONING_LOCALE
, optionalEXTRA_PROVISIONING_WIFI_SSID
, optionalEXTRA_PROVISIONING_WIFI_HIDDEN
(convert to String), optionalEXTRA_PROVISIONING_WIFI_SECURITY_TYPE
, optionalEXTRA_PROVISIONING_WIFI_PASSWORD
, optionalEXTRA_PROVISIONING_WIFI_PROXY_HOST
, optionalEXTRA_PROVISIONING_WIFI_PROXY_PORT
(convert to String), optionalEXTRA_PROVISIONING_WIFI_PROXY_BYPASS
, optionalEXTRA_PROVISIONING_WIFI_PAC_URL
, optionalEXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
, optional, supported fromBuild.VERSION_CODES.M
EXTRA_PROVISIONING_WIFI_EAP_METHOD
, optional, supported fromBuild.VERSION_CODES.Q
EXTRA_PROVISIONING_WIFI_PHASE2_AUTH
, optional, supported fromBuild.VERSION_CODES.Q
EXTRA_PROVISIONING_WIFI_CA_CERTIFICATE
, optional, supported fromBuild.VERSION_CODES.Q
EXTRA_PROVISIONING_WIFI_USER_CERTIFICATE
, optional, supported fromBuild.VERSION_CODES.Q
EXTRA_PROVISIONING_WIFI_IDENTITY
, optional, supported fromBuild.VERSION_CODES.Q
EXTRA_PROVISIONING_WIFI_ANONYMOUS_IDENTITY
, optional, supported fromBuild.VERSION_CODES.Q
EXTRA_PROVISIONING_WIFI_DOMAIN
, optional, supported fromBuild.VERSION_CODES.Q
As of Build.VERSION_CODES.M
, the properties should contain
EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
instead of
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
, (although specifying only
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
is still supported).
Constant Value: "application/com.android.managedprovisioning"
MTE_DISABLED
public static final int MTE_DISABLED
Require that MTE be disabled on the device. Can be set by a device owner.
Constant Value: 2 (0x00000002)
MTE_ENABLED
public static final int MTE_ENABLED
Require that MTE be enabled on the device, if supported. Can be set by a device owner or a profile owner of an organization-owned managed profile.
Constant Value: 1 (0x00000001)
MTE_NOT_CONTROLLED_BY_POLICY
public static final int MTE_NOT_CONTROLLED_BY_POLICY
Allow the user to choose whether to enable MTE on the device.
Constant Value: 0 (0x00000000)
NEARBY_STREAMING_DISABLED
public static final int NEARBY_STREAMING_DISABLED
Indicates that nearby streaming is disabled.
Constant Value: 1 (0x00000001)
NEARBY_STREAMING_ENABLED
public static final int NEARBY_STREAMING_ENABLED
Indicates that nearby streaming is enabled.
Constant Value: 2 (0x00000002)
NEARBY_STREAMING_NOT_CONTROLLED_BY_POLICY
public static final int NEARBY_STREAMING_NOT_CONTROLLED_BY_POLICY
Indicates that nearby streaming is not controlled by policy, which means nearby streaming is allowed.
Constant Value: 0 (0x00000000)
NEARBY_STREAMING_SAME_MANAGED_ACCOUNT_ONLY
public static final int NEARBY_STREAMING_SAME_MANAGED_ACCOUNT_ONLY
Indicates that nearby streaming is enabled only to devices offering a comparable level of security, with the same authenticated managed account.
Constant Value: 3 (0x00000003)
OPERATION_SAFETY_REASON_DRIVING_DISTRACTION
public static final int OPERATION_SAFETY_REASON_DRIVING_DISTRACTION
Indicates that a UnsafeStateException
was thrown because the operation would distract
the driver of the vehicle.
Constant Value: 1 (0x00000001)
PASSWORD_COMPLEXITY_HIGH
public static final int PASSWORD_COMPLEXITY_HIGH
Constant for getPasswordComplexity()
and
setRequiredPasswordComplexity(int)
.
Define the high password complexity band as:
- PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 8
- alphabetic, length at least 6
- alphanumeric, length at least 6
When returned from getPasswordComplexity()
, the constant represents
the exact complexity band the password is in.
When passed to {@link #setRequiredPasswordComplexity(int), it sets the minimum complexity
band which the password must meet.
Constant Value: 327680 (0x00050000)
PASSWORD_COMPLEXITY_LOW
public static final int PASSWORD_COMPLEXITY_LOW
Constant for getPasswordComplexity()
and
setRequiredPasswordComplexity(int)
.
Define the low password complexity band as:
- pattern
- PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences
When returned from getPasswordComplexity()
, the constant represents
the exact complexity band the password is in.
When passed to {@link #setRequiredPasswordComplexity(int), it sets the minimum complexity
band which the password must meet.
Constant Value: 65536 (0x00010000)
PASSWORD_COMPLEXITY_MEDIUM
public static final int PASSWORD_COMPLEXITY_MEDIUM
Constant for getPasswordComplexity()
and
setRequiredPasswordComplexity(int)
.
Define the medium password complexity band as:
- PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 4
- alphabetic, length at least 4
- alphanumeric, length at least 4
When returned from getPasswordComplexity()
, the constant represents
the exact complexity band the password is in.
When passed to {@link #setRequiredPasswordComplexity(int), it sets the minimum complexity
band which the password must meet.
Constant Value: 196608 (0x00030000)
PASSWORD_COMPLEXITY_NONE
public static final int PASSWORD_COMPLEXITY_NONE
Constant for getPasswordComplexity()
and
setRequiredPasswordComplexity(int)
: no password.
When returned from getPasswordComplexity()
, the constant represents
the exact complexity band the password is in.
When passed to {@link #setRequiredPasswordComplexity(int), it sets the minimum complexity
band which the password must meet.
Constant Value: 0 (0x00000000)
PASSWORD_QUALITY_ALPHABETIC
public static final int PASSWORD_QUALITY_ALPHABETIC
Constant for setPasswordQuality(ComponentName, int)
: the user must have entered a
password containing at least alphabetic (or other symbol) characters.
Note that quality constants are ordered so that higher values are more
restrictive.
Constant Value: 262144 (0x00040000)
PASSWORD_QUALITY_ALPHANUMERIC
public static final int PASSWORD_QUALITY_ALPHANUMERIC
Constant for setPasswordQuality(ComponentName, int)
: the user must have entered a
password containing at least both> numeric and
alphabetic (or other symbol) characters. Note that quality constants are
ordered so that higher values are more restrictive.
Constant Value: 327680 (0x00050000)
PASSWORD_QUALITY_BIOMETRIC_WEAK
public static final int PASSWORD_QUALITY_BIOMETRIC_WEAK
Constant for setPasswordQuality(ComponentName, int)
: the policy allows for low-security biometric
recognition technology. This implies technologies that can recognize the identity of
an individual to about a 3 digit PIN (false detection is less than 1 in 1,000).
Note that quality constants are ordered so that higher values are more restrictive.
Constant Value: 32768 (0x00008000)
PASSWORD_QUALITY_COMPLEX
public static final int PASSWORD_QUALITY_COMPLEX
Constant for setPasswordQuality(ComponentName, int)
: allows the admin to set precisely how many
characters of various types the password should contain to satisfy the policy. The admin
should set these requirements via setPasswordMinimumLetters(ComponentName, int)
,
setPasswordMinimumNumeric(ComponentName, int)
, setPasswordMinimumSymbols(ComponentName, int)
,
setPasswordMinimumUpperCase(ComponentName, int)
, setPasswordMinimumLowerCase(ComponentName, int)
,
setPasswordMinimumNonLetter(ComponentName, int)
, and setPasswordMinimumLength(ComponentName, int)
.
Note that quality constants are ordered so that higher values are more restrictive.
Constant Value: 393216 (0x00060000)
PASSWORD_QUALITY_NUMERIC
public static final int PASSWORD_QUALITY_NUMERIC
Constant for setPasswordQuality(ComponentName, int)
: the user must have entered a
password containing at least numeric characters. Note that quality
constants are ordered so that higher values are more restrictive.
Constant Value: 131072 (0x00020000)
PASSWORD_QUALITY_NUMERIC_COMPLEX
public static final int PASSWORD_QUALITY_NUMERIC_COMPLEX
Constant for setPasswordQuality(ComponentName, int)
: the user must have entered a
password containing at least numeric characters with no repeating (4444)
or ordered (1234, 4321, 2468) sequences. Note that quality
constants are ordered so that higher values are more restrictive.
Constant Value: 196608 (0x00030000)
PASSWORD_QUALITY_SOMETHING
public static final int PASSWORD_QUALITY_SOMETHING
Constant for setPasswordQuality(ComponentName, int)
: the policy requires some kind
of password or pattern, but doesn't care what it is. Note that quality constants
are ordered so that higher values are more restrictive.
Constant Value: 65536 (0x00010000)
PASSWORD_QUALITY_UNSPECIFIED
public static final int PASSWORD_QUALITY_UNSPECIFIED
Constant for setPasswordQuality(ComponentName, int)
: the policy has no requirements
for the password. Note that quality constants are ordered so that higher
values are more restrictive.
Constant Value: 0 (0x00000000)
PERMISSION_GRANT_STATE_DEFAULT
public static final int PERMISSION_GRANT_STATE_DEFAULT
Runtime permission state: The user can manage the permission through the UI.
Constant Value: 0 (0x00000000)
PERMISSION_GRANT_STATE_DENIED
public static final int PERMISSION_GRANT_STATE_DENIED
Runtime permission state: The permission is denied to the app and the user cannot manage the permission through the UI.
Constant Value: 2 (0x00000002)
PERMISSION_GRANT_STATE_GRANTED
public static final int PERMISSION_GRANT_STATE_GRANTED
Runtime permission state: The permission is granted to the app and the user cannot manage the permission through the UI.
Constant Value: 1 (0x00000001)
PERMISSION_POLICY_AUTO_DENY
public static final int PERMISSION_POLICY_AUTO_DENY
Permission policy to always deny new permission requests for runtime permissions. Already granted or denied permissions are not affected by this.
Constant Value: 2 (0x00000002)
PERMISSION_POLICY_AUTO_GRANT
public static final int PERMISSION_POLICY_AUTO_GRANT
Permission policy to always grant new permission requests for runtime permissions. Already granted or denied permissions are not affected by this.
Constant Value: 1 (0x00000001)
PERMISSION_POLICY_PROMPT
public static final int PERMISSION_POLICY_PROMPT
Permission policy to prompt user for new permission requests for runtime permissions. Already granted or denied permissions are not affected by this.
Constant Value: 0 (0x00000000)
PERSONAL_APPS_NOT_SUSPENDED
public static final int PERSONAL_APPS_NOT_SUSPENDED
Return value for getPersonalAppsSuspendedReasons(ComponentName)
when personal apps are not
suspended.
Constant Value: 0 (0x00000000)
PERSONAL_APPS_SUSPENDED_EXPLICITLY
public static final int PERSONAL_APPS_SUSPENDED_EXPLICITLY
Flag for getPersonalAppsSuspendedReasons(ComponentName)
return value. Set when personal
apps are suspended by an admin explicitly via setPersonalAppsSuspended(ComponentName, boolean)
.
Constant Value: 1 (0x00000001)
PERSONAL_APPS_SUSPENDED_PROFILE_TIMEOUT
public static final int PERSONAL_APPS_SUSPENDED_PROFILE_TIMEOUT
Flag for getPersonalAppsSuspendedReasons(ComponentName)
return value. Set when personal apps are
suspended by framework because managed profile was off for longer than allowed by policy.
Constant Value: 2 (0x00000002)
POLICY_DISABLE_CAMERA
public static final String POLICY_DISABLE_CAMERA
Constant to indicate the feature of disabling the camera. Used as argument to
createAdminSupportIntent(java.lang.String)
.
Constant Value: "policy_disable_camera"
POLICY_DISABLE_SCREEN_CAPTURE
public static final String POLICY_DISABLE_SCREEN_CAPTURE
Constant to indicate the feature of disabling screen captures. Used as argument to
createAdminSupportIntent(java.lang.String)
.
Constant Value: "policy_disable_screen_capture"
PRIVATE_DNS_MODE_OFF
public static final int PRIVATE_DNS_MODE_OFF
Specifies that Private DNS was turned off completely.
Constant Value: 1 (0x00000001)
PRIVATE_DNS_MODE_OPPORTUNISTIC
public static final int PRIVATE_DNS_MODE_OPPORTUNISTIC
Specifies that the device owner requested opportunistic DNS over TLS
Constant Value: 2 (0x00000002)
PRIVATE_DNS_MODE_PROVIDER_HOSTNAME
public static final int PRIVATE_DNS_MODE_PROVIDER_HOSTNAME
Specifies that the device owner configured a specific host to use for Private DNS.
Constant Value: 3 (0x00000003)
PRIVATE_DNS_MODE_UNKNOWN
public static final int PRIVATE_DNS_MODE_UNKNOWN
Specifies that the Private DNS setting is in an unknown state.
Constant Value: 0 (0x00000000)
PRIVATE_DNS_SET_ERROR_FAILURE_SETTING
public static final int PRIVATE_DNS_SET_ERROR_FAILURE_SETTING
General failure to set the Private DNS mode, not due to one of the reasons listed above.
Constant Value: 2 (0x00000002)
PRIVATE_DNS_SET_ERROR_HOST_NOT_SERVING
public static final int PRIVATE_DNS_SET_ERROR_HOST_NOT_SERVING
If the privateDnsHost
provided was of a valid hostname but that host was found
to not support DNS-over-TLS.
Constant Value: 1 (0x00000001)
PRIVATE_DNS_SET_NO_ERROR
public static final int PRIVATE_DNS_SET_NO_ERROR
The selected mode has been set successfully. If the mode is
PRIVATE_DNS_MODE_PROVIDER_HOSTNAME
then it implies the supplied host is valid
and reachable.
Constant Value: 0 (0x00000000)
PROVISIONING_MODE_FULLY_MANAGED_DEVICE
public static final int PROVISIONING_MODE_FULLY_MANAGED_DEVICE
The provisioning mode for fully managed device.
Constant Value: 1 (0x00000001)
PROVISIONING_MODE_MANAGED_PROFILE
public static final int PROVISIONING_MODE_MANAGED_PROFILE
The provisioning mode for managed profile.
Constant Value: 2 (0x00000002)
PROVISIONING_MODE_MANAGED_PROFILE_ON_PERSONAL_DEVICE
public static final int PROVISIONING_MODE_MANAGED_PROFILE_ON_PERSONAL_DEVICE
The provisioning mode for a managed profile on a personal device.
This mode is only available when the provisioning initiator has explicitly instructed the
provisioning flow to support managed profile on a personal device provisioning. In that case,
PROVISIONING_MODE_MANAGED_PROFILE
corresponds to an organization-owned managed
profile, whereas this constant corresponds to a personally-owned managed profile.
See also:
Constant Value: 3 (0x00000003)
RESET_PASSWORD_DO_NOT_ASK_CREDENTIALS_ON_BOOT
public static final int RESET_PASSWORD_DO_NOT_ASK_CREDENTIALS_ON_BOOT
Flag for resetPasswordWithToken(ComponentName, String, byte, int)
and resetPassword(String, int)
: don't ask for user
credentials on device boot.
If the flag is set, the device can be booted without asking for user password.
The absence of this flag does not change the current boot requirements. This flag
can be set by the device owner only. If the app is not the device owner, the flag
is ignored. Once the flag is set, it cannot be reverted back without resetting the
device to factory defaults.
Constant Value: 2 (0x00000002)
RESET_PASSWORD_REQUIRE_ENTRY
public static final int RESET_PASSWORD_REQUIRE_ENTRY
Flag for resetPasswordWithToken(ComponentName, String, byte, int)
and resetPassword(String, int)
: don't allow other admins
to change the password again until the user has entered it.
Constant Value: 1 (0x00000001)
SKIP_SETUP_WIZARD
public static final int SKIP_SETUP_WIZARD
Flag used by createAndManageUser(ComponentName, String, ComponentName, PersistableBundle, int)
to skip setup wizard after creating a new user.
Constant Value: 1 (0x00000001)
WIFI_SECURITY_ENTERPRISE_192
public static final int WIFI_SECURITY_ENTERPRISE_192
Constant for getMinimumRequiredWifiSecurityLevel()
and
setMinimumRequiredWifiSecurityLevel(int)
: enterprise 192 bit network.
When returned from getMinimumRequiredWifiSecurityLevel()
, the constant
represents the current minimum security level required.
When passed to setMinimumRequiredWifiSecurityLevel(int)
, it sets the
minimum security level a Wi-Fi network must meet.
Constant Value: 3 (0x00000003)
WIFI_SECURITY_ENTERPRISE_EAP
public static final int WIFI_SECURITY_ENTERPRISE_EAP
Constant for getMinimumRequiredWifiSecurityLevel()
and
setMinimumRequiredWifiSecurityLevel(int)
: enterprise EAP network.
When returned from getMinimumRequiredWifiSecurityLevel()
, the constant
represents the current minimum security level required.
When passed to setMinimumRequiredWifiSecurityLevel(int)
, it sets the
minimum security level a Wi-Fi network must meet.
Constant Value: 2 (0x00000002)
WIFI_SECURITY_OPEN
public static final int WIFI_SECURITY_OPEN
Constant for getMinimumRequiredWifiSecurityLevel()
and
setMinimumRequiredWifiSecurityLevel(int)
: no minimum security level.
When returned from getMinimumRequiredWifiSecurityLevel()
, the constant
represents the current minimum security level required.
When passed to setMinimumRequiredWifiSecurityLevel(int)
, it sets the
minimum security level a Wi-Fi network must meet.
Constant Value: 0 (0x00000000)
WIFI_SECURITY_PERSONAL
public static final int WIFI_SECURITY_PERSONAL
Constant for getMinimumRequiredWifiSecurityLevel()
and
setMinimumRequiredWifiSecurityLevel(int)
: personal network such as WEP, WPA2-PSK.
When returned from getMinimumRequiredWifiSecurityLevel()
, the constant
represents the current minimum security level required.
When passed to setMinimumRequiredWifiSecurityLevel(int)
, it sets the
minimum security level a Wi-Fi network must meet.
Constant Value: 1 (0x00000001)
WIPE_EUICC
public static final int WIPE_EUICC
Flag for wipeData(int)
: also erase the device's eUICC data.
Constant Value: 4 (0x00000004)
WIPE_EXTERNAL_STORAGE
public static final int WIPE_EXTERNAL_STORAGE
Flag for wipeData(int)
: also erase the device's adopted external storage (such as
adopted SD cards).
See also:
Constant Value: 1 (0x00000001)
WIPE_RESET_PROTECTION_DATA
public static final int WIPE_RESET_PROTECTION_DATA
Flag for wipeData(int)
: also erase the factory reset protection
data.
This flag may only be set by device owner admins; if it is set by
other admins a SecurityException
will be thrown.
Constant Value: 2 (0x00000002)
WIPE_SILENTLY
public static final int WIPE_SILENTLY
Flag for wipeData(int)
: won't show reason for wiping to the user.
Constant Value: 8 (0x00000008)
Public methods
acknowledgeDeviceCompliant
public void acknowledgeDeviceCompliant ()
Called by a profile owner of an organization-owned managed profile to acknowledge that the
device is compliant and the user can turn the profile off if needed according to the maximum
time off policy.
This method should be called when the device is deemed compliant after getting
DeviceAdminReceiver.onComplianceAcknowledgementRequired(Context, Intent)
callback in
case it is overridden. Before this method is called the user is still free to turn the
profile off, but the timer won't be reset, so personal apps will be suspended sooner.
DPCs only need acknowledging device compliance if they override
DeviceAdminReceiver.onComplianceAcknowledgementRequired(Context, Intent)
, otherwise
compliance is acknowledged automatically.
Throws | |
---|---|
IllegalStateException |
if the user isn't unlocked |
addCrossProfileIntentFilter
public void addCrossProfileIntentFilter (ComponentName admin, IntentFilter filter, int flags)
Called by the profile owner of a managed profile so that some intents sent in the managed profile can also be resolved in the parent, or vice versa. Only activity intents are supported.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value may be null . |
filter |
IntentFilter : The IntentFilter the intent has to match to be also resolved in the
other profile |
flags |
int : DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT and
DevicePolicyManager.FLAG_PARENT_CAN_ACCESS_MANAGED are supported. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
addCrossProfileWidgetProvider
public boolean addCrossProfileWidgetProvider (ComponentName admin, String packageName)
Called by the profile owner of a managed profile or a holder of the permission
Manifest.permission.MANAGE_DEVICE_POLICY_PROFILE_INTERACTION
to enable
widget providers from a given package to be available in the parent profile. As a result the
user will be able to add widgets from the allowlisted package running under the profile to a
widget host which runs under the parent profile, for example the home screen. Note that a
package may have zero or more provider components, where each component provides a different
widget type.
Note: By default no widget provider package is allowlisted.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin.
This value may be null . |
packageName |
String : The package from which widget providers are allowlisted. |
Returns | |
---|---|
boolean |
Whether the package was added. |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner and not a holder of the
permission Manifest.permission.MANAGE_DEVICE_POLICY_PROFILE_INTERACTION . |
addOverrideApn
public int addOverrideApn (ComponentName admin, ApnSetting apnSetting)
Called by device owner or managed profile owner to add an override APN.
This method may returns -1
if apnSetting
conflicts with an existing
override APN. Update the existing conflicted APN with
updateOverrideApn(android.content.ComponentName, int, android.telephony.data.ApnSetting)
instead of adding a new entry.
Two override APNs are considered to conflict when all the following APIs return the same values on both override APNs:
ApnSetting.getOperatorNumeric()
ApnSetting.getApnName()
ApnSetting.getProxyAddressAsString()
ApnSetting.getProxyPort()
ApnSetting.getMmsProxyAddressAsString()
ApnSetting.getMmsProxyPort()
ApnSetting.getMmsc()
ApnSetting.isEnabled()
ApnSetting.getMvnoType()
ApnSetting.getProtocol()
ApnSetting.getRoamingProtocol()
Before Android version Build.VERSION_CODES.TIRAMISU
:
Only device owners can add APNs.
Starting from Android version Build.VERSION_CODES.TIRAMISU
:
Both device owners and managed profile owners can add enterprise APNs
(ApnSetting.TYPE_ENTERPRISE
), while only device owners can add other type of APNs.
Enterprise APNs are specific to the managed profile and do not override any user-configured
VPNs. They are prerequisites for enabling preferential network service on the managed
profile on 4G networks (setPreferentialNetworkServiceConfigs(List)
).
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated with
This value cannot be null . |
apnSetting |
ApnSetting : the override APN to insert
This value cannot be null . |
Returns | |
---|---|
int |
The id of inserted override APN. Or -1 when failed to insert into
the database. |
Throws | |
---|---|
SecurityException |
If request is for enterprise APN admin is either device
owner or profile owner and in all other types of APN if admin is not a device owner. |
addPersistentPreferredActivity
public void addPersistentPreferredActivity (ComponentName admin, IntentFilter filter, ComponentName activity)
Called by a profile owner or device owner or holder of the permission
Manifest.permission.MANAGE_DEVICE_POLICY_LOCK_TASK
. to set a default activity
that the system selects to handle intents that match the given IntentFilter
instead
of showing the default disambiguation mechanism.
This activity will remain the default intent handler even if the set of potential event
handlers for the intent filter changes and if the intent preferences are reset.
Note that the target application should still declare the activity in the manifest, the API just sets the activity to be the default one to handle the given intent filter.
The default disambiguation mechanism takes over if the activity is not installed (anymore). When the activity is (re)installed, it is automatically reset as default intent handler for the filter.
Note that calling this API to set a default intent handler, only allow to avoid the default disambiguation mechanism. Implicit intents that do not trigger this mechanism (like invoking the browser) cannot be configured as they are controlled by other configurations.
The calling device admin must be a profile owner or device owner. If it is not, a security exception will be thrown.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the persistent preferred
activity policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String,
Bundle, TargetUser, PolicyUpdateResult)
will notify the admin on whether the policy was
successfully set or not. This callback will contain:
- The policy identifier
DevicePolicyIdentifiers.PERSISTENT_PREFERRED_ACTIVITY_POLICY
- The additional policy params bundle, which contains
PolicyUpdateReceiver.EXTRA_INTENT_FILTER
the intent filter the policy applies to - The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
PolicyUpdateResult)
will notify the admin of this change. This callback will contain the
same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
NOTE: Performs disk I/O and shouldn't be called on the main thread.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin.
This value may be null . |
filter |
IntentFilter : The IntentFilter for which a default handler is added. |
activity |
ComponentName : The Activity that is added as default intent handler.
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner or holder of the
permission Manifest.permission.MANAGE_DEVICE_POLICY_LOCK_TASK . |
addUserRestriction
public void addUserRestriction (ComponentName admin, String key)
Called by a profile owner, device owner or a holder of any permission that is associated with a user restriction to set a user restriction specified by the key.
The calling device admin must be a profile owner, device owner or holder of any permission that is associated with a user restriction; if it is not, a security exception will be thrown.
The profile owner of an organization-owned managed profile may invoke this method on
the DevicePolicyManager
instance it obtained from
getParentProfileInstance(android.content.ComponentName)
, for enforcing device-wide restrictions.
See the constants in UserManager
for the list of restrictions that can
be enforced device-wide. These constants will also state in their documentation which
permission is required to manage the restriction using this API.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the user restriction
policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String,
Bundle, TargetUser, PolicyUpdateResult)
will notify the admin on whether the policy was
successfully set or not. This callback will contain:
- The policy identifier returned from
DevicePolicyIdentifiers.getIdentifierForUserRestriction(String)
- The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
PolicyUpdateResult)
will notify the admin of this change. This callback will contain the
same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner and if the caller
has not been granted the permission to set the given user restriction. |
addUserRestrictionGlobally
public void addUserRestrictionGlobally (String key)
Called by a profile owner, device owner or a holder of any permission that is associated with
a user restriction to set a user restriction specified by the provided key
globally
on all users. To clear the restriction use clearUserRestriction(ComponentName, String)
.
For a given user, a restriction will be set if it was applied globally or locally by any admin.
The calling device admin must be a profile owner, device owner or a holder of any permission that is associated with a user restriction; if it is not, a security exception will be thrown.
See the constants in UserManager
for the list of restrictions that can
be enforced device-wide. These constants will also state in their documentation which
permission is required to manage the restriction using this API.
After the user restriction policy has been set,
PolicyUpdateReceiver.onPolicySetResult(Context, String, Bundle, TargetUser,
PolicyUpdateResult)
will notify the admin on whether the policy was successfully set or not.
This callback will contain:
- The policy identifier returned from
DevicePolicyIdentifiers.getIdentifierForUserRestriction(String)
- The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
PolicyUpdateResult)
will notify the admin of this change. This callback will contain the
same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner and if the
caller has not been granted the permission to set the given user restriction. |
IllegalStateException |
if caller is not targeting Android
Build.VERSION_CODES.UPSIDE_DOWN_CAKE or above. |
bindDeviceAdminServiceAsUser
public boolean bindDeviceAdminServiceAsUser (ComponentName admin, Intent serviceIntent, ServiceConnection conn, int flags, UserHandle targetUser)
Called by a device owner to bind to a service from a secondary managed user or vice versa.
See getBindDeviceAdminTargetUsers(ComponentName)
for the pre-requirements of a
device owner to bind to services of another managed user.
The service must be protected by Manifest.permission.BIND_DEVICE_ADMIN
.
Note that the Context
used to obtain this
DevicePolicyManager
instance via Context.getSystemService(Class)
will be used
to bind to the Service
.
Note: This method used to be available for communication between device owner and profile owner. However, since Android 11, this combination is not possible. This method is now only useful for communication between device owner and managed secondary users.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
serviceIntent |
Intent : Identifies the service to connect to. The Intent must specify either an
explicit component name or a package name to match an
IntentFilter published by a service.
This value cannot be null . |
conn |
ServiceConnection : Receives information as the service is started and stopped in main thread. This
must be a valid ServiceConnection object; it must not be null . |
flags |
int : Operation options for the binding operation. See
Context.bindService(Intent, ServiceConnection, int) .
Value is either 0 or a combination of Context.BIND_AUTO_CREATE , Context.BIND_DEBUG_UNBIND , Context.BIND_NOT_FOREGROUND , Context.BIND_ABOVE_CLIENT , Context.BIND_ALLOW_OOM_MANAGEMENT , Context.BIND_WAIVE_PRIORITY , Context.BIND_IMPORTANT , Context.BIND_ADJUST_WITH_ACTIVITY , Context.BIND_NOT_PERCEPTIBLE , Context.BIND_ALLOW_ACTIVITY_STARTS , Context.BIND_INCLUDE_CAPABILITIES , Context.BIND_SHARED_ISOLATED_PROCESS , Context.BIND_PACKAGE_ISOLATED_PROCESS , and Context.BIND_EXTERNAL_SERVICE |
targetUser |
UserHandle : Which user to bind to. Must be one of the users returned by
getBindDeviceAdminTargetUsers(ComponentName) , otherwise a SecurityException will
be thrown.
This value cannot be null . |
Returns | |
---|---|
boolean |
If you have successfully bound to the service, true is returned;
false is returned if the connection is not made and you will not
receive the service object. |
bindDeviceAdminServiceAsUser
public boolean bindDeviceAdminServiceAsUser (ComponentName admin, Intent serviceIntent, ServiceConnection conn, Context.BindServiceFlags flags, UserHandle targetUser)
See bindDeviceAdminServiceAsUser(android.content.ComponentName, android.content.Intent, android.content.ServiceConnection, int, android.os.UserHandle)
.
Call Context.BindServiceFlags.of(long)
to obtain a BindServiceFlags object.
Parameters | |
---|---|
admin |
ComponentName : This value cannot be null . |
serviceIntent |
Intent : This value cannot be null . |
conn |
ServiceConnection : This value cannot be null . |
flags |
Context.BindServiceFlags : This value cannot be null . |
targetUser |
UserHandle : This value cannot be null . |
Returns | |
---|---|
boolean |
canAdminGrantSensorsPermissions
public boolean canAdminGrantSensorsPermissions ()
Returns true if the caller is running on a device where an admin can grant
permissions related to device sensors.
This is a signal that the device is a fully-managed device where personal usage is
discouraged.
The list of permissions is listed in
setPermissionGrantState(android.content.ComponentName, java.lang.String, java.lang.String, int)
.
May be called by any app.
Returns | |
---|---|
boolean |
true if an admin can grant device sensors-related permissions, false otherwise. |
canUsbDataSignalingBeDisabled
public boolean canUsbDataSignalingBeDisabled ()
Returns whether enabling or disabling USB data signaling is supported on the device.
Returns | |
---|---|
boolean |
true if the device supports enabling and disabling USB data signaling. |
clearApplicationUserData
public void clearApplicationUserData (ComponentName admin, String packageName, Executor executor, DevicePolicyManager.OnClearApplicationUserDataListener listener)
Called by the device owner or profile owner to clear application user data of a given
package. The behaviour of this is equivalent to the target application calling
ActivityManager.clearApplicationUserData()
.
Note: an application can store data outside of its application data, e.g. external storage or user dictionary. This data will not be wiped by calling this API.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
packageName |
String : The name of the package which will have its user data wiped.
This value cannot be null . |
executor |
Executor : The executor through which the listener should be invoked.
This value cannot be null .
Callback and listener events are dispatched through this
Executor , providing an easy way to control which thread is
used. To dispatch events through the main thread of your
application, you can use
Context.getMainExecutor() .
Otherwise, provide an Executor that dispatches to an appropriate thread. |
listener |
DevicePolicyManager.OnClearApplicationUserDataListener : A callback object that will inform the caller when the clearing is done.
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if the caller is not the device owner/profile owner. |
clearCrossProfileIntentFilters
public void clearCrossProfileIntentFilters (ComponentName admin)
Called by a profile owner of a managed profile to remove the cross-profile intent filters that go from the managed profile to the parent, or from the parent to the managed profile. Only removes those that have been set by the profile owner.
Note: A list of default cross profile intent filters are set up by the system when
the profile is created, some of them ensure the proper functioning of the profile, while
others enable sharing of data from the parent to the managed profile for user convenience.
These default intent filters are not cleared when this API is called. If the default cross
profile data sharing is not desired, they can be disabled with
UserManager.DISALLOW_SHARE_INTO_MANAGED_PROFILE
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value may be null . |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner. |
clearDeviceOwnerApp
public void clearDeviceOwnerApp (String packageName)
This method was deprecated
in API level 26.
This method is expected to be used for testing purposes only. The device owner
will lose control of the device and its data after calling it. In order to protect any
sensitive data that remains on the device, it is advised that the device owner factory resets
the device instead of calling this method. See wipeData(int)
.
Clears the current device owner. The caller must be the device owner. This function should be used cautiously as once it is called it cannot be undone. The device owner can only be set as a part of device setup, before it completes.
While some policies previously set by the device owner will be cleared by this method, it is a best-effort process and some other policies will still remain in place after the device owner is cleared.
Parameters | |
---|---|
packageName |
String : The package name of the device owner. |
Throws | |
---|---|
SecurityException |
if the caller is not in packageName or packageName
does not own the current device owner component. |
clearPackagePersistentPreferredActivities
public void clearPackagePersistentPreferredActivities (ComponentName admin, String packageName)
Called by a profile owner or device owner or holder of the
permission Manifest.permission.MANAGE_DEVICE_POLICY_LOCK_TASK
to remove all
persistent intent handler preferences associated with the given package that were set by
addPersistentPreferredActivity(ComponentName, IntentFilter, ComponentName)
.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the persistent preferred
activity policy has been cleared, PolicyUpdateReceiver.onPolicySetResult(Context,
String, Bundle, TargetUser, PolicyUpdateResult)
will notify the admin on whether the policy
was successfully cleared or not. This callback will contain:
- The policy identifier
DevicePolicyIdentifiers.PERSISTENT_PREFERRED_ACTIVITY_POLICY
- The additional policy params bundle, which contains
PolicyUpdateReceiver.EXTRA_INTENT_FILTER
the intent filter the policy applies to - The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully cleared or the reason the policy failed to be cleared (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
PolicyUpdateResult)
will notify the admin of this change. This callback will contain the
same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin.
This value may be null . |
packageName |
String : The name of the package for which preferences are removed. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner or holder of the
permission Manifest.permission.MANAGE_DEVICE_POLICY_LOCK_TASK . |
clearProfileOwner
public void clearProfileOwner (ComponentName admin)
This method was deprecated
in API level 26.
This method is expected to be used for testing purposes only. The profile owner
will lose control of the user and its data after calling it. In order to protect any
sensitive data that remains on this user, it is advised that the profile owner deletes it
instead of calling this method. See wipeData(int)
.
Clears the active profile owner. The caller must be the profile owner of this user, otherwise a SecurityException will be thrown. This method is not available to managed profile owners.
While some policies previously set by the profile owner will be cleared by this method, it is a best-effort process and some other policies will still remain in place after the profile owner is cleared.
Parameters | |
---|---|
admin |
ComponentName : The component to remove as the profile owner.
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if admin is not an active profile owner, or the method is
being called from a managed profile. |
clearResetPasswordToken
public boolean clearResetPasswordToken (ComponentName admin)
Called by a profile, device owner or holder of the permission
Manifest.permission.MANAGE_DEVICE_POLICY_RESET_PASSWORD
to revoke the current password reset token.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, this
method has no effect - the reset token should not have been set in the first place - and
false is returned.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin.
This value may be null . |
Returns | |
---|---|
boolean |
true if the operation is successful, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner and if the caller does
not the permission Manifest.permission.MANAGE_DEVICE_POLICY_RESET_PASSWORD . |
clearUserRestriction
public void clearUserRestriction (ComponentName admin, String key)
Called by a profile owner, device owner or a holder of any permission that is associated with a user restriction to clear a user restriction specified by the key.
The calling device admin must be a profile or device owner; if it is not, a security exception will be thrown.
The profile owner of an organization-owned managed profile may invoke this method on
the DevicePolicyManager
instance it obtained from
getParentProfileInstance(android.content.ComponentName)
, for clearing device-wide restrictions.
See the constants in UserManager
for the list of restrictions. These
constants state in their documentation which permission is required to manage the restriction
using this API.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the user restriction
policy has been cleared, PolicyUpdateReceiver.onPolicySetResult(Context, String,
Bundle, TargetUser, PolicyUpdateResult)
will notify the admin on whether the policy was
successfully cleared or not. This callback will contain:
- The policy identifier returned from
DevicePolicyIdentifiers.getIdentifierForUserRestriction(String)
- The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully cleared or the reason the policy failed to be cleared (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
PolicyUpdateResult)
will notify the admin of this change. This callback will contain the
same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner and if the
caller has not been granted the permission to set the given user restriction. |
createAdminSupportIntent
public Intent createAdminSupportIntent (String restriction)
Called by any app to display a support dialog when a feature was disabled by an admin.
This returns an intent that can be used with Context.startActivity(Intent)
to
display the dialog. It will tell the user that the feature indicated by restriction
was disabled by an admin, and include a link for more information. The default content of
the dialog can be changed by the restricting admin via
setShortSupportMessage(android.content.ComponentName, java.lang.CharSequence)
. If the restriction is not
set (i.e. the feature is available), then the return value will be null
.
Parameters | |
---|---|
restriction |
String : Indicates for which feature the dialog should be displayed. Can be a
user restriction from UserManager , e.g.
UserManager.DISALLOW_ADJUST_VOLUME , or one of the constants
POLICY_DISABLE_CAMERA or POLICY_DISABLE_SCREEN_CAPTURE .
This value cannot be null . |
Returns | |
---|---|
Intent |
Intent An intent to be used to start the dialog-activity if the restriction is set by an admin, or null if the restriction does not exist or no admin set it. |
createAndManageUser
public UserHandle createAndManageUser (ComponentName admin, String name, ComponentName profileOwner, PersistableBundle adminExtras, int flags)
Called by a device owner to create a user with the specified name and a given component of
the calling package as profile owner. The UserHandle returned by this method should not be
persisted as user handles are recycled as users are removed and created. If you need to
persist an identifier for this user, use UserManager.getSerialNumberForUser
. The new
user will not be started in the background.
admin is the DeviceAdminReceiver
which is the device owner. profileOwner is also a
DeviceAdminReceiver in the same package as admin, and will become the profile owner and will
be registered as an active admin on the new user. The profile owner package will be installed
on the new user.
If the adminExtras are not null, they will be stored on the device until the user is started for the first time. Then the extras will be passed to the admin when onEnable is called.
From Build.VERSION_CODES.P
onwards, if targeting
Build.VERSION_CODES.P
, throws UserOperationException
instead of
returning null
on failure.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
name |
String : The user's name.
This value cannot be null . |
profileOwner |
ComponentName : Which DeviceAdminReceiver will be profile owner. Has to be in the
same package as admin, otherwise no user is created and an
IllegalArgumentException is thrown.
This value cannot be null . |
adminExtras |
PersistableBundle : Extras that will be passed to onEnable of the admin receiver on the new
user.
This value may be null . |
flags |
int : SKIP_SETUP_WIZARD , MAKE_USER_EPHEMERAL and
LEAVE_ALL_SYSTEM_APPS_ENABLED are supported.
Value is either 0 or a combination of SKIP_SETUP_WIZARD , MAKE_USER_EPHEMERAL , android.app.admin.DevicePolicyManager.MAKE_USER_DEMO, and LEAVE_ALL_SYSTEM_APPS_ENABLED |
Returns | |
---|---|
UserHandle |
the UserHandle object for the created user, or null if the
user could not be created. |
Throws | |
---|---|
SecurityException |
if headless device is in
DeviceAdminInfo.HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER mode. |
SecurityException |
if admin is not a device owner |
UserManager.UserOperationException |
if the user could not be created and the calling app is
targeting Build.VERSION_CODES.P and running on
Build.VERSION_CODES.P . |
See also:
enableSystemApp
public int enableSystemApp (ComponentName admin, Intent intent)
Re-enable system apps by intent that were disabled by default when the user was initialized.
This function can be called by a device owner, profile owner, or by a delegate given the
DELEGATION_ENABLE_SYSTEM_APP
scope via setDelegatedScopes(ComponentName, String, List)
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is an enable system app delegate. |
intent |
Intent : An intent matching the app(s) to be installed. All apps that resolve for this
intent will be re-enabled in the calling profile. |
Returns | |
---|---|
int |
int The number of activities that matched the intent and were installed. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
enableSystemApp
public void enableSystemApp (ComponentName admin, String packageName)
Re-enable a system app that was disabled by default when the user was initialized. This
function can be called by a device owner, profile owner, or by a delegate given the
DELEGATION_ENABLE_SYSTEM_APP
scope via setDelegatedScopes(ComponentName, String, List)
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is an enable system app delegate. |
packageName |
String : The package to be re-enabled in the calling profile. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
generateKeyPair
public AttestedKeyPair generateKeyPair (ComponentName admin, String algorithm, KeyGenParameterSpec keySpec, int idAttestationFlags)
This API can be called by the following to generate a new private/public key pair:
- Device owner
- Profile owner
- Delegated certificate installer
- Credential management app
- An app that holds the
Manifest.permission.MANAGE_DEVICE_POLICY_CERTIFICATES
permission
installKeyPair(ComponentName, PrivateKey, Certificate, String)
.
From Android Build.VERSION_CODES.S
, the credential management app
can call this API. If called by the credential management app, the componentName must be
null
. Note, there can only be a credential management app on an unmanaged device.
Because this method might take several seconds to complete, it should only be called from
a worker thread. This method returns null
when called from the main thread.
This method is not thread-safe, calling it from multiple threads at the same time will
result in undefined behavior. If the calling thread is interrupted while the invocation is
in-flight, it will eventually terminate and return null
.
Note: If the provided alias
is of an existing alias, all former grants that apps
have been given to access the key and certificates associated with this alias will be
revoked.
Attestation: to enable attestation, set an attestation challenge in keySpec
via
KeyGenParameterSpec.Builder.setAttestationChallenge
. By specifying flags to the
idAttestationFlags
parameter, it is possible to request the device's unique
identity to be included in the attestation record.
Specific identifiers can be included in the attestation record, and an individual
attestation certificate can be used to sign the attestation record. To find out if the device
supports these features, refer to isDeviceIdAttestationSupported()
and
isUniqueDeviceAttestationSupported()
.
Device owner, profile owner, their delegated certificate installer and the credential
management app can use ID_TYPE_BASE_INFO
to request inclusion of the general device
information including manufacturer, model, brand, device and product in the attestation
record.
Only device owner, profile owner on an organization-owned device or affiliated user, and
their delegated certificate installers can use ID_TYPE_SERIAL
, ID_TYPE_IMEI
and ID_TYPE_MEID
to request unique device identifiers to be attested (the serial
number, IMEI and MEID correspondingly), if supported by the device
(see isDeviceIdAttestationSupported()
).
Additionally, device owner, profile owner on an organization-owned device and their delegated
certificate installers can also request the attestation record to be signed using an
individual attestation certificate by specifying the ID_TYPE_INDIVIDUAL_ATTESTATION
flag (if supported by the device, see isUniqueDeviceAttestationSupported()
).
If any of ID_TYPE_SERIAL
, ID_TYPE_IMEI
and ID_TYPE_MEID
is set, it is implicitly assumed that ID_TYPE_BASE_INFO
is also set.
Attestation using ID_TYPE_INDIVIDUAL_ATTESTATION
can only be requested if
key generation is done in StrongBox.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is not a device admin. |
algorithm |
String : The key generation algorithm, see KeyPairGenerator .
This value cannot be null . |
keySpec |
KeyGenParameterSpec : Specification of the key to generate, see
KeyPairGenerator .
This value cannot be null . |
idAttestationFlags |
int : A bitmask of the identifiers that should be included in the
attestation record (ID_TYPE_BASE_INFO , ID_TYPE_SERIAL ,
ID_TYPE_IMEI and ID_TYPE_MEID ), and
ID_TYPE_INDIVIDUAL_ATTESTATION if the attestation record should be signed
using an individual attestation certificate.
If any flag is specified, then an attestation challenge must be included in the
|
Returns | |
---|---|
AttestedKeyPair |
A non-null AttestedKeyPair if the key generation succeeded, null otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner, or admin is null but the calling application is not a delegated
certificate installer or credential management app. If Device ID attestation is
requested (using ID_TYPE_SERIAL , ID_TYPE_IMEI or
ID_TYPE_MEID ), the caller must be the Device Owner or the Certificate
Installer delegate. |
IllegalArgumentException |
in the following cases:
|
UnsupportedOperationException |
if Device ID attestation or individual attestation was requested but the underlying hardware does not support it. |
StrongBoxUnavailableException |
if the use of StrongBox for key generation was
specified in keySpec but the device does not have one. |
getAccountTypesWithManagementDisabled
public String[] getAccountTypesWithManagementDisabled ()
Gets the array of accounts for which account management is disabled by the profile owner or device owner.
Account management can be disabled/enabled by calling
setAccountManagementDisabled(ComponentName, String, boolean)
.
This method may be called on the DevicePolicyManager
instance returned from
getParentProfileInstance(android.content.ComponentName)
. Note that only a profile owner on
an organization-owned device can affect account types on the parent profile instance.
Returns | |
---|---|
String[] |
a list of account types for which account management has been disabled.
This value may be null . |
getActiveAdmins
public List<ComponentName> getActiveAdmins ()
Return a list of all currently active device administrators' component
names. If there are no administrators null
may be
returned.
Returns | |
---|---|
List<ComponentName> |
getAffiliationIds
public Set<String> getAffiliationIds (ComponentName admin)
Returns the set of affiliation ids previously set via setAffiliationIds(ComponentName, Set)
, or an
empty set if none have been set.
Parameters | |
---|---|
admin |
ComponentName : This value cannot be null . |
Returns | |
---|---|
Set<String> |
This value cannot be null . |
getAlwaysOnVpnLockdownWhitelist
public Set<String> getAlwaysOnVpnLockdownWhitelist (ComponentName admin)
Called by device or profile owner to query the set of packages that are allowed to access
the network directly when always-on VPN is in lockdown mode but not connected. Returns
null
when always-on VPN is not active or not in lockdown mode.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
Set<String> |
Throws | |
---|---|
SecurityException |
if admin is not a device or a profile owner. |
getAlwaysOnVpnPackage
public String getAlwaysOnVpnPackage (ComponentName admin)
Called by a device or profile owner to read the name of the package administering an
always-on VPN connection for the current user. If there is no such package, or the always-on
VPN is provided by the system instead of by an application, null
will be returned.
Parameters | |
---|---|
admin |
ComponentName : This value cannot be null . |
Returns | |
---|---|
String |
Package name of VPN controller responsible for always-on VPN, or null if none
is set. |
Throws | |
---|---|
SecurityException |
if admin is not a device or a profile owner. |
getAppFunctionsPolicy
public int getAppFunctionsPolicy ()
Returns the current AppFunctionManager
policy.
The returned policy will be the current resolved policy rather than the policy set by the calling admin.
Returns | |
---|---|
int |
Value is APP_FUNCTIONS_NOT_CONTROLLED_BY_POLICY , APP_FUNCTIONS_DISABLED , or APP_FUNCTIONS_DISABLED_CROSS_PROFILE |
Throws | |
---|---|
SecurityException |
if caller is not a device owner, a profile owner or a holder
of the permission Manifest.permission.MANAGE_DEVICE_POLICY_APP_FUNCTIONS . |
getApplicationRestrictions
public Bundle getApplicationRestrictions (ComponentName admin, String packageName)
Retrieves the application restrictions for a given target application running in the calling user.
The caller must be a profile or device owner on that user, or the package allowed to manage
application restrictions via setDelegatedScopes(ComponentName, String, List)
with the
DELEGATION_APP_RESTRICTIONS
scope; otherwise a security exception will be thrown.
NOTE: The method performs disk I/O and shouldn't be called on the main thread
This method may take several seconds to complete, so it should
only be called from a worker thread.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if called by the application restrictions managing package. |
packageName |
String : The name of the package to fetch restricted settings of. |
Returns | |
---|---|
Bundle |
Bundle of settings corresponding to what was set last time
DevicePolicyManager.setApplicationRestrictions was called, or an empty
Bundle if no restrictions have been set.
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
getApplicationRestrictionsManagingPackage
public String getApplicationRestrictionsManagingPackage (ComponentName admin)
This method was deprecated
in API level 26.
From Build.VERSION_CODES.O
. Use getDelegatePackages(ComponentName, String)
with the DELEGATION_APP_RESTRICTIONS
scope instead.
Called by a profile owner or device owner to retrieve the application restrictions managing
package for the current user, or null
if none is set. If there are multiple
delegates this function will return one of them.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
String |
The package name allowed to manage application restrictions on the current user, or
null if none is set. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
getAutoTimeEnabled
public boolean getAutoTimeEnabled (ComponentName admin)
Returns true if auto time is enabled on the device.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin.
This value may be null . |
Returns | |
---|---|
boolean |
true if auto time is enabled on the device. |
Throws | |
---|---|
SecurityException |
if caller is not a device owner, a profile owner for the primary user, or a profile owner of an organization-owned managed profile. |
getAutoTimePolicy
public int getAutoTimePolicy ()
Returns current auto time policy's state.
Returns | |
---|---|
int |
One of AUTO_TIME_ENABLED if enabled, AUTO_TIME_DISABLED if disabled
and AUTO_TIME_NOT_CONTROLLED_BY_POLICY if it's not controlled by
policy.
Value is AUTO_TIME_NOT_CONTROLLED_BY_POLICY , AUTO_TIME_DISABLED , or AUTO_TIME_ENABLED |
Throws | |
---|---|
SecurityException |
if caller is not a device owner, a profile owner for the primary user, or a profile owner of an organization-owned managed profile, or if the caller does not hold the required permission. |
getAutoTimeRequired
public boolean getAutoTimeRequired ()
This method was deprecated
in API level 30.
From Build.VERSION_CODES.R
. Use getAutoTimeEnabled(ComponentName)
Returns | |
---|---|
boolean |
true if auto time is required. |
getAutoTimeZoneEnabled
public boolean getAutoTimeZoneEnabled (ComponentName admin)
Returns true if auto time zone is enabled on the device.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin.
This value may be null . |
Returns | |
---|---|
boolean |
true if auto time zone is enabled on the device. |
Throws | |
---|---|
SecurityException |
if caller is not a device owner, a profile owner for the primary user, or a profile owner of an organization-owned managed profile. |
getAutoTimeZonePolicy
public int getAutoTimeZonePolicy ()
Returns auto time zone policy's current state.
Returns | |
---|---|
int |
One of AUTO_TIME_ZONE_ENABLED if enabled, AUTO_TIME_ZONE_DISABLED
if disabled and AUTO_TIME_ZONE_NOT_CONTROLLED_BY_POLICY if the state is not
controlled by policy.
Value is AUTO_TIME_ZONE_NOT_CONTROLLED_BY_POLICY , AUTO_TIME_ZONE_DISABLED , or AUTO_TIME_ZONE_ENABLED |
Throws | |
---|---|
SecurityException |
if caller is not a device owner, a profile owner for the primary user, or a profile owner of an organization-owned managed profile, or if the caller does not hold the required permission. |
getBindDeviceAdminTargetUsers
public List<UserHandle> getBindDeviceAdminTargetUsers (ComponentName admin)
Returns the list of target users that the calling device owner or owner of secondary user
can use when calling bindDeviceAdminServiceAsUser(ComponentName, Intent, ServiceConnection, BindServiceFlags, UserHandle)
.
A device owner can bind to a service from a secondary managed user and vice versa, provided
that both users are affiliated. See setAffiliationIds(ComponentName, Set)
.
Parameters | |
---|---|
admin |
ComponentName : This value cannot be null . |
Returns | |
---|---|
List<UserHandle> |
This value cannot be null . |
getBluetoothContactSharingDisabled
public boolean getBluetoothContactSharingDisabled (ComponentName admin)
Called by a profile owner of a managed profile to determine whether or not Bluetooth devices cannot access enterprise contacts.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
This API works on managed profile only.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
boolean |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner. |
getCameraDisabled
public boolean getCameraDisabled (ComponentName admin)
Determine whether or not the device's cameras have been disabled for this user, either by the calling admin, if specified, or all admins.
This method can be called on the DevicePolicyManager
instance,
returned by getParentProfileInstance(android.content.ComponentName)
, where the caller must be
the profile owner of an organization-owned managed profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to check whether any
admins have disabled the camera |
Returns | |
---|---|
boolean |
getCertInstallerPackage
public String getCertInstallerPackage (ComponentName admin)
This method was deprecated
in API level 26.
From Build.VERSION_CODES.O
. Use getDelegatePackages(ComponentName, String)
with the DELEGATION_CERT_INSTALL
scope instead.
Called by a profile owner or device owner to retrieve the certificate installer for the user,
or null
if none is set. If there are multiple delegates this function will return one
of them.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
String |
The package name of the current delegated certificate installer, or null if
none is set. |
Throws | |
---|---|
SecurityException |
if admin is not a device or a profile owner. |
getContentProtectionPolicy
public int getContentProtectionPolicy (ComponentName admin)
Returns the current content protection policy.
The returned policy will be the current resolved policy rather than the policy set by the calling admin.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin.
This value may be null . |
Returns | |
---|---|
int |
Value is CONTENT_PROTECTION_NOT_CONTROLLED_BY_POLICY , CONTENT_PROTECTION_DISABLED , or CONTENT_PROTECTION_ENABLED |
Throws | |
---|---|
SecurityException |
if admin is not the device owner, the profile owner of an
affiliated user or profile, or the profile owner when no device owner is set or holder of the
permission Manifest.permission.MANAGE_DEVICE_POLICY_CONTENT_PROTECTION . |
getCredentialManagerPolicy
public PackagePolicy getCredentialManagerPolicy ()
Called by a device owner or profile owner of a managed profile to retrieve the credential manager policy.
Returns | |
---|---|
PackagePolicy |
the current credential manager policy if null then this policy has not been configured. |
Throws | |
---|---|
SecurityException |
if caller is not a device owner or profile owner of a managed profile. |
getCrossProfileCalendarPackages
public Set<String> getCrossProfileCalendarPackages (ComponentName admin)
This method was deprecated
in API level 34.
Use setCrossProfilePackages(android.content.ComponentName, java.util.Set)
.
Gets a set of package names that are allowed to access cross-profile calendar APIs.
Called by a profile owner of a managed profile.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated with
This value cannot be null . |
Returns | |
---|---|
Set<String> |
the set of names of packages that were previously allowed via
setCrossProfileCalendarPackages(android.content.ComponentName, java.util.Set) , or an
empty set if none have been allowed
This value may be null . |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner |
getCrossProfileCallerIdDisabled
public boolean getCrossProfileCallerIdDisabled (ComponentName admin)
This method was deprecated
in API level 34.
starting with Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, use
getManagedProfileCallerIdAccessPolicy()
instead
Called by a profile owner of a managed profile to determine whether or not caller-Id information has been disabled.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
Starting with Build.VERSION_CODES.UPSIDE_DOWN_CAKE
,
this will return true when
setManagedProfileCallerIdAccessPolicy(android.app.admin.PackagePolicy)
has been set with a non-null policy whose policy type is NOT
PackagePolicy.PACKAGE_POLICY_BLOCKLIST
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
boolean |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner. |
getCrossProfileContactsSearchDisabled
public boolean getCrossProfileContactsSearchDisabled (ComponentName admin)
This method was deprecated
in API level 34.
From Build.VERSION_CODES.UPSIDE_DOWN_CAKE
use
getManagedProfileContactsAccessPolicy()
Called by a profile owner of a managed profile to determine whether or not contacts search has been disabled.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
Starting with Build.VERSION_CODES.UPSIDE_DOWN_CAKE
,
this will return true when
setManagedProfileContactsAccessPolicy(android.app.admin.PackagePolicy)
has been set with a non-null policy whose policy type is NOT
PackagePolicy.PACKAGE_POLICY_BLOCKLIST
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
boolean |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner. |
getCrossProfilePackages
public Set<String> getCrossProfilePackages (ComponentName admin)
Returns the set of package names that the admin has previously set as allowed to request user
consent for cross-profile communication, via setCrossProfilePackages(android.content.ComponentName, java.util.Set)
.
Assumes that the caller is a profile owner and is the given admin
.
Note that other apps not included in the returned set may be able to request user consent for cross-profile communication if they have been explicitly allowlisted by the OEM.
Parameters | |
---|---|
admin |
ComponentName : the DeviceAdminReceiver this request is associated with
This value cannot be null . |
Returns | |
---|---|
Set<String> |
the set of package names the admin has previously set as allowed to request user
consent for cross-profile communication, via setCrossProfilePackages(android.content.ComponentName, java.util.Set)
This value cannot be null . |
getCrossProfileWidgetProviders
public List<String> getCrossProfileWidgetProviders (ComponentName admin)
Called by the profile owner of a managed profile or a holder of the permission
Manifest.permission.MANAGE_DEVICE_POLICY_PROFILE_INTERACTION
to query
providers from which packages are available in the parent profile.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin.
This value may be null . |
Returns | |
---|---|
List<String> |
The allowlisted package list.
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner and not a holder of the
permission Manifest.permission.MANAGE_DEVICE_POLICY_PROFILE_INTERACTION . |
getCurrentFailedPasswordAttempts
public int getCurrentFailedPasswordAttempts ()
Retrieve the number of times the user has failed at entering a password since that last successful password entry.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(android.content.ComponentName)
in order to retrieve the number of failed
password attemts for the parent user.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_WATCH_LOGIN
to be able to call this method; if it has not, a security exception will be thrown.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the
password is always empty and this method always returns 0.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Returns | |
---|---|
int |
The number of times user has entered an incorrect password since the last correct password entry. |
Throws | |
---|---|
SecurityException |
if the calling application does not own an active administrator
that uses DeviceAdminInfo.USES_POLICY_WATCH_LOGIN |
getDelegatePackages
public List<String> getDelegatePackages (ComponentName admin, String delegationScope)
Called by a profile owner or device owner to retrieve a list of delegate packages that were granted a delegation scope.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
delegationScope |
String : The scope whose delegates should be retrieved.
This value cannot be null . |
Returns | |
---|---|
List<String> |
A list of package names of the current delegated packages for
delegationScope .
This value may be null . |
Throws | |
---|---|
SecurityException |
if admin is not a device or a profile owner. |
getDelegatedScopes
public List<String> getDelegatedScopes (ComponentName admin, String delegatedPackage)
Called by a profile owner or device owner to retrieve a list of the scopes given to a
delegate package. Other apps can use this method to retrieve their own delegated scopes by
passing null
for admin
and their own package name as
delegatedPackage
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is delegatedPackage . |
delegatedPackage |
String : The package name of the app whose scopes should be retrieved.
This value cannot be null . |
Returns | |
---|---|
List<String> |
A list containing the scopes given to delegatedPackage . |
Throws | |
---|---|
SecurityException |
if admin is not a device or a profile owner. |
getDeviceOwnerLockScreenInfo
public CharSequence getDeviceOwnerLockScreenInfo ()
Returns | |
---|---|
CharSequence |
The device owner information. If it is not set returns null . |
getDevicePolicyManagementRoleHolderPackage
public String getDevicePolicyManagementRoleHolderPackage ()
Returns the package name of the device policy management role holder.
If the device policy management role holder is not configured for this device, returns
null
.
Returns | |
---|---|
String |
getEndUserSessionMessage
public CharSequence getEndUserSessionMessage (ComponentName admin)
Returns the user session end message.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
CharSequence |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
getEnrollmentSpecificId
public String getEnrollmentSpecificId ()
Returns an enrollment-specific identifier of this device, which is guaranteed to be the same
value for the same device, enrolled into the same organization by the same managing app.
This identifier is high-entropy, useful for uniquely identifying individual devices within
the same organisation.
It is available both in a work profile and on a fully-managed device.
The identifier would be consistent even if the work profile is removed and enrolled again
(to the same organization), or the device is factory reset and re-enrolled.
Can only be called by the Profile Owner and Device Owner, and starting from Android
Build.VERSION_CODES.VANILLA_ICE_CREAM
, holders of the permission
Manifest.permission.MANAGE_DEVICE_POLICY_CERTIFICATES
.
If setOrganizationId(java.lang.String)
was not called, then the returned value will be an
empty string.
Note about access to device identifiers: a device owner, a profile owner of an
organization-owned device or the delegated certificate installer (holding the
DELEGATION_CERT_INSTALL
delegation) on such a device can still obtain hardware
identifiers by calling e.g. Build.getSerial()
, in addition to using
this method. However, a profile owner on a personal (non organization-owned) device, or the
delegated certificate installer on such a device, cannot obtain hardware identifiers anymore
and must switch to using this method.
Returns | |
---|---|
String |
A stable, enrollment-specific identifier.
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if the caller is not a profile owner, device owner or holding the
Manifest.permission.MANAGE_DEVICE_POLICY_CERTIFICATES permission |
getFactoryResetProtectionPolicy
public FactoryResetProtectionPolicy getFactoryResetProtectionPolicy (ComponentName admin)
Callable by device owner or profile owner of an organization-owned device, to retrieve
the current factory reset protection (FRP) policy set previously by
setFactoryResetProtectionPolicy(ComponentName, FactoryResetProtectionPolicy)
.
This method can also be called by the FRP management agent on device or with the permission
Manifest.permission.MASTER_CLEAR
, in which case, it can pass null
as the ComponentName.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with or
null if the caller is not a device admin |
Returns | |
---|---|
FactoryResetProtectionPolicy |
The current FRP policy object or null if no policy is set. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner, a profile owner of
an organization-owned device or the FRP management agent. |
UnsupportedOperationException |
if factory reset protection is not supported on the device. |
getGlobalPrivateDnsHost
public String getGlobalPrivateDnsHost (ComponentName admin)
Returns the system-wide Private DNS host.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
String |
The hostname used for Private DNS queries, null if none is set. |
Throws | |
---|---|
SecurityException |
if the caller is not the device owner. |
getGlobalPrivateDnsMode
public int getGlobalPrivateDnsMode (ComponentName admin)
Returns the system-wide Private DNS mode.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
int |
one of PRIVATE_DNS_MODE_OFF , PRIVATE_DNS_MODE_OPPORTUNISTIC ,
PRIVATE_DNS_MODE_PROVIDER_HOSTNAME or PRIVATE_DNS_MODE_UNKNOWN . |
Throws | |
---|---|
SecurityException |
if the caller is not the device owner. |
getInstalledCaCerts
public List<byte[]> getInstalledCaCerts (ComponentName admin)
Returns all CA certificates that are currently trusted, excluding system CA certificates. If a user has installed any certificates by other means than device policy these will be included too.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate installer. |
Returns | |
---|---|
List<byte[]> |
a List of byte[] arrays, each encoding one user CA certificate.
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner. |
getKeepUninstalledPackages
public List<String> getKeepUninstalledPackages (ComponentName admin)
Get the list of apps to keep around as APKs even if no user has currently installed it. This
function can be called by a device owner or by a delegate given the
DELEGATION_KEEP_UNINSTALLED_PACKAGES
scope via setDelegatedScopes(ComponentName, String, List)
.
Please note that packages returned in this method are not automatically pre-cached.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is a keep uninstalled packages delegate. |
Returns | |
---|---|
List<String> |
List of package names to keep cached.
This value may be null . |
getKeyPairGrants
public Map<Integer, Set<String>> getKeyPairGrants (String alias)
Called by a device or profile owner, or delegated certificate chooser (an app that has been
delegated the DELEGATION_CERT_SELECTION
privilege), to query which apps have access
to a given KeyChain key.
Key are granted on a per-UID basis, so if several apps share the same UID, granting access to
one of them automatically grants it to others. This method returns a map containing one entry
per grantee UID. Entries have UIDs as keys and sets of corresponding package names as values.
In particular, grantee packages that don't share UID with other packages are represented by
entries having singleton sets as values.
Parameters | |
---|---|
alias |
String : The alias of the key to grant access to.
This value cannot be null . |
Returns | |
---|---|
Map<Integer, Set<String>> |
apps that have access to a given key, arranged in a map from UID to sets of
package names.
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if the caller is not a device owner, a profile owner or delegated certificate chooser. |
IllegalArgumentException |
if alias doesn't correspond to an existing key. |
getKeyguardDisabledFeatures
public int getKeyguardDisabledFeatures (ComponentName admin)
Determine whether or not features have been disabled in keyguard either by the calling admin, if specified, or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to check whether any
admins have disabled features in keyguard. |
Returns | |
---|---|
int |
bitfield of flags. See setKeyguardDisabledFeatures(android.content.ComponentName, int)
for a list. |
getLockTaskFeatures
public int getLockTaskFeatures (ComponentName admin)
Gets which system features are enabled for LockTask mode.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, the returned policy will be the
current resolved policy rather than the policy set by the calling admin.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin.
This value may be null . |
Returns | |
---|---|
int |
bitfield of flags. See setLockTaskFeatures(android.content.ComponentName, int) for a list.
Value is either 0 or a combination of LOCK_TASK_FEATURE_NONE , LOCK_TASK_FEATURE_SYSTEM_INFO , LOCK_TASK_FEATURE_NOTIFICATIONS , LOCK_TASK_FEATURE_HOME , LOCK_TASK_FEATURE_OVERVIEW , LOCK_TASK_FEATURE_GLOBAL_ACTIONS , LOCK_TASK_FEATURE_KEYGUARD , and LOCK_TASK_FEATURE_BLOCK_ACTIVITY_START_IN_TASK |
Throws | |
---|---|
SecurityException |
if admin is not the device owner, the profile owner of an
affiliated user or profile, or the profile owner when no device owner is set or holder of the
permission Manifest.permission.MANAGE_DEVICE_POLICY_LOCK_TASK . |
getLockTaskPackages
public String[] getLockTaskPackages (ComponentName admin)
Returns the list of packages allowed to start the lock task mode.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, the returned policy will be the
current resolved policy rather than the policy set by the calling admin.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin.
This value may be null . |
Returns | |
---|---|
String[] |
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if admin is not the device owner, the profile owner of an
affiliated user or profile, or the profile owner when no device owner is set or holder of the
permission Manifest.permission.MANAGE_DEVICE_POLICY_LOCK_TASK . |
getLongSupportMessage
public CharSequence getLongSupportMessage (ComponentName admin)
Called by a device admin to get the long support message.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
CharSequence |
The message set by setLongSupportMessage(android.content.ComponentName, java.lang.CharSequence) or
null if no message has been set. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator. |
getManagedProfileCallerIdAccessPolicy
public PackagePolicy getManagedProfileCallerIdAccessPolicy ()
Called by a profile owner of a managed profile to retrieve the caller id policy.
The calling device admin must be a profile owner of a managed profile.
If it is not, a SecurityException
will be thrown.
Returns | |
---|---|
PackagePolicy |
the current caller id policy
This value may be null . |
Throws | |
---|---|
SecurityException |
if caller is not a profile owner of a managed profile. |
getManagedProfileContactsAccessPolicy
public PackagePolicy getManagedProfileContactsAccessPolicy ()
Called by a profile owner of a managed profile to determine the current policy applied to managed profile contacts.
The calling device admin must be a profile owner of a managed profile.
If it is not, a SecurityException
will be thrown.
Returns | |
---|---|
PackagePolicy |
the current contacts search policy
This value may be null . |
Throws | |
---|---|
SecurityException |
if caller is not a profile owner of a managed profile. |
getManagedProfileMaximumTimeOff
public long getManagedProfileMaximumTimeOff (ComponentName admin)
Called by a profile owner of an organization-owned managed profile to get maximum time the profile is allowed to be turned off.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with
This value cannot be null . |
Returns | |
---|---|
long |
Maximum time the profile is allowed to be off in milliseconds or 0 if not limited. |
getManagedSubscriptionsPolicy
public ManagedSubscriptionsPolicy getManagedSubscriptionsPolicy ()
Returns the current ManagedSubscriptionsPolicy
.
If the policy has not been set, it will return a default policy of Type ManagedSubscriptionsPolicy.TYPE_ALL_PERSONAL_SUBSCRIPTIONS
.
Returns | |
---|---|
ManagedSubscriptionsPolicy |
This value cannot be null . |
getMaximumFailedPasswordsForWipe
public int getMaximumFailedPasswordsForWipe (ComponentName admin)
Retrieve the current maximum number of login attempts that are allowed before the device or profile is wiped, for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
the value for the parent profile.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the
password is always empty and this method returns a default value (0) indicating that the
policy is not set.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate
all admins. |
Returns | |
---|---|
int |
getMaximumTimeToLock
public long getMaximumTimeToLock (ComponentName admin)
Retrieve the current maximum time to unlock for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate
all admins. |
Returns | |
---|---|
long |
time in milliseconds for the given admin or the minimum value (strictest) of all admins if admin is null. Returns 0 if there are no restrictions. |
getMeteredDataDisabledPackages
public List<String> getMeteredDataDisabledPackages (ComponentName admin)
Called by a device or profile owner to retrieve the list of packages which are restricted by the admin from using metered data.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
List<String> |
the list of restricted package names.
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
getMinimumRequiredWifiSecurityLevel
public int getMinimumRequiredWifiSecurityLevel ()
Returns the current Wi-Fi minimum security level.
Returns | |
---|---|
int |
Value is WIFI_SECURITY_OPEN , WIFI_SECURITY_PERSONAL , WIFI_SECURITY_ENTERPRISE_EAP , or WIFI_SECURITY_ENTERPRISE_192 |
See also:
getMtePolicy
public int getMtePolicy ()
Called by a device owner, profile owner of an organization-owned device to get the Memory Tagging Extension (MTE) policy Learn more about MTE
Returns | |
---|---|
int |
the currently set MTE policy
Value is MTE_ENABLED , MTE_DISABLED , or MTE_NOT_CONTROLLED_BY_POLICY |
Throws | |
---|---|
SecurityException |
if caller is not permitted to set Mte policy |
getNearbyAppStreamingPolicy
public int getNearbyAppStreamingPolicy ()
Returns the current runtime nearby app streaming policy set by the device or profile owner.
The caller must be the target user's device owner/profile owner or hold the
READ_NEARBY_STREAMING_POLICY
permission.
Returns | |
---|---|
int |
Value is NEARBY_STREAMING_NOT_CONTROLLED_BY_POLICY , NEARBY_STREAMING_DISABLED , NEARBY_STREAMING_ENABLED , or NEARBY_STREAMING_SAME_MANAGED_ACCOUNT_ONLY |
getNearbyNotificationStreamingPolicy
public int getNearbyNotificationStreamingPolicy ()
Returns the current runtime nearby notification streaming policy set by the device or profile owner.
The caller must be the target user's device owner/profile owner or hold the
READ_NEARBY_STREAMING_POLICY
permission.
Returns | |
---|---|
int |
Value is NEARBY_STREAMING_NOT_CONTROLLED_BY_POLICY , NEARBY_STREAMING_DISABLED , NEARBY_STREAMING_ENABLED , or NEARBY_STREAMING_SAME_MANAGED_ACCOUNT_ONLY |
getOrganizationColor
public int getOrganizationColor (ComponentName admin)
This method was deprecated
in API level 31.
From Build.VERSION_CODES.R
, the organization color is never
used as the background color of the confirm credentials screen.
Called by a profile owner of a managed profile to retrieve the color used for customization. This color is used as background color of the confirm credentials screen for that user.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
int |
The 24bit (0xRRGGBB) representation of the color to be used. |
Throws | |
---|---|
SecurityException |
if admin is not a profile owner. |
getOrganizationName
public CharSequence getOrganizationName (ComponentName admin)
Called by the device owner (since API 26) or profile owner (since API 24) or holders of the permission {@link android.Manifest.permission#MANAGE_DEVICE_POLICY_ORGANIZATION_IDENTITY to retrieve the name of the organization under management.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin. |
Returns | |
---|---|
CharSequence |
The organization name or null if none is set. |
Throws | |
---|---|
SecurityException |
if admin if admin is not a device or profile
owner or holder of the
permission Manifest.permission.MANAGE_DEVICE_POLICY_ORGANIZATION_IDENTITY . |
getOverrideApns
public List<ApnSetting> getOverrideApns (ComponentName admin)
Called by device owner or managed profile owner to get all override APNs inserted by
device owner or managed profile owner previously using addOverrideApn(ComponentName, ApnSetting)
.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated with
This value cannot be null . |
Returns | |
---|---|
List<ApnSetting> |
A list of override APNs inserted by device owner. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
getParentProfileInstance
public DevicePolicyManager getParentProfileInstance (ComponentName admin)
Called by the profile owner of a managed profile or other apps in a managed profile to
obtain a DevicePolicyManager
whose calls act on the parent profile.
The following methods are supported for the parent instance, all other methods will throw a SecurityException when called on the parent instance:
getPasswordQuality(ComponentName)
setPasswordQuality(ComponentName, int)
getPasswordMinimumLength(ComponentName)
setPasswordMinimumLength(ComponentName, int)
getPasswordMinimumUpperCase(ComponentName)
setPasswordMinimumUpperCase(ComponentName, int)
getPasswordMinimumLowerCase(ComponentName)
setPasswordMinimumLowerCase(ComponentName, int)
getPasswordMinimumLetters(ComponentName)
setPasswordMinimumLetters(ComponentName, int)
getPasswordMinimumNumeric(ComponentName)
setPasswordMinimumNumeric(ComponentName, int)
getPasswordMinimumSymbols(ComponentName)
setPasswordMinimumSymbols(ComponentName, int)
getPasswordMinimumNonLetter(ComponentName)
setPasswordMinimumNonLetter(ComponentName, int)
getPasswordHistoryLength(ComponentName)
setPasswordHistoryLength(ComponentName, int)
getPasswordExpirationTimeout(ComponentName)
setPasswordExpirationTimeout(ComponentName, long)
getPasswordExpiration(ComponentName)
getPasswordMaximumLength(int)
isActivePasswordSufficient()
getCurrentFailedPasswordAttempts()
getMaximumFailedPasswordsForWipe(ComponentName)
setMaximumFailedPasswordsForWipe(ComponentName, int)
getMaximumTimeToLock(ComponentName)
setMaximumTimeToLock(ComponentName, long)
lockNow()
getKeyguardDisabledFeatures(ComponentName)
setKeyguardDisabledFeatures(ComponentName, int)
getTrustAgentConfiguration(ComponentName, ComponentName)
setTrustAgentConfiguration(ComponentName, ComponentName, PersistableBundle)
getRequiredStrongAuthTimeout(ComponentName)
setRequiredStrongAuthTimeout(ComponentName, long)
getAccountTypesWithManagementDisabled()
setRequiredPasswordComplexity(int)
getRequiredPasswordComplexity()
The following methods are supported for the parent instance but can only be called by the profile owner on an organization owned managed profile:
getPasswordComplexity()
setCameraDisabled(ComponentName, boolean)
getCameraDisabled(ComponentName)
setAccountManagementDisabled(android.content.ComponentName, java.lang.String, boolean)
setPermittedInputMethods(ComponentName, List)
getPermittedInputMethods(ComponentName)
wipeData(int)
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with or
null if the caller is not a profile owner. |
Returns | |
---|---|
DevicePolicyManager |
a new instance of DevicePolicyManager that acts on the parent profile.
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if the current user is not a managed profile. |
getPasswordComplexity
public int getPasswordComplexity ()
Returns how complex the current user's screen lock is.
Note that when called from a profile which uses an unified challenge with its parent, the screen lock complexity of the parent will be returned.
Apps need the permission.REQUEST_PASSWORD_COMPLEXITY
permission to call this
method. On Android Build.VERSION_CODES.S
and above, the calling
application does not need this permission if it is a device owner or a profile owner.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
restrictions on the parent profile.
Returns | |
---|---|
int |
Value is PASSWORD_COMPLEXITY_NONE , PASSWORD_COMPLEXITY_LOW , PASSWORD_COMPLEXITY_MEDIUM , or PASSWORD_COMPLEXITY_HIGH |
Throws | |
---|---|
IllegalStateException |
if the user is not unlocked. |
SecurityException |
if the calling application does not have the permission
permission.REQUEST_PASSWORD_COMPLEXITY , and is not a
device owner or a profile owner. |
getPasswordExpiration
public long getPasswordExpiration (ComponentName admin)
Get the current password expiration time for a particular admin or all admins that set
restrictions on this user and its participating profiles. Restrictions on profiles that have
a separate challenge are not taken into account. If admin is null
, then a composite
of all expiration times is returned - which will be the minimum of all of them.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
the password expiration for the parent profile.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the
password expiration is always disabled and this method always returns 0.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate all admins. |
Returns | |
---|---|
long |
The password expiration time, in milliseconds since epoch. |
getPasswordExpirationTimeout
public long getPasswordExpirationTimeout (ComponentName admin)
Get the password expiration timeout for the given admin. The expiration timeout is the
recurring expiration timeout provided in the call to
setPasswordExpirationTimeout(android.content.ComponentName, long)
for the given admin or the
aggregate of all participating policy administrators if admin
is null. Admins that
have set restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
restrictions on the parent profile.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the
password expiration is always disabled and this method always returns 0.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate all admins. |
Returns | |
---|---|
long |
The timeout for the given admin or the minimum of all timeouts |
getPasswordHistoryLength
public int getPasswordHistoryLength (ComponentName admin)
Retrieve the current password history length for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
restrictions on the parent profile.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the
password history length is always 0.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate
all admins. |
Returns | |
---|---|
int |
The length of the password history |
getPasswordMaximumLength
public int getPasswordMaximumLength (int quality)
Return the maximum password length that the device supports for a particular password quality.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the
password is always empty and this method always returns 0.
Parameters | |
---|---|
quality |
int : The quality being interrogated. |
Returns | |
---|---|
int |
Returns the maximum length that the user can enter. |
getPasswordMinimumLength
public int getPasswordMinimumLength (ComponentName admin)
This method was deprecated
in API level 31.
see setPasswordQuality(android.content.ComponentName, int)
for details.
Retrieve the current minimum password length for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the
password is always treated as empty.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate
all admins. |
Returns | |
---|---|
int |
getPasswordMinimumLetters
public int getPasswordMinimumLetters (ComponentName admin)
This method was deprecated
in API level 31.
see setPasswordQuality(android.content.ComponentName, int)
for details.
Retrieve the current number of letters required in the password
for a particular admin or all admins that set restrictions on this user
and its participating profiles. Restrictions on profiles that have
a separate challenge are not taken into account.
This is the same value as set by
setPasswordMinimumLetters(android.content.ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the
password is always treated as empty.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to
aggregate all admins. |
Returns | |
---|---|
int |
The minimum number of letters required in the password. |
getPasswordMinimumLowerCase
public int getPasswordMinimumLowerCase (ComponentName admin)
This method was deprecated
in API level 31.
see setPasswordQuality(android.content.ComponentName, int)
for details.
Retrieve the current number of lower case letters required in the password
for a particular admin or all admins that set restrictions on this user
and its participating profiles. Restrictions on profiles that have
a separate challenge are not taken into account.
This is the same value as set by
setPasswordMinimumLowerCase(android.content.ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the
password is always treated as empty.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to
aggregate all admins. |
Returns | |
---|---|
int |
The minimum number of lower case letters required in the password. |
getPasswordMinimumNonLetter
public int getPasswordMinimumNonLetter (ComponentName admin)
This method was deprecated
in API level 31.
see setPasswordQuality(android.content.ComponentName, int)
for details.
Retrieve the current number of non-letter characters required in the password
for a particular admin or all admins that set restrictions on this user
and its participating profiles. Restrictions on profiles that have
a separate challenge are not taken into account.
This is the same value as set by
setPasswordMinimumNonLetter(android.content.ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the
password is always treated as empty.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to
aggregate all admins. |
Returns | |
---|---|
int |
The minimum number of letters required in the password. |
getPasswordMinimumNumeric
public int getPasswordMinimumNumeric (ComponentName admin)
This method was deprecated
in API level 31.
see setPasswordQuality(android.content.ComponentName, int)
for details.
Retrieve the current number of numerical digits required in the password
for a particular admin or all admins that set restrictions on this user
and its participating profiles. Restrictions on profiles that have
a separate challenge are not taken into account.
This is the same value as set by
setPasswordMinimumNumeric(android.content.ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the
password is always treated as empty.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to
aggregate all admins. |
Returns | |
---|---|
int |
The minimum number of numerical digits required in the password. |
getPasswordMinimumSymbols
public int getPasswordMinimumSymbols (ComponentName admin)
This method was deprecated
in API level 31.
see setPasswordQuality(android.content.ComponentName, int)
for details.
Retrieve the current number of symbols required in the password
for a particular admin or all admins that set restrictions on this user
and its participating profiles. Restrictions on profiles that have
a separate challenge are not taken into account. This is the same value as
set by setPasswordMinimumSymbols(android.content.ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the
password is always treated as empty.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to
aggregate all admins. |
Returns | |
---|---|
int |
The minimum number of symbols required in the password. |
getPasswordMinimumUpperCase
public int getPasswordMinimumUpperCase (ComponentName admin)
This method was deprecated
in API level 31.
see setPasswordQuality(android.content.ComponentName, int)
for details.
Retrieve the current number of upper case letters required in the password
for a particular admin or all admins that set restrictions on this user and
its participating profiles. Restrictions on profiles that have a separate challenge
are not taken into account.
This is the same value as set by
setPasswordMinimumUpperCase(android.content.ComponentName, int)
and only applies when the password quality is
PASSWORD_QUALITY_COMPLEX
.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the
password is always treated as empty.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to
aggregate all admins. |
Returns | |
---|---|
int |
The minimum number of upper case letters required in the password. |
getPasswordQuality
public int getPasswordQuality (ComponentName admin)
This method was deprecated
in API level 31.
see setPasswordQuality(android.content.ComponentName, int)
for details.
Retrieve the current minimum password quality for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
restrictions on the parent profile.
Note: on devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature,
the password is always treated as empty.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate
all admins. |
Returns | |
---|---|
int |
getPendingSystemUpdate
public SystemUpdateInfo getPendingSystemUpdate (ComponentName admin)
Get information about a pending system update.
Can be called by device or profile owners, and starting from Android
Build.VERSION_CODES.VANILLA_ICE_CREAM
, holders of the permission
Manifest.permission.MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES
.
Parameters | |
---|---|
admin |
ComponentName : Which profile or device owner this request is associated with.
This value may be null . |
Returns | |
---|---|
SystemUpdateInfo |
Information about a pending system update or null if no update pending. |
Throws | |
---|---|
SecurityException |
if admin is not a device, profile owner or holders of
Manifest.permission.MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES . |
getPermissionGrantState
public int getPermissionGrantState (ComponentName admin, String packageName, String permission)
Returns the current grant state of a runtime permission for a specific application. This
function can be called by a device owner, profile owner, or by a delegate given the
DELEGATION_PERMISSION_GRANT
scope via setDelegatedScopes(ComponentName, String, List)
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin.
This value may be null . |
packageName |
String : The application to check the grant state for.
This value cannot be null . |
permission |
String : The permission to check for.
This value cannot be null . |
Returns | |
---|---|
int |
the current grant state specified by device policy. If admins have not set a grant
has not set a grant state, the return value is
PERMISSION_GRANT_STATE_DEFAULT . This does not indicate whether or not the
permission is currently granted for the package.
If a grant state was set by the profile or device owner, then the return value will
be one of PERMISSION_GRANT_STATE_DENIED or
PERMISSION_GRANT_STATE_GRANTED , which indicates if the permission is
currently denied or granted.
Value is PERMISSION_GRANT_STATE_DEFAULT , PERMISSION_GRANT_STATE_GRANTED , or PERMISSION_GRANT_STATE_DENIED |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
getPermissionPolicy
public int getPermissionPolicy (ComponentName admin)
Returns the current runtime permission policy set by the device or profile owner. The
default is PERMISSION_POLICY_PROMPT
.
Parameters | |
---|---|
admin |
ComponentName : Which profile or device owner this request is associated with. |
Returns | |
---|---|
int |
the current policy for future permission requests. |
getPermittedAccessibilityServices
public List<String> getPermittedAccessibilityServices (ComponentName admin)
Returns the list of permitted accessibility services set by this device or profile owner.
An empty list means no accessibility services except system services are allowed.
null
means all accessibility services are allowed.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
List<String> |
List of accessiblity service package names. |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
getPermittedCrossProfileNotificationListeners
public List<String> getPermittedCrossProfileNotificationListeners (ComponentName admin)
Returns the list of packages installed on the primary user that allowed to use a
NotificationListenerService
to receive
notifications from this managed profile, as set by the profile owner.
An empty list means no notification listener services except system ones are allowed.
A null
return value indicates that all notification listeners are allowed.
Parameters | |
---|---|
admin |
ComponentName : This value cannot be null . |
Returns | |
---|---|
List<String> |
getPermittedInputMethods
public List<String> getPermittedInputMethods (ComponentName admin)
Returns the list of permitted input methods set by this device or profile owner.
This method can be called on the DevicePolicyManager
instance,
returned by getParentProfileInstance(android.content.ComponentName)
, where the caller must be
a profile owner of an organization-owned managed profile. If called on the parent instance,
then the returned list of permitted input methods are those which are applied on the
personal profile.
An empty list means no input methods except system input methods are allowed. Null means all input methods are allowed.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin
This value may be null . |
Returns | |
---|---|
List<String> |
List of input method package names.
This value may be null . |
Throws | |
---|---|
SecurityException |
if admin is not a device, profile owner or if called on
the parent profile and the admin is not a profile owner
of an organization-owned managed profile. |
getPersonalAppsSuspendedReasons
public int getPersonalAppsSuspendedReasons (ComponentName admin)
Called by profile owner of an organization-owned managed profile to check whether personal apps are suspended.
Parameters | |
---|---|
admin |
ComponentName : This value cannot be null . |
Returns | |
---|---|
int |
a bitmask of reasons for personal apps suspension or
PERSONAL_APPS_NOT_SUSPENDED if apps are not suspended.
Value is either 0 or a combination of PERSONAL_APPS_NOT_SUSPENDED , PERSONAL_APPS_SUSPENDED_EXPLICITLY , and PERSONAL_APPS_SUSPENDED_PROFILE_TIMEOUT |
getPreferentialNetworkServiceConfigs
public List<PreferentialNetworkServiceConfig> getPreferentialNetworkServiceConfigs ()
Get preferential network configuration
Returns | |
---|---|
List<PreferentialNetworkServiceConfig> |
preferential network configuration.
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if the caller is not the profile owner or device owner. |
See also:
getRequiredPasswordComplexity
public int getRequiredPasswordComplexity ()
Gets the password complexity requirement set by setRequiredPasswordComplexity(int)
,
for the current user.
The difference between this method and getPasswordComplexity()
is that this
method simply returns the value set by setRequiredPasswordComplexity(int)
while
getPasswordComplexity()
returns the complexity of the actual password.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to get
restrictions on the parent profile.
Returns | |
---|---|
int |
Value is PASSWORD_COMPLEXITY_NONE , PASSWORD_COMPLEXITY_LOW , PASSWORD_COMPLEXITY_MEDIUM , or PASSWORD_COMPLEXITY_HIGH |
Throws | |
---|---|
SecurityException |
if the calling application is not a device owner or a profile owner. |
getRequiredStrongAuthTimeout
public long getRequiredStrongAuthTimeout (ComponentName admin)
Determine for how long the user will be able to use secondary, non strong auth for authentication, since last strong method authentication (password, pin or pattern) was used. After the returned timeout the user is required to use strong authentication method.
This method can be called on the DevicePolicyManager
instance
returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve
restrictions on the parent profile.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature,
0 is returned to indicate that no timeout is configured.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to aggregate
across all participating admins. |
Returns | |
---|---|
long |
The timeout in milliseconds or 0 if not configured for the provided admin. |
getResources
public DevicePolicyResourcesManager getResources ()
Returns a DevicePolicyResourcesManager
containing the required APIs to set, reset,
and get device policy related resources.
Returns | |
---|---|
DevicePolicyResourcesManager |
This value cannot be null . |
getScreenCaptureDisabled
public boolean getScreenCaptureDisabled (ComponentName admin)
Determine whether or not screen capture has been disabled by the calling admin, if specified, or all admins.
This method can be called on the DevicePolicyManager
instance,
returned by getParentProfileInstance(android.content.ComponentName)
, where the caller must be
the profile owner of an organization-owned managed profile (the calling admin must be
specified).
Parameters | |
---|---|
admin |
ComponentName : The name of the admin component to check, or null to check whether any
admins have disabled screen capture. |
Returns | |
---|---|
boolean |
getSecondaryUsers
public List<UserHandle> getSecondaryUsers (ComponentName admin)
Called by a device owner to list all secondary users on the device. Managed profiles are not considered as secondary users.
Used for various user management APIs, including switchUser(ComponentName, UserHandle)
, removeUser(ComponentName, UserHandle)
and stopUser(ComponentName, UserHandle)
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
List<UserHandle> |
list of other UserHandle s on the device. |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
getShortSupportMessage
public CharSequence getShortSupportMessage (ComponentName admin)
Called by a device admin or holder of the permission
Manifest.permission.MANAGE_DEVICE_POLICY_SUPPORT_MESSAGE
to get the short
support message.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin.
This value may be null . |
Returns | |
---|---|
CharSequence |
The message set by setShortSupportMessage(android.content.ComponentName, java.lang.CharSequence) or
null if no message has been set. |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator and not a holder of
the permission Manifest.permission.MANAGE_DEVICE_POLICY_SUPPORT_MESSAGE .. |
getStartUserSessionMessage
public CharSequence getStartUserSessionMessage (ComponentName admin)
Returns the user session start message.
Parameters | |
---|---|
admin |
ComponentName : which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
CharSequence |
Throws | |
---|---|
SecurityException |
if admin is not a device owner. |
getStorageEncryption
public boolean getStorageEncryption (ComponentName admin)
This method was deprecated
in API level 30.
This method only returns the value set by setStorageEncryption(ComponentName, boolean)
.
It does not actually reflect the storage encryption status.
Use getStorageEncryptionStatus()
for that.
Called by an application that is administering the device to
determine the requested setting for secure storage.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. If null,
this will return the requested encryption setting as an aggregate of all active
administrators. |
Returns | |
---|---|
boolean |
true if the admin(s) are requesting encryption, false if not. |
getStorageEncryptionStatus
public int getStorageEncryptionStatus ()
Called by an application that is administering the device to determine the current encryption status of the device.
Depending on the returned status code, the caller may proceed in different
ways. If the result is ENCRYPTION_STATUS_UNSUPPORTED
, the
storage system does not support encryption. If the
result is ENCRYPTION_STATUS_INACTIVE
, use ACTION_START_ENCRYPTION
to begin the process of encrypting or decrypting the
storage. If the result is ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY
, the
storage system has enabled encryption but no password is set so further action
may be required. If the result is ENCRYPTION_STATUS_ACTIVATING
,
ENCRYPTION_STATUS_ACTIVE
or ENCRYPTION_STATUS_ACTIVE_PER_USER
,
no further action is required.
Returns | |
---|---|
int |
current status of encryption. The value will be one of
ENCRYPTION_STATUS_UNSUPPORTED , ENCRYPTION_STATUS_INACTIVE ,
ENCRYPTION_STATUS_ACTIVATING , ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY ,
ENCRYPTION_STATUS_ACTIVE , or ENCRYPTION_STATUS_ACTIVE_PER_USER . |
Throws | |
---|---|
SecurityException |
if called on a parent instance. |
getSubscriptionIds
public Set<Integer> getSubscriptionIds ()
Returns the subscription ids of all subscriptions which were downloaded by the calling admin.
This returns only the subscriptions which were downloaded by the calling admin via
EuiccManager.downloadSubscription(DownloadableSubscription, boolean, PendingIntent)
.
If a subscription is returned by this method then in it subject to management controls
and cannot be removed by users.
Callable by device owners and profile owners.
Requires Manifest.permission.MANAGE_DEVICE_POLICY_MANAGED_SUBSCRIPTIONS
Returns | |
---|---|
Set<Integer> |
ids of all managed subscriptions currently downloaded by an admin on the device.
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if the caller is not authorized to call this method. |
getSystemUpdatePolicy
public SystemUpdatePolicy getSystemUpdatePolicy ()
Retrieve a local system update policy set previously by setSystemUpdatePolicy(ComponentName, SystemUpdatePolicy)
.
Returns | |
---|---|
SystemUpdatePolicy |
The current policy object, or null if no policy is set. |
getTransferOwnershipBundle
public PersistableBundle getTransferOwnershipBundle ()
Returns the data passed from the current administrator to the new administrator during an
ownership transfer. This is the same bundle
passed in
transferOwnership(android.content.ComponentName, android.content.ComponentName, android.os.PersistableBundle)
. The bundle is
persisted until the profile owner or device owner is removed.
This is the same bundle
received in the
DeviceAdminReceiver.onTransferOwnershipComplete(Context, PersistableBundle)
.
Use this method to retrieve it after the transfer as long as the new administrator is the
active device or profile owner.
Returns null
if no ownership transfer was started for the calling user.
Returns | |
---|---|
PersistableBundle |
Throws | |
---|---|
SecurityException |
if the caller is not a device or profile owner. |
getTrustAgentConfiguration
public List<PersistableBundle> getTrustAgentConfiguration (ComponentName admin, ComponentName agent)
Gets configuration for the given trust agent based on aggregating all calls to
setTrustAgentConfiguration(android.content.ComponentName, android.content.ComponentName, android.os.PersistableBundle)
for
all device admins.
This method can be called on the DevicePolicyManager
instance returned by
getParentProfileInstance(android.content.ComponentName)
in order to retrieve the configuration set
on the parent profile.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, null is
always returned.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. If null,
this function returns a list of configurations for all admins that declare
KEYGUARD_DISABLE_TRUST_AGENTS . If any admin declares
KEYGUARD_DISABLE_TRUST_AGENTS but doesn't call
setTrustAgentConfiguration(android.content.ComponentName, android.content.ComponentName, android.os.PersistableBundle)
for this or calls it with a null configuration, null is returned. |
agent |
ComponentName : Which component to get enabled features for.
This value cannot be null . |
Returns | |
---|---|
List<PersistableBundle> |
configuration for the given trust agent. |
getUserControlDisabledPackages
public List<String> getUserControlDisabledPackages (ComponentName admin)
Returns the list of packages over which user control is disabled by a device or profile
owner or holders of the permission
Manifest.permission.MANAGE_DEVICE_POLICY_APPS_CONTROL
.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, the returned policy will be the
current resolved policy rather than the policy set by the calling admin.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Null if the
caller is not a device admin.
This value may be null . |
Returns | |
---|---|
List<String> |
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner or holder of the
permission Manifest.permission.MANAGE_DEVICE_POLICY_APPS_CONTROL . |
getUserRestrictions
public Bundle getUserRestrictions (ComponentName admin)
Called by an admin to get user restrictions set by themselves with
addUserRestriction(android.content.ComponentName, java.lang.String)
.
The target user may have more restrictions set by the system or other admin.
To get all the user restrictions currently set, use
UserManager.getUserRestrictions()
.
The profile owner of an organization-owned managed profile may invoke this method on
the DevicePolicyManager
instance it obtained from
getParentProfileInstance(android.content.ComponentName)
, for retrieving device-wide restrictions
it previously set with addUserRestriction(android.content.ComponentName, java.lang.String)
.
For callers targeting Android Build.VERSION_CODES.UPSIDE_DOWN_CAKE
or
above, this API will return the local restrictions set on the calling user, or on the parent
profile if called from the DevicePolicyManager
instance obtained from
getParentProfileInstance(android.content.ComponentName)
. To get global restrictions set by admin,
call getUserRestrictionsGlobally()
instead.
Note that this is different that the returned restrictions for callers targeting pre
Android Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, were this API returns
all local/global restrictions set by the admin on the calling user using
addUserRestriction(android.content.ComponentName, java.lang.String)
or the parent user if called on the
DevicePolicyManager
instance it obtained from getParentProfileInstance(ComponentName)
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
Returns | |
---|---|
Bundle |
a Bundle whose keys are the user restrictions, and the values a
boolean indicating whether the restriction is set.
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
getUserRestrictionsGlobally
public Bundle getUserRestrictionsGlobally ()
Called by a profile or device owner to get global user restrictions set with
addUserRestrictionGlobally(java.lang.String)
.
To get all the user restrictions currently set for a certain user, use
UserManager.getUserRestrictions()
.
Returns | |
---|---|
Bundle |
a Bundle whose keys are the user restrictions, and the values a
boolean indicating whether the restriction is set.
This value cannot be null . |
Throws | |
---|---|
SecurityException |
if admin is not a device or profile owner. |
IllegalStateException |
if caller is not targeting Android
Build.VERSION_CODES.UPSIDE_DOWN_CAKE or above. |
getWifiMacAddress
public String getWifiMacAddress (ComponentName admin)
Called by a device owner or profile owner on organization-owned device to get the MAC
address of the Wi-Fi device.
NOTE: The MAC address returned here should only be used for inventory management and is
not likely to be the MAC address used by the device to connect to Wi-Fi networks: MAC
addresses used for scanning and connecting to Wi-Fi networks are randomized by default.
To get the randomized MAC address used, call
WifiConfiguration.getRandomizedMacAddress()
.
Parameters | |
---|---|
admin |
ComponentName : Which admin this request is associated with. Null if the caller is not a device
admin
This value may be null . |
Returns | |
---|---|
String |
the MAC address of the Wi-Fi device, or null when the information is not available.
(For example, Wi-Fi hasn't been enabled, or the device doesn't support Wi-Fi.)
The address will be in the |
Throws | |
---|---|
SecurityException |
if admin is not permitted to get wifi mac addresses |
getWifiSsidPolicy
public WifiSsidPolicy getWifiSsidPolicy ()
Returns the current Wi-Fi SSID policy. If the policy has not been set, it will return NULL.
Returns | |
---|---|
WifiSsidPolicy |
This value may be null . |
Throws | |
---|---|
SecurityException |
if the caller is not a device owner or a profile owner on an organization-owned managed profile. |
See also:
grantKeyPairToApp
public boolean grantKeyPairToApp (ComponentName admin, String alias, String packageName)
Called by a device or profile owner, or delegated certificate chooser (an app that has been
delegated the DELEGATION_CERT_SELECTION
privilege), to grant an application access
to an already-installed (or generated) KeyChain key.
This is useful (in combination with installKeyPair(ComponentName, PrivateKey, Certificate, String)
or generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)
) to
let an application call KeyChain.getPrivateKey(Context, String)
without having to
call KeyChain.choosePrivateKeyAlias(Activity, KeyChainAliasCallback, String, Principal, Uri, String)
first.
The grantee app will receive the KeyChain.ACTION_KEY_ACCESS_CHANGED
broadcast when access to a key is granted.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
throws an
IllegalArgumentException
if alias
doesn't correspond to an existing key.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate chooser. |
alias |
String : The alias of the key to grant access to.
This value cannot be null . |
packageName |
String : The name of the (already installed) package to grant access to.
This value cannot be null . |
Returns | |
---|---|
boolean |
true if the grant was set successfully, false otherwise. |
Throws | |
---|---|
SecurityException |
if the caller is not a device owner, a profile owner or delegated certificate chooser. |
IllegalArgumentException |
if packageName or alias are empty, or if
packageName is not a name of an installed package. |
grantKeyPairToWifiAuth
public boolean grantKeyPairToWifiAuth (String alias)
Called by a device or profile owner, or delegated certificate chooser (an app that has been
delegated the DELEGATION_CERT_SELECTION
privilege), to allow using a KeyChain key
pair for authentication to Wifi networks. The key can then be used in configurations passed
to WifiManager.addNetwork(WifiConfiguration)
.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
throws an
IllegalArgumentException
if alias
doesn't correspond to an existing key.
Parameters | |
---|---|
alias |
String : The alias of the key pair.
This value cannot be null . |
Returns | |
---|---|
boolean |
true if the operation was set successfully, false otherwise. |
Throws | |
---|---|
SecurityException |
if the caller is not a device owner, a profile owner or delegated certificate chooser. |
See also:
hasCaCertInstalled
public boolean hasCaCertInstalled (ComponentName admin, byte[] certBuffer)
Returns whether this certificate is installed as a trusted CA.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate installer. |
certBuffer |
byte : encoded form of the certificate to look up. |
Returns | |
---|---|
boolean |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner. |
hasGrantedPolicy
public boolean hasGrantedPolicy (ComponentName admin, int usesPolicy)
Returns true if an administrator has been granted a particular device policy. This can be used to check whether the administrator was activated under an earlier set of policies, but requires additional policies after an upgrade.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with. Must be an
active administrator, or an exception will be thrown.
This value cannot be null . |
usesPolicy |
int : Which uses-policy to check, as defined in DeviceAdminInfo . |
Returns | |
---|---|
boolean |
Throws | |
---|---|
SecurityException |
if admin is not an active administrator. |
hasKeyPair
public boolean hasKeyPair (String alias)
This API can be called by the following to query whether a certificate and private key are installed under a given alias:
- Device owner
- Profile owner
- Delegated certificate installer
- Credential management app
- An app that holds the
Manifest.permission.MANAGE_DEVICE_POLICY_CERTIFICATES
permission
AppUriAuthenticationPolicy
.
Parameters | |
---|---|
alias |
String : The alias under which the key pair is installed.
This value cannot be null . |
Returns | |
---|---|
boolean |
true if a key pair with this alias exists, false otherwise. |
Throws | |
---|---|
SecurityException |
if the caller is not a device or profile owner, a delegated
certificate installer, the credential management app and does not have the
Manifest.permission.MANAGE_DEVICE_POLICY_CERTIFICATES permission. |
hasLockdownAdminConfiguredNetworks
public boolean hasLockdownAdminConfiguredNetworks (ComponentName admin)
Called by a device owner or a profile owner of an organization-owned managed profile to determine whether the user is prevented from modifying networks configured by the admin.
Parameters | |
---|---|
admin |
ComponentName : admin Which DeviceAdminReceiver this request is associated
with.
This value may be null . |
Returns | |
---|---|
boolean |
Throws | |
---|---|
SecurityException |
if caller is not a device owner or a profile owner of an organization-owned managed profile. |
installCaCert
public boolean installCaCert (ComponentName admin, byte[] certBuffer)
Installs the given certificate as a user CA.
Inserted user CAs aren't automatically trusted by apps in Android 7.0 (API level 24) and
higher. App developers can change the default behavior for an app by adding a
Security Configuration
File to the app manifest file.
The caller must be a profile or device owner on that user, or a delegate package given the
DELEGATION_CERT_INSTALL
scope via setDelegatedScopes(ComponentName, String, List)
; otherwise a
security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if calling from a delegated certificate installer. |
certBuffer |
byte : encoded form of the certificate to install. |
Returns | |
---|---|
boolean |
false if the certBuffer cannot be parsed or installation is interrupted, true otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or profile
owner. |
installExistingPackage
public boolean installExistingPackage (ComponentName admin, String packageName)
Install an existing package that has been installed in another user, or has been kept after
removal via setKeepUninstalledPackages(ComponentName, List)
.
This function can be called by a device owner, profile owner or a delegate given
the DELEGATION_INSTALL_EXISTING_PACKAGE
scope via setDelegatedScopes(ComponentName, String, List)
.
When called in a secondary user or managed profile, the user/profile must be affiliated with
the device. See isAffiliatedUser()
.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with.
This value cannot be null . |
packageName |
String : The package to be installed in the calling profile. |
Returns | |
---|---|
boolean |
true if the app is installed; false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not the device owner, or the profile owner of
an affiliated user or profile. |
installKeyPair
public boolean installKeyPair (ComponentName admin, PrivateKey privKey, Certificate[] certs, String alias, int flags)
This API can be called by the following to install a certificate chain and corresponding private key for the leaf certificate:
- Device owner
- Profile owner
- Delegated certificate installer
- Credential management app
- An app that holds the
Manifest.permission.MANAGE_DEVICE_POLICY_CERTIFICATES
permission
From Android Build.VERSION_CODES.S
, the credential management app
can call this API. If called by the credential management app:
- The componentName must be
null
r - The alias must exist in the credential management app's
AppUriAuthenticationPolicy
- The key pair must not be user selectable
The caller of this API may grant itself access to the certificate and private key immediately, without user approval. It is a best practice not to request this unless strictly necessary since it opens up additional security vulnerabilities.
Include INSTALLKEY_SET_USER_SELECTABLE
in the flags
argument to allow
the user to select the key from a dialog.
Note: If the provided alias
is of an existing alias, all former grants that apps
have been given to access the key and certificates associated with this alias will be
revoked.
Parameters | |
---|---|
admin |
ComponentName : Which DeviceAdminReceiver this request is associated with, or
null if the caller is not a device admin. |
privKey |
PrivateKey : The private key to install.
This value cannot be null . |
certs |
Certificate : The certificate chain to install. The chain should start with the leaf
certificate and include the chain of trust in order. This will be returned by
KeyChain.getCertificateChain(Context, String) .
This value cannot be null . |
alias |
String : The private key alias under which to install the certificate. If a certificate
with that alias already exists, it will be overwritten.
This value cannot be null . |
flags |
int : Flags to request that the calling app be granted access to the credentials
and set the key to be user-selectable. See INSTALLKEY_SET_USER_SELECTABLE and
INSTALLKEY_REQUEST_CREDENTIALS_ACCESS . |
Returns | |
---|---|
boolean |
true if the keys were installed, false otherwise. |
Throws | |
---|---|
SecurityException |
if admin is not null and not a device or
profile owner, or admin is null but the calling application is not a
delegated certificate installer, credential management app and does not have the
Manifest.permission.MANAGE_DEVICE_POLICY_CERTIFICATES permission. |
installKeyPair
public boolean installKeyPair (ComponentName admin, PrivateKey privKey, Certificate[] certs, String alias, boolean requestAccess)
This API can be called by the following to install a certificate chain and corresponding private key for the leaf certificate:
- Device owner
- Profile owner
- Delegated certificate installer
- Credential management app
- An app that holds the
Manifest.permission.MANAGE_DEVICE_POLICY_CERTIFICATES
permission
From Android Build.VERSION_CODES.S
, the credential management app
can call this API. However, this API sets the key pair as user selectable by default,
which is not permitted when called by the credential management app. Instead,
installKeyPair(android.content.ComponentName, java.security.PrivateKey, java.security.cert.Certificate[], java.lang.String, int)
should be
called with INSTALLKEY_SET_USER_SELECTABLE
not set as a flag.
Note, there can only be a credential management app on an unmanaged device.
The caller of this API may grant itself access to the certificate and private key immediately, without user approval. It is a best practice not to request this unless strictly necessary since it opens up additional security vulnerabilities.
Note: If the provided alias
is of an existing alias, all former grants that apps
have been given to access the key and certificates associated with this alias will